Changelog
-Version 7.32.0 (11 Aug 2013)
+Version 7.59.0 (13 Mar 2018)
-Daniel Stenberg (11 Aug 2013)
-- THANKS: added contributors from the 7.32.0 release notes
+Daniel Stenberg (13 Mar 2018)
+- release: 7.59.0
-- [Fabian Keil brought this change]
+Kamil Dudka (13 Mar 2018)
+- tests/.../spnego.py: fix identifier typo
+
+ Detected by Coverity Analysis:
+
+ Error: IDENTIFIER_TYPO:
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo:
+ * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code.
+ * Identifier "SupportedMech" is referenced elsewhere at least 4 times.
+ curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech".
+ curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech".
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function).
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"?
+
+ Closes #2379
- test1228: add 'HTTP proxy' to the keywords
+Daniel Stenberg (13 Mar 2018)
+- CURLOPT_COOKIEFILE.3: "-" as file name means stdin
+
+ Reported-by: Aron Bergman
+ Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html
+
+ [ci skip]
-- [Fabian Keil brought this change]
+- Revert "hostip: fix compiler warning: 'variable set but not used'"
+
+ This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248.
+
+ The assignment really needs to be there or we risk working with an
+ uninitialized pointer.
- tests: add keywords for a couple of FILE tests
+Michael Kaufmann (12 Mar 2018)
+- limit-rate: fix compiler warning
+
+ follow-up to 72a0f62
-- [Fabian Keil brought this change]
+Viktor Szakats (12 Mar 2018)
+- checksrc.pl: add -i and -m options
+
+ To sync it with changes made for the libssh2 project.
+ Also cleanup some whitespace.
- tests: add 'FAILURE' keywords to tests 1409 and 1410
+- curl-openssl.m4: fix spelling [ci skip]
-- [Fabian Keil brought this change]
+- FAQ: fix a broken URL [ci skip]
- tests: add keywords for a couple of HTTP tests
+Daniel Stenberg (12 Mar 2018)
+- http2: mark the connection for close on GOAWAY
+
+ ... don't consider it an error!
+
+ Assisted-by: Jay Satiro
+ Reported-by: Łukasz Domeradzki
+ Fixes #2365
+ Closes #2375
-- [Fabian Keil brought this change]
+- credits: Viktor prefers without accent
- tests: add keywords for a couple of FTP tests
+- openldap: white space changes, fixed up the copyright years
-- [Fabian Keil brought this change]
+- openldap: check ldap_get_attribute_ber() results for NULL before using
+
+ CVE-2018-1000121
+ Reported-by: Dario Weisser
+ Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
- test1511: consistently terminate headers with CRLF
+- FTP: reject path components with control codes
+
+ Refuse to operate when given path components featuring byte values lower
+ than 32.
+
+ Previously, inserting a %00 sequence early in the directory part when
+ using the 'singlecwd' ftp method could make curl write a zero byte
+ outside of the allocated buffer.
+
+ Test case 340 verifies.
+
+ CVE-2018-1000120
+ Reported-by: Duy Phan Thanh
+ Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
-- DISABLED: shut of test 1512 for now
+- readwrite: make sure excess reads don't go beyond buffer end
- It shows intermittent failures and I haven't been able to track them
- down yet. Disable this test for now.
+ CVE-2018-1000122
+ Bug: https://curl.haxx.se/docs/adv_2018-b047.html
+
+ Detected by OSS-fuzz
-- curl_multi_add_handle.3: ... that timer callback is for event-based
+- BUGS: updated link to security process
-- comments: remove old and wrong multi/easy interface statements
+- limit-rate: kick in even before "limit" data has been received
+
+ ... and make sure to avoid integer overflows with really large values.
+
+ Reported-by: 刘佩东
+ Fixes #2371
+ Closes #2373
-- curl_multi_add_handle.3: mention the CURLMOPT_TIMERFUNCTION use
+- docs/SECURITY.md -> docs/SECURITY-PROCESS.md
-- [John E. Malmberg brought this change]
+- SECURITY.md: call it the security process
- KNOWN_BUGS: 22 and 57 have been fixed and committed
+Michael Kaufmann (11 Mar 2018)
+- Curl_range: fix FTP-only and FILE-only builds
+
+ follow-up to e04417d
-- RELEASE-NOTES: synced with d20def20462e7
+- hostip: fix compiler warning: 'variable set but not used'
-- global dns cache: fix memory leak
+Daniel Stenberg (11 Mar 2018)
+- HTTP: allow "header;" to replace an internal header with a blank one
- The take down of the global dns cache didn't take CURLOPT_RESOLVE names
- into account.
+ Reported-by: Michael Kaufmann
+ Fixes #2357
+ Closes #2362
-- global dns cache: didn't work [regression]
+- http2: verbose output new MAX_CONCURRENT_STREAMS values
- CURLOPT_DNS_USE_GLOBAL_CACHE broke in commit c43127414d89ccb (been
- broken since the libcurl 7.29.0 release). While this option has been
- documented as deprecated for almost a decade and nobody even reported
- this bug, it should remain functional.
+ ... as it is interesting for many users.
+
+- SECURITY: distros' max embargo time is 14 days now
+
+Patrick Monnerat (8 Mar 2018)
+- curl tool: accept --compressed also if Brotli is enabled and zlib is not.
+
+Daniel Stenberg (5 Mar 2018)
+- THANKS + mailmap: remove duplicates, fixup full names
+
+- [sergii.kavunenko brought this change]
+
+ WolfSSL: adding TLSv1.3
- Added test case 1512 to verify
+ Closes #2349
+
+- RELEASE-NOTES/THANKS: synced with cc1d4c505
-Yang Tse (8 Aug 2013)
-- [John Malmberg brought this change]
+- [Richard Alcock brought this change]
- packages/vms: update VMS build files
+ winbuild: prefer documented zlib library names
+
+ Check for existence of import and static libraries with documented names
+ and use them if they do. Fallback to previous names.
+
+ According to
+ https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on
+ Windows, the names of the import library is "zdll.lib" and static
+ library is "zlib.lib".
+
+ closes #2354
+
+Marcel Raad (4 Mar 2018)
+- krb5: use nondeprecated functions
+
+ gss_seal/gss_unseal have been deprecated in favor of
+ gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first
+ version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June
+ 1996 already says "GSS_Wrap() (formerly GSS_Seal())" and
+ "GSS_Unwrap() (formerly GSS_Unseal())".
- VMS modified files either missing from a previous commit and changes
- to remove references to CVS repositories.
+ Use the nondeprecated functions to avoid deprecation warnings.
+
+ [1] https://tools.ietf.org/html/rfc2078
+ [2] https://tools.ietf.org/html/rfc1964
+
+ Closes https://github.com/curl/curl/pull/2356
+
+Daniel Stenberg (4 Mar 2018)
+- curl.1: mention how to add numerical IP addresses in NO_PROXY
+
+- CURLOPT_NOPROXY.3: mention how to list numerical IPv6 addresses
-Daniel Stenberg (8 Aug 2013)
-- FTP: renamed several local functions
+- NO_PROXY: fix for IPv6 numericals in the URL
- The previous naming scheme ftp_state_post_XXXX() wasn't really helpful
- as it wasn't always immediately after 'xxxx' and it wasn't easy to
- understand what it does based on such a name.
+ Added test 1265 that verifies.
- This new one is instead ftp_state_yyyy() where yyyy describes what it
- does or sends.
+ Reported-by: steelman on github
+ Fixes #2353
+ Closes #2355
-- mk-ca-bundle.1: don't install on make install
+- build: get CFLAGS (including -werror) used for examples and tests
- Since the mk-ca-bundle tool itself isn't installed with make install,
- there's no point in installing its documentation.
+ ... so that the CI and more detects compiler warnings/errors properly!
- Bug: http://curl.haxx.se/mail/lib-2013-08/0057.html
- Reported-by: Guenter Knauf
+ Closes #2337
-Yang Tse (7 Aug 2013)
-- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST
+Marcel Raad (3 Mar 2018)
+- curl_ctype: fix macro redefinition warnings
+
+ On MinGW and Cygwin, GCC and clang have been complaining about macro
+ redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this
+ by undefining the macros before redefining them as suggested in
+ https://github.com/curl/curl/pull/2269.
+
+ Suggested-by: Daniel Stenberg
-- [John Malmberg brought this change]
+Dan Fandrich (2 Mar 2018)
+- unit1307: proper cleanup on OOM to fix torture tests
- Building_vms_pcsi_kit
+Marcel Raad (28 Feb 2018)
+- unit1309: fix warning on Windows x64
- These are the files needed to build VMS distribution packages known as
- PCSI kits.
+ When targeting x64, MinGW-w64 complains about conversions between
+ 32-bit long and 64-bit pointers. Fix this by reusing the
+ GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic
+ from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST /
+ CURLX_INTEGER_TO_POINTER_CAST.
- Also minor update to the existing files, mainly to the documentation and
- file clean up code.
+ Closes https://github.com/curl/curl/pull/2341
-Daniel Stenberg (6 Aug 2013)
-- LIBCURL-STRUCTS: new document
+- travis: update compiler versions
- This is the first version of this new document, detailing the seven
- perhaps most important internal structs in libcurl source code:
+ Update clang to version 3.9 and GCC to version 6.
- 1.1 SessionHandle
- 1.2 connectdata
- 1.3 Curl_multi
- 1.4 Curl_handler
- 1.5 conncache
- 1.6 Curl_share
- 1.7 CookieInfo
+ Closes https://github.com/curl/curl/pull/2345
-- CONTRIBUTE: minor language polish
+Daniel Stenberg (26 Feb 2018)
+- docs/MANUAL: formfind.pl is not accessible on the site anymore
+
+ Fixes #2342
-- FTP: when EPSV gets a 229 but fails to connect, retry with PASV
+Jay Satiro (24 Feb 2018)
+- curl-openssl.m4: Fix version check for OpenSSL 1.1.1
- This is a regression as this logic used to work. It isn't clear when it
- broke, but I'm assuming in 7.28.0 when we went all-multi internally.
+ - Add OpenSSL 1.1.1 to the header/library version lists.
- This likely never worked with the multi interface. As the failed
- connection is detected once the multi state has reached DO_MORE, the
- Curl_do_more() function was now expanded somewhat so that the
- ftp_do_more() function can request to go "back" to the previous state
- when it makes another attempt - using PASV.
+ - Detect OpenSSL 1.1.1 library using its function ERR_clear_last_mark,
+ which was added in that version.
- Added test case 1233 to verify this fix. It has the little issue that it
- assumes no service is listening/accepting connections on port 1...
+ Prior to this change an erroneous header/library mismatch was caused by
+ lack of OpenSSL 1.1.1 detection. I tested using openssl-1.1.1-pre1.
+
+Viktor Szakats (23 Feb 2018)
+- lib655: silence compiler warning
- Reported-by: byte_bucket in the #curl IRC channel
+ Closes https://github.com/curl/curl/pull/2335
-Nick Zitzmann (5 Aug 2013)
-- md5: remove use of CommonCrypto-to-OpenSSL macros for the benefit of Leopard
+- spelling fixes
- For some reason, OS X 10.5's GCC suddenly stopped working correctly with
- macros that change MD5_Init etc. in the code to CC_MD5_Init etc., so I
- worked around this by removing use of the macros and inserting static
- functions that just call CommonCrypto's implementations of the functions
- instead.
+ Detected using the `codespell` tool.
+
+ Also contains one URL protocol upgrade.
+
+ Closes https://github.com/curl/curl/pull/2334
-Guenter Knauf (5 Aug 2013)
-- Simplify check for trusted certificates.
+Daniel Stenberg (24 Feb 2018)
+- projects/README: remove reference to dead IDN link/package
+
+ Reported-by: Stefan Kanthak and Rod Widdowson
- This changes the previous check for untrusted certs to a check for
- certs explicitely marked as trusted.
- The change is backward-compatible (tested with certdata.txt v1.80).
+ Fixes #2325
-Daniel Stenberg (5 Aug 2013)
-- configure: warn on bad env variable use, don't error
+Jay Satiro (23 Feb 2018)
+- [Rod Widdowson brought this change]
+
+ winbuild: Use macros for the names of some build utilities
+
+ - Add macros to the top of the makefile for rc and mt utilities so that
+ it is easier to change their locations.
- Use XC_CHECK_BUILD_FLAGS instead XC_CHECK_USER_FLAGS.
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html
+ Reported-by: Stefan Kanthak
+
+ Closes https://github.com/curl/curl/issues/2329
+
+Daniel Stenberg (23 Feb 2018)
+- TODO: remove "sha-256 digest", added in 2b5b37cb9109e7c2
-- Revert "configure: don't error out on variable confusions, just warn"
+- curl_share_setopt.3: connection cache is shared within multi handles
+
+Jay Satiro (22 Feb 2018)
+- [Rod Widdowson brought this change]
+
+ winbuild: Use CALL to run batch scripts
- This reverts commit 6b27703b5f525eccdc0a8409f51de8595c75132a.
+ Co-authored-by: Stefan Kanthak
+
+ Closes https://github.com/curl/curl/issues/2330
+ Closes https://github.com/curl/curl/pull/2331
+
+Patrick Monnerat (22 Feb 2018)
+- os400: add curl_resolver_start_callback type to ILE/RPG binding
-- formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used
+Daniel Stenberg (22 Feb 2018)
+- form.d: rephrased somewhat, added two example command lines
+
+Jay Satiro (21 Feb 2018)
+- [Francisco Sedano brought this change]
+
+ url: Add option CURLOPT_RESOLVER_START_FUNCTION
- The internal function that's used to detect known file extensions for
- the default Content-Type got the the wrong pointer passed in when
- CURLFORM_BUFFER + CURLFORM_BUFFERPTR were used. This had the effect that
- strlen() would be used which could lead to an out-of-bounds read (and
- thus segfault). In most cases it would only lead to it not finding or
- using the correct default content-type.
+ - Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that
+ will be called every time before a new resolve request is started
+ (ie before a host is resolved) with a pointer to backend-specific
+ resolver data. Currently this is only useful for ares.
- It also showed that test 554 and test 587 were testing for the
- previous/wrong behavior and now they're updated as well.
+ - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to
+ pass to the resolver start callback.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1262
- Reported-by: Konstantin Isakov
+ Closes https://github.com/curl/curl/pull/2311
-Guenter Knauf (4 Aug 2013)
-- Skip more untrusted certificates.
+- lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
+
+ - In keeping with the naming of our other connect timeout options rename
+ CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.
+
+ This change adds the _MS suffix since the option expects milliseconds.
+ This is more intuitive for our users since other connect timeout options
+ that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS,
+ CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS.
- Christian Heimes brought to our attention that the certdata.txt
- format has recently changed [1], causing ca-bundle.crt created
- with mk-ca-bundle.[pl|vbs] to include untrusted certs.
+ The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms.
- [1] http://lists.debian.org/debian-release/2012/11/msg00411.html
+ Follow-up to 2427d94 which added the lib and tool option yesterday.
+
+ Ref: https://github.com/curl/curl/pull/2260
+
+Patrick Monnerat (21 Feb 2018)
+- sasl: prefer PLAIN mechanism over LOGIN
+
+ SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says
+ PLAIN should be used instead if available.
+
+Daniel Stenberg (21 Feb 2018)
+- RELEASE-NOTES: synced with 2427d94c6
-Daniel Stenberg (4 Aug 2013)
-- configure: don't error out on variable confusions, just warn
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
+
+ url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT
+
+ - Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy
+ eyeball timeout value.
+
+ - Add new optval macro CURL_HET_DEFAULT to represent the default happy
+ eyeballs timeout value (currently 200 ms).
+
+ - Add new tool option --happy-eyeballs-timeout-ms to expose
+ CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the
+ other -timeout options in the tool expect seconds not milliseconds.
+
+ Closes https://github.com/curl/curl/pull/2260
-- configure: rephrase the notice in _XC_CHECK_VAR_*
+- hostip: fix 'potentially uninitialized variable' warning
- Instead of claiming it is an error, we call it a "note" to reduce the
- severity level. But the following text now says the [variable] "*should*
- only be used to specify"... instead of previously having said "may".
+ Follow-up to 50d1b33.
+
+ Caught by AppVeyor.
+
+Daniel Stenberg (20 Feb 2018)
+- TODO: warning if curl version is not in sync with libcurl version
-- multi: remove data->state.current_conn struct field
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
+
+ CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
+
+ This enables users to preresolve but still take advantage of happy
+ eyeballs and trying multiple addresses if some are not connecting.
- Not needed
+ Ref: https://github.com/curl/curl/pull/2260
-- multi: remove the one_easy struct field
+Daniel Stenberg (20 Feb 2018)
+- [Sergio Borghese brought this change]
+
+ examples/sftpuploadresume: resume upload via CURLOPT_APPEND
- Since the merge of SessionHandle with Curl_one_easy, this indirection
- isn't used anymore.
+ URL: https://curl.haxx.se/mail/lib-2018-02/0072.html
-- multi: rename all Curl_one_easy to SessionHandle
+- curl --version: show PSL if the run-time lib has it enabled
+
+ ... not of the #define was set at build-time!
-- multi: remove the multi_pos struct field
+- TODO: "Support in-memory certs/ca certs/keys"
- Since Curl_one_easy is really a SessionHandle now, this indirection
- doesn't exist anymore.
+ removed SSLKEYLOGFILE support (fixed)
+
+ removed "consider SSL patches" (outdated)
+
+ Closes #2310
+
+- CURLOPT_HEADER.3: clarify problems with different data sizes
+
+- test1556: verify >16KB headers to the header callback
-- multi: remove easy_handle struct field
+- header callback: don't chop headers into smaller pieces
- It isn't needed anymore
+ Reported-by: Guido Berhoerster
+ Fixes #2314
+ Closes #2316
-- multi: remove 'Curl_one_easy' struct, phase 1
+- test1154: verify that long HTTP headers get rejected
+
+- http: fix the max header length detection logic
- The motivation for having a separate struct that keep track of an easy
- handle when using the multi handle was removed when we switched to
- always using the multi interface internally. Now they were just two
- separate struct that was always allocated for each easy handle.
+ Previously, it would only check for max length if the existing alloc
+ buffer was to small to fit it, which often would make the header still
+ get used.
- This first step just moves the Curl_one_easy struct members into the
- SessionHandle struct and hides this somehow (== keeps the source code
- changes to a minimum) by defining Curl_one_easy to SessionHandle
+ Reported-by: Guido Berhoerster
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html
- The biggest changes in this commit are:
+ Closes #2315
+
+- CURLOPT_HEADERFUNCTION.3: fix typo from d939226813
- 1 - the linked list of easy handles had to be changed somewhat due
- to the new struct layout. This made the main linked list pointer
- get renamed to 'easyp' and there's also a new pointer to the last
- node, called easylp. It is no longer circular but ends with ->next
- pointing to NULL. New nodes are still added last.
+ Reported-by: Erik Johansson
+ Bug: https://github.com/curl/curl/commit/d9392268131c1b8d18dec3fa30e0bded833a5db7#commitcomment-27607495
+
+- CURLOPT_HEADERFUNCTION.3: mention folded headers
+
+- TODO: 1.1 Option to refuse usernames in URLs
- 2 - easy->state is now called easy->mstate to avoid name collision
+ Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas.
+
+- TODO: 1.7 Support HTTP/2 for HTTP(S) proxies
-Steve Holme (2 Aug 2013)
-- Revert "DOCS: Added IMAP URL example for listing new messages"
+- ssh: add two missing state names
+
+ The list of state names (used in debug builds) was out of sync in
+ relation to the list of states (used in all builds).
+
+ I now added an assert to make sure the sizes of the two lists match, to
+ aid in detecting this mistake better in the future.
- This reverts commit 82ab5f1b0c7c3f as this was the wrong place to
- document the complexity of IMAP URLs and Custom Requests.
+ Regression since c92d2e14cf, shipped in 7.58.0.
+
+ Reported-by: Somnath Kundu
+
+ Fixes #2312
+ Closes #2313
-- DOCS: Added IMAP URL example for listing new messages
+- Revert "KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy"
- In addition to listing the folder contents, in the URL examples, added
- an example to list the new messages waiting in the user's inbox.
+ This reverts commit de9fac00c40db321d44fa6fbab6eb62ec4c83998.
+
+ Reported-by: Jay Satiro
-Yang Tse (1 Aug 2013)
-- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST
+Jay Satiro (15 Feb 2018)
+- non-ascii: fix implicit declaration warning
+
+ Follow-up to b46cfbc.
+
+ Caught by Travis CI.
-- [John Malmberg brought this change]
+Daniel Stenberg (15 Feb 2018)
+- travis: add build with iconv enabled
+
+ ... to verify it builds and works fine.
+
+ Ref: https://curl.haxx.se/mail/lib-2017-09/0031.html
+
+ Closes #1872
- Add in the files needed to build libcurl shared images on VMS.
+- TODO: 18.18 retry on network is unreachable
- Update the packages/vms/readme file to be current.
+ Closes #1603
+
+- KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy
- Also some files for the GNV based build were either missing or needed an
- update.
+ Closes #1254
+
+Kamil Dudka (15 Feb 2018)
+- nss: use PK11_CreateManagedGenericObject() if available
- curl_crtl_init.c is a special file that is run before main() to
- set up the proper C runtime behavior.
+ ... so that the memory allocated by applications using libcurl does not
+ grow per each TLS connection.
- generate_vax_transfer.com generates the VAX transfer vector modules from
- the gnv_libcurl_symbols.opt file.
+ Bug: https://bugzilla.redhat.com/1510247
- gnv_conftest.c_first is a helper file needed for configure scripts to
- come up with the expected answers on VMS.
+ Closes #2297
+
+Daniel Stenberg (15 Feb 2018)
+- [Björn Stenberg brought this change]
+
+ TODO fixed: Detect when called from within callbacks
- gnv_libcurl_symbols.opt is the public symbols for the libcurl shared
- image.
+ Closes #2302
+
+- BINDINGS: fix curb link (and remove ruby-curl-multi)
- gnv_link_curl.com builds the shared libcurl image and rebuilds other
- programs to use it.
+ Reported-by: Klaus Stein
+
+- curl_gssapi: make sure this file too uses our *printf()
+
+- libcurl-security.3: separate file:// section
- macro32_exactcase.patch is a hack to make a local copy of the VMS Macro32
- assembler case sensitive, which is needed to build the VAX transfer modules.
+ ... just to make it more apparent. Even if it repeats
+ some pieces of information.
+
+- libcurl-security.3: the http://192.168.0.1/my_router_config case
- report_openssl_version.c is a tool for help verify that the libcurl
- shared image is being built for a minium version of openssl.
+ Mentioned-By: Rich Moore
+
+- libcurl-security.3: mention the URL standards problems too
-- curl: second follow-up for commit 5af2bfb9
+- libcurl-security.3: split out from libcurl-tutorial.3
+
+ To make more accessible.
+
+ Merged in some new language from "URLs are dangerous things" as discussed on
+ the mailing list a few days ago:
- Display progress-bar unconditionally on first call
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0013.html
-- curl: follow-up for commit 5af2bfb9
+- RELEASE-NOTES: synced with e551910f8
+
+Patrick Monnerat (13 Feb 2018)
+- tests: new tests for http raw mode
+
+ Test 319 checks proper raw mode data with non-chunked gzip
+ transfer-encoded server data.
+ Test 326 checks raw mode with chunked server data.
- Use tvnow() and tvdiff() to avoid introducing new linkage issues
+ Bug: #2303
+ Closes #2308
-Daniel Stenberg (31 Jul 2013)
-- curl: --progress-bar max update frequency now at 5Hz
+Kamil Dudka (12 Feb 2018)
+- tlsauthtype.d: works only if libcurl is built with TLS-SRP support
+
+ Bug: https://bugzilla.redhat.com/1542256
+
+ Closes #2306
-- curl: make --progress-bar update the line less frequently
+Patrick Monnerat (12 Feb 2018)
+- smtp: fix processing of initial dot in data
- Also, use memset() instead of a lame loop.
+ RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command
+ should be taken into account when chasing the <CRLF>.<CRLF> end marker.
+ Thus a leading dot character in data is also subject to escaping.
- The previous logic that tried to avoid too many updates were very
- ineffective for really fast transfers, as then it could easily end up
- doing hundreds of updates per second that would make a significant
- impact in transfer performance!
+ Tests 911 and test server are adapted to this situation.
+ New tests 951 and 952 check proper handling of initial dot in data.
- Bug: http://curl.haxx.se/mail/archive-2013-07/0031.html
- Reported-by: Marc Doughty
+ Closes #2304
-Nick Zitzmann (30 Jul 2013)
-- darwinssl: added LFs to some strings passed into infof()
+Daniel Stenberg (12 Feb 2018)
+- sha256: avoid redefine
+
+- [Douglas Mencken brought this change]
+
+ sha256: build with OpenSSL < 0.9.8 too
- (This doesn't need to appear in the release notes.) I noticed a few places
- where infof() was called, and there should've been an LF at the end of the
- string, but there wasn't.
+ support for SHA-2 was introduced in OpenSSL 0.9.8
+
+ Closes #2305
+
+- [Bruno Grasselli brought this change]
-- darwinssl: fix build error in crypto authentication under Snow Leopard
+ README: language fix
- It turns out Snow Leopard not only has SecItemCopyMatching() defined in
- a header not included by the omnibus header, but it won't work for our
- purposes, because searching for SecIdentityRef objects wasn't added
- to that API until Lion. So we now use the old SecKeychainSearch API
- instead if the user is building under, or running under, Snow Leopard.
+ s/off/from
- Bug: http://sourceforge.net/p/curl/bugs/1255/
- Reported by: Edward Rudd
+ Closes #2300
-- md5 & metalink: use better build macros on Apple operating systems
+Patrick Monnerat (12 Feb 2018)
+- http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING on
- Previously we used __MAC_10_X and __IPHONE_X to mark digest-generating
- code that was specific to OS X and iOS. Now we use
- __MAC_OS_X_VERSION_MAX_ALLOWED and __IPHONE_OS_VERSION_MAX_ALLOWED
- instead of those macros.
+ Bug: #2303
+ Reported-By: Henry Roeland
+
+Daniel Stenberg (9 Feb 2018)
+- get_posix_time: only check for overflows if they can happen!
+
+Michael Kaufmann (9 Feb 2018)
+- schannel: fix "no previous prototype" compiler warning
+
+Jay Satiro (9 Feb 2018)
+- [Mohammad AlSaleh brought this change]
+
+ content_encoding: Add "none" alias to "identity"
- Bug: http://sourceforge.net/p/curl/bugs/1255/
- Reported by: Edward Rudd
+ Some servers return a "content-encoding" header with a non-standard
+ "none" value.
+
+ Add "none" as an alias to "identity" as a work-around, to avoid
+ unrecognised content encoding type errors.
+
+ Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
+
+ Closes https://github.com/curl/curl/pull/2298
-Yang Tse (29 Jul 2013)
-- tool_operhlp.c: fix add_file_name_to_url() OOM handling
+Steve Holme (8 Feb 2018)
+- build-openssl.bat: Follow up to 648679ab8e to suppress copy/move output
-- tool_operate.c: fix brace placement for vi/emacs delimiter matching
+- build-openssl.bat: Fixed incorrect move if destination build folder exists
-- tool_operate.c: move <fabdef.h> header inclusion location
+Michael Kaufmann (8 Feb 2018)
+- schannel: fix compiler warnings
+
+ Closes #2296
-Daniel Stenberg (29 Jul 2013)
-- RELEASE-NOTES: synced with b5478a0e033e7
+Steve Holme (7 Feb 2018)
+- curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows
+
+ Windows 10.0.17061 SDK introduces support for Unix Domain Sockets.
+ Added the necessary include file to curl_addrinfo.c.
+
+ Note: The SDK (which is considered beta) has to be installed, VS 2017
+ project file has to be re-targeted for Windows 10.0.17061 and #define
+ enabled in config-win32.h.
+
+Patrick Monnerat (7 Feb 2018)
+- fnmatch: optimize processing of consecutive *s and ?s pattern characters
+
+ Reported-By: Daniel Stenberg
+ Fixes #2291
+ Closes #2293
-- curl_easy_pause: on unpause, trigger mulit-socket handling
+Steve Holme (6 Feb 2018)
+- build-openssl.bat/build-wolfssl.bat: Build platform is optional
- When the multi-socket API is used, we need the handle to be checked
- again when it gets unpaused.
+ Whilst the compiler parameter is mandatory, platform is optional as it
+ is automatically calculated by the :configure section.
- Bug: http://curl.haxx.se/mail/lib-2013-07/0239.html
- Reported-by: Justin Karneges
+ This partially reverts commit 6d62d2c55d.
-- [John E. Malmberg brought this change]
+Daniel Stenberg (6 Feb 2018)
+- [Patrick Schlangen brought this change]
+
+ openssl: Don't add verify locations when verifypeer==0
+
+ When peer verification is disabled, calling
+ SSL_CTX_load_verify_locations is not necessary. Only call it when
+ verification is enabled to save resources and increase performance.
+
+ Closes #2290
- curl_formadd: fix file upload on VMS
+Steve Holme (5 Feb 2018)
+- build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
- For the standard VMS text file formats, VMS needs to read the file to
- get the actual file size.
+ ...and not just the Community Edition.
+
+- build-openssl.bat: Extend VC15 support to include Enterprise and Professional
- For the standard VMS binary file formats, VMS needs a special format of
- fopen() call so that it stops reading at the logical end of file instead
- of at the end of the blocks allocated to the file.
+ ...and not just the Community Edition.
+
+Michael Kaufmann (5 Feb 2018)
+- time-cond: fix reading the file modification time on Windows
- I structured the patch this way as I was not sure about changing the
- structures or parameters to the routines, but would prefer to only call
- the stat() function once and pass the information to where the fopen()
- call is made.
+ On Windows, stat() may adjust the unix file time by a daylight saving time
+ offset. Avoid this by calling GetFileTime() instead.
- Bug: https://sourceforge.net/p/curl/bugs/758/
+ Fixes #2164
+ Closes #2204
-- formadd: CURLFORM_FILECONTENT wrongly rejected some option combos
+Daniel Stenberg (5 Feb 2018)
+- formdata: use the mime-content type function
- The code for CURLFORM_FILECONTENT had its check for duplicate options
- wrong so that it would reject CURLFORM_PTRNAME if used in combination
- with it (but not CURLFORM_COPYNAME)! The flags field used for this
- purpose cannot be interpreted that broadly.
+ Reduce code duplication by making Curl_mime_contenttype available and
+ used by the formdata function. This also makes the formdata function
+ recognize a set of more file extensions by default.
- Bug: http://curl.haxx.se/mail/lib-2013-07/0258.html
- Reported-by: Byrial Jensen
+ PR #2280 brought this to my attention.
+
+ Closes #2282
-Yang Tse (25 Jul 2013)
-- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST
+- getdate: return -1 for out of range
+
+ ...as that's how the function is documented to work.
+
+ Reported-by: Michael Kaufmann
+ Bug found in an autobuild with 32 bit time_t
+
+ Closes #2278
-- [John E. Malmberg brought this change]
+- [Ben Greear brought this change]
- VMS: intial set of files to allow building using GNV toolkit.
+ build: fix termios issue on android cross-compile
+
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0122.html
+ Signed-off-by: Ben Greear <greearb@candelatech.com>
-- string formatting: fix too many arguments for format
+- time_t-fixes: remove typecasts to 'long' for info.filetime
+
+ They're now wrong.
+
+ Reported-by: Michael Kaufmann
+
+ Closes #2277
-- string formatting: fix zero-length printf format string
+- curl_setup: move the precautionary define of SIZEOF_TIME_T
+
+ ... up to before it may be used for the TIME_T_MAX/MIN logic.
+
+ Reported-by: Michael Kaufmann
-- easy.c: curl_easy_getinfo() fix va_start/va_end matching
+- parsedate: s/#if/#ifdef
+
+ Reported-by: Michael Kaufmann
+ Bug: https://github.com/curl/curl/commit/1c39128d974666107fc6d9ea15f294036851f224#commitcomment-27246479
-- imap.c: imap_sendf() fix va_start/va_end matching
+Patrick Monnerat (31 Jan 2018)
+- fnmatch: pattern syntax can no longer fail
+
+ Whenever an expected pattern syntax rule cannot be matched, the
+ character starting the rule loses its special meaning and the parsing
+ is resumed:
+ - backslash at the end of pattern string matches itself.
+ - Error in [:keyword:] results in set containing :\[dekorwy.
+
+ Unit test 1307 updated for this new situation.
+
+ Closes #2273
-- string formatting: fix 15+ printf-style format strings
+- fnmatch: accept an alphanum to be followed by a non-alphanum in char set
+
+ Also be more tolerant about set pattern syntax.
+ Update unit test 1307 accordingly.
+
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html
-Patrick Monnerat (24 Jul 2013)
-- OS400: sync ILE/RPG binding with current curl.h
+- fnmatch: do not match the empty string with a character set
-Yang Tse (24 Jul 2013)
-- string formatting: fix 25+ printf-style format strings
+Jay Satiro (30 Jan 2018)
+- build: fix windows build methods for curl_ctype.c
+
+ - Fix winbuild and the VS project generator to treat curl_ctype.{c,h} as
+ curlx files since they are required by both src and lib.
+
+ Follow-up to 4272a0b which added curl_ctype.
-Daniel Stenberg (23 Jul 2013)
-- Makefile.am: use LDFLAGS as well when linking libcurl
+Daniel Stenberg (30 Jan 2018)
+- progress-bar.d: update to match implementation
- Linking on Solaris 10 x86 with Sun Studio 12 failed when we upgraded
- automake for the release builds.
+ ... since commit 993dd5651a6
- Bug: http://curl.haxx.se/bug/view.cgi?id=1217
- Reported-by: Dagobert Michelsen
+ Reported-by: Martin Dreher
+ Bug: https://github.com/curl/curl/pull/2242#issuecomment-361059228
+
+ Closes #2271
-- [Fabian Keil brought this change]
+- http2: set DEBUG_HTTP2 to enable more HTTP/2 logging
+
+ ... instead of doing it unconditionally in debug builds. It cluttered up
+ the output a little too much.
- url.c: Fix dot file path cleanup when using an HTTP proxy
+- [Max Dymond brought this change]
+
+ file: Check the return code from Curl_range and bail out on error
+
+- [Max Dymond brought this change]
+
+ Curl_range: add check to ensure "from <= to"
+
+- [Max Dymond brought this change]
+
+ Curl_range: commonize FTP and FILE range handling
- Previously the path was cleaned, but the URL wasn't properly updated.
+ Closes #2205
+
+- RELEASE-NOTES: synced with 811beab9f
+
+- curlver: next release will be 7.59.0
-- [Fabian Keil brought this change]
+- [Michał Janiszewski brought this change]
- tests: test1232 verifies dotdot removal from path with proxy
+ curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
+
+ Closes #2275
-- [Fabian Keil brought this change]
+- time: support > year 2038 time stamps for system with 32bit long
+
+ ... with the introduction of CURLOPT_TIMEVALUE_LARGE and
+ CURLINFO_FILETIME_T.
+
+ Fixes #2238
+ Closes #2264
- dotdot.c: Fix a RFC section number in a comment for Curl_dedotdotify()
+- curl_easy_reset: clear digest auth state
+
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0074.html
+ Reported-by: Ruurd Beerstra
+ Fixes #2255
+ Closes #2272
-- [John E. Malmberg brought this change]
+- [Adam Marcionek brought this change]
- build_vms.com: fix debug and float options
+ winbuild: make linker generate proper PDB
- In the reorganization of the build_vms.com the debug and float options
- were not fixed up correctly.
+ Link.exe requires /DEBUG to properly generate a full pdb file on release
+ builds.
+
+ Closes #2274
-- [John E. Malmberg brought this change]
+- curl: add --proxy-pinnedpubkey
+
+ To verify a proxy's public key. For when using HTTPS proxies.
+
+ Fixes #2192
+ Closes #2268
- curl: fix upload of a zip file in OpenVMS
+- configure: set PATH_SEPARATOR to colon for PATH w/o separator
- Two fixes:
+ The logic tries to figure out what the path separator in the $PATH
+ variable is, but if there's only one directory in the $PATH it
+ fails. This change make configure *guess* on colon instead of erroring
+ out, simply because that is probably the more common character.
- 1. Force output file format to be stream-lf so that partial downloads
- can be continued.
+ PATH_SEPARATOR can always be set by the user to override the guessing.
- This should have minor impact as if the file does not exist, it was
- created with stream-lf format. The only time this was an issue is if
- there was already an existing file with a different format.
+ (tricky bug to reproduce, as in my case for example the configure script
+ requires binaries in more than one directory so passing in a PATH with a
+ single dir fails.)
- 2. Fix file uploads are now fixed.
+ Reported-by: Earnestly on github
+ Fixes #2202
+ Closes #2265
+
+- curl_ctype: private is*() type macros and functions
- a. VMS binary files such as ZIP archives are now uploaded
- correctly.
+ ... since the libc provided one are locale dependent in a way we don't
+ want. Also, the "native" isalnum() (for example) works differently on
+ different platforms which caused test 1307 failures on macos only.
- b. VMS text files are read once to get the correct size
- and then converted to line-feed terminated records as
- they are read into curl.
+ Closes #2269
+
+Marcel Raad (29 Jan 2018)
+- build: open VC15 projects with VS 2017
- The default VMS text formats do not contain either line-feed or
- carriage-return terminated records. Those delimiters are added by the
- operating system file read calls if the application requests them.
+ Previously, they were opened with Visual Studio 2015 by default, which
+ cannot build them.
+
+Daniel Stenberg (29 Jan 2018)
+- RELEASE-NOTES: synced with 094647fca
+
+- TODO: UTF-8 filenames in Content-Disposition
- Bug: http://curl.haxx.se/bug/view.cgi?id=496
+ Closes #1888
-Yang Tse (22 Jul 2013)
-- libtest: fix data type of some *_setopt() 'long' arguments
+- KNOWN_BUGS: DICT responses show the underlying protocol
+
+ Closes #1809
-- curl: fix symbolic names for CURL_NETRC_* enum in --libcurl output
+Jay Satiro (27 Jan 2018)
+- [Alessandro Ghedini brought this change]
-- curl: fix symbolic names for CURLUSESSL_* enum in --libcurl output
+ docs: fix typos in man pages
+
+ Closes https://github.com/curl/curl/pull/2266
-- tool_operate.c: fix passing curl_easy_setopt long arg on some x64 ABIs
+Patrick Monnerat (26 Jan 2018)
+- lib555: drop text conversion and encode data as ascii codes
- We no longer pass our 'bool' data type variables nor constants as
- an argument to my_setopt(), instead we use proper 1L or 0L values.
+ If CURL_DOES_CONVERSION is enabled, uploaded LFs are mapped to CRLFs,
+ giving a result that is different from what is expected.
+ This commit avoids using CURLOPT_TRANSFERTEXT and directly encodes data
+ to upload in ascii.
- This also fixes macro used to pass string argument for CURLOPT_SSLCERT,
- CURLOPT_SSLKEY and CURLOPT_EGDSOCKET using my_setopt_str() instead of
- my_setopt().
+ Bug: https://github.com/curl/curl/pull/1872
+
+Daniel Stenberg (26 Jan 2018)
+- lib517: make variable static to avoid compiler warning
- This also casts enum or int argument data types to long when passed to
- my_setopt_enum().
+ ... with clang on macos
-Daniel Stenberg (21 Jul 2013)
-- curl_multi_wait: fix revents
+Patrick Monnerat (26 Jan 2018)
+- lib544: sync ascii code data with textual data
- Commit 6d30f8ebed34e7276 didn't work properly. First, it used the wrong
- array index, but this fix also:
+ Data mismatch caused test 545 to fail when character encoding
+ conversion is enabled.
- 1 - only does the copying if indeed there was any activity
+ Bug: https://github.com/curl/curl/pull/1872
+
+Daniel Stenberg (25 Jan 2018)
+- [Travis Burtrum brought this change]
+
+ GSKit: restore pinnedpubkey functionality
+
+ inadvertently removed in 283babfaf8d8f3bab9d3c63cea94eb0b84e79c37
- 2 - makes sure to properly translate between internal and external
- bitfields, which are not guaranteed to match
+ Closes #2263
+
+- [Dair Grant brought this change]
+
+ darwinssl: Don't import client certificates into Keychain on macOS
- Reported-by: Evgeny Turnaev
+ Closes #2085
-- RELEASE-NOTES: synced with d529f3882b9bca
+- configure: fix the check for unsigned time_t
+
+ Assign the time_t variable negative value and then check if it is
+ greater than zero, which will evaluate true for unsigned time_t but
+ false for signed time_t.
-- curl_easy_perform: gradually increase the delay time
+- parsedate: fix date parsing for systems with 32 bit long
+
+ Make curl_getdate() handle dates before 1970 as well (returning negative
+ values).
- Instead of going 50,100,150 etc millisecond delay time when nothing has
- been found to do or wait for, we now start lower and double each loop as
- in 4,8,16,32 etc.
+ Make test 517 test dates for 64 bit time_t.
- This lowers the minimum wait without sacrifizing the longer wait too
- much with unnecessary CPU cycles burnt.
+ This fixes bug (3) mentioned in #2238
+
+ Closes #2250
+
+- [McDonough, Tim brought this change]
+
+ openssl: fix pinned public key build error in FIPS mode
+
+ Here is a version that should work with all versions of openssl 0.9.7
+ through 1.1.0.
+
+ Links to the docs:
+ https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html
+ https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html
+
+ At the very bottom of the 1.1.0 documentation there is a history section
+ that states, " stack allocated EVP_MD_CTXs are no longer supported."
+
+ If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a
+ simple mapping can be used as described here:
+ https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes
+
+ Closes #2258
+
+- [Travis Burtrum brought this change]
+
+ SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5sum
+
+- [Travis Burtrum brought this change]
+
+ SChannel/WinSSL: Implement public key pinning
- Bug: http://curl.haxx.se/mail/lib-2013-07/0103.html
- Reported-by: Andreas Malzahn
+ Closes #1429
+
+- bump: towards 7.58.1
-- ftp_do_more: consider DO_MORE complete when server connects back
+- cookies: remove verbose "cookie size:" output
- In the case of an active connection when ftp_do_more() detects that the
- server has connected back, it must make sure to mark it as complete so
- that the multi_runsingle() function will detect this and move on to the
- next state.
