Changelog
-Version 7.48.0 (23 Mar 2016)
+Version 7.50.2 (7 Sep 2016)
-Daniel Stenberg (23 Mar 2016)
-- RELEASE-NOTES: curl 7.48.0
+Daniel Stenberg (7 Sep 2016)
+- RELEASE-NOTES: curl 7.50.2 release
-- THANKS: 15 new contributors from 7.48.0 release
+- THANKS: updated for 7.50.2
-Jay Satiro (23 Mar 2016)
-- CURLINFO_TLS_SSL_PTR.3: Warn about limitations
-
- Bug: https://github.com/curl/curl/issues/685
+Jay Satiro (6 Sep 2016)
+- [Gaurav Malhotra brought this change]
-Daniel Stenberg (22 Mar 2016)
-- Revert "sshserver: remove use of AuthorizedKeysFile2"
+ openssl: fix CURLINFO_SSL_VERIFYRESULT
- It seems we may have some autobuild problems after this commit went
- in. Trying to see if a revert helps to get them back.
+ CURLINFO_SSL_VERIFYRESULT does not get the certificate verification
+ result when SSL_connect fails because of a certificate verification
+ error.
- This reverts commit 2716350d1f3edc8e929f6ceeee05051090f6d642.
+ This fix saves the result of SSL_get_verify_result so that it is
+ returned by CURLINFO_SSL_VERIFYRESULT.
+
+ Closes https://github.com/curl/curl/pull/995
-- maketgz: add -j to make dist
+Daniel Stenberg (6 Sep 2016)
+- [Daniel Gustafsson brought this change]
+
+ darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)
- ... makes it a lot faster
+ While noErr and errSecSuccess are defined as the same value, the API
+ documentation states that SecPKCS12Import() returns errSecSuccess if
+ there were no errors in importing. Ensure that a future change of the
+ defined value doesn't break (however unlikely) and be consistent with
+ the API docs.
-- libcurl-thread.3: minor nroff format fix
+- [Daniel Gustafsson brought this change]
-- CURLINFO_TLS_SSL_PTR.3: minor nroff format fix
+ docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994)
-- CODE_STYLE: indend example code
-
- ... to make it look nicer in markdown outputa
+- [Marcel Raad brought this change]
-Jay Satiro (22 Mar 2016)
-- build-wolfssl: Update VS properties for wolfSSL v3.9.0
+ openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L
- - Do not use wolfSSL's sample user-setting files.
+ With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup
+ functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The
+ replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and
+ OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is
+ now called OpenSSL_version_num().
- wolfSSL starting in v3.9.0 has added their own sample user settings that
- are applied by default, but we don't use them because we have our own
- settings.
+ [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html
+ [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
- - Do not use wolfSSL's Visual Studio Unicode character setting.
+ Closes #992
+
+- RELEASE-NOTES: synced with 3d4c0c8b9bc1d
+
+- http2: return EOF when done uploading without known size
- wolfSSL Visual Studio projects use the Unicode character set however our
- settings and options imitate mingw build which does not use the Unicode
- character set. This does not appear to have any effect at the moment but
- better safe than sorry.
+ Fixes #982
+
+- http2: skip the content-length parsing, detect unknown size
+
+- http2: minor white space edit
+
+- http2: use named define instead of magic constant in read callback
+
+- [Craig Davison brought this change]
+
+ configure: make the cpp -P detection not clobber CPPFLAGS
+ CPPPFLAGS is now CPPPFLAG. Fixes CURL_CHECK_DEF.
- These changes are backwards compatible with earlier versions.
+ Fixes #958
-Steve Holme (22 Mar 2016)
-- hostip6: Fixed compilation warnings when verbose strings disabled
+- [Olivier Brunel brought this change]
+
+ speed caps: not based on average speeds anymore
- warning C4189: 'data': local variable is initialized but not referenced
+ Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
+ CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
+ with the cumulative average speed of the entire transfer; While this
+ might work at times with good/constant connections, in other cases it
+ can result to the limits simply being "ignored" for more than "short
+ bursts" (as told in man page).
- ...and some minor formatting/spacing changes.
-
-Daniel Stenberg (21 Mar 2016)
-- sshserver: remove use of AuthorizedKeysFile2
+ Consider a download that goes on much slower than the limit for some
+ time (because bandwidth is used elsewhere, server is slow, whatever the
+ reason), then once things get better, curl would simply ignore the limit
+ up until the average speed (since the beginning of the transfer) reached
+ the limit. This could prove the limit useless to effectively avoid
+ using the entire bandwidth (at least for quite some time).
- Support for the (undocumented) AuthorizedKeysFile2 was removed in
- OpenSSH 5.9, released in September 2011
+ So instead, we now use a "moving starting point" as reference, and every
+ time at least as much as the limit as been transferred, we can reset
+ this starting point to the current position. This gets a good limiting
+ effect that applies to the "current speed" with instant reactivity (in
+ case of sudden speed burst).
- Closes #715
+ Closes #971
-Steve Holme (20 Mar 2016)
-- connect/ntlm/http: Fixed compilation warnings when verbose strings disabled
-
- warning C4189: 'data': local variable is initialized but not referenced
+- HISTORY.md: the multi socket was put in the wrong year!
-- openssl: Fixed compilation warning when /Wall enabled
-
- warning C4706: assignment within conditional expression
+- [Mark Hamilton brought this change]
-- CODE_STYLE: Use boolean conditions
+ tool_helpers.c: fix comment typo (#989)
+
+- [Mark Hamilton brought this change]
+
+ libtest/test.h: fix typo (#988)
+
+- CURLMOPT_PIPELINING.3: language
+
+- CURLMOPT_PIPELINING.3: extended and clarified
- Rather than use TRUE, FALSE, NULL, 0 or != 0 in if/while conditions.
+ Especially in regards to the multiplexing part.
+
+Steve Holme (31 Aug 2016)
+- curl_sspi.c: Updated function description comments
- Additionally, corrected some example code to adhere to the recommended
- coding style.
+ * Added description to Curl_sspi_free_identity()
+ * Added parameter and return explanations to Curl_sspi_global_init()
+ * Added parameter explaination to Curl_sspi_global_cleanup()
-- inet_pton.c: Fixed compilation warnings
+- README: Corrected the supported Visual Studio versions
- warning: conversion to 'unsigned char' from 'int' may alter its value
+ Missed from commit 8356022d17.
-Daniel Stenberg (19 Mar 2016)
-- RELEASE-NOTES: synced with 80851028efc2fa9
+- KNOWN_BUGS: Move the Visual Studio project shortcomings from local README
-- mbedtls: fix compiler warning
+- KNOWN_BUGS: Expand 6.4 to include Kerberos V5
- vtls/mbedtls.h:67:36: warning: implicit declaration of function
- ‘mbedtls_sha256’ [-Wimplicit-function-declaration]
+ ...and discuss a possible solution.
-Steve Holme (19 Mar 2016)
-- easy: Minor coding standard and style updates
+Daniel Stenberg (30 Aug 2016)
+- connect: fix #ifdefs for debug versions of conn/streamclose() macros
- Following commit c5744340db. Additionally removes the need for a second
- 'result code' variable as well.
-
-Jay Satiro (19 Mar 2016)
-- easy: Remove poll failure check in easy_transfer
+ CURLDEBUG is for the memory debugging
- .. because curl_multi_wait can no longer signal poll failure.
+ DEBUGBUILD is for the extra debug stuff
- follow-up to 77e1726
+ Pointed-out-by: Steve Holme
+
+- KNOWN_BUGS: mention some cmake "support gaps"
+
+Nick Zitzmann (28 Aug 2016)
+- darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only
- Bug: https://github.com/curl/curl/issues/707
+ In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead.
-Steve Holme (19 Mar 2016)
-- build: Added missing Visual Studio filter files for VC10 onwards
+Daniel Stenberg (28 Aug 2016)
+- http2: return CURLE_HTTP2_STREAM for unexpected stream close
- As these files don't need to contain references to the source files,
- although typically do, added basic files which only include three
- filters and don't require the project file generator to be modified.
+ Follow-up to c3e906e9cd0f, seems like a more appropriate error code
- These files allow the source code to be viewed in the Solution Explorer
- in versions of Visual Studio from 2010 onwards in the same manner as
- previous versions did rather than one large view of files.
+ Suggested-by: Jay Satiro
-- ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
-
- warning C4706: assignment within conditional expression
+- [Tatsuhiro Tsujikawa brought this change]
-- config-w32.h: Fixed compilation warning when /Wall enabled
+ http2: handle closed streams when uploading
- warning C4668: 'USE_IPV6' is not defined as a preprocessor macro,
- replacing with '0' for '#if/#elif'
+ Fixes #986
-- imap.c: Fixed compilation warning with /Wall enabled
-
- warning C4701: potentially uninitialized local variable 'size' used
+- http2: make sure stream errors don't needlessly close the connection
- Technically this can't happen, as the usage of 'size' is protected by
- 'if(parsed)' and 'parsed' is only set after 'size' has been parsed.
+ With HTTP/2 each transfer is made in an indivial logical stream over the
+ connection, making most previous errors that caused the connection to get
+ forced-closed now instead just kill the stream and not the connection.
- Anyway, lets keep the compiler happy.
+ Fixes #941
-- KNOWN_BUGS: #93 Issue with CURLFORM_CONTENTLEN in arrays on 32-bit platforms
+- Curl_verify_windows_version: minor edit to avoid compiler warnings
+
+ ... instead of if() before the switch(), add a default to the switch so
+ that the compilers don't warn on "warning: enumeration value
+ 'PLATFORM_DONT_CARE' not handled in switch" anymore.
-Daniel Stenberg (18 Mar 2016)
-- bump: the coming release is 7.48.0
+Steve Holme (27 Aug 2016)
+- RELEASE-NOTES: Added missing fix from commit 15592143f
-- configure: use cpp -P when needed
+Jay Satiro (26 Aug 2016)
+- schannel: Disable ALPN for Wine since it is causing problems
- Since gcc 5, the processor output can get split up on multiple lines
- that made the configure script fail to figure out values from
- definitions. The fix is to use cpp -P, and this fix now first checks if
- cpp -P is necessary and then if cpp -P works before it uses that to
- extract defined values.
+ - Disable ALPN on Wine.
- Fixes #719
+ - Don't pass input secbuffer when ALPN is disabled.
+
+ When ALPN support was added a change was made to pass an input secbuffer
+ to initialize the context. When ALPN is enabled the buffer contains the
+ ALPN information, and when it's disabled the buffer is empty. In either
+ case this input buffer caused problems with Wine and connections would
+ not complete.
+
+ Bug: https://github.com/curl/curl/issues/983
+ Reported-by: Christian Fillion
-Steve Holme (18 Mar 2016)
-- formdata.c: Fixed compilation warning
+Kamil Dudka (26 Aug 2016)
+- [Peter Wang brought this change]
+
+ nss: work around race condition in PK11_FindSlotByName()
- formdata.c:390: warning: cast from pointer to integer of different size
+ Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
+ a multi-threaded environment. The underlying cause is a race condition
+ in nssSlot_IsTokenPresent().
- Introduced in commit ca5f9341ef this happens because a char*, which is
- 32-bits wide in 32-bit land, is being cast to a curl_off_t which is
- 64-bits wide where 64-bit integers are supported by the compiler.
+ Bug: https://bugzilla.mozilla.org/1297397
- This doesn't happen in 64-bit land as a pointer is the same size as a
- curl_off_t.
+ Closes #985
+
+- nss: refuse previously loaded certificate from file
- This fix doesn't address the fact that a 64-bit value cannot be used
- for CURLFORM_CONTENTLEN when set in a form array and compiled on a
- 32-bit platforms, it does at least suppress the compilation warning.
+ ... when we are not asked to use a certificate from file
-Daniel Stenberg (18 Mar 2016)
-- FAQ: 2.5 Install libcurl for both 32bit and 64bit?
+Daniel Stenberg (26 Aug 2016)
+- ftp_done: remove dead code
-- [Gisle Vanem brought this change]
+- TLS: random file/egd doesn't have to match for conn reuse
- openssl: adapt to API breakage in ERR_remove_thread_state()
+- test161: add comment for the exit code
+
+Dan Fandrich (26 Aug 2016)
+- test219: Add http as a required feature
+
+Daniel Stenberg (25 Aug 2016)
+- [Michael Kaufmann brought this change]
+
+ HTTP: stop parsing headers when switching to unknown protocols
- The OpenSSL API change that broke this is "Convert ERR_STATE to new
- multi-threading API": openssl commit 8509dcc.
+ - unknown protocols probably won't send more headers (e.g. WebSocket)
+ - improved comments and moved them to the correct case statements
- Closes #713
+ Closes #899
-- version: init moved to private name space, added protos
+- openssl: make build with 1.1.0 again
- follow-up to 80015cdd52145
+ synced with OpenSSL git master commit cc06906707
-- openssl: verbose: show matching SAN pattern
+- INTERNALS: fix title
+
+- configure: detect zlib with our pkg-config macros
- ... to allow users to see which specfic wildcard that matched when such
- is used.
+ ... instead of relying on the pkg-config autoconf macros to be present.
- Also minor logic cleanup to simplify the code, and I removed all tabs
- from verbose strings.
-
-Jay Satiro (16 Mar 2016)
-- version: thread safety
+ Fixes #972 (again...)
-Steve Holme (16 Mar 2016)
-- transfer: Removed redundant HTTP authentication include files
+Jay Satiro (25 Aug 2016)
+- http2: Remove incorrect comments
- It would also seem that share.h is not required here either as there
- are no references to the Curl_share structure or functions.
+ .. also remove same from scp
-- easy: Removed redundant HTTP authentication include files
+Daniel Stenberg (23 Aug 2016)
+- [Ales Novak brought this change]
-Jay Satiro (15 Mar 2016)
-- CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
+ ftp: fix wrong poll on the secondary socket
- Bug: https://curl.haxx.se/mail/lib-2016-03/0150.html
- Reported-by: Oliver Graute
+ When we're uploading using FTP and the server issues a tiny pause
+ between opening the connection to the client's secondary socket, the
+ client's initial poll() times out, which leads to second poll() which
+ does not wait for POLLIN on the secondary socket. So that poll() also
+ has to time out, creating a long (200ms) pause.
+
+ This patch adds the correct flag to the secondary socket, making the
+ second poll() correctly wait for the connection there too.
+
+ Signed-off-by: Ales Novak <alnovak@suse.cz>
+
+ Closes #978
-Steve Holme (15 Mar 2016)
-- curl_sasl: Minor code indent fixes
+- RELEASE-NOTES: synced with 95ded2c56
-Daniel Stenberg (14 Mar 2016)
-- runtests: mention when run event-based
+- configure: make it work without PKG_CHECK_MODULES
+
+ With commit c2f9b78 we added a new dependency on pkg-config for
+ developers which may be unwanted. This change make the configure script
+ still work as before if pkg-config isn't installed, it'll just use the
+ old zlib detection logic without pkg-config.
+
+ Reported-by: Marc Hörsken
+
+ Fixes #972
-- easy: add check to malloc() when running event-based
+Marc Hoersken (21 Aug 2016)
+- Revert "KNOWN_BUGS: SOCKS proxy not working via IPv6"
- ... to allow torture tests then too.
+ This reverts commit 9cb1059f92286a6eb5d28c477fdd3f26aed1d554.
+
+ As discussed in #835 SOCKS5 supports IPv6 proxies and destinations.
-- memdebug: skip logging the limit countdown, fflush when reached
+Daniel Stenberg (21 Aug 2016)
+- [Marco Deckel brought this change]
-- CODE_STYLE: Space around operators
+ win: Basic support for Universal Windows Platform apps
- As just discussed on the mailing list, also document how we prefer
- spacing in expressions.
+ Closes #820
-- curl: glob_range: no need to check unsigned variable for negative
+Steve Holme (21 Aug 2016)
+- sasl: Don't use GSSAPI authentication when domain name not specified
- cppcheck warned:
+ Only choose the GSSAPI authentication mechanism when the user name
+ contains a Windows domain name or the user is a valid UPN.
- [src/tool_urlglob.c:283]: (style) Checking if unsigned variable 'step_n'
- is less than zero.
+ Fixes #718
-- CODE_STYLE: add example for indent style as well
+- vauth: Added check for supported SSPI based authentication mechanisms
+
+ Completing commit 00417fd66c and 2708d4259b.
-- CODE_STYLE: mention braces for functions too
+- http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check
+
+ From commit 2708d4259b.
-- docs/Makefile.am: include CODE_STYLE in tarball too
+Marc Hoersken (20 Aug 2016)
+- socks.c: display the hostname returned by the SOCKS5 proxy server
+
+ Instead of displaying the requested hostname the one returned
+ by the SOCKS5 proxy server is used in case of connection error.
+ The requested hostname is displayed earlier in the connection sequence.
+
+ The upper-value of the port is moved to a temporary variable and
+ replaced with a 0-byte to make sure the hostname is 0-terminated.
-- CONTRIBUTE: moved out code style to a separate document
+Steve Holme (20 Aug 2016)
+- urldata.h: Corrected comment for httpcode which is also populated by SMTP
+
+ As of 7.25.0 and commit 5430007222.
-- CODE_STYLE: initial version
+Marc Hoersken (20 Aug 2016)
+- socks.c: use Curl_printable_address in SOCKS5 connection sequence
- Ripped out from CONTRIBUTE into its own document, but also extended from
- there.
+ Replace custom string formatting with Curl_printable_address.
+ Add additional debug and error output in case of failures.
-- curl_sasl.c: minor code indent fixes
+- socks.c: align SOCKS4 connection sequence with SOCKS5
+
+ Calling sscanf is not required since the raw IPv4 address is
+ available and the protocol can be detected using ai_family.
-- multi: simplified singlesocket
+Steve Holme (20 Aug 2016)
+- http.c: Corrected indentation change from commit 2708d4259b
- Since sh_getentry() now checks for invalid sockets itself and by
- narrowing the scope of the remove_sock_from_hash variable.
+ Made by Visual Studio's auto-correct feature and missed by me in my own
+ code reviews!
-- multi: introduce sh_getentry() for looking up sockets in the sockhash
+- http: Added calls to Curl_auth_is_<mechansism>_supported()
- Simplify the code by using a single entry that looks for a socket in the
- socket hash. As indicated in #712, the code looked for CURL_SOCKET_BAD
- at some point and that is ineffective/wrong and this makes it easier to
- avoid that.
+ Hooked up the HTTP authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
+
+ As per commit 00417fd66c existing functionality is maintained for now.
-- [Jaime Fullaondo brought this change]
+Marc Hoersken (20 Aug 2016)
+- socks.c: improve verbose output of SOCKS5 connection sequence
- multi hash: ensure modulo performed on curl_socket_t
-
- Closes #712
+- configure.ac: add missing quotes to PKG_CHECK_MODULES
-Steve Holme (13 Mar 2016)
-- base64: Minor coding standard and style updates
+Steve Holme (20 Aug 2016)
+- sasl: Added calls to Curl_auth_is_<mechansism>_supported()
+
+ Hooked up the SASL authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
+
+ For now existing functionality is maintained.
-- base64: Use 'CURLcode result' for curl result codes
+Daniel Stenberg (19 Aug 2016)
+- [Miroslav Franc brought this change]
-- negotiate: Use 'CURLcode result' for curl result codes
+ spnego_sspi: fix memory leak in case *outlen is zero (#970)
-Daniel Stenberg (13 Mar 2016)
-- [Maksim Kuzevanov brought this change]
+- CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex
- multi_runsingle: avoid loop in CURLM_STATE_WAITPROXYCONNECT
+Steve Holme (18 Aug 2016)
+- vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
- Closes #703
-
-- TODO: Use the RFC6265 test suite
+ As Windows SSPI authentication calls fail when a particular mechanism
+ isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
+ and Negotiate to allow both HTTP and SASL authentication the opportunity
+ to query support for a supported mechanism before selecting it.
+
+ For now each function returns TRUE to maintain compatability with the
+ existing code when called.
-Steve Holme (13 Mar 2016)
-- checksrc.bat: Added the ability to scan src and lib source independently
+Daniel Stenberg (18 Aug 2016)
+- test1144: verify HEAD with body-only response
-- digest: Use boolean based success code for Curl_sasl_digest_get_pair()
+Steve Holme (17 Aug 2016)
+- RELEASE-PROCEDURE: Added some more future release dates
- Rather than use a 0 and 1 integer base result code use a TRUE / FALSE
- based success code.
+ ...and removed some old ones
-- digest: Corrected some typos in comments
+Daniel Stenberg (17 Aug 2016)
+- [David Woodhouse brought this change]
-- krb5: Corrected some typos in function descriptions
+ curl: allow "pkcs11:" prefix for client certificates
+
+ RFC7512 provides a standard method to reference certificates in PKCS#11
+ tokens, by means of a URI starting 'pkcs11:'.
+
+ We're working on fixing various applications so that whenever they would
+ have been able to use certificates from a file, users can simply insert
+ a PKCS#11 URI instead and expect it to work. This expectation is now a
+ part of the Fedora packaging guidelines, for example.
+
+ This doesn't work with cURL because of the way that the colon is used
+ to separate the certificate argument from the passphrase. So instead of
+
+ curl -E 'pkcs11:manufacturer=piv_II;id=%01' …
+
+ I instead need to invoke cURL with the colon escaped, like this:
+
+ curl -E 'pkcs11\:manufacturer=piv_II;id=%01' …
+
+ This is suboptimal because we want *consistency* — the URI should be
+ usable in place of a filename anywhere, without having strange
+ differences for different applications.
+
+ This patch therefore disables the processing in parse_cert_parameter()
+ when the string starts with 'pkcs11:'. It means you can't pass a
+ passphrase with an unescaped PKCS#11 URI, but there's no need to do so
+ because RFC7512 allows a PIN to be given as a 'pin-value' attribute in
+ the URI itself.
+
+ Also, if users are already using RFC7512 URIs with the colon escaped as
+ in the above example — even providing a passphrase for cURL to handling
+ instead of using a pin-value attribute, that will continue to work
+ because their string will start 'pkcs11\:' and won't match the check.
+
+ What *does* break with this patch is the extremely unlikely case that a
+ user has a file which is in the local directory and literally named
+ just "pkcs11", and they have a passphrase on it. If that ever happened,
+ the user would need to refer to it as './pkcs11:<passphrase>' instead.
-- ntlm: Corrected some typos in function descriptions
+- nss: make the global variables static
-- url: Corrected indentation when calling idna_to_ascii_lz()
+- openssl: use regular malloc instead of OPENSSL_malloc
+
+ This allows for better memmory debugging and torture tests.
-- idn_win32: Use boolean based success codes
+- proxy: fix tests as follow-up to 93b0d907d5
- Rather than use 0 and 1 integer base result codes use a FALSE / TRUE
- based success code.
+ This fixes tests that were added after 113f04e664b as the tests would
+ fail otherwise.
+
+ We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix
+ regressions with old and stupid proxies, but we could possibly switch to
+ using it only for CONNECT or only for NTLM in a future if we want to
+ gradually reduce it.
+
+ Fixes #954
+
+ Reported-by: János Fekete
-Daniel Stenberg (10 Mar 2016)
-- idn_win32.c: warning: Trailing whitespace
+- Revert "Proxy-Connection: stop sending this header by default"
+
+ This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68.
-Steve Holme (10 Mar 2016)
-- idn_win32.c: Fixed compilation warning from commit 9e7fcd4291
+- CURLOPT_PROXY.3: unsupported schemes cause errors now
- warning C4267: 'function': conversion from 'size_t' to 'int',
- possible loss of data
+ Follow-up to a96319ebb9 (document the new behavior)
-Daniel Stenberg (10 Mar 2016)
-- THANKS-filter: unify Michael König
+- tests/README: mention nghttpx for HTTP/2 tests
-- RELEASE-NOTES: synced with 863c5766dd
+- README.md: add our CII Best Practices badge
-- ftp: remove a check for NULL(!)
+- proxy: polished the error message for unsupported schemes
- ... as it implies we need to check for that on all the other variable
- references as well (as Coverity otherwise warns us for missing NULL
- checks), and we're alredy making sure that the pointer is never NULL.
+ Follow up to a96319ebb93
-- cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
-
- RFC 6265 section 4.1.1 spells out that the first name/value pair in the
- header is the actual cookie name and content, while the following are
- the parameters.
-
- libcurl previously had a more liberal approach which causes significant
- problems when introducing new cookie parameters, like the suggested new
- cookie priority draft.
+- test219: verify unsupported scheme for proxies get rejected
+
+- proxy: reject attempts to use unsupported proxy schemes
- The previous logic read all n/v pairs from left-to-right and the first
- name used that wassn't a known parameter name would be used as the
- cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
- a cookie named 'person' while an RFC 6265 compliant parser should
- consider that to be a cookie named 'Max-Age' with an (unknown) parameter
- 'person'.
+ I discovered some people have been using "https://example.com" style
+ strings as proxy and it "works" (curl doesn't complain) because curl
+ ignores unknown schemes and then assumes plain HTTP instead.
- Fixes #709
+ I think this misleads users into believing curl uses HTTPS to proxies
+ when it doesn't. Now curl rejects proxy strings using unsupported
+ schemes instead of just ignoring and defaulting to HTTP.
-- krb5: improved type handling to avoid clang compiler warnings
+- RELEASE-NOTES: synced with b7ee5316c2fd5b
-- url.c: fix clang warning: no newline at end of file
+Marc Hoersken (14 Aug 2016)
+- socks.c: Correctly calculate position of port in response packet
+
+ Third commit to fix issue #944 regarding SOCKS5 error handling.
+
+ Reported-by: David Kalnischkies
-- curl_multi_wait: never return -1 in 'numfds'
+- socks.c: Do not modify and invalidate calculated response length
- Such a return value isn't documented but could still happen, and the
- curl tool code checks for it. It would happen when the underlying
- Curl_poll() function returns an error. Starting now we mask that error
- as a user of curl_multi_wait() would have no way to handle it anyway.
+ Second commit to fix issue #944 regarding SOCKS5 error handling.
- Reported-by: Jay Satiro
- Closes #707
+ Reported-by: David Kalnischkies
-- HTTP2.md: add CURL_HTTP_VERSION_2TLS and updated alt-svc link
+- socks.c: Move error output after reading the whole response packet
+
+ First commit to fix issue #944 regarding SOCKS5 error handling.
+
+ Reported-by: David Kalnischkies
-- curl_multi_wait.3: add example
+Daniel Stenberg (13 Aug 2016)
+- [Ronnie Mose brought this change]
-Steve Holme (8 Mar 2016)
-- imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
-
- Regression since commit 710f14edba.
+ MANUAL: Remove invalid link to LDAP documentation (#962)
- Bug: https://github.com/curl/curl/issues/422
- Reported-by: Justin Ehlert
+ The server developer.netscape.com does not resolve into any
+ ip address and can be removed.
-Jay Satiro (8 Mar 2016)
-- opt-docs: fix heading macros
+Jay Satiro (13 Aug 2016)
+- openssl: accept subjectAltName iPAddress if no dNSName match
- ..SH should be .SH
+ Undo change introduced in d4643d6 which caused iPAddress match to be
+ ignored if dNSName was present but did not match.
- Bug: https://github.com/curl/curl/issues/705
- Reported-by: Eric S. Raymond
+ Also, if iPAddress is present but does not match, and dNSName is not
+ present, fail as no-match. Prior to this change in such a case the CN
+ would be checked for a match.
+
+ Bug: https://github.com/curl/curl/issues/959
+ Reported-by: wmsch@users.noreply.github.com
-Kamil Dudka (8 Mar 2016)
-- [Tim Rühsen brought this change]
+Daniel Stenberg (12 Aug 2016)
+- [Dambaev Alexander brought this change]
- cookie: do not refuse cookies for localhost
+ configure.ac: add zlib search with pkg-config
- Closes #658
+ Closes #956
-Daniel Stenberg (8 Mar 2016)
-- ftp_done: clear tunnel_state when secondary socket closes
+- rtsp: ignore whitespace in session id
- Introducing a function for closing the secondary connection to make this
- bug less likely to happen again.
+ Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at
+ whitespace as well.
- Reported-by: daboul
- Closes #701
+ Help-by: Erik Janssen
-- [Gisle Vanem brought this change]
+- HTTP: retry failed HEAD requests too
+
+ Mark's new document about HTTP Retries
+ (https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I
+ spotted that we don't retry failed HEAD requests which seems totally
+ inconsistent and I can't see any reason for that separate treatment.
+
+ So, no separate treatment for HEAD starting now. A HTTP request sent
+ over a reused connection that gets cut off before a single byte is
+ received will be retried on a fresh connection.
+
+ Made-aware-by: Mark Nottingham
- openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
+- mk-ca-bundle.1: document -m, added in 1.26
-- HTTP2.md: HTTP/2 by default for curl's HTTPS connections
+- RELEASE-NOTES: synced with e577c43bb5
-- [Anders Bakken brought this change]
+- [Erik Janssen brought this change]
- pipeline: Sanity check pipeline pointer before accessing it.
+ rtsp: accept any RTSP session id
- I got a crash with this stack:
+ Makes libcurl work in communication with gstreamer-based RTSP
+ servers. The original code validates the session id to be in accordance
+ with the RFC. I think it is better not to do that:
- curl/lib/url.c:2873 (Curl_removeHandleFromPipeline)
- curl/lib/url.c:2919 (Curl_getoff_all_pipelines)
- curl/lib/multi.c:561 (curl_multi_remove_handle)
- curl/lib/url.c:415 (Curl_close)
- curl/lib/easy.c:859 (curl_easy_cleanup)
+ - For curl the actual content is a don't care.
- Closes #704
-
-- HTTP2.md: mention the disable ALPN and NPN options
-
-- TODO: 17.12 keep running, read instructions from pipe/socket
+ - The clarity of the RFC is debatable, is $ allowed or only as \$, that
+ is imho not clear
- And delete trailing whitespace
- And rename section 17 to "command line tool" from "client"
+ - Gstreamer seems to url-encode the session id but % is not allowed by
+ the RFC
- Closes #702
-
-- README.md: linkified
+ - less code
- It also makes it less readable as plain text, so let's keep this
- primarily for github use.
+ With this patch curl will correctly handle real-life lines like:
+ Session: biTN4Kc.8%2B1w-AF.; timeout=60
- Removed the top ascii art logo, as it looks weird when markdownified.
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html
-- README.md: markdown version of README
+- symbols-in-versions: add CURL_STRICTER
- Attempt to make it look more appealing on github
+ Added in 5fce88aa8c12564
-Jay Satiro (6 Mar 2016)
-- mprintf: update trio project link
+- [Simon Warta brought this change]
-Daniel Stenberg (6 Mar 2016)
-- CURLOPT_ACCEPTTIMEOUT_MS.3: added example
+ winbuild: Allow changing C compiler via environment variable CC (#952)
+
+ This makes it possible to use specific compilers or a cache.
+
+ Sample use for clcache:
+ set CC=clcache.bat
+ nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no
-- CURLOPT_ACCEPT_ENCODING.3: added example
+- LICENSE-MIXING.md: switched to markdown
-- CURLOPT_APPEND.3: added example
+- docs-make: have markdown files use .md
-- CURLOPT_NOPROGRESS.3: added example, conform to stardard style
+- curl.h: make CURL_NO_OLDIES define CURL_STRICTER
-Steve Holme (6 Mar 2016)
-- build-openssl/checksrc.bat: Fixed prepend vs append of Perl path
-
- Fixed inconsistency from commit 1eae114065 and 0ad6c72227 of the order
- in which Perl was added to the PATH.
+- HISTORY.md: use markdown extension
-Daniel Stenberg (6 Mar 2016)
-- opts: added two examples
+- SSLCERTS.md: renamed to markdown extension
-- CURLOPT_SSL_CTX_FUNCTION.3: use .NF for example
+- INTERNALS.md: use markdown extension for markdown content
-- CURLOPT_SSL_CTX_FUNCTION.3: added example
-
- and removed erroneous reference to test case lib509
+- CONTRIBUTE.md: markdown extension
-- curlx.c: use more curl style code
+- CONTRIBUTE: changed to markdown
-- test46: change cookie expiry date
+- CONTRIBUTE: refreshed
+
+- TODO: added an SSH section and two SFTP things to do
+
+- TODO: remove the 1.22 duplicated item
+
+- TODO: move "CURLOPT_MAIL_CLIENT" to SMTP section
+
+- TODO: API for URL parsing/splitting
+
+- TODO: move QUIC to the HTTP section
+
+- [Simon Warta brought this change]
+
+ winbuild: Free name $(CC) in Makefile (#950)
- Since two of the cookies would now otherwise expire and cause the test
- to fail after commit 20de9b4f09
+ In the old line number 290, CC and CURL_CC had the same value. After
+ that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?).
- Discussed in #697
+ This gets rid of the CC variable entirely. It is a first step to make it
+ possible to manualyl set a CC variable in order to be able to change the
+ compiler.
-Jay Satiro (5 Mar 2016)
-- [Viktor Szakats brought this change]
+- TODO: Use huge HTTP/2 windows
- makefile.m32: add missing libs for static -winssl-ssh2 builds
+- [Simon Warta brought this change]
+
+ winbuild: Avoid setting redundant CFLAGS to compile commands (#949)
- Bug: https://github.com/curl/curl/pull/693
+ $(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this,
+ all arguments in CURL_CFLAGS have been added twice.
-- mbedtls: fix user-specified SSL protocol version
+Jay Satiro (8 Aug 2016)
+- cmake: Enable win32 threaded resolver by default
- Prior to this change when a single protocol CURL_SSLVERSION_ was
- specified by the user that version was set only as the minimum version
- but not as the maximum version as well.
+ - Turn on USE_THREADS_WIN32 in Windows if ares isn't on
+
+ This change is similar to what we already do in the autotools build.
-Steve Holme (5 Mar 2016)
-- .gitignore: Added *.VC.opendb and *.vcxproj.user files for VC14
+- cmake: Enable win32 large file support by default
+
+ All compilers used by cmake in Windows should support large files.
+
+ - Add test SIZEOF_OFF_T
+ - Remove outdated test SIZEOF_CURL_OFF_T
+ - Turn on USE_WIN32_LARGE_FILES in Windows
+ - Check for 'Largefile' during the features output
-- build-openssl.bat: Fixed cannot find perl if installed but not in path
+Daniel Stenberg (7 Aug 2016)
+- TODO: added several ideas, removed SPDY
-- checksrc.bat: Fixed cannot find perl if installed but not in path
+- http2: always wait for readable socket
+
+ Since the server can at any time send a HTTP/2 frame to us, we need to
+ wait for the socket to be readable during all transfers so that we can
+ act on incoming frames even when uploading etc.
+
+ Reminded-by: Tatsuhiro Tsujikawa
-Jay Satiro (5 Mar 2016)
-- [Viktor Szakats brought this change]
+- RELEASE-NOTES: synced with 7b4bf37a44791
- makefile.m32: fix to allow -ssh2-winssl combination
+- [Thomas Glanzmann brought this change]
+
+ mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined
- In makefile.m32, option -ssh2 (libssh2) automatically implied -ssl
- (OpenSSL) option, with no way to override it with -winssl. Since both
- libssh2 and curl support using Windows's built-in SSL backend, modify
- the logic to allow that combination.
+ In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal
+ to 0. This patch also adds a comment how mbedtls must be compiled in
+ order to make debugging work, and explains the possible debug levels.
-- cookie: Don't expire session cookies in remove_expired
+- CURLOPT_TCP_NODELAY: now enabled by default
- Prior to this change cookies with an expiry date that failed parsing
- and were converted to session cookies could be purged in remove_expired.
+ After a few wasted hours hunting down the reason for slowness during a
+ TLS handshake that turned out to be because of TCP_NODELAY not being
+ set, I think we have enough motivation to toggle the default for this
+ option. We now enable TCP_NODELAY by default and allow applications to
+ switch it off.
- Bug: https://github.com/curl/curl/issues/697
- Reported-by: Seth Mos
+ This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
+ used to disable it.
+
+ Thanks-to: Tim Rühsen
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
-Daniel Stenberg (3 Mar 2016)
-- cookie: remove redundant check
+- [Serj Kalichev brought this change]
+
+ TFTP: Fix upload problem with piped input
- ... as it was already checked previously within the function.
+ When input stream for curl is stdin and input stream is not a file but
+ generated by a script then curl can truncate data transfer to arbitrary
+ size since a partial packet is treated as end of transfer by TFTP.
- Reported-by: Dmitry-Me
- Closes #695
+ Fixes #857
-Jay Satiro (1 Mar 2016)
-- [Anders Bakken brought this change]
-
- url: if Curl_done is premature then pipeline not in use
+- mk-ca-bundle.pl: -m keeps ca cert meta data in output
- Prevent a crash if 2 (or more) requests are made to the same host and
- pipelining is enabled and the connection does not complete.
+ Makes the script pass on comments holding meta data to the output
+ file. Like fingerprinters, issuer, date ranges etc.
- Bug: https://github.com/curl/curl/pull/690
+ Closes #937
-- [Viktor Szakats brought this change]
+- multi: make Curl_expire() work with 0 ms timeouts
+
+ Previously, passing a timeout of zero to Curl_expire() was a magic code
+ for clearing all timeouts for the handle. That is now instead made with
+ the new Curl_expire_clear() function and thus a 0 timeout is fine to set
+ and will trigger a timeout ASAP.
+
+ This will help removing short delays, in particular notable when doing
+ HTTP/2.
- makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
+- transfer: return without select when the read loop reached maxcount
- using envvars `CURL_LDFLAG_EXTRAS_DLL` and
- `CURL_LDFLAG_EXTRAS_EXE` respectively. This
- is useful f.e. to pass ASLR-related extra
- options, that are required to make this
- feature work when using the mingw toolchain.
+ Regression added in 790d6de48515. The was then added to avoid one
+ particular transfer to starve out others. But when aborting due to
+ reading the maxcount, the connection must be marked to be read from
+ again without first doing a select as for some protocols (like SFTP/SCP)
+ the data may already have been read off the socket.
- Ref: https://github.com/curl/curl/pull/670#issuecomment-190863985
+ Reported-by: Dan Donahue
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0057.html
+
+Steve Holme (3 Aug 2016)
+- [Bill Nagel brought this change]
+
+ mbedtls: Added support for NTLM
+
+Daniel Stenberg (3 Aug 2016)
+- [Sergei Nikulov brought this change]
+
+ travis: removed option to rebuild autotool from source
- Closes https://github.com/curl/curl/pull/689
+ Fixes #943
-Daniel Stenberg (29 Feb 2016)
-- formpost: fix memory leaks in AddFormData error branches
+- bump: start working toward 7.50.2
+
+Version 7.50.1 (3 Aug 2016)
+
+Daniel Stenberg (3 Aug 2016)
+- THANKS: 7 new contributors from the 7.50.1 release
+
+- RELEASE-NOTES: 7.50.1
+
+- TLS: only reuse connections with the same client cert
- Reported-by: Dmitry-Me
- Fixes #688
+ CVE-2016-5420
+ Bug: https://curl.haxx.se/docs/adv_20160803B.html
-Jay Satiro (28 Feb 2016)
-- getinfo: Fix syntax error when mbedTLS
+- TLS: switch off SSL session id when client cert is used
- The assignment of the mbedTLS TLS session info in the parent commit was
- incorrect. Change the assignment to a pointer to the session structure.
+ CVE-2016-5419
+ Bug: https://curl.haxx.se/docs/adv_20160803A.html
+ Reported-by: Bru Rom
+ Contributions-by: Eric Rescorla and Ray Satiro
-- getinfo: Add support for mbedTLS TLS session info
+- curl_multi_cleanup: clear connection pointer for easy handles
- .. and preprocessor check TLS session info is defined for all backends.
+ CVE-2016-5421
+ Bug: https://curl.haxx.se/docs/adv_20160803C.html
+ Reported-by: Marcelo Echeverria and Fernando Muñoz
-Daniel Stenberg (26 Feb 2016)
-- ROADMAP: clarify on the TLS proxy, mention HTTP cookies to work on
+- KNOWN_BUGS: SOCKS proxy not working via IPv6
+
+ Closes #835
-- file: try reading from files with no size
+- KNOWN_BUGS: CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
- Some systems have special files that report as 0 bytes big, but still
- contain data that can be read (for example /proc/cpuinfo on
- Linux). Starting now, a zero byte size is considered "unknown" size and
- will be read as far as possible anyway.
+ Closes #768
+
+- KNOWN_BUGS: transfer-encoding: chunked in HTTP/2
- Reported-by: Jesse Tan
+ Closes #662
+
+- TODO: Provide cmake config-file
- Closes #681
+ Closes #885
-Jay Satiro (25 Feb 2016)
-- configure: warn on invalid ca bundle or path
+Patrick Monnerat (2 Aug 2016)
+- os400: define BUILDING_LIBCURL in make script.
+
+Daniel Stenberg (1 Aug 2016)
+- RELEASE-NOTES: synced with aa9f536a18b
+
+Jay Satiro (1 Aug 2016)
+- [Thomas Glanzmann brought this change]
+
+ mbedtls: Fix debug function name
- - Warn if --with-ca-bundle file does not exist.
+ This patch is necessary so that curl compiles if MBEDTLS_DEBUG is
+ defined.
- - Warn if --with-ca-path directory does not contain certificates.
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
+
+Daniel Stenberg (1 Aug 2016)
+- [Sergei Nikulov brought this change]
+
+ travis: fix OSX build by re-installing libtool
- - Improve help messages for both.
+ Apparently due to a broken homebrew install
- Example configure output:
+ fixes #934
+ Closes #939
+
+- [Martin Vejnár brought this change]
+
+ win32: fix a potential memory leak in Curl_load_library
- ca cert bundle: /some/file (warning: certs not found)
- ca cert path: /some/dir (warning: certs not found)
+ If a call to GetSystemDirectory fails, the `path` pointer that was
+ previously allocated would be leaked. This makes sure that `path` is
+ always freed.
- Bug: https://github.com/curl/curl/issues/404
- Reported-by: Jeffrey Walton
+ Closes #938
-Daniel Stenberg (24 Feb 2016)
-- Curl_read: check for activated HTTP/1 pipelining, not only requested
+- include: revert 9adf3c4 and make public types void * again
- ... as when pipelining is used, we read things into a unified buffer and
- we don't do that with HTTP/2. This could then easily make programs that
- set CURLMOPT_PIPELINING = CURLPIPE_HTTP1|CURLPIPE_MULTIPLEX to get data
- intermixed or plain broken between HTTP/2 streams.
+ Many applications assume the actual contents of the public types and use
+ that do for example forward declarations (saving them from including our
+ public header) which then breaks when we switch from void * to a struct
+ *.
- Reported-by: Anders Bakken
+ I'm not convinced we were wrong, but since this practise seems
+ widespread enough I'm willing to (partly) step down.
+
+ Now libcurl uses the struct itself when it is built and it allows
+ applications to use the struct type if CURL_STRICTER is defined at the
+ time of the #include.
+
+ Reported-by: Peter Frühberger
+ Fixes #926
-Patrick Monnerat (24 Feb 2016)
-- os400: Fix ILE/RPG definition of CURLOPT_TFTP_NO_OPTIONS
+Jay Satiro (28 Jul 2016)
+- [Yonggang Luo brought this change]
-Jay Satiro (23 Feb 2016)
-- getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
+ cmake: Fix for schannel support
- The two options are almost the same, except in the case of OpenSSL:
+ The check_library_exists_concat do not check crypt32 library properly.
+ So include it directly.
- CURLINFO_TLS_SESSION OpenSSL session internals is SSL_CTX *.
+ Bug: https://github.com/curl/curl/pull/917
+ Reported-by: Yonggang Luo
- CURLINFO_TLS_SSL_PTR OpenSSL session internals is SSL *.
+ Bug: https://github.com/curl/curl/issues/935
+ Reported-by: Alain Danteny
+
+- Revert "travis: Install libtool for OS X builds"
- For backwards compatibility we couldn't modify CURLINFO_TLS_SESSION to
- return an SSL pointer for OpenSSL.
+ Didn't work.
- Also, add support for the 'internals' member to point to SSL object for
- the other backends axTLS, PolarSSL, Secure Channel, Secure Transport and
- wolfSSL.
-
- Bug: https://github.com/curl/curl/issues/234
- Reported-by: dkjjr89@users.noreply.github.com
-
- Bug: https://curl.haxx.se/mail/lib-2015-09/0127.html
- Reported-by: Michael König
+ This reverts commit 50723585ed380744358de054e2a55dccee65dfd7.
-Daniel Stenberg (23 Feb 2016)
-- multi_remove_handle: keep the timeout list until after disconnect
-
- The internal Curl_done() function uses Curl_expire() at times and that
- uses the timeout list. Better clean up the list once we're done using
- it. This caused a segfault.
+- travis: Install libtool for OS X builds
- Reported-by: 蔡文凱
- Bug: https://curl.haxx.se/mail/lib-2016-02/0097.html
+ CI is failing due to missing libtoolize, so I'm trying this.
-Kamil Dudka (23 Feb 2016)
-- tests/sshserver.pl: use RSA instead of DSA for host auth
-
- DSA is no longer supported by OpenSSH 7.0, which causes all SCP/SFTP
- test cases to be skipped. Using RSA for host authentication works with
- both old and new versions of OpenSSH.
-
- Reported-by: Karlson2k
+Daniel Stenberg (26 Jul 2016)
+- [Viktor Szakats brought this change]
+
+ TODO: minor typo in last commit
- Closes #676
+ merged #931
-Jay Satiro (23 Feb 2016)
-- TFTP: add option to suppress TFTP option requests (Part 2)
+- TODO: Timeout idle connections from the pool
+
+Patrick Monnerat (25 Jul 2016)
+- os400: minimum supported OS version: V6R1M0.
+ Do not log compilation informational messages.
+
+Jay Satiro (24 Jul 2016)
+- tests: Fix for http/2 feature
- - Add tests.
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0070.html
+ Reported-by: Paul Howarth
+
+Steve Holme (23 Jul 2016)
+- README: Mention wolfSSL in the 'Dependencies' section
+
+- vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO
- - Add an example to CURLOPT_TFTP_NO_OPTIONS.3.
+ As SPNEGO is only defined when these pre-processor variables are defined
+ there is no need to query them explicitly.
+
+- spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
- - Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS.
+ Typo introduced in commit ad5e9bfd5d.
+
+Daniel Stenberg (22 Jul 2016)
+- SECURITY: mention how to get windows-specific CVEs
- Bug: https://github.com/curl/curl/issues/481
+ ... and make the distros link a proper link
-- [Michael Koenig brought this change]
+Dan Fandrich (21 Jul 2016)
+- test558: fix test by stripping file paths from FD lines
- TFTP: add option to suppress TFTP option requests (Part 1)
-
- Some TFTP server implementations ignore the "TFTP Option extension"
- (RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
- problems with libcurl. Another switch for curl_easy_setopt
- "CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
- sending TFTP option requests to a server, avoiding many problems caused
- by faulty implementations.
-
- Bug: https://github.com/curl/curl/issues/481
+Kamil Dudka (21 Jul 2016)
+- tests: distribute the http2-server.pl script, too
-Daniel Stenberg (22 Feb 2016)
-- [Karlson2k brought this change]
+- docs: distribute the CURLINFO_HTTP_VERSION(3) man page, too
- runtests: Fixed usage of %PWD on MinGW64
-
- Closes #672
+Daniel Stenberg (21 Jul 2016)
+- bump: start working on 7.50.1
-Jay Satiro (20 Feb 2016)
-- CURLOPT_DEBUGFUNCTION.3: Fix example
+Version 7.50.0 (21 Jul 2016)
-- [Viktor Szakats brought this change]
+Daniel Stenberg (21 Jul 2016)
+- RELEASE-NOTES: version 7.50.0 ready
- src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
+- THANKS: 13 new contributors from the 7.50.0 release
+
+Jay Satiro (21 Jul 2016)
+- winbuild: fix embedded manifest option
- Sync with lib/Makefile.m32 which already uses those variables.
+ Embedded manifest option didn't work due to typo.
- Bug: https://github.com/curl/curl/pull/670
+ Reported-by: Stefan Kanthak
-Dan Fandrich (20 Feb 2016)
-- Enabled test 1437 after the bug fix in commit 3fa220a6
+- vauth: Fix memleak by freeing credentials if out of memory
+
+ This is a follow up to the parent commit dcdd4be which fixes one leak
+ but creates another by failing to free the credentials handle if out of
+ memory. Also there's a second location a few lines down where we fail to
+ do same. This commit fixes both of those issues.
-Jay Satiro (19 Feb 2016)
-- [Emil Lerner brought this change]
+Daniel Stenberg (20 Jul 2016)
+- [Saurav Babu brought this change]
- curl_sasl: Fix memory leak in digest parser
+ vauth: Fixed memory leak due to function returning without free
- If any parameter in a HTTP DIGEST challenge message is present multiple
- times, memory allocated for all but the last entry should be freed.
+ This patch allocates memory to "output_token" only when it is required
+ so that memory is not leaked if function returns.
+
+- test558: updated after ipv6-check move
- Bug: https://github.com/curl/curl/pull/667
+ Follow-up commit to c50980807c5 to make this test pass.
-Dan Fandrich (19 Feb 2016)
-- Added test 1437 to verify a memory leak
+Jay Satiro (20 Jul 2016)
+- connect: disable TFO on Linux when using SSL
- Reported-by: neex@users.noreply.github.com
+ - Linux TFO + TLS is not implemented yet.
+
+ Bug: https://github.com/curl/curl/issues/907
-Jay Satiro (18 Feb 2016)
-- CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
+Daniel Stenberg (19 Jul 2016)
+- ROADMAP: QUIC and TLS 1.3
+
+- RELEASE-NOTES: synced with c50980807c5
+
+Jay Satiro (18 Jul 2016)
+- [Brian Prodoehl brought this change]
+
+ curl_global_init: Check if IPv6 works
- Bug: https://github.com/curl/curl/issues/666
- Reported-by: baumanj@users.noreply.github.com
+ - Curl_ipv6works() is not thread-safe until after the first call, so
+ call it once during global init to avoid a possible race condition.
+
+ Bug: https://github.com/curl/curl/issues/915
+ PR: https://github.com/curl/curl/pull/918
-- curl.1: HTTP headers for --cookie must be Set-Cookie style
+- [Timothy Polich brought this change]
+
+ CURLMOPT_SOCKETFUNCTION.3: fix typo
- Bug: https://github.com/curl/curl/issues/666
- Reported-by: baumanj@users.noreply.github.com
+ Closes https://github.com/curl/curl/pull/914
-Daniel Stenberg (18 Feb 2016)
-- curl.1: add a missing dash
+- [Miroslav Franc brought this change]
-- CONTRIBUTING.md: fix links
+ library: Fix memory leaks found during static analysis
+
+ Closes https://github.com/curl/curl/pull/913
-- ISSUE_TEMPLATE: github issue template
+- [Viktor Szakats brought this change]
+
+ cookie.c: Fix misleading indentation
- First version, try this out!
+ Closes https://github.com/curl/curl/pull/911
-- CONTRIBUTING.md: move into .github
+- FAQ: Update FTP directory listing section for MLSD command
- To hide github specific files somewhat from the rest.
+ Explain how some FTP servers support the machine readable listing
+ format MLSD from RFC 3659 and compare it to LIST.
+
+ Ref: https://github.com/curl/curl/issues/906
-- opts: add references
+Daniel Stenberg (1 Jul 2016)
+- [Sergei Nikulov brought this change]
-- examples/make: add 'checksrc' target
+ Appveyor: Updates for options - CURL_STATICLIB/BUILD_TESTING
+
+ Closes #892
-- 10-at-a-time: typecast the argument passed to sleep()
+- TODO: 17.4 also brings more HTTP/2 support
-- externalsocket.c: fix compiler warning for fwrite return type
+- TODO: try next proxy if one doesn't work
+
+ Closes #896
-- anyauthput.c: fix compiler warnings
+- conn: don't free easy handle data in handler->disconnect
+
+ Reported-by: Gou Lingfeng
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html
-- simplessl.c: warning: while with space
+- test1244: test different proxy ports same URL
-- curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
+- curl_global_init.3: improved formatting of the flags
+
+- curl_global_init.3: expand on the SSL and WIN32 bits purpose
- Reported-By: Gisle Vanem
+ Reported-by: Richard Gray
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0136.html
-- http2: don't decompress gzip decoding automatically
+- [Michael Kaufmann brought this change]
+
+ cleanup: minor code cleanup in Curl_http_readwrite_headers()
- At one point during the development of HTTP/2, the commit 133cdd29ea0
- introduced automatic decompression of Content-Encoding as that was what
- the spec said then. Now however, HTTP/2 should work the same way as
- HTTP/1 in this regard.
+ - the expression of an 'if' was always true
+ - a 'while' contained a condition that was always true
+ - use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)'
+ - fixed a typo
- Reported-by: Kazuho Oku
+ Closes #889
+
+- SFTP: set a generic error when no SFTP one exists...
- Closes #661
+ ... as otherwise we could get a 0 which would count as no error and we'd
+ wrongly continue and could end up segfaulting.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html
+ Reported-by: 暖和的和暖
-Jay Satiro (16 Feb 2016)
-- [Tatsuhiro Tsujikawa brought this change]
+- ROADMAP: http2 tests are merged, mention http2 perf
- http: Don't break the header into chunks if HTTP/2
+- docs/README.md: to render nicer pages on github
- nghttp2 callback deals with TLS layer and therefore the header does not
- need to be broken into chunks.
+ ... as previously the README.cmake would be picked and put at the bottom
+ of the docs page there and it wasn't very representative!
+
+- README.md: change host name for the svg logo
- Bug: https://github.com/curl/curl/issues/659
- Reported-by: Kazuho Oku
+ rawgit.com asks to use the domain cdn.rawgit.com for production
+
+ See #900
-Daniel Stenberg (16 Feb 2016)
- [Viktor Szakats brought this change]
- openssl: use macro to guard the opaque EVP_PKEY branch
+ README.md: use the SVG logo
-- [Viktor Szakats brought this change]
+- README.md: logo on top!
- openssl: avoid direct PKEY access with OpenSSL 1.1.0
-
- by using API instead of accessing an internal structure.
- This is required starting OpenSSL 1.1.0-pre3.
+- KNOWN_BUGS: 3.4 POP3 expects "CRLF.CRLF" eob for some
- Closes #650
+ Closes #740
-- RELEASE-NOTES: synced with ede0bfc079da
+- RELEASE-NOTES: synced with d61c80515aa8
-- [Clint Clayton brought this change]
+- [Michael Osipov brought this change]
- CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
+ acinclude.m4: improve autodetection of CA bundle on FreeBSD
- Change the example in the docs for CURLOPT_CONNECTTIMEOUT_MS to use
- CURLOPT_CONNECTTIMEOUT_MS instead of CURLOPT_CONNECTTIMEOUT.
+ The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle
+ to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the
+ discovery process.
- Closes #653
+ This change also removes the former FreeBSD path that has been obsolete
+ for 8 years since this FreeBSD ports commit:
+ https://svnweb.freebsd.org/ports/head/security/?view=revision&revision=215953
+
+ Closes #894
-- opt-docs: add more references
+- configure: don't specify .lib for libs on windows
+
+ Another follow up for crypt32.lib linking with winssl
-- [David Byron brought this change]
+- configure: fix winssl LIBS change typo
+
+ follow-up from 120bf29e
- SCP: use libssh2_scp_recv2 to support > 2GB files on windows
+- TODO: "TCP Fast Open" is done, add monitor pool connections
+
+- configure: add crypt32.lib for winssl builds
- libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any
- day now.
+ Necessary since 6cabd78531f
+
+- Makefile.vc: link with crypt32.lib for winssl builds
- Closes #451
+ Necessary since 6cabd78531f
+
+ Fixes #853
-Jay Satiro (13 Feb 2016)
-- [Shine Fan brought this change]
+- [Joel Depooter brought this change]
- gtls: fix for builds lacking encrypted key file support
+ VC: Add crypt32.lib to Visual Sudio project template files
- Bug: https://github.com/curl/curl/pull/651
+ Closes #854
-Dan Fandrich (13 Feb 2016)
-- test1604: Add to Makefile.inc so it gets run
+- vc: fix the build for schannel certinfo support
+
+ Broken since 6cabd785, which adds use of the Curl_extract_certinfo
+ function from the x509asn1.c file.
-Jay Satiro (12 Feb 2016)
-- generate.bat: Fix comment bug by removing old comments
+- typedefs: use the full structs in internal code...
- Remove NOTES section, it's no longer needed since we aren't setting the
- errorlevel and more importantly the recently updated URL in the comments
- is causing some unusual behavior that breaks the script.
+ ... and save the typedef'ed names for headers and external APIs.
+
+- internals: rename the SessionHandle struct to Curl_easy
+
+- headers: forward declare CURL, CURLM and CURLSH as structs
- Closes https://github.com/curl/curl/issues/649
+ Instead of typedef'ing to void, typedef to their corresponding actual
+ struct names to allow compilers to type-check.
+
+ Assisted-by: Reinhard Max
-Kamil Dudka (12 Feb 2016)
-- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
+Jay Satiro (22 Jun 2016)
+- vtls: Only call add/getsession if session id is enabled
- The behavior has been clarified in CURLOPT_FTP_USE_{EPRT,EPSV}.3 man
- pages since curl-7_12_3~131. This patch makes it clear in the curl.1
- man page, too.
+ Prior to this change we called Curl_ssl_getsessionid and
+ Curl_ssl_addsessionid regardless of whether session ID reusing was
+ enabled. According to comments that is in case session ID reuse was
+ disabled but then later enabled.
- Bug: https://bugzilla.redhat.com/1305970
+ The old way was not intuitive and probably not something users expected.
+ When a user disables session ID caching I'd guess they don't expect the
+ session ID to be cached anyway in case the caching is later enabled.
-Daniel Stenberg (12 Feb 2016)
-- dist: ship buildconf.bat too
+Daniel Stenberg (22 Jun 2016)
+- curl.1: the used progress meter suffix is k in lower case
- As the winbuild/* stuff uses it!
+ Closes #883
-- curlx_tvdiff: handle 32bit time_t overflows
+- [Sergei Nikulov brought this change]
+
+ cmake: now using BUILD_TESTING=ON/OFF
- On 32bit systems, make sure we don't overflow and return funky values
- for very large time differences.
+ CMake build now using BUILD_TESTING=ON/OFF (default is OFF) to build
+ tests and enabling CTest integration. Options BUILD_CURL_TESTS and
+ BUILD_DASHBOARD_REPORTS was removed.
- Reported-by: Anders Bakken
+ Closes #882
- Closes #646
+ Reviewed-by: Brad King
-- examples: fix some compiler warnings
+- [Michael Kaufmann brought this change]
-- simplessl.c: fix my breakage
+ cleanup: fix method names in code comments
+
+ Closes #887
-- examples: adhere to curl code style
+Kamil Dudka (21 Jun 2016)
+- curl-compilers.m4: improve detection of GCC's -fvisibility= flag
- All plain C examples now (mostly) adhere to the curl code style. While
- they are only examples, they had diverted so much and contained all
- sorts of different mixed code styles by now. Having them use a unified
- style helps users and readability. Also, as they get copy-and-pasted
- widely by users, making sure they're clean and nice is a good idea.
+ Some builds of GCC produce output on both stdout and stderr when --help
+ --verbose is used. The 2>&1 redirection caused them to be arbitrarily
+ interleaved with each other because of stream buffering. Consequently,
+ grep failed to match the fvisibility= string in the mixed output, even
+ though the string was present in GCC's standard output.
- 573 checksrc warnings were addressed.
+ This led to silently disabling symbol hiding in some builds of curl.
-- examples/cookie_interface.c: add cleanup call
+Daniel Stenberg (19 Jun 2016)
+- tests: fix the HTTP/2 tests
- cleaning up handles is a good idea as we leak memory otherwise
+ The HTTP/2 tests brought with commit bf05606ef1f were using the internal
+ name 'http2' for the HTTP/2 server, while in fact that name was already
+ used for the second instance of the HTTP server. This made tests using
+ the second instance (like test 2050) fail after a HTTP/2 test had run.
- Also, line wrapped before 80 columns.
+ The server is now known as HTTP/2 internally and within the <server>
+ section in test cases. 1700, 1701 and 1702 were updated accordingly.
-Kamil Dudka (10 Feb 2016)
-- nss: search slash in forward direction in dup_nickname()
-
- It is wasteful to search it backwards if we look for _any_ slash.
+- openssl: use more 'const' to fix build warnings with 1.1.0 branch
-- nss: do not count enabled cipher-suites
+- curl.1: missed 'T' in the progress unit suffixes
+
+- curl.1: mention the unix for the progress meter
+
+Patrick Monnerat (16 Jun 2016)
+- os400: add new definitions to ILE/RPG binding.
+
+Daniel Stenberg (16 Jun 2016)
+- openssl: fix cert check with non-DNS name fields present
- We only care if at least one cipher-suite is enabled, so it does
- not make any sense to iterate till the end and count all enabled
- cipher-suites.
+ Regression introduced in 5f5b62635 (released in 7.48.0)
+
+ Reported-by: Fabian Ruff
+ Fixes #875
-Daniel Stenberg (10 Feb 2016)
-- contributors.sh: make 79 the max column width (from 80)
+Dan Fandrich (16 Jun 2016)
+- axtls: Use Curl_wait_ms instead of the less-portable usleep
-- RELEASE-NOTES: synced with c276aefee3995
+- axtls: Fixed compile after compile 31c521b0
-- mbedtls.c: re-indent to better match curl standards
+- tests: Added HTTP proxy keywords to tests 1141 & 1142
-- [Rafael Antonio brought this change]
+Jay Satiro (15 Jun 2016)
+- [Sergei Nikulov brought this change]
- mbedtls: fix memory leak when destroying SSL connection data
+ cmake: Fix build with winldap
- Closes #626
+ Bug: https://github.com/curl/curl/pull/874
+ Reported-by: Sergei Nikulov
-- mbedtls: fix ALPN usage segfault
+- CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
- Since we didn't keep the input argument around after having called
- mbedtls, it could end up accessing the wrong memory when figuring out
- the ALPN protocols.
+ When CURLOPT_POSTFIELDS is set to an empty string libcurl will send a
+ zero-byte POST. Prior to this change it was documented as sending data
+ from the read callback.
- Closes #642
+ This also changes the wording of what happens when empty or NULL so that
+ it's hopefully easier to understand for people whose primary language
+ isn't English.
+
+ Bug: https://github.com/curl/curl/issues/862
+ Reported-by: Askar Safin
-Jay Satiro (9 Feb 2016)
-- [Timotej Lazar brought this change]
+- [Michael Wallner brought this change]
- opts: update references to renamed options
+ curl_multi_socket_action.3: Fix rewording
+
+ - Remove some erroneous text.
+
+ Closes https://github.com/curl/curl/pull/865
-- KNOWN_BUGS: Update #92 - Windows device prefix
+- [Luo Jinghua brought this change]
-- tool_doswin: Support for literal path prefix \\?\
+ resolve: enable protocol family logic for synthesized IPv6
- For example something like --output \\?\C:\foo
+ - Enable protocol family logic for IPv6 resolves even when support
+ for synthesized addresses is enabled.
+
+ This is a follow up to the parent commit that added support for
+ synthesized IPv6 addresses from IPv4 on iOS/OS X. The protocol family
+ logic needed for IPv6 was inadvertently excluded if support for
+ synthesized addresses was enabled.
+
+ Bug: https://github.com/curl/curl/issues/863
+ Ref: https://github.com/curl/curl/pull/866
+ Ref: https://github.com/curl/curl/pull/867
-Daniel Stenberg (9 Feb 2016)
-- configure: state "BoringSSL" in summary when that was detected
+Daniel Stenberg (7 Jun 2016)
+- [Luo Jinghua brought this change]
-- [David Benjamin brought this change]
+ resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
+
+ Use getaddrinfo() to resolve the IPv4 address literal on iOS/Mac OS X.
+ If the current network interface doesn’t support IPv4, but supports
+ IPv6, NAT64, and DNS64.
+
+ Closes #866
+ Fixes #863
- openssl: remove most BoringSSL #ifdefs.
+- tests: two more HTTP/2 tests
- As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
- BoringSSL #ifdefs in cURL should be unnecessary:
+ 1701 and 1702
+
+- runtests: don't display logs when http2 server fails to start
+
+- runtests: make stripfile work on stdout as well
- - BoringSSL provides no-op stubs for compatibility which replaces most
- #ifdefs.
+ ... and have test 1700 use that to strip out the nghttpx server: headers
+
+- http2-tests: test1700 is the first real HTTP/2 test
- - DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
- the compatibility codepath.
-
- - With a small tweak to an extend_key_56_to_64 call, the NTLM code
- builds fine.
-
- - Switch OCSP-related #ifdefs to the more generally useful
- OPENSSL_NO_OCSP.
+ It requires that 'nghttpx' is in the PATH, and it will run the tests
+ using nghttpx as a front-end proxy in front of the standard HTTP/1 test
+ server. This uses HTTP/2 over plain TCP.
- The only #ifdefs which remain are Curl_ossl_version and the #undefs to
- work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
- that to the consumer. The in-header workaround makes things sensitive to
- include order.)
-
- This change errs on the side of removing conditionals despite many of
- the restored codepaths being no-ops. (BoringSSL generally adds no-op
- compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
- bad enough!)
+ If you like me have nghttpx installed in a custom path, you can run test 1700
+ like this:
- Closes #640
+ $ PATH=$PATH:$HOME/build-nghttp2/bin/ ./runtests.pl 1700
-Jay Satiro (8 Feb 2016)
-- KNOWN_BUGS: Windows device prefix is required for devices
+- RELEASE-NOTES: synced with 34855feeb4c299
-- tool_urlglob: Allow reserved dos device names (Windows)
+Steve Holme (6 Jun 2016)
+- schannel: Disable ALPN on Windows < 8.1
- Allow --output to reserved dos device names without the device prefix
- for backwards compatibility.
+ Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL
+ fails on Windows < 8.1 so we need to disable ALPN on these OS versions.
- Example: --output NUL can be used instead of --output \\.\NUL
+ Inspiration provide by: Daniel Seither
- Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863
- Reported-by: Gisle Vanem
+ Closes #848
+ Fixes #840
-Daniel Stenberg (8 Feb 2016)
-- cookies: allow spaces in cookie names, cut of trailing spaces
+Jay Satiro (5 Jun 2016)
+- checksrc: Add LoadLibrary to the banned functions list
- It turns out Firefox and Chrome both allow spaces in cookie names and
- there are sites out there using that.
+ LoadLibrary was supplanted by Curl_load_library for security
+ reasons in 6df916d.
+
+- http: Fix HTTP/2 connection reuse
- Turned out the code meant to strip off trailing space from cookie names
- didn't work. Fixed now.
+ - Change the parser to not require a minor version for HTTP/2.
- Test case 8 modified to verify both these changes.
+ HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2
+ in 8243a95 because the parser still expected a minor version.
- Closes #639
-
-Patrick Monnerat (8 Feb 2016)
-- Merge branch 'master' of github.com:curl/curl
+ Bug: https://github.com/curl/curl/issues/855
+ Reported-by: Andrew Robbins, Frank Gevaerts
-- os400: sync ILE/RPG definitions with latest public header files.
+Steve Holme (4 Jun 2016)
+- connect.c: Fixed compilation warning from commit 332e8d6164
+
+ connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else'
-Daniel Stenberg (8 Feb 2016)
-- [Ludwig Nussel brought this change]
+- win32: Used centralised verify windows version function
+
+ Closes #845
- SSLCERTS: update wrt SSL CA certificate store
+- win32: Added verify windows version functionality
-- [Ludwig Nussel brought this change]
+- win32: Introduced centralised verify windows version function
- configure: --with-ca-fallback: use built-in TLS CA fallback
+Kamil Dudka (3 Jun 2016)
+- tool_urlglob: fix off-by-one error in glob_parse()
- When trying to verify a peer without having any root CA certificates
- set, this makes libcurl use the TLS library's built in default as
- fallback.
+ ... causing SIGSEGV while parsing URL with too many globs.
+ Minimal example:
- Closes #569
+ $ curl $(for i in $(seq 101); do printf '{a}'; done)
+
+ Reported-by: Romain Coltel
+ Bug: https://bugzilla.redhat.com/1340757
-- Proxy-Connection: stop sending this header by default
+Daniel Stenberg (1 Jun 2016)
+- [Benjamin Kircher brought this change]
+
+ libcurl-multi.3: fix small typo
- RFC 7230 says we should stop. Firefox already stopped.
+ Closes #850
+
+- [Viktor Szakats brought this change]
+
+ makefile.m32: add crypt32 for winssl builds
- Bug: https://github.com/curl/curl/issues/633
- Reported-By: Brad Fitzpatrick
+ Dependency added by 6cabd78
- Closes #633
+ Closes #849
-- bump: work toward the next release
+- [Ivan Avdeev brought this change]
-- THANKS: 2 contributors from the 7.47.1 release
+ vtls: fix ssl session cache race condition
+
+ Sessionid cache management is inseparable from managing individual
+ session lifetimes. E.g. for reference-counted sessions (like those in
+ SChannel and OpenSSL engines) every session addition and removal
+ should be accompanied with refcount increment and decrement
+ respectively. Failing to do so synchronously leads to a race condition
+ that causes symptoms like use-after-free and memory corruption.
+ This commit:
+ - makes existing session cache locking explicit, thus allowing
+ individual engines to manage lock's scope.
+ - fixes OpenSSL and SChannel engines by putting refcount management
+ inside this lock's scope in relevant places.
+ - adds these explicit locking calls to other engines that use
+ sessionid cache to accommodate for this change. Note, however,
+ that it is unknown whether any of these engines could also have
+ this race.
+
+ Bug: https://github.com/curl/curl/issues/815
+ Fixes #815
+ Closes #847
-- RELEASE-PROCEDURE: remove the github upload part
+- [Andrew Kurushin brought this change]
+
+ schannel: add CURLOPT_CERTINFO support
- ... as we're HTTPS on the main site now, there's no point in that
- extra step
+ Closes #822
-Version 7.47.1 (8 Feb 2016)
+- RELEASE-NOTES: synced with 142ee9fa15002315
-Daniel Stenberg (8 Feb 2016)
-- RELEASE-NOTES: curl 7.47.1 time!
+- openssl: rename the private SSL_strerror
+
+ ... to make it not look like an OpenSSL function
-Jay Satiro (8 Feb 2016)
-- tool_operhlp: Check for backslashes in get_url_file_name
+- [Michael Kaufmann brought this change]
+
+ openssl: Use correct buffer sizes for error messages
- Extract the filename from the last slash or backslash. Prior to this
- change backslashes could be part of the filename.
+ Closes #844
+
+- curl: fix -q [regression]
- This change needed for the curl tool built for Cygwin. Refer to the
- CYGWIN addendum in advisory 20160127B.
+ This broke in 7.49.0 with commit e200034425a7625
- Bug: https://curl.haxx.se/docs/adv_20160127B.html
-
-Daniel Stenberg (7 Feb 2016)
-- RELEASE-NOTES: synced with d6a8869ea34
+ Fixes #842
-Jay Satiro (6 Feb 2016)
-- openssl: Fix signed/unsigned mismatch warning in X509V3_ext
+- URL parser: allow URLs to use one, two or three slashes
- sk_X509_EXTENSION_num may return an unsigned integer, however the value
- will fit in an int.
+ Mostly in order to support broken web sites that redirect to broken URLs
+ that are accepted by browsers.
- Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
- Reported-by: Gisle Vanem
+ Browsers are typically even more leniant than this as the WHATWG URL
+ spec they should allow an _infinite_ amount. I tested 8000 slashes with
+ Firefox and it just worked.
+
+ Added test case 1141, 1142 and 1143 to verify the new parser.
+
+ Closes #791
-Daniel Stenberg (7 Feb 2016)
-- TODO: 17.11 -w output to stderr
+- [Renaud Lehoux brought this change]
-Jay Satiro (6 Feb 2016)
-- [Michael Kaufmann brought this change]
+ cmake: Added missing mbedTLS support
+
+ Closes #837
- idn_win32: Better error checking
+- [Renaud Lehoux brought this change]
+
+ mbedtls: removed unused variables
- .. also fix a conversion bug in the unused function
- curl_win32_ascii_to_idn().
+ Closes #838
+
+- [Frank Gevaerts brought this change]
+
+ http: add CURLINFO_HTTP_VERSION and %{http_version}
- And remove wprintfs on error (Jay).
+ Adds access to the effectively used http version to both libcurl and
+ curl.
- Bug: https://github.com/curl/curl/pull/637
+ Closes #799
-- [Gisle Vanem brought this change]
+- bump: start the journey toward 7.50.0
- examples/asiohiper: Avoid function name collision on Windows
+- [Marcel Raad brought this change]
+
+ openssl: fix build with OPENSSL_NO_COMP
- closesocket => close_socket
- Winsock already has the former.
+ With OPENSSL_NO_COMP defined, there is no function
+ SSL_COMP_free_compression_methods
- Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html
+ Closes #836
- [Gisle Vanem brought this change]
- examples/htmltitle: Use _stricmp on Windows
+ memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
- Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html
+ Fixes #828
-Daniel Stenberg (6 Feb 2016)
-- COPYING: clarify that Daniel is not the sole author
+- [Jonathan brought this change]
+
+ README.md: polish
- ... done on request and as it is a fair point.
+ Closes #834
-Jay Satiro (5 Feb 2016)
-- unit1604: Fix unit setup return code
+- RELEASE-NOTES: fix vuln link
-- tool_doswin: Use type SANITIZEcode in sanitize_file_name
+Version 7.49.1 (30 May 2016)
-- tool_doswin: Improve sanitization processing
+Daniel Stenberg (30 May 2016)
+- RELEASE-NOTES: 7.49.1
+
+- [Steve Holme brought this change]
+
+ loadlibrary: Only load system DLLs from the system directory
- - Add unit test 1604 to test the sanitize_file_name function.
+ Inspiration provided by: Daniel Stenberg and Ray Satiro
- - Use -DCURL_STATICLIB when building libcurltool for unit testing.
+ Bug: https://curl.haxx.se/docs/adv_20160530.html
- - Better detection of reserved DOS device names.
+ Ref: Windows DLL hijacking with curl, CVE-2016-4802
+
+- ssh: fix version number check typo
+
+Jay Satiro (29 May 2016)
+- curl_share_setopt.3: Add min ver needed for ssl session lock
- - New flags to modify sanitize behavior:
+ Bug: https://github.com/curl/curl/issues/826
+ Reported-by: Michael Wallner
+
+Daniel Stenberg (29 May 2016)
+- ssh: fix build for libssh2 before 1.2.6
- SANITIZE_ALLOW_COLONS: Allow colons
- SANITIZE_ALLOW_PATH: Allow path separators and colons
- SANITIZE_ALLOW_RESERVED: Allow reserved device names
- SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename
+ The statvfs functionality was added to libssh2 in that version, so we
+ switch off that functionality when built with older libraries.
- - Restore sanitization of banned characters from user-specified outfile.
+ Fixes #831
+
+- mbedtls: fix includes so snprintf() works
- Prior to this commit sanitization of a user-specified outfile was
- temporarily disabled in 2b6dadc because there was no way to allow path
- separators and colons through while replacing other banned characters.
- Now in such a case we call the sanitize function with
- SANITIZE_ALLOW_PATH which allows path separators and colons to pass
- through.
+ Regression from the previous *printf() rearrangements, this file missed to
+ include the correct header to make sure snprintf() works universally.
+ Reported-by: Moti Avrahami
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
+
+Steve Holme (23 May 2016)
+- checksrc.pl: Added variants of strcat() & strncat() to banned function list
- Closes https://github.com/curl/curl/issues/624
- Reported-by: Octavio Schroeder
+ Added support for checking the tchar, unicode and mbcs variants of
+ strcat() and strncat() in the banned function list.
-- [Viktor Szakats brought this change]
+Daniel Stenberg (23 May 2016)
+- smtp: minor ident (white space) fixes
- URLs: change more http to https
+- THANKS: updated after script fixes
+
+ Now giving credit properly to github user names, fixed some UTF-8 issues
+ and added names discovered when contrithanks was improved.
-- sasl_sspi: Fix memory leak in domain populate
+- THANKS-filter: more name cleanups
+
+- contrithanks.sh: exclude existing names case insensitively
+
+- contrithanks.sh: use same grep pattern and -a flag as contributors.sh
+
+- contributors.sh: better grep pattern, use grep -a
+
+- THANKS-filter: fix more names
+
+- contrithanks.sh: do the same github fix as contributors.sh
- Free an existing domain before replacing it.
+ from 1577bfa35ba
+
+Jay Satiro (23 May 2016)
+- contributors: Show GitHub username if real name unknown
- Bug: https://github.com/curl/curl/issues/635
- Reported-by: silveja1@users.noreply.github.com
+ Prior to this change if a GitHub contributor's real name was unknown
+ they would be omitted from the list.
+
+ Bug: https://github.com/curl/curl/issues/824
-Daniel Stenberg (4 Feb 2016)
-- [Viktor Szakats brought this change]
+Daniel Stenberg (21 May 2016)
+- RELEASE-NOTES: synced with 3caaeffbe8ded4
- URLs: follow GitHub project rename (also Travis CI)
+Jay Satiro (20 May 2016)
+- openssl: cleanup must free compression methods
- Closes #632
-
-- CHANGES.o: fix references to curl.haxx.nu
+ - Free compression methods if OpenSSL 1.0.2 to avoid a memory leak.
- I removed the scheme prefix from the URLs references this host name, as
- we don't own/run that anymore but the name is kept for historic reasons.
+ Bug: https://github.com/curl/curl/issues/817
+ Reported-by: jveazey@users.noreply.github.com
-- HISTORY: add some info about when we used which host names
+Daniel Stenberg (20 May 2016)
+- [Gisle Vanem brought this change]
-Jay Satiro (2 Feb 2016)
-- [Viktor Szakats brought this change]
+ curl_multibyte: fix compiler error
+
+ While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was
+ getting:
+
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '('
+ to follow 'CURL_EXTERN'
+
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085:
+ 'curl_domalloc': not in formal parameter list
- URLs: change more http to https
+- THANKS-filter: make Jan-E get proper credit
-Dan Fandrich (3 Feb 2016)
-- URLs: Change more haxx.se URLs from http: to https:
+- [Jan-E brought this change]
-Daniel Stenberg (3 Feb 2016)
-- RELEASE-NOTES: synced with 4af40b364
+ winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
+
+ Closes #818
-- URLs: change all http:// URLs to https://
+- [Alexander Traud brought this change]
-- configure: update the copyright year range in output
+ libcurl.m4: Avoid obsolete warning
+
+ Closes #821
-- dotdot: allow an empty input string too
+Jay Satiro (20 May 2016)
+- [Michael Kaufmann brought this change]
+
+ CURLOPT_CONNECT_TO.3: user must not free the list prematurely
- It isn't used by the code in current conditions but for safety it seems
- sensible to at least not crash on such input.
+ The connect-to list isn't copied so as long as the handle may be used
+ for a transfer the list must be valid.
- Extended unit test 1395 to verify this too as well as a plain "/" input.
+ Bug: https://github.com/curl/curl/pull/819
+ Reported-by: Michael Kaufmann
-- HTTPS: update a bunch of URLs from HTTP to HTTPS
+Daniel Stenberg (19 May 2016)
+- RELEASE-NOTES: synced with 48114a8634242c
-- [Sergei Nikulov brought this change]
+- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
+
+ See OpenSSL commit 21e001747d4a
- AppVeyor: updated to handle OpenSSL/WinSSL builds
+- http2: use HTTP/2 in the HTTP/1.1-alike header
- Closes #621
+ ... when generating them, not "2.0" as the protocol is called just
+ HTTP/2 and nothing else.
-Jay Satiro (1 Feb 2016)
-- tool_operate: Don't sanitize --output path (Windows)
+Jay Satiro (19 May 2016)
+- dist: include curl_multi_socket_all.3
- Due to path separators being incorrectly sanitized in --output
- pathnames, eg -o c:\foo => c__foo
+ Closes https://github.com/curl/curl/pull/816
+
+Steve Holme (18 May 2016)
+- bump: Start work on 7.49.1
+
+Daniel Stenberg (18 May 2016)
+- curlbuild.h.dist: check __LP64__ as well to fix MIPS build
- This is a partial revert of 3017d8a until I write a proper fix. The
- remote-name will continue to be sanitized, but if the user specified an
- --output with string replacement (#1, #2, etc) that data is unsanitized
- until I finish a fix.
+ The preprocessor check that sets up the 32bit defines for non-configure
+ builds didn't work properly for MIPS systems as __mips__ is defined for
+ both 32bit and 64bit. Now __LP64__ is also checked and indicates 64bit.
- Bug: https://github.com/bagder/curl/issues/624
- Reported-by: Octavio Schroeder
+ Reported-by: Tomas Jakobsson
+ Fixes #813
-- curl.1: Explain remote-name behavior if file already exists
+- [Marcel Raad brought this change]
+
+ schannel: fix compile break with MSVC XP toolset
- .. also warn about letting the server pick the filename.
+ For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK
+ 7.1 is used. In this case, _USING_V110_SDK71_ is defined.
+
+ Closes #812
-- [Gisle Vanem brought this change]
+- dist: include CHECKSRC.md
+
+ Reported-by: Paul Howarth
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0116.html
- urldata: Error on missing SSL backend-specific connect info
+- test/Makefile.am: include manpage-scan.pl and nroff-scan.pl in dist
+
+ Reported-by: Ray Satiro
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0113.html
-Daniel Stenberg (28 Jan 2016)
-- bump: towards the next (7.47.1 ?)
+Version 7.49.0 (17 May 2016)
-- [Sergei Nikulov brought this change]
+Daniel Stenberg (17 May 2016)
+- THANKS: 24 new names from 7.49.0 release notes
- cmake: fixed when OpenSSL enabled on Windows and schannel detected
+- RELEASE-NOTES: 7.49.0
+
+- mbedtls/polarssl: set "hostname" unconditionally
- Closes #617
+ ...as otherwise the TLS libs will skip the CN/SAN check and just allow
+ connection to any server. curl previously skipped this function when SNI
+ wasn't used or when connecting to an IP address specified host.