+ It was once used for some debugging/verifying logic but should never have
+ ended up in git!
+
+- TODO: hardcode the "localhost" addresses
+
+- TODO: CURL_REFUSE_CLEARTEXT
- Bug: http://curl.haxx.se/mail/lib-2013-07/0115.html
- Reported-by: Clemens Gruber
+ An idea that popped up in discussions on twitter.
-Yang Tse (19 Jul 2013)
-- Makefile.b32: Borland makefile adjustments. Tested with BCC 5.5.1
+- progress-bar: don't use stderr explicitly, use bar->out
+
+ Reported-By: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/993dd5651a6c853bfe3870f6a69c7b329fa4e8ce#commitcomment-27070080
-- WIN32 MemoryTracking: require UNICODE for wide strdup code support
+GitHub (24 Jan 2018)
+- [Gisle Vanem brought this change]
-Daniel Stenberg (18 Jul 2013)
-- CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
+ Fixes for MSDOS etc.
- CURLOPT_XFERINFOFUNCTION is now the preferred progress callback function
- and CURLOPT_PROGRESSFUNCTION is considered deprecated.
+ djgpp do have 'mkdir(dir, mode)'. Other DOS-compilers does not
+ But djgpp seems the only choice for MSDOS anyway.
- This new callback uses pure 'curl_off_t' arguments to pass on full
- resolution sizes. It otherwise retains the same characteristics: the
- same call rate, the same meanings for the arguments and the return code
- is used the same way.
+ PellesC do have a 'F_OK' defined in it's <unistd.h>.
- The progressfunc.c example is updated to show how to use the new
- callback for newer libcurls while supporting the older one if built with
- an older libcurl or even built with a newer libcurl while running with
- an older.
+ Update year in Copyright.
+
+- [Gisle Vanem brought this change]
+
+ Fix small typo.
+
+Version 7.58.0 (23 Jan 2018)
+
+Daniel Stenberg (23 Jan 2018)
+- RELEASE: 7.58.0
+
+- [Gisle Vanem brought this change]
+
+ progress-bar: get screen width on windows
-Yang Tse (18 Jul 2013)
-- Reinstate "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage".
+- test1454: --connect-to with IPv6 address w/o IPv6 support!
+
+- CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support
- This reverts commit 7ed25cc, reinstating commit 8ec2cb5.
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0087.html
+ Reported-by: John Hascall
- As of 18-jul-2013 we still do have code in libcurl that makes use of these
- memory functions. Commit 8ec2cb5 comment still applies and is yet valid.
+ Closes #2257
+
+- docs: fix man page syntax to make test 1140 OK again
+
+- http: prevent custom Authorization headers in redirects
- These memory functions are solely used in Windows builds, so all related
- code is protected with '#ifdef WIN32' preprocessor conditional compilation
- directives.
+ ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
+ curl already handles Authorization headers created internally.
- Specifically, wcsdup() _wcsdup() are used when building a Windows target with
- UNICODE and USE_WINDOWS_SSPI preprocessor symbols defined. This is the case
- when building a Windows UNICODE target with Windows native SSL/TLS support
- enabled.
+ Note: this changes behavior slightly, for the sake of reducing mistakes.
- Realizing that wcsdup() _wcsdup() are used is a bit tricky given that usage
- of these is hidden behind _tcsdup() which is MS way of dealing with code
- that must tolerate UNICODE and non-UNICODE compilation. Additionally, MS
- header files and those compatible from other compilers use this preprocessor
- conditional compilation directive in order to select at compilation time
- whether 'wide' or 'ansi' MS API functions are used.
+ Added test 317 and 318 to verify.
- Without this code, Windows build targets with Windows native SSL/TLS support
- enabled and MemoryTracking support enabled misbehave in tracking memory usage,
- regardless of being a UNICODE enabled build or not.
+ Reported-by: Craig de Stigter
+ Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
-- xc-am-iface.m4: comments refinement
+- curl: progress bar refresh, get width using ioctl()
+
+ Get screen width from the environment variable COLUMNS first, if set. If
+ not, use ioctl(). If nether works, assume 79.
+
+ Closes #2242
+
+ The "refresh" is for the -# output when no total transfer size is
+ known. It will now only use a single updated line even for this case:
+
+ The "-=O=-" ship moves when data is transferred. The four flying
+ "hashes" move (on a sine wave) on each refresh, independent of data.
-- configure: fix 'subdir-objects' distclean related issue
+- RELEASE-NOTES: synced with bb0ffcc36
+
+- libcurl-env.3: first take
+
+- TODO: two possible name resolver improvements
+
+- [Kartik Mahajan brought this change]
+
+ http2: don't close connection when single transfer is stopped
- See XC_AMEND_DISTCLEAN comments for details.
+ Fixes #2237
+ Closes #2249
-Daniel Stenberg (18 Jul 2013)
-- [Evgeny Turnaev brought this change]
+- test558: fix for multissl builds
+
+ vtls.c:multissl_init() might do a curl_free() call so strip that out to
+ make this work with more builds. We just want to verify that
+ memorytracking works so skipping one line is no harm.
- curl_multi_wait: set revents for extra fds
+- examples/url2file.c: add missing curl_global_cleanup() call
- Pass back the revents that happened for the user-provided file
- descriptors.
+ Reported-by: XhstormR on github
+ Fixes #2245
-- [Ben Greear brought this change]
+- [Michael Gmelin brought this change]
- asyn-ares: Don't blank ares servers if none configured.
+ SSH: Fix state machine for ssh-agent authentication
- Best to just let c-ares use it's defaults if none are configured
- in (lib)curl.
+ In case an identity didn't match[0], the state machine would fail in
+ state SSH_AUTH_AGENT instead of progressing to the next identity in
+ ssh-agent. As a result, ssh-agent authentication only worked if the
+ identity required happened to be the first added to ssh-agent.
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ This was introduced as part of commit c4eb10e2f06fbd6cc904f1d78e4, which
+ stated that the "else" statement was required to prevent getting stuck
+ in state SSH_AUTH_AGENT. Given the state machine's logic and libssh2's
+ interface I couldn't see how this could happen or reproduce it and I
+ also couldn't find a more detailed description of the problem which
+ would explain a test case to reproduce the problem this was supposed to
+ fix.
+
+ [0] libssh2_agent_userauth returning LIBSSH2_ERROR_AUTHENTICATION_FAILED
+
+ Closes #2248
-- [Sergei Nikulov brought this change]
+- openssl: fix potential memory leak in SSLKEYLOGFILE logic
+
+ Coverity CID 1427646.
- cmake: Fix for MSVC2010 project generation
+- openssl: fix the libressl build again
- Fixed issue with static build for MSVC2010.
+ Follow-up to 84fcaa2e7. libressl does not have the API even if it says it is
+ late OpenSSL version...
- After some investigation I've discovered known issue
- http://public.kitware.com/Bug/view.php?id=11240 When .rc file is linked
- to static lib it fails with following linker error
+ Fixes #2246
+ Closes #2247
- LINK : warning LNK4068: /MACHINE not specified; defaulting to X86
- file.obj : fatal error LNK1112: module machine type 'x64' conflicts with
- target machine type 'X86'
+ Reported-by: jungle-boogie on github
+
+- unit1307: test many wildcards too
+
+- curl_fnmatch: only allow 5 '*' sections in a single pattern
- Fix add target property /MACHINE: for MSVC generation.
+ ... to avoid excessive recursive calls. The number 5 is totally
+ arbitrary and could be modified if someone has a good motivation.
+
+- ftp-wildcard: fix matching an empty string with "*[^a]"
- Also removed old workarounds - it caused errors during msvc build.
+ .... and avoid advancing the pointer to trigger an out of buffer read.
- Bug: http://curl.haxx.se/mail/lib-2013-07/0046.html
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251
+ Assisted-by: Max Dymond
-- mk-ca-bundle.1: point out certdata.txt format docs
+- SMB: fix numeric constant suffix and variable types
+
+ 1. don't use "ULL" suffix since unsupported in older MSVC
+ 2. use curl_off_t instead of custom long long ifdefs
+ 3. make get_posix_time() not do unaligned data access
+
+ Fixes #2211
+ Closes #2240
+ Reported-by: Chester Liu
-Yang Tse (16 Jul 2013)
-- slist.c: Curl_slist_append_nodup() OOM handling fix
+- [rouzier brought this change]
-Daniel Stenberg (16 Jul 2013)
-- test1414: FTP PORT download without SIZE support
+ CURLOPT_TCP_NODELAY.3: fix typo
+
+ Closes #2239
-Yang Tse (16 Jul 2013)
-- tests/Makefile.am: add configurehelp.pm to DISTCLEANFILES
+- smtp/pop3/imap_get_message: decrease the data length too...
+
+ Follow-up commit to 615edc1f73 which was incomplete.
+
+ Assisted-by: Max Dymond
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5206
-Patrick Monnerat (15 Jul 2013)
-- curl_slist_append(): fix error detection
+- openssl: enable SSLKEYLOGFILE support by default
+
+ Fixes #2210
+ Closes #2236
-- slist.c: fix indentation
+Patrick Monnerat (14 Jan 2018)
+- mime: clone mime tree upon easy handle duplication.
+
+ A mime tree attached to an easy handle using CURLOPT_MIMEPOST is
+ strongly bound to the handle: there is a pointer to the easy handle in
+ each item of the mime tree and following the parent pointer list
+ of mime items ends in a dummy part stored within the handle.
+
+ Because of this binding, a mime tree cannot be shared between different
+ easy handles, thus it needs to be cloned upon easy handle duplication.
+
+ There is no way for the caller to get the duplicated mime tree
+ handle: it is then set to be automatically destroyed upon freeing the
+ new easy handle.
+
+ New test 654 checks proper mime structure duplication/release.
+
+ Add a warning note in curl_mime_data_cb() documentation about sharing
+ user data between duplicated handles.
+
+ Closes #2235
-- OS400: new SSL backend GSKit
+- docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
-- OS400: add slist and certinfo EBCDIC support
+Daniel Stenberg (13 Jan 2018)
+- test395: HTTP with overflow Content-Length value
-- config-os400.h: enable system strdup(), strcmpi(), etc.
+- test394: verify abort of rubbish in Content-Length: value
-- x509asn1.c,x509asn1.h: new module to support ASN.1/X509 parsing & info extract
- Use from qssl backend
+- test393: verify --max-filesize with excessive Content-Length
+
+- HTTP: bail out on negative Content-Length: values
+
+ ... and make the max filesize check trigger if the value is too big.
+
+ Updates test 178.
+
+ Reported-by: Brad Spencer
+ Fixes #2212
+ Closes #2223
-- ssluse.c,sslgen.c,sslgen.h: move certinfo support to generic SSL
+Marcel Raad (13 Jan 2018)
+- [Dan Johnson brought this change]
-- Merge branch 'master' of github.com:bagder/curl
+ configure.ac: append extra linker flags instead of prepending them.
- Merge for resync
+ Link order should list libraries after the libraries that use them,
+ so when we're guessing that we might also need to add -ldl in order
+ to use -lssl, we should add -ldl after -lssl.
+
+ Closes https://github.com/curl/curl/pull/2234
-- slist.c, slist.h, cookie.c: new internal procedure Curl_slist_append_nodup()
+Daniel Stenberg (13 Jan 2018)
+- RELEASE-NOTES: synced with 6fa10c8fa
-Yang Tse (15 Jul 2013)
-- sslgen.c: fix Curl_rand() compiler warning
+Jay Satiro (13 Jan 2018)
+- setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values
+
+ Broken since f121575 (precedes 7.56.1).
- Use simple seeding method upon RANDOM_FILE seeding method failure.
+ Bug: https://github.com/curl/curl/issues/2225
+ Reported-by: cmfrolick@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/2227
-- sslgen.c: fix unreleased Curl_rand() infinite recursion
+Patrick Monnerat (13 Jan 2018)
+- setopt: reintroduce non-static Curl_vsetopt() for OS400 support
+
+ This also upgrades ILE/RPG bindings with latest setopt options.
+
+ Reported-By: jonrumsey on github
+ Fixes #2230
+ Closes #2233
-Daniel Stenberg (14 Jul 2013)
-- [Dave Reisner brought this change]
+Jay Satiro (11 Jan 2018)
+- [Zhouyihai Ding brought this change]
- src/tool: allow timeouts to accept decimal values
+ http2: fix incorrect trailer buffer size
+
+ Prior to this change the stored byte count of each trailer was
+ miscalculated and 1 less than required. It appears any trailer
+ after the first that was passed to Curl_client_write would be truncated
+ or corrupted as well as the size. Potentially the size of some
+ subsequent trailer could be erroneously extracted from the contents of
+ that trailer, and since that size is used by client write an
+ out-of-bounds read could occur and cause a crash or be otherwise
+ processed by client write.
- Implement wrappers around strtod to convert the user argument to a
- double with sane error checking. Use this to allow --max-time and
- --connect-timeout to accept decimal values instead of strictly integers.
+ The bug appears to have been born in 0761a51 (precedes 7.49.0).
- The manpage is updated to make mention of this feature and,
- additionally, forewarn that the actual timeout of the operation can
- vary in its precision (particularly as the value increases in its
- decimal precision).
+ Closes https://github.com/curl/curl/pull/2231
-- [Dave Reisner brought this change]
+- [Basuke Suzuki brought this change]
- curl.1: fix long line, found by checksrc.pl
+ easy: fix connection ownership in curl_easy_pause
+
+ Before calling Curl_client_chop_write(), change the owner of connection
+ to the current Curl_easy handle. This will fix the issue #2217.
+
+ Fixes https://github.com/curl/curl/issues/2217
+ Closes https://github.com/curl/curl/pull/2221
+
+Daniel Stenberg (9 Jan 2018)
+- [Dimitrios Apostolou brought this change]
+
+ system.h: Additionally check __LONG_MAX__ for defining curl_off_t
+
+ __SIZEOF_LONG__ was introduced in GCC 4.4, __LONG_MAX__ was introduced
+ in GCC 3.3.
+
+ Closes #2216
+
+- COPYING: it's 2018!
+
+- progress: calculate transfer speed on milliseconds if possible
+
+ to increase accuracy for quick transfers
+
+ Fixes #2200
+ Closes #2206
+
+Jay Satiro (7 Jan 2018)
+- scripts: allow all perl scripts to be run directly
+
+ - Enable execute permission (chmod +x)
+
+ - Change interpreter to /usr/bin/env perl
+
+ Closes https://github.com/curl/curl/pull/2222
+
+- mail-rcpt.d: fix short-text description
+
+- build: remove HAVE_LIMITS_H check
+
+ .. because limits.h presence isn't optional, it's required by C89.
+
+ Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2
+
+ Closes https://github.com/curl/curl/pull/2215
+
+- openssl: fix memory leak of SSLKEYLOGFILE filename
+
+ - Free the copy of SSLKEYLOGFILE env returned by curl_getenv during ossl
+ initialization.
+
+ Caught by ASAN.
+
+- Revert "curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX"
+
+ This reverts commit c97648b55080343bb371522bf4233e94a2a13a99.
+
+ SIZEOF_LONG should not be checked in system.h since that macro is only
+ defined when building libcurl.
+
+ Ref: https://github.com/curl/curl/pull/2186#issuecomment-354767080
+ Ref: https://gcc.gnu.org/onlinedocs/cpp/Common-Predefined-Macros.html
+
+Michael Kaufmann (30 Dec 2017)
+- test1554: improve the error handling
+
+- test1554: add global initialization and cleanup
+
+Daniel Stenberg (29 Dec 2017)
+- curl_version_info.3: call the argument 'age'
+
+ Reported-by: Pete Lomax
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0074.html
+
+Patrick Monnerat (27 Dec 2017)
+- [Mikalai Ananenka brought this change]
+
+ brotli: data at the end of content can be lost
+
+ Decoding loop implementation did not concern the case when all
+ received data is consumed by Brotli decoder and the size of decoded
+ data internally hold by Brotli decoder is greater than CURL_MAX_WRITE_SIZE.
+ For content with unencoded length greater than CURL_MAX_WRITE_SIZE this
+ can result in the loss of data at the end of content.
+
+ Closes #2194
+
+Jay Satiro (26 Dec 2017)
+- examples/cacertinmem: ignore cert-already-exists error
+
+ - Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE errors in the CTX callback
+ since it's possible the cert may have already been loaded by libcurl.
+
+ - Remove the EXAMPLE code in the CURLOPT_SSL_CTX_FUNCTION.3 doc.
+ Instead have it direct the reader to this cacertinmem.c example.
+
+ - Fix the CA certificate to use the right CA for example.com, Digicert.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0057.html
+ Reported-by: Thomas van Hesteren
+
+ Closes https://github.com/curl/curl/pull/2182
+
+- [Gisle Vanem brought this change]
+
+ tool_getparam: Support size modifiers for --max-filesize
+
+ - Move the size modifier detection code from limit-rate to its own
+ function so that it can also be used with max-filesize.
+
+ Size modifiers are the suffixes such as G (gigabyte), M (megabyte) etc.
+
+ For example --max-filesize 1G
+
+ Ref: https://curl.haxx.se/mail/archive-2017-12/0000.html
+
+ Closes https://github.com/curl/curl/pull/2179
+
+Steve Holme (22 Dec 2017)
+- build: Fixed incorrect script termination from commit ad1dc10e61
+
+- Makefile.vc: Added our standard copyright header
+
+- winbuild: Added support for VC15
+
+- build: Added Visual Studio 2017 project files
+
+- build-wolfssl.bat: Added support for VC15
+
+- build-openssl.bat: Added support for VC15
+
+Jay Satiro (22 Dec 2017)
+- [Dimitrios Apostolou brought this change]
+
+ curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX
+
+ Closes https://github.com/curl/curl/pull/2186
+
+- [Mattias Fornander brought this change]
+
+ examples/rtsp: fix error handling macros
+
+ Closes https://github.com/curl/curl/pull/2185
+
+Patrick Monnerat (20 Dec 2017)
+- curl_easy_reset: release mime-related data.
+
+ Move curl_mime_initpart() and curl_mime_cleanpart() calls to lower-level
+ functions dealing with UserDefined structure contents.
+ This avoids memory leakages on curl-generated part mime headers.
+ New test 2073 checks this using the cli tool --next option: it
+ triggers a valgrind error if bug is present.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0060.html
+ Reported-by: Martin Galvan
-- [Dave Reisner brought this change]
+- content_encoding: rework zlib_inflate
+
+ - When zlib version is < 1.2.0.4, process gzip trailer before considering
+ extra data as an error.
+ - Inflate with Z_BLOCK instead of Z_SYNC_FLUSH to maximize correct data
+ and minimize corrupt data output.
+ - Do not try to restart deflate decompression in raw mode if output has
+ started or if the leading data is not available anymore.
+ - New test 232 checks inflating raw-deflated content.
+
+ Closes #2068
+
+- brotli: allow compiling with version 0.6.0.
+
+ Some error codes were not yet defined in brotli 0.6.0: do not issue code
+ for them in this case.
- src/tool_paramhlp: try harder to catch negatives
+Daniel Stenberg (13 Dec 2017)
+- CURLOPT_READFUNCTION.3: refer to argument with correct name
- strto* functions happily chomp off leading whitespace, so simply
- checking for str[0] can lead to false negatives. Do the full parse and
- check the out value instead.
+ Bug: #2175
+
+ [ci skip]
-- [John E. Malmberg brought this change]
+- rand: add a clang-analyzer work-around
+
+ scan-build would warn on a potential access of an uninitialized
+ buffer. I deem it a false positive and had to add this somewhat ugly
+ work-around to silence it.
- build_vms.com: detect and use zlib shared image
+- krb5: fix a potential access of uninitialized memory
- Update the build_vms.com to detect and use zlib shared image installed
- by the ZLIB kit produced by Jean-Francois Pieronne, and the also the
- future ZLIB 1.2.8 kit in addition to the older ZLIB kits.
+ A scan-build warning.
+
+- conncache: fix a return code [regression]
- Also fix the indentation to match one of the common standards used for
- VMS DCL command files and removed the hard tab characters.
+ This broke in 07cb27c98e. Make sure to return 'result' properly. Pointed
+ out by scan-build!
+
+- curl: support >256 bytes warning messsages
- Tested on OpenVMS 8.4 Alpha and IA64, and OpenVMS 7.3 VAX.
+ Bug: #2174
-Yang Tse (14 Jul 2013)
-- url.c: fix parse_url_login() OOM handling
+Michael Kaufmann (12 Dec 2017)
+- libssh: fix a syntax error in configure.ac
+
+ Follow-up to c92d2e1
+
+ Closes #2172
-- http_digest.c: SIGSEGV and OOM handling fixes
+Daniel Stenberg (12 Dec 2017)
+- examples/smtp-mail.c: use separate defines for options and mail
+
+ ... to make it clearer that the options want address-only, while the
+ headers in an email can also have the real name.
+
+ Assisted-by: Sean MacLennan
-- url.c: fix parse_login_details() OOM handling
+- THANKS: added missing names
+
+ ... as I reran the contrithanks script after the mailmap name fixups.
-- [John E. Malmberg brought this change]
+- mailmap: added/clarified several names
- setup-vms.h: sk_pop symbol tweak
+- setopt: less *or equal* than INT_MAX/1000 should be fine
+
+ ... for the CURLOPT_TIMEOUT, CURLOPT_CONNECTTIMEOUT and
+ CURLOPT_SERVER_RESPONSE_TIMEOUT range checks.
- Newer versions of curl are referencing a sk_pop symbol while the HP
- OpenSSL library has the symbol in uppercase only.
+ Reported-by: Dominik Hölzl
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0037.html
+
+ Closes #2173
-- getinfo.c: fix enumerated type mixed with another type
+- [Dmitry Kostjuchenko brought this change]
-- test 1511: fix enumerated type mixed with another type
+ vtls: replaced getenv() with curl_getenv()
+
+ Fixed undefined symbol of getenv() which does not exist when compiling
+ for Windows 10 App (CURL_WINDOWS_APP). Replaced getenv() with
+ curl_getenv() which is aware of getenv() absence when CURL_WINDOWS_APP
+ is defined.
+
+ Closes #2171
+
+- RELEASE-NOTES: synced with 3b9ea70ee
+
+- TODO: Expose tried IP addresses that failed
+
+ Suggested-by: Rainer Canavan
+
+ Closes #2126
+
+- curl.1: mention http:// and https:// as valid proxy prefixes
+
+- curl.1: documented two missing valid exit codes
+
+- CURLOPT_DNS_LOCAL_IP4.3: fixed the seel also to not self-reference
-- url.c: fix SIGSEGV
+- Revert "curl: don't set CURLOPT_INTERLEAVEDATA"
+
+ This reverts commit 9ffad8eb1329bb35c8988115ac7ed85cf91ef955.
+
+ It was actually added rather recently in 8e8afa82cbb629 due to a crash
+ that would otherwise happen in the RTSP code. As I don't think we've
+ fixed that behavior yet, we better keep this work-around until we have
+ fixed it better.
+
+Michael Kaufmann (10 Dec 2017)
+- tests: mark data files as non-executable in git
+
+- tests: update .gitignore for libtests
+
+Daniel Stenberg (10 Dec 2017)
+- multi_done: prune DNS cache
+
+ Prune the DNS cache immediately after the dns entry is unlocked in
+ multi_done. Timed out entries will then get discarded in a more orderly
+ fashion.
+
+ Test506 is updated
+
+ Reported-by: Oleg Pudeyev
+
+ Fixes #2169
+ Closes #2170
-- dotdot.c: fix global declaration shadowing
+- mailmap: fixup two old git Author "aliases"
-- easy.c: fix global declaration shadowing
+Jay Satiro (10 Dec 2017)
+- openssl: Disable file buffering for Win32 SSLKEYLOGFILE
+
+ Prior to this change SSLKEYLOGFILE used line buffering on WIN32 just
+ like it does for other platforms. However, the Windows CRT does not
+ actually support line buffering (_IOLBF) and will use full buffering
+ (_IOFBF) instead. We can't use full buffering because multiple processes
+ may be writing to the file and that could lead to corruption, and since
+ full buffering is the only buffering available this commit disables
+ buffering for Windows SSLKEYLOGFILE entirely (_IONBF).
+
+ Ref: https://github.com/curl/curl/pull/1346#issuecomment-350530901
-Kamil Dudka (9 Jul 2013)
-- Revert "curl.1: document the --time-cond option in the man page"
+Daniel Stenberg (10 Dec 2017)
+- RESOLVE: output verbose text when trying to set a duplicate name
- This reverts commit 3a0e931fc715a80004958794a96b12cf90503f99 because
- the documentation of --time-cond was duplicated by mistake.
+ ... to help users understand what is or isn't done!
+
+- CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
+
+- [John DeHelian brought this change]
+
+ sftp: allow quoted commands to use relative paths
- Reported by: Dave Reisner
+ Closes #1900
-- curl.1: document the --sasl-ir option in the man page
+Jay Satiro (8 Dec 2017)
+- [Richard Alcock brought this change]
-- curl.1: document the --post303 option in the man page
+ CURLOPT_PRIVATE.3: fix grammar
+
+ - Change "never does nothing" double-negative to "never does anything".
+
+ Closes https://github.com/curl/curl/pull/2168
-- curl.1: document the --time-cond option in the man page
+Daniel Stenberg (8 Dec 2017)
+- curl: remove __EMX__ #ifdefs
+
+ These are OS/2-specific things added to the code in the year 2000. They
+ were always ugly. If there's any user left, they still don't need it
+ done this way.
+
+ Closes #2166
-Yang Tse (9 Jul 2013)
-- configure: automake 1.14 compatibility tweak (use XC_AUTOMAKE)
+Jay Satiro (8 Dec 2017)
+- openssl: improve data-pending check for https proxy
+
+ - Allow proxy_ssl to be checked for pending data even when connssl does
+ not yet have an SSL handle.
+
+ This change is for posterity. Currently there doesn't seem to be a code
+ path that will cause a pending data check when proxyssl could have
+ pending data and the connssl handle doesn't yet exist [1].
+
+ [1]: Recall that an https proxy connection starts out in connssl but if
+ the destination is also https then the proxy SSL backend data is moved
+ from connssl to proxyssl, which means connssl handle is temporarily
+ empty until an SSL handle for the destination can be created.
+
+ Ref: https://github.com/curl/curl/commit/f4a6238#commitcomment-24396542
+
+ Closes https://github.com/curl/curl/pull/1916
-- xc-am-iface.m4: provide XC_AUTOMAKE macro
+Daniel Stenberg (8 Dec 2017)
+- curl: don't set CURLOPT_INTERLEAVEDATA
+
+ That data is only ever used by the CURLOPT_INTERLEAVEFUNCTION callback
+ and that option isn't set or used by the curl tool!
+
+ Updates the 9 tests that verify --libcurl
+
+ Closes #2167
+
+- curl.h: remove incorrect comment about ERRORBUFFER
+
+ ... error messages are _not_ sent to stderr if this is not set.
-Guenter Knauf (8 Jul 2013)
-- Added winssl-zlib target to VC builds.
+- [Michael Felt brought this change]
-- Synced Makefile.vc6 with recent changes.
+ configure: add AX_CODE_COVERAGE only if using gcc
- Issue posted to the list by malinowsky AT FTW DOT at.
+ Fixes #2076
+ Closes #2125
-- Added libmetalink URL; added Android versions.
+- curl: limit -# update frequency for unknown total size
+
+ Make it use a max 10Hz update frequency for this case as well. Return
+ early if the "point" hasn't moved since last invoke.
+
+ Reported-by: Elliot Saba
+
+ Fixes #2158
+ Closes #2163
-Dan Fandrich (3 Jul 2013)
-- examples: Moved usercertinmem.c to COMPLICATED_EXAMPLES
+- BINDINGS: another PostgreSQL client
- This prevents it from being built during a "make check" since it
- depends on OpenSSL.
+ ...the former link is dead.
+
+ Reported-by: Frank Gevaerts
-Nick Zitzmann (2 Jul 2013)
-- Merge branch 'master' of https://github.com/bagder/curl
+- [Zachary Seguin brought this change]
-- darwinssl: SSLv2 connections are aborted if unsupported by the OS
+ CONNECT: keep close connection flag in http_connect_state struct
- I just noticed that OS X no longer supports SSLv2. Other TLS engines return
- an error if the requested protocol isn't supported by the underlying
- engine, so we do that now for SSLv2 if the framework returns an error
- when trying to turn on SSLv2 support. (Note: As always, SSLv2 support is
- only enabled in curl when starting the app with the -2 argument; it's off
- by default. SSLv2 is really old and insecure.)
+ Fixes #2088
+ Closes #2157
-Marc Hoersken (1 Jul 2013)
-- lib506.c: Fixed possible use of uninitialized variables
+- [Per Malmberg brought this change]
-Kamil Dudka (30 Jun 2013)
-- url: restore the functionality of 'curl -u :'
+ include: get netinet/in.h before linux/tcp.h
- This commit fixes a regression introduced in
- fddb7b44a79d78e05043e1c97e069308b6b85f79.
+ ... to allow build on older Linux dists (specifically CentOS 4.8 on gcc
+ 4.8.5)
- Reported by: Markus Moeller
- Bug: http://curl.haxx.se/mail/archive-2013-06/0052.html
+ Closes #2160
+
+- openldap: fix checksrc nits
-Daniel Stenberg (25 Jun 2013)
-- digest: append the timer to the random for the nonce
+- [Stepan Broz brought this change]
-- digest: improve nonce generation
+ openldap: add commented out debug possibilities
- Use the new improved Curl_rand() to generate better random nonce for
- Digest auth.
+ ... to aid debugging openldap library using its built-in debug messages.
+
+ Closes #2159
-- curl.1: fix typo in --xattr description
+- examples: move threaded-shared-conn.c to the "complicated" ones
- Bug: http://curl.haxx.se/bug/view.cgi?id=1252
- Reported-by: Jean-Noël Rouvignac
+ ... due it relying on pthreads to link.
-- RELEASE-NOTES: synced with 365c5ba39591
+- RELEASE-NOTES: synced with b261c44e8
+
+ ... and bump next release version to 7.58.0
+
+- [Jan Ehrhardt brought this change]
+
+ URL: tolerate backslash after drive letter for FILE:
+
+ ... as in "file://c:\some\path\curl.out"
- The 10 first bug fixes for the pending release...
+ Reviewed-by: Matthew Kerwin
+ Closes #2154
-- formpost: better random boundaries
+- [Randall S. Becker brought this change]
+
+ tests: added netinet/in6.h includes in test servers
+
+- [Randall S. Becker brought this change]
+
+ configure: check for netinet/in6.h
+
+ Needed by HPE NonStop NSE and NSX systems
+
+ Fixes #2146
+ Closes #2155
+
+- curl-config: add --ssl-backends
+
+ Lists all SSL backends that were enabled at build-time.
+
+ Suggested-by: Oleg Pudeyev
+ Fixes #2128
+
+- conncache: only allow multiplexing within same multi handle
+
+ Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing
+ only get additional transfers added to them if the existing connection
+ is held by the same multi or easy handle. libcurl does not support doing
+ HTTP/2 streams in different threads using a shared connection.
+
+ Closes #2152
+
+- threaded-shared-conn.c: fixed typo in commenta
+
+- threaded-shared-conn.c: new example
+
+- conncache: fix several lock issues
+
+ If the lock is released before the dealings with the bundle is over, it may
+ have changed by another thread in the mean time.
+
+ Fixes #2132
+ Fixes #2151
+ Closes #2139
+
+- libssh: remove dead code in sftp_qoute
+
+ ... by removing a superfluous NULL pointer check that also confuses
+ Coverity.
+
+ Fixes #2143
+ Closes #2153
+
+- sasl_getmesssage: make sure we have a long enough string to pass
+
+ For pop3/imap/smtp, added test 891 to somewhat verify the pop3
+ case.
+
+ For this, I enhanced the pingpong test server to be able to send back
+ responses with LF-only instead of always using CRLF.
+
+ Closes #2150
+
+- libssh2: remove dead code from SSH_SFTP_QUOTE
+
+ Figured out while reviewing code in the libssh backend. The pointer was
+ checked for NULL after having been dereferenced, so we know it would
+ always equal true or it would've crashed.
+
+ Pointed-out-by: Nikos Mavrogiannopoulos
+
+ Bug #2143
+ Closes #2148
+
+- ssh-libssh.c: please checksrc
+
+Nikos Mavrogiannopoulos (4 Dec 2017)
+- libssh: fixed dereference in statvfs access
+
+ The behavior is now equivalent to ssh.c when SSH_SFTP_QUOTE_STATVFS
+ handling fails.
+
+ Fixes #2142
+
+Daniel Stenberg (4 Dec 2017)
+- [Guitared brought this change]
+
+ RESOURCES: update spec names
+
+ Closes #2145
+
+Nikos Mavrogiannopoulos (3 Dec 2017)
+- libssh: corrected use of sftp_statvfs() in SSH_SFTP_QUOTE_STATVFS
+
+ The previous code was incorrectly following the libssh2 error detection
+ for libssh2_sftp_statvfs, which is not correct for libssh's sftp_statvfs.
+
+ Fixes #2142
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- libssh: no need to call sftp_get_error as ssh_get_error is sufficient
+
+ Fixes #2141
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+Daniel Stenberg (2 Dec 2017)
+- libssh: fix minor static code analyzer nits
+
+ - remove superfluous NULL check which otherwise tricks the static code
+ analyzers to assume NULL pointer dereferences.
+
+ - fix fallthrough in switch()
+
+ - indent mistake
+
+- openssl: pkcs12 is supported by boringssl
+
+ Removes another #ifdef for BoringSSL
+
+ Pointed-out-by: David Benjamin
+
+ Closes #2134
+
+- [Jay Satiro brought this change]
+
+ travis: use pip2 instead of pip
+
+ .. since now mac osx image expects pip2 or pip3, and doesn't know pip:
+
+ 0.01s$ pip install --user cpp-coveralls
+ /Users/travis/.travis/job_stages: line 57: pip: command not found
+
+ Ref: https://github.com/travis-ci/travis-ci/issues/8829
+
+ Closes https://github.com/curl/curl/pull/2133
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ lib582: do not verify host for SFTP
+
+ This SFTP test fails with libssh back-end due to failure to verify
+ the peer. Disable peer verification in the test as there seems to
+ be the intention of the test.
+
+ Note that the libssh back-end automatically verifies the peer's
+ host using the default known_hosts file.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ libssh: added SFTP support
+
+ The SFTP back-end supports asynchronous reading only, limited
+ to 32-bit file length. Writing is synchronous with no other
+ limitations.
+
+ This also brings keyboard-interactive authentication.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ symbols-in-versions: added new symbols with 7.56.3 version
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ .travis.yml: added build --with-libssh
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ libssh2: return CURLE_UPLOAD_FAILED on failure to upload
+
+ This brings its in sync with the error code returned by the
+ libssh backend.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ libssh2: send the correct CURLE error code on scp file not found
+
+ That also updates tests to expect the right error code
+
+ libssh2 back-end returns CURLE_SSH error if the remote file
+ is not found. Expect instead CURLE_REMOTE_FILE_NOT_FOUND
+ which is sent by the libssh backend.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ Added support for libssh SSH SCP back-end
+
+ libssh is an alternative library to libssh2.
+ https://www.libssh.org/
+
+ That patch set also introduces support for ECDSA
+ ed25519 keys, as well as gssapi authentication.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+- RELEASE-NOTES: synced with af8cc7a69
+
+- curlver: towards 7.57.1
+
+- [W. Mark Kubacki brought this change]
+
+ lib: don't export all symbols, just everything curl_*
+
+ Absent any 'symbol map' or script to limit what gets exported, static
+ linking of libraries previously resulted in a libcurl with curl's and
+ those other symbols being (re-)exported.
+
+ This did not happen if 'versioned symbols' were enabled (which is not
+ the default) because then a version script is employed.
+
+ This limits exports to everything starting in 'curl_*'., which is
+ what "libcurl.vers" exports.
+
+ This avoids strange side-effects such as with mixing methods
+ from system libraries and those erroneously offered by libcurl.
+
+ Closes #2127
+
+- [Johannes Schindelin brought this change]
+
+ SSL: Avoid magic allocation of SSL backend specific data
+
+ Originally, my idea was to allocate the two structures (or more
+ precisely, the connectdata structure and the four SSL backend-specific
+ strucutres required for ssl[0..1] and proxy_ssl[0..1]) in one go, so
+ that they all could be free()d together.
+
+ However, getting the alignment right is tricky. Too tricky.
+
+ So let's just bite the bullet and allocate the SSL backend-specific
+ data separately.
+
+ As a consequence, we now have to be very careful to release the memory
+ allocated for the SSL backend-specific data whenever we release any
+ connectdata.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+ Closes #2119
+
+- examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
+
+ Reported-by: Dima Tisnek
+
+- travis: add boringssl build
+
+ Uses a separate build without --enable-debug and no valgrind.
+
+ The debug option causes far too many warnings in boringssl's headers
+ (C++ comments, trailing commas etc). Valgrind triggers some false
+ positive errors in thread-local data used by boringssl.
+
+ Closes #2118
+
+Version 7.57.0 (29 Nov 2017)
+
+Daniel Stenberg (29 Nov 2017)
+- RELEASE-NOTES: curl 7.57.0
+
+- THANKS: added contributors from 7.57.0 release
+
+- openssl: fix boringssl build again
+
+ commit d3ab7c5a21e broke the boringssl build since it doesn't have
+ RSA_flags(), so we disable that code block for boringssl builds.
+
+ Reported-by: W. Mark Kubacki
+ Fixes #2117
+
+- curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided
+
+- libcurl-share.3: the connection cache is shareable now
+
+- global_init: ignore CURL_GLOBAL_SSL's absense
+
+ This bit is no longer used. It is not clear what it meant for users to
+ "init the TLS" in a world with different TLS backends and since the
+ introduction of multissl, libcurl didn't properly work if inited without
+ this bit set.
+
+ Not a single user responded to the call for users of it:
+ https://curl.haxx.se/mail/lib-2017-11/0072.html
+
+ Reported-by: Evgeny Grin
+ Assisted-by: Jay Satiro
+
+ Fixes #2089
+ Fixes #2083
+ Closes #2107
+
+- ntlm: avoid integer overflow for malloc size
+
+ Reported-by: Alex Nichols
+ Assisted-by: Kamil Dudka and Max Dymond
- When doing multi-part formposts, libcurl used a pseudo-random value that
- was seeded with time(). This turns out to be bad for users who formpost
- data that is provided with users who then can guess how the boundary
- string will look like and then they can forge a different formpost part
- and trick the receiver.
+ CVE-2017-8816
- My advice to such implementors is (still even after this change) to not
- rely on the boundary strings being cryptographically strong. Fix your
- code and logic to not depend on them that much!
+ Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+
+- wildcardmatch: fix heap buffer overflow in setcharset
- I moved the Curl_rand() function into the sslgen.c source file now to be
- able to take advantage of the SSL library's random function if it
- provides one. If not, try to use the RANDOM_FILE for seeding and as a
- last resort keep the old logic, just modified to also add microseconds
- which makes it harder to properly guess the exact seed.
+ The code would previous read beyond the end of the pattern string if the
+ match pattern ends with an open bracket when the default pattern
+ matching function is used.
- The formboundary() function in formdata.c is now using 64 bit entropy
- for the boundary and therefore the string of dashes was reduced by 4
- letters and there are 16 hex digits following it. The total length is
- thus still the same.
+ Detected by OSS-Fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
- Bug: http://curl.haxx.se/bug/view.cgi?id=1251
- Reported-by: "Floris"
-
-- printf: make sure %x are treated unsigned
+ CVE-2017-8817
- When using %x, the number must be treated as unsigned as otherwise it
- would get sign-extended on for example 64bit machines and do wrong
- output. This problem showed when doing printf("%08x", 0xffeeddcc) on a
- 64bit host.
+ Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
-- tests: add test1395 to the tarball
+- [Jay Satiro brought this change]
-- SIGPIPE: don't use 'data' in sigpipe restore
+ url: fix alignment of ssl_backend_data struct
- Follow-up fix from 7d80ed64e43515.
+ - Align the array of ssl_backend_data on a max 32 byte boundary.
- The SessionHandle may not be around to use when we restore the sigpipe
- sighandler so we store the no_signal boolean in the local struct to know
- if/how to restore.
-
-- TODO: 1.8 Modified buffer size approach
+ 8 is likely to be ok but I went with 32 for posterity should one of
+ the ssl_backend_data structs change to contain a larger sized variable
+ in the future.
- Thoughts around buffer sizes and what might be possible to do...
-
-- c-ares: improve error message on failed resolve
+ Prior to this change (since dev 70f1db3, release 7.56) the connectdata
+ structure was undersized by 4 bytes in 32-bit builds with ssl enabled
+ because long long * was mistakenly used for alignment instead of
+ long long, with the intention being an 8 byte boundary. Also long long
+ may not be an available type.
- When the c-ares based resolver backend failed to resolve a name, it
- tried to show the name that failed from existing structs. This caused
- the wrong output and shown hostname when for example --interface
- [hostname] was used and that name resolving failed.
+ The undersized connectdata could lead to oob read/write past the end in
+ what was expected to be the last 4 bytes of the connection's secondary
+ socket https proxy ssl_backend_data struct (the secondary socket in a
+ connection is used by ftp, others?).
- Now we use the hostname used in the actual resolve attempt in the error
- message as well.
+ Closes https://github.com/curl/curl/issues/2093
- Bug: http://curl.haxx.se/bug/view.cgi?id=1191
- Reported-by: Kim Vandry
-
-- ossl_recv: check for an OpenSSL error, don't assume
+ CVE-2017-8818
- When we recently started to treat a zero return code from SSL_read() as
- an error we also got false positives - which primarily looks to be
- because the OpenSSL documentation is wrong and a zero return code is not
- at all an error case in many situations.
+ Bug: https://curl.haxx.se/docs/adv_2017-af0a.html
+
+- ssh: remove check for a NULL pointer (!)