+
+ CVE-2016-3739
+
+ Bug: https://curl.haxx.se/docs/adv_20160518A.html
+ Reported-by: Moti Avrahami
-Jay Satiro (28 Jan 2016)
-- [Sergei Nikulov brought this change]
+- [Frank Gevaerts brought this change]
- urldata: moved common variable out of ifdef
+ CURLOPT_RESOLVE.3: fix typo
- Closes https://github.com/bagder/curl/pull/618
+ Closes #811
-- [Viktor Szakats brought this change]
+- docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE
- tool_doswin: silence unused function warning
+- KNOWN_BUGS: GnuTLS backend skips really long certificate fields
- tool_doswin.c:185:14: warning: 'msdosify' defined but not used
- [-Wunused-function]
+ Closes #762
+
+- CURLOPT_HTTPPOST.3: the data needs to be around while in use
+
+- openssl: get_cert_chain: fix NULL dereference
- Closes https://github.com/bagder/curl/pull/616
+ CID 1361815: Explicit null dereferenced (FORWARD_NULL)
-Daniel Stenberg (27 Jan 2016)
-- getredirect.c: fix variable name
+- openssl: get_cert_chain: avoid NULL dereference
- Reported-by: Bernard Spil
+ CID 1361811: Explicit null dereferenced (FORWARD_NULL)
-Version 7.47.0 (27 Jan 2016)
+- dprintf_formatf: fix (false?) Coverity warning
+
+ CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when
+ we run over 'workend' but the condition says <= workend and for all I
+ can see it should be safe. Compensating for the warning by adding a byte
+ margin in the buffer.
+
+ Also, removed the extra brace level indentation in the code and made it
+ so that 'workend' is only assigned once within the function.
-Daniel Stenberg (27 Jan 2016)
-- examples/Makefile.inc: specify programs without .c!
+- RELEASE-NOTES: synced with 2dcb5adc72d6
-- THANKS: 6 new contributors from 7.47.0 release notes
+- THANKS-filter: fixed Jonathan Cardoso
-- [Isaac Boukris brought this change]
+Jay Satiro (15 May 2016)
+- ftp: fix incorrect out-of-memory code in Curl_pretransfer
+
+ - Return value type must match function type.
+
+ s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/
+
+ Caught by Travis CI
- NTLM: Fix ConnectionExists to compare Proxy credentials
+Daniel Stenberg (15 May 2016)
+- ftp wildcard: segfault due to init only in multi_perform
- Proxy NTLM authentication should compare credentials when
- re-using a connection similar to host authentication, as it
- authenticate the connection.
+ The proper FTP wildcard init is now more properly done in Curl_pretransfer()
+ and the corresponding cleanup in Curl_close().
- Example:
- curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
- --proxy-ntlm --next -x http://proxy:port http://host/
- [-U fake_user:fake_pwd --proxy-ntlm]
-
- CVE-2016-0755
+ The previous place of init/cleanup code made the internal pointer to be NULL
+ when this feature was used with the multi_socket() API, as it was made within
+ the curl_multi_perform() function.
- Bug: http://curl.haxx.se/docs/adv_20160127A.html
-
-- [Ray Satiro brought this change]
+ Reported-by: Jonathan Cardoso Machado
+ Fixes #800
- curl: avoid local drive traversal when saving file (Windows)
-
- curl does not sanitize colons in a remote file name that is used as the
- local file name. This may lead to a vulnerability on systems where the
- colon is a special path character. Currently Windows/DOS is the only OS
- where this vulnerability applies.
-
- CVE-2016-0754
+Jay Satiro (13 May 2016)
+- libcurl-tlibcurl-thread: Update OpenSSL links
- Bug: http://curl.haxx.se/docs/adv_20160127B.html
+ Because the old OpenSSL link now redirects to their master documentation
+ (currently 1.1.0), which does not document the required actions for
+ OpenSSL <= 1.0.2.
-- RELEASE-NOTES: 7.47.0
+Daniel Stenberg (13 May 2016)
+- [Viktor Szakats brought this change]
-- FAQ: language fix in 4.19
+ darwinssl.c: fix OS X codename typo in comment
-- [paulehoffman brought this change]
+- RELEASE-NOTES: synced with 68701e51c1f7
+
+ Added 8 bug fixes and 5 more contrbutors
- FAQ: Update to point to GitHub
+- [Jay Satiro brought this change]
+
+ mprintf: Fix processing of width and prec args
- Current FAQ didn't make it clear where the main repo is.
+ Prior to this change a width arg could be erroneously output, and also
+ width and precision args could not be used together without crashing.
- Closes #612
-
-- maketgz: generate date stamp with LC_TIME=C
+ "%0*d%s", 2, 9, "foo"
- bug: http://curl.haxx.se/mail/lib-2016-01/0123.html
+ Before: "092"
+ After: "09foo"
+
+ "%*.*s", 5, 2, "foo"
+
+ Before: crash
+ After: " fo"
+
+ Test 557 is updated to verify this and more
-- curl_multi_socket_action.3: line wrap
+- [Michael Kaufmann brought this change]
-- RELEASE-NOTES: synced with d58ba66eeceb
+ ConnectionExists: follow-up fix for proxy re-use
+
+ Follow-up commit to 5823179
+
+ Closes #648
-Steve Holme (21 Jan 2016)
-- TODO: "Create remote directories" for SMB
+- [Per Malmberg brought this change]
-Jay Satiro (18 Jan 2016)
-- mbedtls: Fix pinned key return value on fail
+ darwinssl: fix certificate verification disable on OS X 10.8
- - Switch from verifying a pinned public key in a callback during the
- certificate verification to inline after the certificate verification.
+ The new way of disabling certificate verification doesn't work on
+ Mountain Lion (OS X 10.8) so we need to use the old way in that version
+ too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2
+ and 10.11.
- The callback method had three problems:
+ Closes #802
+
+- [Cory Benfield brought this change]
+
+ http2: Add space between colon and header value
- 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
- was not returned.
+ curl's representation of HTTP/2 responses involves transforming the
+ response to a format that is similar to HTTP/1.1. Prior to this change,
+ curl would do this by separating header names and values with only a
+ colon, without introducing a space after the colon.
- 2. If peer certificate verification was disabled the pinned key
- verification did not take place as it should.
+ While this is technically a valid way to represent a HTTP/1.1 header
+ block, it is much more common to see a space following the colon. This
+ change introduces that space, to ensure that incautious tools are safely
+ able to parse the header block.
- 3. (related to #2) If there was no certificate of depth 0 the callback
- would not have checked the pinned public key.
+ This also ensures that the difference between the HTTP/1.1 and HTTP/2
+ response layout is as minimal as possible.
- Though all those problems could have been fixed it would have made the
- code more complex. Instead we now verify inline after the certificate
- verification in mbedtls_connect_step2.
+ Bug: https://github.com/curl/curl/issues/797
- Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
- Ref: https://github.com/bagder/curl/pull/601
+ Closes #798
+ Fixes #797
-- tests: Add a test for pinnedpubkey fail even when insecure
+Kamil Dudka (12 May 2016)
+- openssl: fix compile-time warning in Curl_ossl_check_cxn()
- Because disabling the peer verification (--insecure) must not disable
- the public key pinning check (--pinnedpubkey).
-
-- [Daniel Schauenberg brought this change]
-
- CURLINFO_RESPONSE_CODE.3: add example
+ ... introduced in curl-7_48_0-293-g2968c83:
+
+ Error: COMPILER_WARNING:
+ lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’
+ lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’
+ may alter its value [-Wconversion]
-Kamil Dudka (15 Jan 2016)
-- ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL
+Jay Satiro (11 May 2016)
+- openssl: stricter connection check function
- The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
- empty strings specially since curl-7_25_0-31-g05a443a but the behavior
- was unintentionally removed in curl-7_38_0-47-gfa7d04f.
+ - In the case of recv error, limit returning 'connection still in place'
+ to EINPROGRESS, EAGAIN and EWOULDBLOCK.
- This commit restores the original behavior and clarifies it in the
- documentation that NULL and "" have both the same meaning when passed
- to CURLOPT_SSH_PUBLIC_KEYFILE.
+ This is an improvement on the parent commit which changed the openssl
+ connection check to use recv MSG_PEEK instead of SSL_peek.
- Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
+ Ref: https://github.com/curl/curl/commit/856baf5#comments
-Daniel Stenberg (14 Jan 2016)
-- RELEASE-NOTES: synced with 35083ca60ed035a
+Daniel Stenberg (11 May 2016)
+- [Anders Bakken brought this change]
-- openssl: improved error detection/reporting
+ TLS: SSL_peek is not a const operation
- ... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
- 1.1.0+ returned a new func number of another cerfificate fail so this
- required a fix and this is the better way to catch this error anyway.
-
-- openssl: for 1.1.0+ they now provide a SSLeay() macro of their own
-
-- CURLOPT_RESOLVE.3: minor language polish
-
-- configure: assume IPv6 works when cross-compiled
+ Calling SSL_peek can cause bytes to be read from the raw socket which in
+ turn can upset the select machinery that determines whether there's data
+ available on the socket.
- The configure test uses AC_TRY_RUN to figure out if an ipv6 socket
- works, and testing like that doesn't work for cross-compiles. These days
- IPv6 support is widespread so a blind guess is probably more likely to
- be 'yes' than 'no' now.
+ Since Curl_ossl_check_cxn only tries to determine whether the socket is
+ alive and doesn't actually need to see the bytes SSL_peek seems like
+ the wrong function to call.
- Further: anyone who cross-compiles can use configure's --disable-ipv6 to
- explicitly disable IPv6 and that also works for cross-compiles.
+ We're able to occasionally reproduce a connect timeout due to this
+ bug. What happens is that Curl doesn't know to call SSL_connect again
+ after the peek happens since data is buffered in the SSL buffer and thus
+ select won't fire for this socket.
- Made happen after discussions in issue #594
+ Closes #795
-- TODO: "Try to URL encode given URL"
-
- Closes #514
+Jay Satiro (9 May 2016)
+- [Daniel Stenberg brought this change]
-- ConnectionExists: only do pipelining/multiplexing when asked
+ TLS: move the ALPN/NPN enable bits to the connection
- When an HTTP/2 upgrade request fails (no protocol switch), it would
- previously detect that as still possible to pipeline on (which is
- acorrect) and do that when PIPEWAIT was enabled even if pipelining was
- not explictily enabled.
+ Only protocols that actually have a protocol registered for ALPN and NPN
+ should try to get that negotiated in the TLS handshake. That is only
+ HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
+ would wrongly be used in all handshakes if libcurl was built with it
+ enabled.
- It should only pipelined if explicitly asked to.
+ Reported-by: Jay Satiro
- Closes #584
+ Fixes #789
-- [Mohammad AlSaleh brought this change]
+Daniel Stenberg (8 May 2016)
+- libcurl-thread.3: openssl 1.1.0 is safe, and so is boringssl
- lib: Prefix URLs with lower-case protocol names/schemes
-
- Before this patch, if a URL does not start with the protocol
- name/scheme, effective URLs would be prefixed with upper-case protocol
- names/schemes. This behavior might not be expected by library users or
- end users.
+- [Antonio Larrosa brought this change]
+
+ connect: fix invalid "Network is unreachable" errors
- For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the
- URL is "hostname/path". The effective URL would be
- "HTTPS://hostname/path" instead of "https://hostname/path".
+ Sometimes, in systems with both ipv4 and ipv6 addresses but where the
+ network doesn't support ipv6, Curl_is_connected returns an error
+ (intermittently) even if the ipv4 socket connects successfully.
- After this patch, effective URLs would be prefixed with a lower-case
- protocol name/scheme.
+ This happens because there's a for-loop that iterates on the sockets but
+ the error variable is not resetted when the ipv4 is checked and is ok.
- Closes #597
+ This patch fixes this problem by setting error to 0 when checking the
+ second socket and not having a result yet.
- Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
-
-- [Alessandro Ghedini brought this change]
+ Fixes #794
- scripts: don't generate and install zsh completion when cross-compiling
+Jay Satiro (5 May 2016)
+- FAQ: refer to thread safety guidelines
-- [Alessandro Ghedini brought this change]
+Daniel Stenberg (3 May 2016)
+- connections: non-HTTP proxies on different ports aren't reused either
+
+ Reported-by: Oleg Pudeyev and fuchaoqun
+
+ Fixes #648
- scripts: fix zsh completion generation
+- http: make sure a blank header overrides accept_decoding
- The script should use the just-built curl, not the system one. This fixes
- zsh completion generation when no system curl is installed.
+ Reported-by: rcanavan
+ Assisted-by: Isaac Boukris
+ Closes #785
-- [Alessandro Ghedini brought this change]
+- CHECKSRC.md: clarified, explained the whitelist file
- zsh.pl: fail if no curl is found
-
- Instead of generation a broken completion file.
+- nroff-scan.pl: verify that references are made with \fI
-- [Michael Kaufmann brought this change]
+- docs: unified man page references to use \fI
- IDN host names: Remove the port number before converting to ACE
+- TODO: 17.14 --fail without --location should treat 3xx as a failure
- Closes #596
+ Closes #727
-Jay Satiro (10 Jan 2016)
-- runtests: Add mbedTLS to the SSL backends
+- RELEASE-NOTES: synced with 7987f5cb14d
+
+- [Isaac Boukris brought this change]
+
+ CURLOPT_ACCEPT_ENCODING.3: Follow-up clarification
- .. and enable SSLpinning tests for mbedTLS, BoringSSL and LibreSSL.
+ Mention possible content-length mismatch with sum of bytes reported
+ by write callbacks when auto decoding is enabled.
+
+ See #785
-Daniel Stenberg (10 Jan 2016)
-- [Thomas Glanzmann brought this change]
+- test1140: run nroff-scan to verify man pages
- mbedtls: implement CURLOPT_PINNEDPUBLICKEY
+- nroff-scan.pl: verify the .BR references as well
-Jay Satiro (9 Jan 2016)
-- [Tatsuhiro Tsujikawa brought this change]
+- CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page reference
- url: Fix compile error with --enable-werror
+- CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGE
-- [Tatsuhiro Tsujikawa brought this change]
+- curl_easy_pause.3: fix man page reference
- http2: Ensure that http2_handle_stream_close is called
+Jay Satiro (1 May 2016)
+- tool_cb_hdr: Fix --remote-header-name with schemeless URL
- Previously, when HTTP/2 is enabled and used, and stream has content
- length known, Curl_read was not called when there was no bytes left to
- read. Because of this, we could not make sure that
- http2_handle_stream_close was called for every stream. Since we use
- http2_handle_stream_close to emit trailer fields, they were
- effectively ignored. This commit changes the code so that Curl_read is
- called even if no bytes left to read, to ensure that
- http2_handle_stream_close is called for every stream.
+ - Move the existing scheme check from tool_operate.
- Discussed in https://github.com/bagder/curl/pull/564
+ In the case of --remote-header-name we want to parse Content-disposition
+ for a filename, but only if the scheme is http or https. A recent
+ adjustment 0dc4d8e was made to account for schemeless URLs however it's
+ not 100% accurate. To remedy that I've moved the scheme check to the
+ header callback, since at that point the library has already determined
+ the scheme.
+
+ Bug: https://github.com/curl/curl/issues/760
+ Reported-by: Kai Noda
-Daniel Stenberg (8 Jan 2016)
-- http2: handle the received SETTINGS frame
+Daniel Stenberg (1 May 2016)
+- tls: make setting pinnedkey option fail if not supported
- This regression landed in 5778e6f5 and made libcurl not act on received
- settings and instead stayed with its internal defaults.
+ to make it obvious to users trying to use the feature with TLS backends
+ not supporting it.
- Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
- Reported-by: Bankde
+ Discussed in #781
+ Reported-by: Travis Burtrum
-- Revert "multiplex: allow only once HTTP/2 is actually used"
-
- This reverts commit 46cb70e9fa81c9a56de484cdd7c5d9d0d9fbec36.
+- nroff-scan.pl: verifies nroff pages
- Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
+ ... not used by any test yet but can be used stand-alone.
-Jay Satiro (8 Jan 2016)
-- [Tatsuhiro Tsujikawa brought this change]
+- opts: fix broken/bad references
- http2: Fix PUSH_PROMISE headers being treated as trailers
+- [Michael Kaufmann brought this change]
+
+ docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3
- Discussed in https://github.com/bagder/curl/pull/564
+ Closes #786
-Daniel Stenberg (8 Jan 2016)
-- [Michael Kaufmann brought this change]
+- CURLOPT_ACCEPT_ENCODING.3: clarified
+
+ As discussed in #785
- connection reuse: IDN host names fixed
+- curl.1: --mail-rcpt can be used multiple times
- Use the ACE form of IDN hostnames as key in the connection cache. Add
- new tests.
+ Reported-by: mgendre
+ Closes #784
+
+- [Karlson2k brought this change]
+
+ tests: Use 'pathhelp' for paths conversions in secureserver.pl
- Closes #592
+ Closes #675
-- tests: mark IPv6 FTP and FTPS tests with the FTP keyword
+- [Karlson2k brought this change]
-Jay Satiro (7 Jan 2016)
-- mbedtls: Fix ALPN support
+ tests: Use 'pathhelp' for paths conversions in sshserver.pl
+
+- [Karlson2k brought this change]
+
+ tests: Use 'pathhelp' for current path in runtests.pl
+
+- [Karlson2k brought this change]
+
+ tests: pathhelp.pm to process paths on Msys/Cygwin
+
+- lib: include curl_printf.h as one of the last headers
- - Fix ALPN reply detection.
+ curl_printf.h defines printf to curl_mprintf, etc. This can cause
+ problems with external headers which may use
+ __attribute__((format(printf, ...))) markers etc.
- - Wrap nghttp2 code in ifdef USE_NGHTTP2.
+ To avoid that they cause problems with system includes, we include
+ curl_printf.h after any system headers. That makes the three last
+ headers to always be, and we keep them in this order:
+ curl_printf.h
+ curl_memory.h
+ memdebug.h
- Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
+ None of them include system headers, they all do funny #defines.
+
+ Reported-by: David Benjamin
+
+ Fixes #743
-- http2: Fix client write for trailers on stream close
+- memdebug.h: remove inclusion of other headers
- Check that the trailer buffer exists before attempting a client write
- for trailers on stream close.
+ Mostly because they're not needed, because memdebug.h is always included
+ last of all headers so the others already included the correct ones.
- Refer to comments in https://github.com/bagder/curl/pull/564
+ But also, starting now we don't want this to accidentally include any
+ system headers, as the header included _before_ this header may add
+ defines and other fun stuff that we won't want used in system includes.
-Daniel Stenberg (7 Jan 2016)
-- COPYING: update general copyright year range
+- [Jay Satiro brought this change]
-- ConnectionExists: add missing newline in infof() call
+ curl -J: make it work even without http:// scheme on URL
- Mistake from commit a464f33843ee1
-
-- multiplex: allow only once HTTP/2 is actually used
+ It does open up a miniscule risk that one of the other protocols that
+ libcurl could use would send back a Content-Disposition header and then
+ curl would act on it even if not HTTP.
- To make sure curl doesn't allow multiplexing before a connection is
- upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the
- connection uses HTTP/2 as well and not only check what's wanted.
+ A future mitigation for this risk would be to allow the callback to ask
+ libcurl which protocol is being used.
- Closes #584
+ Verified with test 1312
- Patch-by: c0ff
+ Closes #760
-Jay Satiro (4 Jan 2016)
-- curl_global_init.3: Add Windows-specific info for init via DLL
+- manpage-scan.pl: also verify the command line option docs
- - Add to both curl_global_init.3 and libcurl.3 the caveat for Windows
- that initializing libcurl via a DLL's DllMain or static initializer
- could cause a deadlock.
-
- Bug: https://github.com/bagder/curl/issues/586
- Reported-by: marc-groundctl@users.noreply.github.com
+ This script now also scans src/tool_getparam.c, docs/curl.1 and
+ src/tool_help.c and will warn if any of them lists a command line option
+ not mentioned in one of the other places.
-Daniel Stenberg (4 Jan 2016)
-- FAQ: clarify who to mail about ECCN clarifications
+- curl: show the long option version of -q in the -h list
-- progressfunc.c: spellfix description
+- curl: remove "--socks" as "--socks5" turned 8
+
+ In commit 2e42b0a2524 (Jan 2008) we made the option "--socks" deprecated
+ and it has not been documented since. The more explicit socks options
+ (like --socks4 or --socks5) should be used.
-- docs/examples/multi-app.c: fix bad desc formatting
+- curl.1: document the deprecated --ftp-ssl option
-- examples: added descriptions
+- curl: remove --http-request
+
+ It was mentioned as deprecated already in commit ae1912cb0d4 from
+ 1999. It has not been documented in this millennium.
-- example/simple.c: add description
+- curl: mention --ntlm-wb in -h list
-- getredirect.c: a new example
+- curl: -h output lacked --proxy-header
-Marc Hoersken (27 Dec 2015)
-- RELEASE-NOTES: add 5e0e81a9c4e35f04ca
+- curl.1: document --ntlm-wb
-Daniel Stenberg (26 Dec 2015)
-- RELEASE-NOTES: synced with 2aec4359db1088b10d
+- curl.1: document the long format of -q: --disable
-Marc Hoersken (26 Dec 2015)
-- test 1515: add data check
+- curl.1: mention the deprecated --krb4 option
-- test 1515: add MSYS support by passing a relative path
+- curl.1: document --ftp-ssl-reqd
- MSYS would otherwise turn a /-style path into a C:\-style path.
+ Even if deprecated, document it so that people will find it as old
+ scripts may still use it.
-- test 539: use datacheck mode text for ASCII-mode LISTings
+- curl: use --telnet-option as documented
- While still using datacheck mode binary for the inline reply data.
+ The code said "telnet-options" but no documentation ever said so. It
+ worked fine since the code is fine with a unique match of the first
+ part.
-- runtests.pl: check up to 5 data parts with different text modes
+- getparam: remove support for --ftpport
- Move the text-mode conversion for reply/replycheck from the verify
- section into the load section and add support for 4 more check parts.
+ It has been deprecated and undocumented since commit ad5ead8bed7 (Dec
+ 2003). --ftp-port is the proper long option name.
-Daniel Stenberg (24 Dec 2015)
-- CURLOPT_RANGE: for HTTP servers, range support is optional
+- curl: make --disable work as long form of -q
+
+ To make the aliases list reflect reality.
-Marc Hoersken (24 Dec 2015)
-- tests 1048 and 1050: use datacheck mode text for ASCII-mode LISTings
-
-- tests 706 and 707: use datacheck mode text for ASCII-mode LISTings
-
-- tests 400,403,406: use datacheck mode text for ASCII-mode LISTings
+- aliases: remove trailing space from capath string
-- sockfilt.c: fix calculation of sleep timeout on Windows
+- cmdline parse: only single letter options have single-letter strings
- Not converting to double caused small timeouts to be skipped.
+ ... moved around options so that parsing the code to find all
+ single-letter options easier.
-- tests first.c: fix calculation of sleep timeout on Windows
+Jay Satiro (28 Apr 2016)
+- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
- Not converting to double caused small timeouts to be skipped.
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0126.html
+ Reported-by: Bru Rom
-- test 573: add more debug output
+Daniel Stenberg (28 Apr 2016)
+- curl_easy_getinfo.3: remove superfluous blank lines
-- ftplistparser.c: fix handling of file LISTings using Windows EOL
+- test1139: verifies libcurl option man page presence
- Previously file.txt[CR][LF] would have been returned as file.tx
- (without the last t) if filetype is symlink. Now the t is
- included and the internal item_length includes the zero byte.
+ - checks that each option has its own man page present
- Spotted using test 576 on Windows.
+ - checks that each option is mentioned in its corresponding index man
+ page
-- test 16: fix on Linux (and Windows) by using plain ASCII characters
+- curl_easy_getinfo.3: added missing mention of CURLINFO_TLS_SESSION
- Follow up on b064ff0c351bb287557228575ef4c1d079b866fb, thanks Daniel.
+ ... although it is deprecated.
-- tftpd server: add Windows support by writing files in binary mode
+Jay Satiro (28 Apr 2016)
+- mbedtls: Fix session resume
+
+ This also fixes PolarSSL session resume.
+
+ Prior to this change the TLS session information wasn't properly
+ saved and restored for PolarSSL and mbedTLS.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
+ Reported-by: Thomas Glanzmann
+
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
+ Reported-by: Moti Avrahami
-- tests 252-255: use datacheck mode text for ASCII-mode LISTings
+Daniel Stenberg (27 Apr 2016)
+- RELEASE-NOTES: synced with f4298fcc6d2
-- test 16: fix on Windows by converting data file from ANSI to UTF-8
+- [Michael Kaufmann brought this change]
-Daniel Stenberg (23 Dec 2015)
-- Makefile.inc: s/curl_SOURCES/CURL_FILES
+ opts: Fix some syntax errors in example code fragments
- This allows the root Makefile.am to include the Makefile.inc without
- causing automake to warn on it (variables named *_SOURCES are
- magic). curl_SOURCES is then instead assigned properly in
- src/Makefile.am only.
+ Fixes #779
+
+- openssl: avoid BN_print a NULL bignum
- Closes #577
+ OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those
+ numbers so make sure the function handles this.
+
+ Reported-by: Linus Nordberg
-- [Anders Bakken brought this change]
+- [Marcel Raad brought this change]
- ConnectionExists: with *PIPEWAIT, wait for connections
+ CONNECT_ONLY: don't close connection on GSS 401/407 reponses
- Try harder to prevent libcurl from opening up an additional socket when
- CURLOPT_PIPEWAIT is set. Accomplished by letting ongoing TCP and TLS
- handshakes complete first before the decision is made.
+ Previously, connections were closed immediately before the user had a
+ chance to extract the socket when the proxy required Negotiate
+ authentication.
- Closes #575
+ This regression was brought in with the security fix in commit
+ 79b9d5f1a42578f
+
+ Closes #655
-- [Anders Bakken brought this change]
+- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
- Add .dir-locals and set c-basic-offset to 2.
+- mbedtls.c: silly spellfix of a comment
+
+- KNOWN_BUGS: 1.10 Strips trailing dot from host name
- This makes it easier for emacs users to automatically get the right
- 2-space indentation when they edit curl source files.
+ Closes #716
+
+- test1322: verify stripping of trailing dot from host name
- c++-mode is in there as well because Emacs can't easily know if
- something is a C or C++ header.
+ While being debated (in #716) and a violation of RFC 7230 section 5.4,
+ this test verifies that the existing functionality works as intended. It
+ strips the dot from the host name and uses the host without dot
+ throughout the internals.
+
+- multi: accidentally used resolved host name instead of proxy
- Closes #574
+ Regression introduced in 09b5a998
+
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0084.html
+ Reported-by: BoBo
-- [Johannes Schindelin brought this change]
+- symbols-in-versions: added new CURLSSLBACKEND_ symbols
- configure: detect IPv6 support on Windows
+- test148: fixed after the --ftp-create-dirs retry change
- This patch was "nicked" from the MINGW-packages project by Daniel.
-
- https://github.com/Alexpux/MINGW-packages/commit/9253d0bf58a1486e91f7efb5316e7fdb48fa4007
- Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+ follow-up commit to 3c1e84f569 as it made curl try a little harder
-- configure: allow static builds on mingw
+- curl.h: clarify curl_sslbackend for openssl clones and renames
+
+- [Karlson2k brought this change]
+
+ url.c: fixed DEBUGASSERT() for WinSock workaround
- This patch is adopted from the MINGW-packages project. It makes it
- possible to build curl both shared and static again.
+ If buffer is allocated, but nothing is received during prereceive
+ stage, than number of processed bytes must be zero.
- URL: https://github.com/Alexpux/MINGW-packages/tree/master/mingw-w64-curl
+ Closes #778
-Marc Hoersken (17 Dec 2015)
-- test 1326: fix file check since curl is outputting binary data
+- KNOWN_BUGS: --interface for ipv6 binds to unusable IP address
+
+ Closes #686 for now.
-- test 1326: fix getting stuck on Windows due to incomplete request
+- TODO: 1.17 Add support for IRIs
- The request needs to be read and send in binary mode in order to use
- CRLF instead of LF. Adding --upload-file - causes curl to read stdin
- in binary mode.
+ Adding support for IRIs is a mouthful, but is probably interesting at
+ least for areas and countries where the use of such "URLs" are growing
+ popularity.
+
+ Closes #776
-Daniel Stenberg (17 Dec 2015)
-- RELEASE-NOTES: command line option recount
+- THANKS-filter: Travis Burtrum
-Dan Fandrich (16 Dec 2015)
-- scripts/Makefile: build zsh script even in an out-of-tree build
+- lib1517: checksrc compliance
-Marc Hoersken (16 Dec 2015)
-- sockfilt.c: added some debug output to select_ws
+- [moparisthebest brought this change]
-- sockfilt.c: keep lines shorter than 80 chars
+ PolarSSL: Implement public key pinning
-- sockfilt.c: do not wait on unreliable file or pipe handle
+Patrick Monnerat (22 Apr 2016)
+- os400: upgrade ILE/RPG binding
+
+- curl.h: CURLOPT_CONNECT_TO sets a struct slist *, not a string
+
+Daniel Stenberg (22 Apr 2016)
+- contributors.sh: make --releasenotes implied
- The previous implementation caused issues on modern MSYS2 runtimes.
+ It got too annoying to type =)
-Daniel Stenberg (16 Dec 2015)
-- cyassl: deal with lack of *get_peer_certificate
+- RELEASE-NOTES: synced with 3c1e84f5693d8093
+
+- curl: make --ftp-create-dirs retry on failure
- The function is only present in wolfssl/cyassl if it was built with
- --enable-opensslextra. With these checks added, pinning support is disabled
- unless the TLS lib has that function available.
+ The underlying libcurl option used for this feature is
+ CURLOPT_FTP_CREATE_MISSING_DIRS which has the ability to retry the dir
+ creation, but it was never set to do that by the command line tool.
- Also fix the mistake in configure that checks for the wrong lib name.
+ Now it does.
- Closes #566
+ Bug: https://curl.haxx.se/mail/archive-2016-04/0021.html
+ Reported-by: John Wanghui
+ Help-by: Leif W
-- wolfssl: handle builds without SSLv3 support
+- [Henrik Gaßmann brought this change]
-- [Tatsuhiro Tsujikawa brought this change]
+ winbuild: add mbedtls support
+
+ Add WITH_MBEDTLS option. Make WITH_SSL, WITH_MBEDTLS and ENABLE_WINSSL
+ options mutual exclusive.
+
+ Closes #606
- http2: Support trailer fields
+- KNOWN_BUGS: fixed "5.6 Improper use of Autoconf cache variables"
- This commit adds trailer support in HTTP/2. In HTTP/1.1, chunked
- encoding must be used to send trialer fields. HTTP/2 deprecated any
- trandfer-encoding, including chunked. But trailer fields are now
- always available.
+ As of commit d9f3b365a3
+
+- [Irfan Adilovic brought this change]
+
+ configure: ac_cv_ -> curl_cv_ for write-only vars
- Since trailer fields are relatively rare these days (gRPC uses them
- extensively though), allocating buffer for trailer fields is done when
- we detect that HEADERS frame containing trailer fields is started. We
- use Curl_add_buffer_* functions to buffer all trailers, just like we
- do for regular header fields. And then deliver them when stream is
- closed. We have to be careful here so that all data are delivered to
- upper layer before sending trailers to the application.
+ These configure vars are modified in a curl-specific way but never
+ evaluated or loaded from cache, even though they are designated as
+ _cv_. We could either implement proper AC_CACHE_CHECKs for them, or
+ remove them completely.
- We can deliver trailer field one by one using NGHTTP2_ERR_PAUSE
- mechanism, but current method is far more simple.
+ Fixes #603 as ac_cv_func_gethostbyname is no longer clobbered, and
+ AC_CHECK_FUNC(gethostbyname...) will no longer spuriously succeed after
+ the first configure run with caching.
- Another possibility is use chunked encoding internally for HTTP/2
- traffic. I have not tested it, but it could add another overhead.
+ `ac_cv_func_strcasecmp` is curious, see #770.
- Closes #564
+ `eval "ac_cv_func_$func=yes"` can still cause problems as it works in
+ tandem with AC_CHECK_FUNCS and then potentially modifies its result. It
+ would be best to rewrite this test to use a new CURL_CHECK_FUNCS macro,
+ which works the same as AC_CHECK_FUNCS but relies on caching the values
+ of curl_cv_func_* variables, without modifiying ac_cv_func_*.
-- RELEASE-NOTES: synced with 6c2c019654e658a
+- [Irfan Adilovic brought this change]
-Jay Satiro (15 Dec 2015)
-- x509asn1: Fix host altname verification
-
- - In Curl_verifyhost check all altnames in the certificate.
-
- Prior to this change only the first altname was checked. Only the GSKit
- SSL backend was affected by this bug.
+ configure: ac_cv_ -> curl_cv_ for r/w vars
- Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
- Reported-by: John Kohl
+ These configure vars are modified in a curl-specific way and modified by
+ the configure process, but are never loaded from cache, even though they
+ are designated as _cv_. We should implement proper AC_CACHE_CHECKs for
+ them eventually.
-Daniel Stenberg (15 Dec 2015)
-- curl --expect100-timeout: added
+- [Irfan Adilovic brought this change]
+
+ configure: ac_cv_func_clock_gettime -> curl_...
- This is the new command line option to set the value for the existing
- libcurl option CURLOPT_EXPECT_100_TIMEOUT_MS
+ This variable must not be cached in its current form, as any cached
+ information will prevent the next configure run from determining the
+ correct LIBS needed for the function. Thus, rename prefix `ac_cv_` to
+ just `curl_`.
-- cyassl: fix compiler warning on type conversion
+- [Irfan Adilovic brought this change]
-- curlver: the pending release will become 7.47.0
+ configure: ac_cv_ -> curl_cv_ for all cached vars
+
+ This was automated by:
+
+ sed -b -i -f <(ack -A1 AC_CACHE_CHECK | \
+ ack -o 'ac_cv_.*?\b' | \
+ sort -u | xargs -n1 bash -c \
+ 'echo "s/$0/curl_cv_${0#ac_cv_}/g"') \
+ $(git ls-files)
+
+ This only changed the prefix for 16 variables actually checked with
+ AC_CACHE_CHECK.
-- [Anders Bakken brought this change]
+- openssl: builds with OpenSSL 1.1.0-pre5
+
+ The RSA, DSA and DH structs are now opaque and require use of new APIs
+
+ Fixes #763
- setstropt: const-correctness
+Steve Holme (20 Apr 2016)
+- url.c: Prefer we don't use explicit NULLs in conditions
- Closes #565
+ Fixed commit fa5fa65a30 to not use NULLs in if condition.
-- ROADMAP: implemented HTTP2 for HTTPS-only
+Daniel Stenberg (20 Apr 2016)
+- [Isaac Boukris brought this change]
-- HTTP2.md: spell fix and remove TODO now implemented
+ NTLM: check for NULL pointer before deferencing
+
+ At ConnectionExists, both check->proxyuser and check->proxypasswd
+ could be NULL, so make sure to check first.
+
+ Fixes #765
-- libressl: the latest openssl x509 funcs are not in libressl
+- [Karlson2k brought this change]
-- curl: use 2TLS by default
+ tests: added test1517
- Make this the default for the curl tool (if built with HTTP/2 powers
- enabled) unless a specific HTTP version is requested on the command
- line.
+ ... for checking ability to receive full HTTP response when POST request
+ is used with slow read callback function.
- This should allow more users to get HTTP/2 powers without having to
- change anything.
+ This test checks for bug #657 and verifies the work-around from
+ 72d5e144fbc6.
+
+ Closes #720
-- http: add libcurl option to allow HTTP/2 for HTTPS only
+- [Karlson2k brought this change]
+
+ sendf.c: added ability to call recv() before send() as workaround
- ... and stick to 1.1 for HTTP. This is in line with what browsers do and
- should have very little risk.
+ WinSock destroys recv() buffer if send() is failed. As result - server
+ response may be lost if server sent it while curl is still sending
+ request. This behavior noticeable on HTTP server short replies if
+ libcurl use several send() for request (usually for POST request).
+ To workaround this problem, libcurl use recv() before every send() and
+ keeps received data in intermediate buffer for further processing.
+
+ Fixes: #657
+ Closes: #668
-- openssl: adapt to openssl >= 1.1.0 X509 opaque structs
+Kamil Dudka (19 Apr 2016)
+- connect: make sure that rc is initialized in singleipconnect()
- Closes #491
+ This commit fixes a Clang warning introduced in curl-7_48_0-190-g8f72b13:
+
+ Error: CLANG_WARNING:
+ lib/connect.c:1120:11: warning: The right operand of '==' is a garbage value
+ 1118| }
+ 1119|
+ 1120|-> if(-1 == rc)
+ 1121| error = SOCKERRNO;
+ 1122| }
-- openssl: avoid BIO_reset() warnings since it returns a value
+Daniel Stenberg (19 Apr 2016)
+- make/checksrc: use $srcdir, not $top_srcdir
-- openssl: adapt to 1.1.0+ name changes
+- src/checksrc.whitelist: removed
-- scripts/makefile: add standard header
+- tool_operate: switch to inline checksrc ignore
-- scripts/Makefile: fix GNUism and survive no perl
+- lib/checksrc.whitelist: not needed anymore
- Closes #555
+ ... as checksrc now skips comments
+
+- vtls.h: remove a space before semicolon
- Reported-by: Thomas Klausner
+ ... that the new checksrc detected
-- fix b6d5cb40d7038fe
+- darwinssl: removed commented out code
-- [Tatsuhiro Tsujikawa brought this change]
+- http_chunks: removed checksrc disable
+
+ ... since checksrc now skips comments
- http2: Fix hanging paused stream
+- imap: inlined checksrc disable instead of whitelist edit
+
+- checksrc: taught to skip comments
- When NGHTTP2_ERR_PAUSE is returned from data_source_read_callback, we
- might not process DATA frame fully. Calling nghttp2_session_mem_recv()
- again will continue to process DATA frame, but if there is no incoming
- frames, then we have to call it again with 0-length data. Without this,
- on_stream_close callback will not be called, and stream could be hanged.
+ ... but output non-stripped version of the line, even if that then can
+ make the script identify the wrong position in the line at
+ times. Showing the line stripped (ie without comments) is just too
+ surprising.
+
+- opts/Makefile.am: list all docs file one by one
- Bug: http://curl.haxx.se/mail/lib-2015-11/0103.html
- Reported-by: Francisco Moraes
+ ... to make it easier to add lines in patches that won't just break all
+ other patches trying to add lines too.
-- [Christian Stewart brought this change]
+- curl_easy_setopt.3: mention CURLOPT_TCP_FASTOPEN
- build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS
+- RELEASE-NOTES: synced with 03de4e4b219
- With curl disable verbose strings in http.c the compilation fails due to
- the data variable being undefined later on in the function.
+ (since we just merged two major features)
+
+- [Alessandro Ghedini brought this change]
+
+ connect: implement TCP Fast Open for Linux
- Closes #558
+ Closes #660
-Jay Satiro (7 Dec 2015)
-- [Gisle Vanem brought this change]
+- [Alessandro Ghedini brought this change]
- config-win32: Fix warning HAVE_WINSOCK2_H undefined
+ tool: add --tcp-fastopen option
-- [Gisle Vanem brought this change]
+- [Alessandro Ghedini brought this change]
- openssl: BoringSSL doesn't have CONF_modules_free
+ connect: implement TCP Fast Open for OS X
-- [Gisle Vanem brought this change]
+- [Alessandro Ghedini brought this change]
- lwip: Fix compatibility issues with later versions
-
- The name of the header guard in lwIP's <lwip/opt.h> has changed from
- '__LWIP_OPT_H__' to 'LWIP_HDR_OPT_H' (bug #35874 in May 2015).
+ url: add CURLOPT_TCP_FASTOPEN option
+
+- checksrc: pass on -D so the whitelists are found correctly
+
+- configure: remove check for libresolve
- Other fixes:
+ 'strncasecmp' was once provided by libresolv (no trailing e) for SunOS,
+ but this check is broken and most likely adds nothing useful. Removing
+ now.
- - In curl_setup.h, the problem with an old PSDK doesn't apply if lwIP is
- used.
+ Reported-by: Irfan Adilovic
- - In memdebug.h, the 'socket' should be undefined first due to lwIP's
- lwip_socket() macro.
+ Discussed in #770
+
+- scripts/make: use $(EXEEXT) for executables
- - In curl_addrinfo.c lwIP's getaddrinfo() + freeaddrinfo() macros need
- special handling because they were undef'ed in memdebug.h.
+ Reported-by: bodop
- - In select.c we can't use preprocessor conditionals inside select if
- MSVC and select is a macro, as it is with lwIP.
+ Fixes #771
+
+- includes: avoid duplicate memory callback typdefs even harder
+
+- checksrc/makefile.am: use $top_srcdir to find source files
- http://curl.haxx.se/mail/lib-2015-12/0023.html
- http://curl.haxx.se/mail/lib-2015-12/0024.html
+ ... to properly support out of source tree builds.
-Patrick Monnerat (7 Dec 2015)
-- os400: define CURL_VERSION_PSL in ILE/RPG binding
+- RELEASE-NOTES: synced with 26ec93dd6aeba8dfb5
-Jay Satiro (7 Dec 2015)
-- [Gisle Vanem brought this change]
+- opts: fix option references missing (section)
- version: Add flag CURL_VERSION_PSL for libpsl
+- [Michael Kaufmann brought this change]
-- formdata: Check if length is too large for memory
-
- - If the size of the length type (curl_off_t) is greater than the size
- of the size_t type then check before allocating memory to make sure the
- value of length will fit in a size_t without overflow. If it doesn't
- then return CURLE_BAD_FUNCTION_ARGUMENT.
+ news: CURLOPT_CONNECT_TO and --connect-to
- Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
- Reported-by: Steve Holme
-
-Steve Holme (3 Dec 2015)
-- tests: Corrected copy and pasted comments from commit e643c5c908
+ Makes curl connect to the given host+port instead of the host+port found
+ in the URL.