- Now ossl_recv() will check with ERR_get_error() to see if there is a
- stored error and only then consider it to be a true error if SSL_read()
- returned zero.
+ With this check present, scan-build warns that we might dereference this
+ point in other places where it isn't first checked for NULL. Thus, if it
+ *can* be NULL we have a problem on a few places. However, this pointer
+ should not be possible to be NULL here so I remove the check and thus
+ also three different scan-build warnings.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1249
- Reported-by: Nach M. S.
- Patch-by: Nach M. S.
+ Closes #2111
+
+- [Matthew Kerwin brought this change]
+
+ test: add test for bad UNC/SMB path in file: URL
-Nick Zitzmann (22 Jun 2013)
-- Merge branch 'master' of https://github.com/bagder/curl
+- [Matthew Kerwin brought this change]
-- darwinssl: fix crash that started happening in Lion
+ test: add tests to ensure basic file: URLs
+
+- [Matthew Kerwin brought this change]
+
+ URL: update "file:" URL handling
- Something (a recent security update maybe?) changed in Lion, and now it
- has changed SSLCopyPeerTrust such that it may return noErr but also give
- us a null trust, which caught us off guard and caused an eventual crash.
+ * LOTS of comment updates
+ * explicit error for SMB shares (e.g. "file:////share/path/file")
+ * more strict handling of authority (i.e. "//localhost/")
+ * now accepts dodgy old "C:|" drive letters
+ * more precise handling of drive letters in and out of Windows
+ (especially recognising both "file:c:/" and "file:/c:/")
+
+ Closes #2110
-Daniel Stenberg (22 Jun 2013)
-- SIGPIPE: ignored while inside the library
+- metalink: fix memory-leak and NULL pointer dereference
- ... and restore the ordinary handling again when it returns. This is
- done for curl_easy_perform() and curl_easy_cleanup() only for now - and
- only when built to use OpenSSL as backend as this is the known culprit
- for the spurious SIGPIPEs people have received.
+ Reported by scan-build
- Bug: http://curl.haxx.se/bug/view.cgi?id=1180
- Reported by: Lluís Batlle i Rossell
+ Closes #2109
-- KNOWN_BUGS: #83 unable to load non-default openssl engines
+- [Alessandro Ghedini brought this change]
-- test1396: invoke the correct test tool!
+ connect: add support for new TCP Fast Open API on Linux
- This erroneously run unit test 1310 instead of 1396!
+ The new API added in Linux 4.11 only requires setting a socket option
+ before connecting, without the whole sento() machinery.
+
+ Notably, this makes it possible to use TFO with SSL connections on Linux
+ as well, without the need to mess around with OpenSSL (or whatever other
+ SSL library) internals.
+
+ Closes #2056
-Kamil Dudka (22 Jun 2013)
-- test1230: avoid using hard-wired port number
+- make: fix "make distclean"
- ... to prevent failure when a non-default -b option is given
+ Fixes #2097
+ Closes #2108
-- curl-config.in: replace tabs by spaces
+- RELEASE-NOTES: synced with 31f18d272
+
+Jay Satiro (23 Nov 2017)
+- connect: improve the bind error message
+
+ eg consider a non-existent interface eth8, curl --interface eth8
+
+ Before: curl: (45) Could not resolve host: eth8
+ After: curl: (45) Couldn't bind to 'eth8'
+
+ Bug: https://github.com/curl/curl/issues/2104
+ Reported-by: Alfonso Martone
-Nick Zitzmann (22 Jun 2013)
-- darwinssl: reform OS-specific #defines
+Daniel Stenberg (23 Nov 2017)
+- examples/rtsp: clear RANGE again after use
- This doesn't need to be in the release notes. I cleaned up a lot of the #if
- lines in the code to use MAC_OS_X_VERSION_MIN_REQUIRED and
- MAC_OS_X_VERSION_MAX_ALLOWED instead of checking for whether things like
- __MAC_10_6 or whatever were defined, because for some SDKs Apple has released
- they were defined out of place.
+ Fixes #2106
+ Reported-by: youngchopin on github
-Daniel Stenberg (22 Jun 2013)
-- [Alessandro Ghedini brought this change]
+- [Michael Kaufmann brought this change]
- docs: fix typo in curl_easy_getinfo manpage
+ test1264: verify URL with space in host name being rejected
-- dotdot: introducing dot file path cleanup
+- url: reject ASCII control characters and space in host names
+
+ Host names like "127.0.0.1 moo" would otherwise be accepted by some
+ getaddrinfo() implementations.
- RFC3986 details how a path part passed in as part of a URI should be
- "cleaned" from dot sequences before getting used. The described
- algorithm is now implemented in lib/dotdot.c with the accompanied test
- case in test 1395.
+ Updated test 1034 and 1035 accordingly.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1200
- Reported-by: Alex Vinnik
+ Fixes #2073
+ Closes #2092
-- bump: start working towards what most likely will become 7.32.0
+- Curl_open: fix OOM return error correctly
+
+ Closes #2098
-- THANKS: added 24 new contributors from the 7.31.0 release
+- http2: fix "Value stored to 'end' is never read" scan-build error
-Version 7.31.0 (22 Jun 2013)
+- http2: fix "Value stored to 'hdbuf' is never read" scan-build error
-Daniel Stenberg (22 Jun 2013)
-- RELEASE-NOTES: synced with 0de7249bb39a2 - 7.31.0
+- openssl: fix "Value stored to 'rc' is never read" scan-build error
-- unit1396: unit tests to verify curl_easy_(un)escape
+- mime: fix "Value stored to 'sz' is never read" scan-build error
-- Curl_urldecode: no peeking beyond end of input buffer
-
- Security problem: CVE-2013-2174
+- Curl_llist_remove: fix potential NULL pointer deref
- If a program would give a string like "%FF" to curl_easy_unescape() but
- ask for it to decode only the first byte, it would still parse and
- decode the full hex sequence. The function then not only read beyond the
- allowed buffer but it would also deduct the *unsigned* counter variable
- for how many more bytes there's left to read in the buffer by two,
- making the counter wrap. Continuing this, the function would go on
- reading beyond the buffer and soon writing beyond the allocated target
- buffer...
-
- Bug: http://curl.haxx.se/docs/adv_20130622.html
- Reported-by: Timo Sirainen
+ Fixes a scan-build warning.
-Guenter Knauf (20 Jun 2013)
-- Use opened body.out file and write content to it.
+- ntlm: remove unnecessary NULL-check to please scan-build
-Daniel Stenberg (20 Jun 2013)
-- multi_socket: react on socket close immediately
-
- As a remedy to the problem when a socket gets closed and a new one is
- opened with the same file descriptor number and as a result
- multi.c:singlesocket() doesn't detect the difference, the new function
- Curl_multi_closed() gets told when a socket is closed so that it can be
- removed from the socket hash. When the old one has been removed, a new
- socket should be detected fine by the singlesocket() on next invoke.
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1248
- Reported-by: Erik Johansson
+- BUGS: spellchecked
-- RELEASE-NOTES: synced with e305f5ec715f
+Jay Satiro (18 Nov 2017)
+- [fmmedeiros brought this change]
-- TODO: mention the DANE patch from March
+ examples/curlx: Fix code style
+
+ - Add braces around multi-line if statement.
+
+ Closes https://github.com/curl/curl/pull/2096
-- CURLOPT_COOKIELIST: take cookie share lock
+Daniel Stenberg (17 Nov 2017)
+- resolve: allow IP address within [] brackets
- When performing COOKIELIST operations the cookie lock needs to be taken
- for the cases where the cookies are shared among multiple handles!
+ ... so that IPv6 addresses can be passed like they can for connect-to
+ and how they're used in URLs.
- Verified by Benjamin Gilbert's updated test 506
+ Added test 1324 to verify
+ Reported-by: Alex Malinovich
- Bug: http://curl.haxx.se/bug/view.cgi?id=1215
- Reported-by: Benjamin Gilbert
+ Fixes #2087
+ Closes #2091
-- [Benjamin Gilbert brought this change]
+- [Pavol Markovic brought this change]
- test506: verify that CURLOPT_COOKIELIST takes share lock
+ macOS: Fix missing connectx function with Xcode version older than 9.0
- It doesn't right now: http://curl.haxx.se/bug/view.cgi?id=1215
+ The previous fix https://github.com/curl/curl/pull/1788 worked just for
+ Xcode 9. This commit extends the fix to older Xcode versions effectively
+ by not using connectx function.
+
+ Fixes https://github.com/curl/curl/issues/1330
+ Fixes https://github.com/curl/curl/issues/2080
+ Closes https://github.com/curl/curl/pull/1336
+ Closes #2082
-- TODO: HTTP2/SPDY support
+- [Dirk Feytons brought this change]
-- curl_easy_setopt.3: clarify CURLOPT_PROGRESSFUNCTION frequency
+ openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
- Make it clearer that the CURLOPT_PROGRESSFUNCTION callback will be
- called more frequently than once per second when things are happening.
+ Fixes #2079
+ Closes #2081
-- RELEASE-NOTES: synced with 9c3e098259b82
+- TODO: ignore private IP addresses in PASV response
- Mention 7 recent bug fixes and their associated contributors
+ Closes #1455
-- curl_multi_wait.3: clarify the numfds counter
+- RELEASE-NOTES: synced with ae7369b6d
-- curl_easy_perform: avoid busy-looping
+Michael Kaufmann (14 Nov 2017)
+- URL: return error on malformed URLs with junk after IPv6 bracket
- When curl_multi_wait() finds no file descriptor to wait for, it returns
- instantly and this must be handled gracefully within curl_easy_perform()
- or cause a busy-loop. Starting now, repeated fast returns without any
- file descriptors is detected and a gradually increasing sleep will be
- used (up to a max of 1000 milliseconds) before continuing the loop.
+ Follow-up to aadb7c7. Verified by new test 1263.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1238
- Reported-by: Miguel Angel
+ Closes #2072
-- [YAMADA Yasuharu brought this change]
+Daniel Stenberg (14 Nov 2017)
+- INTERNALS: we may use libidn2 now, not libidn
- cookies: follow-up fix for path checking
+Patrick Monnerat (13 Nov 2017)
+- zlib/brotli: only include header files in modules needing them
- The initial fix to only compare full path names were done in commit
- 04f52e9b4db0 but found out to be incomplete. This takes should make the
- change more complete and there's now two additional tests to verify
- (test 31 and 62).
-
-- [Sergei Nikulov brought this change]
-
- lib1900: use tutil_tvnow instead of gettimeofday
+ There is a conflict on symbol 'free_func' between openssl/crypto.h and
+ zlib.h on AIX. This is an attempt to resolve it.
- Makes it build on windows
+ Bug: https://curl.haxx.se/mail/lib-2017-11/0032.html
+ Reported-By: Michael Felt
-- [Eric Hu brought this change]
-
- axtls: now done non-blocking
+Daniel Stenberg (13 Nov 2017)
+- SMB: fix uninitialized local variable
+
+ Reported-by: Brian Carpenter
-- [Eric Hu brought this change]
+- [Orgad Shaneh brought this change]
- test2033: requires NTLM support
+ connect.c: remove executable bit on file
+
+ Closes #2071
-- KNOWN_BUGS: #82 failed build with Borland compiler
+- [hsiao yi brought this change]
-- Curl_output_digest: support auth-int for empty entity body
-
- By always returning the md5 for an empty body when auth-int is asked
- for, libcurl now at least sometimes does the right thing.
+ README.md: fixed layout
- Bug: http://curl.haxx.se/bug/view.cgi?id=1235
- Patched-by: Nach M. S.
+ Closes #2069
-- multi_socket: reduce timeout inaccuracy margin
+- setopt: split out curl_easy_setopt() to its own file
- Allow less room for "triggered too early" mistakes by applications /
- timers on non-windows platforms. Starting now, we assume that a timeout
- call is never made earlier than 3 milliseconds before the actual
- timeout. This greatly improves timeout accuracy on Linux.
+ ... to make url.c smaller.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1228
- Reported-by: Hang Su
+ Closes #1944
-- cert_stuff: avoid double free in the PKCS12 code
-
- In the pkcs12 code, we get a list of x509 records returned from
- PKCS12_parse but when iterating over the list and passing each to
- SSL_CTX_add_extra_chain_cert() we didn't also properly remove them from
- the "stack", which made them get freed twice (both in sk_X509_pop_free()
- and then later in SSL_CTX_free).
+Jay Satiro (10 Nov 2017)
+- [John Starks brought this change]
+
+ cmake: Add missing setmode check
- This isn't really documented anywhere...
+ Ensure HAVE_SETMODE is set to 1 on OSes that have setmode. Without this,
+ curl will corrupt binary files when writing them to stdout on Windows.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1236
- Reported-by: Nikaiw
-
-- cert_stuff: remove code duplication in the pkcs12 logic
-
-- [Aleksey Tulinov brought this change]
+ Closes https://github.com/curl/curl/pull/2067
- axtls: honor disabled VERIFYHOST
+Daniel Stenberg (10 Nov 2017)
+- curl_share_setopt: va_end was not called if conncache errors
- When VERIFYHOST == 0, libcurl should let invalid certificates to pass.
+ CID 984459, detected by Coverity
-- [Peter Gal brought this change]
+Sergei Nikulov (10 Nov 2017)
+- [John Starks brought this change]
- curl_easy_setopt.3: HTTP header with no content
+ cmake: Correctly include curl.rc in Windows builds (#2064)
- Update the documentation on how to specify a HTTP header with no
- content.
+ Update CMakeLists.txt to add curl.rc to the correct list.
-- RELEASE-NOTES: synced with 87cf677eca55
-
- Added 11 bugs and 7 contributors
+Daniel Stenberg (9 Nov 2017)
+- RELEASE-NOTES: synced with 32828cc4f
+
+- [Luca Boccassi brought this change]
-- lib1500: remove bad check
+ --interface: add support for Linux VRF
- After curl_multi_wait() returns, this test checked that we got exactly
- one file descriptor told to read from, but we cannot be sure that is
- true. curl_multi_wait() will sometimes return earlier without any file
- descriptor to handle, just just because it is a suitable time to call
- *perform().
+ The --interface command (CURLOPT_INTERFACE option) already uses
+ SO_BINDTODEVICE on Linux, but it tries to parse it as an interface or IP
+ address first, which fails in case the user passes a VRF.
- This problem showed up with commit 29bf0598.
+ Try to use the socket option immediately and parse it as a fallback
+ instead. Update the documentation to mention this feature, and that it
+ requires the binary to be ran by root or with CAP_NET_RAW capabilities
+ for this to work.
- Bug: http://curl.haxx.se/mail/lib-2013-06/0029.html
- Reported-by: Fabian Keil
+ Closes #2024
-- tests/Makefile: typo in the perlcheck target
+- curl_share_setopt.3: document CURL_LOCK_DATA_CONNECT
- Bug: http://curl.haxx.se/bug/view.cgi?id=1239
- Reported-by: Christian Weisgerber
+ Closes #2043
+
+- examples: add shared-connection-cache
-- test1230: verify CONNECT to a numerical ipv6-address
+- test1554: verify connection cache sharing
-- sws: support extracting test number from CONNECT ipv6-address!
+- share: add support for sharing the connection cache
+
+- imap: deal with commands case insensitively
+
+ As documented in RFC 3501 section 9:
+ https://tools.ietf.org/html/rfc3501#section-9
- If an ipv6-address is provided to CONNECT, the last hexadecimal group in
- the address will be used as the test number! For example the address
- "[1234::ff]" would be treated as test case 255.
+ Closes #2061
-- curl_multi_wait: only use internal timer if not -1
+- connect: store IPv6 connection status after valid connection
- commit 29bf0598aad5 introduced a problem when the "internal" timeout is
- prefered to the given if shorter, as it didn't consider the case where
- -1 was returned. Now the internal timeout is only considered if not -1.
+ ... previously it would store it already in the happy eyeballs stage
+ which could lead to the IPv6 bit being set for an IPv4 connection,
+ leading to curl not wanting to do EPSV=>PASV for FTP transfers.
- Reported-by: Tor Arntsen
- Bug: http://curl.haxx.se/mail/lib-2013-06/0015.html
+ Closes #2053
-Dan Fandrich (3 Jun 2013)
-- libcurl-tutorial.3: added a section on IPv6
+- curl_multi_fdset.3: emphasize curl_multi_timeout
- Also added a (correctly-escaped) backslash to the autoexec.bat
- example file and a new Windows character device name with
- a colon as examples of other characters that are special
- and potentially dangerous (this reverts and reworks commit
- 7d8d2a54).
+ ... even when there's no socket to wait for, the timeout can still be
+ very short.
-Daniel Stenberg (3 Jun 2013)
-- curl_multi_wait: reduce timeout if the multi handle wants to
+Jay Satiro (9 Nov 2017)
+- content_encoding: fix inflate_stream for no bytes available
- If the multi handle's pending timeout is less than what is passed into
- this function, it will now opt to use the shorter time anyway since it
- is a very good hint that the handle wants to process something in a
- shorter time than what otherwise would happen.
+ - Don't call zlib's inflate() when avail_in stream bytes is 0.
- curl_multi_wait.3 was updated accordingly to clarify
+ This is a follow up to the parent commit 19e66e5. Prior to that change
+ libcurl's inflate_stream could call zlib's inflate even when no bytes
+ were available, causing inflate to return Z_BUF_ERROR, and then
+ inflate_stream would treat that as a hard error and return
+ CURLE_BAD_CONTENT_ENCODING.
- This is the reason for bug #1224
+ According to the zlib FAQ, Z_BUF_ERROR is not fatal.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1224
- Reported-by: Andrii Moiseiev
-
-- multi_runsingle: switch an if() condition for readability
+ This bug would happen randomly since packet sizes are arbitrary. A test
+ of 10,000 transfers had 55 fail (ie 0.55%).
- ... because there's an identical check right next to it so using the
- operators in the check in the same order increases readability.
-
-Marc Hoersken (2 Jun 2013)
-- curl_schannel.c: Removed variable unused since 35874298e4
-
-- curl_setup.h: Fixed redefinition warning using mingw-w64
+ Ref: https://zlib.net/zlib_faq.html#faq05
+
+ Closes https://github.com/curl/curl/pull/2060
-Daniel Stenberg (30 May 2013)
-- multi_runsingle: add braces to clarify the code
+Patrick Monnerat (7 Nov 2017)
+- content_encoding: do not write 0 length data
-- libcurl-tutorial.3: remove incorrect backslash
+Daniel Stenberg (6 Nov 2017)
+- fnmatch: remove dead code
- A single backslash in the content is not legal nroff syntax.
+ There was a duplicate check for backslashes in the setcharset()
+ function.
- Reported and fixed by: Eric S. Raymond
- Bug: http://curl.haxx.se/bug/view.cgi?id=1234
+ Coverity CID 1420611
-- curl_formadd.3: fixed wrong "end-marker" syntax
+- url: remove unncessary NULL-check
- Reported and fixed by: Eric S. Raymond
- Bug: http://curl.haxx.se/bug/view.cgi?id=1233
-
-- curl.1: clarify that --silent still outputs data
+ Since 'conn' won't be NULL in there and we also access the pointer in
+ there without the check.
+
+ Coverity CID 1420610
-- Digest auth: escape user names with \ or " in them
+Viktor Szakats (6 Nov 2017)
+- src/Makefile.m32: fix typo in brotli lib customization
- When sending the HTTP Authorization: header for digest, the user name
- needs to be escaped if it contains a double-quote or backslash.
+ Ref cc1f4436099decb9d1a7034b2bb773a9f8379d31
+
+- Makefile.m32: allow to customize brotli libs
- Test 1229 was added to verify
+ It adds the ability to link against static brotli libs.
- Reported and fixed by: Nach M. S
- Bug: http://curl.haxx.se/bug/view.cgi?id=1230
+ Also fix brotli include path.
-- [Mike Giancola brought this change]
+Patrick Monnerat (5 Nov 2017)
+- travis: add a job with brotli enabled
- ossl_recv: SSL_read() returning 0 is an error too
-
- SSL_read can return 0 for "not successful", according to the open SSL
- documentation: http://www.openssl.org/docs/ssl/SSL_read.html
+- [Viktor Szakats brought this change]
-- [Mike Giancola brought this change]
+ Makefile.m32: add brotli support
- ossl_send: SSL_write() returning 0 is an error too
+- HTTP: implement Brotli content encoding
- We found that in specific cases if the connection is abruptly closed,
- the underlying socket is listed in a close_wait state. We continue to
- call the curl_multi_perform, curl_mutli_fdset etc. None of these APIs
- report the socket closed / connection finished. Since we have cases
- where the multi connection is only used once, this can pose a problem
- for us. I've read that if another connection was to come in, curl would
- see the socket as bad and attempt to close it at that time -
- unfortunately, this does not work for us.
+ This uses the brotli external library (https://github.com/google/brotli).
+ Brotli becomes a feature: additional curl_version_info() bit and
+ structure fields are provided for it and CURLVERSION_NOW bumped.
- I found that in specific situations, if SSL_write returns 0, curl did
- not recognize the socket as closed (or errored out) and did not report
- it to the application. I believe we need to change the code slightly, to
- check if ssl_write returns 0. If so, treat it as an error - the same as
- a negative return code.
-
- For OpenSSL - the ssl_write documentation is here:
- http://www.openssl.org/docs/ssl/SSL_write.html
-
-- KNOWN_BUGS: curl -OJC- fails to resume
+ Tests 314 and 315 check Brotli content unencoding with correct and
+ erroneous data.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1169
+ Some tests are updated to accomodate with the now configuration dependent
+ parameters of the Accept-Encoding header.
-- Curl_cookie_add: handle IPv6 hosts
+- HTTP: support multiple Content-Encodings
- 1 - don't skip host names with a colon in them in an attempt to bail out
- on HTTP headers in the cookie file parser. It was only a shortcut anyway
- and trying to parse a file with HTTP headers will still be handled, only
- slightly slower.
+ This is implemented as an output streaming stack of unencoders, the last
+ calling the client write procedure.
- 2 - don't skip domain names based on number of dots. The original
- netscape cookie spec had this oddity mentioned and while our code
- decreased the check to only check for two, the existing cookie spec has
- no such dot counting required.
+ New test 230 checks this feature.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1221
- Reported-by: Stefan Neis
+ Bug: https://github.com/curl/curl/pull/2002
+ Reported-By: Daniel Bankhead
-- curl_easy_setopt.3: expand the PROGRESSFUNCTION section
+Jay Satiro (4 Nov 2017)
+- url: remove arg value check from CURLOPT_SSH_AUTH_TYPES
- Explain the callback and its arguments better and with more descriptive
- text.
-
-- tests: add test1394 file to the tarball
-
-- tarball: include the xmlstream example
-
-- [David Strauss brought this change]
-
- xmlstream: XML stream parsing example source code
+ Since CURLSSH_AUTH_ANY (aka CURLSSH_AUTH_DEFAULT) is ~0 an arg value
+ check on this option is incorrect; we have to accept any value.
- Add an XML stream parsing example using Expat. Add missing ignore for
- the binary from an unrelated example.
-
-- [YAMADA Yasuharu brought this change]
+ Prior to this change since f121575 (7.56.1+) CURLOPT_SSH_AUTH_TYPES
+ erroneously rejected CURLSSH_AUTH_ANY with CURLE_BAD_FUNCTION_ARGUMENT.
+
+ Bug: https://github.com/curl/curl/commit/f121575#commitcomment-25347120
- cookies: only consider full path matches
+Daniel Stenberg (4 Nov 2017)
+- ntlm: avoid malloc(0) for zero length passwords
- I found a bug which cURL sends cookies to the path not to aim at.
- For example:
- - cURL sends a request to http://example.fake/hoge/
- - server returns cookie which with path=/hoge;
- the point is there is NOT the '/' end of path string.
- - cURL sends a request to http://example.fake/hogege/ with the cookie.
+ It triggers an assert() when built with memdebug since malloc(0) may
+ return NULL *or* a valid pointer.
- The reason for this old "feature" is because that behavior is what is
- described in the original netscape cookie spec:
- http://curl.haxx.se/rfc/cookie_spec.html
+ Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054
- The current cookie spec (RFC6265) clarifies the situation:
- http://tools.ietf.org/html/rfc6265#section-5.2.4
+ Assisted-by: Max Dymond
+ Closes #2054
-- [Eric Hu brought this change]
+- RELEASE-NOTES: synced with ee8016b3d
- axtls: prevent memleaks on SSL handshake failures
-
-- Revert "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage"
+- curl: speed up handling of many URLs
- This reverts commit 8ec2cb5544b86306b702484ea785b6b9596562ab.
+ By properly keeping track of the last entry in the list of URLs/uploads
+ to handle, curl now avoids many meaningless traverses of the list which
+ speeds up many-URL handling *MASSIVELY* (several magnitudes on 100K
+ URLs).
- We don't have any code anywhere in libcurl (or the curl tool) that use
- wcsdup so there's no such memory use to track. It seems to cause mild
- problems with the Borland compiler though that we may avoid by reverting
- this change again.
+ Added test 1291, to verify that it doesn't take ages - but we don't have
+ any detection of "too slow" command in the test suite.
- Bug: http://curl.haxx.se/mail/lib-2013-05/0070.html
+ Reported-by: arainchik on github
+ Fixes #1959
+ Closes #2052
-- RELEASE-NOTES: synced with ae26ee3489588f0
+- curl: pass through [] in URLs instead of calling globbing error
+
+ Assisted-by: Per Lundberg
+ Fixes #2044
+ Closes #2046
+ Closes #2048
-Guenter Knauf (11 May 2013)
-- Updated zlib version in build files.
+- CURLOPT_INFILESIZE: accept -1
+
+ Regression since f121575
+
+ Reported-by: Petr Voytsik
+ Fixes #2047
-Daniel Stenberg (9 May 2013)
-- [Renaud Guillard brought this change]
+Jay Satiro (2 Nov 2017)
+- url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
+
+ Prior to this change since f121575 (7.56.1+) CURLOPT_DNS_CACHE_TIMEOUT
+ erroneously rejected -1 with CURLE_BAD_FUNCTION_ARGUMENT.
- OS X framework: fix invalid symbolic link
+Dan Fandrich (1 Nov 2017)
+- http2: Fixed OOM handling in upgrade request
+
+ This caused the torture tests on test 1800 to fail.
-Kamil Dudka (9 May 2013)
-- [Daniel Stenberg brought this change]
+- tests: Fixed torture tests on tests 556 and 650
+
+ Test cleanup after OOM wasn't being consistently performed.
- nss: give PR_INTERVAL_NO_WAIT instead of -1 to PR_Recv/PR_Send
+Daniel Stenberg (1 Nov 2017)
+- CURLOPT_MAXREDIRS: allow -1 as a value
+
+ ... which is valid according to documentation. Regression since
+ f121575c0b5f.
+
+ Verified now in test 501.
- Reported by: David Strauss
- Bug: http://curl.haxx.se/mail/lib-2013-05/0088.html
+ Reported-by: cbartl on github
+ Fixes #2038
+ Closes #2039
-Daniel Stenberg (8 May 2013)
-- libtest: gitignore more binary files
+- include: remove conncache.h inclusion from where its not needed
-- servercert: allow empty subject
+Jay Satiro (1 Nov 2017)
+- url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
- Bug: http://curl.haxx.se/bug/view.cgi?id=1220
- Patch by: John Gardiner Myers
-
-- [Steve Holme brought this change]
+ .. also add same arg value check to CURLOPT_POSTFIELDSIZE_LARGE.
+
+ Prior to this change since f121575 (7.56.1+) CURLOPT_POSTFIELDSIZE
+ erroneously rejected -1 value with CURLE_BAD_FUNCTION_ARGUMENT.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-11/0000.html
+ Reported-by: Andrew Lambert
- tests: Added new SMTP tests to verify commit 99b40451836d
+Daniel Stenberg (31 Oct 2017)
+- cookie: avoid NULL dereference
+
+ ... when expiring old cookies.
+
+ Reported-by: Pavel Gushchin
+ Fixes #2032
+ Closes #2035
-- runtests.pl: support nonewline="yes" in client/stdin sections
+Marcel Raad (30 Oct 2017)
+- memdebug: use send/recv signature for curl_dosend/curl_dorecv
+
+ This avoids build errors and warnings caused by implicit casts.
+
+ Closes https://github.com/curl/curl/pull/2031
-- build: fixed unit1394 for debug and metlink builds
+Daniel Stenberg (30 Oct 2017)
+- [Juro Bystricky brought this change]
-Kamil Dudka (6 May 2013)
-- unit1394.c: plug the curl tool unit test in
+ mkhelp.pl: support reproducible build
+
+ Do not generate line with the current date, such as:
+
+ * Generation time: Tue Oct-24 18:01:41 2017
+
+ This will improve reproducibility. The generated string is only
+ part of a comment, so there should be no adverse consequences.
+
+ Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+
+ closes #2026
-- [Jared Jennings brought this change]
+Dan Fandrich (30 Oct 2017)
+- runtests.pl: Fixed typo in message
- unit1394.c: basis of a unit test for parse_cert_parameter()
+Daniel Stenberg (30 Oct 2017)
+- curlx: the timeval functions are no longer provided as curlx_*
+
+ Pointed-out-by: Dmitri Tikhonov
+ Bug: #2034
-- src/Makefile.am: build static lib for unit tests if enabled
+- select: update comments
+
+ s/curlx_tvnow/Curl_now
-- tool_getparam: ensure string termination in parse_cert_parameter()
+- INTERNALS: remove curlx_tv* functions no longer provided
-- tool_getparam: fix memleak in handling the -E option
+- [Dmitri Tikhonov brought this change]
-- tool_getparam: describe what parse_cert_parameter() does
+ timeval: use mach time on MacOS
- ... and de-duplicate the code initializing *passphrase
+ If clock_gettime() is not supported, use mach_absolute_time() on MacOS.
+
+ closes #2033
-- curl.1: document escape sequences recognized by -E
+monnerat (29 Oct 2017)
+- [Patrick Monnerat brought this change]
-- [Jared Jennings brought this change]
+ cli tool: improve ";type=" handling in -F option arguments
- curl -E: allow to escape ':' in cert nickname
+- [Patrick Monnerat brought this change]
-Marc Hoersken (5 May 2013)
-- curl_schannel.c: Fixed invalid memory access during SSL shutdown
+ cli tool: in -F option arg, comma is a delimiter for files only
+
+ Also upgrade test 1133 to cover this case and clarify man page about
+ form data quoting.
+
+ Bug: https://github.com/curl/curl/issues/2022
+ Reported-By: omau on github
-Steve Holme (4 May 2013)
-- smtp: Fix trailing whitespace warning
+Daniel Stenberg (29 Oct 2017)
+- timeleft: made two more users of Curl_timeleft use timediff_t
-- smtp: Fix compilation warning
+Jakub Zakrzewski (28 Oct 2017)
+- cmake: Export libcurl and curl targets to use by other cmake projects
+
+ The config files define curl and libcurl targets as imported targets
+ CURL::curl and CURL::libcurl. For backward compatibility with CMake-
+ provided find-module the CURL_INCLUDE_DIRS and CURL_LIBRARIES are
+ also set.
- comparison between signed and unsigned integer expressions
+ Closes #1879
-- RELEASE-NOTES: synced with 92ef5f19c801
+Daniel Stenberg (28 Oct 2017)
+- RELEASE-NOTES: synced with f20cbac97
-- smtp: Updated RFC-2821 references to RFC-5321
+- [Florin Petriuc brought this change]
-- smtp: Fixed sending of double CRLF caused by first in EOB
+ auth: Added test cases for RFC7616
- If the mail sent during the transfer contains a terminating <CRLF> then
- we should not send the first <CRLF> of the EOB as specified in RFC-5321.
+ Updated docs to include support for RFC7616
- Additionally don't send the <CRLF> if there is "no mail data" as the
- DATA command already includes it.
-
-- tests: Corrected MAIL SIZE for CRLF line endings
+ Signed-off-by: Florin <petriuc.florin@gmail.com>
- ... which was missed in commit: f5c3d9538452
+ Closes #1934
+
+- [Florin Petriuc brought this change]
-- tests: Corrected infilesize for CRLF line endings
+ auth: add support for RFC7616 - HTTP Digest access authentication
- ... which was missed in commit: f5c3d9538452
+ Signed-off-by: Florin <petriuc.florin@gmail.com>
-- tests: Corrected test1406 to be RFC2821 compliant
+- [Daniel Bankhead brought this change]
-- tests: Corrected test1320 to be RFC2821 compliant
+ TODO: support multiple Content-Encodings
+
+ Closes #2002
-- tests: Corrected typo in test909
+- ROADMAP: cleanup
- Introduced in commit: 514817669e9e
+ Removed done stuff. Removed entries no longer considered for the near
+ term.
-- tests: Corrected test909 to be RFC2821 compliant
+- [Magicansk brought this change]
-- tests: Updated test references to 909 from 1411
+ ROADMAP.md: spelling fixes
- ...and removed references to libcurl and test1406.
+ Closes #2028
-- tests: Renamed test1411 to test909 as this is a main SMTP test
+- Curl_timeleft: change return type to timediff_t
+
+ returning 'time_t' is problematic when that type is unsigned and we
+ return values less than zero to signal "already expired", used in
+ several places in the code.
+
+ Closes #2021
-Daniel Stenberg (1 May 2013)
-- [Lars Johannesen brought this change]
+- appveyor: add a win32 build
- bindlocal: move brace out of #ifdef
+- setopt: fix CURLOPT_SSH_AUTH_TYPES option read
- The code within #ifdef HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID wrongly had two
- closing braces when it should only have one, so builds without that
- define would fail.
+ Regression since f121575c0b5f
- Bug: http://curl.haxx.se/mail/lib-2013-05/0000.html
+ Reported-by: Rob Cotrone
-Steve Holme (30 Apr 2013)
-- smtp: Tidy up to move the eob counter to the per-request structure
+Marcel Raad (27 Oct 2017)
+- resolvers: only include anything if needed
- Move the eob counter from the smtp_conn structure to the SMTP structure
- as it is associated with a SMTP payload on a per-request basis.
-
-- TODO: Updated following the addition of CURLOPT_SASL_IR
-
-- smtp: Fixed unknown percentage complete in progress bar
+ This avoids warnings about unused stuff.
- The curl command line utility would display the the completed progress
- bar with a percentage of zero as the progress routines didn't know the
- size of the transfer.
+ Closes https://github.com/curl/curl/pull/2023
-Daniel Stenberg (29 Apr 2013)
-- ftpserver: silence warnings
+Daniel Stenberg (27 Oct 2017)
+- HELP-US: rename the subtitle too since the label is changed
- Fix regressions in commit b56e3d43e5d. Make @data local and filter off
- non-numerical digits from $testno in STATUS_imap.
+ "PR-welcome" was the former name.
-Steve Holme (29 Apr 2013)
-- ftpserver.pl: Corrected the imap LOGIN response
-
- ...to be more realistic and consistent with the other imap responses.
+- curl_setup.h: oops, shorten the too long line
-- tests: Added imap STATUS command test
+- [Martin Storsjo brought this change]
-- tests: Corrected the SMTP tests to be RFC2821 compliant
+ curl_setup: Improve detection of CURL_WINDOWS_APP
- The emails that are sent to the server during these tests were
- incorrectly formatted as they contained one or more LF terminated lines
- rather than being CRLF terminated as per Section 2.3.7 of RFC-2821.
+ If WINAPI_FAMILY is defined, it should be safe to try to include
+ winapifamily.h to check what the define evaluates to.
- This wasn't a problem for the test suite as the <stdin> data matched the
- <upload> data but anyone using these tests as reference would be sending
- incorrect data to a server.
-
-- email: Tidy up of *_perform_authenticate()
+ This should fix detection of CURL_WINDOWS_APP if building with
+ _WIN32_WINNT set to 0x0600.
- Removed the hard returns from imap and pop3 by using the same style for
- sending the authentication string as smtp. Moved the "Other mechanisms
- not supported" check in smtp to match that of imap and pop3 to provide
- consistency between the three email protocols.
-
-- smtp: Updated limit check to be more readable like the check in pop3
+ Closes #2025
-- pop3: Added 255 octet limit check when sending initial response
+Jay Satiro (26 Oct 2017)
+- transfer: Fix chunked-encoding upload bug
- Added 255 octet limit check as per Section 4. Paragraph 8 of RFC-5034.
-
-- DOCS: Corrected line length of recent Secure Transport changes
-
-Nick Zitzmann (27 Apr 2013)
-- darwinssl: add TLS crypto authentication
+ - When uploading via chunked-encoding don't compare file size to bytes
+ sent to determine whether the upload has finished.
+
+ Chunked-encoding adds its own overhead which why the bytes sent is not
+ equal to the file size. Prior to this change if a file was uploaded in
+ chunked-encoding and its size was known it was possible that the upload
+ could end prematurely without sending the final few chunks. That would
+ result in a server hang waiting for the remaining data, likely followed
+ by a disconnect.
+
+ The scope of this bug is limited to some arbitrary file sizes which have
+ not been determined. One size that triggers the bug is 475020.
- Users using the Secure Transport (darwinssl) back-end can now use a
- certificate and private key to authenticate with a site using TLS. Because
- Apple's security system is based around the keychain and does not have any
- non-public function to create a SecIdentityRef data structure from data
- loaded outside of the Keychain, the certificate and private key have to be
- loaded into the Keychain first (using the certtool command line tool or
- the Security framework's C API) before we can find it and use it.
+ Bug: https://github.com/curl/curl/issues/2001
+ Reported-by: moohoorama@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/2010
-Steve Holme (27 Apr 2013)
-- Corrected version numbers after bump
+Daniel Stenberg (26 Oct 2017)
+- timeval: make timediff_t also work on 32bit windows
+
+ ... by using curl_off_t for the typedef if time_t is larger than 4
+ bytes.
+
+ Reported-by: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/b9d25f9a6b3ca791385b80a6a3c3fa5ae113e1e0#co
+ mmitcomment-25205058
+ Closes #2019
-Daniel Stenberg (27 Apr 2013)
-- bump version
+- curl_fnmatch: return error on illegal wildcard pattern
+
+ ... instead of doing an infinite loop!
- Since we're adding new stuff, the next release will bump the minor
- version and we're looking forward to 7.31.0
+ Added test 1162 to verify.
+
+ Reported-by: Max Dymond
+ Fixes #2015
+ Closes #2017
-Steve Holme (27 Apr 2013)
-- RELEASE-NOTES: synced with f4e6e201b146
+- [Max Dymond brought this change]
-- DOCS: Updated following the addition of CURLOPT_SASL_IR
+ wildcards: don't use with non-supported protocols
- Documented the the option in curl_easy_setopt() and added it to
- symbols-in-versions.
-
-- tests: Corrected command line arguments in test907 and test908
+ Fixes timeouts in the fuzzing tests for non-FTP protocols.
+
+ Closes #2016
-- tests: Added SMTP AUTH with initial response tests
+- [Max Dymond brought this change]
-- tests: Updated SMTP tests to decouple client initial response
+ multi: allow table handle sizes to be overridden
- Updated test903 and test904 following the addition of CURLOPT_SASL_IR
- as the default behaviour of SMTP AUTH responses is now to not include
- the initial response. New tests with --sasl-ir support to follow.
-
-- imap: Added support for overriding the SASL initial response
+ Allow users to specify their own hash define for
+ CURL_CONNECTION_HASH_SIZE so that both values can be overridden.
- In addition to checking for the SASL-IR capability the user can override
- the sending of the client's initial response in the AUTHENTICATION
- command with the use of CURLOPT_SASL_IR should the server erroneously
- not report SASL-IR when it does support it.
+ Closes #1982
-- smtp: Added support for disabling the SASL initial response
+- time: rename Curl_tvnow to Curl_now
- Updated the default behaviour of sending the client's initial response in the AUTH
- command to not send it and added support for CURLOPT_SASL_IR to allow the user to
- specify including the response.
+ ... since the 'tv' stood for timeval and this function does not return a
+ timeval struct anymore.
- Related Bug: http://curl.haxx.se/mail/lib-2012-03/0114.html
- Reported-by: Gokhan Sengun
-
-- pop3: Added support for enabling the SASL initial response
+ Also, cleaned up the Curl_timediff*() functions to avoid typecasts and
+ clean up the descriptive comments.
- Allowed the user to specify whether to send the client's intial response
- in the AUTH command via CURLOPT_SASL_IR.
+ Closes #2011
-- sasl-ir: Added --sasl-ir option to curl command line tool
+- ftplistparser: follow-up cleanup to remove PL_ERROR()
-- sasl-ir: Added CURLOPT_SASL_IR to enable/disable the SASL initial response
+- [Max Dymond brought this change]
-Daniel Stenberg (26 Apr 2013)
-- curl_easy_init: use less mallocs
+ ftplistparser: free off temporary memory always
- By introducing an internal alternative to curl_multi_init() that accepts
- parameters to set the hash sizes, easy handles will now use tiny socket
- and connection hash tables since it will only ever add a single easy
- handle to that multi handle.
+ When using the FTP list parser, ensure that the memory that's
+ allocated is always freed.
- This decreased the number mallocs in test 40 (which is a rather simple
- and typical easy interface use case) from 1142 to 138. The maximum
- amount of memory allocated used went down from 118969 to 78805.
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3682
+ Closes #2013
-Steve Holme (26 Apr 2013)
-- ftpserver.pl: Fixed imap logout confirmation data
+- timediff: return timediff_t from the time diff functions
- An IMAP server should response with the BYE continuation response before
- confirming the LOGOUT command was successful.
-
-Daniel Stenberg (26 Apr 2013)
-- ftp_state_pasv_resp: connect through proxy also when set by env
+ ... to cater for systems with unsigned time_t variables.
- When connecting back to an FTP server after having sent PASV/EPSV,
- libcurl sometimes didn't use the proxy properly even though the proxy
- was used for the initial connect.
+ - Renamed the functions to curlx_timediff and Curl_timediff_us.
- The function wrongly checked for the CURLOPT_PROXY variable to be set,
- which made it act wrongly if the proxy information was set with an
- environment variable.
+ - Added overflow protection for both of them in either direction for
+ both 32 bit and 64 bit time_ts
- Added test case 711 to verify (based on 707 which uses --socks5). Also
- added test712 to verify another variation of setting the proxy: with
- --proxy socks5://
+ - Reprefixed the curlx_time functions to use Curl_*
- Bug: http://curl.haxx.se/bug/view.cgi?id=1218
- Reported-by: Zekun Ni
+ Reported-by: Peter Piekarski
+ Fixes #2004
+ Closes #2005
-Kamil Dudka (26 Apr 2013)
-- [Zdenek Pavlas brought this change]
+- [Paul Howarth brought this change]
- url: initialize speed-check data for file:// protocol
+ libtest: Add required test libraries for lib1552 and lib1553
+
+ They use $(TESTUTIL) and thus should use $(TESTUTIL_LIBS) too.
- ... in order to prevent an artificial timeout event based on stale
- speed-check data from a previous network transfer. This commit fixes
- a regression caused by 9dd85bced56f6951107f69e581c872c1e7e3e58e.
+ This fixes build failures on Fedora 13.
- Bug: https://bugzilla.redhat.com/906031
+ Closes #2006
-Daniel Stenberg (25 Apr 2013)
-- test709: clarify the test in the name
+- [Alessandro Ghedini brought this change]
-- sshserver: disable StrictHostKeyChecking
-
- I couldn't figure out why the host key logic isn't working, but having
- it set to yes prevents my SSH-based test cases to run. I also don't see
- a strong need to use strict host key checking on this test server.
+ libcurl-tutorial.3: fix typo
- So I disabled it.
+ closes #2008
-- runtests: log more commands in verbose mode
-
- ... to aid tracking down failures
+Alessandro Ghedini (23 Oct 2017)
+- curl_mime_filedata.3: fix typos
-Steve Holme (25 Apr 2013)
-- TODO: Corrected copy/paste typo
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: clean slate towards 7.57.0
-- TODO: Added new ideas for future SMTP, POP3 and IMAP features
+- [Max Dymond brought this change]
-- TODO: Updated following the addition of ;auth=<MECH> support
+ travis: exit if any steps fail
+
+ We don't expect any steps to fail in travis. Exit the script if they do.
+
+ Closes #1966
-- DOCS: Minor rewording / clarification of host name protocol detection
+Version 7.56.1 (23 Oct 2017)
-- RELEASE-NOTES: synced with a8c92cb60890
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: 7.56.1
-- DOCS: Added reference to IETF draft for SMTP URL Interface
-
- ...when mentioning login options. Additional minor clarification of
- "Windows builds" to be "Windows builds with SSPI"as a way of enabling
- NTLM as Windows builds may be built with OpenSSL to enable NTLM or
- without NTLM support altogether.
+- THANKS: update at 7.56.1 release time
-Linus Nielsen Feltzing (23 Apr 2013)
-- HISTORY: Fix spelling error.
+- [Jon DeVree brought this change]
-Steve Holme (23 Apr 2013)
-- DOCS: Reworked the scheme calculation explanation under CURLOPT_URL
+ mk-ca-bundle: Remove URL for aurora
+
+ Aurora is no longer used by Mozilla
+ https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/
-- url: Added smtp and pop3 hostnames to the protocol detection list
+- [Jon DeVree brought this change]
-Daniel Stenberg (23 Apr 2013)
-- HISTORY: correct some years/dates
+ mk-ca-bundle: Fix URL for NSS
- Thanks to archive.org's wayback machine I updated this document with
- some facts from the early httpget/urlget web page:
+ The 'tip' is the most recent branch committed to, this should be
+ 'default' like the URLs for the browser are.
- http://web.archive.org/web/19980216125115/http://www.inf.ufrgs.br/~sagula/urlget.html
+ Closes #1998
-- [Alessandro Ghedini brought this change]
+- imap: if a FETCH response has no size, don't call write callback
+
+ CVE-2017-1000257
+
+ Reported-by: Brian Carpenter and 0xd34db347
+ Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
- tests: add test1511 to check timecond clean-up
+- ftp: reject illegal IP/port in PASV 227 response
+
+ ... by using range checks. Among other things, this avoids an undefined
+ behavior for a left shift that could happen on negative or very large
+ values.
+
+ Closes #1997
- Verifies the timecond fix in commit c49ed0b6c0f
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694
-- [Alessandro Ghedini brought this change]
+Patrick Monnerat (20 Oct 2017)
+- test653: check reuse of easy handle after mime data change
+
+ See issue #1999
- getinfo.c: reset timecond when clearing session-info variables
+- mime: do not reuse previously computed multipart size
- Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705783
- Reported-by: Ludovico Cavedon <cavedon@debian.org>
+ The contents might have changed: size must be recomputed.
+
+ Reported-by: moteus on github
+ Fixes #1999
-Steve Holme (22 Apr 2013)
-- DOCS: Added information about login options to CURLOPT_USERPWD
+- test308: disable if MultiSSL feature enabled
+
+ Even if OpenSSL is enabled, it might not be the default backend when
+ multi-ssl is enabled, causing the test to fail.
-- DOCS: Added information about login options in the URL
+- runtests: support MultiSSL client feature
-- url: Fixed missing length check in parse_proxy()
+- vtls: change struct Curl_ssl `close' field name to `close_one'.
- Commit 11332577b3cb removed the length check that was performed by the
- old scanf() code.
+ On OS/400, `close' is an ASCII system macro that corrupts the code if
+ not used in a context not targetting the close() system API.
-- url: Fixed crash when no username or password supplied for proxy
+- os400: add missing symbols in config file.
- Fixed an issue in parse_proxy(), introduced in commit 11332577b3cb,
- where an empty username or password (For example: http://:@example.com)
- would cause a crash.
+ Also adjust makefile to renamed files and warn about installation dirs mix-up.
-- url: Removed unused text length constants
+- test652: curl_mime_data + base64 encoder with large contents
-- url: Updated proxy URL parsing to use parse_login_details()
+- mime: limit bas64-encoded lines length to 76 characters
-- url: Tidy up of setstropt_userpwd() parameters
-
- Updated the naming convention of the login parameters to match those of
- other functions.
+Daniel Stenberg (16 Oct 2017)
+- RELEASE-NOTES: synced with f121575c0
-- url: Tidy up of code and comments following recent changes
+- setopt: range check most long options
- Tidy up of variable names and comments in setstropt_userpwd() and
- parse_login_details().
+ ... filter early instead of risking "funny values" having to be dealt
+ with elsewhere.
-- url: Simplified setstropt_userpwd() following recent changes
+- setopt: avoid integer overflows when setting millsecond values
- There is no need to perform separate clearing of data if a NULL option
- pointer is passed in. Instead this operation can be performed by simply
- not calling parse_login_details() and letting the rest of the code do
- the work.
-
-- url: Correction to scope of if statements when setting data
+ ... that are multiplied by 1000 when stored.
+
+ For 32 bit long systems, the max value accepted (2147483 seconds) is >
+ 596 hours which is unlikely to ever be set by a legitimate application -
+ and previously it didn't work either, it just caused undefined behavior.
+
+ Also updated the man pages for these timeout options to mention the
+ return code.
+
+ Closes #1938
-- url: Fixed memory leak in setstropt_userpwd()
+Viktor Szakats (15 Oct 2017)
+- makefile.m32: allow to override gcc, ar and ranlib
+
+ Allow to ovverride certain build tools, making it possible to
+ use LLVM/Clang to build curl. The default behavior is unchanged.
+ To build with clang (as offered by MSYS2), these settings can
+ be used:
- setstropt_userpwd() was calling setstropt() in commit fddb7b44a79d to
- set each of the login details which would duplicate the strings and
- subsequently cause a memory leak.
+ CURL_CC=clang
+ CURL_AR=llvm-ar
+ CURL_RANLIB=llvm-ranlib
+
+ Closes https://github.com/curl/curl/pull/1993
-- RELEASE-NOTES: synced with d535c4a2e1f7
+- ldap: silence clang warning
+
+ Use memset() to initialize a structure to avoid LLVM/Clang warning:
+ ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers]
+
+ Closes https://github.com/curl/curl/pull/1992
-- url: Added overriding of URL login options from CURLOPT_USERPWD
+Daniel Stenberg (14 Oct 2017)
+- runtests: use valgrind for torture as well
+
+ NOTE: it makes them terribly slow. I recommend only using valgrind for
+ specific torture tests or using lots of patience.
-- tool_paramhlp: Fixed options being included in username
+- memdebug: trace send, recv and socket
- Fix to prevent the options from being displayed when curl requests the
- user's password if the following command line is specified:
+ ... to allow them to be included in torture tests too.
- --user username;options
+ closes #1980
-- url: Added support for parsing login options from the CURLOPT_USERPWD
+- configure: remove the C++ compiler check
- In addition to parsing the optional login options from the URL, added
- support for parsing them from CURLOPT_USERPWD, to allow the following
- supported command line:
+ ... we used it only for the fuzzer, which we now have in a separate git
+ repo.
- --user username:password;options
+ Closes #1990
+
+Patrick Monnerat (13 Oct 2017)
+- mime: do not call failf() if easy handle is NULL.
+
+Daniel Stenberg (13 Oct 2017)
+- test651: curl_formadd with huge COPYCONTENTS
-- url: Added bounds checking to parse_login_details()
+- mime: fix the content reader to handle >16K data properly
- Added bounds checking when searching for the separator characters within
- the login string as this string may not be NULL terminated (For example
- it is the login part of a URL). We do this in preference to allocating a
- new string to copy the login details into which could then be passed to
- parse_login_details() for performance reasons.
+ Reported-by: Jeroen Ooms
+ Closes #1988
-- url: Added size_t cast to pointer based length calculations
+Patrick Monnerat (12 Oct 2017)
+- mime: keep "text/plain" content type if user-specified.
+
+ Include test cases in 554, 587, 650.
+
+ Fixes https://github.com/curl/curl/issues/1986
-- url: Corrected minor typo in comment
+- cli tool: use file2memory() to buffer stdin in -F option.
+
+ Closes PR https://github.com/curl/curl/pull/1985
-Daniel Stenberg (18 Apr 2013)
-- CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling
+- cli tool: reimplement stdin buffering in -F option.
+
+ If stdin is not a regular file, its content is memory-buffered to enable
+ a possible data "rewind".
+ In all cases, stdin data size is determined before real use to avoid
+ having an unknown part's size.
- When cross-compiling we can't scan and detect existing files or paths.
+ --libcurl generated code is left as an unbuffered stdin fread/fseek callback
+ part with unknown data size.
- Bug: http://curl.haxx.se/mail/lib-2013-04/0294.html
+ Buffering is not supported in deprecated curl_formadd() API.
-- [Ishan SinghLevett brought this change]
+Daniel Stenberg (12 Oct 2017)
+- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2
- usercertinmem.c: add example showing user cert in memory
+- HELP-US: the label "PR-welcome" is now renamed to "help wanted"
- Relies on CURLOPT_SSL_CTX_FUNCTION, which is OpenSSL specific
+ following the new github "standard"
-Steve Holme (18 Apr 2013)
-- url: Fix chksrc longer than 79 columns warning
+- RELEASE-NOTES: synced with 5505df7d2
-- url: Fix incorrect variable type for result code
+Jay Satiro (11 Oct 2017)
+- [Artak Galoyan brought this change]
-- url: Fix compiler warning
+ url: Update current connection SSL verify params in setopt
- signed and unsigned type in conditional expression
-
-- url: Moved parsing of login details out of parse_url_login()
+ Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active
+ connection updates the current connection's (i.e.'connectdata'
+ structure) appropriate ssl_config (and ssl_proxy_config) structures
+ variables, making these options effective for ongoing connection.
- Separated the parsing of login details from the processing of them in
- parse_url_login() ready for use by setstropt_userpwd().
-
-- url: Re-factored set_userpass() and parse_url_userpass()
+ This functionality was available before and was broken by the
+ following change:
+ "proxy: Support HTTPS proxy and SOCKS+HTTP(s)"
+ CommitId: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151.
- Re-factored these functions to reflect their new behaviour following the
- addition of login options.
+ Bug: https://github.com/curl/curl/issues/1941
+
+ Closes https://github.com/curl/curl/pull/1951
-- url: Reworked URL parsing to allow overriding by CURLOPT_USERPWD
+Daniel Stenberg (11 Oct 2017)
+- [David Benjamin brought this change]
-Daniel Stenberg (18 Apr 2013)
-- maketgz: make bzip2 creation work with Parallel BZIP2 too
+ openssl: don't use old BORINGSSL_YYYYMM macros
+
+ Those were temporary things we'd add and remove for our own convenience
+ long ago. The last few stayed around for too long as an oversight but
+ have since been removed. These days we have a running
+ BORINGSSL_API_VERSION counter which is bumped when we find it
+ convenient, but 2015-11-19 was quite some time ago, so just check
+ OPENSSL_IS_BORINGSSL.
- Apparently the previous usage didn't work with that implementation,
- while this updated version works with at least both Parallel BZIP2
- v1.1.8 and regular bzip "Version 1.0.6, 6-Sept-2010".
+ Closes #1979
-Linus Nielsen Feltzing (18 Apr 2013)
-- Add tests/http_pipe.py to the tarball build
+- test950; verify SMTP with custom request
-Steve Holme (16 Apr 2013)
-- smtp: Re-factored all perform based functions
+- ftpserver: support case insensitive commands
+
+- smtp_done: free data before returning (on send failure)
+
+ ... as otherwise it could leak that memory.
- Standardised the naming of all perform based functions to be in the form
- smtp_perform_something().
+ Detected by OSS-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600
+
+ Assisted-by: Max Dymond
+ Closes #1977
-- smtp: Added description comments to all perform based functions
+- FTP: URL decode path for dir listing in nocwd mode
+
+ Reported-by: Zenju on github
+
+ Test 244 added to verify
+ Fixes #1974
+ Closes #1976
-- smtp: Moved smtp_quit() to be with the other perform functions
+- test298: verify --ftp-method nowcwd with URL encoded path
+
+ Ref: #1974
-- smtp: Moved smtp_rcpt_to() to be with the other perform functions
+- CURLOPT_XFERINFODATA.3: fix duplicate see also
-- smtp: Moved smtp_mail() to be with the other perform functions
+- CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
-Daniel Stenberg (16 Apr 2013)
-- [Wouter Van Rooy brought this change]
+- FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
- curl-config: don't output static libs when they are disabled
+- openssl: enable PKCS12 support for !BoringSSL
- Curl-config outputs static libraries even when they are disabled in
- configure.
+ Enable PKCS12 for all non-boringssl builds without relying on configure
+ or cmake checks.
- This causes problems with the build of pycurl.
+ Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html
+ Reported-by: Christian Schmitz
+ Closes #1948
-- [Dave Reisner brought this change]
+- [Kristiyan Tsaklev brought this change]
- docs/libcurl: fix formatting in manpage
+ curl: don't pass semicolons when parsing Content-Disposition
- Commit c3ea3eb6 introduced some minor cosmetic errors in
- curl_mutli_socket_action(3).
-
-- [Paul Howarth brought this change]
-
- Add extra libs for lib1900 and lib2033 test programs
+ Test 1422 updated to verify.
- These are needed in cases where clock_gettime is used, from librt.
+ Closes #1964
-Dan Fandrich (15 Apr 2013)
-- FAQ: mention that the network connection can be monitored
+Patrick Monnerat (9 Oct 2017)
+- mime: properly unbind mime structure in curl_mime_free().
- Also note the prohibition on sharing handles across threads.
-
-Steve Holme (15 Apr 2013)
-- pop3: Added missing comment for pop3_state_apop_resp()
-
-- smtp: Updated the coding style of smtp_state_servergreet_resp()
+ This allows freeing a mime structure bound to the easy handle before
+ curl_easy_cleanup().
- Updated the coding style, in this function, to be consistant with other
- response functions rather then performing a hard return on failure.
+ Fixes #1970.
-- pop3: Updated the coding style of pop3_state_servergreet_resp()
+Daniel Stenberg (9 Oct 2017)
+- RTSP: avoid integer overflow on funny RTSP response
- Updated the coding style, in this function, to be consistent with other
- response functions rather then performing a hard return on failure.
-
-- pop3: Re-factored all perform based functions
+ ... like a very large non-existing RTSP version number.
- Standardised the naming of all perform based functions to be in the form
- pop3_perform_something() following the changes made to IMAP.
+ Added test 577 to verify.
+
+ Detected by OSS-fuzz.
+ Closes #1969
-- pop3: Added description comments to all perform based functions
+Patrick Monnerat (8 Oct 2017)
+- ftpserver: properly reset $ftptargetdir.
-- pop3: Moved pop3_quit() to be with the other perform functions
+- test643: verify curl_mime_subparts() rejects cyclic additions.
-- pop3: Moved pop3_command() to be with the other perform functions
+- mime: refuse to add subparts to one of their own descendants.
- Started to apply the same tidy up to the POP3 code as applied to the
- IMAP code in the 7.30.0 release.
-
-- RELEASE-NOTES: Removed erroneous spaces
+ Reported-by: Alexey Melnichuk
+ Fixes #1962
-- RELEASE-NOTES: synced with 8723cade21fb
+- mime: avoid resetting a part's encoder when part's contents change.
-- smtp: Added support for ;auth=<mech> in the URL
+- mime: improve unbinding top multipart from easy handle.
- Added support for specifying the preferred authentication mechanism in
- the URL as per Internet-Draft 'draft-earhart-url-smtp-00'.
+ Also avoid dangling pointers in referencing parts.
-- pop3: Reworked authentication type constants
-
- ... to use left-shifted values, like those defined in curl.h, rather
- than 16-bit hexadecimal values.
+Daniel Stenberg (8 Oct 2017)
+- RELEASE-NOTES: synced with a4c1c75da30af1
-- pop3: Small consistency tidy up
+- curlver.h: next expected release is 7.57.0
-- pop3: Added support for ;auth=<mech> in the URL
-
- Added support for specifying the preferred authentication type and SASL
- mechanism in the URL as per RFC-2384.
+Patrick Monnerat (8 Oct 2017)
+- mime: be tolerant about setting twice the same header list in a part.
-- imap: Added support for ;auth=<mech> in the URL
+- docs: clarify form/mime usage of non-regular data files.
+
+Daniel Stenberg (8 Oct 2017)
+- Revert "multi_done: wait for name resolve to finish if still ongoing"
+
+ This reverts commit f3e03f6c0ac52a1bf396e03f7d7e9b5b3b7165fe.
- Added support for specifying the preferred authentication mechanism in
- the URL as per RFC-5092.
+ Caused memory leaks in the fuzzer, needs to be done differently.
+
+ Disable test 1553 for now too, as it causes memory leaks without this
+ commit!
-- sasl: Reworked SASL mechanism constants
+- remove_handle: call multi_done() first, then clear dns cache pointer
- ... to use left-shifted values, like those defined in curl.h, rather
- than 16-bit hexadecimal values.
+ Closes #1960
-- sasl: Added predefined preferred mechanism values
+- multi_done: wait for name resolve to finish if still ongoing
- In preparation for the upcoming changes to IMAP, POP3 and SMTP added
- preferred mechanism values.
+ ... as we must clean up memory.
-- url: Added support for parsing login options from the URL
+- pingpong: return error when trying to send without connection
- As well as parsing the username and password from the URL, added support
- for parsing the optional options part from the login details, to allow
- the following supported URL format:
+ When imap_done() got called before a connection is setup, it would try
+ to "finish up" and dereffed a NULL pointer.
- schema://username:password;options@example.com/path?q=foobar
+ Test case 1553 managed to reproduce. I had to actually use a host name
+ to try to resolve to slow it down, as using the normal local server IP
+ will make libcurl get a connection in the first curl_multi_perform()
+ loop and then the bug doesn't trigger.
- This will only be used by IMAP, POP3 and SMTP at present but any
- protocol that may be given login options in the URL will be able to
- add support for them.
+ Fixes #1953
+ Assisted-by: Max Dymond
-- smtp: Fix compiler warning
+Dan Fandrich (6 Oct 2017)
+- tests: added flaky keyword to tests 587 and 644
- warning: unused variable 'smtp' introduced in commit 73cbd21b5ee6.
+ These are around 5% flaky in my Linux x86 autobuilds.
-- smtp: Moved parsing of url path into separate function
+Marcel Raad (6 Oct 2017)
+- vtls: fix warnings with --disable-crypto-auth
+
+ When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters
+ are not used.
-Daniel Stenberg (12 Apr 2013)
-- FTP: handle a 230 welcome response
+Daniel Stenberg (6 Oct 2017)
+- multi_cleanup: call DONE on handles that never got that
- ...instead of the 220 we otherwise expect.
+ ... fixes a memory leak with at least IMAP when remove_handle is never
+ called and the transfer is abruptly just abandoned early.
- Made the ftpserver.pl support sending a custom "welcome" and then
- created test 1219 to verify this fix with such a 230 welcome.
+ Test 1552 added to verify
- Bug: http://curl.haxx.se/mail/lib-2013-02/0102.html
- Reported by: Anders Havn
+ Detected by OSS-fuzz
+ Assisted-by: Max Dymond
+ Closes #1954
-- configure: try pthread_create without -lpthread
+- [Benbuck Nason brought this change]
+
+ strtoofft: Remove extraneous null check
- For libc variants without a spearate pthread lib (like bionic), try
- using pthreads without the pthreads lib first and only if that fails try
- the -lpthread linker flag.
+ Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str'
+ argument.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1216
- Reported by: Duncan
+ Closes #1952
-- FTP: access files in root dir correctly
-
- Accessing a file with an absolute path in the root dir but with no
- directory specified was not handled correctly. This fix comes with four
- new test cases that verify it.
+- openssl: fix build without HAVE_OPAQUE_EVP_PKEY
- Bug: http://curl.haxx.se/mail/lib-2013-04/0142.html
- Reported by: Sam Deane
+ Reported-by: Javier Sixto
+ Fixes #1955
+ Closes #1956
-Steve Holme (12 Apr 2013)
-- pop3: Reworked the function description for Curl_pop3_write()
+Viktor Szakats (6 Oct 2017)
+- lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
+
+ The source code is now prepared to handle the case when both
+ Win32 Crypto and OpenSSL/NSS crypto backends are enabled
+ at the same time, making it now possible to enable `USE_WIN32_CRYPTO`
+ whenever the targeted Windows version supports it. Since this
+ matches the minimum Windows version supported by curl
+ (Windows 2000), enable it unconditionally for the Win32 platform.
+
+ This in turn enables SMB (and SMBS) protocol support whenever
+ Win32 Crypto is available, regardless of what other crypto backends
+ are enabled.
+
+ Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052
+
+ Closes https://github.com/curl/curl/pull/1943
-- pop3: Added function description to pop3_parse_custom_request()
+Daniel Stenberg (5 Oct 2017)
+- build: fix --disable-crypto-auth
+
+ Reported-by: Wyatt O'Day
+ Fixes #1945
+ Closes #1947
-- pop3: Moved utility functions to end of pop3.c
+Jay Satiro (5 Oct 2017)
+- [Nick Zitzmann brought this change]
-Nick Zitzmann (12 Apr 2013)
-- darwinssl: add TLS session resumption
+ darwinssl: add support for TLSv1.3
- This ought to speed up additional TLS handshakes, at least in theory.
+ Closes https://github.com/curl/curl/pull/1794
-Steve Holme (12 Apr 2013)
-- imap: Added function description to imap_parse_custom_request()
+Daniel Stenberg (4 Oct 2017)
+- [Felix Kaiser brought this change]
-- imap: Moved utility functions to end of imap.c (Part 3/3)
+ docs: fix typo in curl_mime_data_cb man page
- Moved imap_is_bchar() be with the other utility based functions.
+ Closes #1946
-- imap: Moved utility functions to end of imap.c (Part 2/3)
+Viktor Szakats (4 Oct 2017)
+- lib/Makefile.m32: allow customizing dll suffixes
- Moved imap_parse_url_path() and imap_parse_custom_request() to the end of the
- file allowing all utility functions to be grouped together.
-
-- imap: Moved utility functions to end of imap.c (Part 1/3)
+ - New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated
+ libcurl dll name. Useful to add `-x64` to 64-bit builds so that
+ it can live in the same directory as the 32-bit one. By default
+ this is empty.
+
+ - New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the
+ generated import library (implib) for libcurl .dll. It defaults
+ to `dll`, and it's useful to modify that to `.dll` to have the
+ standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`.
- Moved imap_atom() and imap_sendf() to the end of the file allowing all
- utility functions to be grouped together.
+ Closes https://github.com/curl/curl/pull/1942
-- imap: Corrected function description for imap_connect()
+Daniel Stenberg (4 Oct 2017)
+- [Max Dymond brought this change]
-Kamil Dudka (12 Apr 2013)
-- tests: prevent test206, test1060, and test1061 from failing
+ fuzzer: move to using external curl-fuzzer
- ... in case runtests.pl is invoked with non-default -b option
+ Use the external curl-fuzzer repository for fuzzing.
- Fixes a regression caused by 1e29d275c643ef6aab7948f0f55a7a9397e56b42.
+ Closes #1923
-Daniel Stenberg (12 Apr 2013)
-- [David Strauss brought this change]
+- failf: skip the sprintf() if there are no consumers
+
+ Closes #1936
- libcurl-share.3: update what it does and does not share.
+- ftp: UBsan fixup 'pointer index expression overflowed'
- Update sharing interface documentation to provide exhaustive list of
- what it does and does not share.
+ Closes #1939
-- THANKS: remove duplicated names
+- RELEASE-PROCEDURE: update the release schedule
-- bump: start working towards next release
+Version 7.56.0 (4 Oct 2017)
-- THANKS: added people from the 7.30.0 RELEASE-NOTES
+Daniel Stenberg (4 Oct 2017)
+- RELEASE-NOTES: curl 7.56.0
-Version 7.30.0 (12 Apr 2013)
+- THANKS: added new 7.56.0 contributors
-Daniel Stenberg (12 Apr 2013)
-- RELEASE-NOTES: cleaned up for 7.30 (synced with 5c5e1a1cd20)
+Jay Satiro (4 Oct 2017)
+- build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported
- Most notable the security advisory:
- http://curl.haxx.se/docs/adv_20130412.html
+ Ref: https://github.com/curl/curl/issues/1002
+
+Michael Kaufmann (3 Oct 2017)
+- idn: fix source code comment
-- test1218: another cookie tailmatch test
+- vtls: compare and clone ssl configs properly
- ... and make 1216 also verify it with a file input
+ Compare these settings in Curl_ssl_config_matches():
+ - verifystatus (CURLOPT_SSL_VERIFYSTATUS)
+ - random_file (CURLOPT_RANDOM_FILE)
+ - egdsocket (CURLOPT_EGDSOCKET)
- These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie
- domain tailmatch" vulnerability. See
- http://curl.haxx.se/docs/adv_20130412.html
-
-- [YAMADA Yasuharu brought this change]
-
- cookie: fix tailmatching to prevent cross-domain leakage
+ Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(),
+ and copy the setting "sessionid" unconditionally.
- Cookies set for 'example.com' could accidentaly also be sent by libcurl
- to the 'bexample.com' (ie with a prefix to the first domain name).
+ This means that reusing connections that are secured with a client
+ certificate is now possible, and the statement "TLS session resumption
+ is disabled when a client certificate is used" in the old advisory at
+ https://curl.haxx.se/docs/adv_20170419.html is obsolete.
- This is a security vulnerabilty, CVE-2013-1944.
+ Reviewed-by: Daniel Stenberg
- Bug: http://curl.haxx.se/docs/adv_20130412.html
-
-Guenter Knauf (11 Apr 2013)
-- Enabled MinGW sync resolver builds.
-
-Yang Tse (10 Apr 2013)
-- if2ip.c: fix compiler warning
+ Closes #1917
-Guenter Knauf (10 Apr 2013)
-- Fixed lost OpenSSL output with "-t" - followup.
+- proxy: read the "no_proxy" variable only if necessary
- The previously applied patch didnt work on Windows; we cant rely
- on shell commands like 'echo' since they act diffently on each
- platform and each shell.
- In order to keep this script platform-independent the code must
- only use pure Perl.
+ Reviewed-by: Daniel Stenberg
+
+ Closes #1919
+
+Patrick Monnerat (3 Oct 2017)
+- libcurl-tutorial: add casts in example to avoid compilation warnings.
-Daniel Stenberg (9 Apr 2013)
-- test1217: verify parsing 257 responses with "rubbish" before path
+Daniel Stenberg (3 Oct 2017)
+- examples: bring back curl_formadd-using examples
- Test 1217 verifies commit e0fb2d86c9f78, and without that change this
- test fails.
+ ... now with a -formadd suffix. While the new mime API is introduced in
+ 7.56.0 we must acknowledge that lots of users can't upgrade their curl
+ versions immediately.
-- [Bill Middlecamp brought this change]
+- test1153: verify quoted double-qoutes in PWD response
- FTP: handle "rubbish" in front of directory name in 257 responses
+- FTP: zero terminate the entry path even on bad input
- When doing PWD, there's a 257 response which apparently some servers
- prefix with a comment before the path instead of after it as is
- otherwise the norm.
+ ... a single double quote could leave the entry path buffer without a zero
+ terminating byte. CVE-2017-1000254
- Failing to parse this, several otherwise legitimate use cases break.
+ Test 1152 added to verify.
- Bug: http://curl.haxx.se/mail/lib-2013-04/0113.html
+ Reported-by: Max Dymond
+ Bug: https://curl.haxx.se/docs/adv_20171004.html
-Guenter Knauf (9 Apr 2013)
-- Fixed ares-enabled builds with static makefiles.
+Jay Satiro (2 Oct 2017)
+- [Sergei Nikulov brought this change]
-- Fixed lost OpenSSL output with "-t".
+ cmake: disable tests and man generation if perl/nroff not found
- The OpenSSL pipe wrote to the final CA bundle file, but the encoded PEM
- output wrote to a temporary file. Consequently, the OpenSSL output was
- lost when the temp file was renamed to the final file at script finish
- (overwriting the final file written earlier by openssl).
- Patch posted to the list by Richard Michael (rmichael edgeofthenet org).
-
-Daniel Stenberg (9 Apr 2013)
-- test1216: test tailmatching cookie domains
+ Fixes https://github.com/curl/curl/issues/1500
+ Reported-by: Jay Satiro
- This test is an attempt to repeat the problem YAMADA Yasuharu reported
- at http://curl.haxx.se/mail/lib-2013-04/0108.html
-
-- RELEASe-NOTES: synced with 29fdb2700f797
+ Fixes https://github.com/curl/curl/pull/1662
+ Assisted-by: Tom Seddon
+ Assisted-by: dpull@users.noreply.github.com
+ Assisted-by: elelel@users.noreply.github.com
- added "tcpkeepalive on Mac OS X"
+ Closes https://github.com/curl/curl/pull/1924
-Nick Zitzmann (8 Apr 2013)
-- darwinssl: disable insecure ciphers by default
-
- I noticed that aria2's SecureTransport code disables insecure ciphers such
- as NULL, anonymous, IDEA, and weak-key ciphers used by SSLv3 and later.
- That's a good idea, and now we do the same thing in order to prevent curl
- from accessing a "secure" site that only negotiates insecure ciphersuites.
+Patrick Monnerat (2 Oct 2017)
+- libcurl-tutorial: fix two typos.
-Daniel Stenberg (8 Apr 2013)
-- [Robert Wruck brought this change]
+- TODO: remove deprecated form API items.
- tcpkeepalive: Support CURLOPT_TCP_KEEPIDLE on OSX
+- libcurl-tutorial: describe MIME API and deprecate form API.
- MacOS X doesn't have TCP_KEEPIDLE/TCP_KEEPINTVL but only a single
- TCP_KEEPALIVE (see
- http://developer.apple.com/library/mac/#DOCUMENTATION/Darwin/Reference/ManPages/man4/tcp.4.html).
- Here is a patch for CURLOPT_TCP_KEEPIDLE on OSX platforms.
+ Include a guide to form/mime API conversion.
-- configure: remove CURL_CHECK_FUNC_RECVFROM
+Daniel Stenberg (30 Sep 2017)
+- cookie: fix memory leak if path was set twice in header
- 1 - We don't use the results from the test and we never did. recvfrom()
- is only used by the TFTP code and it has not caused any problems.
+ ... this will let the second occurance override the first.
- 2 - the CURL_CHECK_FUNC_RECVFROM function is extremely slow
+ Added test 1161 to verify.
+
+ Reported-by: Max Dymond
+ Fixes #1932
+ Closes #1933
-Steve Holme (8 Apr 2013)
-- RELEASE-NOTES: Corrected duplicate NTLM memory leaks
+Dan Fandrich (30 Sep 2017)
+- test650: Use variable replacement to set the host address and port
+
+ Otherwise, the test fails when the -b test option is used to set a
+ different test port range.
-- RELEASE-NOTES: Removed trailing full stop
+- Set and use more necessary options when some protocols are disabled
+
+ When curl and libcurl are built with some protocols disabled, they stop
+ setting and receiving some options that don't make sense with those
+ protocols. In particular, when HTTP is disabled many options aren't set
+ that are used only by HTTP. However, some options that appear to be
+ HTTP-only are actually used by other protocols as well (some despite
+ having HTTP in the name) and should be set, but weren't. This change now
+ causes some of these options to be set and used for more (or for all)
+ protocols. In particular, this fixes tests 646 through 649 in an
+ HTTP-disabled build, which use the MIME API in the mail protocols.
-Daniel Stenberg (8 Apr 2013)
-- [Fabian Keil brought this change]
+Daniel Stenberg (29 Sep 2017)
+- test1160: verifies cookie leak for large cookies
+
+ The fix done in 20ea22ff735
- proxy: make ConnectionExists() check credential of proxyconnections too
+- cookie: fix memory leak on oversized rejection
- Previously it only compared credentials if the requested needle
- connection wasn't using a proxy. This caused NTLM authentication
- failures when using proxies as the authentication code wasn't send on
- the connection where the challenge arrived.
+ Regression brought by 2bc230de63b
- Added test 1215 to verify: NTLM server authentication through a proxy
- (This is a modified copy of test 67)
-
-- RELEASE-NOTES: sync with 704a5dfca9
-
-- TODO-RELEASE: cleaned up, not really maintained lately
-
-Marc Hoersken (7 Apr 2013)
-- if2ip.c: Fixed another warning: unused parameter 'remote_scope'
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513
+ Assisted-by: Max Dymond
+
+ Closes #1930
-Daniel Stenberg (7 Apr 2013)
-- [Marc Hoersken brought this change]
+- [Anders Bakken brought this change]
- cookie.c: Made cookie sort function more deterministic
+ connect: fix race condition with happy eyeballs timeout
+
+ The timer should be started after conn->connecttime is set. Otherwise
+ the timer could expire without this condition being true:
+
+ /* should we try another protocol family? */
+ if(i == 0 && conn->tempaddr[1] == NULL &&
+ curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) {
- Since qsort implementations vary with regards to handling the order
- of similiar elements, this change makes the internal sort function
- more deterministic by comparing path length first, then domain length
- and finally the cookie name. Spotted with testcase 62 on Windows.
+ Ref: #1928
-Marc Hoersken (7 Apr 2013)
-- curl_schannel.c: Follow up on memory leak fix ae4558d
+Michael Kaufmann (28 Sep 2017)
+- docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS
+
+ Closes #1922
-- Revert "getpart.pm: Strip carriage returns to fix Windows support"
+- docs: clarify the use of environment variables for proxy
- This reverts commit e51b23c925a2721cf7c29b2b376d3d8903cfb067.
- As discussed on the mailinglist, this was not the correct approach.
+ Closes #1921
-- http_negotiate.c: Fixed passing argument from incompatible pointer type
+- http: add custom empty headers to repeated requests
+
+ Closes #1920
-- ftp.c: Added missing brackets around ABOR command logic
+- reuse_conn: don't copy flags that are known to be equal
+
+ A connection can only be reused if the flags "conn_to_host" and
+ "conn_to_port" match. Therefore it is not necessary to copy these flags
+ in reuse_conn().
+
+ Closes #1918
-- sockfilt.c: Fixed detection of client-side connection close
+Daniel Stenberg (27 Sep 2017)
+- curl.h: include <sys/select.h> on cygwin too
- WINSOCK only:
- Since FD_CLOSE is only signaled once, it may trigger at the same
- time as FD_READ. Data actually being available makes it impossible
- to detect that the connection was closed by checking that recv returns
- zero. Another recv attempt could block the connection if it was
- not closed. This workaround abuses exceptfds in conjunction with
- readfds to signal that the connection has actually closed.
+ When building with -std=c++14 on cygwin, this header won't be
+ automatically included as it otherwise is.
+
+ The <sys/select.h> include decision should ideally be reversed and be
+ avoided where that header file doesn't exist.
+
+ Reported-by: Ian Fette
+ Fixes #1925
-- curl_schannel.c: Fixed memory leak if connection was not successful
+- RELEASE-NOTES: synced with d8ab5dc50
-- if2ip.c: Fixed warning: unused parameter 'remote_scope'
+Michael Kaufmann (24 Sep 2017)
+- tests: adjust .gitignore for new tests
-- runtests.pl: Fixed --verbose parameter passed to http_pipe.py
+Jay Satiro (23 Sep 2017)
+- ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header
+
+ .. and include the core NTLM header in all NTLM-related source files.
+
+ Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
+ but did not include vtls.h where it was defined.
+
+ Closes https://github.com/curl/curl/pull/1911
-- sockfilt.c: Reduce CPU load while running under a Windows PIPE
+Daniel Stenberg (23 Sep 2017)
+- file_range: avoid integer overflow when figuring out byte range
+
+ When trying to bump the value with one and the value is already at max,
+ it causes an integer overflow.
+
+ Closes #1908
+ Detected by oss-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465
+
+ Assisted-by: Max Dymond
-- tftpd.c: Apply sread timeout to the whole data transfer session
+Michael Kaufmann (23 Sep 2017)
+- tests: fix a compiler warning in test 643
-- getpart.pm: Strip carriage returns to fix Windows support
+Jay Satiro (23 Sep 2017)
+- symbols-in-versions: fix CURLSSLSET_NO_BACKENDS entry
+
+ - Use spaces instead of tabs as the delimiter.
+
+ Follow up to 7c52b12 which added the entry. The entry had used tabs but
+ the symbol-scan parser doesn't recognize tabs and would fail the symbol.
-Daniel Stenberg (6 Apr 2013)
-- ftp tests: libcurl returns CURLE_FTP_ACCEPT_FAILED better now
+Viktor Szakats (22 Sep 2017)
+- metalink: fix NSS issue in MultiSSL builds
- Since commit 57aeabcc1a20f, it handles errors on the control connection
- while waiting for the data connection better.
+ In MultiSSL mode (i.e. when more than one SSL backend is compiled
+ in), we cannot use the compile time flag `USE_NSS` as indicator that
+ the NSS backend is in use. As far as Metalink is concerned, the SSL
+ backend is only used for MD5, SHA-1 and SHA-256 calculations,
+ therefore one of the available SSL backends is selected at compile
+ time, in a strict order of preference.
- Test 591 and 592 are updated accordingly.
+ Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used
+ to determine whether the SSL backend used for Metalink is the NSS
+ backend, and use that to guard the code that wants to de-initialize
+ the NSS-specific data structure.
+
+ Ref: https://github.com/curl/curl/pull/1848
-- FTP: wait on both connections during active STOR state
+- ntlm: use strict order for SSL backend #if branches
+
+ With the recently introduced MultiSSL support multiple SSL backends
+ can be compiled into cURL That means that now the order of the SSL
- When doing PORT and upload (STOR), this function needs to extract the
- file descriptor for both connections so that it will respond immediately
- when the server eventually connects back.
+ One option would be to use the same SSL backend as was configured
+ via `curl_global_sslset()`, however, NTLMv2 support would appear
+ to be available only with some SSL backends. For example, when
+ eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
+ support for NTLMv1 using Windows' Crypt API, it specifically did
+ *not* introduce NTLMv2 support using Crypt API at the same time.
- This flaw caused active connections to become unnecessary slow but they
- would still often work due to the normal polling on a timeout. The bug
- also would not occur if the server connected back very fast, like when
- testing on local networks.
+ So let's select one specific SSL backend for NTLM support when
+ compiled with multiple SSL backends, using a priority order such
+ that we support NTLMv2 even if only one compiled-in SSL backend can
+ be used for that.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1183
- Reported by: Daniel Theron
+ Ref: https://github.com/curl/curl/pull/1848
-Marc Hoersken (6 Apr 2013)
-- tftpd.c: Follow up cleanup and restore of previous sockopt
+Daniel Stenberg (22 Sep 2017)
+- symbols-in-versions: add CURLSSLSET_NO_BACKENDS
+
+ ...fixup from b8e0fe19ec
-Daniel Stenberg (6 Apr 2013)
-- [Kim Vandry brought this change]
+- imap: quote atoms properly when escaping characters
+
+ Updates test 800 to verify
+
+ Fixes #1902
+ Closes #1903
- connect: treat an interface bindlocal() problem as a non-fatal error
+- tests: make the imap server not verify user+password
- I am using curl_easy_setopt(CURLOPT_INTERFACE, "if!something") to force
- transfers to use a particular interface but the transfer fails with
- CURLE_INTERFACE_FAILED, "Failed binding local connection end" if the
- interface I specify has no IPv6 address. The cause is as follows:
+ ... as the test cases themselves do that and it makes it easier to add
+ crazy test cases.
- The remote hostname resolves successfully and has an IPv6 address and an
- IPv4 address.
+ Test 800 updated to use user name + password that need quoting.
- cURL attempts to connect to the IPv6 address first.
+ Test 856 updated to trigger an auth fail differently.
- bindlocal (in lib/connect.c) fails because Curl_if2ip cannot find an
- IPv6 address on the interface.
+ Ref: #1902
+
+- vtls: provide curl_global_sslset() even in non-SSL builds
- This is a fatal error in singleipconnect()
+ ... it just returns error:
- This change will make cURL try the next IP address in the list.
+ Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367
+ Reported-by: Marcel Raad
- Also included are two changes related to IPv6 address scope:
+ Closes #1906
+
+Patrick Monnerat (22 Sep 2017)
+- form/mime: field names are not allowed to contain zero-valued bytes.
- - Filter the choice of address in Curl_if2ip to only consider addresses
- with the same scope ID as the connection address (mismatched scope for
- local and remote address does not result in a working connection).