-Daniel Stenberg (3 Dec 2015)
-- curl: remove keepalive #ifdef checks done on libcurl's behalf
+- makefile.vc6: use d suffix on debug object
- They didn't match the ifdef logic used within libcurl anyway so they
- could indeed warn for the wrong case - plus the tool cannot know how the
- lib actually performs at that level.
+ To allow both release and debug builds in parallel.
+
+ Reported-by: Rod Widdowson
+
+ Fixes #769
-Steve Holme (2 Dec 2015)
-- test947: Corrected typo in test name
+Jay Satiro (12 Apr 2016)
+- http2: Use size_t type for data drain count
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- tests: Disable the OAUTHBEARER tests when using a non-default port number
+- http2: Improve header parsing
- Tests 842, 843, 844, 845, 887, 888, 889, 890, 946, 947, 948 and 949 fail
- if a custom port number is specified via the -b option of runtests.pl.
+ - Error if a header line is larger than supported.
- Suggested by: Kamil Dudka
- Bug: http://curl.haxx.se/mail/lib-2015-12/0003.html
-
-Daniel Stenberg (2 Dec 2015)
-- bump: towards next release
+ - Warn if cumulative header line length may be larger than supported.
- for all we know now, it might be called 7.46.1
+ - Allow spaces when parsing the path component.
+
+ - Make sure each header line ends in \r\n. This fixes an out of bounds.
+
+ - Disallow header continuation lines until we decide what to do.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-Version 7.46.0 (1 Dec 2015)
+- http2: Add Curl_http2_strerror for HTTP/2 error codes
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-Daniel Stenberg (1 Dec 2015)
-- RELEASE-NOTES: updated contributor count for 7.46.0
+- [Tatsuhiro Tsujikawa brought this change]
-- THANKS: new contributors from the 7.46.0 release
+ http2: Don't increment drain when one header field is received
+
+ Sicne we write header field in temporary location, not in the memory
+ that upper layer provides, incrementing drain should not happen.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- THANKS-filter: single Tim Rühsen spelling
+- [Tatsuhiro Tsujikawa brought this change]
-- docs/examples: gitignore some more built examples
+ http2: Ensure that http2_handle_stream_close is called
+
+ This commit ensures that streams which was closed in on_stream_close
+ callback gets passed to http2_handle_stream_close. Previously, this
+ might not happen. To achieve this, we increment drain property to
+ forcibly call recv function for that stream.
+
+ To more accurately check that we have no pending event before shutting
+ down HTTP/2 session, we sum up drain property into
+ http_conn.drain_total. We only shutdown session if that value is 0.
+
+ With this commit, when stream was closed before reading response
+ header fields, error code CURLE_HTTP2_STREAM is returned even if
+ HTTP/2 level error is NO_ERROR. This signals the upper layer that
+ stream was closed by error just like TCP connection close in HTTP/1.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- RELEASE-NOTES; this bug was never released
+- [Tatsuhiro Tsujikawa brought this change]
-- RELEASE-NOTES: synced with e55f15454efacb0
+ http2: Process paused data first before tear down http2 session
+
+ This commit ensures that data from network are processed before HTTP/2
+ session is terminated. This is achieved by pausing nghttp2 whenever
+ different stream than current easy handle receives data.
+
+ This commit also fixes the bug that sometimes processing hangs when
+ multiple HTTP/2 streams are multiplexed.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- [Flavio Medeiros brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
- Curl_read_plain: clean up ifdefs that break statements
+ http2: Check session closure early in http2_recv
- Closes #546
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- http2: convert some verbose output into debug-only output
+- [Tatsuhiro Tsujikawa brought this change]
-- http2 push: add missing inits of new stream
+ http2: Add handling stream level error
- - set the correct stream_id for pushed streams
- - init maxdownload and size properly
-
-- http2 push: set weight for new stream
+ Previously, when a stream was closed with other than NGHTTP2_NO_ERROR
+ by RST_STREAM, underlying TCP connection was dropped. This is
+ undesirable since there may be other streams multiplexed and they are
+ very much fine. This change introduce new error code
+ CURLE_HTTP2_STREAM, which indicates stream error that only affects the
+ relevant stream, and connection should be kept open. The existing
+ CURLE_HTTP2 means connection error in general.
- give the new stream the old one's stream_weight internally to avoid
- sending a PRIORITY frame unless asked for it
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- curl_setup.h: undef freeaddrinfo in c-ares block to fix build
+Daniel Stenberg (11 Apr 2016)
+- http2: drain the socket better...
- Fixes warnings 78c25c854a added.
-
-- nonblock: fix setting non-blocking mode for Amiga
+ ... but ignore EAGAIN if the stream has ended so that we don't end up in
+ a loop. This is a follow-up to c8ab613 in order to avoid the problem
+ d261652 was made to fix.
- IoctlSocket() apparently wants a pointer to a long, passed as a char *
- in its third parameter. This bug was introduced already back in commit
- c5fdeef41d from October 1 2001!
+ Reported-by: Jay Satiro
+ Clues-provided-by: Tatsuhiro Tsujikawa
- Bug: http://curl.haxx.se/mail/lib-2015-11/0088.html
- Reported-by: Norbert Kett
+ Discussed in #750
-- zsh install: fix DESTDIR support
+- KNOWN_BUGS: added info for "Hangs with PolarSSL"
+
+- KNOWN_BUGS: 1.9 HTTP/2 frames while in the connection pool kill reuse
- Reported-by: Mohammad AlSaleh
+ Closes #750
-Dan Fandrich (27 Nov 2015)
-- lib: Only define curl_dofreeaddrinfo if struct addrinfo is available
+- build: include scripts/ in the dist
-Steve Holme (27 Nov 2015)
-- tool_paramhlp: Fixed display of URL index in password prompt for --next
+Steve Holme (9 Apr 2016)
+- CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
- Commit f3bae6ed73 added the URL index to the password prompt when using
- --next. Unfortunately, because the size_t specifier (%zu) is not
- supported by all sprintf() implementations we use the curl_off_t format
- specifier instead. The display of an incorrect value arises on platforms
- where size_t and curl_off_t are of a different size.
+ As these two options provide identical functionality, the former for
+ SOCK5 proxies and the latter for HTTP proxies, merged the two options
+ together.
+
+ As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of
+ 7.49.0.
-Daniel Stenberg (25 Nov 2015)
-- timecond: do not add if-modified-since without timecondition
+- urldata: Use bool for socks5_gssapi_nec as it is a flag
- The RTSP code path didn't skip adding the if-modified-since for certain
- RTSP code paths, even if CURLOPT_TIMECONDITION was set to
- CURL_TIMECOND_NONE.
+ This value is set to TRUE or FALSE so should be a bool and not a long.
+
+- url: Ternary operator code style changes
+
+- CODE_STYLE: Added ternary operator example to 'Space around operators'
- Also, an unknown non-zero CURLOPT_TIMECONDITION value no longer equals
- CURL_TIMECOND_IFMODSINCE.
+ Following conversation on the libcurl mailing list.
+
+- sasl: Fixed compilation errors from commit 9d89a0387
- Bug: http://stackoverflow.com/questions/33903982/curl-timecond-none-doesnt-work-how-to-remove-if-modified-since-header
+ ...when GSS-API or Windows SSPI are not used.
-- RELEASE-NOTES: synced with 99d17a5e2ba77e58
+- url: Corrected comments following 9d89a0387
-- examples/README: cut out the incomplete list
-
- ... and add a generic explanation for them instead. Each example file
- should contain its own description these days.
+- docs: Added clarification following commit 9d89a0387
-- test1513: make sure the callback is only called once
+- Makefile: Fixed echo of checksrc check
-- [Daniel Shahaf brought this change]
+- checksrc: Fix issue with the autobuilds not picking up the whitelist
- build: Install zsh completion
-
- Fixes #534
- Closes #537
+- checksrc: Added missing vauth and vtls directories
-- done: make sure the final progress update is made
-
- It would previously be skipped if an existing error was returned, but
- would lead to a previous value being left there and later used.
- CURLINFO_TOTAL_TIME for example.
-
- Still it avoids that final progress update if we reached DONE as the
- result of a callback abort to avoid another callback to be called after
- an abort-by-callback.
+- ftp/imap/pop3/smtp: Allow the service name to be overridden
- Reported-by: Lukas Ruzicka
-
- Closes #538
+ Allow the service name to be overridden for DIGIST-MD5 and Kerberos 5
+ authentication in FTP, IMAP, POP3 and SMTP.
-- curl: expanded the -XHEAD warning text
+- http_negotiate: Calculate service name and proxy service name locally
- ... to also mention the specific options used.
+ Calculate the service name and proxy service names locally, rather than
+ in url.c which will allow for us to support overriding the service name
+ for other protocols such as FTP, IMAP, POP3 and SMTP.
-- Revert "cleanup: general removal of TODO (and similar) comments"
+- ROADMAP: Updated following the move of the authentication code
+
+Patrick Monnerat (8 Apr 2016)
+- KNOWN_BUGS: openldap hangs. TODO: binary SASL.
+
+Daniel Stenberg (8 Apr 2016)
+- KNOWN_BUGS: 5.6 Improper use of Autoconf cache variables
- This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a.
+ Closes #603
+
+- KNOWN_BUGS: 11.2 error buffer not set...
- Feedback-by: Dan Fandrich
- URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
+ Closes #544
-- CURLOPT_HEADERFUNCTION.3: fix typo
+- KNOWN_BUGS: 11.1 Curl leaks .onion hostnames in DNS
- Refer to _HEADERDATA not _WRITEDATA.
+ Closes #543
+
+- KNOWN_BUGS: 1.8 DNS timing is wrong for HTTP redirects
- Reported-by: Michał Piechowski
+ Closes #522
-- TODO: TCP Fast Open
+- TODO: HTTP/2 "prior knowledge" is implemented!
-Steve Holme (22 Nov 2015)
-- examples: Added website parse-able descriptions to the e-mail examples
+- [Damien Vielpeau brought this change]
-- TODO: Added another 'multi-interface' idea
+ mbedtls: fix MBEDTLS_DEBUG builds
-- smb.c: Fixed compilation warnings
+- mbedtls: implement and provide *_data_pending()
- smb.c:134:3: warning: conversion to 'short unsigned int' from 'int' may
- alter its value
- smb.c:146:42: warning: conversion to 'unsigned int' from 'long long
- unsigned int' may alter its value
- smb.c:146:65: warning: conversion to 'unsigned int' from 'long long
- unsigned int' may alter its value
+ ... as otherwise we might get stuck thinking there's no more data to
+ handle.
+
+ Reported-by: Damien Vielpeau
+
+ Fixes #737
-- schannel: Corrected copy/paste error in commit 8d17117683
+- mbedtls: follow-up for the previous commit
-- schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
+- mbedtls.c: name space pollution fix, Use 'Curl_'
+
+- mbedtls.c: changed private prefix to mbed_
- Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
+ mbedtls_ is the prefix used by the mbedTLS library itself so we should
+ avoid using that for our private functions.
-- examples: Fixed compilation warnings
+- mbedtls.h: fix compiler warnings
+
+- Revert "winbuild: trying to set some files eol=crlf for git"
- pop3-multi.c:96:5: warning: implicit declaration of function 'memset'
- imap-multi.c:96:5: warning: implicit declaration of function 'memset'
- http2-download.c:226:5: warning: implicit declaration of function 'memset'
- http2-upload.c:290:5: warning: implicit declaration of function 'memset'
- http2-upload.c:290:5: warning: implicit declaration of function 'memset'
+ This reverts commit 9c08b4f1e7eced5a4d3782a3e0daa484c9d77d21.
+
+ Didn't help. Caused problems.
+
+ Fixes #756
-- Makefile.inc: Fixed test run error
+- curl.1: use example.com more
- test845 not present in tests/data/Makefile.inc
+ Make (most) example snippets use the example.com domain instead of the
+ random ones picked and used before. Some of those were probably
+ legitimate sites and some not. example.com is designed for this purpose.
-Daniel Stenberg (20 Nov 2015)
-- TODO: remove duplicated title
+- [Michael Kaufmann brought this change]
-- TODO: added two more libcurl ideas
+ HTTP2: Add a space character after the status code
- Moved some ideas from "next major" to just ordinary ideas since we can
- always add new things while keeping the old without doing a "next
- major".
+ The space character after the status code is mandatory, even if the
+ reason phrase is empty (see RFC 7230 section 3.1.2)
+
+ Closes #755
-Steve Holme (20 Nov 2015)
-- tests: Re-enabled tests 889 and 890 following POP3 fix
+- [Viktor Szakats brought this change]
-- pop3: Differentiate between success and continuation responses
+ URLs: change http to https in many places
+
+ Closes #754
-- pop3: Added clarity on some server response codes
+- winbuild: trying to set some files eol=crlf for git
+
+ Thinking it might help to apply patches etc with git.
-Daniel Stenberg (20 Nov 2015)
-- [Daniel Shahaf brought this change]
+- [Theodore Dubois brought this change]
- build: Fix theoretical infinite loops
+ curl.1: change example for -F
- Add error-checking to 'cd' in a few cases where omitting the checks
- might result in an infinite loop.
+ It's a bad idea to send your passwords anywhere, especially over HTTP.
+ Modified example to send a picture instead.
- Closes #535
+ Fixes #752
-Patrick Monnerat (19 Nov 2015)
-- curl.h: s/#defien/#define/
+- KNOWN_BUGS: reorganized and cleaned up
+
+ Now sorted into categories and organized in the same style we do the
+ TODO document. It will make each issue linked properly on the
+ https://curl.haxx.se/docs/knownbugs.html web page.
+
+ The sections should make it easier to find issues and issues related to
+ areas of the reader's specific interest.
-- os400: synchronize ILE/RPG header file
+Jay Satiro (6 Apr 2016)
+- KNOWN_BUGS: #95 curl in Windows can't handle Unicode arguments
-- os400: Provide options for libssh2 use in compile scripts. Adjust README.
+Steve Holme (6 Apr 2016)
+- KNOWN_BUGS: Use https://curl.haxx.se URL for github based issues
-Daniel Stenberg (19 Nov 2015)
-- [danielsh@apache.org brought this change]
+- CHECKSRC.md: Corrected some typos
- zsh completion: Preserve single quotes in output
-
- When an option's help string contains literal single quotes, those
- single quotes would be stripped from the option's description in the
- completion output (unless the zsh RC_QUOTES option were set while the
- completion function was being sourced, which is not the default). This
- patch makes the completion output contain single quotes where the --help
- output does.
+- RELEASE-NOTES: Corrected last updated
- Closes #532
+ Included a summary of the checksrc.bat updates and combined two krb5
+ changes as they should have been implemented at the same time.
-Jay Satiro (18 Nov 2015)
-- [MaxGiting brought this change]
+- vauth: Corrected a number of typos in comments
+
+ Reported-by: Michael Osipov
- FAQ: Grammar changes
+Jay Satiro (5 Apr 2016)
+- KNOWN_BUGS: #94 IMAP custom requests use the LIST handler
- Closes https://github.com/bagder/curl/pull/533
+ Bug: https://github.com/curl/curl/issues/536
+ Reported-by: eXeC64@users.noreply.github.com
-Daniel Stenberg (17 Nov 2015)
-- http2: http_done: don't free already-freed push headers
+Daniel Stenberg (5 Apr 2016)
+- KNOWN_BUGS: remove 68, 70 and 72.
- The push headers are freed after the push callback has been invoked,
- meaning this code should only free the headers if the callback was never
- invoked and thus the headers weren't freed at that time.
+ Due to their age (we don't fully know if they actually remain) and lack
+ of detail - very few people will bother to find out what they're about
+ or work on them. If people truly still suffer from any of these, I
+ assume they will be reported again and then we'll deal with them.
- Reported-by: Davey Shafik
+ 72. "Pausing pipeline problems."
+ https://curl.haxx.se/mail/lib-2009-07/0214.html
+
+ 70. Problem re-using easy handle after call to curl_multi_remove_handle
+ https://curl.haxx.se/mail/lib-2009-07/0249.html
+
+ 68. "More questions about ares behavior".
+ https://curl.haxx.se/mail/lib-2009-08/0012.html
-- [Anders Bakken brought this change]
+- KNOWN_BUGS: remove 92 and 88, fixed
- getconnectinfo: Don't call recv(2) if socket == -1
+- http2: fix connection reuse when PING comes after last DATA
- Closes #528
-
-- CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
+ It turns out the google GFE HTTP/2 servers send a PING frame immediately
+ after a stream ends and its last DATA has been received by curl. So if
+ we don't drain that from the socket, it makes the socket readable in
+ subsequent checks and libcurl then (wrongly) assumes the connection is
+ dead when trying to reuse the connection.
- ... if there are more than one using the same name
+ Reported-by: Joonas Kuorilehto
+
+ Discussed in #750
-- http2: minor comment typo
+- multi: remove trailing space in debug output
-- sasl; fix checksrc warnings
+- RELEASE-NOTES: synced with 86e97b642fb
-Steve Holme (15 Nov 2015)
-- RELEASE-NOTES: Adjusted for the recent OAuth 2.0 activity
+- CHECKSRC.md: mention cmdline options, fix the bullet list
-- tests: Disabled 889 and 890 until we support POP3 continuation responses
+- docs/CHECKSRC.md: initial version
+
+Steve Holme (3 Apr 2016)
+- checksrc.bat: Added support for the examples
+
+Daniel Stenberg (3 Apr 2016)
+- lib/src: fix the checksrc invoke
- As POP3 final and continuation responses both begin with a + character,
- and both the finalcode and contcode variables in SASLprotoc are set as
- such, we cannot tell the difference between them when we are expecting
- an optional continuation from the server such as the following:
+ ... now works correctly when invoke from the root makefile
+
+- nw: please the stricter checksrc
+
+Steve Holme (3 Apr 2016)
+- checksrc.bat: Re-enabled the tests directory by default
- + something else from the server
- +OK final response
+ Following the recent changes to the source in the tests directory,
+ re-enabled tests for the default scan.
+
+- checksrc.bat: Added tests/server directory support
- Disabled these tests until such a time we can tell the responses apart.
+ In addition to commit 83b174b3f0 and following the recent changes.
-- tests: Corrected typos from commit ba4d8f7eba
+- tests: Fixed header files to comply with our code style
-- tests: Added OAUTHBEARER failure response tests
+Daniel Stenberg (3 Apr 2016)
+- make checksrc: run it in docs/examples too by default
-- oauth2: Support OAUTHBEARER failures sent as continuation responses
-
- According to RFC7628 a failure message may be sent by the server in a
- base64 encoded JSON string as a continuation response.
+- docs/examples: remove spurious white spaces all over
- Currently only implemented for OAUTHBEARER and not XAUTH2.
+ ... to please the new, slightly picker, checksrc.pl
-Daniel Stenberg (15 Nov 2015)
-- RELEASE-NOTES: synced with 808a17ee675
+- tests: fix make checksrc in servers/
-Steve Holme (14 Nov 2015)
-- tests: Renamed existing OAuth 2.0 (XOAUTH) tests
+- tests: 'make checksrc' now checks server/ too
-- tests: Added OAuth 2.0 (OAUTHBEARER) tests
+- root/make: have checksrc run in include/curl too
-- oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
-
- OAUTHBEARER is now the official "registered" SASL mechanism name for
- OAuth 2.0. However, we don't want to drop support for XOAUTH2 as some
- servers won't support the new mechanism yet.
+- tests/server: comply with our code style
-Daniel Stenberg (13 Nov 2015)
-- RELEASE-NOTES: recounted curl_easy_setopt() options
+- code: style updates
-- typecheck-gcc.h: add missing slist-using options
+- checksrc: check for more malplaced spaces
+
+- unit: make unit test source code checksrc compliant
+
+- checksrc: run checksrc in tests when 'make checksrc' in root
+
+- checksrc: remove debug crap
+
+- lib557: allow too long lines
+
+- checksrc: allow ignore of specific warnings within a file (section)
+
+- checksrc: add warning names, explain on help output
+
+Steve Holme (3 Apr 2016)
+- checksrc.bat: Disable tests by default until warnings are fixed
+
+- checksrc.bat: Added support for the tests directory
+
+- vauth: Removed the need for a separate GSS-API based SPN function
+
+- curl_sasl: Fixed potential null pointer utilisation
- CURLOPT_RESOLVE and CURLOPT_PROXYHEADER were missing
+ Although this should never happen due to the relationship between the
+ 'mech' and 'resp' variables, and the way they are allocated together,
+ it does cause problems for code analysis tools:
- Also sorted the list.
+ V595 The 'mech' pointer was utilized before it was verified against
+ nullptr. Check lines: 376, 381. curl_sasl.c 376
+
+ Bug: https://github.com/curl/curl/issues/745
+ Reported-by: Alexis La Goutte
-- typecheck-gcc.h: added CURLOPT_CLOSESOCKETDATA
+- spnego: Small code tidy up
- ... and sorted curl_is_cb_data_option alphabetically
+ * Prefer dereference of string pointer rather than strlen()
+ * Free challenge pointer in one place
+ * Additional comments
-Jay Satiro (13 Nov 2015)
-- [Sebastian Pohlschmidt brought this change]
+- krb5: Small code tidy up
+
+ * Prefer dereference of string pointer rather than strlen()
+ * Free challenge pointer in one place
+ * Additional comments
- openssl: Free modules on cleanup
+- krb5_gssapi: Only process challenge when present
- Curl_ossl_init calls OPENSSL_load_builtin_modules() but
- Curl_ossl_cleanup doesn't make a call to free these modules.
+ This wouldn't cause a problem because of the way the function is called,
+ but prior to this change, we were processing the challenge message when
+ the credentials were NULL rather than when the challenge message was
+ populated.
- Bug: https://github.com/bagder/curl/issues/526
+ This also brings this part of the Kerberos 5 code in line with the
+ Negotiate code.
-Steve Holme (13 Nov 2015)
-- symbols-in-versions: Added new CURLOPTTYPE_STRINGPOINT alias
+- krb5: Fixed missing client response when mutual authentication enabled
- ...following commit aba281e762 to fix test 1119.
-
-Daniel Stenberg (13 Nov 2015)
-- curl: mark two more options strings for --libcurl output
+ Although mutual authentication is currently turned off and can only be
+ enabled by changing libcurl source code, authentication using Kerberos
+ 5 has been broken since commit 79543caf90 in this use case.
-- typecheck-gcc.h: add some missing string types
+- krb5_sspi: Only process challenge when present
- Also sorted that list alphabetically
-
-- curl.h: introducing the STRINGPOINT alias
+ This wouldn't cause a problem because of the way the function is called,
+ but prior to this change, we were processing the challenge message when
+ the credentials were NULL rather than when the challenge message was
+ populated.
- As an alias for OBJECTPOINT. Provided to allow us to grep for all string
- options easier.
+ This also brings this part of the Kerberos 5 code in line with the
+ Negotiate code.
-- cleanup: general removal of TODO (and similar) comments
+- krb5_sspi: Only generate the output token when its not allocated
- They tend to never get updated anyway so they're frequently inaccurate
- and we never go back to revisit them anyway. We document issues to work
- on properly in KNOWN_BUGS and TODO instead.
-
-- ftplistparser: remove empty function
-
-- openssl: remove #if check for 0.9.7 for ENGINE_load_private_key
-
-- openssl: all supported versions have X509_STORE_set_flags
+ Prior to this change, we were generating the output token when the
+ credentials were NULL rather than when the output token was NULL.
- Simplify by removing #ifdefs and macros
-
-- openssl: remove 0.9.3 check
+ This also brings this part of the Kerberos 5 code in line with the
+ Negotiate code.
-- openssl: remove #ifdefs for < 0.9.5 support
+- krb5: Only generate a SPN when its not known
- We only support >= 0.9.7
-
-- lib/vtls/openssl: remove unused traces of yassl ifdefs
-
-Dan Fandrich (12 Nov 2015)
-- [dfandrich brought this change]
-
- unit1603: Demote hash mismatch failure to a warning
+ Prior to this change, we were generating the SPN in the SSPI code when
+ the credentials were NULL and in the GSS-API code when the context was
+ empty. It is better to decouple the SPN generation from these checks
+ and only generate it when the SPN itself is NULL.
- The hashes can vary between architectures (e.g. Sparc differs from x86_64).
- This is not a fatal problem but just reduces the coverage of these white-box
- tests, as the assumptions about into which hash bucket each key falls are no
- longer valid.
-
-- [dfandrich brought this change]
-
- unit1603: Added unit tests for hash functions
-
-- [dfandrich brought this change]
-
- unit1602: Fixed failure in torture test
+ This also brings this part of the Kerberos 5 code in line with the
+ Negotiate code.
-Steve Holme (12 Nov 2015)
-- sasl: Re-introduced XOAUTH2 in the default enabled authentication mechanism
-
- Following the fix in commit d6d58dd558 it is necessary to re-introduce
- XOAUTH2 in the default enabled authentication mechanism, which was
- removed in commit 7b2012f262, otherwise users will have to specify
- AUTH=XOAUTH2 in the URL.
+Daniel Stenberg (3 Apr 2016)
+- tests/libtest: follow our code style guidelines better
- Note: OAuth 2.0 will only be used when the bearer is specified.
+ ... checksrc of all test code is pending.
-- [Stefan Bühler brought this change]
-
- sasl_sspi: fix identity memory leak in digest authentication
+- checksrc.whitelist: remove fopen() uses
-- [Stefan Bühler brought this change]
+- formdata: use appropriate fopen() macros
- sasl_sspi: fixed unicode build for digest authentication
+- checksrc: improve the fopen() parser somewhat
- Closes #525
-
-- oauth2: Re-factored OAuth 2.0 state variable
+ The quote scanner was too fragile, now look for a comma instead to find
+ the mode argument.
-- sasl: Don't choose OAuth 2.0 if mechanism not advertised
+- unit1604: fix snprintf
- Regression from commit 9e8ced9890 which meant if --oauth2-bearer was
- specified but the SASL mechanism wasn't supported by the server then
- the mechanism would be chosen.
-
-Daniel Stenberg (12 Nov 2015)
-- runtests: more compact "System characteristics" output
+ follow-up to 0326b06
- - no point in repeating curl features that is already listed as features
- from the curl -V output
+ sizeof(pointer) is no good for the buffer size!
- - remove the port numbers/unix domain path from the output unless
- verbose is used, as that is rarely interesting to users.
-
-- runtests: rename conditional curl-features to $has_[name]
+ Reported-by: Viktor Szakats
-Steve Holme (11 Nov 2015)
-- oauth2: Introduced support for host and port details
+Steve Holme (3 Apr 2016)
+- unittests: Fixed compilation warnings
- Added support to the OAuth 2.0 message function for host and port, in
- order to accommodate the official OAUTHBEARER SASL mechanism which is
- to be added shortly.
-
-- curl_setup.h: Removed duplicate CURL_DISABLE_RTSP when HTTP_ONLY defined
-
-- cmake: Add missing feature macros in config header (Part 2)
+ warning: implicit declaration of function 'sprintf_was_used'
+ [-Wimplicit-function-declaration]
- In addition to commit a215381c94 added the RTSP, RTMP and SMB protocols.
+ Follow up to the modications made to tests/libtest in commit 55452ebdff
+ as we prefer not to use sprintf() now.
-Daniel Stenberg (10 Nov 2015)
-- [Douglas Creager brought this change]
-
- cmake: Add missing feature macros in config header
-
- The curl_config.h file can be generated either from curl_config.h.cmake
- or curl_config.h.in, depending on whether you're building using CMake or
- the autotools. The CMake template header doesn't include entries for
- all of the protocols that you can disable, which (I think) means that
- you can't actually disable those protocols when building via CMake.
+Daniel Stenberg (2 Apr 2016)
+- curl.1: -w filename_effective was introduced in 7.26.0
- Closes #523
+ We never made a 7.25.1 release
-- [Douglas Creager brought this change]
+- 7.49.0: next release version
- BoringSSL: Work with stricter BIO_get_mem_data()
+- http2: make use of the nghttp2 error callback
- BoringSSL implements `BIO_get_mem_data` as a function, instead of a
- macro, and expects the output pointer to be a `char **`. We have to add
- an explicit cast to grab the pointer as a `const char **`.
+ It offers extra info from nghttp2 in certain error cases. Like for
+ example when trying prior-knowledge http2 on a server that doesn't speak
+ http2 at all. The error message is passed on as a verbose message to
+ libcurl.
- Closes #524
-
-- http2: rectify the http2 version #if check
+ Discussed in #722
- We need 1.0.0 or later. Also verified by configure.
-
-Steve Holme (9 Nov 2015)
-- oauth2: Don't use XAUTH2 in OAuth 2.0 function name
-
-- oauth2: Don't use XOAUTH2 in OAuth 2.0 variables
+ The error callback was added in nghttp2 1.9.0
-- oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments
+Steve Holme (2 Apr 2016)
+- spnego: Renamed the context's SPN variable
- When referring to OAuth 2.0 we should use the official name rather the
- SASL mechanism name.
+ To be consistent with the Kerberos 5 context and other authentication
+ code.
-Daniel Stenberg (9 Nov 2015)
-- imap: avoid freeing constant string
+- krb5_gssapi: Renamed the status variables
- The fix in 1a614c6c3 was wrong and would leed to free() of a fixed
- string.
-
- Pointed-out-by: Kamil Dudka
-
-- ROADMAP: remove two items already done
+ For consistency with the spnego code.
-- RELEASE-NOTES: synced with 2200bf62054
-
-Jay Satiro (9 Nov 2015)
-- acinclude: Remove check for 16-bit curl_off_t
+- krb5: Moved host from Curl_auth_create_gssapi_user_message() to be argument
- Because it's illogical to check for a 16-bit curl_off_t.
+ For consistency with the spnego and oauth2 code moved the setting of
+ the host name outside of the Curl_auth_create_gssapi_user_messag()
+ function.
- Ref: https://github.com/bagder/curl/issues/425#issuecomment-154964205
-
-Dan Fandrich (8 Nov 2015)
-- tool: Fixed a memory leak on OOM introduced in 19cb0c4a
+ This will allow us to more easily override it in the future.
-Steve Holme (8 Nov 2015)
-- [Justin Ehlert brought this change]
+- test1119: Fixed missing CURL_DID_MEMORY_FUNC_TYPEDEFS symbol
- imap: Don't check for continuation when executing a CUSTOMREQUEST
+- RELEASE-NOTES: Removed "http_negotiate: Corrected host and proxy host name"
- Bug: https://github.com/bagder/curl/issues/486
- Closes https://github.com/bagder/curl/pull/487
+ As this was introduced in the recent vauth changes and not a prior
+ release.
-Daniel Stenberg (7 Nov 2015)
-- imap: checksrc: remove space after while before paren
+Daniel Stenberg (1 Apr 2016)
+- RELEASE-NOTES: synced with 0aa8da10bbdafa
-- checksrc.whitelist: "missing space after close paren"
+Steve Holme (1 Apr 2016)
+- http_negotiate: Corrected host and proxy host name being wrong way round
- ... when it was within a string!
-
-Steve Holme (7 Nov 2015)
-- opts: Corrected TLS protocols list to include POP3S rather than POP3
+ I had accidentally used the proxy server name for the host and the host
+ server name for the proxy in commit ad5e9bfd5d and 6d6f9ca1d9. Whilst
+ Windows SSPI was quite happy with this, GSS-API wasn't.
+
+ Thanks-to: Michael Osipov
-- imap: Quote other 'atom-specials' and not just the space character
+- build: Changed the Visual Studio projects warning level from 3 to 4
- Closes #517
+ After squashing most of our compiler warnings, up'ed the default
+ warning level from 3 to 4 in order to increase the likelyhood of
+ catching future warnings.
-- imap: Fixed double quote in LIST command when mailbox contains spaces
+Daniel Stenberg (1 Apr 2016)
+- [ehlertjd@gmail.com brought this change]
-Daniel Stenberg (6 Nov 2015)
-- imap: fix compiler warning
+ IMAP: check pointer before dereferencing it
- imap.c:657:13: error: assignment discards 'const' qualifier from pointer
- target type [-Werror=discarded-qualifiers]
+ may be null in the CURLOPT_CONNECT_ONLY case
+
+ Fixes #747
-Steve Holme (6 Nov 2015)
-- imap: Don't call imap_atom() when no mailbox specified in LIST command
+Steve Holme (1 Apr 2016)
+- .gitignore: Added new VC14 SQLite based program database files
-Daniel Stenberg (6 Nov 2015)
-- curl.1: remove the overlap --range example
+- curl_memory.h: Fixed typo in comment
- ... it is just weird to include by default even if it still works.
+ From commit 7218b52c49.
-- tftp tests: verify sent options too
+- spnego: Corrected some typos in comments
- The tftpd test server now logs all received options and thus all TFTP
- test cases need to match them exactly.
+ Corrected typos from commit ad5e9bfd5d and 6d6f9ca1d9.
+
+- memdebug: Ensure curl/curl.h is included before curl_memory.h
- Extended test 283 to use and verify --tftp-blksize.
+ Follow up to commit 7db9782dd6.
-Jay Satiro (6 Nov 2015)
-- getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value
+Daniel Stenberg (1 Apr 2016)
+- upload: missing rewind call could make libcurl hang
- - Set user info param to the socket returned by Curl_getconnectinfo,
- regardless of if the socket is bad. Effectively this means the user info
- param now will receive CURL_SOCKET_BAD instead of -1 on bad socket.
+ When an upload is done, there are two places where that can be detected
+ and only one of them would rewind the input stream - which sometimes is
+ necessary for example when doing NTLM HTTP POSTs and more.
- - Remove incorrect comments.
+ This could then end up libcurl hanging.
- CURLINFO_ACTIVESOCKET is documented to write CURL_SOCKET_BAD to user
- info param but prior to this change it wrote -1.
+ Figured-out-by: Isaac Boukris
+ Reported-by: Anatol Belski
- Bug: https://github.com/bagder/curl/pull/518
- Reported-by: Marcel Raad
+ Fixes #741
-Patrick Monnerat (5 Nov 2015)
-- curl_ntlm_core: fix 2 curl_off_t constant overflows.
-
-- os400: adjust specific code to support new options.
-
-Daniel Stenberg (2 Nov 2015)
-- [Lauri Kasanen brought this change]
-
- rawstr: Speed up Curl_raw_toupper by 40%
+- curl.h: define CURL_DID_MEMORY_FUNC_TYPEDEFS
- Rationale: when starting up a curl-using app, all cookies from the jar
- are checked against each other. This was causing a startup delay in the
- Fifth browser.
+ So that we only do the extra typedefs in curl_memory.h when we really
+ need to and avoid double typedefs.
- All tests pass.
+ follow-up commit to 7218b52c49aeb1
- Signed-off-by: Lauri Kasanen <cand@gmx.com>
+ Thanks-to: Steve Holme
-- http redirects: %-encode bytes outside of ascii range
+- curl/mprintf.h: remove support for _MPRINTF_REPLACE
- Apparently there are sites out there that do redirects to URLs they
- provide in plain UTF-8 or similar. Browsers and wget %-encode such
- headers when doing a subsequent request. Now libcurl does too.
+ The define is not in our name space and is therefore not protected by
+ our API promises.
- Added test 1138 to verify.
+ It was only really used by libcurl internals but was mostly erased from
+ there already in 8aabbf5 (March 2015). This is supposedly the final
+ death blow to that define from everywhere.
- Closes #473
-
-- RELEASE-NOTES: synced with cba5bc585410
-
-- symbols-in-version: add all CURL_HTTPPOST_* symbols
-
-- formadd: support >2GB files on windows
+ As a side-effect, making sure _MPRINTF_REPLACE is gone and not used, I
+ made the lib tests in tests/libtest/ use curl_printf.h for its redefine
+ magic and then subsequently the use of sprintf() got banned in the tests
+ as well (as it is in libcurl internals) and I then replaced them all
+ with snprintf().
- Closes #425
+ In the unlikely event that any users is actually using this define and
+ gets sad by this change, it is very easily copied to the user's own
+ code.
-- curl.h: s/HTTPPOST_/CURL_HTTPOST_
+- curl_memory.h: avoid the curl/curl.h include
- Fixes a name space pollution at the cost of programs using one of these
- defines will no longer compile. However, the vast majority of libcurl
- programs that do multipart formposts use curl_formadd() to build this
- list.
-
- Closes #506
+ Discussed in #743
-- mbedtls: fix "Structurally dead code"
+Steve Holme (1 Apr 2016)
+- url: Corrected get protocol family for FTP and LDAP
- CID 1332129
+ Fixed copy/paste error from commit a5aec58726.
-- mbedtls: fix "Logically dead code"
+Jay Satiro (31 Mar 2016)
+- strerror: don't bit shift a signed integer
- CID 1332128
+ Bug: https://github.com/curl/curl/issues/744
+ Reported-by: Alexis La Goutte
-- Revert "openssl: engine: remove double-free"
-
- This reverts commit 370ee919b37cc9a46c36428b2bb1527eae5db2bd.
-
- Issue #509 has all the details but it was confirmed that the crash was
- not due to this, so the previous commit was wrong.
+Daniel Stenberg (31 Mar 2016)
+- http2: more documentation for prior knowledge
-- curl.1: -E: s/private certificate/client certificate
-
- ... as the certificate is strictly speaking not private.
-
- Reported-by: John Levon
+- [Diego Bes brought this change]
-- openssl: engine: remove double-free
+ http2: support "prior knowledge", no upgrade from HTTP/1.1
- After a successful call to SSL_CTX_use_PrivateKey(), we must not call
- EVP_PKEY_free() on the key.
+ Supports HTTP/2 over clear TCP
- Reported-by: nased0
- Closes #509
-
-Jay Satiro (27 Oct 2015)
-- socks: Fix incorrect port numbers in failed connect messages
-
-Daniel Stenberg (26 Oct 2015)
-- DISTRO-DILEMMA: removed
+ - Optimize switching to HTTP/2 by removing calls to init and setup
+ before switching. Switching will eventually call setup and setup calls
+ init.
- Out of date and not kept accurate. It was sort of a problem of the past
- anyway.
-
-- [xiangbin li brought this change]
-
- MacOSX-Framework: sdk regex fix for sdk 10.10 and later
+ - Supports new version to “force” the use of HTTP/2 over clean TCP
- closes #507
+ - Add common line parameter “--http2-prior-knowledge” to the Curl
+ command line tool.
-Jay Satiro (24 Oct 2015)
-- build: Fix support for PKG_CONFIG
-
- - Allow the user to use PKG_CONFIG but not PKGCONFIG.
+- imap: remove duplicated function
- Background:
+ The list and search response functions were identical! Merged into one
+ now. Detected by PVS Studio.
- Last week in 14d5a86 a change was made to allow the user to set the
- PKGCONFIG variable. Today in 72d99f2 I supplemented that to allow the
- more common PKG_CONFIG as an alternative if PKGCONFIG is not set.
-
- Neither of those changes worked as expected because PKGCONFIG is
- occasionally reset in configure and by the CURL_CHECK_PKGCONFIG macro.
- Instead in this commit I take the approach that the user may set
- PKG_CONFIG only.
+ Reported-by: Alexis La Goutte
-- build: Fix mingw ssl gdi32 order
-
- - If mingw ssl make sure -lgdi32 comes after ssl libs
+- SOCKS5_gssapi_negotiate: don't assume little-endian ints
- - Allow PKG_CONFIG to set pkg-config location and options
+ The code copied one byte from a 32bit integer, which works fine as long
+ as the byte order is the same. Not a fine assumption. Reported by PVS
+ Studio.
- Bug: https://github.com/bagder/curl/pull/501
- Reported-by: Kang Lin
+ Reported-by: Alexis La Goutte
-Daniel Stenberg (23 Oct 2015)
-- RELEASE-NOTES: synced with 03b6e078163f
+- http: remove ((expression)) double parentheses
-- polarssl/mbedtls: fix name space pollution
+- Curl_add_buffer_send: avoid possible NULL dereference
- Global private symbols MUST start with Curl_!
-
-- [Dmitry S. Baikov brought this change]
-
- mbedTLS: THREADING_SUPPORT compilation fix
+ ... as we check for a NULL pointer below, we move the derefence to after
+ the check. Detected by PVS Studio.
- Closes #505
+ Reported-by: Alexis La Goutte
-- test1137: verify --ignore-content-length for FTP
-
-- curl.1: --ignore-content-length now works for FTP too
+- file: remove duplicate checks of the same variable
+
+ ... as it doesn't change in between. Deteced by PVS Studio.
+
+ Reported-by: Alexis La Goutte
-- [Kurt Fankhauser brought this change]
+Steve Holme (30 Mar 2016)
+- [Marcel Raad brought this change]
- ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size
+ openssl: Fix compilation warnings
- This allows FTP transfers with growing (or shrinking) files without
- causing a transfer error.
+ When compiling with OpenSSL 1.1.0 (so that the HAVE_X509_GET0_SIGNATURE
+ && HAVE_X509_GET0_EXTENSIONS pre-processor block is active), Visual C++
+ 14 complains:
- Closes #480
+ warning C4701: potentially uninitialized local variable 'palg' used
+ warning C4701: potentially uninitialized local variable 'psig' used
-- CURLOPT_STREAM_WEIGHT.3: call argument 'weight' too
+Daniel Stenberg (30 Mar 2016)
+- multi: turn Curl_done into file local multi_done
- ... and add a little example of what the weight actually means. "Relative
- proportion of bandwidth".
+ ... as it now is used by multi.c only.
-- http2: add stream options to dist and curl_easy_setopt.3
-
-- http2: s/priority/weight
+- multi: multi_reconnect_request is the former Curl_reconnect_request
+
+ now a file local function in multi.c
-- http2: on_frame_recv: trust the conn/data input
+- multi: move Curl_do and Curl_do_done to multi.c and make static
- Removed wrong assert()s
+ ... called multi_do and multi_do_done as they're file local now.