+ Also suppress length argument of curl_mime_name() (names are always
+ zero-terminated).
+
+Daniel Stenberg (21 Sep 2017)
+- [Dirk Feytons brought this change]
+
+ openssl: only verify RSA private key if supported
- - bindlocal was ignoring the scope ID of addresses returned by
- Curl_if2ip . Now it uses them.
+ In some cases the RSA key does not support verifying it because it's
+ located on a smart card, an engine wants to hide it, ...
+ Check the flags on the key before trying to verify it.
+ OpenSSL does the same thing internally; see ssl/ssl_rsa.c
- Bug: http://curl.haxx.se/bug/view.cgi?id=1189
+ Closes #1904
-Marc Hoersken (6 Apr 2013)
-- tftpd.c: Fixed sread timeout on Windows by setting it manually
+Marcel Raad (21 Sep 2017)
+- examples/post-callback: use long for CURLOPT_POSTFIELDSIZE
+
+ Otherwise, typecheck-gcc.h warns on MinGW-w64.
-- ftp.pm: Added tskill to support Windows XP Home
+Patrick Monnerat (20 Sep 2017)
+- mime: rephrase the multipart output state machine (#1898) ...
+
+ ... in hope coverity will like it much.
-- runtests.pl: Modularization of MinGW/Msys compatibility functions
+- mime: fix an explicit null dereference (#1899)
-- ftp.pm: Made Perl testsuite able to handle Windows processes
+Daniel Stenberg (20 Sep 2017)
+- curl: check fseek() return code and bail on error
+
+ Detected by coverity. CID 1418137.
-- util.c: Revert workaround eeefcdf, 6eb56e7 and e3787e8
+- smtp: fix memory leak in OOM
+
+ Regression since ce0881edee
+
+ Coverity CID 1418139 and CID 1418136 found it, but it was also seen in
+ torture testing.
-- ftp.pm: Made Perl testsuite able to kill Windows processes
+- RELEASE-NOTES: synced with 5fe85587c
-- util.c: Follow up cleanup on eeefcdf
+- [Pavel Pavlov brought this change]
-Daniel Stenberg (6 Apr 2013)
-- cpp: use #ifdef __MINGW32__ to avoid compiler complaints
+ cookies: use lock when using CURLINFO_COOKIELIST
- ... instead of just #if
+ Closes #1896
-Marc Hoersken (6 Apr 2013)
-- util.c: Made write_pidfile write the correct PID on MinGW/Msys
+- [Max Dymond brought this change]
+
+ ossfuzz: changes before merging the generated corpora
+
+ Before merging in the oss-fuzz corpora from Google, there are some changes
+ to the fuzzer.
+ - Add a read corpus script, to display corpus files nicely.
+ - Change the behaviour of the fuzzer so that TLV parse failures all now
+ go down the same execution paths, which should reduce the size of the
+ corpora.
+ - Make unknown TLVs a failure to parse, which should decrease the size
+ of the corpora as well.
- This workaround fixes an issue on MinGW/Msys regarding the Perl
- testsuite scripts not being able to signal or control the server
- processes. The MinGW Perl runtime only sees the Msys processes and
- their corresponding PIDs, but sockfilt (and other servers) wrote the
- Windows PID into their PID-files. Since this PID is useless to the
- testsuite, the write_pidfile function was changed to search for the
- Msys PID and write that into the PID-file.
+ Closes #1881
-Daniel Stenberg (5 Apr 2013)
-- RELEASE-NOTES: synced with 5e722b2d09087
+- mime:escape_string minor clarification change
- 3 more bug fixes, 6 more contributors
+ ... as it also removes a warning with old gcc versions.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0049.html
+ Reported-by: Ben Greear
-Marc Hoersken (5 Apr 2013)
-- sockfilt.c: Fixed handling of multiple fds being signaled
+- [Max Dymond brought this change]
-Kamil Dudka (5 Apr 2013)
-- curl_global_init.3: improve description of CURL_GLOBAL_ALL
+ ossfuzz: don't write out to stdout
+
+ Don't make the fuzzer write out to stdout - instead write some of the
+ contents to a memory block so we exercise the data output code but
+ quietly.
- Reported by: Tomas Mlcoch
+ Closes #1885
-- examples/multi-single.c: fix the order of destructions
+- cookies: reject oversized cookies
+
+ ... instead of truncating them.
+
+ There's no fixed limit for acceptable cookie names in RFC 6265, but the
+ entire cookie is said to be less than 4096 bytes (section 6.1). This is
+ also what browsers seem to implement.
+
+ We now allow max 5000 bytes cookie header. Max 4095 bytes length per
+ cookie name and value. Name + value together may not exceed 4096 bytes.
+
+ Added test 1151 to verify
- ... so that it adheres to the API documentation.
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
+ Reported-by: Kevin Smith
- Reported by: Tomas Mlcoch
+ Closes #1894
-Daniel Stenberg (5 Apr 2013)
-- Curl_open: restore default MAXCONNECTS to 5
+- travis: on mac, don't install openssl or libidn
- At some point recently we lost the default value for the easy handle's
- connection cache, and this change puts it back to 5 - which is the
- former default value and it is documented in the curl_easy_setopt.3 man
- page.
+ - openssl is already installed and causes warnings when trying to
+ install again
+
+ - libidn isn't used these days, and homebrew doesn't seem to have a
+ libidn2 package to replace with easily
+
+ Closes #1895
-Marc Hoersken (4 Apr 2013)
-- sockfilt.c: Added wrapper functions to fix Windows console issues
+- curl: make str2udouble not return values on error
- The new read and write wrapper functions support reading from stdin
- and writing to stdout/stderr on Windows by using the appropriate
- Windows API functions and data types.
+ ... previously it would store a return value even when it returned
+ error, which could make the value get used anyway!
+
+ Reported-by: Brian Carpenter
+ Closes #1893
-Yang Tse (4 Apr 2013)
-- lib1509.c: fix compiler warnings
+Jay Satiro (18 Sep 2017)
+- socks: fix incorrect port number in SOCKS4 error message
+
+ Prior to this change it appears the SOCKS5 port parsing was erroneously
+ used for the SOCKS4 error message, and as a result an incorrect port
+ would be shown in the error message.
+
+ Bug: https://github.com/curl/curl/issues/1892
+ Reported-by: Jackarain@users.noreply.github.com
-- easy.c: fix compiler warning
+- [Marc Aldorasi brought this change]
-Daniel Stenberg (4 Apr 2013)
-- --engine: spellfix the help message
+ schannel: Support partial send for when data is too large
+
+ Schannel can only encrypt a certain amount of data at once. Instead of
+ failing when too much data is to be sent at once, send as much data as
+ we can and let the caller send the remaining data by calling send again.
- Reported by: Fredrik Thulin
+ Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html
+
+ Closes https://github.com/curl/curl/pull/1890
-Yang Tse (4 Apr 2013)
-- http_negotiate.c: follow-up for commit 3dcc1a9c
+- [David Benjamin brought this change]
-Linus Nielsen Feltzing (4 Apr 2013)
-- easy: Fix the broken CURLOPT_MAXCONNECTS option
+ openssl: add missing includes
- Copy the CURLOPT_MAXCONNECTS option to CURLMOPT_MAXCONNECTS in
- curl_easy_perform().
+ lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
+ their headers directly rather than relying on other OpenSSL headers
+ including things.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1212
- Reported-by: Steven Gu
+ Closes https://github.com/curl/curl/pull/1891
-Guenter Knauf (4 Apr 2013)
-- Updated copyright date.
+Daniel Stenberg (15 Sep 2017)
+- conversions: fix several compiler warnings
-- Another small output fix for --help and --version.
+- server/getpart: provide dummy function to build conversion enabled
-Yang Tse (4 Apr 2013)
-- http_negotiate.c: fix several SPNEGO memory handling issues
+- non-ascii: use iconv() with 'char **' argument
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0031.html
-Guenter Knauf (4 Apr 2013)
-- Added a cont to specify base64 line wrap.
+- escape.c: error: pointer targets differ in signedness
-- Fixed version output.
+- docs: clarify the CURLOPT_INTERLEAVE* options behavior
-- Added support for --help and --version options.
+- [Max Dymond brought this change]
-- Added option to specify length of base64 output.
+ rtsp: Segfault in rtsp.c when using WRITEDATA
- Based on a patch posted to the list by Richard Michael.
-
-Daniel Stenberg (3 Apr 2013)
-- curl_easy_setopt.3: CURLOPT_HTTPGET disables CURLOPT_UPLOAD
+ If the INTERLEAVEFUNCTION is defined, then use that plus the
+ INTERLEAVEDATA information when writing RTP. Otherwise, use
+ WRITEFUNCTION and WRITEDATA.
+
+ Fixes #1880
+ Closes #1884
-- [Yasuharu Yamada brought this change]
+Marcel Raad (15 Sep 2017)
+- [Isaac Boukris brought this change]
- Curl_cookie_add: only increase numcookies for new cookies
+ tests: enable gssapi in travis-ci linux build
- Count up numcookies in Curl_cookie_add() only when cookie is new one
+ Closes https://github.com/curl/curl/pull/1687
-- SO_SNDBUF: don't set SNDBUF for win32 versions vista or later
+- [Isaac Boukris brought this change]
+
+ tests: add initial gssapi test using stub implementation
- The Microsoft knowledge-base article
- http://support.microsoft.com/kb/823764 describes how to use SNDBUF to
- overcome a performance shortcoming in winsock, but it doesn't apply to
- Windows Vista and later versions. If the described SNDBUF magic is
- applied when running on those more recent Windows versions, it seems to
- instead have the reversed effect in many cases and thus make libcurl
- perform less good on those systems.
+ The stub implementation is pre-loaded using LD_PRELOAD
+ and emulates common gssapi uses (only builds if curl is
+ initially built with gssapi support).
- This fix thus adds a run-time version-check that does the SNDBUF magic
- conditionally depending if it is deemed necessary or not.
+ The initial tests are currently disabled for debug builds
+ as LD_PRELOAD is not used then.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1188
- Reported by: Andrew Kurushin
- Tested by: Christian Hägele
+ Ref: https://github.com/curl/curl/pull/1687
-Nick Zitzmann (1 Apr 2013)
-- darwinssl: additional descriptive messages of SSL handshake errors
+Daniel Stenberg (15 Sep 2017)
+- test1150: verify same host fetch using different ports over proxy
- (This doesn't need to appear in the release notes.)
-
-Guenter Knauf (1 Apr 2013)
-- Added dns and connect time to output.
+ Closes #1889
-Daniel Stenberg (1 Apr 2013)
-- RELEASE-NOTES: synced with 0614b902136
+- URL: on connection re-use, still pick the new remote port
+
+ ... as when a proxy connection is being re-used, it can still get a
+ different remote port.
+
+ Fixes #1887
+ Reported-by: Oli Kingshott
-- code-policed
+- RELEASE-NOTES: synced with 87501e57f
-- tcpkeepalive: support TCP_KEEPIDLE/TCP_KEEPINTVL on win32
+- code style: remove wrong uses of multiple spaces
- Patch by: Robert Wruck
- Bug: http://curl.haxx.se/bug/view.cgi?id=1209
+ Closes #1878
-- BINDINGS: BBHTTP is a cocoa binding, Julia has a binding
+- checksrc: detect and warn for multiple spaces
-- ftp_sendquote: use PPSENDF, not FTPSENDF
-
- The last remaining code piece that still used FTPSENDF now uses PPSENDF.
- In the problematic case, a PREQUOTE series was done on a re-used
- connection when Curl_pp_init() hadn't been called so it had messed up
- pointers. The init call is done properly from Curl_pp_sendf() so this
- change fixes this particular crash.
-
- Bug: http://curl.haxx.se/mail/lib-2013-03/0319.html
- Reported by: Sam Deane
+- code style: use space after semicolon
-Steve Holme (27 Mar 2013)
-- RELEASE-NOTES: Corrected typo
+- checksrc: verify space after semicolons
-Daniel Stenberg (27 Mar 2013)
-- [Clemens Gruber brought this change]
+- code style: use spaces around pluses
- multi-uv.c: remove unused variable
+- checksrc: detect and warn for lack of spaces next to plus signs
-- RELEASE-NOTES: add two references
+- code style: use spaces around equals signs
-- test1509: verify proxy header response headers count
+- checksrc: verify spaces around equals signs
- Modified sws to support and use custom CONNECT responses instead of the
- previously naive hard-coded version. Made the HTTP test server able to
- extract test case number from the host name in a CONNECT request by
- finding the number after the last dot. It makes 'machine.moo.123' use
- test case 123.
+ ... as the code style mandates.
+
+- Curl_checkheaders: make it available for IMAP and SMTP too
- Adapted a larger amount of tests to the new <connect> style.
+ ... not only HTTP uses this now.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1204
- Reported by: Martin Jansen
-
-- [Clemens Gruber brought this change]
+ Closes #1875
- Added libuv example multi-uv.c
+- travis: add build without HTTP/SMTP/IMAP
-Yang Tse (25 Mar 2013)
-- NTLM: fix several NTLM code paths memory leaks
+Jay Satiro (10 Sep 2017)
+- mbedtls: enable CA path processing
+
+ CA path processing was implemented when mbedtls.c was added to libcurl
+ in fe7590f, but it was never enabled.
+
+ Bug: https://github.com/curl/curl/issues/1877
+ Reported-by: SBKarr@users.noreply.github.com
-- WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage
+Daniel Stenberg (8 Sep 2017)
+- rtsp: do not call fwrite() with NULL pointer FILE *
- As of 25-mar-2013 wcsdup() _wcsdup() and _tcsdup() are only used in
- WIN32 specific code, so tracking of these has not been extended for
- other build targets. Without this fix, memory tracking system on
- WIN32 builds, when using these functions, would provide misleading
- results.
+ If the default write callback is used and no destination has been set, a
+ NULL pointer would be passed to fwrite()'s 4th argument.
- In order to properly extend this support for all targets curl.h
- would have to define curl_wcsdup_callback prototype and consequently
- wchar_t should be visible before that in curl.h. IOW curl_wchar_t
- defined in curlbuild.h and this pulling whatever system header is
- required to get wchar_t definition.
+ OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327
+ (not publicly open yet)
- Additionally a new curl_global_init_mem() function that also receives
- user defined wcsdup() callback would be required.
+ Detected by OSS-fuzz
+ Closes #1874
-- curl_ntlm_msgs.c: revert commit 463082bea4
+- configure: use -Wno-varargs on clang 3.9[.X] debug builds
- reverts unreleased invalid memory leak fix
+ ... to avoid a clang bug
-Daniel Stenberg (23 Mar 2013)
-- RELEASE-NOTES: synced with bc6037ed3ec02
-
- More changes, bugfixes and contributors!
+- [Max Dymond brought this change]
-- [Martin Jansen brought this change]
+ ossfuzz: add some more handled CURL options
+
+ Add support for HEADER, COOKIE, RANGE, CUSTOMREQUEST, MAIL_RECIPIENT,
+ MAIL_FROM and uploading data.
- Curl_proxyCONNECT: count received headers
+- configure: check for C++ compiler after C, to make it non-fatal
- Proxy servers tend to add their own headers at the beginning of
- responses. The size of these headers was not taken into account by
- CURLINFO_HEADER_SIZE before this change.
+ The tests for object file/executable file extensions are presumably only
+ done for the first of these macros in the configure file.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1204
+ Bug: https://github.com/curl/curl/pull/1851#issuecomment-327597515
+ Reported-by: Marcel Raad
+ Closes #1873
-Steve Holme (21 Mar 2013)
-- sasl: Corrected a few violations of the curl coding standards
+Patrick Monnerat (7 Sep 2017)
+- form API: add new test 650.
- Corrected some incorrectly positioned pointer variable declarations to
- be "char *" rather than "char* ".
+ Now that the form API is deprecated and not used anymore in curl tool,
+ a lot of its features left untested. Test 650 attempts to check all these
+ features not tested elsewhere.
-- multi.c: Corrected a couple of violations of the curl coding standards
+Jay Satiro (7 Sep 2017)
+- configure: fix curl_off_t check's include order
- Corrected some incorrectly positioned pointer variable declarations to
- be "type *" rather than "type* ".
-
-- imap-tests: Added CRLF to reply data to be compliant with RFC-822
+ - Prepend srcdir include path instead of append.
- Updated the reply data in tests: 800, 801, 802, 804 and 1321 to possess
- the CRLF as per RFC-822.
-
-- multi.c: Fix compilation warning
+ Prior to this change it was possible that during the check for the size
+ of curl_off_t the include path of a user's already installed curl could
+ come before the include path of the to-be-built curl, resulting in the
+ system.h of the former being incorrectly included for that check.
- warning: an enumerated type is mixed with another type
+ Closes https://github.com/curl/curl/pull/1870
-- multi.c: fix compilation error
-
- warning: conversion from enumeration type to different enumeration type
+Daniel Stenberg (7 Sep 2017)
+- [Jakub Zakrzewski brought this change]
-- lib1900.c: fix compilation warning
+ KNOWN_BUGS: Remove CMake symbol hiding issue
- warning: declaration of 'time' shadows a global declaration
-
-Yang Tse (20 Mar 2013)
-- [John E. Malmberg brought this change]
+ It has already been fixed in 6140dfc
- build_vms.com: use existing curlbuild.h and parsing fix
+- http-proxy: when not doing CONNECT, that phase is done immediately
- This patch removes building curlbuild.h from the build_vms.com procedure
- and uses the one in the daily or release tarball instead.
+ `conn->connect_state` is NULL when doing a regular non-CONNECT request
+ over the proxy and should therefor be considered complete at once.
- packages/vms/build_curlbuild_h.com is obsolete with this change.
+ Fixes #1853
+ Closes #1862
+ Reported-by: Lawrence Wagerfield
+
+- [Johannes Schindelin brought this change]
+
+ OpenSSL: fix yet another mistake while encapsulating SSL backend data
- Accessing the library module name "tool_main" needs different handling
- when the optional extended parsing is enabled.
+ Another mistake in my manual fixups of the largely mechanical
+ search-and-replace ("connssl->" -> "BACKEND->"), just like the previous
+ commit concerning HTTPS proxies (and hence not caught during my
+ earlier testing).
- Tested on IA64/VMS 8.4 and VAX/VMS 7.3
-
-Nick Zitzmann (19 Mar 2013)
-- darwinssl: disable ECC ciphers under Mountain Lion by default
+ Fixes #1855
+ Closes #1871
- I found out that ECC doesn't work as of OS X 10.8.3, so those ciphers are
- turned off until the next point release of OS X.
-
-Steve Holme (18 Mar 2013)
-- FEATURES: Small tidy up for constancy and grammar
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (18 Mar 2013)
-- [Oliver Schindler brought this change]
+- [Johannes Schindelin brought this change]
- Curl_proxyCONNECT: clear 'rewindaftersend' on success
+ OpenSSL: fix erroneous SSL backend encapsulation
- After having done a POST over a CONNECT request, the 'rewindaftersend'
- boolean could be holding the previous value which could lead to badness.
+ In d65e6cc4f (vtls: prepare the SSL backends for encapsulated private
+ data, 2017-06-21), this developer prepared for a separation of the
+ private data of the SSL backends from the general connection data.
- This should be tested for in a new test case!
+ This conversion was partially automated (search-and-replace) and
+ partially manual (e.g. proxy_ssl's backend data).
- Bug: https://groups.google.com/d/msg/msysgit/B31LNftR4BI/KhRTz0iuGmUJ
-
-Steve Holme (18 Mar 2013)
-- TODO: Reordered the protocol and security sections
+ Sadly, there was a crucial error in the manual part, where the wrong
+ handle was used: rather than connecting ssl[sockindex]' BIO to the
+ proxy_ssl[sockindex]', we reconnected proxy_ssl[sockindex]. The reason
+ was an incorrect location to paste "BACKEND->"... d'oh.
- Moved SMTP, POP3, IMAP and New Protocol sections to be listed after the
- other protocols (FTP, HTTP and TELNET) and SASL to be after SSL and
- GnuTLS as these are all security related.
+ Reported by Jay Satiro in https://github.com/curl/curl/issues/1855.
- Additionally fixed numbering of the SSL and GnuTLS sections as they
- weren't consecutive.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Yang Tse (18 Mar 2013)
-- tests: specify 'text' mode for some output files in verify section
+- [Jay Satiro brought this change]
-Steve Holme (17 Mar 2013)
-- imap: Fixed incorrect initial response generation for SASL AUTHENTICATE
+ vtls: fix memory corruption
- Fixed incorrect initial response generation for the NTLM and LOGIN SASL
- authentication mechanisms when the SASL-IR was detected.
+ Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data,
+ 2017-07-28), the code handling HTTPS proxies was broken because the
+ pointer to the SSL backend data was not swapped between
+ conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but
+ instead set to NULL (causing segmentation faults).
- Introduced in commit: 6da7dc026c14.
-
-- FEATURES: Expanded the supported enhanced IMAP command list
-
-- TODO: Corrected typo in TOC
-
-- TODO: Added IMAP section and removed unused Other protocols section
-
-- TODO: Added graceful base64 decoding failure to SMTP and POP3
-
-- TODO: Corrected typo on section 10.2 heading
+ [jes: provided the commit message, tested and verified the patch]
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Yang Tse (16 Mar 2013)
-- tests: 96, 558, 1330: strip build subdirectory dependent leading path
+- vtls: switch to CURL_SHA256_DIGEST_LENGTH define
+
+ ... instead of the prefix-less version since WolfSSL 3.12 now uses an
+ enum with that name that causes build failures for us.
+
+ Fixes #1865
+ Closes #1867
+ Reported-by: Gisle Vanem
-Steve Holme (15 Mar 2013)
-- TODO: Added section 10.2 Initial response to POP3 to do list
+- travis: add c-ares enabled builds linux + osx
+
+ Closes #1868
-- imap-tests: Corrected copy/paste error in test808 reply data
+- HISTORY: added some recent items
-Yang Tse (15 Mar 2013)
-- unit1330.c: fix date
+Jay Satiro (6 Sep 2017)
+- SSL: fix unused parameter warnings
-- tests: add #96 #558 and #1330
+Patrick Monnerat (6 Sep 2017)
+- mime: drop internal FILE * support.
- These verfy that the 'memory tracking' subsystem is actually doing its
- job when using curl tool (#96), a test in libtest (#558) and also a unit
- test (#1330), in order to prevent regressions in this functionallity.
+ - The part kind MIMEKIND_FILE and associated code are suppressed.
+ - Seek data origin offset not used anymore: suppressed.
+ - MIMEKIND_NAMEDFILE renamed MIMEKIND_FILE; associated fields/functions
+ renamed accordingly.
+ - Curl_getformdata() processes stdin via a callback.
-Steve Holme (15 Mar 2013)
-- imap-tests: Added test808 for custom EXAMINE command
-
-Daniel Stenberg (15 Mar 2013)
-- HTTP proxy: insert slash in URL if missing
-
- curl has been accepting URLs using slightly wrong syntax for a long
- time, such as when completely missing as slash "http://example.org" or
- missing a slash when a query part is given
- "http://example.org?q=foobar".
-
- curl would translate these into a legitimate HTTP request to servers,
- although as was shown in bug #1206 it was not adjusted properly in the
- cases where a HTTP proxy was used.
-
- Test 1213 and 1214 were added to the test suite to verify this fix.
+Daniel Stenberg (6 Sep 2017)
+- configure: remove --enable-soname-bump and SONAME_BUMP
- The test HTTP server was adjusted to allow us to specify test number in
- the host name only without using any slashes in a given URL.
+ Back in 2008, (and commit 3f3d6ebe665f3) we changed the logic in how we
+ determine the native type for `curl_off_t`. To really make sure we
+ didn't break ABI without bumping SONAME, we introduced logic that
+ attempted to detect that it would use a different size and thus not be
+ compatible. We also provided a manual switch that allowed users to tell
+ configure to bump SONAME by force.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1206
- Reported by: ScottJi
-
-Steve Holme (14 Mar 2013)
-- ftpserver.pl: Added EXAMINE_imap() for IMAP EXAMINE commands
+ Today, we know of no one who ever got a SONAME bump auto-detected and we
+ don't know of anyone who's using the manual bump feature. The auto-
+ detection is also no longer working since we introduced defining
+ curl_off_t in system.h (7.55.0).
- Used hard coded data from RFC-3501 section 6.3.2.
-
-Yang Tse (14 Mar 2013)
-- curl_memory.h: introduce CURLX_NO_MEMORY_CALLBACKS usage possibility
+ Finally, this bumping logic is not present in the cmake build.
- This commit alone does not fix anything nor modifies existing
- interfaces or behaviors, although it is a prerequisite for other
- fixes.
+ Closes #1861
-- Makefile.vc6: add missing files
-
-Linus Nielsen Feltzing (14 Mar 2013)
-- pipelining: Remove dead code.
+Jay Satiro (6 Sep 2017)
+- [Gisle Vanem brought this change]
-- Multiple pipelines and limiting the number of connections.
+ vtls: select ssl backend case-insensitive (follow-up)
- Introducing a number of options to the multi interface that
- allows for multiple pipelines to the same host, in order to
- optimize the balance between the penalty for opening new
- connections and the potential pipelining latency.
+ - Do a case-insensitive comparison of CURL_SSL_BACKEND env as well.
- Two new options for limiting the number of connections:
+ - Change Curl_strcasecompare calls to strcasecompare
+ (maps to the former but shorter).
- CURLMOPT_MAX_HOST_CONNECTIONS - Limits the number of running connections
- to the same host. When adding a handle that exceeds this limit,
- that handle will be put in a pending state until another handle is
- finished, so we can reuse the connection.
+ Follow-up to c290b8f.
- CURLMOPT_MAX_TOTAL_CONNECTIONS - Limits the number of connections in total.
- When adding a handle that exceeds this limit,
- that handle will be put in a pending state until another handle is
- finished. The free connection will then be reused, if possible, or
- closed if the pending handle can't reuse it.
+ Bug: https://github.com/curl/curl/commit/c290b8f#commitcomment-24094313
- Several new options for pipelining:
+ Co-authored-by: Jay Satiro
+
+- openssl: Integrate Peter Wu's SSLKEYLOGFILE implementation
- CURLMOPT_MAX_PIPELINE_LENGTH - Limits the pipeling length. If a
- pipeline is "full" when a connection is to be reused, a new connection
- will be opened if the CURLMOPT_MAX_xxx_CONNECTIONS limits allow it.
- If not, the handle will be put in a pending state until a connection is
- ready (either free or a pipe got shorter).
+ This is an adaptation of 2 of Peter Wu's SSLKEYLOGFILE implementations.
- CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE - A pipelined connection will not
- be reused if it is currently processing a transfer with a content
- length that is larger than this.
+ The first one, written for old OpenSSL versions:
+ https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
- CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE - A pipelined connection will not
- be reused if it is currently processing a chunk larger than this.
+ The second one, written for BoringSSL and new OpenSSL versions:
+ https://github.com/curl/curl/pull/1346
- CURLMOPT_PIPELINING_SITE_BL - A blacklist of hosts that don't allow
- pipelining.
+ Note the first one is GPL licensed but the author gave permission to
+ waive that license for libcurl.
- CURLMOPT_PIPELINING_SERVER_BL - A blacklist of server types that don't allow
- pipelining.
+ As of right now this feature is disabled by default, and does not have
+ a configure option to enable it. To enable this feature define
+ ENABLE_SSLKEYLOGFILE when building libcurl and set environment
+ variable SSLKEYLOGFILE to a pathname that will receive the keys.
- See the curl_multi_setopt() man page for details.
-
-Yang Tse (13 Mar 2013)
-- tool_main.c: remove redundant vms_show storage-class specifier
+ And in Wireshark change your preferences to point to that key file:
+ Edit > Preferences > Protocols > SSL > Master-Secret
- vms_show 'extern' storage-class specifier removed from tool_main.c due to...
+ Co-authored-by: Peter Wu
- - Advice from Tor Arntsen: http://curl.haxx.se/mail/lib-2013-03/0164.html
+ Ref: https://github.com/curl/curl/pull/1030
+ Ref: https://github.com/curl/curl/pull/1346
- - HP OpenVMS docs stating that 'Extern is the default storage class for
- variables declared outside a function.'
- http://h71000.www7.hp.com/commercial/c/docs/dec_c_help_5.html
- (Storage_Classes section)
+ Closes https://github.com/curl/curl/pull/1866
-- test509: libcurl initialization with memory callbacks and actual usage
+Patrick Monnerat (5 Sep 2017)
+- mime: fix a trivial warning.
-Steve Holme (13 Mar 2013)
-- pop3: Removed unnecessary transfer cancellation
+- mime: replace 'struct Curl_mimepart' by 'curl_mimepart' in encoder code.
- Following commit e450f66a02d8 and the changes in the multi interface
- being used internally, from 7.29.0, the transfer cancellation in
- pop3_dophase_done() is no longer required.
-
-Yang Tse (13 Mar 2013)
-- Makefile.am: add VMS files not being included in tarball
-
-- [Tom Grace brought this change]
+ mime_state is now a typedef.
- build_vms.com: VMS build fixes
+- mime: implement encoders.
- Added missing slash in cc_full_list.
- Removed unwanted extra quotes inside symbol tool_main
- for non-VAX architectures that triggered link failure.
- Replaced curl_sys_inc with sys_inc.
+ curl_mime_encoder() is operational and documented.
+ curl tool -F option is extended with ";encoder=".
+ curl tool --libcurl option generates calls to curl_mime_encoder().
+ New encoder tests 648 & 649.
+ Test 1404 extended with an encoder specification.
-- [Tom Grace brought this change]
+- runtests.pl: support attribute "nonewline" in part verify/upload.
- tool_main.c: fix VMS global variable storage-class specifier
-
- An extern submits a psect and a global reference to the linker to point
- to it. Using "extern int vms_show = 0" also creates a globaldef.
-
- The use of the extern by itself does declare a psect but does not declare
- a globalsymbol. It does declare a globalref. But the linker needs one and
- only one globaldef or there is an error.
+- [Daniel Stenberg brought this change]
+
+ fixup data/test1135
-Patrick Monnerat (12 Mar 2013)
-- OS400: synchronize RPG binding
+- [Daniel Stenberg brought this change]
-Steve Holme (12 Mar 2013)
-- pop3: Fixed continuous wait when using --ftp-list
+ mime: unified to use the typedef'd mime structs everywhere
- Don't initiate a transfer when using --ftp-list.
+ ... and slightly edited to follow our code style better.
-Kamil Dudka (12 Mar 2013)
-- [Zdenek Pavlas brought this change]
+- [Daniel Stenberg brought this change]
- curl_global_init: accept the CURL_GLOBAL_ACK_EINTR flag
-
- The flag can be used in pycurl-based applications where using the multi
- interface would not be acceptable because of the performance lost caused
- by implementing the select() loop in python.
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1168
- Downstream Bug: https://bugzilla.redhat.com/919127
+ curl.h: use lower case curl_mime* as for all public symbols
-- easy: do not ignore poll() failures other than EINTR
+- [Daniel Stenberg brought this change]
+
+ docs/curl_mime_*.3: use correct variable types in examples
-Yang Tse (12 Mar 2013)
-- curl.h: stricter CURL_EXTERN linkage decorations logic
+Kamil Dudka (5 Sep 2017)
+- openssl: use OpenSSL's default ciphers by default
- No API change involved.
+ Up2date versions of OpenSSL maintain the default reasonably secure
+ without breaking compatibility, so it is better not to override the
+ default by curl. Suggested at https://bugzilla.redhat.com/1483972
- Info: http://curl.haxx.se/mail/lib-2013-02/0234.html
+ Closes #1846
-Daniel Stenberg (11 Mar 2013)
-- THANKS: Latin-1'ified Jiri's name
+Viktor Szakats (5 Sep 2017)
+- examples/mime: minor example code fixes
-Steve Holme (11 Mar 2013)
-- test806: Added CRLF to reply data to be compliant with RFC-822
+Daniel Stenberg (5 Sep 2017)
+- docs/curl_mime_*.3: added examples
-Daniel Stenberg (11 Mar 2013)
-- test805: added crlf newlines to make data size match
+- configure: add MultiSSL to FEATURES when enabled
- since mails sent are supposed to have CRLF line endings I added them and
- now the data size after (\Seen) matches again properly
+ ...for curl-config and its corresponding test 1014
-- test: fix newline for the data check of 807
+- http-proxy: treat all 2xx as CONNECT success
+
+ Added test 1904 to verify.
+
+ Reported-by: Lawrence Wagerfield
+ Fixes #1859
+ Closes #1860
-Yang Tse (11 Mar 2013)
-- test801 to test807: fix protocol section line endings
+- MAIL-ETIQUETTE: added "1.9 Your emails are public"
-Steve Holme (10 Mar 2013)
-- Makefile.am: Corrected a couple of spurious tab characters
+- curl.h: fix "unused checksrc ignore", remove dangling reference
- Corrected a couple of tab characters between test702 and test703, and
- between test900 and test901 which should be spaces.
+ ... to a README file that doesn't exist anymore
-- [Jiri Hruska brought this change]
+Viktor Szakats (4 Sep 2017)
+- docs: Update to secure URL versions
- imap: Added test807 for custom request functionality (STORE)
+- mime: use CURL_ZERO_TERMINATED in examples
+
+ and some minor whitespace fixes
+
+Daniel Stenberg (4 Sep 2017)
+- schannel: return CURLE_SSL_CACERT on failed verification
+
+ ... not *CACERT_BADFILE as it isn't really because of a bad file.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0002.html
+ Closes #1858
-- [Jiri Hruska brought this change]
+- test1135: fixed after bd8070085f9
- imap: Added test806 for IMAP (folder) LIST command
+- examples/post-callback: stop returning one byte at a time
+
+ ... since people copy and paste code from this example and thus they get
+ an inefficient POST operation without a good reason and sometimes
+ without understanding why.
+
+ Instead this now returns as much data as possible.
-- [Jiri Hruska brought this change]
+- RELEASE-NOTES: fixed the function counter script
- imap: Added test805 for APPEND functionality
+- curl.h: make the curl_strequal() protos use the same style
+
+ ... as the other functions. Makes it easier to machine-parse!
-- [Jiri Hruska brought this change]
+- docs: curl_mime_*.3 man page formatting edits
- imap: Added test804 for skipping SELECT if in the same mailbox
+- RELEASE-NOTES: synced with 1ab9e9b50
-- [Jiri Hruska brought this change]
+Patrick Monnerat (4 Sep 2017)
+- lib: bump version info (soname). Adapt and reenable test 1135.
- imap: Added test802 and test803 for UIDVALIDITY verification
+Daniel Stenberg (3 Sep 2017)
+- headers: move the global_sslset() proto from multi.h to curl.h
- Added one test for a request with matching UIDVALIDITY and one which is
- a mismatched request that will fail.
+ As it was added to multi.h simply to not break test 1135, which now has
+ been disabled due to the mime API addition anyway and su we can now move
+ the sslset stuff to where the other curl_global_* prototypes are.
-- [Jiri Hruska brought this change]
+Patrick Monnerat (3 Sep 2017)
+- mime: fix signed/unsigned conversions.
+
+ Use and generate CURL_ZERO_TERMINATED in curl tool and tests.
- imap: Added test801 for UID and SECTION URL parameters
+Jay Satiro (3 Sep 2017)
+- tool_formparse: fix some trivial warnings
-- [Jiri Hruska brought this change]
+Patrick Monnerat (3 Sep 2017)
+- mime: use size_t instead of ssize_t in public API interface.
+
+ To support telling a string is nul-terminated, symbol CURL_ZERO_TERMINATED
+ has been introduced.
+
+ Documentation updated accordingly.
+
+ symbols in versions updated. Added form API symbols deprecation info.
- imap-tests: Accept quoted parameters in ftpserver.pl
+- mime: remove support "-" stdin pseudo-file name in curl_mime_filedata().
+
+ This feature is badly supported in Windows: as a replacement, a caller has
+ to use curl_mime_data_cb() with fread, fseek and possibly fclose
+ callbacks to process opened files.
- Any IMAP parameter can come in escaped and in double quotes. Added a
- simple function to unquote the command parameters and applied it to
- the IMAP command handlers.
+ The cli tool and documentation are updated accordingly.
+
+ The feature is however kept internally for form API compatibility, with
+ the known caveats it always had.
+
+ As a side effect, stdin size is not determined by the cli tool even if
+ possible and this results in a chunked transfer encoding. Test 173 is
+ updated accordingly.
-- [Jiri Hruska brought this change]
+- mime: fix some implicit curl_off_t --> size_t conversion warnings.
- tests: Fix ftpserver.pl indentation
+- mime: tests and examples.
- The whole of FETCH_imap() had one extra space of indentation, whilst
- APPEND_imap() used indentation of 2 instead of 4 in places.
+ Additional mime-specific tests.
+ Existing tests updated to reflect small differences (Expect: 100-continue,
+ data size change due to empty lines, etc).
+ Option -F headers= keyword added to tests.
+ test1135 disabled until the entry point order change is resolved.
+ New example smtp-mime.
+ Examples postit2 and multi-post converted from form API to mime API.
-- Makefile.am: Corrected end of line filler character
+- mime: use in curl cli tool instead of form API.
- The majority of lines, that specify a test file for inclusion, end with
- a tab character before the slash whilst some end with a space. Corrected
- those that end with a space to end with a tab character as well.
+ Extended -F option syntax to support multipart mail messages.
+ -F keyword headers= added to include custom headers in parts.
+ Documentation upgraded.
-- email-tests: Updated the test data that corresponds to the test number
+- mime: new MIME API.
- Finished segregating the email protocol tests, into their own protocol
- based ranges, in preparation of adding more e-mail related tests to the
- test suite.
+ Available in HTTP, SMTP and IMAP.
+ Deprecates the FORM API.
+ See CURLOPT_MIMEPOST.
+ Lib code and associated documentation.
-- email-tests: Renamed the IMAP test to be 800
+- test564: Add a warning comment about shell profile output.
- Continued segregating the email protocol tests, into their own protocol
- based ranges, in preparation of adding more e-mail related tests to the
- test suite.
+ Shell profile output makes the SSH server failing and this problem reason
+ is not easy to find when no hint is given.
-- email-tests: Renamed the SMTP tests to be in the range 900-906
+- checksrc: disable SPACEBEFOREPAREN for case statement.
- Continued segregating the email protocol tests, into their own protocol
- based ranges, in preparation of adding more e-mail related tests to the
- test suite.
+ The case keyword may be followed by a constant expression and thus should
+ allow it to start with an open parenthesis.
-- email-tests: Renamed the POP3 tests to be in the range 850-857
+- runtests.pl: allow <file[1-4]> tags in client section.
- Started segregating the email protocol tests, into their own protocol
- based ranges, in preparation of adding more e-mail related tests to the
- test suite.
+ This enables tests to create more than one file on the client side.
-Daniel Stenberg (10 Mar 2013)
-- hiperfifo: updated to use current libevent API
+- runtests.pl: Apply strippart to upload too.
- Patch by: Myk Taylor
+ This will allow substitution of boundaries in mail messages.
-Steve Holme (10 Mar 2013)
-- imap: Reworked some function descriptions
+- Curl_base64_encode: always call with a real data handle.
+
+ Some calls in different modules were setting the data handle to NULL, causing
+ segmentation faults when using builds that enable character code conversions.
-- imap: Added some missing comments to imap_sendf()
+- non-ascii: allow conversion functions to be called with a NULL data handle.
-- email: Removed hard returns from init functions
+- http: fix a memory leakage in checkrtspprefix().
-Daniel Stenberg (9 Mar 2013)
-- curl_multi_wait: avoid second loop if nothing to do
-
- ... hopefully this will also make clang-analyzer stop warning on
- potentional NULL dereferences (which were false positives anyway).
+Daniel Stenberg (2 Sep 2017)
+- [Max Dymond brought this change]
-- multi_runsingle: avoid NULL dereference
+ ossfuzz: Move to C++ for curl_fuzzer.
- When Curl_do() returns failure, the connection pointer could be NULL so
- the code path following needs to that that into account.
-
- Bug: http://curl.haxx.se/mail/lib-2013-03/0062.html
- Reported by: Eric Hu
+ Automake gets confused if you want to use C++ static libraries with C
+ code - basically we need to involve the clang++ linker. The easiest way
+ of achieving this is to rename the C code as C++ code. This gets us a
+ bit further along the path and ought to be compatible with Google's
+ version of clang.
-Steve Holme (9 Mar 2013)
-- imap: Re-factored all perform based functions
+- curl_global_sslset: select backend by name case insensitively
- Standardised the naming of all perform based functions to be in the form
- imap_perform_something().
+ Closes #1849
-Daniel Stenberg (9 Mar 2013)
-- [Cédric Deltheil brought this change]
+- [Max Dymond brought this change]
- examples/getinmemory.c: abort the transfer if not enough memory
+ ossfuzz: additional seed corpora
- No more use exit(3) but instead tell libcurl that no byte has been
- written to let it return a `CURLE_WRITE_ERROR`. In addition, check
- curl easy handle return code.
-
-- RELEASE-NOTES: synced with ca3c0ed3a9c
+ Create simple seed corpora for:
+ - FTP
+ - telnet
+ - dict
+ - tftp
+ - imap
+ - pop3
- 8 more bugfixes, one change and a bunch of contributors
-
-Yang Tse (9 Mar 2013)
-- Makefile.am: empty AM_LDFLAGS definition for automake 1.7 compatibility
+ based off the tests of the same number.
+
+ Closes #1842
-Steve Holme (9 Mar 2013)
-- imap: Added description comments to all perform based functions
+- [Max Dymond brought this change]
-- imap: Removed the need for separate custom request functions
+ ossfuzz: moving towards the ideal integration
- Moved the custom request processing into the LIST command as the logic
- is the same.
+ - Start with the basic code from the ossfuzz project.
+ - Rewrite fuzz corpora to be binary files full of Type-Length-Value
+ data, and write a glue layer in the fuzzing function to convert
+ corpora into CURL options.
+ - Have supporting functions to generate corpora from existing tests
+ - Integrate with Makefile.am
-- imap: Corrected typo in comment
+- strcase: corrected comment header for Curl_strcasecompare()
-Yang Tse (9 Mar 2013)
-- Makefile.am: empty AM_LDFLAGS definition for automake 1.7 compatibility
+- unit1301: fix error message on first test
-Steve Holme (9 Mar 2013)
-- imap: Moved imap_logout() to be grouped with the other perform functions
+- curl_global_sslset.3: show the struct and enum too
+
+ ... so that users can actually write code based on the man page alone,
+ not having to read the header file.
-- email: Updated the function descriptions for the logout / quit functions
+Jay Satiro (31 Aug 2017)
+- darwinssl: handle long strings in TLS certs (follow-up)
+
+ - Fix handling certificate subjects that are already UTF-8 encoded.
+
+ Follow-up to b3b75d1 from two days ago. Since then a copy would be
+ skipped if the subject was already UTF-8, possibly resulting in a NULL
+ deref later on.
+
+ Ref: https://github.com/curl/curl/issues/1823
+ Ref: https://github.com/curl/curl/pull/1831
- Updated the function description comments following commit 4838d196fdbf.
+ Closes https://github.com/curl/curl/pull/1836
-- email: Simplified the logout / quit functions
+Daniel Stenberg (31 Aug 2017)
+- cyassl: call it the "WolfSSL" backend
- Moved the blocking state machine to the disconnect functions so that the
- logout / quit functions are only responsible for sending the actual
- command needed to logout or quit.
+ ... instead of cyassl, as this is the current name for it.
- Additionally removed the hard return on failure.
+ Closes #1844
-- email: Tidied up the *_regular_transfer() functions
+- polarssl: fix multissl breakage
- Added comments and simplified convoluted dophase_done comparison.
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0121.html
+ Closes #1843
-- email: Simplified nesting of if statements in *_doing() functions
+- configure: remove the leading comma from the backends list
+
+ ... when darwinssl is used.
+
+ Reported-by: Viktor Szakats
+ Bug: https://github.com/curl/curl/commit/b0989cd3abaff4f9a0717b4875022fa79e33b481#commitcomment-23943493
+
+ Closes #1845
-Daniel Stenberg (8 Mar 2013)
-- RELEASE-NOTES: mention that krb4 is up for consideration
+Kamil Dudka (30 Aug 2017)
+- examples/sslbackend.c: fix failure of 'make checksrc'
+
+ ./sslbackend.c:58:3: warning: else after closing brace on same line (BRACEELSE)
+ } else if(isdigit(*name)) {
+ ^
+ ./sslbackend.c:62:3: warning: else after closing brace on same line (BRACEELSE)
+ } else
+ ^
-Steve Holme (8 Mar 2013)
-- imap: Fixed handling of untagged responses for the STORE custom command
+Viktor Szakats (30 Aug 2017)
+- makefile.m32: add multissl support
- Added an exception, for the STORE command, to the untagged response
- processor in imap_endofresp() as servers will back respones containing
- the FETCH keyword instead.
+ Closes https://github.com/curl/curl/pull/1840
-Yang Tse (8 Mar 2013)
-- curlbuild.h.dist: enhance non-configure GCC ABI detection logic
+Daniel Stenberg (30 Aug 2017)
+- curl.h: CURLSSLBACKEND_WOLFSSL used wrong value
- GCC specific adjustments:
+ The CURLSSLBACKEND_WOLFSSL is supposed to be an alias for
+ CURLSSLBACKEND_CYASSL, but used an erronous value. To reduce the risk
+ for a similar mistake, define the backend aliases to use the enum values
+ instead.
- - check __ILP32__ before 32 and 64bit processor architectures in
- order to detect ILP32 programming model on 64 bit processors
- which, of course, also support LP64 programming model, when using
- gcc 4.7 or newer.
+ Reported-by: Gisle Vanem
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0120.html
+
+- curl_global_sslset.3: clarify
- - keep 32bit processor architecture checks in order to support gcc
- versions older than 4.7 which don't define __ILP32__
+ it is a one time *set*, not necessarily a one time use... it can be
+ called again if the first call failed or just listed the alternatives.
- - check __LP64__ for gcc 3.3 and newer, while keeping 64bit processor
- architecture checks for older versions which don't define __LP64__
-
-- curlbuild.h.dist: fix GCC build on ARM systems without configure script
+ clarify that the available backends are the ones this build supports
- Bug: http://curl.haxx.se/bug/view.cgi?id=1205
- Reported by: technion
-
-- [Gisle Vanem brought this change]
+ plus add some formatting
+
+ Reported-by: Rich Gray
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0119.html
- polarssl.c: fix header filename typo
+- curl/multi.h: remove duplicated closing c++ brace
+
+ Regression since 1328f69d53f2f2e93
+
+ Fixes #1841
+ Reported-by: Andrei Karas
-- configure: use XC_LIBTOOL for portability across libtool versions
+- RELEASE-NOTES: synced with 8c33c963a
-- xc-lt-iface.m4: provide XC_LIBTOOL macro
+- HELP-US.md: spelling
-Steve Holme (7 Mar 2013)
-- imap: Fixed SELECT not being performed for custom requests
+- HELP-US.md: "How to get started helping out in the curl project"
+
+ Closes #1837
-- email: Minor code tidy up following recent changes
+Dan Fandrich (29 Aug 2017)
+- asyn-thread: Fixed cleanup after OOM
- Removed unwanted braces and added variable initialisation.
+ destroy_async_data() assumes that if the flag "done" is not set yet, the
+ thread itself will clean up once the request is complete. But if an
+ error (generally OOM) occurs before the thread even has a chance to
+ start, it will never get a chance to clean up and memory will be leaked.
+ By clearing "done" only just before starting the thread, the correct
+ cleanup sequence will happen in all cases.
-- DOCS: Corrected the IMAP URL grammar of the UIDVALIDITY parameter
+Daniel Stenberg (28 Aug 2017)
+- curl_global_init.3: mention curl_global_sslset(3)
-- FEATURES: Provided a little clarity in some IMAP features
+Dan Fandrich (28 Aug 2017)
+- unit1606: Fixed shadowed variable warning
-- email: Optimised block_statemach() functions
-
- Optimised the result test in each of the block_statemach() functions.
+- asyn-thread: Improved cleanup after OOM situations
-- DOCS: Added the list command to the IMAP URL section
+- asyn-thread: Set errno to the proper value ENOMEM in OOM situation
- Added examples of the list command and clarified existing example URLs
- following recent changes.
+ This used to be set in some configurations to EAI_MEMORY which is not a
+ valid value for errno and caused Curl_strerror to fail an assertion.
-- FEATURES: Updated for recent imap additions
+Daniel Stenberg (28 Aug 2017)
+- [Johannes Schindelin brought this change]
+
+ configure: Handle "MultiSSL" specially When versioning symbols
+
+ There is a mode in which libcurl is compiled with versioned symbols,
+ depending on the active SSL backend.
- Updated the imap features list, corrected a typo in the smtp features
- and clarified a pop3 feature.
+ When multiple SSL backends are active, it does not make sense to favor
+ one over the others, so let's not: introduce a new prefix for the case
+ where multiple SSL backends are compiled into cURL.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (7 Mar 2013)
-- version bump: the next release will be 7.30.0
+- [Johannes Schindelin brought this change]
-- checksrc: ban unsafe functions
+ configure: allow setting the default SSL backend
- The list of unsafe functions currently consists of sprintf, vsprintf,
- strcat, strncat and gets.
+ Previously, we used as default SSL backend whatever was first in the
+ `available_backends` array.
- Subsequently, some existing code needed updating to avoid warnings on
- this.
-
-Steve Holme (7 Mar 2013)
-- RELEASE-NOTES: Added missing imap fixes and additions
+ However, some users may want to override that default without patching
+ the source code.
- With all the recent imap changes it wasn't clear what new features and
- fixes should be included in the release notes.
-
-Nick Zitzmann (6 Mar 2013)
-- RELEASE-NOTES: brought this up-to-date with the latest changes
+ Now they can: with the --with-default-ssl-backend=<backend> option of
+ the ./configure script.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Steve Holme (6 Mar 2013)
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Fixed test801 and test1321 to specify a message UID
+ vtls: use Curl_ssl_multi pseudo backend only when needed
- Just a folder list would be retrieved if UID was not specified now.
+ When only one SSL backend is configured, it is totally unnecessary to
+ let multissl_init() configure the backend at runtime, we can select the
+ correct backend at build time already.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Fixed ftpserver.pl to allow verification even through LIST command
+ version: if built with more than one SSL backend, report all of them
- Commit 198012ee inadvertently broke LIST_imap().
-
-- imap: Tidied up the APPEND and final APPEND response functions
+ To discern the active one from the inactive ones, put the latter into
+ parentheses.
- Removed unnecessary state changes on failure and setting of result codes
- on success.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- imap: Tidied up the final FETCH response function
-
- Removed unnecessary state change on failure and setting of result code on
- success.
+- [Johannes Schindelin brought this change]
-- imap: Tidied up the LIST response function
+ version: add the CURL_VERSION_MULTI_SSL feature flag
- Reworked comments as they referenced custom commands, removed
- unnecessary state change on failure and setting of result code on
- success.
-
-- imap: Removed the custom request response function
+ This new feature flag reports When cURL was built with multiple SSL
+ backends.
- Removed imap_state_custom_resp() as imap_state_list_resp() provides the
- same functionality.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Updated ftpserver.pl to be more compliant, added new commands
+ metalink: allow compiling with multiple SSL backends
- Enriched IMAP capabilities of ftpserver.pl in order to be able to
- add tests for the new IMAP features.
+ Previously, the code assumed that at most one of the SSL backends would
+ be compiled in, emulating OpenSSL's functions if the configured backend
+ was not OpenSSL itself.
- * Added support for APPEND - Saves uploaded data to log/upload.$testno
- * Added support for LIST - Returns the contents of <reply/> section in
- the current test, like e.g FETCH.
- * Added support for STORE - Returns hardcoded updated flags
- * Changed handling of SELECT - Returns much more information in the
- usual set of untagged responses; uses hardcoded data from an example
- in the IMAP RFC
- * Changed handling of FETCH - Fixed response format
-
-- imap: Added check for empty UID in FETCH command
+ However, now we allow building with multiple SSL backends and choosing
+ one at runtime. Therefore, metalink needs to be adjusted to handle this
+ scenario, too.
- As the UID has to be specified by the user for the FETCH command to work
- correctly, added a check to imap_fetch(), although strictly speaking it
- is protected by the call from imap_perform().
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Kamil Dudka (6 Mar 2013)
-- nss: fix misplaced code enabling non-blocking socket mode
-
- The option needs to be set on the SSL socket. Setting it on the model
- takes no effect. Note that the non-blocking mode is still not enabled
- for the handshake because the code is not yet ready for that.
+- [Johannes Schindelin brought this change]
-Daniel Stenberg (6 Mar 2013)
-- imap: fix compiler warning
+ docs/examples: demonstrate how to select SSL backends
- imap.c:694:21: error: unused variable 'imapc' [-Werror=unused-variable]
+ The newly-introduced curl_global_sslset() function deserves to be
+ show-cased.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Steve Holme (5 Mar 2013)
-- imap: Added support for list command
+- [Johannes Schindelin brought this change]
-- imap: Added list perform and response handler functions
+ Add a man page for curl_global_sslset()
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- imap: Introduced IMAP_LIST state
+- [Johannes Schindelin brought this change]
-- imap: Small tidy up of imap_select() to match imap_append()
+ vtls: introduce curl_global_sslset()
- Updated the style of imap_select() before adding the LIST command.
-
-- imap: Moved mailbox check from the imap_do() function
+ Let's add a compile time safe API to select an SSL backend. This
+ function needs to be called *before* curl_global_init(), and can be
+ called only once.
- In preparation for the addition of the LIST command, moved the mailbox
- check from imap_do() to imap_select() and imap_append().
-
-- curl_setup.h: Added S_IRDIR() macro for compilers that don't support it
+ Side note: we do not explicitly test that it is called before
+ curl_global_init(), but we do verify that it is not called multiple times
+ (even implicitly).
- Commit 26eaa8383001 introduces the use of S_ISDIR() yet some compilers,
- such as MSVC don't support it, so we must define a substitute using
- file flags and mask.
-
-Daniel Stenberg (4 Mar 2013)
-- AddFormData: prevent only directories from being posted
+ If SSL is used before the function was called, it will use whatever the
+ CURL_SSL_BACKEND environment variable says (or default to the first
+ available SSL backend), and if a subsequent call to
+ curl_global_sslset() disagrees with the previous choice, it will fail
+ with CURLSSLSET_TOO_LATE.
- Commit f4cc54cb4746ae5a6d (shipped as part of the 7.29.0 release) was a
- bug fix that introduced a regression in that while trying to avoid
- allowing directory names, it also forbade "special" files like character
- devices and more. like "/dev/null" as was used by Oliver who reported
- this regression.
+ The function also accepts an "avail" parameter to point to a (read-only)
+ NULL-terminated list of available backends. This comes in real handy if
+ an application wants to let the user choose between whatever SSL backends
+ the currently available libcurl has to offer: simply call
- Reported by: Oliver Gondža
- Bug: http://curl.haxx.se/mail/archive-2013-02/0040.html
-
-Nick Zitzmann (3 Mar 2013)
-- darwinssl: fix infinite loop if server disconnected abruptly
+ curl_global_sslset(-1, NULL, &avail);
- If the server hung up the connection without sending a closure alert,
- then we'd keep probing the socket for data even though it's dead. Now
- we're ready for this situation.
+ which will return CURLSSLSET_UNKNOWN_BACKEND and populate the avail
+ variable to point to the relevant information to present to the user.
- Bug: http://curl.haxx.se/mail/lib-2013-03/0014.html
- Reported by: Aki Koskinen
-
-Steve Holme (3 Mar 2013)
-- imap: Added comments to imap_append()
-
-- [Jiri Hruska brought this change]
-
- imap: Added required mailbox check for FETCH and APPEND commands
+ Just like with the HTTP/2 push functions, we have to add the function
+ declaration of curl_global_sslset() function to the header file
+ *multi.h* because VMS and OS/400 require a stable order of functions
+ declared in include/curl/*.h (where the header files are sorted
+ alphabetically). This looks a bit funny, but it cannot be helped.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- pingpong.c: Fix enumerated type mixed with another type
+- [Johannes Schindelin brought this change]
-- smtp: Updated the coding style for state changes after a send operation
+ vtls: refactor out essential information about the SSL backends
- Some state changes would be performed after a failure test that
- performed a hard return, whilst others would be performed within a test
- for success. Updated the code, for consistency, so all instances are
- performed within a success test.
-
-- pop3: Updated the coding style for state changes after a send operation
+ There is information about the compiled-in SSL backends that is really
+ no concern of any code other than the SSL backend itself, such as which
+ function (if any) implements SHA-256 summing.
- Some state changes would be performed after a failure test that
- performed a hard return, whilst others would be performed within a test
- for success. Updated the code, for consistency, so all instances are
- performed within a success test.
-
-- imap: Fixed typo in variable assignment
-
-- [Jiri Hruska brought this change]
-
- imap: Fixed custom request handling in imap_done()
+ And there is information that is really interesting to the user, such as
+ the name, or the curl_sslbackend value.
- Fixed imap_done() so that neither the FINAL states are not entered when
- a custom command has been performed.
-
-- [Jiri Hruska brought this change]
-
- imap: Enabled custom requests in imap_select_resp()
+ Let's factor out the latter into a publicly visible struct. This
+ information will be used in the upcoming API to set the SSL backend
+ globally.
- Changed imap_select_resp() to invoke imap_custom() instead of
- imap_fetch() after the mailbox has been selected if a custom
- command has been set.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Enabled custom requests in imap_perform()
+ vtls: allow selecting which SSL backend to use at runtime
- Modified imap_perform() to start with the custom command instead of
- SELECT when a custom command is to be performed and no mailbox has
- been given.
-
-- [Jiri Hruska brought this change]
-
- imap: Added custom request perform and response handler functions
+ When building software for the masses, it is sometimes not possible to
+ decide for all users which SSL backend is appropriate.
- Added imap_custom(), which initiates the custom command processing,
- and an associated response handler imap_state_custom_resp(), which
- handles any responses by sending them to the client as body data.
+ Git for Windows, for example, uses cURL to perform clones, fetches and
+ pushes via HTTPS, and some users strongly prefer OpenSSL, while other
+ users really need to use Secure Channel because it offers
+ enterprise-ready tools to manage credentials via Windows' Credential
+ Store.
- All untagged responses with the same name as the first word of the
- custom request string are accepted, with the exception of SELECT and
- EXAMINE which have responses that cannot be easily identified. An
- extra check has been provided for them so that any untagged responses
- are accepted for them.
-
-- pop3: Fixed unnecessary parent structure reference
+ The current Git for Windows versions use the ugly work-around of
+ building libcurl once with OpenSSL support and once with Secure Channel
+ support, and switching out the binaries in the installer depending on
+ the user's choice.
+
+ Needless to say, this is a super ugly workaround that actually only
+ works in some cases: Git for Windows also comes in a portable form, and
+ in a form intended for third-party applications requiring Git
+ functionality, in which cases this "swap out libcurl-4.dll" simply is
+ not an option.
+
+ Therefore, the Git for Windows project has a vested interest in teaching
+ cURL to make the SSL backend a *runtime* option.
+
+ This patch makes that possible.
- Updated pop3 code following recent imap changes.
+ By running ./configure with multiple --with-<backend> options, cURL will
+ be built with multiple backends.
+
+ For the moment, the backend can be configured using the environment
+ variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and
+ "schannel").
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Added custom request parsing
+ vtls: fold the backend ID into the Curl_ssl structure
- Added imap_parse_custom_request() for parsing the CURLOPT_CUSTOMREQUEST
- parameter which URL decodes the value and separates the request from
- any parameters - This makes it easier to filter untagged responses
- by the request command.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Introduced custom request parameters
+ curl_ntlm_core: don't complain but #include OpenSSL header if needed
- Added custom request parameters to the per-request structure.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Introduced IMAP_CUSTOM state
-
-- imap: Minor code tidy up
+ vtls: encapsulate SSL backend-specific data
- Minor tidy up of code layout and comments following recent changes.
-
-- imap: Simplified the imap_state_append_resp() function
+ So far, all of the SSL backends' private data has been declared as
+ part of the ssl_connect_data struct, in one big #if .. #elif .. #endif
+ block.
- Introduced the result code variable to simplify the state changes and
- remove the hard returns.
-
-- imap: Changed successful response logic in imap_state_append_resp()
+ This can only work as long as the SSL backend is a compile-time option,
+ something we want to change in the next commits.
- For consistency changed the logic of the imap_state_append_resp()
- function to test for an unsucessful continuation response rather than a
- succesful one.
-
-- imap: Standardised imapcode condition tests
+ Therefore, let's encapsulate the exact data needed by each SSL backend
+ into a private struct, and let's avoid bleeding any SSL backend-specific
+ information into urldata.h. This is also necessary to allow multiple SSL
+ backends to be compiled in at the same time, as e.g. OpenSSL's and
+ CyaSSL's headers cannot be included in the same .c file.
- For consistency changed two if(constant != imapcode) tests to be
- if(imapcode != constant).
-
-- imap: Moved imap_append() to be with the other perform functions
-
-- [Jiri Hruska brought this change]
-
- imap: Enabled APPEND support in imap_perform()
+ To avoid too many malloc() calls, we simply append the private structs
+ to the connectdata struct in allocate_conn().
- Added logic in imap_perform() to perform an APPEND rather than SELECT
- and FETCH if an upload has been specified.
-
-- [Jiri Hruska brought this change]
-
- imap: Implemented APPEND final processing
+ This requires us to take extra care of alignment issues: struct fields
+ often need to be aligned on certain boundaries e.g. 32-bit values need to
+ be stored at addresses that divide evenly by 4 (= 32 bit / 8
+ bit-per-byte).
- The APPEND operation needs to be performed in several steps:
- 1) We send "<tag> APPEND <mailbox> <flags> {<size>}\r\n"
- 2) Server responds with continuation respose "+ ...\r\n"
- 3) We start the transfer and send <size> bytes of data
- 4) Only now we end the request command line by sending "\r\n"
- 5) Server responds with "<tag> OK ...\r\n"
+ We do that by assuming that no SSL backend's private data contains any
+ fields that need to be aligned on boundaries larger than `long long`
+ (typically 64-bit) would need. Under this assumption, we simply add a
+ dummy field of type `long long` to the `struct connectdata` struct. This
+ field will never be accessed but acts as a placeholder for the four
+ instances of ssl_backend_data instead. the size of each ssl_backend_data
+ struct is stored in the SSL backend-specific metadata, to allow
+ allocate_conn() to know how much extra space to allocate, and how to
+ initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend
+ pointers.
- This commit performs steps 4 and 5, in the DONE phase, as more
- processing is required after the transfer.
-
-- [Jiri Hruska brought this change]
-
- imap: Added APPEND perform and response handler functions
+ This would appear to be a little complicated at first, but is really
+ necessary to encapsulate the private data of each SSL backend correctly.
+ And we need to encapsulate thusly if we ever want to allow selecting
+ CyaSSL and OpenSSL at runtime, as their headers cannot be included within
+ the same .c file (there are just too many conflicting definitions and
+ declarations for that).
- Added imap_append() function to initiate upload and imap_append_resp()
- to handle the continuation response and start the transfer.
-
-- [Jiri Hruska brought this change]
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
- imap: Introduced IMAP_APPEND and IMAP_APPEND_FINAL states
+- [Johannes Schindelin brought this change]
-- [Jiri Hruska brought this change]
-
- imap: Updated setting of transfer variables in imap_state_fetch_resp()
+ vtls: prepare the SSL backends for encapsulated private data
- Add number of bytes retrieved from the PP cache to req.bytecount and set
- req.maxdownload only when starting a proper download.
-
-- [Jiri Hruska brought this change]
-
- imap: Improved FETCH response parsing
+ At the moment, cURL's SSL backend needs to be configured at build time.
+ As such, it is totally okay for them to hard-code their backend-specific
+ data in the ssl_connect_data struct.
- Added safer parsing of the untagged FETCH response line and the size of
- continuation data.
-
-- imap: Fixed accidentally lossing the result code
+ In preparation for making the SSL backend a runtime option, let's make
+ the access of said private data a bit more abstract so that it can be
+ adjusted later in an easy manner.
- Accidentally lost the result code in imap_state_capability() and
- imap_state_login() with commit b06a78622609.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- imap: Another minor comment addition / tidy up
+- [Johannes Schindelin brought this change]
-- imap: Updated the coding style for state changes after a send operation
+ urldata.h: move SSPI-specific #include to correct location
- Some state changes would be performed after a failure test that
- performed a hard return, whilst others would be performed within a test
- for success. Updated the code, for consistency, so all instances are
- performed within a success test.
-
-- pop3 / smtp: Small comment tidy up
+ In 86b889485 (sasl_gssapi: Added GSS-API based Kerberos V5 variables,
+ 2014-12-03), an SSPI-specific field was added to the kerberos5data
+ struct without moving the #include "curl_sspi.h" later in the same file.
+
+ This broke the build when SSPI was enabled, unless Secure Channel was
+ used as SSL backend, because it just so happens that Secure Channel also
+ requires "curl_sspi.h" to be #included.
- Small tidy up to keep some comments consistant across each of the email
- protocols.
+ In f4739f639 (urldata: include curl_sspi.h when Windows SSPI is enabled,
+ 2017-02-21), this bug was fixed incorrectly: Instead of moving the
+ appropriate conditional #include, the Secure Channel-conditional part
+ was now also SSPI-conditional.
+
+ Fix this problem by moving the correct #include instead.
+
+ This is also required for an upcoming patch that moves all the Secure
+ Channel-specific stuff out of urldata.h and encapsulates it properly in
+ vtls/schannel.c instead.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: FETCH response handler cleanup before further changes
+ urldata.h: remove support for obsolete PolarSSL version
- Removed superfluous NULL assignment after Curl_safefree() and rewrote
- some comments and logging messages.
-
-- pop3: Small tidy up of function arguments
+ Since 5017d5ada (polarssl: now require 1.3.0+, 2014-03-17), we require
+ a newer PolarSSL version. No need to keep code trying to support any
+ older version.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- imap: Small tidy up of function arguments
+- [Johannes Schindelin brought this change]
-- smtp: Corrected debug message for POP3_AUTH_FINAL constant
+ getinfo: access SSL internals via Curl_ssl
- Following commit ad3177da24b8 corrected the debug message in state()
- from AUTH to AUTH_FINAL.
-
-- pop3: Corrected debug message for POP3_AUTH_FINAL constant
+ In the ongoing endeavor to abstract out all SSL backend-specific
+ functionality, this is the next step: Instead of hard-coding how the
+ different SSL backends access their internal data in getinfo.c, let's
+ implement backend-specific functions to do that task.
- Following commit afad1ce753a1 corrected the debug message in state()
- from AUTH to AUTH_FINAL.
-
-- imap: Corrected debug message for IMAP_AUTHENTICATE_FINAL constant
+ This will also allow for switching SSL backends as a runtime option.
- Following commit 13006f3de9ec corrected the debug message in state()
- from AUTHENTICATE to AUTHENTICATE_FINAL.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Fixed error code returned for invalid FETCH response
+ vtls: move SSL backends' private constants out of their header files
- If the FETCH command does not result in an untagged response the the
- UID is probably invalid. As such do not return CURLE_OK.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Added processing of the final FETCH responses
+ axtls: use Curl_none_* versions of init() and cleanup()
+
+ There are convenient no-op versions of the init/cleanup functions now,
+ no need to define private ones for axTLS.
- Not processing the final FETCH responses was not optimal, not only
- because the response code would be ignored but it would also leave data
- unread on the socket which would prohibit connection reuse.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Introduced FETCH_FINAL state for processing final fetch responses
+ vtls: remove obsolete declarations of SSL backend functionality
- A typical FETCH response can be broken down into four parts:
+ These functions are all available via the Curl_ssl struct now, no need
+ to declare them separately anymore.
- 1) "* <uid> FETCH (<what> {<size>}\r\n", using continuation syntax
- 2) <size> bytes of the actual message
- 3) ")\r\n", finishing the untagged response
- 4) "<tag> OK ...", finishing the command
+ As the global declarations are removed, the corresponding function
+ definitions are marked as file-local. The only two exceptions here are
+ Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the
+ declarations were removed, there are no function definitions to mark
+ file-local.
- Part 1 is read in imap_fetch_resp(), part 2 is consumed in the PERFORM
- phase by the transfer subsystem, parts 3 and 4 are currently ignored.
-
-- imap: fix autobuild warning
+ Please note that Curl_nss_force_init() is *still* declared globally, as
+ the only SSL backend-specific function, because it was introduced
+ specifically for the use case where cURL was compiled with
+ `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add
+ support for NSS, 2010-06-27).
- Removed whitespace from imap_perform()
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- imap: fix compiler warning
-
- error: declaration of 'imap' shadows a previous local
+- [Johannes Schindelin brought this change]
-- smtp: Re-factored the final SMTP_AUTH constant
+ schannel: reorder functions topologically
- Changed the final SMTP_AUTH constant to SMTP_AUTH_FINAL for consistency
- with the response function.
-
-- pop3: Re-factored the final POP3_AUTH constant
+ The _shutdown() function calls the _session_free() function; While this
+ is not a problem now (because schannel.h declares both functions), a
+ patch looming in the immediate future with make all of these functions
+ file-local.
- Changed the final POP3_AUTH constant to POP3_AUTH_FINAL for consistency
- with the response function.
-
-- imap: Re-factored final IMAP_AUTHENTICATE constant
+ So let's just move the _session_free() function's definition before it
+ is called.
- Changed the final IMAP_AUTHENTICATE constant to IMAP_AUTHENTICATE_FINAL
- for consistency with the response function.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- imap: Updated the coding style of imap_state_servergreet_resp()
-
- Updated the coding style, in this function, to be consistant with other
- response functions rather then performing a hard return on failure.
+- [Johannes Schindelin brought this change]
-- imap: Reversed the logic of the (un)successful tagged SELECT response
+ axtls: reorder functions topologically
- Reversed the logic of the unsuccessful vs successful tagged SELECT
- response in imap_state_select_resp() to be more logical to read.
-
-- imap: Reversed the logic of the (un)successful tagged CAPABILITY response
+ The connect_finish() function (like many other functions after it) calls
+ the Curl_axtls_close() function; While this is not a problem now
+ (because axtls.h declares the latter function), a patch looming in the
+ immediate future with make all of these functions file-local.
- Reversed the logic of the unsuccessful vs successful tagged CAPABILITY
- response in imap_state_capability_resp() to be more logical to read.
-
-- imap: Corrected char* references with char *
+ So let's just move the Curl_axtls_close() function's definition before
+ it is called.
- Corrected char* references made in commit: 709b3506cd9b.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Added processing of more than one response when sent in same packet
+ vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl struct
- Added a loop to imap_statemach_act() in which Curl_pp_readresp() is
- called until the cache is drained. Without this multiple responses
- received in a single packet could result in a hang or delay.
-
-- [Jiri Hruska brought this change]
-
- imap: Added skipping of SELECT command if already in the same mailbox
+ That will allow us to choose the SSL backend at runtime.
- Added storage and checking of the last mailbox userd to prevent
- unnecessary switching.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Introduced the mailbox variable
+ vtls: convert the have_curlssl_* constants to runtime flags
- Added the mailbox variable to the per-connection structure in
- preparation for checking for an already selected mailbox.
-
-- email: Slight reordering of connection based variables
+ The entire idea of introducing the Curl_ssl struct to describe SSL
+ backends is to prepare for choosing the SSL backend at runtime.
- Reordered the state and ssl_done variables in order to provide more
- consistency between the email protocols as well as for for an upcoming
- change.
-
-- imap: Tidied up comments for connection based variables
-
-- DOCS: Added the IMAP UIDVALIDITY property to the CURLOPT_URL section
-
-- [Jiri Hruska brought this change]
-
- imap: Added verification of UIDVALIDITY mailbox attribute
+ To that end, convert all the #ifdef have_curlssl_* style conditionals
+ to use bit flags instead.
- Added support for checking the UIDVALIDITY, and aborting the request, if
- it has been specified in the URL and the server response is different.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Added support for parsing the UIDVALIDITY property
+ vtls: move sha256sum into the Curl_ssl struct
- Added support for parsing the UIDVALIDITY property from the SELECT
- response and storing it in the per-connection structure.
-
-- [Jiri Hruska brought this change]
-
- imap: Introduced the mailbox_uidvalidity variable
+ The SHA-256 checksumming is also an SSL backend-specific function.
+ Let's include it in the struct declaring the functionality of SSL
+ backends.
- Added the mailbox_uidvalidity variable to the per-connection structure
- in preparation for checking the UIDVALIDITY mailbox attribute.
+ In contrast to MD5, there is no fall-back code. To indicate this, the
+ respective entries are NULL for those backends that offer no support for
+ SHA-256 checksumming.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- imap: Corrected comment in imap_endofresp()
+- [Johannes Schindelin brought this change]
-- imap: Corrected whitespace
+ vtls: move md5sum into the Curl_ssl struct
+
+ The MD5 summing is also an SSL backend-specific function. So let's
+ include it, offering the previous fall-back code as a separate function
+ now: Curl_none_md5sum(). To allow for that, the signature had to be
+ changed so that an error could be returned from the implementation
+ (Curl_none_md5sum() can run out of memory).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Added filtering of CAPABILITY and FETCH untagged responses
+ vtls: use the Curl_ssl struct to access all SSL backends' functionality
+
+ This is the first step to unify the SSL backend handling. Now all the
+ SSL backend-specific functionality is accessed via a global instance of
+ the Curl_ssl struct.
- Only responses that contain "CAPABILITY" and "FETCH", respectively,
- will be sent to their response handler.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Added a helper function for upcoming untagged response filtering
+ vtls: declare Curl_ssl structs for every SSL backend
- RFC 3501 states that "the client MUST be prepared to accept any response
- at all times" yet we assume anything received with "* " at the beginning
- is the untagged response we want.
+ The idea of introducing the Curl_ssl struct was to unify how the SSL
+ backends are declared and called. To this end, we now provide an
+ instance of the Curl_ssl struct for each and every SSL backend.
- Introduced a helper function that checks whether the input looks like a
- response to specified command, so that we may filter the ones we are
- interested in according to the current state.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Moved CAPABILITY response handling to imap_state_capability_resp()
+ vtls: introduce a new struct for SSL backends
- Introduced similar handling to the FETCH responses, where even the
- untagged data responses are handled by the response handler of the
- individual state.
-
-Linus Nielsen Feltzing (26 Feb 2013)
-- Remove unused variable in smtp_state_data_resp()
+ This new struct is similar in nature to Curl_handler: it will define the
+ functions and capabilities of all the SSL backends (where Curl_handler
+ defines the functions and capabilities of protocol handlers).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Steve Holme (25 Feb 2013)
-- email: Small tidy up following recent changes
+- [Johannes Schindelin brought this change]
-- smtp: Removed bytecountp from the per-request structure
+ vtls: make sure every _sha256sum()'s first arg is const
- Removed this pointer to a downloaded bytes counter because it was set in
- smtp_init() to point to the same variable the transfer functions keep
- the count in (k->bytecount), effectively making the code in transfer.c
- "*k->bytecountp = k->bytecount" a no-op.
-
-- pop3: Removed bytecountp from the per-request structure
+ This patch makes the signature of the _sha256sum() functions consistent
+ among the SSL backends, in preparation for unifying the way all SSL
+ backends are accessed.
- Removed this pointer to a downloaded bytes counter because it was set in
- pop3_init() to point to the same variable the transfer functions keep
- the count in (k->bytecount), effectively making the code in transfer.c
- "*k->bytecountp = k->bytecount" a no-op.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Removed bytecountp from the per-request structure
+ vtls: make sure all _data_pending() functions return bool
+
+ This patch makes the signature of the _data_pending() functions
+ consistent among the SSL backends, in preparation for unifying the way
+ all SSL backends are accessed.
- Removed this pointer to a downloaded bytes counter because it was set in
- imap_init() to point to the same variable the transfer functions keep
- the count in (k->bytecount), effectively making the code in transfer.c
- "*k->bytecountp = k->bytecount" a no-op.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Adjusted SELECT and FETCH function order
+ vtls: make sure all _cleanup() functions return void
- Moved imap_select() and imap_fetch() to be grouped with the other
- perform functions.
+ This patch makes the signature of the _cleanup() functions consistent
+ among the SSL backends, in preparation for unifying the way all SSL
+ backends are accessed.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Adjusted SELECT and FETCH state order in imap_statemach_act()
+ vtls: use consistent signature for _random() implementations
- Exchanged the position of these states in the switch statements to
- match the state enum, execution and function order.
-
-- imap: Minor tidy up of comments in imap_parse_url_path()
+ This will make the upcoming multissl backend much easier to implement.
- Tidy up of comments before next round of imap changes.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- imap: Fixed incorrect comparison for STARTTLS in imap_endofresp()
+- strtooff: fix build for systems with long long but no strtoll option
- Corrected the comparison type in addition to commit 1dac29fa83a9.
-
-- DOCS: Corrected IMAP URL examples according to RFC5092
+ Closes #1829
- URL examples that included the UID weren't technically correct although
- would pass the curl parser.
+ Reported-by: Dan Fandrich
+ Bug: https://github.com/curl/curl/pull/1758#issuecomment-324861615
-Nick Zitzmann (24 Feb 2013)
-- darwinssl: fix undefined $ssllib warning in runtests.pl
+- darwinssl: handle long strings in TLS certs
- I also added --with-darwinssl to the list of SSL options in configure.
-
-Steve Holme (24 Feb 2013)
-- imap: Added check for new internal imap response code
-
-- imap: Changed the order of the response types in imap_endofresp()
+ ... as the previous fixed length 128 bytes buffer was sometimes too
+ small.
- From a maintenance point of view the code reads better to view tagged
- responses, then untagged followed by continuation responses.
+ Fixes #1823
+ Closes #1831
- Additionally, this matches the order of responses in POP3.
-
-- [Jiri Hruska brought this change]
+ Reported-by: Benjamin Sergeant
+ Assisted-by: Bill Pyne, Ray Satiro, Nick Zitzmann
- imap: Added stricter parsing of continuation responses
+- system.h: include sys/poll.h for AIX
- Enhanced the parsing to only allow continuation responses in some
- states.
+ ... to get the event/revent defines that might be used for the poll
+ struct.
+
+ Reported-by: Michael Smith
+ Fixes #1828
+ Closes #1833
-- imap: Simplified memcmp() in tagged response parsing
+Dan Fandrich (26 Aug 2017)
+- tests: Make sure libtests & unittests call curl_global_cleanup()
+
+ These were missed in commit c468c27b.
-- [Jiri Hruska brought this change]
+Jay Satiro (26 Aug 2017)
+- [theantigod brought this change]
- imap: Reworked the logic of untagged command responses
+ winbuild: fix embedded manifest option
+
+ Embedded manifest option didn't work due to incorrect path.
+
+ Fixes https://github.com/curl/curl/issues/1832
-- imap: Corrected spacing of trailing brace
+Daniel Stenberg (25 Aug 2017)
+- fuzz/Makefile.am: remove curlbuild.h leftovers
-- [Jiri Hruska brought this change]
+- examples/threaded-ssl: mention that this is for openssl before 1.1
- imap: Added stricter parsing of tagged command responses
+- imap: use defined names for response codes
- Enhanced the parsing of tagged responses which must start with "OK",
- "NO" or "BAD"
+ When working on this code I found the previous setup a bit weird while
+ using proper defines increases readability.
+
+ Closes #1824
+
+- CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD
-- [Jiri Hruska brought this change]
+- imap: support PREAUTH
+
+ It is a defined possible greeting at server startup that means the
+ connection is already authenticated. See
+ https://tools.ietf.org/html/rfc3501#section-7.1.4
+
+ Test 846 added to verify.
+
+ Fixes #1818
+ Closes #1820
- imap: Simplified command response test in imap_endofresp()
+Jay Satiro (23 Aug 2017)
+- config-tpf: define SIZEOF_LONG
+
+ Recent changes that replaced CURL_SIZEOF_LONG in the source with
+ SIZEOF_LONG broke builds that use the premade configuration files and
+ don't have SIZEOF_LONG defined.
+
+ Bug: https://github.com/curl/curl/issues/1816
-- [Jiri Hruska brought this change]
+Dan Fandrich (23 Aug 2017)
+- test1453: Fixed <features>
- imap: Corrected comment in imap_endofresp()
+Daniel Stenberg (22 Aug 2017)
+- [Gisle Vanem brought this change]
-- DOCS: Corrected layout of POP3 and IMAP URL examples
+ config-dos: add missing defines, SIZEOF_* and two others
- Corrected layout issues with the POP3 and IMAP URL examples introduced
- in commit cb3ae6894fb2.
+ Bug: #1816
-- DOCS: Updated CURLOPT_URL section following recent POP3 and IMAP changes
+- curl: shorten and clean up CA cert verification error message
- Updated the POP3 sub-section to refer to message ID rather than mailbox.
+ The previous message was just too long for ordinary people and it was
+ encouraging users to use `--insecure` a little too easy.
- Added an IMAP sub-section with example URLs depicting the specification
- of mailbox, uid and section.
-
-- pop3: Refactored the mailbox variable as it didn't reflect it's purpose
+ Based-on-work-by: Frank Denis
- Updated the mailbox variable to correctly reflect it's purpose. The
- name mailbox was a leftover from when IMAP and POP3 support was
- initially added to curl.
+ Closes #1810
+ Closes #1817
-- FEATURES: Updated following recent IMAP changes
+- request-target.d: mention added in 7.55.0
-- [Jiri Hruska brought this change]
+Marcel Raad (22 Aug 2017)
+- tool_main: turn off MinGW CRT's globbing
+
+ By default, the MinGW CRT globs command-line arguments. This prevents
+ getting a single asterisk into an argument as test 1299 does. Turn off
+ globbing by setting the global variable _CRT_glob to 0 for MinGW.
+
+ Fixes https://github.com/curl/curl/issues/1751
+ Closes https://github.com/curl/curl/pull/1813
- imap: Added the ability to FETCH a specific UID and SECTION
+Viktor Szakats (22 Aug 2017)
+- makefile.m32: add support for libidn2
- Updated the FETCH command to send the UID and SECTION parsed from the
- URL. By default the BODY specifier doesn't include a section, BODY[] is
- now sent whereas BODY[TEXT] was previously sent. In my opinion
- retrieving just the message text is rarely useful when dealing with
- emails, as the headers are required for example, so that functionality
- is not retained. In can however be simulated by adding SECTION=TEXT to
- the URL.
+ libidn was replaced with libidn2 last year in configure.
+ Caveat: libidn2 may depend on a list of further libs.
+ These can be manually specified via CURL_LDFLAG_EXTRAS.
- Also updated test801 and test1321 due to the BODY change.
+ Closes https://github.com/curl/curl/pull/1815
-- email: Additional tidy up of comments following recent changes
+Jay Satiro (22 Aug 2017)
+- [Viktor Szakats brought this change]
-- smtp: Removed some FTP heritage leftovers
+ config-win32: define SIZEOF_LONG
- Removed user and passwd from the SMTP struct as these cannot be set on
- a per-request basis and are leftover from legacy FTP code.
+ Recent changes that replaced CURL_SIZEOF_LONG in the source with
+ SIZEOF_LONG broke builds that use the premade configuration files and
+ don't have SIZEOF_LONG defined.
- Changed some comments still using FTP terminology.
+ Closes https://github.com/curl/curl/pull/1814
-- smtp: Moved the per-request variables to the per-request data structure
+Daniel Stenberg (20 Aug 2017)
+- cmake: enable picky compiler options with clang and gcc
- Moved the rcpt variable from the per-connection struct smtp_conn to the
- new per-request struct and fixed references accordingly.
+ closes #1799
-- pop3: Introduced a custom SMTP structure for per-request data
+- curl/system.h: fix build for hppa
- Created a new SMTP structure and changed the type of the smtp proto
- variable in connectdata from FTP* to SMTP*.