+
+Jay Satiro (29 Mar 2016)
+- wolfssl: Use ECC supported curves extension
- The 'conn' passed in as userdata can be used and there can be other
- sessionhandles ('data') than the single one this checked for.
+ https://github.com/wolfSSL/wolfssl/issues/366
-- http2: added three stream prio/deps options
+- build-wolfssl: Allow a broader range of ciphers (Visual Studio)
- CURLOPT_STREAM_DEPENDS
+ This is an update to the build-time options used to build wolfSSL in
+ Visual Studio for greater compatibility, and make it behave similar to
+ the way OpenSSL 1.0.2 behaves. Starting in wolfSSL v3.6.6 static ciphers
+ and SSLv3 are disabled by default at build time, but we can use both.
- CURLOPT_STREAM_DEPENDS_E
+ - Enable static cipher suites TLS_ECDH_ and TLS_RSA_.
- CURLOPT_STREAM_PRIORITY
-
-- RELEASE-NOTES: synced with ace68fdc0cfed83d
+ - Enable SSLv3 hello. Though in libcurl we disable it by default at
+ runtime, we make it available so the user can manually select it if
+ necessary.
-- [m-gardet brought this change]
+Daniel Stenberg (29 Mar 2016)
+- [Isaac Boukris brought this change]
- mbedtls:new profile with RSA min key len = 1024.
+ GSS: make Curl_gss_log_error more verbose
- Closes #502
-
-- checksrc: add crude // detection
-
-Jay Satiro (21 Oct 2015)
-- [Gisle Vanem brought this change]
-
- build: fix for MSDOS/djgpp
+ Also display the GSS_C_GSS_CODE (major code) when specified instead of
+ only GSS_C_MECH_CODE (minor code).
- - Add a VPATH-statement for the vtls/*.c files.
+ In addition, the old code was printing a colon twice after the prefix
+ and also miscalculated the length of the buffer in between calls to
+ gss_display_status (the length of ": " was missing).
- - Due to 'vtls/*.c', remove that subdir part from $(OBJECTS).
-
-Daniel Stenberg (20 Oct 2015)
-- copyrights: update Gisle Vanem's email
-
-- vtls: fix compiler warning for TLS backends without sha256
+ Also, gss_buffer is not guaranteed to be NULL terminated and thus need
+ to restrict reading by its length.
- ... noticed with mbedTLS.
-
-- [Jonas Minnberg brought this change]
+ Closes #738
- vtls: added support for mbedTLS
+- build: use roffit 0.11 feature
- closes #496
+ ... load file specified as argument.
-Jay Satiro (19 Oct 2015)
-- [Javier G. Sogo brought this change]
-
- cmake: Fix for add_subdirectory(curl) use-case
-
- - Use CURL_BINARY_DIR instead of CMAKE_BINARY_DIR.
+- http2: set correct scheme in handler structs [regression]
- When including CURL using add_subdirectory the variables
- CMAKE_BINARY_DIR and CURL_BINARY_DIR hold different paths.
+ Since commit a5aec58 the handler schemes need to match for the
+ connections to be reused and for HTTP/2 multiplexing to work, reusing
+ connections is very important!
- Closes https://github.com/bagder/curl/pull/488
- Closes https://github.com/bagder/curl/pull/498
+ Closes #736
-Daniel Stenberg (18 Oct 2015)
-- RELEASE-NOTES: synced with 4c773bcb474e
+- hostip.c: minor white space edit for style
+
+- [Viktor Szakats brought this change]
-- tests/FILEFORMAT: mention PSL as a valid feture to check for
+ TODO: use secure protocol in recently added URL
- For example in test 1136
+ Closes #733
-- teste1136: only run when PSL is enabled
+- HTTP2.md: mention libressl and boringssl too
-- curl: slist_wc: remove curl_memory.h inclusion
-
- ... that's for the library only.
+- docs/HTTP-COOKIES: converted to markdown
-- configure: add PSL to the list of features
-
- ... to make test 1014 work again after e77b5b7453.
+- HTTP2: s/polarssl/mbedtls
-- [Daniel Hwang brought this change]
+Jay Satiro (28 Mar 2016)
+- wolfssl: Add ALPN support
- tool: Generate easysrc with last cache linked-list
+- tool_operate: remove mixed declaration
- Using a last cache linked-list improves the performance of easysrc
- generation.
-
- Bug: https://github.com/bagder/curl/issues/444
- Ref: https://github.com/bagder/curl/issues/429
+ This is a follow up to the previous commit.
+
+Daniel Stenberg (28 Mar 2016)
+- curl: warn for --capath use if not supported by libcurl
- Closes #452
+ Closes #492
-- [Tim Rühsen brought this change]
+- TODO: 2.5 Edge-triggered sockets should work
- cookies: Add support for Mozilla's Publix Suffix List
+- Makefile.am: skip the scripts dir
- Use libpsl to check the domain value of Set-Cookie headers (and cookie
- jar entries) for not being a Publix Suffix.
+ Skipping the scripts dir is primarily done for 'make install' so that it
+ does not attempt to install the zsh completion script as we've not yet
+ found a proper way to do/run that at install time.
- The configure script checks for "libpsl" by default. Disable the check
- with --without-libpsl.
+ By leaving the script dir's Makefile in place, a user can still opt to
+ run make install manually in there.
- Ref: https://publicsuffix.org/
- Ref: https://github.com/publicsuffix/list
- Ref: https://github.com/rockdaboot/libpsl
-
-- [Richard Hosking brought this change]
+ Closes #620
- curlbuild.h: Fix non-configure compiling to mips and sh4 targets
-
-- [Anders Bakken brought this change]
+- CURLMOPT_SOCKETFUNCTION.3: describe the 'what' argument
- http2: Don't pass unitialized name+len pairs to nghttp2_submit_request
+- curl_multi_socket_action.3: mark the options properly
- bug introduced by 18691642931e5c7ac8af83ac3a84fbcb36000f96.
-
- Closes #493
+ ... to make them appear as links on the html version.
-Dan Fandrich (16 Oct 2015)
-- test1601: fix compilation with --enable-debug and --disable-crypto-auth
+Steve Holme (27 Mar 2016)
+- RELEASE-NOTES: Synced with f0bdd72c10
-Daniel Stenberg (16 Oct 2015)
-- multi: fix off-by-one finit[] array size
+- http_ntlm: Renamed from curl_ntlm.[c|h]
- introduced in c6aedf680f6. It needs to be CURLM_STATE_LAST big since it
- must hande the range 0 .. CURLM_STATE_MSGSENT (18) and CURLM_STATE_LAST
- is 19 right now.
+ Renamed the header and source files for this module as they are HTTP
+ specific and as such, they should use the naming convention as other
+ HTTP authentication source files do - this revert commit 260ee6b7bf.
- Reported-by: Dan Fandrich
- Bug: http://curl.haxx.se/mail/lib-2015-10/0069.html
+ Note: We could also rename curl_ntlm_wb.[c|h], however, the Winbind
+ code needs separating from the HTTP protocol and migrating into the
+ vauth directory, thus adding support for Winbind to the SASL based
+ protocols such as IMAP, POP3 and SMTP.
-- fread_func: move callback pointer from set to state struct
-
- ... and assign it from the set.fread_func_set pointer in the
- Curl_init_CONNECT function. This A) avoids that we have code that
- assigns fields in the 'set' struct (which we always knew was bad) and
- more importantly B) it makes it impossibly to accidentally leave the
- wrong value for when the handle is re-used etc.
-
- Introducing a state-init functionality in multi.c, so that we can set a
- specific function to get called when we enter a state. The
- Curl_init_CONNECT is thus called when switching to the CONNECT state.
-
- Bug: https://github.com/bagder/curl/issues/346
+Daniel Stenberg (27 Mar 2016)
+- [marquis-de-muesli brought this change]
+
+ docs: curlinfo_filetime sftp support, new curlopt_quote "statvfs"
- Closes #346
+ Closes #677
-Dan Fandrich (14 Oct 2015)
-- test1531: case the size to fix the test on non-largefile builds
+- [marquis-de-muesli brought this change]
-Daniel Stenberg (13 Oct 2015)
-- acinclude: remove PKGCONFIG override
-
- ... and allow it to get set by a caller easier.
+ SSH: new CURLOPT_QUOTE command "statvfs"
- Reported-by: Rainer Jung
- Bug: http://curl.haxx.se/mail/lib-2015-10/0035.html
+ usage: "statvfs path"
+ returns remote file system statistics
-Dan Fandrich (12 Oct 2015)
-- docs/INSTALL: Updated example minimal binary sizes
+- [marquis-de-muesli brought this change]
-Daniel Stenberg (11 Oct 2015)
-- [Erik Johansson brought this change]
+ SSH: support CURLINFO_FILETIME
- openssl: Fix set up of pkcs12 certificate verification chain
-
- sk_X509_pop will decrease the size of the stack which means that the loop would
- end after having added only half of the certificates.
-
- Also make sure that the X509 certificate is freed in case
- SSL_CTX_add_extra_chain_cert fails.
+- [Karlson2k brought this change]
-- ntlm: error out without 64bit support as the code needs it
+ sshserver.pl: use quotes for given options
- It makes it a clearer message for developers reaching that point without
- the necessary support.
+ Fixed failed redirection of stderr with some options. At least on Msys2,
+ perl fails to redirect stderr if $value contains newline or other weird
+ characters.
+
+Jay Satiro (26 Mar 2016)
+- url: don't use bad offset in tld_check_name to show error
- Thanks-by: Jay Satiro
+ libidn's tld_check_lz returns an error offset of the first character
+ that it failed to process, however that offset is not a byte offset and
+ may not even be in the locale encoding therefore we can't use it to show
+ the user the character that failed to process.
- Closes #78
+ Bug: https://github.com/curl/curl/issues/731
+ Reported-by: Karlson2k
-- curl_global_init: set the memory function pointers correct
+Steve Holme (26 Mar 2016)
+- http_negotiate: Combine GSS-API and SSPI source files
- follow-up from 6f8ecea0
+ As the GSS-API and SSPI based source files are no longer library/API
+ specific, following the extraction of that authentication code to the
+ vauth directory, combine these files rather than maintain two separate
+ versions.
-- curl_global_init_mem: set function pointers before doing init
+- vauth: Moved the Negotiate authentication code to the new vauth directory
- ... as in the polarssl TLS backend for example it uses memory functions.
+ Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
-Jay Satiro (9 Oct 2015)
-- http2: Fix http2_recv to return -1 if recv returned -1
+- vauth: Moved the Negotiate authentication code to the new vauth directory
- If the underlying recv called by http2_recv returns -1 then that is the
- value http2_recv returns to the caller.
-
-Daniel Stenberg (8 Oct 2015)
-- [Svyatoslav Mishyn brought this change]
+ Part 1 of 2 - Moved the SSPI based Negotiate authentication code.
- curl_easy_recv.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
+- warnless.h: Removed spurious character from commit 696bc6b9c9
- Closes #479
+ Not picked up by checksrc or Visual Studio but my own code review, this
+ would haven broken Intel based Unix builds - Perhaps I should learn to
+ type on my laptop's keyboard before committing!
-- [Svyatoslav Mishyn brought this change]
-
- curl_easy_send.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
-
-- [Svyatoslav Mishyn brought this change]
+- schannel: Fixed compilation warning from commit f8d88a4913
+
+ warning C4244: '=': conversion from 'int' to 'unsigned short', possible
+ loss of data
- CURLOPT_CONNECT_ONLY.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
+- warnless?: Added some integer based conversion functions
-- CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO
+Daniel Stenberg (25 Mar 2016)
+- [Dusty Mabe brought this change]
-- ntlm: get rid of unconditional use of long long
-
- ... since some compilers don't have it and instead use other types, such
- as __int64.
+ docs/TODO: Add feature request for metalink in HTTP headers
- Reported by: gkinseyhpw
- Closes #478
+ Closes #729
+ Closes #728
-Jay Satiro (8 Oct 2015)
-- [Anders Bakken brought this change]
+Steve Holme (25 Mar 2016)
+- build: Corrected typos from commit 70e56939aa
- des: Fix header conditional for Curl_des_set_odd_parity
+- vauth: Refactored function names after move to new vauth directory
- Follow up to 613e502.
+ Renamed all the SASL functions that moved to the new vauth directory to
+ include the correct module name.
-Daniel Stenberg (7 Oct 2015)
-- configure: build silently by default
+- vauth: Updated the copyright year after recent changes
- 'make V=1' will make the build verbose like before
+ As most of this work was performed in 2015 but not pushed until 2016
+ updated the copyright year to reflect the public facing changes.
-- bump: start climbing toward 7.46.0
+- vauth: Moved the OAuth 2.0 authentication code to the new vauth directory
-- RELEASE-PROCEDURE: add the github HTTPS download step
+- vauth: Moved the NTLM authentication code to the new vauth directory
-Version 7.45.0 (7 Oct 2015)
+- vauth: Moved the Kerberos V5 authentication code to the new vauth directory
-Daniel Stenberg (7 Oct 2015)
-- THANKS: 19 new contributors from the 7.45.0 announcement
+- digest.c: Fixed checksrc warnings
-- RELEASE-NOTES: synced with 69ea57970080
+- vauth: Moved the DIGEST authentication code to the new vauth directory
-Jay Satiro (4 Oct 2015)
-- getinfo: Fix return code for unknown CURLINFO options
-
- - If a CURLINFO option is unknown return CURLE_UNKNOWN_OPTION.
-
- Prior to this change CURLE_BAD_FUNCTION_ARGUMENT was returned on
- unknown. That return value is contradicted by the CURLINFO option
- documentation which specifies a return of CURLE_UNKNOWN_OPTION on
- unknown.
+- vauth: Moved the CRAM-MD5 authentication code to the new vauth directory
-- [rouzier brought this change]
+- vauth: Moved the ClearText authentication code to the new vauth directory
- hiperfifo: fix the pointer passed to WRITEDATA
-
- Closes https://github.com/bagder/curl/pull/471
+- vauth: Moved Curl_sasl_build_spn() to create the initial vauth source files
-- [Maksim Stsepanenka brought this change]
+- checksrc.bat: Added support for checking the new vauth directory
- tool_setopt: fix c_escape truncated octal
+- build: Updated all makefiles and project files for the new vauth directory
- Closes https://github.com/bagder/curl/pull/469
+ Updated the makefiles and Visual Studio project files to support moving
+ the authentication code to the new lib/vauth directory that was started
+ in commit 0d04e859e1.
-Daniel Stenberg (1 Oct 2015)
-- [Orange Tsai brought this change]
+Daniel Stenberg (24 Mar 2016)
+- [JDepooter brought this change]
- gopher: don't send NUL byte
+ schannel: Add ALPN support
- Closes #466
-
-Jay Satiro (29 Sep 2015)
-- runtests: Fix pid check in checkdied
+ Add ALPN support for schannel. This allows cURL to negotiate
+ HTTP/2.0 connections when built with schannel.
- Because the 'not' operator has a very low precedence and as a result the
- entire statement was erroneously negated and could never be true.
-
-Daniel Stenberg (30 Sep 2015)
-- [Thorsten Schöning brought this change]
-
- win32: make recent Borland compilers use long long
-
-- RELEASE-NOTES: synced with 69b89050d4
+ Closes #724
-Jay Satiro (28 Sep 2015)
-- [Michael Kalinin brought this change]
+Steve Holme (24 Mar 2016)
+- http: Minor update based on CODE_STYLE guidelines
- openssl: Fix algorithm init
-
- - Change algorithm init to happen after OpenSSL config load.
+Daniel Stenberg (23 Mar 2016)
+- multi: fix "Operation timed out after" timer
- Additional algorithms may be available due to the user's config so we
- initialize the algorithms after the user's config is loaded.
+ Use the local, reasonably updated, 'now' value when creating the message
+ string to output for the timeout condition.
- Bug: https://github.com/bagder/curl/issues/447
- Reported-by: Denis Feklushkin
+ Fixes #619
-- [Svyatoslav Mishyn brought this change]
-
- docs: fix unescaped '\n' in man pages
+- openssl: boringssl provides the same numbering as openssl
- Closes https://github.com/bagder/curl/pull/459
-
-Daniel Stenberg (27 Sep 2015)
-- http2: set TCP_NODELAY unconditionally
+ ... so we don't need extra boringssl precautions for for
+ HAVE_ERR_REMOVE_THREAD_STATE_NOARG.
- For a single-stream download from localhost, we managed to increase
- transfer speed from 1.6MB/sec to around 400MB/sec, mostly because of
- this single fix.
+ Pointed-out-by: David Benjamin
-- http2: avoid superfluous Curl_expire() calls
+- openssl: fix ERR_remove_thread_state() for boringssl/libressl
- ... only call it when there is data arriving for another handle than the
- one that is currently driving it.
+ The removed arg is only done in OpenSSL
- Improves single-stream download performance quite a lot.
-
- Thanks-to: Tatsuhiro Tsujikawa
- Bug: http://curl.haxx.se/mail/lib-2015-09/0097.html
-
-- readwrite_data: set a max number of loops
-
- ... as otherwise a really fast pipe can "lock" one transfer for some
- protocols, like with HTTP/2.
+ Bug: https://twitter.com/xtraemeat/status/712564874098917376
-- [Sergei Nikulov brought this change]
+- bump: work on 7.48.1
- CI: Added AppVeyor-CI for curl
+- RELEASE-PROCEDURE: mention the github release tag edit
- Closes #439
+ ... and update the coming release dates a bit
-- FTP: fix uploading ASCII with unknown size
+Steve Holme (23 Mar 2016)
+- checksrc.bat: Updated the help to be consistent with generate.bat
- ... don't try to increase the supposed file size on newlines if we don't
- know what file size it is!
-
- Patch-by: lzsiga
+ Follow up to commit a8c7f0fcbf prior to release.
-- [Tatsuhiro Tsujikawa brought this change]
+Version 7.48.0 (23 Mar 2016)
- build: fix failures with -Wcast-align and -Werror
-
- Closes #457
+Daniel Stenberg (23 Mar 2016)
+- RELEASE-NOTES: curl 7.48.0
-- [Tatsuhiro Tsujikawa brought this change]
+- THANKS: 15 new contributors from 7.48.0 release
- curl-confopts.m4: Add missing ')'
-
- ... for CURL_CHECK_OPTION_RT
+Jay Satiro (23 Mar 2016)
+- CURLINFO_TLS_SSL_PTR.3: Warn about limitations
- Closes #456
-
-Jay Satiro (25 Sep 2015)
-- curl_easy_getinfo.3: Add brief description for each CURLINFO
-
-Daniel Stenberg (23 Sep 2015)
-- [Jakub Zakrzewski brought this change]
+ Bug: https://github.com/curl/curl/issues/685
- CMake: Ensure discovered include dirs are considered
+Daniel Stenberg (22 Mar 2016)
+- Revert "sshserver: remove use of AuthorizedKeysFile2"
- ...during header checks. Otherwise some following header tests
- (incorrectly) fail.
+ It seems we may have some autobuild problems after this commit went
+ in. Trying to see if a revert helps to get them back.
- Closes #436
-
-- [Jakub Zakrzewski brought this change]
+ This reverts commit 2716350d1f3edc8e929f6ceeee05051090f6d642.
- CMake: Put "winsock2.h" before "windows.h" during configure checks
+- maketgz: add -j to make dist
- "windows.h" includes "winsock.h" what causes many redefinition errors
- if "winsock2.h" is included afterwards and can cause build to fail.
+ ... makes it a lot faster
-- tests: disable 1510 due to CI-problems on github
+- libcurl-thread.3: minor nroff format fix
-- [Mike Crowe brought this change]
+- CURLINFO_TLS_SSL_PTR.3: minor nroff format fix
- gnutls: Report actual GnuTLS error message for certificate errors
-
- If GnuTLS fails to read the certificate then include whatever reason it
- provides in the failure message reported to the client.
+- CODE_STYLE: indend example code
- Signed-off-by: Mike Crowe <mac@mcrowe.com>
-
-- RELEASE-NOTES: synced with 6b56901b56e
-
-- [Mike Crowe brought this change]
+ ... to make it look nicer in markdown outputa
- gnutls: Support CURLOPT_KEYPASSWD
-
- The gnutls vtls back-end was previously ignoring any password set via
- CURLOPT_KEYPASSWD. Presumably this was because
- gnutls_certificate_set_x509_key_file did not support encrypted keys.
+Jay Satiro (22 Mar 2016)
+- build-wolfssl: Update VS properties for wolfSSL v3.9.0
- gnutls now has a gnutls_certificate_set_x509_key_file2 function that
- does support encrypted keys. Let's determine at compile time whether the
- available gnutls supports this new function. If it does then use it to
- pass the password. If it does not then emit a helpful diagnostic if a
- password is set. This is preferable to the previous behaviour of just
- failing to read the certificate without giving a reason in that case.
+ - Do not use wolfSSL's sample user-setting files.
- Signed-off-by: Mike Crowe <mac@mcrowe.com>
-
-- CURLINFO_TLS_SESSION: always return backend info
+ wolfSSL starting in v3.9.0 has added their own sample user settings that
+ are applied by default, but we don't use them because we have our own
+ settings.
- ... even for those that don't support providing anything in the
- 'internals' struct member since it offers a convenient way for
- applications to figure this out.
-
-- [Daniel Hwang brought this change]
-
- tool: remove redundant libcurl check
+ - Do not use wolfSSL's Visual Studio Unicode character setting.
- The easysrc generation is run only when --libcurl is initialized.
+ wolfSSL Visual Studio projects use the Unicode character set however our
+ settings and options imitate mingw build which does not use the Unicode
+ character set. This does not appear to have any effect at the moment but
+ better safe than sorry.
- Ref: https://github.com/bagder/curl/issues/429
- Closes #448
-
-- [Richard van den Berg brought this change]
+ These changes are backwards compatible with earlier versions.
- CURLOPT_PROXY.3: A proxy given as env variable gets no special treatment
+Steve Holme (22 Mar 2016)
+- hostip6: Fixed compilation warnings when verbose strings disabled
- Closes #449
-
-- TODO: 5.7 More compressions
+ warning C4189: 'data': local variable is initialized but not referenced
- Like for example brotli, as being implemented in Firefox now.
+ ...and some minor formatting/spacing changes.
-Jay Satiro (21 Sep 2015)
-- tool_operate: Don't call easysrc cleanup unless --libcurl
-
- - Review of 4d95491.
-
- The author changed it so easysrc only initializes when --libcurl but did
- not do the same for the call to easysrc cleanup.
+Daniel Stenberg (21 Mar 2016)
+- sshserver: remove use of AuthorizedKeysFile2
- Ref: https://github.com/bagder/curl/issues/429
-
-Daniel Stenberg (20 Sep 2015)
-- [Viktor Szakats brought this change]
-
- CURLOPT_PINNEDPUBLICKEY.3: replace test.com with example.com
+ Support for the (undocumented) AuthorizedKeysFile2 was removed in
+ OpenSSH 5.9, released in September 2011
- closes #443
+ Closes #715
-- KNOWN_BUGS: 91 "curl_easy_perform hangs with imap and PolarSSL"
+Steve Holme (20 Mar 2016)
+- connect/ntlm/http: Fixed compilation warnings when verbose strings disabled
- Closes #334
-
-- KNOWN_BUGS: add link to #85
+ warning C4189: 'data': local variable is initialized but not referenced
-- tests: disable 1801 until fixed
-
- It is unreliable and causes CI problems on github
+- openssl: Fixed compilation warning when /Wall enabled
- Closes #380
-
-- RELEASE-NOTES: synced with 4d95491636ee
-
-- [Daniel Lee Hwang brought this change]
+ warning C4706: assignment within conditional expression
- tool: generate easysrc only on --libcurl
-
- Code should only be generated when --libcurl is used.
+- CODE_STYLE: Use boolean conditions
- Bug: https://github.com/bagder/curl/issues/429
- Reported-by: @greafhe, Jay Satiro
+ Rather than use TRUE, FALSE, NULL, 0 or != 0 in if/while conditions.
- Closes #429
- Closes #442
+ Additionally, corrected some example code to adhere to the recommended
+ coding style.
-Jay Satiro (19 Sep 2015)
-- vtls: Change designator name for server's pubkey hash
-
- - Change the designator name we use to show the base64 encoded sha256
- hash of the server's public key from 'pinnedpubkey' to
- 'public key hash'.
+- inet_pton.c: Fixed compilation warnings
- Though the server's public key hash is only shown when comparing pinned
- public key hashes, the server's hash may not match one of the pinned.
+ warning: conversion to 'unsigned char' from 'int' may alter its value
-Daniel Stenberg (19 Sep 2015)
-- [Isaac Boukris brought this change]
+Daniel Stenberg (19 Mar 2016)
+- RELEASE-NOTES: synced with 80851028efc2fa9
- NTLM: Reset auth-done when using a fresh connection
+- mbedtls: fix compiler warning
- With NTLM a new connection will always require authentication.
- Fixes #435
+ vtls/mbedtls.h:67:36: warning: implicit declaration of function
+ ‘mbedtls_sha256’ [-Wimplicit-function-declaration]
-- [Daniel Hwang brought this change]
+Steve Holme (19 Mar 2016)
+- easy: Minor coding standard and style updates
+
+ Following commit c5744340db. Additionally removes the need for a second
+ 'result code' variable as well.
- ssl: add server cert's "sha256//" hash to verbose
+Jay Satiro (19 Mar 2016)
+- easy: Remove poll failure check in easy_transfer
- Add a "pinnedpubkey" section to the "Server Certificate" verbose
+ .. because curl_multi_wait can no longer signal poll failure.
- Bug: https://github.com/bagder/curl/issues/410
- Reported-by: W. Mark Kubacki
+ follow-up to 77e1726
- Closes #430
- Closes #410
-
-- [Jakub Zakrzewski brought this change]
+ Bug: https://github.com/curl/curl/issues/707
- openldap: only part of LDAP query results received
+Steve Holme (19 Mar 2016)
+- build: Added missing Visual Studio filter files for VC10 onwards
- Introduced with commit 65d141e6da5c6003a1592bbc87ee550b0ad75c2f
+ As these files don't need to contain references to the source files,
+ although typically do, added basic files which only include three
+ filters and don't require the project file generator to be modified.
- Closes #440
-
-- [Alessandro Ghedini brought this change]
-
- openssl: don't output certinfo data
+ These files allow the source code to be viewed in the Solution Explorer
+ in versions of Visual Studio from 2010 onwards in the same manner as
+ previous versions did rather than one large view of files.
-- [Alessandro Ghedini brought this change]
+- ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
+
+ warning C4706: assignment within conditional expression
- openssl: refactor certificate parsing to use OpenSSL memory BIO
+- config-w32.h: Fixed compilation warning when /Wall enabled
- Fixes #427
+ warning C4668: 'USE_IPV6' is not defined as a preprocessor macro,
+ replacing with '0' for '#if/#elif'
-Kamil Dudka (18 Sep 2015)
-- nss: prevent NSS from incorrectly re-using a session
+- imap.c: Fixed compilation warning with /Wall enabled
+
+ warning C4701: potentially uninitialized local variable 'size' used
- Without this workaround, NSS re-uses a session cache entry despite the
- server name does not match. This causes SNI host name to differ from
- the actual host name. Consequently, certain servers (e.g. github.com)
- respond by 400 to such requests.
+ Technically this can't happen, as the usage of 'size' is protected by
+ 'if(parsed)' and 'parsed' is only set after 'size' has been parsed.
- Bug: https://bugzilla.mozilla.org/1202264
+ Anyway, lets keep the compiler happy.
-- nss: check return values of NSS functions
+- KNOWN_BUGS: #93 Issue with CURLFORM_CONTENTLEN in arrays on 32-bit platforms
-Daniel Stenberg (17 Sep 2015)
-- CURLOPT_PINNEDPUBLICKEY.3: mention error code
+Daniel Stenberg (18 Mar 2016)
+- bump: the coming release is 7.48.0
-- openssl: build with < 0.9.8
+- configure: use cpp -P when needed
- ... without sha256 support and no define saying so.
+ Since gcc 5, the processor output can get split up on multiple lines
+ that made the configure script fail to figure out values from
+ definitions. The fix is to use cpp -P, and this fix now first checks if
+ cpp -P is necessary and then if cpp -P works before it uses that to
+ extract defined values.
- Reported-by: Rajkumar Mandal
+ Fixes #719
-- libcurl-errors.3: add two missing error codes
+Steve Holme (18 Mar 2016)
+- formdata.c: Fixed compilation warning
- CURLE_SSL_PINNEDPUBKEYNOTMATCH and CURLE_SSL_INVALIDCERTSTATUS
-
-Jay Satiro (14 Sep 2015)
-- CURLOPT_PINNEDPUBLICKEY.3: Improve pubkey extraction example
+ formdata.c:390: warning: cast from pointer to integer of different size
- - Show how a certificate can be obtained using OpenSSL.
+ Introduced in commit ca5f9341ef this happens because a char*, which is
+ 32-bits wide in 32-bit land, is being cast to a curl_off_t which is
+ 64-bits wide where 64-bit integers are supported by the compiler.
- Bug: https://github.com/bagder/curl/pull/430
- Reported-by: Daniel Hwang
-
-Daniel Stenberg (13 Sep 2015)
-- http2: removed unused function
-
-- CURLINFO_ACTIVESOCKET.3: mention it replaces *LASTSOCKET
-
-- opts: add CURLINFO_* man pages to dist
-
-- opts: 19 more CURLINFO_* options made into stand-alone man pages
-
-- RELEASE-NOTES: synced with fad9604613
+ This doesn't happen in 64-bit land as a pointer is the same size as a
+ curl_off_t.
+
+ This fix doesn't address the fact that a 64-bit value cannot be used
+ for CURLFORM_CONTENTLEN when set in a form array and compiled on a
+ 32-bit platforms, it does at least suppress the compilation warning.
-- curl: customrequest_helper: deal with NULL custom method
+Daniel Stenberg (18 Mar 2016)
+- FAQ: 2.5 Install libcurl for both 32bit and 64bit?
-- [Svyatoslav Mishyn brought this change]
+- [Gisle Vanem brought this change]
- CURLOPT_FNMATCH_FUNCTION.3: fix typo
+ openssl: adapt to API breakage in ERR_remove_thread_state()
- s => is
+ The OpenSSL API change that broke this is "Convert ERR_STATE to new
+ multi-threading API": openssl commit 8509dcc.
- Closes #428
+ Closes #713
-- curl: point out unnecessary uses of -X in verbose mode
-
- It uses 'Note:' as a prefix as opposed to the common 'Warning:' to take
- down the tone a bit.
+- version: init moved to private name space, added protos
- It adds a warning for using -XHEAD on other methods becasue that may
- lead to a hanging connection.
+ follow-up to 80015cdd52145
-Jay Satiro (10 Sep 2015)
-- curl_sspi: fix possibly undefined CRYPT_E_REVOKED
+- openssl: verbose: show matching SAN pattern
- Bug: https://github.com/bagder/curl/pull/411
- Reported-by: Viktor Szakats
-
-- buildconf.bat: fix syntax error
-
-- [Benjamin Kircher brought this change]
-
- winbuild: run buildconf.bat if necessary
+ ... to allow users to see which specfic wildcard that matched when such
+ is used.
+
+ Also minor logic cleanup to simplify the code, and I removed all tabs
+ from verbose strings.
-- [Svyatoslav Mishyn brought this change]
+Jay Satiro (16 Mar 2016)
+- version: thread safety
- docs: fix argument type for CURLINFO_SPEED_*, CURLINFO_SIZE_*
+Steve Holme (16 Mar 2016)
+- transfer: Removed redundant HTTP authentication include files
- long => double
+ It would also seem that share.h is not required here either as there
+ are no references to the Curl_share structure or functions.
-Daniel Stenberg (8 Sep 2015)
-- [Sergei Nikulov brought this change]
+- easy: Removed redundant HTTP authentication include files
- cmake: IPv6 : disable Unix header check on Windows platform
+Jay Satiro (15 Mar 2016)
+- CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
- Closes #409
+ Bug: https://curl.haxx.se/mail/lib-2016-03/0150.html
+ Reported-by: Oliver Graute
-- parse_proxy: reject illegal port numbers
-
- If the port number in the proxy string ended weirdly or the number is
- too large, skip it. Mostly as a means to bail out early if a "bare" IPv6
- numerical address is used without enclosing brackets.
-
- Also mention the bracket requirement for IPv6 numerical addresses to the
- man page for CURLOPT_PROXY.
-
- Closes #415
-
- Reported-by: Marcel Raad
+Steve Holme (15 Mar 2016)
+- curl_sasl: Minor code indent fixes
-- FTP: do_more: add check for wait_data_conn in upload case
-
- In some timing-dependnt cases when a 4xx response immediately followed
- after a 150 when a STOR was issued, this function would wrongly return
- 'complete == true' while 'wait_data_conn' was still set.
-
- Closes #405
+Daniel Stenberg (14 Mar 2016)
+- runtests: mention when run event-based
+
+- easy: add check to malloc() when running event-based
- Reported-by: Patricia Muscalu
+ ... to allow torture tests then too.
-- [Svyatoslav Mishyn brought this change]
+- memdebug: skip logging the limit countdown, fflush when reached
- CURLOPT_TLSAUTH_TYPE.3: update description
+- CODE_STYLE: Space around operators
- Closes #414
- Closes #413
-
-- [Svyatoslav Mishyn brought this change]
+ As just discussed on the mailing list, also document how we prefer
+ spacing in expressions.
- CURLOPT_PATH_AS_IS.3: fix typo
+- curl: glob_range: no need to check unsigned variable for negative
- leavit => leaveit
+ cppcheck warned:
- closes #412
-
-- [Svyatoslav Mishyn brought this change]
-
- CURLINFO_SSL_VERIFYRESULT.3: add short description
+ [src/tool_urlglob.c:283]: (style) Checking if unsigned variable 'step_n'
+ is less than zero.
-- [Svyatoslav Mishyn brought this change]
+- CODE_STYLE: add example for indent style as well
- CURLINFO_SSL_ENGINES.3: add short description
+- CODE_STYLE: mention braces for functions too
-- [Svyatoslav Mishyn brought this change]
+- docs/Makefile.am: include CODE_STYLE in tarball too
- CURLINFO_CONTENT_LENGTH_UPLOAD.3: replace "receive" with "get" for consistency
+- CONTRIBUTE: moved out code style to a separate document
-- [Svyatoslav Mishyn brought this change]
+- CODE_STYLE: initial version
+
+ Ripped out from CONTRIBUTE into its own document, but also extended from
+ there.
- CURLINFO_REDIRECT_TIME.3: remove redundant '!'
+- curl_sasl.c: minor code indent fixes
-Kamil Dudka (4 Sep 2015)
-- Revert "has: generate the curl/has.h header"
+- multi: simplified singlesocket
- This reverts commit a60bde79f9adeb135d5c642a07f0d783fbfbbc25 I have
- pushed by mistake. Apologies for my incompetent use of the git repo!
+ Since sh_getentry() now checks for invalid sockets itself and by
+ narrowing the scope of the remove_sock_from_hash variable.
-- nss: do not directly access SSL_ImplementedCiphers[]
-
- It causes dynamic linking issues at run-time after an update of NSS.
+- multi: introduce sh_getentry() for looking up sockets in the sockhash
- Bug: https://lists.fedoraproject.org/pipermail/devel/2015-September/214117.html
+ Simplify the code by using a single entry that looks for a socket in the
+ socket hash. As indicated in #712, the code looked for CURL_SOCKET_BAD
+ at some point and that is ineffective/wrong and this makes it easier to
+ avoid that.
-- [Daniel Stenberg brought this change]
+- [Jaime Fullaondo brought this change]
- has: generate the curl/has.h header
+ multi hash: ensure modulo performed on curl_socket_t
- changed macro name, moved and renamed script to become docs/libcurl/has.pl,
- generate code that is checksrc compliant
-
-Daniel Stenberg (3 Sep 2015)
-- gitignore: ignore more generated VC Makefiles
+ Closes #712
-- projects/Windows/.gitignore: ignore generated files for release
+Steve Holme (13 Mar 2016)
+- base64: Minor coding standard and style updates
-- http2: don't pass on Connection: headers
-
- RFC 7540 section 8.1.2.2 states: "An endpoint MUST NOT generate an
- HTTP/2 message containing connection-specific header fields; any message
- containing connection-specific header fields MUST be treated as
- malformed"
-
- Closes #401
+- base64: Use 'CURLcode result' for curl result codes
-- curl.1: update RFC references
+- negotiate: Use 'CURLcode result' for curl result codes
-- CURLOPT_POSTREDIR.3: update RFC number and section
+Daniel Stenberg (13 Mar 2016)
+- [Maksim Kuzevanov brought this change]
-- CURLOPT_FOLLOWLOCATION.3: mention methods for redirects
+ multi_runsingle: avoid loop in CURLM_STATE_WAITPROXYCONNECT
- and some general cleaning up
-
-- [Marcel Raad brought this change]
+ Closes #703
- inet_pton.c: Fix MSVC run-time check failure (2)
-
- This fixes another run-time check failure because of a narrowing cast on
- Visual C++.
-
- Closes #408
+- TODO: Use the RFC6265 test suite
-Jay Satiro (3 Sep 2015)
-- docs: Warn about any-domain cookies and multiple transfers
-
- - Warn that cookies without a domain are sent to any domain:
- CURLOPT_COOKIELIST, CURLOPT_COOKIEFILE, --cookie
-
- - Note that imported Set-Cookie cookies without a domain are no longer
- exported:
- CURLINFO_COOKIELIST, CURLOPT_COOKIEJAR, --cookie-jar
+Steve Holme (13 Mar 2016)
+- checksrc.bat: Added the ability to scan src and lib source independently
-Steve Holme (2 Sep 2015)
-- tool_sdecls.h: Fixed compilation warning from commit 4a889441d3
+- digest: Use boolean based success code for Curl_sasl_digest_get_pair()
- tool_sdecls.h:139 warning: comma at end of enumerator list
-
-Daniel Stenberg (2 Sep 2015)
-- opts: 8 more CURLINFO* options as stand-alone man pages
+ Rather than use a 0 and 1 integer base result code use a TRUE / FALSE
+ based success code.
-- RELEASE-NOTES: synced with c764cb4add1a8
+- digest: Corrected some typos in comments
-- man-pages: more SEE ALSO links
+- krb5: Corrected some typos in function descriptions
-- opts: more CURLINFO_* options as stand-alone man pages
+- ntlm: Corrected some typos in function descriptions
-Steve Holme (31 Aug 2015)
-- sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled
-
- Introduced in commit 59f3f92ba6 this function is only implemented when
- CURL_DISABLE_CRYPTO_AUTH is not defined. As such we shouldn't define
- the function in the header file either.
+- url: Corrected indentation when calling idna_to_ascii_lz()
-- sasl: Updated SPN variables and comments for consistency
+- idn_win32: Use boolean based success codes
- In places the "host name" and "realm" variable was referred to as
- "instance" whilst in others it was referred to as "host".
+ Rather than use 0 and 1 integer base result codes use a FALSE / TRUE
+ based success code.
-Daniel Stenberg (30 Aug 2015)
-- configure: check for HMAC_Update in openssl
-
- Turns out HMAC_Init is now deprecated in openssl master (and I spelled
- HMAC_Init_ex wrong in previous commit)
+Daniel Stenberg (10 Mar 2016)
+- idn_win32.c: warning: Trailing whitespace
-Steve Holme (30 Aug 2015)
-- win32: Use DES_set_odd_parity() from OpenSSL/BoringSSL by default
+Steve Holme (10 Mar 2016)
+- idn_win32.c: Fixed compilation warning from commit 9e7fcd4291
- Set HAVE_DES_SET_ODD_PARITY when using OpenSSL/BoringSSL as native
- Windows builds don't use the autoconf tools.
+ warning C4267: 'function': conversion from 'size_t' to 'int',
+ possible loss of data
-- des: Fixed compilation warning from commit 613e5022fe
-
- curl_ntlm_core.c:150: warning 'Curl_des_set_odd_parity' undefined;
- assuming extern returning int
+Daniel Stenberg (10 Mar 2016)
+- THANKS-filter: unify Michael König
-- buildconf.bat: Fixed double blank line in 'curl manual' warning output
+- RELEASE-NOTES: synced with 863c5766dd
-- makefiles: Added our standard copyright header
+- ftp: remove a check for NULL(!)
- But kept the original author, when they were specified in a comment, as
- the initial copyright holder.
-
-Jay Satiro (29 Aug 2015)
-- CURLOPT_FILETIME.3: CURLINFO_FILETIME has its own manpage now
-
-Daniel Stenberg (29 Aug 2015)
-- CURLINFO_RESPONSE_CODE.3: added short description
-
-- opts: 7 initial CURLINFO_* options as stand-alone man pages
-
-- [Nikolai Kondrashov brought this change]
+ ... as it implies we need to check for that on all the other variable
+ references as well (as Coverity otherwise warns us for missing NULL
+ checks), and we're alredy making sure that the pointer is never NULL.
- libcurl.m4: Put braces around empty if body
+- cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
- Put braces around empty "if" body in libcurl.m4 check to avoid warning:
+ RFC 6265 section 4.1.1 spells out that the first name/value pair in the
+ header is the actual cookie name and content, while the following are
+ the parameters.
- suggest braces around empty body in an 'if' statement
+ libcurl previously had a more liberal approach which causes significant
+ problems when introducing new cookie parameters, like the suggested new
+ cookie priority draft.
- and make it work with -Werror builds.
+ The previous logic read all n/v pairs from left-to-right and the first
+ name used that wassn't a known parameter name would be used as the
+ cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
+ a cookie named 'person' while an RFC 6265 compliant parser should
+ consider that to be a cookie named 'Max-Age' with an (unknown) parameter
+ 'person'.
- Closes #402
-
-- [Svyatoslav Mishyn brought this change]
+ Fixes #709
- curl_easy_escape.3: escape '\n'
-
- Closes #398
+- krb5: improved type handling to avoid clang compiler warnings
-- [Svyatoslav Mishyn brought this change]
+- url.c: fix clang warning: no newline at end of file
- curl_easy_{escape,setopt}.3: fix example
+- curl_multi_wait: never return -1 in 'numfds'
- remove redundant '}'
-
-- [Sergei Nikulov brought this change]
-
- cmake: added Windows SSL support
+ Such a return value isn't documented but could still happen, and the
+ curl tool code checks for it. It would happen when the underlying
+ Curl_poll() function returns an error. Starting now we mask that error
+ as a user of curl_multi_wait() would have no way to handle it anyway.
- Closes #399
+ Reported-by: Jay Satiro
+ Closes #707
-- curl: point out the conflicting HTTP methods if used
-
- It isn't always clear to the user which options that cause the HTTP
- methods to conflict so by spelling them out it should hopefully be
- easier to understand why curl complains.
+- HTTP2.md: add CURL_HTTP_VERSION_2TLS and updated alt-svc link
-- curl: clarify that users can only specify one _METHOD_
+- curl_multi_wait.3: add example
-- [Svyatoslav Mishyn brought this change]
-
- curl_easy_{escape,unescape}.3: "char *" vs. "const char *"
+Steve Holme (8 Mar 2016)
+- imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
- Closes #395
-
-Patrick Monnerat (24 Aug 2015)
-- os400: include new options in wrappers and update ILE/RPG binding.
-
-Daniel Stenberg (24 Aug 2015)
-- KNOWN_BUGS: #2, not reading a HEAD response-body is not a bug
+ Regression since commit 710f14edba.
- ... since HTTP is forbidden to return any such.
-
-- KNOWN_BUGS: #78 zero-length files is already fixed!
-
-- [Razvan Cojocaru brought this change]
+ Bug: https://github.com/curl/curl/issues/422
+ Reported-by: Justin Ehlert
- getinfo: added CURLINFO_ACTIVESOCKET
+Jay Satiro (8 Mar 2016)
+- opt-docs: fix heading macros
- This patch addresses known bug #76, where on 64-bit Windows SOCKET is 64
- bits wide, but long is only 32, making CURLINFO_LASTSOCKET unreliable.
+ ..SH should be .SH
- Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
+ Bug: https://github.com/curl/curl/issues/705
+ Reported-by: Eric S. Raymond
-- http2: remove dead code
-
- Leftovers from when we removed the private socket hash.
-
- Coverity CID 1317365, "Logically dead code"
+Kamil Dudka (8 Mar 2016)
+- [Tim Rühsen brought this change]
-- ntlm: mark deliberate switch case fall-through
+ cookie: do not refuse cookies for localhost
- Coverity CID 1317367, "Missing break in switch"
+ Closes #658
-- http2: on_frame_recv: get a proper 'conn' for the debug logging
+Daniel Stenberg (8 Mar 2016)
+- ftp_done: clear tunnel_state when secondary socket closes
- "Explicit null dereferenced (FORWARD_NULL)"
+ Introducing a function for closing the secondary connection to make this
+ bug less likely to happen again.
- Coverity CID 1317366
-
-- RELEASE-NOTES: synced with 2acaf3c804
-
-Dan Fandrich (23 Aug 2015)
-- tool: fix memory leak with --proto-default option
+ Reported-by: daboul
+ Closes #701
-Jay Satiro (22 Aug 2015)
-- [Nathaniel Waisbrot brought this change]
+- [Gisle Vanem brought this change]
- CURLOPT_DEFAULT_PROTOCOL: added
-
- - Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default
- protocol for schemeless URLs.
-
- - Add new tool option --proto-default to expose
- CURLOPT_DEFAULT_PROTOCOL.
-
- In the case of schemeless URLs libcurl will behave in this way:
-
- When the option is used libcurl will use the supplied default.
-
- When the option is not used, libcurl will follow its usual plan of
- guessing from the hostname and falling back to 'http'.
+ openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
-- runtests: Allow for spaces in server-verify curl custom path
+- HTTP2.md: HTTP/2 by default for curl's HTTPS connections
-Daniel Stenberg (22 Aug 2015)
-- NTLM: recent boringssl brought DES_set_odd_parity back
-
- ... so improve the #ifdefs for using our local implementation.
+- [Anders Bakken brought this change]
-- configure: detect latest boringssl
-
- Since boringssl brought back DES_set_odd_parity again, it cannot be used
- to differentiate from boringssl. Using the OPENSSL_IS_BORINGSSL define
- seems better anyway.
-
- URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/
- Original-patch-by: Bertrand Simonnet
+ pipeline: Sanity check pipeline pointer before accessing it.
- Closes #393
-
-- configure: change functions to detect openssl (clones)
+ I got a crash with this stack:
- ... since boringssl moved the former ones and the check started to fail.
+ curl/lib/url.c:2873 (Curl_removeHandleFromPipeline)
+ curl/lib/url.c:2919 (Curl_getoff_all_pipelines)
+ curl/lib/multi.c:561 (curl_multi_remove_handle)
+ curl/lib/url.c:415 (Curl_close)
+ curl/lib/easy.c:859 (curl_easy_cleanup)
- URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/
- Original-patch-by: Bertrand Simonnet
+ Closes #704
-- [Alessandro Ghedini brought this change]
+- HTTP2.md: mention the disable ALPN and NPN options
- openssl: handle lack of server cert when strict checking disabled
+- TODO: 17.12 keep running, read instructions from pipe/socket
- If strict certificate checking is disabled (CURLOPT_SSL_VERIFYPEER
- and CURLOPT_SSL_VERIFYHOST are disabled) do not fail if the server
- doesn't present a certificate at all.
+ And delete trailing whitespace
+ And rename section 17 to "command line tool" from "client"
- Closes #392
+ Closes #702
-- ftp: clear the do_more bit when the server has connected
+- README.md: linkified
- The multi state machine would otherwise go into the DO_MORE state after
- DO, even for the case when the FTP state machine had already performed
- those duties, which caused libcurl to get stuck in that state and fail
- miserably. This occured for for active ftp uploads.
+ It also makes it less readable as plain text, so let's keep this
+ primarily for github use.
- Reported-by: Patricia Muscalu
-
-- [Jactry Zeng brought this change]
-
- travis.yml: Add OS X testbot.
-
-- [Rémy Léone brought this change]
+ Removed the top ascii art logo, as it looks weird when markdownified.
- travis: Upgrading to container based build
-
- http://docs.travis-ci.com/user/migrating-from-legacy
+- README.md: markdown version of README
- Closes #388
-
-- RELEASE-NOTES: synced with 14ff86256b13e
+ Attempt to make it look more appealing on github
-- [Erik Janssen brought this change]
+Jay Satiro (6 Mar 2016)
+- mprintf: update trio project link
- rtsp: stop reading empty DESCRIBE responses
-
- Based-on-patch-by: Jim Hollinger
+Daniel Stenberg (6 Mar 2016)
+- CURLOPT_ACCEPTTIMEOUT_MS.3: added example
-- [Erik Janssen brought this change]
+- CURLOPT_ACCEPT_ENCODING.3: added example
- rtsp: support basic/digest authentication
+- CURLOPT_APPEND.3: added example
-- [Sam Roth brought this change]
+- CURLOPT_NOPROGRESS.3: added example, conform to stardard style
- CURLMOPT_PUSHFUNCTION.3: fix argument types
+Steve Holme (6 Mar 2016)
+- build-openssl/checksrc.bat: Fixed prepend vs append of Perl path
- Closes #389
- Closes #386
+ Fixed inconsistency from commit 1eae114065 and 0ad6c72227 of the order
+ in which Perl was added to the PATH.
-- [Marcel Raad brought this change]
+Daniel Stenberg (6 Mar 2016)
+- opts: added two examples
- inet_pton.c: Fix MSVC run-time check failure
-
- Visual Studio complains with a message box:
-
- "Run-Time Check Failure #1 - A cast to a smaller data type has caused a
- loss of data. If this was intentional, you should mask the source of
- the cast with the appropriate bitmask.
-
- For example:
- char c = (i & 0xFF);
-
- Changing the code in this way will not affect the quality of the
- resulting optimized code."
-
- This is because only 'val' is cast to unsigned char, so the "& 0xff" has
- no effect.
-
- Closes #387
+- CURLOPT_SSL_CTX_FUNCTION.3: use .NF for example
-Jay Satiro (18 Aug 2015)
-- docs: Update the redirect protocols disabled by default
+- CURLOPT_SSL_CTX_FUNCTION.3: added example
- - Clarify that FILE and SCP are disabled by default since 7.19.4
- - Add that SMB and SMBS are disabled by default since 7.40.0
- - Add CURLPROTO_SMBS to the list of protocols
+ and removed erroneous reference to test case lib509
-- gitignore: Sort for readability
-
- find . -name .gitignore -print0 | xargs -i -0 sort -o '{}' '{}'
+- curlx.c: use more curl style code
-Daniel Stenberg (15 Aug 2015)
-- curl_easy_getinfo.3: fix superfluous space
+- test46: change cookie expiry date
- ... and changed "oriented" to "related"
+ Since two of the cookies would now otherwise expire and cause the test
+ to fail after commit 20de9b4f09
- Closes #378
-
-- CURLOPT_HTTP_VERSION.3: connection re-use goes before version
+ Discussed in #697
-- [Daniel Kahn Gillmor brought this change]
+Jay Satiro (5 Mar 2016)
+- [Viktor Szakats brought this change]
- curl.1: Document weaknesses in SSLv2 and SSLv3
-
- Acknowledge that SSLv3 is also widely considered to be insecure.
+ makefile.m32: add missing libs for static -winssl-ssh2 builds
- Also, provide references for people who want to know more about why it's
- insecure.
-
-Steve Holme (14 Aug 2015)
-- generate.bat: Added support for generating only the prerequisite files
+ Bug: https://github.com/curl/curl/pull/693
-- generate.bat: Only call buildconf.bat if it exists
+- mbedtls: fix user-specified SSL protocol version
+
+ Prior to this change when a single protocol CURL_SSLVERSION_ was
+ specified by the user that version was set only as the minimum version
+ but not as the maximum version as well.
-- generate.bat: Fixed issues when ran in directories with special chars
+Steve Holme (5 Mar 2016)
+- .gitignore: Added *.VC.opendb and *.vcxproj.user files for VC14
-Daniel Stenberg (14 Aug 2015)
-- [Brad King brought this change]
+- build-openssl.bat: Fixed cannot find perl if installed but not in path
- cmake: Fix CurlTests check for gethostbyname_r with 5 arguments
-
- Fix the check code to pass 5 arguments instead of 6. This typo was
- introduced by commit aebfd4cfbf (cmake: fix gethostby{addr,name}_r in
- CurlTests, 2014-10-31).
+- checksrc.bat: Fixed cannot find perl if installed but not in path
-Steve Holme (14 Aug 2015)
-- * buildconf.bat: Fixed issues when ran in directories with special chars
-
- Bug: https://github.com/bagder/curl/pull/379
- Reported-by: Daniel Seither
+Jay Satiro (5 Mar 2016)
+- [Viktor Szakats brought this change]
-Jay Satiro (13 Aug 2015)
-- curl_global_init_mem.3: Stronger thread safety warning
+ makefile.m32: fix to allow -ssh2-winssl combination
- Bug: http://curl.haxx.se/mail/lib-2015-08/0016.html
- Reported-by: Eric Ridge
-
-Daniel Stenberg (12 Aug 2015)
-- [Svyatoslav Mishyn brought this change]
+ In makefile.m32, option -ssh2 (libssh2) automatically implied -ssl
+ (OpenSSL) option, with no way to override it with -winssl. Since both
+ libssh2 and curl support using Windows's built-in SSL backend, modify
+ the logic to allow that combination.
- curl_multi_add_handle.3: fix a typo
-
- "can not" => "cannot"
+- cookie: Don't expire session cookies in remove_expired
- closes #377
-
-- [Alessandro Ghedini brought this change]
-
- docs: fix typos
+ Prior to this change cookies with an expiry date that failed parsing
+ and were converted to session cookies could be purged in remove_expired.
- closes #376
-
-- bump: start working toward 7.45.0
-
-- THANKS: remove duplicate name
-
-- THANKS-filter: merge Todd's names
-
-- THANKS: 13 new contributors from the 7.44.0 RELEASE-NOTES
-
-Version 7.44.0 (11 Aug 2015)
-
-Daniel Stenberg (11 Aug 2015)
-- RELEASE-NOTES: synced with c75a1e775061
-
-- [Svyatoslav Mishyn brought this change]
+ Bug: https://github.com/curl/curl/issues/697
+ Reported-by: Seth Mos
- curl_formget.3: correct return code
+Daniel Stenberg (3 Mar 2016)
+- cookie: remove redundant check
- Closes #375
-
-- [Svyatoslav Mishyn brought this change]
-
- libcurl-tutorial.3: fix formatting
+ ... as it was already checked previously within the function.
- Closes #374
-
-- [Svyatoslav Mishyn brought this change]
-
- curl_easy_recv.3: fix formatting
+ Reported-by: Dmitry-Me
+ Closes #695
+Jay Satiro (1 Mar 2016)
- [Anders Bakken brought this change]
- http2: discard frames with no SessionHandle
-
- Return 0 instead of NGHTTP2_ERR_CALLBACK_FAILURE if we can't locate the
- SessionHandle. Apparently mod_h2 will sometimes send a frame for a
- stream_id we're finished with.
+ url: if Curl_done is premature then pipeline not in use
- Use nghttp2_session_get_stream_user_data and
- nghttp2_session_set_stream_user_data to identify SessionHandles instead
- of a hash.
+ Prevent a crash if 2 (or more) requests are made to the same host and
+ pipelining is enabled and the connection does not complete.
- Closes #372
-
-- RELEASE-NOTES: synced with 9ee40ce2aba
+ Bug: https://github.com/curl/curl/pull/690
- [Viktor Szakats brought this change]
- build: refer to fixed libidn versions
+ makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
- closes #371
-
-- Revert "configure: disable libidn by default"
+ using envvars `CURL_LDFLAG_EXTRAS_DLL` and
+ `CURL_LDFLAG_EXTRAS_EXE` respectively. This
+ is useful f.e. to pass ASLR-related extra
+ options, that are required to make this
+ feature work when using the mingw toolchain.
- This reverts commit e6749055d65398315fd77f5b5b8234c5552ac2d3.
+ Ref: https://github.com/curl/curl/pull/670#issuecomment-190863985
- ... since libidn has since been fixed.
-
-- [Jakub Zakrzewski brought this change]
+ Closes https://github.com/curl/curl/pull/689
- CMake: s/HAVE_GSS_API/HAVE_GSSAPI/ to match header define
-
- Otherwise the build only pretended to use GSS-API
+Daniel Stenberg (29 Feb 2016)
+- formpost: fix memory leaks in AddFormData error branches
- Closes #370
+ Reported-by: Dmitry-Me
+ Fixes #688
-- SFTP: fix range request off-by-one in size check
-
- Reported-by: Tim Stack
+Jay Satiro (28 Feb 2016)
+- getinfo: Fix syntax error when mbedTLS
- Closes #359
+ The assignment of the mbedTLS TLS session info in the parent commit was
+ incorrect. Change the assignment to a pointer to the session structure.
-- test46: update cookie expire time
+- getinfo: Add support for mbedTLS TLS session info
- ... since it went old and thus was expired and caused the test to fail!
-
-Steve Holme (9 Aug 2015)
-- generate.bat: Use buildconf.bat for prerequisite file generation
-
-- buildconf.bat: Tidy up of comments after recent commits
+ .. and preprocessor check TLS session info is defined for all backends.
-- buildconf.bat: Added full generation of src\tool_hugehelp.c
-
- Added support for generating the full man page based on code from
- generate.bat.
+Daniel Stenberg (26 Feb 2016)
+- ROADMAP: clarify on the TLS proxy, mention HTTP cookies to work on
-- buildconf.bat: Added detection of groff, nroff, perl and gzip
+- file: try reading from files with no size
- To allow for the full generation of tool_hugehelp.c added detection of
- the required programs - based on code from generate.bat.
-
-- buildconf.bat: Move DOS variable clean-up code to separate function
+ Some systems have special files that report as 0 bytes big, but still
+ contain data that can be read (for example /proc/cpuinfo on
+ Linux). Starting now, a zero byte size is considered "unknown" size and
+ will be read as far as possible anyway.
- Rather than duplicate future variables, during clean-up of both success
- and error conditions, use a common function that can be called by both.
-
-- RELEASE-NOTES: Synced with 39dcf352d2
-
-- buildconf.bat: Added error messages on failure
-
-- buildconf.bat: Generate and clean files in the same order
-
-- buildconf.bat: Maintain compatibility with DOS based systems
+ Reported-by: Jesse Tan
- Commit f08e30d7bc broke compatibility with DOS and non Windows NT based
- versions of Windows due to the use of the setlocal command.
+ Closes #681
-Jay Satiro (9 Aug 2015)
-- CURLOPT_RESOLVE.3: Note removal support was added in 7.42
+Jay Satiro (25 Feb 2016)
+- configure: warn on invalid ca bundle or path
- Bug: http://curl.haxx.se/mail/lib-2015-08/0019.html
- Reported-by: Inca R
-
-Steve Holme (8 Aug 2015)
-- checksrc.bat: Fixed error when missing *.c and *.h files
+ - Warn if --with-ca-bundle file does not exist.
- File Not Found
-
-- checksrc.bat: Fixed incorrect 'lib\vtls' path check in commit 333c36b276
-
-- checksrc.bat: Fixed error when [directory] isn't a curl source directory
+ - Warn if --with-ca-path directory does not contain certificates.
- The system cannot find the file specified.
-
-- checksrc.bat: Added check for unknown arguments
-
-- scripts: Added missing comments
-
-- scripts: Always perform setlocal and endlocal calls in pairs
+ - Improve help messages for both.
- Ensure that there isn't a mismatch between setlocal and endlocal calls,
- which could have happened due to setlocal being called after certain
- error conditions were checked for.
-
-- scripts: Allow -help to be specified in any argument
+ Example configure output:
- Allow the -help command line argument to be specified in any argument
- and not just as the first.
-
-Daniel Stenberg (6 Aug 2015)
-- [juef brought this change]
-
- curl_multi_remove_handle.3: fix formatting
+ ca cert bundle: /some/file (warning: certs not found)
+ ca cert path: /some/dir (warning: certs not found)
- closes #366
+ Bug: https://github.com/curl/curl/issues/404
+ Reported-by: Jeffrey Walton
-Steve Holme (6 Aug 2015)
-- README: Added notes about 'Running DLL based configurations'
+Daniel Stenberg (24 Feb 2016)
+- Curl_read: check for activated HTTP/1 pipelining, not only requested
- ...as well as a TODO for a future enhancement to the project files.
+ ... as when pipelining is used, we read things into a unified buffer and
+ we don't do that with HTTP/2. This could then easily make programs that
+ set CURLMOPT_PIPELINING = CURLPIPE_HTTP1|CURLPIPE_MULTIPLEX to get data
+ intermixed or plain broken between HTTP/2 streams.
- Thanks-to: Jay Satiro
-
-- RELEASE-NOTES: Synced with cf8975387f
-
-- buildconf.bat: Synchronise no repository error with generate.bat
-
-- generate.bat: Added a check for the presence of a git repository
+ Reported-by: Anders Bakken
-- [Jay Satiro brought this change]
+Patrick Monnerat (24 Feb 2016)
+- os400: Fix ILE/RPG definition of CURLOPT_TFTP_NO_OPTIONS
- build: Added wolfSSL configurations to VC10+ project files
+Jay Satiro (23 Feb 2016)
+- getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
- URL: https://github.com/bagder/curl/pull/174
-
-- [Jay Satiro brought this change]
-
- build: Added wolfSSL build script for Visual Studio projects
+ The two options are almost the same, except in the case of OpenSSL:
- Added the wolfSSL build script, based on build-openssl.bat, as well as
- the property sheet and header file required for the upcoming additions
- to the Visual Studio project files.
-
-Daniel Stenberg (6 Aug 2015)
-- CHANGES: refer to the online changelog
+ CURLINFO_TLS_SESSION OpenSSL session internals is SSL_CTX *.
- Suggested-by: mc0e
-
-- [Isaac Boukris brought this change]
-
- NTLM: handle auth for only a single request
+ CURLINFO_TLS_SSL_PTR OpenSSL session internals is SSL *.
- Currently when the server responds with 401 on NTLM authenticated
- connection (re-used) we consider it to have failed. However this is
- legitimate and may happen when for example IIS is set configured to
- 'authPersistSingleRequest' or when the request goes thru a proxy (with
- 'via' header).
+ For backwards compatibility we couldn't modify CURLINFO_TLS_SESSION to
+ return an SSL pointer for OpenSSL.
- Implemented by imploying an additional state once a connection is
- re-used to indicate that if we receive 401 we need to restart
- authentication.
+ Also, add support for the 'internals' member to point to SSL object for
+ the other backends axTLS, PolarSSL, Secure Channel, Secure Transport and
+ wolfSSL.
- Closes #363
-
-Steve Holme (5 Aug 2015)
-- RELEASE-NOTES: Synced with 473807b95f
-
-- generate.bat: Use buildconf.bat for prerequisite file clean-up
-
-- buildconf.bat: Added support for file clean-up via -clean
-
-- buildconf.bat: Added progress output
-
-- buildconf.bat: Avoid using goto for file not in repository
+ Bug: https://github.com/curl/curl/issues/234
+ Reported-by: dkjjr89@users.noreply.github.com
+
+ Bug: https://curl.haxx.se/mail/lib-2015-09/0127.html
+ Reported-by: Michael König
-Daniel Stenberg (5 Aug 2015)
-- curl_slist_append.3: add error checking to the example
-
-Steve Holme (5 Aug 2015)
-- buildconf.bat: Added display of usage text with -help
-
-- buildconf.bat: Added exit codes for error handling
-
-- buildconf.bat: Added our standard copyright header
-
-- buildconf.bat: Use lower-case for commands and reserved keywords
-
-- generate.bat: Only clean prerequisite files when in ALL mode
-
-- generate.bat: Moved error messages out of sub-routines
-
-- generate.bat: More use of lower-case for commands and reserved keywords
-
-Daniel Stenberg (3 Aug 2015)
-- libcurl.3: fix a single typo
+Daniel Stenberg (23 Feb 2016)
+- multi_remove_handle: keep the timeout list until after disconnect
- Closes #361
-
-- RELEASE-NOTES: synced with c4eb10e2f06f
-
-- SSH: three state machine fixups
+ The internal Curl_done() function uses Curl_expire() at times and that
+ uses the timeout list. Better clean up the list once we're done using
+ it. This caused a segfault.
- The SSH state machine didn't clear the 'rc' variable appropriately in a
- two places which prevented it from looping the way it should. And it
- lacked an 'else' statement that made it possible to erroneously get
- stuck in the SSH_AUTH_AGENT state.
+ Reported-by: 蔡文凱
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0097.html
+
+Kamil Dudka (23 Feb 2016)
+- tests/sshserver.pl: use RSA instead of DSA for host auth
- Reported-by: Tim Stack
+ DSA is no longer supported by OpenSSH 7.0, which causes all SCP/SFTP
+ test cases to be skipped. Using RSA for host authentication works with
+ both old and new versions of OpenSSH.
- Closes #357
-
-- curl_gssapi: remove 'const' to fix compiler warnings
+ Reported-by: Karlson2k
- initialization discards 'const' qualifier from pointer target type
+ Closes #676
-- docs: formpost needs the full size at start of upload
+Jay Satiro (23 Feb 2016)
+- TFTP: add option to suppress TFTP option requests (Part 2)
- Closes #360
-
-Steve Holme (1 Aug 2015)
-- sspi: Fix typo from left over from old code which referenced NTLM
+ - Add tests.
- References to NTLM in the identity generation should have been removed
- in commit c469941293 but not all were.
-
-- win32: Fix compilation warnings from commit 40c921f8b8
+ - Add an example to CURLOPT_TFTP_NO_OPTIONS.3.
- connect.c:953:5: warning: initializer element is not computable at load
- time
- connect.c:953:5: warning: missing initializer for field 'dwMinorVersion'
- of 'OSVERSIONINFOEX'
- curl_sspi.c:97:5: warning: initializer element is not computable at load
- time
- curl_sspi.c:97:5: warning: missing initializer for field 'szCSDVersion'
- of 'OSVERSIONINFOEX'
-
-- schannel: Fix compilation warning from commit 7a8e861a56
+ - Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS.
- schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion'
- of 'OSVERSIONINFOEX' [-Wmissing-field-initializers
+ Bug: https://github.com/curl/curl/issues/481
-Daniel Stenberg (31 Jul 2015)
-- libcurl-thread.3: minor reformatting
+- [Michael Koenig brought this change]
-Jay Satiro (31 Jul 2015)
-- curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs
+ TFTP: add option to suppress TFTP option requests (Part 1)
- Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
- Reported-by: Eric Ridge
-
-- libcurl-thread.3: Warn memory functions must be thread safe
+ Some TFTP server implementations ignore the "TFTP Option extension"
+ (RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
+ problems with libcurl. Another switch for curl_easy_setopt
+ "CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
+ sending TFTP option requests to a server, avoiding many problems caused
+ by faulty implementations.
- Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
- Reported-by: Eric Ridge
+ Bug: https://github.com/curl/curl/issues/481
-Steve Holme (31 Jul 2015)
-- RELEASE-NOTES: Synced with 8b1d00ac1a
+Daniel Stenberg (22 Feb 2016)
+- [Karlson2k brought this change]
-- INSTALL: Minor formatting correction in 'Legacy Windows and SSL' section
+ runtests: Fixed usage of %PWD on MinGW64
- ...as well as some rewording.
+ Closes #672
-Kamil Dudka (30 Jul 2015)
-- http: move HTTP/2 cleanup code off http_disconnect()
-
- Otherwise it would never be called for an HTTP/2 connection, which has
- its own disconnect handler.
-
- I spotted this while debugging <https://bugzilla.redhat.com/1248389>
- where the http_disconnect() handler was called on an FTP session handle
- causing 'dnf' to crash. conn->data->req.protop of type (struct FTP *)
- was reinterpreted as type (struct HTTP *) which resulted in SIGSEGV in
- Curl_add_buffer_free() after printing the "Connection cache is full,
- closing the oldest one." message.
-
- A previously working version of libcurl started to crash after it was
- recompiled with the HTTP/2 support despite the HTTP/2 protocol was not
- actually used. This commit makes it work again although I suspect the
- root cause (reinterpreting session handle data of incompatible protocol)
- still has to be fixed. Otherwise the same will happen when mixing FTP
- and HTTP/2 connections and exceeding the connection cache limit.
-
- Reported-by: Tomas Tomecek
- Bug: https://bugzilla.redhat.com/1248389
+Jay Satiro (20 Feb 2016)
+- CURLOPT_DEBUGFUNCTION.3: Fix example
-Daniel Stenberg (30 Jul 2015)
- [Viktor Szakats brought this change]
- ABI doc: use secure URL
-
-- ABI: remove the ascii logo
-
- and made the indent level to 1
-
-- libcurl-multi.3: mention curl_multi_wait
-
- ... and some general rewordings to improve this docs.
-
- Reported-by: Tim Stack
+ src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
- Closes #356
-
-Steve Holme (30 Jul 2015)
-- maketgz: Fixed some VC makefiles missing from the release tarball
+ Sync with lib/Makefile.m32 which already uses those variables.
- VC7, VC11, VC12 and VC14 makefiles were missing from the release
- tarball.
+ Bug: https://github.com/curl/curl/pull/670
-- RELEASE-NOTES: Synced with 2d7e165761
+Dan Fandrich (20 Feb 2016)
+- Enabled test 1437 after the bug fix in commit 3fa220a6
-- build: Added VC14 project files to Makefile.am
+Jay Satiro (19 Feb 2016)
+- [Emil Lerner brought this change]
-- build: Added VC14 project files
+ curl_sasl: Fix memory leak in digest parser
- Updates to Makefile.am for the generation of the project files in
- the tarball to follow.
-
-Jay Satiro (29 Jul 2015)
-- libcurl-thread.3: Clarify CURLOPT_NOSIGNAL takes long value 1L
-
-Steve Holme (28 Jul 2015)
-- generate.bat: Use lower-case for commands and reserved keywords
+ If any parameter in a HTTP DIGEST challenge message is present multiple
+ times, memory allocated for all but the last entry should be freed.
- Whilst there are no coding standards for the batch files used in curl,
- most tend to use lower-case for keywords and upper-case for variables.
+ Bug: https://github.com/curl/curl/pull/667
-- build: Added initial VC14 support to generate.bat
+Dan Fandrich (19 Feb 2016)
+- Added test 1437 to verify a memory leak
- Visual Studio project files and updates to makefile.am to follow.
-
-- build: Fixed missing .opensdf files from VC10+ .gitignore files
+ Reported-by: neex@users.noreply.github.com
-- build: Use $(ProjectName) macro for curl.exe and curld.exe filenames
+Jay Satiro (18 Feb 2016)
+- CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
- This wasn't possible with the old curlsrc project filenames, but like
- commit 2a615a2b64 and 11397eb6dd for libcurl use the built in Visual
- Studio macros for the output filenames.
+ Bug: https://github.com/curl/curl/issues/666
+ Reported-by: baumanj@users.noreply.github.com
-- build: Renamed curl src Visual Studio project files
+- curl.1: HTTP headers for --cookie must be Set-Cookie style
- Following commit 957fcd9049 and in preparation for adding the VC14
- project files renamed the curl source project files.
-
-Daniel Stenberg (28 Jul 2015)
-- [Jay Satiro brought this change]
+ Bug: https://github.com/curl/curl/issues/666
+ Reported-by: baumanj@users.noreply.github.com
- libcurl-thread.3: Revert to stricter handle wording
-
- .. also update formatting and add WinSSL and wolfSSL to the SSL/TLS
- handlers list.
+Daniel Stenberg (18 Feb 2016)
+- curl.1: add a missing dash
-- [Jay Satiro brought this change]
+- CONTRIBUTING.md: fix links
- libcurl-thread.3: Consolidate thread safety info
+- ISSUE_TEMPLATE: github issue template
- This is a new document to consolidate our thread safety information from
- several documents (curl-www:features, libcurl.3, libcurl-tutorial.3).
- Each document's section on multi-threading will now point to this one.
+ First version, try this out!
-Steve Holme (27 Jul 2015)
-- README: Corrected formatting for 'Legacy Windows and SSL' section
+- CONTRIBUTING.md: move into .github
- ...as well as some wording.
+ To hide github specific files somewhat from the rest.
-- build-openssl.bat: Added support for VC14
+- opts: add references
-Daniel Stenberg (26 Jul 2015)
-- RELEASE-NOTES: synced with 0f645adc95390e8
+- examples/make: add 'checksrc' target
-- test1902: attempt to make the test more reliable
-
- Closes #355
+- 10-at-a-time: typecast the argument passed to sleep()
-- comment: fix comment about adding new option support
+- externalsocket.c: fix compiler warning for fwrite return type
-Jay Satiro (25 Jul 2015)
-- build-openssl.bat: Show syntax if required args are missing
+- anyauthput.c: fix compiler warnings
-Daniel Stenberg (26 Jul 2015)
-- TODO: improve how curl works in a windows console window
-
- Closes #322 for now
+- simplessl.c: warning: while with space
-- 1.11 minimize dependencies with dynamicly loaded modules
+- curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
- Closes #349 for now
+ Reported-By: Gisle Vanem
-Jay Satiro (25 Jul 2015)
-- tool_operate: Fix CURLOPT_SSL_OPTIONS for builds without HTTPS
+- http2: don't decompress gzip decoding automatically
- - Set CURLOPT_SSL_OPTIONS only if the tool enabled an SSL option.
+ At one point during the development of HTTP/2, the commit 133cdd29ea0
+ introduced automatic decompression of Content-Encoding as that was what
+ the spec said then. Now however, HTTP/2 should work the same way as
+ HTTP/1 in this regard.
- Broken by me several days ago in 172b2be.
- https://github.com/bagder/curl/commit/172b2be#diff-70b44ee478e58d4e1ddcf9c9a73d257b
+ Reported-by: Kazuho Oku
- Bug: http://curl.haxx.se/mail/lib-2015-07/0119.html
- Reported-by: Dan Fandrich
+ Closes #661
+
+Jay Satiro (16 Feb 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-Daniel Stenberg (25 Jul 2015)
-- configure: check if OpenSSL linking wants -ldl
+ http: Don't break the header into chunks if HTTP/2
- To make it easier to link with static versions of OpenSSL, the configure
- script now checks if -ldl is needed for linking.
+ nghttp2 callback deals with TLS layer and therefore the header does not
+ need to be broken into chunks.
- Help-by: TJ Saunders
+ Bug: https://github.com/curl/curl/issues/659
+ Reported-by: Kazuho Oku
-- [Michael Kaufmann brought this change]
+Daniel Stenberg (16 Feb 2016)
+- [Viktor Szakats brought this change]
- HTTP: ignore "Content-Encoding: compress"
-
- Currently, libcurl rejects responses with "Content-Encoding: compress"
- when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should
- treat the Content-Encoding "compress" the same as other
- Content-Encodings that it does not support, e.g. "bzip2". That means
- just ignoring it.
+ openssl: use macro to guard the opaque EVP_PKEY branch
-- [Marcel Raad brought this change]
+- [Viktor Szakats brought this change]
- openssl: work around MSVC warning
+ openssl: avoid direct PKEY access with OpenSSL 1.1.0
- MSVC 12 complains:
+ by using API instead of accessing an internal structure.
+ This is required starting OpenSSL 1.1.0-pre3.
- lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local
- variable 'verstr' used It's a false positive, but as it's normally not,
- I have enabled warning-as-error for that warning.
-
-- [Michał Fita brought this change]
+ Closes #650
- configure: add --disable-rt option
-
- This option disables any attempts in configure to create dependency on
- stuff requiring linking to librt.so and libpthread.so, in this case this
- means clock_gettime(CLOCK_MONOTONIC, &mt).
-
- We were in need to build curl which doesn't link libpthread.so to avoid
- the following bug:
- https://sourceware.org/bugzilla/show_bug.cgi?id=16628.
+- RELEASE-NOTES: synced with ede0bfc079da
-Kamil Dudka (23 Jul 2015)
-- http2: verify success of strchr() in http2_send()
-
- Detected by Coverity.
-
- Error: NULL_RETURNS:
- lib/http2.c:1301: returned_null: "strchr" returns null (checked 103 out of 109 times).
- lib/http2.c:1301: var_assigned: Assigning: "hdbuf" = null return value from "strchr".
- lib/http2.c:1302: dereference: Incrementing a pointer which might be null: "hdbuf".
- 1300|
- 1301| hdbuf = strchr(hdbuf, 0x0a);
- 1302|-> ++hdbuf;
- 1303|
- 1304| authority_idx = 0;
+- [Clint Clayton brought this change]
-Jay Satiro (22 Jul 2015)
-- Windows: Fix VerifyVersionInfo calls
-
- - Fix the VerifyVersionInfo calls, which we use to test for the OS major
- version, to also test for the minor version as well as the service pack
- major and minor versions.
-
- MSDN: "If you are testing the major version, you must also test the
- minor version and the service pack major and minor versions."
+ CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
- https://msdn.microsoft.com/en-us/library/windows/desktop/ms725492.aspx
+ Change the example in the docs for CURLOPT_CONNECTTIMEOUT_MS to use
+ CURLOPT_CONNECTTIMEOUT_MS instead of CURLOPT_CONNECTTIMEOUT.
- Bug: https://github.com/bagder/curl/pull/353#issuecomment-123493098
- Reported-by: Marcel Raad <MarcelRaad@users.noreply.github.com>
-
-- [Marcel Raad brought this change]
-
- schannel: Replace deprecated GetVersion with VerifyVersionInfo
-
-Steve Holme (21 Jul 2015)
-- makefile: Added support for VC14
-
-Patrick Monnerat (21 Jul 2015)
-- os400: ebcdic wrappers for new functions. Upgrade ILE/RPG bindings.
-
-- libcurl: VERSIONINFO update
- Addition of new procedures curl_pushheader_bynum and curl_pushheader_byname
- requires VERSIONINFO updating.
-
-- http2: satisfy external references even if http2 is not compiled in.
+ Closes #653
-Daniel Stenberg (20 Jul 2015)
-- http2: add stream != NULL checks for reliability
-
- They should not trigger, but in case of internal problems we at least
- avoid crashes this way.
+- opt-docs: add more references
-Jay Satiro (18 Jul 2015)
-- symbols-in-versions: Add new CURLSSLOPT_NO_REVOKE symbol
+- [David Byron brought this change]
-- SSL: Add an option to disable certificate revocation checks
-
- New tool option --ssl-no-revoke.
- New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.
+ SCP: use libssh2_scp_recv2 to support > 2GB files on windows
- Currently this option applies only to WinSSL where we have automatic
- certificate revocation checking by default. According to the
- ssl-compared chart there are other backends that have automatic checking
- (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
- some later point.
+ libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any
+ day now.
- Bug: https://github.com/bagder/curl/issues/264
- Reported-by: zenden2k <zenden2k@gmail.com>
+ Closes #451
-- runtests: Allow for spaces in curl custom path
+Jay Satiro (13 Feb 2016)
+- [Shine Fan brought this change]
+
+ gtls: fix for builds lacking encrypted key file support
- .. also fix some typos in test's FILEFORMAT spec.
+ Bug: https://github.com/curl/curl/pull/651
-- [David Woodhouse brought this change]
+Dan Fandrich (13 Feb 2016)
+- test1604: Add to Makefile.inc so it gets run
- ntlm_wb: Fix theoretical memory leak
-
- Static analysis indicated that my commit 9008f3d564 ("ntlm_wb: Fix
- hard-coded limit on NTLM auth packet size") introduced a potential
- memory leak on an error path, because we forget to free the buffer
- before returning an error.
-
- Fix this.
+Jay Satiro (12 Feb 2016)
+- generate.bat: Fix comment bug by removing old comments
- Although actually, it never happens in practice because we never *get*
- here with state == NTLMSTATE_TYPE1. The state is always zero. That
- might want cleaning up in a separate patch.
+ Remove NOTES section, it's no longer needed since we aren't setting the
+ errorlevel and more importantly the recently updated URL in the comments
+ is causing some unusual behavior that breaks the script.
- Reported-by: Terri Oda
-
-- strerror: Add CRYPT_E_REVOKED to SSPI error strings
+ Closes https://github.com/curl/curl/issues/649
-Kamil Dudka (14 Jul 2015)
-- libtest: call PR_Cleanup() on exit if NSPR is used
+Kamil Dudka (12 Feb 2016)
+- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
- This prevents valgrind from reporting possibly lost memory that NSPR
- uses for file descriptor cache and other globally allocated internal
- data structures.
+ The behavior has been clarified in CURLOPT_FTP_USE_{EPRT,EPSV}.3 man
+ pages since curl-7_12_3~131. This patch makes it clear in the curl.1
+ man page, too.
- Reported-by: Štefan Kremeň
+ Bug: https://bugzilla.redhat.com/1305970
-Jay Satiro (14 Jul 2015)
-- [John Malmberg brought this change]
+Daniel Stenberg (12 Feb 2016)
+- dist: ship buildconf.bat too
+
+ As the winbuild/* stuff uses it!
- openssl: VMS support for SHA256
+- curlx_tvdiff: handle 32bit time_t overflows
- setup-vms.h: More symbols for SHA256, hacks for older VAX
+ On 32bit systems, make sure we don't overflow and return funky values
+ for very large time differences.
- openssl.h: Use OpenSSL OPENSSL_NO_SHA256 macro to allow building on VAX.
+ Reported-by: Anders Bakken
- openssl.c: Use OpenSSL version checks and OPENSSL_NO_SHA256 macro to
- allow building on VAX and 64 bit VMS.
-
-- examples: Fix typo in multi-single.c
-
-Daniel Stenberg (7 Jul 2015)
-- [Tatsuhiro Tsujikawa brought this change]
-
- http2: Fix memory leak in push header array
-
-Dan Fandrich (2 Jul 2015)
-- test2041: fixed line endings in protocol part
-
-- cyassl: fixed mismatched sha256sum function prototype
-
-Daniel Stenberg (1 Jul 2015)
-- [moparisthebest brought this change]
-
- SSL: Pinned public key hash support
+ Closes #646
-- examples: provide <DESC> sections
+- examples: fix some compiler warnings
-- [John Malmberg brought this change]
+- simplessl.c: fix my breakage
- OpenVMS: VMS Software, Inc now the supplier.
+- examples: adhere to curl code style
- setup-vms.h: Symbol case fixups submitted by Michael Steve
+ All plain C examples now (mostly) adhere to the curl code style. While
+ they are only examples, they had diverted so much and contained all
+ sorts of different mixed code styles by now. Having them use a unified
+ style helps users and readability. Also, as they get copy-and-pasted
+ widely by users, making sure they're clean and nice is a good idea.