+ Reported-by: John David Anglin
+ Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872502#10
-unknown (23 Feb 2013)
-- [Steve Holme brought this change]
+- [Even Rouault brought this change]
- imap: Minor correction of comments for max line length
+ tftp: fix memory leak on too long filename
+
+ Fixes
+
+ $ valgrind --leak-check=full ~/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
+
+ ==9752== Memcheck, a memory error detector
+ ==9752== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
+ ==9752== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
+ ==9752== Command: /home/even/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
+ ==9752==
+ curl: (71) TFTP file name too long
+
+ ==9752==
+ ==9752== HEAP SUMMARY:
+ ==9752== 505 bytes in 1 blocks are definitely lost in loss record 11 of 11
+ ==9752== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==9752== by 0x4E61CED: Curl_urldecode (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E75868: tftp_state_machine (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E761B6: tftp_do (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E711B6: multi_runsingle (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E71D00: curl_multi_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E6950D: curl_easy_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x40E0B7: operate_do (in /home/even/install-curl-git/bin/curl)
+ ==9752== by 0x40E849: operate (in /home/even/install-curl-git/bin/curl)
+ ==9752== by 0x402693: main (in /home/even/install-curl-git/bin/curl)
+
+ Fixes https://oss-fuzz.com/v2/testcase-detail/5232311106797568
+ Credit to OSS Fuzz
+
+ Closes #1808
-Daniel Stenberg (23 Feb 2013)
-- strcasestr: remove check for this unused function
+Dan Fandrich (19 Aug 2017)
+- runtests: fixed case insensitive matching of keywords
+
+ Commit 5c2aac71 didn't work in the case of mixed-case keywords given on
+ the command-line.
-- pop3: fix compiler warning
+- tests: Make sure libtests call curl_global_cleanup()
- error: declaration of 'pop3' shadows a previous local
+ This ensures that global data allocations are freed so Valgrind stays
+ happy. This was a problem with at least PolarSSL and mbedTLS.
-Steve Holme (23 Feb 2013)
-- [Jiri Hruska brought this change]
+Daniel Stenberg (18 Aug 2017)
+- RELEASE-NOTES: synced with 8baead425
- imap: Added URL parsing of new variables
-
- Updated the imap_parse_url_path() function to parse uidvalidity, uid and
- section parameters based on RFC-5092.
+- scripts/contri*sh: use "git log --use-mailmap"
-- [Jiri Hruska brought this change]
+- mailmap: de-duplify some git authors
- imap: Introduced imap_is_bchar() function
+- http2_recv: return error better on fatal h2 errors
- Added imap_is_bchar() for testing if a given character is a valid bchar
- or not.
+ Ref #1012
+ Figured-out-by: Tatsuhiro Tsujikawa
-- [Jiri Hruska brought this change]
+- KNOWN_BUGS: HTTP test server 'connection-monitor' problems
+
+ Closes #868
- imap: Introduced new per-request veriables
+- curl/system.h: check for __ppc__ as well
- Added uidvalidity, uid and section variables to the per-request IMAP
- structure in preparation for upcoming URL parsing.
+ ... regression since issue #1774 (commit 10b3df10596a) since obviously
+ some older gcc doesn't know __powerpc__ while some newer doesn't know
+ __ppc__ ...
+
+ Fixes #1797
+ Closes #1798
+ Reported-by: Ryan Schmidt
-- pingpong: Renamed curl_ftptransfer to curl_pp_transfer
+- [Jan Alexander Steffens (heftig) brought this change]
-- pop3: Removed some FTP heritage leftovers
+ http: Don't wait on CONNECT when there is no proxy
- Removed user and passwd from the POP3 struct as these cannot be set on
- a per-request basis and are leftover from legacy FTP code.
+ Since curl 7.55.0, NetworkManager almost always failed its connectivity
+ check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP
+ CONNECT process entirely non-blocking).
- Changed some comments still using FTP terminology.
-
-- pop3: Moved the per-request variables to the per-request data structure
+ This patch replaces !Curl_connect_complete with Curl_connect_ongoing,
+ which returns false if the CONNECT state was left uninitialized and lets
+ the connection continue.
- Moved the mailbox and custom request variables from the per-connection
- struct pop3_conn to the new per-request struct and fixed references
- accordingly.
-
-- pop3: Introduced a custom POP3 structure for per-request data
+ Closes #1803
+ Fixes #1804
- Created a new POP3 structure and changed the type of the pop3 proto
- variable in connectdata from FTP* to POP*.
+ Also-fixed-by: Gergely Nagy
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
- imap: Fixed escaping of mailbox names
+ metalink: adjust source code style
- Used imap_atom() to escape mailbox names in imap_select().
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- pingpong: Moved curl_ftptransfer definition to pingpong.h
-
- Moved the ftp transfer structure into pingpong.h so other protocols that
- require it don't have to include ftp.h.
+- CURL_SIZEOF_LONG: removed, use only SIZEOF_LONG
-- urldata.h: Fixed comment for opt_no_body variable
-
- Corrected comment for opt_no_body variable to CURLOPT_NOBODY.
+- lib557: no longer use CURL_SIZEOF_* defines
-- email: Minor tidy up following IMAP changes
+- config-win32: define SIZEOF_CURL_OFF_T
-- [Jiri Hruska brought this change]
+- cmake: sizeof curl_off_t, remove unused detections
- imap: Removed more FTP leftovers
+- system.h: remove all CURL_SIZEOF_* defines
+
+ ... as they're not used externally and internally we check for the sizes
+ already in configure etc.
- Changed some variables and comments still using FTP terminology.
+ Closes #1767
-- [Jiri Hruska brought this change]
+- ftp: fix CWD when doing multicwd then nocwd on same connection
+
+ Fixes #1782
+ Closes #1787
+ Reported-by: Peter Lamare
- imap: Removed some FTP heritage leftovers
+- CURLOPT_SSH_COMPRESSION.3: enable with 1L
- Removed user and passwd from the IMAP struct as these cannot be set on
- a per-request basis and are leftover from legacy FTP code.
+ (leaves other values reserved for the future)
+
+- compressed-ssh.d: "Added: 7.56.0"
-- [Jiri Hruska brought this change]
+- curl/system.h: checksrc compliance
- imap: Introduced a custom IMAP structure for per-request data
+Jay Satiro (17 Aug 2017)
+- [Viktor Szakats brought this change]
+
+ ssh: add the ability to enable compression (for SCP/SFTP)
- Created a new IMAP structure and changed the type of the imap proto
- variable in connectdata from FTP* to the new IMAP*.
+ The required low-level logic was already available as part of
+ `libssh2` (via `LIBSSH2_FLAG_COMPRESS` `libssh2_session_flag()`[1]
+ option.)
- Moved the mailbox variable from the per-connection struct imap_conn to
- the new per-request struct and fixed references accordingly.
-
-- pop3: Updated do phrase clean-up comment
+ This patch adds the new `libcurl` option `CURLOPT_SSH_COMPRESSION`
+ (boolean) and the new `curl` command-line option `--compressed-ssh`
+ to request this `libssh2` feature. To have compression enabled, it
+ is required that the SSH server supports a (zlib) compatible
+ compression method and that `libssh2` was built with `zlib` support
+ enabled.
- Following commit 65644b833532 for the IMAP module updated the clean-up
- comment in POP3.
-
-- imap: Fixed memory leak when performing multiple selects
+ [1] https://www.libssh2.org/libssh2_session_flag.html
- Moved the clean-up of the mailbox variable from imap_disconnect() to
- imap_done() as this variable is allocated in the do phase, yet would
- have only been freed only once if multiple selects where preformed
- on a single connection.
+ Ref: https://github.com/curl/curl/issues/1732
+ Closes https://github.com/curl/curl/pull/1735
-Daniel Stenberg (22 Feb 2013)
-- [Alexander Klauer brought this change]
+- examples/ftpuploadresume: checksrc compliance
- Documentation: Typo in docs/CONTRIBUTE
+- [Maksim Stsepanenka brought this change]
+
+ http_proxy: fix build error for CURL_DOES_CONVERSIONS
- Fixes a typo get → git in docs/CONTRIBUTE.
+ Closes https://github.com/curl/curl/pull/1793
-- [Alexander Klauer brought this change]
+GitHub (16 Aug 2017)
+- [Nick Zitzmann brought this change]
- repository: ignore patch files generated by git
+ configure: check for __builtin_available() availability (#1788)
- Ignores the patch files generated by the 'git format-patch' command.
+ This change does two things:
+ 1. It un-breaks the build in Xcode 9.0. (Xcode 9.0 is currently
+ failing trying to compile connectx() in lib/connect.c.)
+ 2. It finally weak-links the connectx() function, and falls back on
+ connect() when run on older operating systems.
-- [Alexander Klauer brought this change]
-
- libcurl documentation: clarifications and typos
+Daniel Stenberg (16 Aug 2017)
+- travis: add metalink to some osx builds
- * Elaborates on default values of some curl_easy_setopt() options.
- * Reminds the user to cast variadic arguments to curl_easy_setopt() to
- 'void *' where curl internally interprets them as such.
- * Clarifies the working of the CURLOPT_SEEKFUNCTION option for
- curl_easy_setopt().
- * Fixes typo 'forth' → 'fourth'.
- * Elaborates on CURL_SOCKET_TIMEOUT.
- * Adds some missing periods.
- * Notes that the return value of curl_version() must not be passed to
- free().
+ Closes #1790
-- [Alexander Klauer brought this change]
+- [Max Dymond brought this change]
- lib/url.c: Generic read/write data pointers
+ coverage: Use two coveralls commands to get lib/vtls results
- Always interprets the pointer passed with the CURLOPT_WRITEDATA or
- CURLOPT_READDATA options of curl_easy_setopt() as a void pointer in
- order to avoid problems in environments where FILE and void pointers
- have non-trivial conversion.
+ closes #1747
-- [Alexander Klauer brought this change]
+- darwinssi: fix error: variable length array used
- libcurl documentation: updates HTML index
+- m4/curl-compilers.m4: use proper quotes around string, not backticks
- * Adds several links to documentation of library functions which were
- missing.
- * Marks documentation of deprecated library functions "(deprecated)".
- * Removes spurious .html suffixes.
-
-- ossl_seed: avoid recursive seeding!
+ ... when setting clang version to assume 3.7
+
+ Caused a lot of "integer expression expected" warnings by configure.
-Steve Holme (22 Feb 2013)
-- [Jiri Hruska brought this change]
+- [Benbuck Nason brought this change]
- Fixed checking the socket if there is data waiting in the cache
+ cmake: remove dead code for DISABLED_THREADSAFE
- Use Curl_pp_moredata() in Curl_pp_multi_statemach() to check if there is
- more data to be received, rather than the socket state, as a task could
- hang waiting for more data from the socket itself.
+ Closes #1786
+
+Jay Satiro (15 Aug 2017)
+- [Jakub Zakrzewski brought this change]
-- imap.c: Fixed an incorrect variable reference
+ curl-confopts.m4: fix --disable-threaded-resolver
- Fixed an incorrect variable reference which was introduced in commit
- a1701eea289f as a result of a copy and paste from SMTP/POP3.
+ Closes https://github.com/curl/curl/issues/1784
-- [Jiri Hruska brought this change]
+Daniel Stenberg (15 Aug 2017)
+- [Ryan Winograd brought this change]
- pingpong: Introduce Curl_pp_moredata()
+ progress: Track total times following redirects
- A simple function to test whether the PP is not sending and there are
- still more data in its receiver cache. This will be later utilized to:
+ Update the progress timers `t_nslookup`, `t_connect`, `t_appconnect`,
+ `t_pretransfer`, and `t_starttransfer` to track the total times for
+ these activities when a redirect is followed. Previously, only the times
+ for the most recent request would be tracked.
- 1) Change Curl_pp_multi_statemach() and Curl_pp_easy_statemach() to
- not test socket state and just call user's statemach_act() function
- when there are more data to process, because otherwise the task would
- just hang, waiting for more data from the socket.
+ Related changes:
- 2) Allow PP users to read multiple responses by looping as long as there
- are more data available and current phase is not finished.
- (Currently needed for correct processing of IMAP SELECT responses.)
-
-Nick Zitzmann (19 Feb 2013)
-- FEATURES: why yes, we do support metalink
+ - Rename `Curl_pgrsResetTimesSizes` to `Curl_pgrsResetTransferSizes`
+ now that the function only resets transfer sizes and no longer
+ modifies any of the progress timers.
- I just noticed Metalink support wasn't listed as a feature of the tool.
-
-- metalink: fix improbable crash parsing metalink filename
+ - Add a bool to the `Progress` struct that is used to prevent
+ double-counting `t_starttransfer` times.
- The this_url pointer wasn't being initialized, so if strdup() would return
- null when copying the filename in a metalink file, then hilarity would
- ensue during the cleanup phase. This change was brought to you by clang,
- which noticed this and raised a warning.
-
-Yang Tse (19 Feb 2013)
-- smtp.c: fix enumerated type mixed with another type
+ Added test case 1399.
+
+ Fixes #522 and Known Bug 1.8
+ Closes #1602
+ Reported-by: joshhe on github
-- polarssl threadlock cleanup
+- [Benbuck Nason brought this change]
-Nick Zitzmann (18 Feb 2013)
-- docs: schannel and darwinssl documentation improvements
+ cmake: remove dead code for CURL_DISABLE_RTMP
- Schannel and darwinssl use the certificates built into the
- OS to do vert verification instead of bundles. darwinssl
- is thread-safe. Corrected typos in the NSS docs.
+ Closes #1785
-Daniel Stenberg (18 Feb 2013)
-- resolver_error: remove wrong error message output
+Kamil Dudka (15 Aug 2017)
+- zsh.pl: produce a working completion script again
- The attempt to use gai_strerror() or alternative function didn't work as
- the 'sock_error' field didn't contain the proper error code. But since
- this hasn't been reported and thus isn't really a big deal I decided to
- just scrap the whole attempt to output the detailed resolver error and
- instead remain with just stating that the resolving of the name failed.
+ Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help
+ to use <file> and <dir> instead of FILE and DIR, which caused zsh.pl to
+ produce a broken completion script:
+
+ % curl --<TAB>
+ _curl:10: no such file or directory: seconds
+
+ Closes #1779
-- [Kim Vandry brought this change]
+Daniel Stenberg (15 Aug 2017)
+- curlver: toward 7.56.0?
- Curl_resolver_is_resolved: show proper host name on failed resolve
+- RELEASE-NOTES: synced with 91c46dc44
-- Curl_resolver_is_resolved: fix compiler warning
-
- conversion to 'int' from 'long int' may alter its value
+- test1449: FTP download range with an too large size
-- compiler warning fix
+- strtoofft: reduce integer overflow risks globally
+
+ ... make sure we bail out on overflows.
- follow-up to commit ed7174c6f66, rename 'wait' to 'block'
+ Reported-by: Brian Carpenter
+ Closes #1758
-- compiler warning fix: declaration of 'wait' shadows a global declaration
+- travis: build the examples too
- It seems older gcc installations (at least) will cause warnings if we
- name a variable 'wait'. Now changed to 'block' instead.
+ to make sure they keep building warning-free
- Reported by: Jiří Hruška
- Bug: http://curl.haxx.se/mail/lib-2013-02/0247.html
+ Closes #1777
-Nick Zitzmann (17 Feb 2013)
-- MacOSX-Framework: Make script work in Xcode 4.0 and later
+- runtests: match keywords case insensitively
+
+- examples/ftpuploadresume.c: use portable code
- Apple made a number of changes to Xcode 4. The SDKs were moved, the entire
- Developer folder was moved, and PowerPC support was removed. The script
- will now adapt to those changes and should be future-proofed against
- additional changes in case Apple moves the Developer folder ever again.
- Also, the minimum OS X version compiler option was removed, so that the
- framework can be built against the latest SDK but still run in older cats.
+ ... converted from the MS specific _snscanf()
-Daniel Stenberg (17 Feb 2013)
-- docs: refer to CURLOPT_ACCEPT_ENCODING instead of the old name
+Version 7.55.1 (13 Aug 2017)
-Steve Holme (16 Feb 2013)
-- email: Tidied up result code variables
-
- Tidied up result variables to be consistent in name, declaration order
- and default values.
+Daniel Stenberg (13 Aug 2017)
+- RELEASE-NOTES/THANKS: curl 7.55.1 release time
-Nick Zitzmann (16 Feb 2013)
-- ntlm_core: fix compiler warning when building with clang
-
- Fixed a 64-to-32 compiler warning raised when building with
- clang and the --with-darwinssl option.
+- gitignore: ignore .xz now instead of .lzma
-Daniel Stenberg (16 Feb 2013)
-- Guile-curl: a new libcurl binding
+- [Sergei Nikulov brought this change]
-- polarsslthreadlock: #include the proper memory and debug includes
+ cmake: Threads detection update. ref: #1702
- Pointed out by Steve Holme
+ Closes #1719
-Steve Holme (16 Feb 2013)
-- email: Removed unnecessary forward declaration
+- ipv6_scope: support unique local addresses
- Due to the reordering of functions in commit 586f5d361474 the forward
- declaration to state_upgrade_tls() are no longer required.
+ Fixes #1764
+ Closes #1773
+ Reported-by: James Slaughter
-- pop3.c: Added reference to RFC-5034
+- [Alex Potapenko brought this change]
-Daniel Stenberg (15 Feb 2013)
-- [Willem Sparreboom brought this change]
-
- PolarSSL: Change to cURL coding style
+ curl/system.h: GCC doesn't define __ppc__ on PowerPC, uses __powerpc__
- Repaired all curl/lib/checksrc.pl warnings in the previous four patches
-
-- [Willem Sparreboom brought this change]
+ Closes #1774
- PolarSSL: WIN32 threading support for entropy
+- test1448: verify redirect to IDN using URL
- Added WIN32 threading support for PolarSSL entropy if
- --enable-threaded-resolver config flag is set and process.h can be found.
+ Closes #1772
-- [Willem Sparreboom brought this change]
+- [Salah-Eddin Shaban brought this change]
- PolarSSL: pthread support for entropy
+ redirect: skip URL encoding for host names
- Added pthread support for polarssl entropy if --enable-threaded-resolver
- config flag is set and pthread.h can be found.
+ This fixes redirects to IDN URLs
+
+ Fixes #1441
+ Closes #1762
+ Reported by: David Lord
-- [Willem Sparreboom brought this change]
+- test2032: mark as flaky (again)
- PolarSSL: changes to entropy/ctr_drbg/HAVEGE_RANDOM
+- travis: test cmake build on tarball too
- Add non-threaded entropy and ctr_drbg and removed HAVEGE_RANDOM define
+ Could've prevented #1755
-- [Willem Sparreboom brought this change]
+- [Simon Warta brought this change]
- PolarSSL: added human readable error strings
+ cmake: allow user to override CMAKE_DEBUG_POSTFIX
- Print out human readable error strings for PolarSSL related errors
-
-Steve Holme (15 Feb 2013)
-- pop3: Removed unnecessary state changes on failure
+ Closes #1763
-- imap: Removed unnecessary state change on failure
+- connect-to.d: better language
-Daniel Stenberg (15 Feb 2013)
-- metalink_cleanup: yet another follow-up fix
+- connect-to.d: clarified
-- metalink_cleanup: define it without argument
+- bagder/Curl_tvdiff_us: fix the math
- Since the function takes no argument, the macro shouldn't take one as
- some compilers will error out on that.
-
-- rename "easy" statemachines: call them block instead
+ Regression since adef394ac5 (released in 7.55.0)
- ... since they're not used by the easy interface really, I wanted to
- remove the association. Also, I unified the pingpong statemachine driver
- into a single function with a 'wait' argument: Curl_pp_statemach.
-
-Yang Tse (15 Feb 2013)
-- [Gisle Vanem brought this change]
+ Reported-by: Han Qiao
+ Fixes #1769
+ Closes #1771
- curl_setup_once.h: definition of HAVE_CLOSE_S defines sclose() to close_s()
+- curl/system.h: add Oracle Solaris Studio
+
+ Fixes #1752
-- [Gisle Vanem brought this change]
+- [Alessandro Ghedini brought this change]
- config-dos.h: define HAVE_CLOSE_S for MSDOS/Watt-32
+ docs: fix typo funtion -> function
+
+ Closes #1770
-- [Gisle Vanem brought this change]
+Alessandro Ghedini (12 Aug 2017)
+- docs: fix grammar in CURL_SSLVERSION_MAX_DEFAULT description
- config-dos.h: define strerror() to strerror_s_() for High-C
+- docs: fix typo stuct -> struct
-- [Gisle Vanem brought this change]
+Dan Fandrich (12 Aug 2017)
+- test1447: require a curl with http support
- config-dos.h: define HAVE_TERMIOS_H only for djgpp
+Daniel Stenberg (11 Aug 2017)
+- [Thomas Petazzoni brought this change]
-Steve Holme (14 Feb 2013)
-- smtp.c: Fixed a trailing whitespace
+ curl/system.h: support more architectures
- Remove tailing whitespace introduced in commit 7ed689d24a4e.
-
-- pop3: Fixed blocking SSL connect when connecting via POP3S
+ The long list of architectures in include/curl/system.h is annoying to
+ maintain, and needs to be extended for each and every architecture to
+ support.
- A call to Curl_ssl_connect() was accidentally left in when the SSL/TLS
- connection layer was reworked in 7.29. Not only would this cause the
- connection to block but had the additional overhead of calling the
- non-blocking connect a little bit later.
-
-- smtp: Refactored the smtp_state_auth_resp() function
+ Instead, let's rely on the __SIZEOF_LONG__ define of the gcc compiler
+ (we are in the GNUC condition anyway), which tells us if long is 4
+ bytes or 8 bytes.
- Renamed smtp_state_auth_resp() function to match the implementations in
- IMAP and POP3.
-
-Daniel Stenberg (14 Feb 2013)
-- remove ifdefs
+ This fixes the build of libcurl 7.55.0 on architectures such as
+ OpenRISC or ARC.
- Clarify the code by reducing ifdefs
+ Closes #1766
+
+ Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-- strlcat: remove function
+- test2033: this went flaky again
- This function was only used twice, both in places where performance
- isn't crucial (socks + if2ip). Removing the use of this function removes
- the need to have our private version for systems without it == reduced
- amount of code.
+ Suspicion: when we enabled the threaded resolver by default.
+
+- test1447: verifies the parse proxy fix in 6e0e152ce5c
+
+- [Even Rouault brought this change]
+
+ parse_proxy(): fix memory leak in case of invalid proxy server name
- Also, in the SOCKS case it is clearly better to fail gracefully rather
- than to truncate the results.
+ Fixes the below leak:
- This work was triggered by a bug report on the strcal prototype in
- strequal.h.
+ $ valgrind --leak-check=full ~/install-curl-git/bin/curl --proxy "http://a:b@/x" http://127.0.0.1
+ curl: (5) Couldn't resolve proxy name
+ ==5048==
+ ==5048== HEAP SUMMARY:
+ ==5048== in use at exit: 532 bytes in 12 blocks
+ ==5048== total heap usage: 5,288 allocs, 5,276 frees, 445,271 bytes allocated
+ ==5048==
+ ==5048== 2 bytes in 1 blocks are definitely lost in loss record 1 of 12
+ ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5048== by 0x4E6CB79: parse_login_details (url.c:5614)
+ ==5048== by 0x4E6BA82: parse_proxy (url.c:5091)
+ ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+ ==5048== by 0x4E6EA18: create_conn (url.c:6498)
+ ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967)
+ ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436)
+ ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160)
+ ==5048== by 0x4E7C515: easy_transfer (easy.c:708)
+ ==5048== by 0x4E7C74A: easy_perform (easy.c:794)
+ ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+ ==5048== by 0x414025: operate_do (tool_operate.c:1563)
+ ==5048==
+ ==5048== 2 bytes in 1 blocks are definitely lost in loss record 2 of 12
+ ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5048== by 0x4E6CBB6: parse_login_details (url.c:5621)
+ ==5048== by 0x4E6BA82: parse_proxy (url.c:5091)
+ ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+ ==5048== by 0x4E6EA18: create_conn (url.c:6498)
+ ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967)
+ ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436)
+ ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160)
+ ==5048== by 0x4E7C515: easy_transfer (easy.c:708)
+ ==5048== by 0x4E7C74A: easy_perform (easy.c:794)
+ ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+ ==5048== by 0x414025: operate_do (tool_operate.c:1563)
- strlcat was added in commit db70cd28 in February 2001!
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2984
+ Credit to OSS Fuzz for discovery
- Bug: http://curl.haxx.se/bug/view.cgi?id=1192
- Reported by: Jeremy Huddleston
+ Closes #1761
-- Curl_FormBoundary: made static
-
- As Curl_FormBoundary() is no longer used outside of this file (since
- commit ad7291c1a9d), it is now renamed to formboundary() and is made
- static.
+- RELEASE-NOTES: synced with 37f2195a9
+
+- curlver: bump to 7.55.1
-- ossl_seed: fix the last resort PRNG seeding
+- openssl: fix "error: this statement may fall through"
- Instead of just abusing the pseudo-randomizer from Curl_FormBoundary(),
- this now uses Curl_ossl_random() to get entropy.
+ A gcc7 warning.
-Steve Holme (13 Feb 2013)
-- email: Tidy up before additional IMAP work
+- [David Benjamin brought this change]
+
+ openssl: remove CONST_ASN1_BIT_STRING.
- Replaced two explicit comparisons of CURLE_OK with boolean alternatives.
+ Just making the pointer as const works for the pre-1.1.0 path too.
- General tidy up of comments.
+ Closes #1759
-- smtp: Removed duplicate pingpong structure initialisation
+- maketgz: remove old *.dist files before making the tarball
- The smtp_connect() function was setting the member variables of the
- pingpong structure twice, once before calling Curl_pp_init() and once
- after!
-
-Yang Tse (13 Feb 2013)
-- move msvc IDE related files to 'vs' directory tree
+ To avoid "old crap" unintentionally getting shipped.
- Use 'vs' directory tree given that 'vc' intended one clashes
- with an already existing build target in file Makefile.dist.
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0050.html
+ Reported-by: Christian Weisgerber
-Daniel Stenberg (13 Feb 2013)
-- install-sh: updated to support multiple source files as arguments
+Jay Satiro (10 Aug 2017)
+- mkhelp.pl: allow executing this script directly
- Version 7.29.0 uses Makefiles generated with a newer version of the
- autotools than the previous 7.28.1. These Makefiles try to install
- e.g. header files by calling install-sh with multiple source files as
- arguments. The bundled install-sh is to old and does not support this.
+ - Enable execute permission (chmod +x)
- The problem only occurs, if install-sh is actually being used, ie. the
- platform install executable is to old or not usable. Example: Solaris
- 10.
+ - Change interpreter to /usr/bin/env perl
- The files install-sh and mkinstalldirs are now updated with the automake
- 1.11.3 versions. A better fix might be to completely remove them from
- git and force the files to be added/created during buildconf.
+ Ref: https://github.com/curl/curl/issues/1743
+
+Daniel Stenberg (10 Aug 2017)
+- configure: use the threaded resolver backend by default if possible
- Bug: http://curl.haxx.se/bug/view.cgi?id=1195
- Reported by: Rainer Jung
+ Closes #1647
-Yang Tse (13 Feb 2013)
-- move msvc IDE related files to 'vc' directory tree
+- cmake: move cmake_uninstall.cmake to CMake/
+
+ Closes #1756
-- msvc IDE 'vc' directory tree preparation
+- metalink: fix error: ‘*’ in boolean context, suggest ‘&&’ instead
-Steve Holme (12 Feb 2013)
-- imap: Corrected a whitespace issue from previous commit
+- dist: fix the cmake build by shipping cmake_uninstall.cmake.in too
- Fixed a small whitespace issue that crept in there in commit
- 508cdf4da4d7.
+ Fixes #1755
-- email: Another post optimisation of endofresp() tidy up
+- travis: verify "make install"
+
+ Help-by: Jay Satiro
+ Closes #1753
-- sasl: Fixed null pointer reference when decoding empty digest challenge
+Marcel Raad (10 Aug 2017)
+- build: check out *.sln files with Windows line endings
- Fixed a null pointer reference when an empty challenge is passed to the
- Curl_sasl_create_digest_md5_message() function.
+ Visual Studio doesn't like LF line endings in solution files and always
+ converts them to CRLF when doing changes to the solution. Notably, this
+ affects the solutions in the release archive.
- Bug: http://sourceforge.net/p/curl/bugs/1193/
- Reported by: Saran Neti
+ Closes https://github.com/curl/curl/pull/1746
-- email: Post optimisation of endofresp() tidy up
+- gitignore: ignore top-level .vs folder
- Removed unnecessary end of line check and return.
+ This folder is generated when using the CMake build system from within
+ Visual Studio.
+
+ Closes https://github.com/curl/curl/pull/1746
-Nick Zitzmann (12 Feb 2013)
-- darwinssl: Fix send glitchiness with data > 32 or so KB
+Jay Satiro (10 Aug 2017)
+- digest_sspi: Don't reuse context if the user/passwd has changed
+
+ Bug: https://github.com/curl/curl/issues/1685
+ Reported-by: paulharris@users.noreply.github.com
- An ambiguity in the SSLWrite() documentation lead to a bad inference in the
- code where we assumed SSLWrite() returned the amount of bytes written to
- the socket, when that is not actually true; it returns the amount of data
- that is buffered for writing to the socket if it returns errSSLWouldBlock.
- Now darwinssl_send() returns CURLE_AGAIN if data is buffered but not written.
+ Assisted-by: Isaac Boukris
- Reference URL: http://curl.haxx.se/mail/lib-2013-02/0145.html
+ Closes https://github.com/curl/curl/pull/1742
-Steve Holme (12 Feb 2013)
-- pingpong.h: Fixed line length over 78 characters from b56c9eb48e3c
+Daniel Stenberg (9 Aug 2017)
+- [Adam Sampson brought this change]
-- pingpong: Optimised the endofresp() function
+ dist: Add dictserver.py/negtelnetserver.py to EXTRA_DIST
- Reworked the pp->endofresp() function so that the conndata, line and
- line length are passed down to it just as with Curl_client_write()
- rather than each implementation of the function having to query
- these values.
+ These weren't included in the 7.55.0 release, but are required in order
+ to run the full test suite.
- Additionally changed the int return type to bool as this is more
- representative of the function's usage.
+ Closes #1744
-- email: Post STARTLS capability code tidy up (Part Three)
-
- Corrected the order of the upgrade_tls() functions and moved the handler
- upgrade and getsock() functions out from the middle of the state related
- functions.
+- [Adam Sampson brought this change]
-- email: Post STARTLS capability code tidy up (Part Two)
+ curl: do bounds check using a double comparison
+
+ The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
+ complete: if the parsed number in num is larger than will fit in a long,
+ the conversion is undefined behaviour (causing test1427 to fail for me
+ on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting
+ rid of the cast means the comparison will be done using doubles.
- Corrected the order of the pop3_state_capa() / imap_state_capability()
- and the pop3_state_capa_resp() / imap_state_capability_resp() functions
- to match the execution order.
+ It might make more sense for the max argument to also be a double...
+
+ Fixes #1750
+ Closes #1749
-Daniel Stenberg (11 Feb 2013)
-- [ulion brought this change]
+- make install: add 8 missing man pages to the installation
- SOCKS: fix socks proxy when noproxy matched
+- build: fix 'make install' with configure, install docs/libcurl/* too
- Test 1212 added to verify
+ Broken since d24838d4da9faa
- Bug: http://curl.haxx.se/bug/view.cgi?id=1190
-
-Steve Holme (11 Feb 2013)
-- ntlm: Updated comments for the addition of SASL support to IMAP in v7.29
+ Reported-by: Bernard Spil
-- RELEASE-NOTES: Updated following the recent imap/pop3/smtp changes
+Version 7.55.0 (9 Aug 2017)
-Linus Nielsen Feltzing (10 Feb 2013)
-- Fix NULL pointer reference when closing an unused multi handle.
+Daniel Stenberg (9 Aug 2017)
+- RELEASE-NOTES: curl 7.55.0
-Steve Holme (10 Feb 2013)
-- email: Post STARTLS capability code tidy up (Part One)
-
- Corrected the order of the CAPA / CAPABILITY state machine constants to
- match the execution order.
+- THANKS: 20 new contributors in 7.55.0
-- imap: Fixed memory leak following commit f6010d9a0359
+- [Viktor Szakats brought this change]
-- smtp: Added support for the STARTTLS capability (Part Two)
+ docs/comments: Update to secure URL versions
- Added honoring of the tls_supported flag when starting a TLS upgrade
- rather than unconditionally attempting it. If the use_ssl flag is set
- to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the
- connection will continue to authenticate. If this flag is set to
- CURLUSESSL_ALL then the connection will complete with a failure as it
- did previously.
+ Closes #1741
-- pop3: Added support for the STLS capability (Part Three)
+- configure: fix recv/send/select detection on Android
- Added honoring of the tls_supported flag when starting a TLS upgrade
- rather than unconditionally attempting it. If the use_ssl flag is set
- to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the
- connection will continue to authenticate. If this flag is set to
- CURLUSESSL_ALL then the connection will complete with a failure as it
- did previously.
-
-- imap: Added support for the STARTTLS capability (Part Three)
+ ... since they now provide several functions as
+ __attribute__((overloadable)), the argument detection logic need
+ updates.
- Added honoring of the tls_supported flag when starting a TLS upgrade
- rather than unconditionally attempting it. If the use_ssl flag is set
- to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the
- connection will continue to authenticate. If this flag is set to
- CURLUSESSL_ALL then the connection will complete with a failure as it
- did previously.
+ Patched-by: destman at github
+
+ Fixes #1738
+ Closes #1739
-Daniel Stenberg (10 Feb 2013)
-- [Alessandro Ghedini brought this change]
+Marcel Raad (8 Aug 2017)
+- ax_code_coverage.m4: update to latest version
+
+ This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d
+ from August 01, 2017. Notably, this removes the lconv version whitelist.
+
+ Closes https://github.com/curl/curl/pull/1716
- htmltitle: fix suggested build command
+Daniel Stenberg (7 Aug 2017)
+- test1427: verify command line parser integer overflow detection
-Steve Holme (10 Feb 2013)
-- pop3: Added support for the STLS capability (Part Two)
+- curl: detect and bail out early on parameter integer overflows
- Added sending of initial CAPA command before STLS is sent. This allows
- for the detection of the capability before trying to upgrade the
- connection.
-
-- imap: Added support for the STARTTLS capability (Part Two)
+ Make the number parser aware of the maximum limit curl accepts for a
+ value and return an error immediately if larger, instead of running an
+ integer overflow later.
- Added sending of initial CAPABILITY command before STARTTLS is sent.
- This allows for the detection of the capability before trying to
- upgrade the connection.
+ Fixes #1730
+ Closes #1736
-- smtp: Added support for the STLS capability (Part One)
+- glob: do not continue parsing after a strtoul() overflow range
- Introduced detection of the STARTTLS capability, in order to add support
- for TLS upgrades without unconditionally sending the STARTTLS command.
-
-- pop3: Added support for the STLS capability (Part One)
+ Added test 1289 to verify.
- Introduced detection of the STLS capability, in order to add support
- for TLS upgrades without unconditionally sending the STLS command.
+ CVE-2017-1000101
+
+ Bug: https://curl.haxx.se/docs/adv_20170809A.html
+ Reported-by: Brian Carpenter
-- imap: Added support for the STARTTLS capability (Part One)
+- tftp: reject file name lengths that don't fit
+
+ ... and thereby avoid telling send() to send off more bytes than the
+ size of the buffer!
- Introduced detection of the STARTTLS capability, in order to add support
- for TLS upgrades without unconditionally sending the STARTTLS command.
+ CVE-2017-1000100
+
+ Bug: https://curl.haxx.se/docs/adv_20170809B.html
+ Reported-by: Even Rouault
+
+ Credit to OSS-Fuzz for the discovery
-- RELEASE-NOTES: synced with 92f7606f29b704
+- [Even Rouault brought this change]
-- smtp: Fixed an issue when processing EHLO failure responses (Part 3)
+ file: output the correct buffer to the user
- Follow up fix to commit 62bd21746443 to cater for servers that don't
- respond with a 250 in their EHLO responses. Additionally updated the
- SMTP tests to respond with a 250 response code as per RFC5321.
-
-- pop3: Fixed SASL authentication capability detection
+ Regression brought by 7c312f84ea930d8 (April 2017)
- Fixed the SASL capability detection to include the space character
- before the authentication mechanism list. Otherwise a capability such
- as SASLSOMETHING would be interpreted as enabling SASL and potentially
- trying to identify SOMETHING as a mechanism.
-
-- pop3: Fixed incorrect return value from pop3_endofresp()
+ CVE-2017-1000099
- Corrected an incorrect return value when -ERR is received from the
- server - introduced in commit b5bb61ee697b (June 2012).
-
-- smtp: Fixed an issue when processing EHLO failure responses (Part 2)
+ Bug: https://curl.haxx.se/docs/adv_20170809C.html
- Follow up fix to commit 23d17190ee32 as EHLO capabilities can exist
- within a positive response line.
+ Credit to OSS-Fuzz for the discovery
-- smtp: Fixed an issue with missing capabilities after the AUTH line
+- easy_events: make event data static
- Follow up to commit 40f9bb787f05 to fix missing capabilities after an
- AUTH line.
-
-Nick Zitzmann (8 Feb 2013)
-- darwinssl: Make certificate errors less techy
+ First: this function is only used in debug-builds and not in
+ release/real builds. It is used to drive tests using the event-based
+ API.
- Previously if a problem was found with one of the server's certificates,
- we'd log an OSStatus for the end user to look up. Now we explain what
- was wrong with the site's certificate chain. Also un-did part of the
- previous commit where the code wouldn't catch errSSLServerAuthCompleted
- if built under Leopard.
+ A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the
+ CURLMOPT_TIMERFUNCTION calback can in fact be called even after this
+ funtion returns, namely when curl_multi_remove_handle() is called.
+
+ Reported-by: Brian Carpenter
-Guenter Knauf (9 Feb 2013)
-- Updated dependency libs.
+- getparameter: avoid returning uninitialized 'usedarg'
+
+ Fixes #1728
-Steve Holme (9 Feb 2013)
-- imap: Corrected some comments
+Marcel Raad (5 Aug 2017)
+- [Isaac Boukris brought this change]
-- smtp: Fixed an issue when processing EHLO failure responses
+ gssapi: fix memory leak of output token in multi round context
- Fixed a small issue where smtp_endofresp() would look for capabilities
- in the description part of a failure response. In theory a server
- shouldn't respond with SIZE or AUTH in an EHLO command's failure
- response but if it did then capabilities would be unnecessarily set
- before eventually failing.
+ When multiple rounds are needed to establish a security context
+ (usually ntlm), we overwrite old token with a new one without free.
+ Found by proposed gss tests using stub a gss implementation (by
+ valgrind error), though I have confirmed the leak with a real
+ gssapi implementation as well.
+
+ Closes https://github.com/curl/curl/pull/1733
-- pop3: Reworked pop3_endofresp() to simplify it little
+- darwinssl: fix compiler warning
+
+ clang complains:
+ vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive
+ [-Werror,-Wextra-tokens]
- Reworked pop3_endofresp() to simplify it and provide consistency between
- imap and smtp.
+ This breaks the darwinssl build on Travis. Fix it by making this token
+ a comment.
+
+ Closes https://github.com/curl/curl/pull/1734
-- imap: Renamed state variables in imap_authenticate()
+- CMake: fix CURL_WERROR for MSVC
- Renamed the authstate1 and authstate2 variables in imap_authenticate()
- as the old name was a left over from when there was only one state
- variable which was named due to a clash with the state() function.
+ When using CURL_WERROR in MSVC builds, the debug flags were overridden
+ by the release flags and /WX got added twice in debug mode.
- Additionally this provides consistency with the smtp module.
+ Closes https://github.com/curl/curl/pull/1715
-- smtp: Reworked smtp_endofresp() to allow for extra capability detection
+Daniel Stenberg (4 Aug 2017)
+- RELEASE-NOTES: synced with 561e9217c
-- smtp: Renamed smtp_state_auth_passwd_resp() function
+- test1010: verify that #1718 is fixed
- Renamed the login password response function to better describe it's
- purpose as well as for consistency with the imap and pop3 modules.
-
-Daniel Stenberg (8 Feb 2013)
-- [Gisle Vanem brought this change]
+ ... by doing two transfers in nocwd mode and check that there's no
+ superfluous CWD command.
- ntlm: fix memory leak
+- FTP: skip unnecessary CWD when in nocwd mode
- Running tests\libtest\libntlmconnect.exe reveals a 1 byte (!) leak in
- ./lib/curl_ntlm_msgs.c:
+ ... when reusing a connection. If it didn't do any CWD previously.
- perl ..\memanalyze.pl c:memdebug.curl
- Leak detected: memory still allocated: 1 bytes
- At 9771e8, there's 1 bytes.
- allocated by curl_ntlm_msgs.c:399
+ Fixes #1718
+
+Marcel Raad (4 Aug 2017)
+- travis: explicitly specify dist
- Snippet from curl_ntlm_msgs.c:
- /* setup ntlm identity's domain and length */
- dup_domain.tchar_ptr = malloc(sizeof(TCHAR) * (domlen + 1));
+ This makes the builds more reproducible as travis is currently rolling
+ out trusty as default dist [1]. Specifically, this avoids coverage
+ check failures when trusty is used as seen in [2] until we figure out
+ what's wrong.
- (my domlen == 0).
+ [1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming
+ [2] https://github.com/curl/curl/pull/1692
- 'dup_domain.tbyte_ptr' looks to be freed in Curl_ntlm_sspi_cleanup() via
- 'ntlm->identity.Domain'. But I see no freeing of 'dup_domain.tchar_ptr'.
+ Closes https://github.com/curl/curl/pull/1725
-- DONE: consider callback-aborted transfers premature
-
- This bug report properly identified that when doing SMTP and aborting
- the transfer with a callback, it must be considered aborted prematurely
- by the code to avoid QUIT etc to be attempted as that would cause a
- hang.
-
- The new test case 1507 verifies this behavior.