- build_gnv_curl_pcsi_desc.com: VSI aka as VMS Software, is now the
- supplier of new versions of VMS. The install kit needs to accept
- VSI as a producer.
+ 573 checksrc warnings were addressed.
-Jay Satiro (30 Jun 2015)
-- multi: Move http2 push function declarations to header end
+- examples/cookie_interface.c: add cleanup call
- This change necessary for binary compatibility.
+ cleaning up handles is a good idea as we leak memory otherwise
- Prior to this change test 1135 failed due to the order of functions.
+ Also, line wrapped before 80 columns.
-- symbols-in-versions: Add new http2 push symbols
+Kamil Dudka (10 Feb 2016)
+- nss: search slash in forward direction in dup_nickname()
- Prior to this change test 1119 failed due to the missing symbols.
-
-Daniel Stenberg (30 Jun 2015)
-- RELEASE-NOTES: synced with e6749055d653
+ It is wasteful to search it backwards if we look for _any_ slash.
-- configure: disable libidn by default
-
- For security reasons, until there is a fix.
+- nss: do not count enabled cipher-suites
- Bug: http://curl.haxx.se/mail/lib-2015-06/0143.html
- Reported-by: Gustavo Grieco, Feist Josselin
-
-- SSL-PROBLEMS: mention WinSSL problems in WinXP
+ We only care if at least one cipher-suite is enabled, so it does
+ not make any sense to iterate till the end and count all enabled
+ cipher-suites.
-- CODE_OF_CONDUCT.md: added
-
- Just to underscore how we treat each other in this project. Nothing new
- really, but could be useful for newcomers and outsiders to see our
- values.
+Daniel Stenberg (10 Feb 2016)
+- contributors.sh: make 79 the max column width (from 80)
-- tool_header_cb: fflush the header stream
-
- Flush the header stream when -D is used so that they are sent off
- earlier.
-
- Bug: https://github.com/bagder/curl/issues/324
- Reported-by: Cédric Connes
+- RELEASE-NOTES: synced with c276aefee3995
-- [Roger Leigh brought this change]
+- mbedtls.c: re-indent to better match curl standards
- tests: Distribute CMakeLists.txt files in subdirectories
+- [Rafael Antonio brought this change]
-- CURLOPT_FAILONERROR.3: mention that it closes the connection
+ mbedtls: fix memory leak when destroying SSL connection data
- Reported-by: bemoody
- Bug: https://github.com/bagder/curl/issues/325
-
-- curl_multi_setopt.3: alpha sort the options
+ Closes #626
-- curl_multi_setopt.3: add the new push options
+- mbedtls: fix ALPN usage segfault
+
+ Since we didn't keep the input argument around after having called
+ mbedtls, it could end up accessing the wrong memory when figuring out
+ the ALPN protocols.
+
+ Closes #642
-- [Tatsuhiro Tsujikawa brought this change]
+Jay Satiro (9 Feb 2016)
+- [Timotej Lazar brought this change]
- http2: Use nghttp2 library error code for error return value
+ opts: update references to renamed options
-- [Tatsuhiro Tsujikawa brought this change]
+- KNOWN_BUGS: Update #92 - Windows device prefix
- http2: Harden header validation for curl_pushheader_byname
+- tool_doswin: Support for literal path prefix \\?\
- Since we do prefix match using given header by application code
- against header name pair in format "NAME:VALUE", and VALUE part can
- contain ":", we have to careful about existence of ":" in header
- parameter. ":" should be allowed to match HTTP/2 pseudo-header field,
- and other use of ":" in header must be treated as error, and
- curl_pushheader_byname should return NULL. This commit implements
- this behaviour.
-
-- [Tatsuhiro Tsujikawa brought this change]
-
- CURLMOPT_PUSHFUNCTION.3: Remove unused variable
-
-- CURLMOPT_PUSHFUNCTION.3: added example
+ For example something like --output \\?\C:\foo
-- http2: curl_pushheader_byname now takes a const char *
+Daniel Stenberg (9 Feb 2016)
+- configure: state "BoringSSL" in summary when that was detected
-- http2-serverpush.c: example code
+- [David Benjamin brought this change]
-- http2: free all header memory after the push callback
-
-- http2: init the pushed transfer properly
-
-- http2: fixed the header accessor functions for the push callback
-
-- http2: setup the new pushed stream properly
-
-- http2: initial implementation of the push callback
-
-- http2: initial HTTP/2 server push types/docs
-
-- test1531: verify POSTFIELDSIZE set after add_handle
+ openssl: remove most BoringSSL #ifdefs.
- Following the fix made in 903b6e05565bf.
-
-- pretransfer: init state.infilesize here, not in add_handle
+ As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
+ BoringSSL #ifdefs in cURL should be unnecessary:
- ... to properly support that options are set to the handle after it is
- added to the multi handle.
+ - BoringSSL provides no-op stubs for compatibility which replaces most
+ #ifdefs.
- Bug: http://curl.haxx.se/mail/lib-2015-06/0122.html
- Reported-by: Stefan Bühler
-
-Jay Satiro (21 Jun 2015)
-- [Lior Kaplan brought this change]
-
- tool_help: fix --tlsv1 help text to use >= for TLSv1
-
-- INSTALL: Advise use of non-native SSL for Windows <= XP
+ - DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
+ the compatibility codepath.
- Advise that WinSSL in versions <= XP will not be able to connect to
- servers that no longer support the legacy handshakes and algorithms used
- by those versions, and to use an alternate backend like OpenSSL instead.
+ - With a small tweak to an extend_key_56_to_64 call, the NTLM code
+ builds fine.
- Bug: https://github.com/bagder/curl/issues/253
- Reported-by: zenden2k <zenden2k@gmail.com>
-
-Kamil Dudka (19 Jun 2015)
-- curl_easy_setopt.3: restore contents removed by mistake
+ - Switch OCSP-related #ifdefs to the more generally useful
+ OPENSSL_NO_OCSP.
- ... in commit curl-7_43_0-18-g570076e
-
-Daniel Stenberg (19 Jun 2015)
-- curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
-
-Jay Satiro (18 Jun 2015)
-- cookie: Fix bug in export if any-domain cookie is present
+ The only #ifdefs which remain are Curl_ossl_version and the #undefs to
+ work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
+ that to the consumer. The in-header workaround makes things sensitive to
+ include order.)
- In 3013bb6 I had changed cookie export to ignore any-domain cookies,
- however the logic I used to do so was incorrect, and would lead to a
- busy loop in the case of exporting a cookie list that contained
- any-domain cookies. The result of that is worse though, because in that
- case the other cookies would not be written resulting in an empty file
- once the application is terminated to stop the busy loop.
-
-Dan Fandrich (18 Jun 2015)
-- FTP: fixed compiling with --disable-proxy, broken in b88f980a
-
-Daniel Stenberg (18 Jun 2015)
-- tool: always provide negotiate/kerberos options
+ This change errs on the side of removing conditionals despite many of
+ the restored codepaths being no-ops. (BoringSSL generally adds no-op
+ compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
+ bad enough!)
- libcurl can still be built with it, even if the tool is not. Maintain
- independence!
-
-- TODO: Support IDNA2008
+ Closes #640
-- [Viktor Szakats brought this change]
+Jay Satiro (8 Feb 2016)
+- KNOWN_BUGS: Windows device prefix is required for devices
- Makefile.m32: add support for CURL_LDFLAG_EXTRAS
+- tool_urlglob: Allow reserved dos device names (Windows)
- It is similar to existing CURL_CFLAG_EXTRAS, but for
- extra linker option.
-
-- RTSP: removed another piece of dead code
+ Allow --output to reserved dos device names without the device prefix
+ for backwards compatibility.
+
+ Example: --output NUL can be used instead of --output \\.\NUL
- Coverity CID 1306668
+ Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863
+ Reported-by: Gisle Vanem
-- openssl: fix use of uninitialized buffer
+Daniel Stenberg (8 Feb 2016)
+- cookies: allow spaces in cookie names, cut of trailing spaces
- Make sure that the error buffer is always initialized and simplify the
- use of it to make the logic easier.
+ It turns out Firefox and Chrome both allow spaces in cookie names and
+ there are sites out there using that.
- Bug: https://github.com/bagder/curl/issues/318
- Reported-by: sneis
-
-- examples: more descriptions
-
-- examples: add descriptions with <DESC>
+ Turned out the code meant to strip off trailing space from cookie names
+ didn't work. Fixed now.
+
+ Test case 8 modified to verify both these changes.
- Using this fixed format for example descriptions, we can generate a
- better list on the web site.
+ Closes #639
-- libcurl-errors.3: fix typo
+Patrick Monnerat (8 Feb 2016)
+- Merge branch 'master' of github.com:curl/curl
-- curl_easy_setopt.3: option order doesn't matter
+- os400: sync ILE/RPG definitions with latest public header files.
-- openssl: fix build with BoringSSL
-
- OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression
- from cae43a1
+Daniel Stenberg (8 Feb 2016)
+- [Ludwig Nussel brought this change]
-- [Paul Howarth brought this change]
+ SSLCERTS: update wrt SSL CA certificate store
- openssl: Fix build with openssl < ~ 0.9.8f
-
- The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at
- around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks
- builds with older openssls (certainly with 0.9.8b, which is the latest
- older version I have to try with).
+- [Ludwig Nussel brought this change]
-- FTP: do the HTTP CONNECT for data connection blocking
+ configure: --with-ca-fallback: use built-in TLS CA fallback
+
+ When trying to verify a peer without having any root CA certificates
+ set, this makes libcurl use the TLS library's built in default as
+ fallback.
- ** WORK-AROUND **
+ Closes #569
+
+- Proxy-Connection: stop sending this header by default
- The introduced non-blocking general behaviour for Curl_proxyCONNECT()
- didn't work for the data connection establishment unless it was very
- fast. The newly introduced function argument makes it operate in a more
- blocking manner, more like it used to work in the past. This blocking
- approach is only used when the FTP data connecting through HTTP proxy.
+ RFC 7230 says we should stop. Firefox already stopped.
- Blocking like this is bad. A better fix would make it work more
- asynchronously.
+ Bug: https://github.com/curl/curl/issues/633
+ Reported-By: Brad Fitzpatrick
- Bug: https://github.com/bagder/curl/issues/278
-
-- bump: start the journey toward 7.44.0
-
-Jay Satiro (17 Jun 2015)
-- CURLOPT_ERRORBUFFER.3: Fix example, escape backslashes
+ Closes #633
-- CURLOPT_ERRORBUFFER.3: Improve example
+- bump: work toward the next release
-Version 7.43.0 (17 Jun 2015)
+- THANKS: 2 contributors from the 7.47.1 release
-Daniel Stenberg (17 Jun 2015)
-- RELEASE-NOTES: 7.43.0 release
+- RELEASE-PROCEDURE: remove the github upload part
+
+ ... as we're HTTPS on the main site now, there's no point in that
+ extra step
-- THANKS: updated with 7.43.0 names
+Version 7.47.1 (8 Feb 2016)
-- [Kamil Dudka brought this change]
+Daniel Stenberg (8 Feb 2016)
+- RELEASE-NOTES: curl 7.47.1 time!
- http: do not leak basic auth credentials on re-used connections
+Jay Satiro (8 Feb 2016)
+- tool_operhlp: Check for backslashes in get_url_file_name
- CVE-2015-3236
+ Extract the filename from the last slash or backslash. Prior to this
+ change backslashes could be part of the filename.
- This partially reverts commit curl-7_39_0-237-g87c4abb
+ This change needed for the curl tool built for Cygwin. Refer to the
+ CYGWIN addendum in advisory 20160127B.
- Reported-by: Tomas Tomecek, Kamil Dudka
- Bug: http://curl.haxx.se/docs/adv_20150617A.html
-
-- [Kamil Dudka brought this change]
+ Bug: https://curl.haxx.se/docs/adv_20160127B.html
- test2040: verify basic auth on re-used connections
+Daniel Stenberg (7 Feb 2016)
+- RELEASE-NOTES: synced with d6a8869ea34
-- SMB: rangecheck values read off incoming packet
-
- CVE-2015-3237
+Jay Satiro (6 Feb 2016)
+- openssl: Fix signed/unsigned mismatch warning in X509V3_ext
- Detected by Coverity. CID 1299430.
+ sk_X509_EXTENSION_num may return an unsigned integer, however the value
+ will fit in an int.
- Bug: http://curl.haxx.se/docs/adv_20150617B.html
+ Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
+ Reported-by: Gisle Vanem
-Jay Satiro (17 Jun 2015)
-- schannel: schannel_recv overhaul
-
- This commit is several drafts squashed together. The changes from each
- draft are noted below. If any changes are similar and possibly
- contradictory the change in the latest draft takes precedence.
-
- Bug: https://github.com/bagder/curl/issues/244
- Reported-by: Chris Araman
-
- %%
- %% Draft 1
- %%
- - return 0 if len == 0. that will have to be documented.
- - continue on and process the caches regardless of raw recv
- - if decrypted data will be returned then set the error code to CURLE_OK
- and return its count
- - if decrypted data will not be returned and the connection has closed
- (eg nread == 0) then return 0 and CURLE_OK
- - if decrypted data will not be returned and the connection *hasn't*
- closed then set the error code to CURLE_AGAIN --only if an error code
- isn't already set-- and return -1
- - narrow the Win2k workaround to only Win2k
+Daniel Stenberg (7 Feb 2016)
+- TODO: 17.11 -w output to stderr
+
+Jay Satiro (6 Feb 2016)
+- [Michael Kaufmann brought this change]
+
+ idn_win32: Better error checking
- %%
- %% Draft 2
- %%
- - Trying out a change in flow to handle corner cases.
+ .. also fix a conversion bug in the unused function
+ curl_win32_ascii_to_idn().
- %%
- %% Draft 3
- %%
- - Back out the lazier decryption change made in draft2.
+ And remove wprintfs on error (Jay).
- %%
- %% Draft 4
- %%
- - Some formatting and branching changes
- - Decrypt all encrypted cached data when len == 0
- - Save connection closed state
- - Change special Win2k check to use connection closed state
+ Bug: https://github.com/curl/curl/pull/637
+
+- [Gisle Vanem brought this change]
+
+ examples/asiohiper: Avoid function name collision on Windows
- %%
- %% Draft 5
- %%
- - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the
- connection isn't closed.
+ closesocket => close_socket
+ Winsock already has the former.
- %%
- %% Draft 6
- %%
- - Save the last error only if it is an unrecoverable error.
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html
+
+- [Gisle Vanem brought this change]
+
+ examples/htmltitle: Use _stricmp on Windows
- Prior to this I saved the last error state in all cases; unfortunately
- the logic to cover that in all cases would lead to some muddle and I'm
- concerned that could then lead to a bug in the future so I've replaced
- it by only recording an unrecoverable error and that state will persist.
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html
+
+Daniel Stenberg (6 Feb 2016)
+- COPYING: clarify that Daniel is not the sole author
- - Do not recurse on renegotiation.
+ ... done on request and as it is a fair point.
+
+Jay Satiro (5 Feb 2016)
+- unit1604: Fix unit setup return code
+
+- tool_doswin: Use type SANITIZEcode in sanitize_file_name
+
+- tool_doswin: Improve sanitization processing
- Instead we'll continue on to process any trailing encrypted data
- received during the renegotiation only.
+ - Add unit test 1604 to test the sanitize_file_name function.
- - Move the err checks in cleanup after the check for decrypted data.
+ - Use -DCURL_STATICLIB when building libcurltool for unit testing.
- In either case decrypted data is always returned but I think it's easier
- to understand when those err checks come after the decrypted data check.
+ - Better detection of reserved DOS device names.
- %%
- %% Draft 7
- %%
- - Regardless of len value go directly to cleanup if there is an
- unrecoverable error or a close_notify was already received. Prior to
- this change we only acknowledged those two states if len != 0.
+ - New flags to modify sanitize behavior:
- - Fix a bug in connection closed behavior: Set the error state in the
- cleanup, because we don't know for sure it's an error until that time.
+ SANITIZE_ALLOW_COLONS: Allow colons
+ SANITIZE_ALLOW_PATH: Allow path separators and colons
+ SANITIZE_ALLOW_RESERVED: Allow reserved device names
+ SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename
- - (Related to above) In the case the connection is closed go "greedy"
- with the decryption to make sure all remaining encrypted data has been
- decrypted even if it is not needed at that time by the caller. This is
- necessary because we can only tell if the connection closed gracefully
- (close_notify) once all encrypted data has been decrypted.
+ - Restore sanitization of banned characters from user-specified outfile.
- - Do not renegotiate when an unrecoverable error is pending.
+ Prior to this commit sanitization of a user-specified outfile was
+ temporarily disabled in 2b6dadc because there was no way to allow path
+ separators and colons through while replacing other banned characters.
+ Now in such a case we call the sanitize function with
+ SANITIZE_ALLOW_PATH which allows path separators and colons to pass
+ through.
- %%
- %% Draft 8
- %%
- - Don't show 'server closed the connection' info message twice.
- - Show an info message if server closed abruptly (missing close_notify).
+ Closes https://github.com/curl/curl/issues/624
+ Reported-by: Octavio Schroeder
+
+- [Viktor Szakats brought this change]
-Daniel Stenberg (16 Jun 2015)
-- [Paul Oliver brought this change]
+ URLs: change more http to https
- Fix typo in docs
+- sasl_sspi: Fix memory leak in domain populate
+
+ Free an existing domain before replacing it.
- s/curret/current/
+ Bug: https://github.com/curl/curl/issues/635
+ Reported-by: silveja1@users.noreply.github.com
+Daniel Stenberg (4 Feb 2016)
- [Viktor Szakats brought this change]
- docs: update URLs
-
-- RELEASE-NOTES: synced with f29f2cbd00dbe5f
+ URLs: follow GitHub project rename (also Travis CI)
+
+ Closes #632
-- [Viktor Szakats brought this change]
+- CHANGES.o: fix references to curl.haxx.nu
+
+ I removed the scheme prefix from the URLs references this host name, as
+ we don't own/run that anymore but the name is kept for historic reasons.
- README: use secure protocol for Git repository
+- HISTORY: add some info about when we used which host names
+Jay Satiro (2 Feb 2016)
- [Viktor Szakats brought this change]
- HTTP2.md: use SSL/TLS IETF URLs
+ URLs: change more http to https
-- [Viktor Szakats brought this change]
+Dan Fandrich (3 Feb 2016)
+- URLs: Change more haxx.se URLs from http: to https:
- LICENSE-MIXING: update URLs
-
- * use SSL/TLS where available
- * follow permanent redirects
+Daniel Stenberg (3 Feb 2016)
+- RELEASE-NOTES: synced with 4af40b364
-- LICENSE-MIXING: refreshed
+- URLs: change all http:// URLs to https://
-- curl_easy_duphandle: see also *reset
+- configure: update the copyright year range in output
-- rtsp_do: fix DEAD CODE
+- dotdot: allow an empty input string too
- "At condition p_request, the value of p_request cannot be NULL."
+ It isn't used by the code in current conditions but for safety it seems
+ sensible to at least not crash on such input.
- Coverity CID 1306668.
+ Extended unit test 1395 to verify this too as well as a plain "/" input.
-- security:choose_mech fix DEAD CODE warning
-
- ... by removing the "do {} while (0)" block.
-
- Coverity CID 1306669
+- HTTPS: update a bunch of URLs from HTTP to HTTPS
-- curl.1: netrc is in man section 5
+- [Sergei Nikulov brought this change]
-- curl.1: small format fix
+ AppVeyor: updated to handle OpenSSL/WinSSL builds
- use \fI-style instead of .BR for references
+ Closes #621
-- urldata: store POST size in state.infilesize too
+Jay Satiro (1 Feb 2016)
+- tool_operate: Don't sanitize --output path (Windows)
+
+ Due to path separators being incorrectly sanitized in --output
+ pathnames, eg -o c:\foo => c__foo
- ... to simplify checking when PUT _or_ POST have completed.
+ This is a partial revert of 3017d8a until I write a proper fix. The
+ remote-name will continue to be sanitized, but if the user specified an
+ --output with string replacement (#1, #2, etc) that data is unsanitized
+ until I finish a fix.
- Reported-by: Frank Meier
- Bug: http://curl.haxx.se/mail/lib-2015-06/0019.html
+ Bug: https://github.com/bagder/curl/issues/624
+ Reported-by: Octavio Schroeder
-Dan Fandrich (14 Jun 2015)
-- test1530: added http to required features
+- curl.1: Explain remote-name behavior if file already exists
+
+ .. also warn about letting the server pick the filename.
-Jay Satiro (14 Jun 2015)
-- [Drake Arconis brought this change]
+- [Gisle Vanem brought this change]
- build: Fix typo from OpenSSL 1.0.2 version detection fix
+ urldata: Error on missing SSL backend-specific connect info
-- [Drake Arconis brought this change]
+Daniel Stenberg (28 Jan 2016)
+- bump: towards the next (7.47.1 ?)
- build: Properly detect OpenSSL 1.0.2 when using configure
+- [Sergei Nikulov brought this change]
-- curl_multi_info_read.3: fix example formatting
+ cmake: fixed when OpenSSL enabled on Windows and schannel detected
+
+ Closes #617
-Daniel Stenberg (13 Jun 2015)
-- BINDINGS: there's a new R binding in town!
+Jay Satiro (28 Jan 2016)
+- [Sergei Nikulov brought this change]
-- BINDINGS: added the Xojo binding
+ urldata: moved common variable out of ifdef
+
+ Closes https://github.com/bagder/curl/pull/618
-Jay Satiro (11 Jun 2015)
-- [Joel Depooter brought this change]
+- [Viktor Szakats brought this change]
- schannel: Add support for optional client certificates
+ tool_doswin: silence unused function warning
- Some servers will request a client certificate, but not require one.
- This change allows libcurl to connect to such servers when using
- schannel as its ssl/tls backend. When a server requests a client
- certificate, libcurl will now continue the handshake without one,
- rather than terminating the handshake. The server can then decide
- if that is acceptable or not. Prior to this change, libcurl would
- terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS
- error.
+ tool_doswin.c:185:14: warning: 'msdosify' defined but not used
+ [-Wunused-function]
+
+ Closes https://github.com/bagder/curl/pull/616
-Daniel Stenberg (11 Jun 2015)
-- curl_easy_cleanup.3: provide more SEE ALSO
+Daniel Stenberg (27 Jan 2016)
+- getredirect.c: fix variable name
+
+ Reported-by: Bernard Spil
-- debug: remove http2 debug leftovers
+Version 7.47.0 (27 Jan 2016)
-- VERSIONS: now using markdown
+Daniel Stenberg (27 Jan 2016)
+- examples/Makefile.inc: specify programs without .c!
-- RELEASE-PROCEDURE: remove ascii logo at the top of file
+- THANKS: 6 new contributors from 7.47.0 release notes
-- INTERNALS: absorbed docs/LIBCURL-STRUCTS
+- [Isaac Boukris brought this change]
-- INTERNALS: cat lib/README* >> INTERNALS
+ NTLM: Fix ConnectionExists to compare Proxy credentials
- and a conversion to markdown. Removed the lib/README.* files. The idea
- being to move toward having INTERNALS as the one and only "book" of
- internals documentation.
+ Proxy NTLM authentication should compare credentials when
+ re-using a connection similar to host authentication, as it
+ authenticate the connection.
- Added a TOC to top of the document.
-
-Jay Satiro (8 Jun 2015)
-- openssl: LibreSSL and BoringSSL do not use TLS_client_method
+ Example:
+ curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
+ --proxy-ntlm --next -x http://proxy:port http://host/
+ [-U fake_user:fake_pwd --proxy-ntlm]
- Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of
- TLS_client_method LibreSSL and BoringSSL didn't and still use
- SSLv23_client_method.
+ CVE-2016-0755
- Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009
- Reported-by: asavah@users.noreply.github.com
+ Bug: http://curl.haxx.se/docs/adv_20160127A.html
-Daniel Stenberg (9 Jun 2015)
-- RELEASE-NOTES: synced with 20ac3458068
+- [Ray Satiro brought this change]
-- CURLOPT_OPENSOCKETFUNCTION: return error at once
+ curl: avoid local drive traversal when saving file (Windows)
+
+ curl does not sanitize colons in a remote file name that is used as the
+ local file name. This may lead to a vulnerability on systems where the
+ colon is a special path character. Currently Windows/DOS is the only OS
+ where this vulnerability applies.
+
+ CVE-2016-0754
+
+ Bug: http://curl.haxx.se/docs/adv_20160127B.html
+
+- RELEASE-NOTES: 7.47.0
+
+- FAQ: language fix in 4.19
+
+- [paulehoffman brought this change]
+
+ FAQ: Update to point to GitHub
+
+ Current FAQ didn't make it clear where the main repo is.
+
+ Closes #612
+
+- maketgz: generate date stamp with LC_TIME=C
+
+ bug: http://curl.haxx.se/mail/lib-2016-01/0123.html
+
+- curl_multi_socket_action.3: line wrap
+
+- RELEASE-NOTES: synced with d58ba66eeceb
+
+Steve Holme (21 Jan 2016)
+- TODO: "Create remote directories" for SMB
+
+Jay Satiro (18 Jan 2016)
+- mbedtls: Fix pinned key return value on fail
+
+ - Switch from verifying a pinned public key in a callback during the
+ certificate verification to inline after the certificate verification.
+
+ The callback method had three problems:
+
+ 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
+ was not returned.
+
+ 2. If peer certificate verification was disabled the pinned key
+ verification did not take place as it should.
+
+ 3. (related to #2) If there was no certificate of depth 0 the callback
+ would not have checked the pinned public key.
+
+ Though all those problems could have been fixed it would have made the
+ code more complex. Instead we now verify inline after the certificate
+ verification in mbedtls_connect_step2.
+
+ Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
+ Ref: https://github.com/bagder/curl/pull/601
+
+- tests: Add a test for pinnedpubkey fail even when insecure
+
+ Because disabling the peer verification (--insecure) must not disable
+ the public key pinning check (--pinnedpubkey).
+
+- [Daniel Schauenberg brought this change]
+
+ CURLINFO_RESPONSE_CODE.3: add example
+
+Kamil Dudka (15 Jan 2016)
+- ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL
+
+ The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
+ empty strings specially since curl-7_25_0-31-g05a443a but the behavior
+ was unintentionally removed in curl-7_38_0-47-gfa7d04f.
+
+ This commit restores the original behavior and clarifies it in the
+ documentation that NULL and "" have both the same meaning when passed
+ to CURLOPT_SSH_PUBLIC_KEYFILE.
+
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
+
+Daniel Stenberg (14 Jan 2016)
+- RELEASE-NOTES: synced with 35083ca60ed035a
+
+- openssl: improved error detection/reporting
+
+ ... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
+ 1.1.0+ returned a new func number of another cerfificate fail so this
+ required a fix and this is the better way to catch this error anyway.
+
+- openssl: for 1.1.0+ they now provide a SSLeay() macro of their own
+
+- CURLOPT_RESOLVE.3: minor language polish
+
+- configure: assume IPv6 works when cross-compiled
+
+ The configure test uses AC_TRY_RUN to figure out if an ipv6 socket
+ works, and testing like that doesn't work for cross-compiles. These days
+ IPv6 support is widespread so a blind guess is probably more likely to
+ be 'yes' than 'no' now.
+
+ Further: anyone who cross-compiles can use configure's --disable-ipv6 to
+ explicitly disable IPv6 and that also works for cross-compiles.
+
+ Made happen after discussions in issue #594
+
+- TODO: "Try to URL encode given URL"
+
+ Closes #514
+
+- ConnectionExists: only do pipelining/multiplexing when asked
+
+ When an HTTP/2 upgrade request fails (no protocol switch), it would
+ previously detect that as still possible to pipeline on (which is
+ acorrect) and do that when PIPEWAIT was enabled even if pipelining was
+ not explictily enabled.
+
+ It should only pipelined if explicitly asked to.
+
+ Closes #584
+
+- [Mohammad AlSaleh brought this change]
+
+ lib: Prefix URLs with lower-case protocol names/schemes
+
+ Before this patch, if a URL does not start with the protocol
+ name/scheme, effective URLs would be prefixed with upper-case protocol
+ names/schemes. This behavior might not be expected by library users or
+ end users.
+
+ For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the
+ URL is "hostname/path". The effective URL would be
+ "HTTPS://hostname/path" instead of "https://hostname/path".
+
+ After this patch, effective URLs would be prefixed with a lower-case
+ protocol name/scheme.
+
+ Closes #597
+
+ Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
+
+- [Alessandro Ghedini brought this change]
+
+ scripts: don't generate and install zsh completion when cross-compiling
+
+- [Alessandro Ghedini brought this change]
+
+ scripts: fix zsh completion generation
+
+ The script should use the just-built curl, not the system one. This fixes
+ zsh completion generation when no system curl is installed.
+
+- [Alessandro Ghedini brought this change]
+
+ zsh.pl: fail if no curl is found
+
+ Instead of generation a broken completion file.
+
+- [Michael Kaufmann brought this change]
+
+ IDN host names: Remove the port number before converting to ACE
+
+ Closes #596
+
+Jay Satiro (10 Jan 2016)
+- runtests: Add mbedTLS to the SSL backends
+
+ .. and enable SSLpinning tests for mbedTLS, BoringSSL and LibreSSL.
+
+Daniel Stenberg (10 Jan 2016)
+- [Thomas Glanzmann brought this change]
+
+ mbedtls: implement CURLOPT_PINNEDPUBLICKEY
+
+Jay Satiro (9 Jan 2016)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ url: Fix compile error with --enable-werror
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Ensure that http2_handle_stream_close is called
+
+ Previously, when HTTP/2 is enabled and used, and stream has content
+ length known, Curl_read was not called when there was no bytes left to
+ read. Because of this, we could not make sure that
+ http2_handle_stream_close was called for every stream. Since we use
+ http2_handle_stream_close to emit trailer fields, they were
+ effectively ignored. This commit changes the code so that Curl_read is
+ called even if no bytes left to read, to ensure that
+ http2_handle_stream_close is called for every stream.
+
+ Discussed in https://github.com/bagder/curl/pull/564
+
+Daniel Stenberg (8 Jan 2016)
+- http2: handle the received SETTINGS frame
+
+ This regression landed in 5778e6f5 and made libcurl not act on received
+ settings and instead stayed with its internal defaults.
+
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
+ Reported-by: Bankde
+
+- Revert "multiplex: allow only once HTTP/2 is actually used"
+
+ This reverts commit 46cb70e9fa81c9a56de484cdd7c5d9d0d9fbec36.
+
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
+
+Jay Satiro (8 Jan 2016)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Fix PUSH_PROMISE headers being treated as trailers
+
+ Discussed in https://github.com/bagder/curl/pull/564
+
+Daniel Stenberg (8 Jan 2016)
+- [Michael Kaufmann brought this change]
+
+ connection reuse: IDN host names fixed
+
+ Use the ACE form of IDN hostnames as key in the connection cache. Add
+ new tests.
+
+ Closes #592
+
+- tests: mark IPv6 FTP and FTPS tests with the FTP keyword
+
+Jay Satiro (7 Jan 2016)
+- mbedtls: Fix ALPN support
+
+ - Fix ALPN reply detection.
+
+ - Wrap nghttp2 code in ifdef USE_NGHTTP2.
+
+
+ Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
+
+- http2: Fix client write for trailers on stream close
+
+ Check that the trailer buffer exists before attempting a client write
+ for trailers on stream close.
+
+ Refer to comments in https://github.com/bagder/curl/pull/564
+
+Daniel Stenberg (7 Jan 2016)
+- COPYING: update general copyright year range
+
+- ConnectionExists: add missing newline in infof() call
+
+ Mistake from commit a464f33843ee1
+
+- multiplex: allow only once HTTP/2 is actually used
+
+ To make sure curl doesn't allow multiplexing before a connection is
+ upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the
+ connection uses HTTP/2 as well and not only check what's wanted.
+
+ Closes #584
+
+ Patch-by: c0ff
+
+Jay Satiro (4 Jan 2016)
+- curl_global_init.3: Add Windows-specific info for init via DLL
+
+ - Add to both curl_global_init.3 and libcurl.3 the caveat for Windows
+ that initializing libcurl via a DLL's DllMain or static initializer
+ could cause a deadlock.
+
+ Bug: https://github.com/bagder/curl/issues/586
+ Reported-by: marc-groundctl@users.noreply.github.com
+
+Daniel Stenberg (4 Jan 2016)
+- FAQ: clarify who to mail about ECCN clarifications
+
+- progressfunc.c: spellfix description
+
+- docs/examples/multi-app.c: fix bad desc formatting
+
+- examples: added descriptions
+
+- example/simple.c: add description
+
+- getredirect.c: a new example
+
+Marc Hoersken (27 Dec 2015)
+- RELEASE-NOTES: add 5e0e81a9c4e35f04ca
+
+Daniel Stenberg (26 Dec 2015)
+- RELEASE-NOTES: synced with 2aec4359db1088b10d
+
+Marc Hoersken (26 Dec 2015)
+- test 1515: add data check
+
+- test 1515: add MSYS support by passing a relative path
+
+ MSYS would otherwise turn a /-style path into a C:\-style path.
+
+- test 539: use datacheck mode text for ASCII-mode LISTings
+
+ While still using datacheck mode binary for the inline reply data.
+
+- runtests.pl: check up to 5 data parts with different text modes
+
+ Move the text-mode conversion for reply/replycheck from the verify
+ section into the load section and add support for 4 more check parts.
+
+Daniel Stenberg (24 Dec 2015)
+- CURLOPT_RANGE: for HTTP servers, range support is optional
+
+Marc Hoersken (24 Dec 2015)
+- tests 1048 and 1050: use datacheck mode text for ASCII-mode LISTings
+
+- tests 706 and 707: use datacheck mode text for ASCII-mode LISTings
+
+- tests 400,403,406: use datacheck mode text for ASCII-mode LISTings
+
+- sockfilt.c: fix calculation of sleep timeout on Windows
- When CURL_SOCKET_BAD is returned in the callback, it should be treated
- as an error (CURLE_COULDNT_CONNECT) if no other socket is subsequently
- created when trying to connect to a server.
+ Not converting to double caused small timeouts to be skipped.
+
+- tests first.c: fix calculation of sleep timeout on Windows
- Bug: http://curl.haxx.se/mail/lib-2015-06/0047.html
+ Not converting to double caused small timeouts to be skipped.
-- fopen.c: fix a few compiler warnings
+- test 573: add more debug output
+
+- ftplistparser.c: fix handling of file LISTings using Windows EOL
+
+ Previously file.txt[CR][LF] would have been returned as file.tx
+ (without the last t) if filetype is symlink. Now the t is
+ included and the internal item_length includes the zero byte.
+
+ Spotted using test 576 on Windows.
-- [Ville Skyttä brought this change]
+- test 16: fix on Linux (and Windows) by using plain ASCII characters
+
+ Follow up on b064ff0c351bb287557228575ef4c1d079b866fb, thanks Daniel.
- docs: Spelling fixes
+- tftpd server: add Windows support by writing files in binary mode
-- [Ville Skyttä brought this change]
+- tests 252-255: use datacheck mode text for ASCII-mode LISTings
- docs: man page indentation and syntax fixes
+- test 16: fix on Windows by converting data file from ANSI to UTF-8
+
+Daniel Stenberg (23 Dec 2015)
+- Makefile.inc: s/curl_SOURCES/CURL_FILES
+
+ This allows the root Makefile.am to include the Makefile.inc without
+ causing automake to warn on it (variables named *_SOURCES are
+ magic). curl_SOURCES is then instead assigned properly in
+ src/Makefile.am only.
+
+ Closes #577
+
+- [Anders Bakken brought this change]
+
+ ConnectionExists: with *PIPEWAIT, wait for connections
+
+ Try harder to prevent libcurl from opening up an additional socket when
+ CURLOPT_PIPEWAIT is set. Accomplished by letting ongoing TCP and TLS
+ handshakes complete first before the decision is made.
+
+ Closes #575
+
+- [Anders Bakken brought this change]
+
+ Add .dir-locals and set c-basic-offset to 2.
+
+ This makes it easier for emacs users to automatically get the right
+ 2-space indentation when they edit curl source files.
+
+ c++-mode is in there as well because Emacs can't easily know if
+ something is a C or C++ header.
+
+ Closes #574
+
+- [Johannes Schindelin brought this change]
+
+ configure: detect IPv6 support on Windows
+
+ This patch was "nicked" from the MINGW-packages project by Daniel.
+
+ https://github.com/Alexpux/MINGW-packages/commit/9253d0bf58a1486e91f7efb5316e7fdb48fa4007
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- configure: allow static builds on mingw
+
+ This patch is adopted from the MINGW-packages project. It makes it
+ possible to build curl both shared and static again.
+
+ URL: https://github.com/Alexpux/MINGW-packages/tree/master/mingw-w64-curl
+
+Marc Hoersken (17 Dec 2015)
+- test 1326: fix file check since curl is outputting binary data
+
+- test 1326: fix getting stuck on Windows due to incomplete request
+
+ The request needs to be read and send in binary mode in order to use
+ CRLF instead of LF. Adding --upload-file - causes curl to read stdin
+ in binary mode.
+
+Daniel Stenberg (17 Dec 2015)
+- RELEASE-NOTES: command line option recount
+
+Dan Fandrich (16 Dec 2015)
+- scripts/Makefile: build zsh script even in an out-of-tree build
+
+Marc Hoersken (16 Dec 2015)
+- sockfilt.c: added some debug output to select_ws
+
+- sockfilt.c: keep lines shorter than 80 chars
+
+- sockfilt.c: do not wait on unreliable file or pipe handle
+
+ The previous implementation caused issues on modern MSYS2 runtimes.
+
+Daniel Stenberg (16 Dec 2015)
+- cyassl: deal with lack of *get_peer_certificate
+
+ The function is only present in wolfssl/cyassl if it was built with
+ --enable-opensslextra. With these checks added, pinning support is disabled
+ unless the TLS lib has that function available.
+
+ Also fix the mistake in configure that checks for the wrong lib name.
+
+ Closes #566
+
+- wolfssl: handle builds without SSLv3 support
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Support trailer fields
+
+ This commit adds trailer support in HTTP/2. In HTTP/1.1, chunked
+ encoding must be used to send trialer fields. HTTP/2 deprecated any
+ trandfer-encoding, including chunked. But trailer fields are now
+ always available.
+
+ Since trailer fields are relatively rare these days (gRPC uses them
+ extensively though), allocating buffer for trailer fields is done when
+ we detect that HEADERS frame containing trailer fields is started. We
+ use Curl_add_buffer_* functions to buffer all trailers, just like we
+ do for regular header fields. And then deliver them when stream is
+ closed. We have to be careful here so that all data are delivered to
+ upper layer before sending trailers to the application.
+
+ We can deliver trailer field one by one using NGHTTP2_ERR_PAUSE
+ mechanism, but current method is far more simple.
+
+ Another possibility is use chunked encoding internally for HTTP/2
+ traffic. I have not tested it, but it could add another overhead.
+
+ Closes #564
-Linus Nielsen (8 Jun 2015)
-- help: Add --proxy-service-name and --service-name to the --help output
+- RELEASE-NOTES: synced with 6c2c019654e658a
-Jay Satiro (7 Jun 2015)
-- openssl: Fix verification of server-sent legacy intermediates
+Jay Satiro (15 Dec 2015)
+- x509asn1: Fix host altname verification
- - Try building a chain using issuers in the trusted store first to avoid
- problems with server-sent legacy intermediates.
+ - In Curl_verifyhost check all altnames in the certificate.
- Prior to this change server-sent legacy intermediates with missing
- legacy issuers would cause verification to fail even if the client's CA
- bundle contained a valid replacement for the intermediate and an
- alternate chain could be constructed that would verify successfully.
+ Prior to this change only the first altname was checked. Only the GSKit
+ SSL backend was affected by this bug.
- https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
+ Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
+ Reported-by: John Kohl
-Daniel Stenberg (5 Jun 2015)
-- BINDINGS: update several URLs
+Daniel Stenberg (15 Dec 2015)
+- curl --expect100-timeout: added
- Stop linking to the curl.haxx.se anchor pages, they are usually only
- themselves pointers to the real page so better point there directly
- instead.
+ This is the new command line option to set the value for the existing
+ libcurl option CURLOPT_EXPECT_100_TIMEOUT_MS
-- BINDINGS: the curl-rust binding
+- cyassl: fix compiler warning on type conversion
-- curl.h: add CURL_HTTP_VERSION_2
-
- The protocol is named "HTTP/2" after all. It is an alias for the
- existing CURL_HTTP_VERSION_2_0 enum.
+- curlver: the pending release will become 7.47.0
-- openssl: removed error string #ifdef
-
- ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore
+- [Anders Bakken brought this change]
-- openssl: removed USERDATA_IN_PWD_CALLBACK kludge
+ setstropt: const-correctness
- Code for OpenSSL 0.9.4 serves no purpose anymore!
+ Closes #565
-- openssl: remove SSL_get_session()-using code
-
- It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or
- later.
+- ROADMAP: implemented HTTP2 for HTTPS-only
-- openssl: remove dummy callback use from SSL_CTX_set_verify()
-
- The existing callback served no purpose.
+- HTTP2.md: spell fix and remove TODO now implemented
-- LIBCURL-STRUCTS: clarify for multiplexing
+- libressl: the latest openssl x509 funcs are not in libressl
-Jay Satiro (3 Jun 2015)
-- cookie: Stop exporting any-domain cookies
+- curl: use 2TLS by default
- Prior to this change any-domain cookies (cookies without a domain that
- are sent to any domain) were exported with domain name "unknown".
+ Make this the default for the curl tool (if built with HTTP/2 powers
+ enabled) unless a specific HTTP version is requested on the command
+ line.
- Bug: https://github.com/bagder/curl/issues/292
+ This should allow more users to get HTTP/2 powers without having to
+ change anything.
-Daniel Stenberg (3 Jun 2015)
-- RELEASE-PROCEDURE: refreshed 'coming dates'
+- http: add libcurl option to allow HTTP/2 for HTTPS only
+
+ ... and stick to 1.1 for HTTP. This is in line with what browsers do and
+ should have very little risk.
-Jay Satiro (2 Jun 2015)
-- curl_setup: Change fopen text macros to use 't' for MSDOS
+- openssl: adapt to openssl >= 1.1.0 X509 opaque structs
- Bug: https://github.com/bagder/curl/pull/258#issuecomment-107915198
- Reported-by: Gisle Vanem
+ Closes #491
-Daniel Stenberg (2 Jun 2015)
-- curl_multi_timeout.3: added example
+- openssl: avoid BIO_reset() warnings since it returns a value
-- curl_multi_perform.3: added example
+- openssl: adapt to 1.1.0+ name changes
-- curl_multi_info_read.3: added example
+- scripts/makefile: add standard header
-- checksrc: detect fopen() for text without the FOPEN_* macros
+- scripts/Makefile: fix GNUism and survive no perl
- Follow-up to e8423f9ce150 with discussionis in
- https://github.com/bagder/curl/pull/258
+ Closes #555
- This check scans for fopen() with a mode string without 'b' present, as
- it may indicate that an FOPEN_* define should rather be used.
+ Reported-by: Thomas Klausner
+
+- fix b6d5cb40d7038fe
-- curl_getdate.3: update RFC reference
+- [Tatsuhiro Tsujikawa brought this change]
-Jay Satiro (1 Jun 2015)
-- curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
-
- - Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt"
- - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt"
-
- This change is to explicitly specify when we need to read/write text.
- Unfortunately 't' is not part of POSIX fopen so we can't specify it
- directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT.
+ http2: Fix hanging paused stream
- Prior to this change we had an issue on Windows if an application that
- uses libcurl overrides the default file mode to binary. The default file
- mode in Windows is normally text mode (translation mode) and that's what
- libcurl expects.
+ When NGHTTP2_ERR_PAUSE is returned from data_source_read_callback, we
+ might not process DATA frame fully. Calling nghttp2_session_mem_recv()
+ again will continue to process DATA frame, but if there is no incoming
+ frames, then we have to call it again with 0-length data. Without this,
+ on_stream_close callback will not be called, and stream could be hanged.
- Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055
- Reported-by: Orgad Shaneh
+ Bug: http://curl.haxx.se/mail/lib-2015-11/0103.html
+ Reported-by: Francisco Moraes
-Daniel Stenberg (1 Jun 2015)
-- http2-upload.c: use PIPEWAIT for playing HTTP/2 better
+- [Christian Stewart brought this change]
-- http2-download: check for CURLPIPE_MULTIPLEX properly
+ build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS
- Bug: http://curl.haxx.se/mail/lib-2015-06/0001.html
- Reported-by: Rafayel Mkrtchyan
-
-- [Isaac Boukris brought this change]
-
- HTTP-NTLM: fail auth on connection close instead of looping
+ With curl disable verbose strings in http.c the compilation fails due to
+ the data variable being undefined later on in the function.
- Bug: https://github.com/bagder/curl/issues/256
-
-- 5.6 Refuse "downgrade" redirects
-
-- README.pingpong: removed
-
-- ROADMAP: remove HTTP/2 multiplexing - its here now
-
-- HTTP2.md: formatted properly
+ Closes #558
-- HTTP2: moved docs into docs/ and make it markdown
+Jay Satiro (7 Dec 2015)
+- [Gisle Vanem brought this change]
-- README.http2: refreshed and added multiplexing info
+ config-win32: Fix warning HAVE_WINSOCK2_H undefined
-- dist: add the http2 examples
+- [Gisle Vanem brought this change]
-- http2 examples: clean up some comments
+ openssl: BoringSSL doesn't have CONF_modules_free
-- examples: added two programs doing multiplexed HTTP/2
+- [Gisle Vanem brought this change]
-- scripts: moved contributors.sh and contrithanks.sh into subdir
+ lwip: Fix compatibility issues with later versions
+
+ The name of the header guard in lwIP's <lwip/opt.h> has changed from
+ '__LWIP_OPT_H__' to 'LWIP_HDR_OPT_H' (bug #35874 in May 2015).
+
+ Other fixes:
+
+ - In curl_setup.h, the problem with an old PSDK doesn't apply if lwIP is
+ used.
+
+ - In memdebug.h, the 'socket' should be undefined first due to lwIP's
+ lwip_socket() macro.
+
+ - In curl_addrinfo.c lwIP's getaddrinfo() + freeaddrinfo() macros need
+ special handling because they were undef'ed in memdebug.h.
+
+ - In select.c we can't use preprocessor conditionals inside select if
+ MSVC and select is a macro, as it is with lwIP.
+
+ http://curl.haxx.se/mail/lib-2015-12/0023.html
+ http://curl.haxx.se/mail/lib-2015-12/0024.html
-- RELEASE-NOTES: synced with c005790ff1c0a
+Patrick Monnerat (7 Dec 2015)
+- os400: define CURL_VERSION_PSL in ILE/RPG binding
-- [Daniel Melani brought this change]
+Jay Satiro (7 Dec 2015)
+- [Gisle Vanem brought this change]
- openssl: typo in comment
+ version: Add flag CURL_VERSION_PSL for libpsl
-Jay Satiro (27 May 2015)
-- openssl: Use TLS_client_method for OpenSSL 1.1.0+
+- formdata: Check if length is too large for memory
- SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The
- equivalent is TLS_client_method.
+ - If the size of the length type (curl_off_t) is greater than the size
+ of the size_t type then check before allocating memory to make sure the
+ value of length will fit in a size_t without overflow. If it doesn't
+ then return CURLE_BAD_FUNCTION_ARGUMENT.
- https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557
+ Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
+ Reported-by: Steve Holme
-Daniel Stenberg (26 May 2015)
-- FAQ: How do I port libcurl to my OS?
+Steve Holme (3 Dec 2015)
+- tests: Corrected copy and pasted comments from commit e643c5c908
-Jay Satiro (25 May 2015)
-- CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
-
- Document that if Set-Cookie is used without a domain then the cookie is
- sent for any domain and will not be modified.
+Daniel Stenberg (3 Dec 2015)
+- curl: remove keepalive #ifdef checks done on libcurl's behalf
- Bug: http://curl.haxx.se/mail/lib-2015-05/0137.html
- Reported-by: Alexander Dyagilev
-
-Daniel Stenberg (25 May 2015)
-- [Tatsuhiro Tsujikawa brought this change]
+ They didn't match the ifdef logic used within libcurl anyway so they
+ could indeed warn for the wrong case - plus the tool cannot know how the
+ lib actually performs at that level.
- http2: Copy data passed in Curl_http2_switched into HTTP/2 connection buffer
-
- Previously, after seeing upgrade to HTTP/2, we feed data followed by
- upgrade response headers directly to nghttp2_session_mem_recv() in
- Curl_http2_switched(). But it turns out that passed buffer, mem, is
- part of stream->mem, and callbacks called by
- nghttp2_session_mem_recv() will write stream specific data into
- stream->mem, overwriting input data. This will corrupt input, and
- most likely frame length error is detected by nghttp2 library. The
- fix is first copy the passed data to HTTP/2 connection buffer,
- httpc->inbuf, and call nghttp2_session_mem_recv().
+Steve Holme (2 Dec 2015)
+- test947: Corrected typo in test name
-Jay Satiro (24 May 2015)
-- CURLOPT_COOKIE.3: Explain that the cookies won't be modified
+- tests: Disable the OAUTHBEARER tests when using a non-default port number
- The CURLOPT_COOKIE doc says it "sets the cookie header explicitly in the
- outgoing request(s)." However there seems to be some user confusion
- about cookie modification. Document that the cookies set by this option
- are not modified by the cookie engine.
+ Tests 842, 843, 844, 845, 887, 888, 889, 890, 946, 947, 948 and 949 fail
+ if a custom port number is specified via the -b option of runtests.pl.
- Bug: http://curl.haxx.se/mail/lib-2015-05/0115.html
- Reported-by: Alexander Dyagilev
-
-- CURLOPT_COOKIELIST.3: Add example
+ Suggested by: Kamil Dudka
+ Bug: http://curl.haxx.se/mail/lib-2015-12/0003.html
-Dan Fandrich (24 May 2015)
-- testcurl.pl: use rel2abs to make the source directory absolute
+Daniel Stenberg (2 Dec 2015)
+- bump: towards next release
- This function makes a platform-specific absolute path which uses
- backslashes on Windows. This form works when passing it on the
- command-line, as well as if the source is on another drive.
+ for all we know now, it might be called 7.46.1
-- conncache: fixed memory leak on OOM (torture tests)
+Version 7.46.0 (1 Dec 2015)
-Daniel Stenberg (24 May 2015)
-- perl: remove subdir, not touched in 9 years
+Daniel Stenberg (1 Dec 2015)
+- RELEASE-NOTES: updated contributor count for 7.46.0
-- log2changes.pl: moved to scripts/
+- THANKS: new contributors from the 7.46.0 release
-- [Alessandro Ghedini brought this change]
+- THANKS-filter: single Tim Rühsen spelling
- scripts: add zsh.pl for generating zsh completion
+- docs/examples: gitignore some more built examples
-Dan Fandrich (23 May 2015)
-- test1510: another flaky test
+- RELEASE-NOTES; this bug was never released
-Daniel Stenberg (22 May 2015)
-- security: fix "Unchecked return value" from sscanf()
-
- By (void) prefixing it and adding a comment. Did some minor related
- cleanups.
-
- Coverity CID 1299423.
+- RELEASE-NOTES: synced with e55f15454efacb0
-- security: simplify choose_mech
-
- Coverity CID 1299424 identified dead code because of checks that could
- never equal true (if the mechanism's name was NULL).
-
- Simplified the function by removing a level of pointers and removing the
- loop and array that weren't used.
+- [Flavio Medeiros brought this change]
-- RTSP: catch attempted unsupported requests better
-
- Replace use of assert with code that properly catches bad input at
- run-time even in non-debug builds.
+ Curl_read_plain: clean up ifdefs that break statements
- This flaw was sort of detected by Coverity CID 1299425 which claimed the
- "case RTSPREQ_NONE" was dead code.
+ Closes #546
-- share_init: fix OOM crash
-
- A failed calloc() would lead to NULL pointer use.
-
- Coverity CID 1299427.
+- http2: convert some verbose output into debug-only output
-- parse_proxy: switch off tunneling if non-HTTP proxy
-
- non-HTTP proxy implies not using CURLOPT_HTTPPROXYTUNNEL
+- http2 push: add missing inits of new stream
- Bug: http://curl.haxx.se/mail/lib-2015-05/0056.html
- Reported-by: Sean Boudreau
+ - set the correct stream_id for pushed streams
+ - init maxdownload and size properly
-- curl: fix potential NULL dereference
+- http2 push: set weight for new stream
- Coverity CID 1299428: Dereference after null check (FORWARD_NULL)
+ give the new stream the old one's stream_weight internally to avoid
+ sending a PRIORITY frame unless asked for it
-- http2: on_frame_recv: return early on stream 0
+- curl_setup.h: undef freeaddrinfo in c-ares block to fix build
- Coverity CID 1299426 warned about possible NULL dereference otherwise,
- but that would only ever happen if we get invalid HTTP/2 data with
- frames for stream 0. Avoid this risk by returning early when stream 0 is
- used.
+ Fixes warnings 78c25c854a added.
-- http: removed self assignment
+- nonblock: fix setting non-blocking mode for Amiga
- Follow-up fix from b0143a2a33f0
+ IoctlSocket() apparently wants a pointer to a long, passed as a char *
+ in its third parameter. This bug was introduced already back in commit
+ c5fdeef41d from October 1 2001!
- Detected by coverity. CID 1299429
-
-- [Tatsuhiro Tsujikawa brought this change]
+ Bug: http://curl.haxx.se/mail/lib-2015-11/0088.html
+ Reported-by: Norbert Kett
- http2: Make HTTP Upgrade work
+- zsh install: fix DESTDIR support
- This commit just add implicitly opened stream 1 to streams hash.
+ Reported-by: Mohammad AlSaleh
-Jay Satiro (22 May 2015)
-- strerror: Change SEC_E_ILLEGAL_MESSAGE description
-
- Prior to this change the description for SEC_E_ILLEGAL_MESSAGE was OS
- and language specific, and invariably translated to something not very
- helpful like: "The message received was unexpected or badly formatted."
-
- Bug: https://github.com/bagder/curl/issues/267
- Reported-by: Michael Osipov
+Dan Fandrich (27 Nov 2015)
+- lib: Only define curl_dofreeaddrinfo if struct addrinfo is available
-- telnet: Fix read-callback change for Windows builds
+Steve Holme (27 Nov 2015)
+- tool_paramhlp: Fixed display of URL index in password prompt for --next
- Refer to b0143a2 for more information on the read-callback change.
-
-Daniel Stenberg (21 May 2015)
-- CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy!
+ Commit f3bae6ed73 added the URL index to the password prompt when using
+ --next. Unfortunately, because the size_t specifier (%zu) is not
+ supported by all sprintf() implementations we use the curl_off_t format
+ specifier instead. The display of an incorrect value arises on platforms
+ where size_t and curl_off_t are of a different size.
-Dan Fandrich (21 May 2015)
-- testcurl.pl: allow source to be in an arbitrary directory
+Daniel Stenberg (25 Nov 2015)
+- timecond: do not add if-modified-since without timecondition
- This way, the build directory can be located on an entirely different
- filesystem from the source code (e.g. a tmpfs).
-
-Daniel Stenberg (20 May 2015)
-- read_callback: move to SessionHandle from connectdata
+ The RTSP code path didn't skip adding the if-modified-since for certain
+ RTSP code paths, even if CURLOPT_TIMECONDITION was set to
+ CURL_TIMECOND_NONE.
- With many easy handles using the same connection for multiplexing, it is
- important we store and keep the transfer-oriented stuff in the
- SessionHandle so that callbacks and callback data work fine even when
- many easy handles share the same physical connection.
-
-- http2: show stream IDs in decimal
+ Also, an unknown non-zero CURLOPT_TIMECONDITION value no longer equals
+ CURL_TIMECOND_IFMODSINCE.
- It makes them easier to match output from the nghttpd test server.
+ Bug: http://stackoverflow.com/questions/33903982/curl-timecond-none-doesnt-work-how-to-remove-if-modified-since-header
-- [Tatsuhiro Tsujikawa brought this change]
+- RELEASE-NOTES: synced with 99d17a5e2ba77e58
- http2: Faster http2 upload
+- examples/README: cut out the incomplete list
- Previously, when we send all given buffer in data_source_callback, we
- return NGHTTP2_ERR_DEFERRED, and nghttp2 library removes this stream
- temporarily for writing. This itself is good. If this is the sole
- stream in the session, nghttp2_session_want_write() returns zero,
- which means that libcurl does not check writeability of the underlying
- socket. This leads to very slow upload, because it seems curl only
- upload 16k something per 1 second. To fix this, if we still have data
- to send, call nghttp2_session_resume_data after nghttp2_session_send.
- This makes nghttp2_session_want_write() returns nonzero (if connection
- window still opens), and as a result, socket writeability is checked,
- and upload speed becomes normal.
-
-- [Dmitry Eremin-Solenikov brought this change]
+ ... and add a generic explanation for them instead. Each example file
+ should contain its own description these days.
- gtls: don't fail on non-fatal alerts during handshake
-
- Stop curl from failing when non-fatal alert is received during
- handshake. This e.g. fixes lots of problems when working with https
- sites through proxies.
+- test1513: make sure the callback is only called once
-- curl_easy_unescape.3: update RFC reference
-
- Reported-by: bsammon
- Bug: https://github.com/bagder/curl/issues/282
+- [Daniel Shahaf brought this change]
-Jay Satiro (20 May 2015)
-- CURLOPT_POSTFIELDS.3: Mention curl_easy_escape
-
- .. also correct some variable naming in curl_easy_escape.3
+ build: Install zsh completion
- Bug: https://github.com/bagder/curl/issues/281
- Reported-by: bsammon@users.noreply.github.com
-
-Daniel Stenberg (19 May 2015)
-- [Brian Prodoehl brought this change]
+ Fixes #534
+ Closes #537
- openssl: Use SSL_CTX_set_msg_callback and SSL_CTX_set_msg_callback_arg
+- done: make sure the final progress update is made
- BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl
- and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and
- OpenSSL.
+ It would previously be skipped if an existing error was returned, but
+ would lead to a previous value being left there and later used.
+ CURLINFO_TOTAL_TIME for example.
- re #275
-
-Jay Satiro (19 May 2015)
-- curl.1: fix missing space in section --data
-
-Daniel Stenberg (19 May 2015)
-- transfer: remove erroneous and misleading comment
-
-Kamil Dudka (19 May 2015)
-- http: silence compile-time warnings without USE_NGHTTP2
+ Still it avoids that final progress update if we reached DONE as the
+ result of a callback abort to avoid another callback to be called after
+ an abort-by-callback.
- Error: CLANG_WARNING:
- lib/http.c:173:16: warning: Value stored to 'http' during its initialization is never read
+ Reported-by: Lukas Ruzicka
- Error: COMPILER_WARNING:
- lib/http.c: scope_hint: In function ‘http_disconnect’
- lib/http.c:173:16: warning: unused variable ‘http’ [-Wunused-variable]
+ Closes #538
-Jay Satiro (19 May 2015)
-- transfer: Replace __func__ instances with function name
-
- .. also make __func__ replacement in multi.
+- curl: expanded the -XHEAD warning text
- Prior to this change debug builds would fail to build if the compiler
- was building pre-c99 and didn't support __func__.
-
-Daniel Stenberg (19 May 2015)
-- [Viktor Szakats brought this change]
-
- build: bump version in default nghttp2 paths
-
-- INTERNALS: we require nghttp2 1.0.0+ now
-
-Jay Satiro (18 May 2015)
-- http: Add some include guards for the new HTTP/2 stuff
+ ... to also mention the specific options used.
-Daniel Stenberg (18 May 2015)
-- http2: store upload state per stream
+- Revert "cleanup: general removal of TODO (and similar) comments"
- Use a curl_off_t for upload left
-
-- http2: fix build when NOT h2-enabled
-
-- http2: switch to use Curl_hash_destroy()
+ This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a.
- as after 4883f7019d3, the *_clean() function only flushes the hash.
+ Feedback-by: Dan Fandrich
+ URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
-- curlver: restore LIBCURL_VERSION_NUM defined as a full number
+- CURLOPT_HEADERFUNCTION.3: fix typo
- As it breaks configure, curl-config and test 1023 if not.
-
-- [Anthony Avina brought this change]
-
- hostip: fix unintended destruction of hash table
+ Refer to _HEADERDATA not _WRITEDATA.
- .. and added unit1602 for hash.c
-
-- curlver: introducing new version number (checking) macros
-
-- runtests.pl: use 'h2c' now, no -14 anymore
+ Reported-by: Michał Piechowski
-- [Tatsuhiro Tsujikawa brought this change]
+- TODO: TCP Fast Open
- http2: Ignore if we have stream ID not in hash in on_stream_close
-
- We could get stream ID not in the hash in on_stream_close. For
- example, if we decided to reject stream (e.g., PUSH_PROMISE), then we
- don't create stream and store it in hash with its stream ID.
+Steve Holme (22 Nov 2015)
+- examples: Added website parse-able descriptions to the e-mail examples
-- [Tatsuhiro Tsujikawa brought this change]
+- TODO: Added another 'multi-interface' idea
- Require nghttp2 v1.0.0
-
- This commit requires nghttp2 v1.0.0 to compile, and migrate to v1.0.0,
- and utilize recent version of nghttp2 to simplify the code,
-
- First we use nghttp2_option_set_no_recv_client_magic function to
- detect nghttp2 v1.0.0. That function only exists since v1.0.0.
-
- Since nghttp2 v0.7.5, nghttp2 ensures header field ordering, and
- validates received header field. If it found error, RST_STREAM with
- PROTOCOL_ERROR is issued. Since we require v1.0.0, we can utilize
- this feature to simplify libcurl code. This commit does this.
+- smb.c: Fixed compilation warnings
- Migration from 0.7 series are done based on nghttp2 migration
- document. For libcurl, we removed the code sending first 24 bytes
- client magic. It is now done by nghttp2 library.
- on_invalid_frame_recv callback signature changed, and is updated
- accordingly.
+ smb.c:134:3: warning: conversion to 'short unsigned int' from 'int' may
+ alter its value
+ smb.c:146:42: warning: conversion to 'unsigned int' from 'long long
+ unsigned int' may alter its value
+ smb.c:146:65: warning: conversion to 'unsigned int' from 'long long
+ unsigned int' may alter its value
-- http2: infof length in on_frame_send()
+- schannel: Corrected copy/paste error in commit 8d17117683
-- pipeline: switch some code over to functions
+- schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
- ... to "compartmentalize" a bit and make it easier to change behavior
- when multiplexing is used instead of good old pipelining.
-
-- symbols-in-versions: add CURLOPT_PIPEWAIT
+ Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
-- CURLOPT_PIPEWAIT: added
+- examples: Fixed compilation warnings
- By setting this option to 1 libcurl will wait for a connection to reveal
- if it is possible to pipeline/multiplex on before it continues.
-
-- Curl_http_readwrite_headers: minor code simplification
-
-- IsPipeliningPossible: fixed for http2
-
-- http2: bump the h2 buffer size to 32K for speed
+ pop3-multi.c:96:5: warning: implicit declaration of function 'memset'
+ imap-multi.c:96:5: warning: implicit declaration of function 'memset'
+ http2-download.c:226:5: warning: implicit declaration of function 'memset'
+ http2-upload.c:290:5: warning: implicit declaration of function 'memset'
+ http2-upload.c:290:5: warning: implicit declaration of function 'memset'
-- http2: remove the stream from the hash in stream_close callback
+- Makefile.inc: Fixed test run error
- ... and suddenly things work much better!
+ test845 not present in tests/data/Makefile.inc
-- http2: if there is paused data, do not clear the drain field
+Daniel Stenberg (20 Nov 2015)
+- TODO: remove duplicated title
-- http2: rename s/data/pausedata
+- TODO: added two more libcurl ideas
+
+ Moved some ideas from "next major" to just ordinary ideas since we can
+ always add new things while keeping the old without doing a "next
+ major".
-- http2: "stream %x" in all outputs to make it easier to search for
+Steve Holme (20 Nov 2015)
+- tests: Re-enabled tests 889 and 890 following POP3 fix
-- http2: Curl_expire() all handles with incoming traffic
-
- ... so that they'll get handled next in the multi loop.
+- pop3: Differentiate between success and continuation responses
-- http2: don't signal settings change for same values
+- pop3: Added clarity on some server response codes
-- http2: set default concurrency, fix ConnectionExists for multiplex
+Daniel Stenberg (20 Nov 2015)
+- [Daniel Shahaf brought this change]
-- bundles: store no/default/pipeline/multiplex
-
- to allow code to act differently on the situation.
+ build: Fix theoretical infinite loops
- Also added some more info message for the connection re-use function to
- make it clearer when connections are not re-used.
-
-- http2: lazy init header_recvbuf
+ Add error-checking to 'cd' in a few cases where omitting the checks
+ might result in an infinite loop.
- It makes us use less memory when not doing HTTP/2 and subsequently also
- makes us not have to cleanup HTTP/2 related data when not using HTTP/2!
-
-- http2: separate multiplex/pipelining + cleanup memory leaks
-
-- CURLMOPT_PIPELINE: bit 1 is for multiplexing
-
-- [Tatsuhiro Tsujikawa brought this change]
+ Closes #535
- http2: Fix bug that data to be drained are overwritten by pending "paused" data
+Patrick Monnerat (19 Nov 2015)
+- curl.h: s/#defien/#define/
-- [Tatsuhiro Tsujikawa brought this change]
+- os400: synchronize ILE/RPG header file
- http2: Don't call nghttp2_session_mem_recv while it is paused by a stream
+- os400: Provide options for libssh2 use in compile scripts. Adjust README.
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (19 Nov 2015)
+- [danielsh@apache.org brought this change]
- http2: Read data left in connection buffer after pause
+ zsh completion: Preserve single quotes in output
+
+ When an option's help string contains literal single quotes, those
+ single quotes would be stripped from the option's description in the
+ completion output (unless the zsh RC_QUOTES option were set while the
+ completion function was being sourced, which is not the default). This
+ patch makes the completion output contain single quotes where the --help
+ output does.
- Previously when we do pause because of out of buffer, we just throw
- away unread data in connection buffer. This just broke protocol
- framing, and I saw occasional FRAME_SIZE_ERROR. This commit fix this
- issue by remembering how much data read, and in the next iteration, we
- process remaining data.
+ Closes #532
-- [Tatsuhiro Tsujikawa brought this change]
+Jay Satiro (18 Nov 2015)
+- [MaxGiting brought this change]
- http2: Fix streams get stuck
+ FAQ: Grammar changes
- This commit fixes the bug that streams get stuck if stream gets some
- DATA, and stream->closed becomes true at the same time. Previously,
- in this condition, after we processed DATA, we are going to try to
- read data from underlying transport, but there is no data, and gets
- EAGAIN. There was no code path to evaludate stream->closed.
-
-- http2: store incoming h2 SETTINGS
+ Closes https://github.com/bagder/curl/pull/533
-- pipeline: move function to pipeline.c and make static
+Daniel Stenberg (17 Nov 2015)
+- http2: http_done: don't free already-freed push headers
+
+ The push headers are freed after the push callback has been invoked,
+ meaning this code should only free the headers if the callback was never
+ invoked and thus the headers weren't freed at that time.
- ... as it was only used from there.
+ Reported-by: Davey Shafik
-- IsPipeliningPossible: http2 can always "pipeline" (multiplex)
+- [Anders Bakken brought this change]
-- http2: remove debug logging from on_frame_recv
+ getconnectinfo: Don't call recv(2) if socket == -1
+
+ Closes #528
-- http2: remove the closed check in http2_recv
+- CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
- With the "drained" functionality we can get here slightly asynchronously
- so the stream have have been closed but there is pending data left to
- read.
+ ... if there are more than one using the same name
-- http2: bump the h2 buffer to 8K
+- http2: minor comment typo
-- http2: Curl_read should not use the single buffer
-
- ... as it does for pipelining when we're multiplexing, as we need the
- different buffers to store incoming data correctly for all streams.
+- sasl; fix checksrc warnings
-- http2: more debug outputs
+Steve Holme (15 Nov 2015)
+- RELEASE-NOTES: Adjusted for the recent OAuth 2.0 activity
-- http2: leave WAITPERFORM when conn is multiplexed
+- tests: Disabled 889 and 890 until we support POP3 continuation responses
- No need to wait for our "spot" like for pipelining
-
-- http2: force "drainage" of streams
+ As POP3 final and continuation responses both begin with a + character,
+ and both the finalcode and contcode variables in SASLprotoc are set as
+ such, we cannot tell the difference between them when we are expecting
+ an optional continuation from the server such as the following:
+
+ + something else from the server
+ +OK final response
- ... which is necessary since the socket won't be readable but there is
- data waiting in the buffer.
+ Disabled these tests until such a time we can tell the responses apart.
-- http2: move the mem+len pair to the stream struct
+- tests: Corrected typos from commit ba4d8f7eba
-- http2: more stream-oriented data, stream ID 0 is for connections
+- tests: Added OAUTHBEARER failure response tests
-- http2: move lots of state data to the 'stream' struct
+- oauth2: Support OAUTHBEARER failures sent as continuation responses
- ... from the connection struct. The stream one being the 'struct HTTP'
- which is kept in the SessionHandle struct (easy handle).
+ According to RFC7628 a failure message may be sent by the server in a
+ base64 encoded JSON string as a continuation response.
- lookup streams for incoming frames in the stream hash, hashing is based
- on the stream id and we get the SessionHandle for the incoming stream
- that way.
-
-- HTTP: partial start at fixing up hash-lookups on http2 frame receival
-
-- http: a stream hash for h2 multiplexing
+ Currently only implemented for OAUTHBEARER and not XAUTH2.
-- http: a stream hash for h2 multiplexing
+Daniel Stenberg (15 Nov 2015)
+- RELEASE-NOTES: synced with 808a17ee675
-- http2: debug log when receiving unexpected stream_id
+Steve Holme (14 Nov 2015)
+- tests: Renamed existing OAuth 2.0 (XOAUTH) tests
-- http2: move stream_id to the HTTP struct (per-stream)
+- tests: Added OAuth 2.0 (OAUTHBEARER) tests
-- Curl_http2_setup: only do it once and enable multiplex on the server
+- oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
- Once we know we are HTTP/2 enabled we know the server can multiplex.
+ OAUTHBEARER is now the official "registered" SASL mechanism name for
+ OAuth 2.0. However, we don't want to drop support for XOAUTH2 as some
+ servers won't support the new mechanism yet.
-- http: switch on "pipelining" (multiplexing) for HTTP/2 servers
-
- ... and do not blacklist any.
+Daniel Stenberg (13 Nov 2015)
+- RELEASE-NOTES: recounted curl_easy_setopt() options
-- README.pipelining: removed
+- typecheck-gcc.h: add missing slist-using options
- All the details mentioned here are better documented in man pages
-
-Dan Fandrich (14 May 2015)
-- build: removed bundles.c from make files
+ CURLOPT_RESOLVE and CURLOPT_PROXYHEADER were missing
- This file was removed in commit fd137786
-
-Daniel Stenberg (14 May 2015)
-- Curl_conncache_add_conn: fix memory leak on OOM
-
-- CURLMOPT_MAX_HOST_CONNECTIONS: host = host name + port number
+ Also sorted the list.
-- conncache: keep bundles on host+port bases, not only host names
+- typecheck-gcc.h: added CURLOPT_CLOSESOCKETDATA
- Previously we counted all connections to a specific host name and that
- would be used for the CURLMOPT_MAX_HOST_CONNECTIONS check for example,
- while servers on different port numbers are normally considered
- different "origins" on the web and should thus be considered different
- hosts.
+ ... and sorted curl_is_cb_data_option alphabetically
-- bundles: merged into conncache.c
-
- All the existing Curl_bundle* functions were only ever used from within
- the conncache.c file, so I moved them over and made them static (and
- removed the Curl_ prefix).
+Jay Satiro (13 Nov 2015)
+- [Sebastian Pohlschmidt brought this change]
-- hostcache: made all host caches use structs, not pointers
+ openssl: Free modules on cleanup
- This avoids unnecessary dynamic allocs and as this also removed the last
- users of *hash_alloc() and *hash_destroy(), those two functions are now
- removed.
-
-- multi: converted socket hash into non-allocated struct
+ Curl_ossl_init calls OPENSSL_load_builtin_modules() but
+ Curl_ossl_cleanup doesn't make a call to free these modules.
- avoids extra dynamic allocation
+ Bug: https://github.com/bagder/curl/issues/526
-- connection cache: avoid Curl_hash_alloc()
+Steve Holme (13 Nov 2015)
+- symbols-in-versions: Added new CURLOPTTYPE_STRINGPOINT alias
- ... by using plain structs instead of pointers for the connection cache,
- we can avoid several dynamic allocations that weren't necessary.
-
-- proxy: add newline to info message
-
-Patrick Monnerat (8 May 2015)
-- FTP: fix dangling conn->ip_addr dereference on verbose EPSV.
-
-- FTP: Make EPSV use the control IP address rather than the original host.
- This ensures an alternate address is not used.
- Does not apply to proxy tunnel.
-
-Daniel Stenberg (8 May 2015)
-- [Alessandro Ghedini brought this change]
-
- tool_help: fix formatting for --next option
-
-- [Egon Eckert brought this change]
+ ...following commit aba281e762 to fix test 1119.
- opts: improved the TCP keepalive examples
+Daniel Stenberg (13 Nov 2015)
+- curl: mark two more options strings for --libcurl output
-Jay Satiro (8 May 2015)
-- winbuild: Document the option used to statically link the CRT
-
- - Document option RTLIBCFG (runtime library configuration).
+- typecheck-gcc.h: add some missing string types
- Bug: https://github.com/bagder/curl/issues/254
- Reported-by: Bert Huijben
-
-- [Orgad Shaneh brought this change]
+ Also sorted that list alphabetically
- netrc: Read in text mode when cygwin
+- curl.h: introducing the STRINGPOINT alias
- Use text mode when cygwin to eliminate trailing carriage returns.
+ As an alias for OBJECTPOINT. Provided to allow us to grep for all string
+ options easier.
+
+- cleanup: general removal of TODO (and similar) comments
- Bug: https://github.com/bagder/curl/pull/258
+ They tend to never get updated anyway so they're frequently inaccurate
+ and we never go back to revisit them anyway. We document issues to work
+ on properly in KNOWN_BUGS and TODO instead.
-Patrick Monnerat (5 May 2015)
-- OS400: Add SPNEGO service name options to ILE/RPG binding.
+- ftplistparser: remove empty function
-Daniel Stenberg (4 May 2015)
-- curl_multi_info_read.3: fix typo
-
- Reported-by: Liviu Chircu
+- openssl: remove #if check for 0.9.7 for ENGINE_load_private_key
-- MANUAL: language fix
+- openssl: all supported versions have X509_STORE_set_flags
- Reported-by: Fred Stluka
- Bug: https://github.com/bagder/curl/issues/255
+ Simplify by removing #ifdefs and macros
-- [Alessandro Ghedini brought this change]
+- openssl: remove 0.9.3 check
- gtls: properly retrieve certificate status
+- openssl: remove #ifdefs for < 0.9.5 support
- Also print the revocation reason if appropriate.
+ We only support >= 0.9.7
-- OpenSSL: conditional check for SSL3_RT_HEADER
-
- The symbol is fairly new.
-
- Reported-by: Kamil Dudka
+- lib/vtls/openssl: remove unused traces of yassl ifdefs
-- openssl: skip trace outputs for ssl_ver == 0
-
- The OpenSSL trace callback is wonderfully undocumented but given a
- journey in the source code, it seems the cases were ssl_ver is zero
- doesn't follow the same pattern and thus turned out confusing and
- misleading. For now, we skip doing any CURLINFO_TEXT logging on those
- but keep sending them as CURLINFO_SSL_DATA_OUT/IN.
-
- Also, I added direction to the text info and I edited some functions
- slightly.
+Dan Fandrich (12 Nov 2015)
+- [dfandrich brought this change]
+
+ unit1603: Demote hash mismatch failure to a warning
- Bug: https://github.com/bagder/curl/issues/219
- Reported-by: Jay Satiro, Ashish Shukla
+ The hashes can vary between architectures (e.g. Sparc differs from x86_64).
+ This is not a fatal problem but just reduces the coverage of these white-box
+ tests, as the assumptions about into which hash bucket each key falls are no
+ longer valid.
-Marc Hoersken (2 May 2015)
-- schannel.c: Small changes
+- [dfandrich brought this change]
-- schannel.c: Improve code path and readability
+ unit1603: Added unit tests for hash functions
-- schannel.c: Improve error and return code handling upon aa99a63f03
+- [dfandrich brought this change]
-- [Chris Araman brought this change]
+ unit1602: Fixed failure in torture test
- schannel: fix regression in schannel_recv
-
- https://github.com/bagder/curl/issues/244
+Steve Holme (12 Nov 2015)
+- sasl: Re-introduced XOAUTH2 in the default enabled authentication mechanism
- Commit 145c263 changed the behavior when Curl_read_plain returns
- CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED
- correctly.
-
-- Bug born in changes made several days ago 9a91e80.
+ Following the fix in commit d6d58dd558 it is necessary to re-introduce
+ XOAUTH2 in the default enabled authentication mechanism, which was
+ removed in commit 7b2012f262, otherwise users will have to specify
+ AUTH=XOAUTH2 in the URL.
- Commit: https://github.com/bagder/curl/commit/926cb9f
- Reported-by: Ray Satiro
-
-Daniel Stenberg (30 Apr 2015)
-- [Michael Osipov brought this change]
+ Note: OAuth 2.0 will only be used when the bearer is specified.
- configure: remove missing and make it autogenerate
-
- The missing file has not been autogenerated because a temporary fix was
- employed in acinclude.m4 which blocked update. Removed that fix and a recent
- version of missing is copied to build root.
+- [Stefan Bühler brought this change]
-- [Michael Osipov brought this change]
+ sasl_sspi: fix identity memory leak in digest authentication
- acinclude.m4: fix test for default CA cert bundle/path
-
- test(1) on HP-UX requires a single equals sign and fails with two.
- Let's use one and make every OS happy.
+- [Stefan Bühler brought this change]
-- CONTRIBUTING.md: remove the sourceforge mention
+ sasl_sspi: fixed unicode build for digest authentication
- Reported-By: Michael Osipov
+ Closes #525
-Dan Fandrich (30 Apr 2015)
-- http_negotiate_sspi: added missing data variable
+- oauth2: Re-factored OAuth 2.0 state variable
-Daniel Stenberg (30 Apr 2015)
-- [Michael Osipov brought this change]
+- sasl: Don't choose OAuth 2.0 if mechanism not advertised
+
+ Regression from commit 9e8ced9890 which meant if --oauth2-bearer was
+ specified but the SASL mechanism wasn't supported by the server then
+ the mechanism would be chosen.
- configure: remove --automake from libtoolize call
+Daniel Stenberg (12 Nov 2015)
+- runtests: more compact "System characteristics" output
- That option is not mentioned in the man page of libtoolize 2.4.4.19-fda4.
- Moveover, a comment in line 2623 says "--automake is for 1.5 compatibility".
+ - no point in repeating curl features that is already listed as features
+ from the curl -V output
- This option is redundant now.
+ - remove the port numbers/unix domain path from the output unless
+ verbose is used, as that is rarely interesting to users.
-- [Viktor Szakats brought this change]
+- runtests: rename conditional curl-features to $has_[name]
- build: update depedency versions, urls, example makefiles
+Steve Holme (11 Nov 2015)
+- oauth2: Introduced support for host and port details
- - update default versions of dependencies (except for rare/old platforms)
- - update urls
- - sync examples makefiles with main ones
- - remove line ending space
+ Added support to the OAuth 2.0 message function for host and port, in
+ order to accommodate the official OAUTHBEARER SASL mechanism which is
+ to be added shortly.
-- [Michael Osipov brought this change]
+- curl_setup.h: Removed duplicate CURL_DISABLE_RTSP when HTTP_ONLY defined
- configure: remove autogenerated files by autoconf
+- cmake: Add missing feature macros in config header (Part 2)
- * install-sh is always regenerated
- * mkinstalldirs was already redudant years ago. Automake uses install for
- that. See: http://lists.gnu.org/archive/html/automake/2007-03/msg00015.html
-
-- [Anders Bakken brought this change]
+ In addition to commit a215381c94 added the RTSP, RTMP and SMB protocols.
- curl_multi_add_handle: next is already NULL
+Daniel Stenberg (10 Nov 2015)
+- [Douglas Creager brought this change]
-Jay Satiro (30 Apr 2015)
-- schannel: Fix out of bounds array
-
- Bug born in changes made several days ago 9a91e80.
+ cmake: Add missing feature macros in config header
- Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html
- Reported-by: Brian Chrisman
-
-- docs/libcurl: gitignore libcurl-symbols.3
+ The curl_config.h file can be generated either from curl_config.h.cmake
+ or curl_config.h.in, depending on whether you're building using CMake or
+ the autotools. The CMake template header doesn't include entries for
+ all of the protocols that you can disable, which (I think) means that
+ you can't actually disable those protocols when building via CMake.
- Bug: http://curl.haxx.se/mail/lib-2015-04/0191.html
- Reported-by: Michael Osipov
+ Closes #523
-- [Viktor Szakats brought this change]
+- [Douglas Creager brought this change]
- lib/makefile.m32: add arch -m32/-m64 to LDFLAGS
+ BoringSSL: Work with stricter BIO_get_mem_data()
+
+ BoringSSL implements `BIO_get_mem_data` as a function, instead of a
+ macro, and expects the output pointer to be a `char **`. We have to add
+ an explicit cast to grab the pointer as a `const char **`.
- This fixes using a multi-target mingw distro to build curl .dll for the
- non-default target.
- (mirroring the same patch present in src/makefile.m32)
+ Closes #524
-Daniel Stenberg (29 Apr 2015)
-- RELEASE-NOTES: synced with cd39b944afc
+- http2: rectify the http2 version #if check
- I've not mentioned the bug fixes that were shipped in 7.42.1 from the
- 7_42 branch.
+ We need 1.0.0 or later. Also verified by configure.
-- THANKS: merged from the 7.42.1 release
+Steve Holme (9 Nov 2015)
+- oauth2: Don't use XAUTH2 in OAuth 2.0 function name
-- CURLOPT_HEADEROPT: default to separate
-
- Make the HTTP headers separated by default for improved security and
- reduced risk for information leakage.
+- oauth2: Don't use XOAUTH2 in OAuth 2.0 variables
+
+- oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments
- Bug: http://curl.haxx.se/docs/adv_20150429.html
- Reported-by: Yehezkel Horowitz, Oren Souroujon
+ When referring to OAuth 2.0 we should use the official name rather the
+ SASL mechanism name.