+Daniel Stenberg (4 Aug 2017)
+- travis: BUILD_TYPE => T
- Reported by: Patricia Muscalu
- Bug: http://curl.haxx.se/bug/view.cgi?id=1184
+ (to make the full line appear nicer on travis web UI)
-- FAQ: refreshed some phrases
+- travis: add osx build with darwinssl
+
+ Closes #1706
-Nick Zitzmann (7 Feb 2013)
-- darwinssl: Fix build under Leopard
+- darwin: silence compiler warnings
+
+ With a clang pragma and three type fixes
- It turns out that Leopard (OS X 10.5) doesn't have constants for the ECDH
- ciphers in its headers, so the cases for them have been taken out of the
- build when building under Leopard. Also added a standard function for
- getting a string description of a SecCertificateRef.
+ Fixes #1722
-Steve Holme (7 Feb 2013)
-- RELEASE-NOTES: Added new imap features
+- BUILD.WINDOWS: mention buildconf.bat for builds off git
-- imap: Added support for SASL-IR extension (Part 2)
-
- Modified imap_authenticate() to add support for sending the initial
- response with the AUTHENTICATE command, as per RFC4959.
+- darwinssl: fix curlssl_sha256sum() compiler warnings on first argument
-- smtp: Updated SMTP_AUTH_PASSWD state constant
-
- Changed the SMTP_AUTH_PASSWD state constant to SMTP_AUTH_LOGIN_PASSWD to
- better describe the state as the second part of an AUTH LOGIN command,
- as well as for consistency with the imap and pop3 modules.
+- test130: verify comments in .netrc
-- imap: Added support for SASL-IR extension (Part 1)
-
- Introduced detection of the SASL-IR capability, in order to add support
- for sending the initial response with the AUTHENTICATE command, as per
- RFC4959.
+- [Gisle Vanem brought this change]
-Daniel Stenberg (7 Feb 2013)
-- Revert "vc: remove explicit MSVC6 IDE project file and documentation"
+ netrc: skip lines starting with '#'
- This reverts commit 0e66d5878edc3d7ffc445116d194b58bbc7504b9.
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html
-Steve Holme (7 Feb 2013)
-- imap: Changed response tag generation to be completely unique
+Marcel Raad (3 Aug 2017)
+- CMake: set MSVC warning level to 4
- Updated the automatic response tag generation to follow the examples
- given in RC3501, which list a 4 character string such as A001, A002,
- etc.
+ The MSVC warning level defaults to 3 in CMake. Change it to 4, which is
+ consistent with the Visual Studio and NMake builds. Disable level 4
+ warning C4127 for the library and additionally C4306 for the test
+ servers to get a clean CURL_WERROR build as that warning is raised in
+ some macros in older Visual Studio versions.
- As a unique identifier should be generated for each command the string
- generation is based on the connection id and the incrementing command
- id.
+ Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794
+ Closes https://github.com/curl/curl/pull/1711
-Dan Fandrich (6 Feb 2013)
-- Tweak the Android.mk file for its new location
+Daniel Stenberg (2 Aug 2017)
+- CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2
- This is untested, but ought to be enough to still allow it
- to work automatically when the entire curl source tree is
- dropped into a full Android source tree.
+ Reported-by: Viktor Szakats
-Daniel Stenberg (6 Feb 2013)
-- vc: remove explicit MSVC6 IDE project file and documentation
+- CURLOPT_NETRC.3: mention the file name on windows
- VC6 is _very_ old and we provide working makefiles even for that
- compiler. Users who build with the IDE never use that method and project
- file anyway and it was just lingering in the root dir.
+ ... and CURLOPT_NETRC_FILE(3).
-Steve Holme (6 Feb 2013)
-- imap: Small variable rename in preparation for upcoming change
-
- Renamed a couple of variables and updated some comments in
- preparation for upcoming command id / response tag change.
+- travis: build osx with libressl too
-Daniel Stenberg (6 Feb 2013)
-- msvc: move Makefile.msvc.names into winbuild/
-
- In an attempt to clear up misc files from the root dir
+- travis: build osx with openssl too
-- build: move Android.mk to packages/Android/
+- tests/server/util: fix curltime mistake from 4dee50b9c80f9
-- emacs files: remove from git and dist
+Marcel Raad (1 Aug 2017)
+- curl_threads: fix MSVC compiler warning
- We don't need them and I doubt many people used them. We also don't have
- any configs for other editors and we wouldn't want that.
+ Use LongToHandle to convert from long to HANDLE in the Win32
+ implementation.
+ This should fix the following warning when compiling with
+ MSVC 11 (2012) in 64-bit mode:
+ lib\curl_threads.c(113): warning C4306:
+ 'type cast' : conversion from 'long' to 'HANDLE' of greater size
+
+ Closes https://github.com/curl/curl/pull/1717
-Steve Holme (6 Feb 2013)
-- email: Moved starttls code in separate functions
+Daniel Stenberg (1 Aug 2017)
+- BUGS: improved phrasing about security bugs
- To help maintain the readability of the code in imap.c, pop3.c and
- smtp.c moved the starttls code into state_starttls() functions.
+ Reported-by: Max Dymond
-- [Nick Zitzmann brought this change]
+- BUGS: clarify how to report security related bugs
- FEATURES: More NTLM and SSL changes, added two others, fixed typo
+- [Brad Spencer brought this change]
+
+ multi: fix request timer management
+
+ There are some bugs in how timers are managed for a single easy handle
+ that causes the wrong "next timeout" value to be reported to the
+ application when a new minimum needs to be recomputed and that new
+ minimum should be an existing timer that isn't currently set for the
+ easy handle. When the application drives a set of easy handles via the
+ `curl_multi_socket_action()` API (for example), it gets told to wait the
+ wrong amount of time before the next call, which causes requests to
+ linger for a long time (or, it is my guess, possibly forever).
- Added IDN and HTTP data compression as they were left out of the
- document until now.
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html
+
+Jay Satiro (1 Aug 2017)
+- curl_setup: Define CURL_NO_OLDIES for building libcurl
- Added notes for qssl, schannel and Secure Transport supporting SSLv2,
- Secure Transport supports NTLM, and axTLS does not support SSLv3.
+ .. to catch accidental use of deprecated error codes.
- There was also a typo; "AUTH TSL" should be "AUTH TLS".
+ Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237
-Kamil Dudka (6 Feb 2013)
-- curl-config.in: do not randomly mix tabs and spaces
+Daniel Stenberg (1 Aug 2017)
+- [Jeremy Tan brought this change]
-Daniel Stenberg (6 Feb 2013)
-- 7.29.1: onwards!
+ configure: fix the check for IdnToUnicode
+
+ Fixes #1669
+ Closes #1713
-- THANKS: 12 contributors from 7.29.0
+- http: fix response code parser to avoid integer overflow
+
+ test 1429 and 1433 were updated to work with the stricter HTTP status line
+ parser.
+
+ Closes #1714
+ Reported-by: Brian Carpenter
-Version 7.29.0 (6 Feb 2013)
+Jay Satiro (31 Jul 2017)
+- [Dwarakanath Yadavalli brought this change]
-Daniel Stenberg (6 Feb 2013)
-- vms: config-vms.h is removed, no use trying to distribute it
+ libcurl: Stop using error codes defined under CURL_NO_OLDIES
+
+ Fixes https://github.com/curl/curl/issues/1688
+ Closes https://github.com/curl/curl/pull/1712
-- RELEASE-NOTES: mention the SASL buffer overflow
+- include.d: clarify --include is only for response headers
+
+ Follow-up to 171f8de and de6de94.
+
+ Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851
+ Reported-by: Daniel Stenberg
-- [Eldar Zaitov brought this change]
+Daniel Stenberg (30 Jul 2017)
+- [Jason Juang brought this change]
- Curl_sasl_create_digest_md5_message: fix buffer overflow
+ cmake: support make uninstall
- When negotiating SASL DIGEST-MD5 authentication, the function
- Curl_sasl_create_digest_md5_message() uses the data provided from the
- server without doing the proper length checks and that data is then
- appended to a local fixed-size buffer on the stack.
+ Closes #1674
+
+- RELEASE-NOTES: synced with 001701c47
+
+Marcel Raad (29 Jul 2017)
+- AppVeyor: now really use CURL_WERROR
- This vulnerability can be exploited by someone who is in control of a
- server that a libcurl based program is accessing with POP3, SMTP or
- IMAP. For applications that accept user provided URLs, it is also
- thinkable that a malicious user would feed an application with a URL to
- a server hosting code targetting this flaw.
+ It was misspelled as CURL_ERROR in commit
+ 2d86e8d1286e0fbe3d811e2e87fa0b5e53722db4.
- Bug: http://curl.haxx.se/docs/adv_20130206.html
+ Closes https://github.com/curl/curl/pull/1686
-Steve Holme (6 Feb 2013)
-- FEATURES: Removed erroneous whitespace
+Jay Satiro (29 Jul 2017)
+- tool_help: clarify --include is only for response headers
- Removed whitespace introduced in commit 5f8f20f5e65b that caused
- formatting issues when generating the website docs.
-
-Yang Tse (6 Feb 2013)
-- setup-vms.h: post VMS patch cleanup - III
+ Follow-up to 171f8de.
- - rename post-config-vms.h to setup-vms.h
- - move its inclusion into proper location in curl_setup.h
+ Ref: https://github.com/curl/curl/issues/1704
-- vms_show: post VMS patch cleanup - II
+- splay: fix signed/unsigned mismatch warning
- - remove multiple declarations of vms_show and add comments
-
-- tool_main.c: post VMS patch cleanup - I
+ Follow-up to 4dee50b.
- - remove header inclusion already done in curl_setup_once.h
+ Ref: https://github.com/curl/curl/pull/1693
-Steve Holme (6 Feb 2013)
-- FEATURES: Added SSPI to list of NTLM libraries
+Daniel Stenberg (28 Jul 2017)
+- include.d: clarify that it concerns the response headers
+
+ Reported-by: olesteban at github
+ Fixes #1704
-- FEATURES: Added Secure Transport and qssl to list of SSL libraries
+- [Johannes Schindelin brought this change]
-- FEATURES: Added email feature set
+ curl_rtmp: fix a compiler warning
- Added SMTP, SMTPS, POP3, POP3S, IMAP and IMAPS features.
-
-- imap.h: Corrected incorrect comment clarification
+ The headers of librtmp declare the socket as `int`, and on Windows, that
+ disagrees with curl_socket_t.
- Corrected comment clarification made in commit 167717b8069a.
-
-- COPYING: Updated copyright year to include 2013
-
-Daniel Stenberg (5 Feb 2013)
-- RELEASE-NOTES: synced with 25f351424b3538
+ Bug: #1652
- 8 more bug fixes mentioned
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [John E. Malmberg brought this change]
+- test1323: verify curlx_tvdiff
- VMS: fix and generate the VMS build config
+- timeval: struct curltime is a struct timeval replacement
- config_h.com is a new file that generates a config.h file based on the
- curl_config.h.in file and a quick scan of the configure script. This is
- actually a generic procedure that is shared with other VMS packages.
+ ... to make all libcurl internals able to use the same data types for
+ the struct members. The timeval struct differs subtly on several
+ platforms so it makes it cumbersome to use everywhere.
- The existing pre-built config-vms.h had over 100 entries that were not
- correct and in some cases conflicted with the build options available in
- the build_vms.com.
+ Ref: #1652
+ Closes #1693
+
+- darwinssl: fix variable type mistake (regression)
- generate_config_vms_h_curl.com is a helper procedure to the
- config_h.com. It covers the cases that the generic config_h.com is not
- able to figure out, and accepts input from the build_vms.com procedure.
+ ... which made --tlsv1.2 not work because it would blank the max tls
+ version variable.
- build_curlbuild_h.com is a new file to generate the curlbuild.h file
- that Curl is now using when it is using a curl_config.h file.
+ Reported-by: Nick Miyake
+ Bug: #1703
+
+- multi: mention integer overflow risk if using > 500 million sockets
- post-config-vms.h is a new file that is needed to provide VMS specific
- definitions, and most of them need to be set before the system header
- files are included.
+ Reported-by: ovidiu-benea@users.noreply.github.com
- The VMS build procedure is fixed:
+ Closes #1675
+ Closes #1683
+
+- checksrc: escape open brace in regex
- 1. Fixed to link in the correct HP ssl library.
- 2. Fixed to detect if HP Kerberos is installed.
- 3. Fixed to detect if HP LDAP is installed.
- 4. Fixed to detect if gnv$libzshr is installed.
- 5. Simplified the input parameter parsing to not use a loop.
- 6. Warn that 64 bit pointer option support is not complete
- in comments.
- 7. Default to IEEE floating if platform supports it so
- resulting libcurl will be compatible with other
- open source projects on VMS.
- 8. Default to LARGEFILE if platform supports it.
- 9. Default to enable SSL, LDAP, Kerberos, libz
- if the libraries are present.
- 10. Build with exact case global symbols for libcurl.
- 11. Generate linker option file needed.
- 12. Compiler list option only commonly needed items.
- 13. fulllist option for those who really want it.
- 14. Create debug symbol file on Alpha, IA64.
+ ... to silence warning.
-- Curl_proxyCONNECT: return once CONNECT is sent
+Kamil Dudka (20 Jul 2017)
+- nss: fix a possible use-after-free in SelectClientCert()
- By doing this unconditionally, we infer a simpler and more defined
- behavior. This also has the upside that test 1021 no longer fails for me
- even if I run with valgrind.
+ ... causing a SIGSEGV in showit() in case the handle used to initiate
+ the connection has already been freed.
- Also fixed some wrong comments.
-
-Steve Holme (5 Feb 2013)
-- email: Reworked comments in the endofresp() functions
+ This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.
- Tidied up the comments in the endofresp() functions to be more
- meaningful prior to release.
+ Reported-by: Rob Sanders
+ Bug: https://bugzilla.redhat.com/1436158
-Marc Hoersken (5 Feb 2013)
-- schannel: Removed extended error connection setup flag
+- nss: unify the coding style of nss_send() and nss_recv()
- According KB975858 this flag may cause problems on Windows 7 and
- Windows Server 2008 R2 systems. Extended error information is not
- currently used by libcurl and therefore not a requirement.
+ No changes in behavior intended by this commit.
+
+Marcel Raad (18 Jul 2017)
+- tests/server/resolve.c: fix deprecation warning
- The flag may improve the SSL-connection shutdown in case of an
- error. This means it might be a good improvement in the future.
+ MSVC warns that gethostbyname is deprecated. Always use getaddrinfo
+ instead to fix this when IPv6 is enabled, also for IPv4 resolves. This
+ is also consistent with what libcurl does.
- Fixes bug/issue #1187 - thanks for the report
+ Closes https://github.com/curl/curl/pull/1682
-Daniel Stenberg (5 Feb 2013)
-- [Tor Arntsen brought this change]
+Jay Satiro (17 Jul 2017)
+- darwinssl: fix pinnedpubkey build error
+
+ - s/SessionHandle/Curl_easy/
+
+ Bug: https://github.com/curl/curl/commit/eb16305#commitcomment-23035670
+ Reported-by: Gisle Vanem
- singleipconnect: Update *sockp for all CURLE_OK
+Marcel Raad (16 Jul 2017)
+- rtspd: fix GCC warning after MSVC warning fix
- The 56b7c87c7 change left a case where a good sockfd was not copied to
- *sockp before returning with CURLE_OK
+ Older GCC warns:
+ /tests/server/rtspd.c:1194:10: warning: missing braces around
+ initializer [-Wmissing-braces]
+
+ Fix this by using memset instead of an initializer.
-- curl_easy_perform: Value stored to 'mcode' is never read
+- libtest: fix MSVC warning C4706
- pointed out by clang-analyzer
+ With warning level 4, MSVC warns about assignments within conditional
+ expressions. Change the while loop to a do-while loop to fix this. This
+ change is also consistent with CODE_STYLE.md.
-- singleipconnect: remove dead assignment
+- sockfilt: suppress conversion warning with explicit cast
- pointed out by clang-analyzer
+ MSVC warns when implicitly casting -1 to unsigned long.
-Linus Nielsen Feltzing (5 Feb 2013)
-- CURLMOPT_MAXCONNECTS: restore functionality
+- rtspd: fix MSVC level 4 warning
- When a connection is no longer used, it is kept in the cache. If the
- cache is full, the oldest idle connection is closed. If no connection is
- idle, the current one is closed instead.
+ warning C4701: potentially uninitialized local variable 'req' used
-Steve Holme (5 Feb 2013)
-- RELEASE-NOTES: Updated following recent changes to the email protocols
+- winbuild: re-enable warning C4127 for curl tool
- Added recent additions and fixes following the changes to imap, pop3
- and smtp. Additionally added another contributor that helped to test
- the imap sasl changes.
+ Disabled in cda19a345f6970e22fe8b7a808aeb8f086a21eac. It only needs to
+ be disabled for libcurl.
-- email: Provided extra comments following recent pop3/imap fixes
+- winbuild: build with warning level 4
+
+ This is consistent with 7bc64561a2e63ca93e4b0b31d350773ba80955c2, which
+ changed the warning level from 3 to 4 for the Visual Studio project
+ files. But disable the level 4 warning C4127 "conditional expression is
+ constant", as that one is issued by older versions of the Windows SDK
+ as well as curl itself under some circumstances.
- Provided additional clarification about the logic of the authenticate()
- functions following commit 6b6bdc83bd36 and b4270a9af1d0.
+ Closes https://github.com/curl/curl/pull/1667
-Daniel Stenberg (5 Feb 2013)
-- [Andrei Kurushin brought this change]
+Jay Satiro (12 Jul 2017)
+- [Max Dymond brought this change]
- winbuild: include version info for .dll .exe
+ travis: install libidn2
- Bug: http://curl.haxx.se/bug/view.cgi?id=1186
-
-- FAQ: clarify 5.13 How do I stop an ongoing transfer
+ Install libidn2 to increase test coverage (IDN tests)
- Rich Gray provided good feedback and we now clarify that you can in fact
- stop a multi transfer at any point you like by removing the easy handle.
-
-- [Matt Arsenault brought this change]
+ Closes https://github.com/curl/curl/pull/1673
- cmake: Fix mingw build
+Marcel Raad (12 Jul 2017)
+- travis: enable warnings also in release mode
+
+ ... to get warnings also on Linux/GCC and OSX/clang.
+
+ Closes https://github.com/curl/curl/pull/1666
-- [Sergei Nikulov brought this change]
+Daniel Stenberg (12 Jul 2017)
+- [Max Dymond brought this change]
- cmake: updated OpenSSL build
+ travis: install libssh2
+
+ Install libssh2 to increase test coverage (SFTP, SCP)
-Steve Holme (4 Feb 2013)
-- pop3.c: Updated variable names to use shorter / more readable variant
+Marcel Raad (12 Jul 2017)
+- system.h: include winsock2.h before windows.h
- Tidied up code from commit 6b6bdc83bdUpdated where a few instances of
- the pop3c struct variable used the longer conndata struct rather than
- matching what other code in pop3_authenticate() used.
+ ... to avoid compiler warnings if the user doesn't want
+ WIN32_LEAN_AND_MEAN.
-Guenter Knauf (4 Feb 2013)
-- updated copyright years.
+- build: remove WIN32_LEAN_AND_MEAN from individual build systems
+
+ It's defined for all build systems in curl_setup.h since commit
+ beb08481d01a07a8b10938b1078a5e298b1c2912. This caused macro
+ redefinition warnings in the configure builds.
+
+ Closes https://github.com/curl/curl/pull/1677
-- configure: update the copyright years for the output.
+Jay Satiro (11 Jul 2017)
+- ISSUE_TEMPLATE: Add a comment not to file security issues on github
-Steve Holme (3 Feb 2013)
-- imap: Fixed no known authentication mechanism when fallback is required
+Marcel Raad (11 Jul 2017)
+- curl_setup: always define WIN32_LEAN_AND_MEAN on Windows
- Fixed an issue where (lib)curl is compiled without support for a
- supported challenge-response based SASL authentication mechanism, such
- as CRAM-MD5 or NTLM, the server doesn't support the LOGIN or PLAIN
- mechanisms and (lib)curl doesn't fallback to Clear Text authentication.
+ Make sure to always define WIN32_LEAN_AND_MEAN before including any
+ Windows headers to avoid pulling in unnecessary headers. This avoids
+ unnecessary macro clashes and compiler warnings.
- Note: In order to fallback to Clear Text authentication properly this
- fix adds support for the LOGINDISABLED server capability.
- imap: Fixed no known authentication mechanism when fallback is required
+ Ref: https://github.com/curl/curl/issues/1562
+ Closes https://github.com/curl/curl/pull/1672
+
+Jay Satiro (11 Jul 2017)
+- strerror: Preserve Windows error code in some functions
+
+ This is a follow-up to af02162 which removed (SET_)ERRNO macros. That
+ commit was an earlier draft that I committed by mistake, which was then
+ remedied by a5834e5 and e909de6, and now this commit. With this commit
+ there is now no difference between the current code and the changes that
+ were approved in the final draft.
- Fixed an issue where (lib)curl is compiled without support for a
- supported challenge-response based SASL authentication mechanism, such
- as CRAM-MD5 or NTLM, the server doesn't support the LOGIN or PLAIN
- mechanisms and (lib)curl doesn't fallback to Clear Text authentication.
+ Thanks-to: Max Dymond, Marcel Raad, Daniel Stenberg, Gisle Vanem
+ Ref: https://github.com/curl/curl/pull/1589
+
+Marcel Raad (10 Jul 2017)
+- [Max Dymond brought this change]
+
+ tests: Fix up issues with errno in test files
- Note: In order to fallback to Clear Text authentication properly this
- fix adds support for the LOGINDISABLED server capability.
+ Closes https://github.com/curl/curl/pull/1671
+
+Daniel Stenberg (10 Jul 2017)
+- errno: fix non-windows builds after af0216251b94e7
+
+- [Ryan Winograd brought this change]
+
+ make: fix docs build on OpenBSD
- Related bug: http://curl.haxx.se/mail/lib-2013-02/0004.html
- Reported by: Stanislav Ivochkin
+ Ref: #1591
-- pop3: Fixed no known authentication mechanism when fallback is required
+Marcel Raad (10 Jul 2017)
+- ldap: fix MinGW compiler warning
- Fixed an issue where (lib)curl is compiled without support for a
- supported challenge-response based SASL authentication mechanism, such
- as CRAM-MD5 or NTLM, the server doesn't support the LOGIN or PLAIN
- mechanisms and (lib)curl doesn't fallback to APOP or Clear Text
- authentication.
+ ldap_bind_s is marked as deprecated in w32api's winldap.h shipping with
+ the latest original MinGW, resulting in compiler warnings since commit
+ f0fe66f13c93d3d0af45d9fb1231c9164e0f9dc8. Fix this for the non-SSPI
+ case by using ldap_simple_bind_s again instead of ldap_bind_s with
+ LDAP_AUTH_SIMPLE.
- Bug: http://curl.haxx.se/mail/lib-2013-02/0004.html
- Reported by: Stanislav Ivochkin
+ Closes https://github.com/curl/curl/pull/1664
-Daniel Stenberg (1 Feb 2013)
-- singleipconnect: simplify and clean up
+- curl-compilers.m4: disable warning spam with Cygwin's clang
- Remove timeout argument that's never used.
+ When building with Cygwin or MinGW, libtool uses a wrapper executable
+ instead of a wrapper script [1], which is written in C and throws
+ missing-variable-declarations warnings. Don't enable these warnings on
+ Cygwin and MinGW in order to avoid warnings for every executable built,
+ which spams the test suite output when using Cygwin's clang.
- Make the actual connection get detected on a single spot to reduce code
- duplication.
+ [1] https://www.gnu.org/software/libtool/manual/html_node/Wrapper-executables.html
- Store the IPv6 state already when the connection is attempted.
+ Closes https://github.com/curl/curl/pull/1665
-- Curl_perfom: removed
+Jay Satiro (10 Jul 2017)
+- curl_setup_once: Remove ERRNO/SET_ERRNO macros
- Curl_perfom is no longer used anywhere since the always-multi commit
- c43127414d89ccb9, and some related functions were used only from within
- Curl_perfom.
-
-Guenter Knauf (30 Jan 2013)
-- Updated date.
-
-Yang Tse (30 Jan 2013)
-- zz40-xc-ovr.m4: fix 'wc' detection - follow-up 2
+ Prior to this change (SET_)ERRNO mapped to GetLastError/SetLastError
+ for Win32 and regular errno otherwise.
- - Fix a pair of single quotes to double quotes.
+ I reviewed the code and found no justifiable reason for conflating errno
+ on WIN32 with GetLastError/SetLastError. All Win32 CRTs support errno,
+ and any Win32 multithreaded CRT supports thread-local errno.
- URL: http://curl.haxx.se/mail/lib-2013-01/0355.html
- Reported by: Tor Arntsen
+ Fixes https://github.com/curl/curl/issues/895
+ Closes https://github.com/curl/curl/pull/1589
+
+- tool_getparam: fix potentially uninitialized err
-- zz40-xc-ovr.m4: fix 'wc' detection - follow-up
+Marcel Raad (9 Jul 2017)
+- smb: rename variable to fix shadowing warning
- - Take into account that 'wc' may return leading spaces and/or tabs.
+ GCC 4.6.3 on travis complains:
+ smb.c: In function ‘get_posix_time’:
+ smb.c:725:13: error: declaration of ‘time’ shadows a global declaration
+ [-Werror=shadow]
- - Set initial IFS to space, tab and newline.
+ Fix this by renaming the variable.
-- zz40-xc-ovr.m4: fix 'wc' detection
+- tool_cb_wrt: fix variable shadowing warning
- - Take into account that 'wc' may return leading spaces.
+ GCC 4.4 complains:
+ tool_cb_wrt.c:81: error: declaration of ‘isatty’ shadows a global
+ declaration
+ /usr/include/unistd.h:782: error: shadowed declaration is here
- - Set internationalization behavior variables.
+ Fix this by renaming the variable.
- Tor Arntsen analyzed and reported the issue.
-
- URL: http://curl.haxx.se/mail/lib-2013-01/0351.html
+ Closes https://github.com/curl/curl/pull/1661
+
+Daniel Stenberg (8 Jul 2017)
+- RELEASE-NOTES: synced with be2c999b8
-- zz40-xc-ovr.m4: check another three basic utilities
+- travis: install stunnel
-Guenter Knauf (29 Jan 2013)
-- Fixed debug.c to work again unchanged.
+- valgrind.supp: supress OpenSSL false positive seen on travis
+
+- travis: detect and use valgrind for normal builds
- Added CURLOPT_FOLLOWLOCATION since example.com is now redirected.
+ Closes #1653
-Daniel Stenberg (29 Jan 2013)
-- [Nick Zitzmann brought this change]
+- travis: add SMB, DICT, TELNET torture to coverage test
- darwinssl: Fix bug where packets were sometimes transmitted twice
+- [Paul Harris brought this change]
+
+ cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC
- There was a bug where, if SSLWrite() returned errSSLWouldBlock but did
- succeed in transmitting at least something, then we'd incorrectly
- resend the packet. Now we never take errSSLWouldBlock as a sign that
- nothing was transferred to/from the server.
+ Removes BUILD_RELEASE_DEBUG_DIRS since it wasn't used anywhere.
- Bug: http://curl.haxx.se/mail/lib-2013-01/0295.html
- Reported by: Bruno de Carvalho
+ Closes #1649
-- [Nick Zitzmann brought this change]
+- CURLOPT_POSTFIELDS.3: explain the 100-continue magic better
- FAQ: "Darwinssl" is AKA "Secure Transport" and supports NTLM
+- [Max Dymond brought this change]
-- RELEASE-NOTES: only list Nick once
+ test1452: add telnet negotiation
- Even though he's a fine dude, once is enough for this time!
-
-Yang Tse (28 Jan 2013)
-- zz40-xc-ovr.m4: 1.0 interface stabilization
+ Add a basic telnet server for negotiating some telnet options before
+ echoing back any data that's sent to it.
- - Stabilization results in 4 public interface m4 macros:
- XC_CONFIGURE_PREAMBLE
- XC_CONFIGURE_PREAMBLE_VER_MAJOR
- XC_CONFIGURE_PREAMBLE_VER_MINOR
- XC_CHECK_PATH_SEPARATOR
- - Avoid one level of internal indirection
- - Update comments
- - Drop XC_OVR_ZZ40 macro
+ Closes #1645
-Kamil Dudka (28 Jan 2013)
-- docs: fix typos in man pages
+- travis: do more tests in the coverage run
- Reported by: Jiri Jaburek
- Bug: https://bugzilla.redhat.com/896544
+ I added a selection of torture and event tests that run "fast enough"
-- docs: update the comments about loading CA certs with NSS
+- curl_easy_escape.3: mention the (lack of) encoding
- Bug: https://bugzilla.redhat.com/696783
+ Fixes #1612
+ Reported-by: Jeroen Ooms
-Guenter Knauf (28 Jan 2013)
-- Updated dependency libs.
+- [Gisle Vanem brought this change]
-- Fixed simple.c to work again unchanged.
+ memdebug: don't setbuf() if the file open failed
- Added CURLOPT_FOLLOWLOCATION since example.com is now redirected.
+ Bug: https://github.com/curl/curl/issues/828#issuecomment-313475151
-Steve Holme (27 Jan 2013)
-- smtp.c: Fixed unnecessary state change if starttls fails
-
- The state machine should only be changed to SMTP_STARTTLS when the
- STARTTLS command has been successfully sent to the server.
+- appveyor: enable CURL_WERROR on all builds
-- pop3.c: Fixed unnecessary state change if starttls fails
-
- The state machine should only be changed to POP3_STARTTLS when the
- STLS command has been successfully sent to the server.
+- cmake: add CURL_WERROR for enabling "warning as errors"
-- imap.c: Fixed unnecessary state change if starttls fails
+- [Hannes Magnusson brought this change]
+
+ cmake: remove spurious "-l" from linker flags
- The state machine should only be changed to IMAP_STARTTLS when the
- STARTTLS command has been successfully sent to the server.
+ Fixes #1552
+
+- test506: skip if threaded-resolver
-- email: Updated comment regarding ssldone usage
+- runtests: support "threaded-resolver" as a feature
- Updated the ssldone comment as multi mode is always used internally now.
+ ... to let tests require it or skip if present
-Yang Tse (26 Jan 2013)
-- zz40-xc-ovr.m4: emit witness message in configure BODY
+- asyn-thread.c: fix unused variable warnings on macOS
+
+- http: s/TINY_INITIAL_POST_SIZE/EXPECT_100_THRESHOLD
- This avoids witness message in output when running configure --help,
- while sending the message to config.log for other configure runs.
+ Make the name reflect its use better, and add a short comment describing
+ what it's for.
-Steve Holme (25 Jan 2013)
-- smtp.c: Added comments to smtp_endofresp()
+- cmake: if inet_pton is used, bump _WIN32_WINNT
+
+ ... and make sure inet_pton is always checked for when *not* using Windows,
+ which is a regression from 4fc6ebe18.
- Minor code tidy up to add comments similar to those used in the pop3
- and imap end of resp functions, in order to assist anyone reading the
- code and highlight the similarities between each of these protocols.
+ Idea-by: Sergei Nikulov
-Yang Tse (25 Jan 2013)
-- zz40-xc-ovr.m4: truly do version conditional overriding
+- select.h: avoid macro redefinition harder
- - version conditional overriding
- - catch unexpanded XC macros
- - fix double words in comments
+ ... by checking the POLLIN define, as the header file checks don't work
+ on Windows.
-- zz40-xc-ovr.m4: fix variable assignment of subshell output bashism
+- inet_pton: fix include on windows to get prototype
- Tor Arntsen analyzed and reported the issue.
+ inet_pton() exists on Windows and gets used by our cmake builds. Make
+ sure the correct header file is included to avoid compiler warnings.
- URL: http://curl.haxx.se/mail/lib-2013-01/0306.html
+ Closes #1639
-- zz40-xc-ovr.m4: reinstate strict AC_REQUIRE macro dependencies
+- TODO: 1.10 auto-detect proxy
+
+ Closes #1572
-- zz40-xc-ovr.m4: avoid double single-quote usage
+- TODO: HTTP proxy CONNECT is non-blocking now
-- zz40-xc-ovr.m4: parentheses balancing of 'case' statements
+- cmake: fix send/recv argument scanner for windows
+
+ ... by simply trying the Windows argument types first.
- m4 quadrigraph shell comment technique allows proper autoconf
- parentheses balancing in shell 'case' statements. The presence
- of unbalanced parentheses may otherwise trigger expansion bugs.
+ Fixes #1640
+
+- RELEASE-NOTES: synced with 596cfb6c0
+
+- [Gisle Vanem brought this change]
-Steve Holme (24 Jan 2013)
-- smtp.c: Corrected RFC references
+ smb: add support for CURLOPT_FILETIME
- The most recent version of the SMTP RFC is RFC5321 and not RFC2821 as
- previously documented.
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
- Added RFC1870 and re-ordered list numerically.
+ Closes #1643
-- smtp.c: Fixed failure detection during TLS upgrade
+- travis: install nghttp2 on linux builds
- smtp_state_upgrade_tls() would attempt to incorrectly complete the
- upgrade to smtps and start the EHLO command if
- Curl_ssl_connect_nonblocking() returned a failure code and if ssldone
- was set to TRUE. This would only happen when a non-blocking API hadn't
- been provided by the SSL implementation and curlssl_connect() was
- called underneath.
+ Closes #1642
-- pop3.c: Fixed failure detection during TLS upgrade
-
- pop3_state_upgrade_tls() would attempt to incorrectly complete the
- upgrade to pop3s and start the CAPA command if
- Curl_ssl_connect_nonblocking() returned a failure code and if ssldone
- was set to TRUE. This would only happen when a non-blocking API hadn't
- been provided by the SSL implementation and curlssl_connect() was
- called underneath.
+- [Gisle Vanem brought this change]
-- imap.c: Fixed failure detection during TLS upgrade
+ smb: fix build for djgpp/MSDOS
- imap_state_upgrade_tls() would attempt to incorrectly complete the
- upgrade to imaps and start the CAPABILITY command if
- Curl_ssl_connect_nonblocking() returned a failure code and if ssldone
- was set to TRUE. This would only happen when a non-blocking API hadn't
- been provided by the SSL implementation and curlssl_connect() was
- called underneath.
+ bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
-Yang Tse (24 Jan 2013)
-- zz40-xc-ovr.m4: internals overhauling
+- configure: try ldap/lber in reversed order first
- - Update comments
- - Execute commands in subshells
- - Faster path separator check
- - Fix missing 'test' command
- - Rename private macros
- - Minimize AC_REQUIRE usage
-
-Steve Holme (23 Jan 2013)
-- email: Removed unnecessary return statements
+ When scanning for which LDAP libraries to use, try the -lldap -llber
+ combination before the reversed order since it has a greater chance of
+ working when linking with libcurl statically.
- Small tidy up to remove unnecessary return statements prior to the next
- fix.
+ Fixes #1619
+ Closes #1634
+ Reported-by: David E. Narváez
-Yang Tse (23 Jan 2013)
-- zz40-xc-ovr.m4: redirect errors and warnings to stderr
+- configure: remove checks for 5 functions never used
+
+ fork, getprotobyname, inet_addr, perror, uname
+
+ closes #1638
-- zz40-xc-ovr.m4: AC_REQUIRE also XC_CONFIGURE_PREAMBLE success message
+- dist: add SMB python deps into the tarball
-- zz60-xc-ovr.m4: tighten XC_OVR_ZZ60 macro placement requirements
+- [Max Dymond brought this change]
-- configure: use XC_CONFIGURE_PREAMBLE early checks
+ test1451: add SMB support to the testbed
+
+ Add test 1451 which does some very basic SMB testing using the impacket
+ SMB server.
- Some basic checks we make were placed early enough in generated
- configure script when using autoconf 2.5X versions. Newer autoconf
- versions expand these checks much further into the configure script,
- rendering them useless. Using XC_CONFIGURE_PREAMBLE fixes placement
- of early intended checks across all our autoconf supported versions.
+ Closes #1630
-- zz40-xc-ovr.m4: provide XC_CONFIGURE_PREAMBLE macro
+- [Max Dymond brought this change]
-Daniel Stenberg (23 Jan 2013)
-- FAQ: update the SSL lib list and wording in question 2.2
+ test: add impacket for SMB testing
+
+ Import impacket 0.9.15 for use in SMB testing. This was generated by
+ doing "pip2.7 install -t . impacket"
+
+ Unnecessary files for current testing were deleted.
-Steve Holme (22 Jan 2013)
-- curl_sasl.c: Corrected references to RFC
+- travis.yml: use --enable-werror on debug builds
- The most recent version of the RFC is RFC4422 and not RFC2222 as
- previously documented.
+ ... to better detect and fault on compiler warnings/errors
+
+ Closes #1637
-- email: Corrected references to SASL RFC
+- tool_sleep: typecast to avoid macos compiler warning
- The most recent version of the SASL RFC is RFC4422 and not RFC2222 as
- previously documented.
+ tool_sleep.c:54:24: error: implicit conversion loses integer precision:
+ 'long' to '__darwin_suseconds_t' (aka 'int')
+ [-Werror,-Wshorten-64-to-32]
+
+- [Martin Kepplinger brought this change]
-Daniel Stenberg (22 Jan 2013)
-- [Ulion brought this change]
+ timeval.c: Use long long constant type for timeval assignment
+
+ On a 64 bit host, sparse says:
+
+ timeval.c:148:15: warning: constant 0x7fffffffffffffff is so big it is long
+ timeval.c:149:12: warning: constant 0x7fffffffffffffff is so big it is long
+
+ so let's use long long constant types in order to prevent undesired overflow
+ failures.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0003.html
+
+ Closes #1636
+
+ Signed-off-by: Martin Kepplinger <martink@posteo.de>
- formpost: support quotes, commas and semicolon in file names
+- url: make the original string get used on subsequent transfers
- - document the double-quote and backslash need be escaped if quoting.
- - libcurl formdata escape double-quote in filename by backslash.
- - curl formparse can parse filename both contains '"' and ',' or ';'.
- - curl now can uploading file with ',' or ';' in filename.
+ ... since CURLOPT_URL should follow the same rules as other options:
+ they remain set until changed or cleared.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1171
+ Added test 1551 to verify.
+
+ Fixes #1631
+ Closes #1632
+ Reported-by: Pavel Rochnyak
-- memanalyze.pl: handle fopen() of file names with quotes
+- [Johannes Schindelin brought this change]
-Yang Tse (21 Jan 2013)
-- xc-cc-check.m4: re-evaluate exporting and AC_SUBST'ing vars
+ gtls: fix build when sizeof(long) < sizeof(void *)
- Notes:
+ - Change gnutls pointer/int macros to pointer/curl_socket_t.
+ Prior to this change they used long type as well.
- When running a configure script that has nested packages (for example
- libcurl's configure with --enable-ares and c-ares sources embedded in
- curl tree) and AC_CONFIG_SUBDIRS([nested-subdir]) machinery is used to
- automatically run the nested configure script from within the parent
- configure script, it happens that the nested _shell_ script will
- inherit shell variables exported from the parent _shell_ script.
+ The size of the `long` data type can be shorter than that of pointer
+ types. This is the case most notably on Windows.
- If for example parent configure script sets and exports LDFLAGS and LIBS
- variables with proper values in order to link either a parent library or
- program with a library which will be configured and built by a nested
- package; It will happen that when the nested configure script runs, the
- nested library does not exist yet and _any_ link-test done in the nested
- configure will fail, such as those that autoconf macros perform in order
- to detect existing compiler and its characteristics, the result is that
- the nested configure script will fail with errors such as:
+ If C99 were acceptable, we could simply use `intptr_t` here. But we
+ want to retain C89 compatibility.
- configure: error: C compiler cannot create executables
+ Simply use the trick of performing pointer arithmetic with the NULL
+ pointer: to convert an integer `i` to a pointer, simply take the
+ address of the `i`th element of a hypothetical character array
+ starting at address NULL. To convert back, simply cast the pointer
+ difference.
- For now, we no longer export variables previously exported here.
+ Thanks to Jay Satiro for the initial modification to use curl_socket_t
+ instead of int/long.
- On the other hand, AC_SUBST'ing them is appropriate and even with nested
- packages each package's config.status gets its own package values.
+ Closes #1617
- So we reinstate AC_SUBST'ing previously AC_SUBST'ed variables.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (21 Jan 2013)
-- FAQ: 3.22 curl -X gives me HTTP problems
+- [Ryan Winograd brought this change]
-Yang Tse (21 Jan 2013)
-- xc-cc-check.m4: avoid recursive package automake'ing breakage
+ unit1399: fix integer overflow
+
+ Bug: #1616
+ Closes #1633
-- xc-cc-check.m4: mark earlier variables that are to be exported
+- [Per Malmberg brought this change]
-- configure: autotools compatibility fixes - step I
+ cmake: Added compatibility options for older Windows versions
- Fix proper macro expansion order across autotools versions for
- C compiler and preprocessor program checks.
-
-Steve Holme (20 Jan 2013)
-- pop3.c: Fixed conditional compilation of the apop response function
+ CURL_STATIC_CRT and ENABLE_INET_PTON
- Extended the fix from commit 8b15c84ea91e to additionally exclude
- pop3_state_apop_resp() if the CURL_DISABLE_CRYPTO_AUTH flag is
- defined.
-
-Yang Tse (20 Jan 2013)
-- Makefile.inc: fix $(top_srcdir) not allowed in _SOURCES variables
+ Closes #1621
-Daniel Stenberg (19 Jan 2013)
-- formadd: reject trying to read a directory where a file is expected
+- unit1399: add logging to time comparison
- Bug: http://curl.haxx.se/mail/archive-2013-01/0017.html
- Reported by: Ulrich Doehner
-
-- curl_easy_send.3: document return codes
+ ... to enable tracking down why autobuilds fail on this
- Reported by: Craig Davison
- Bug: http://curl.haxx.se/mail/lib-2013-01/0234.html
+ Bug: #1616
-- curl_easy_recv.3: document return codes
+- make: build the docs subdir only from within src
- Reported by: Craig Davison
- Bug: http://curl.haxx.se/mail/lib-2013-01/0234.html
-
-Steve Holme (19 Jan 2013)
-- email: General code tidy up
+ ... and don't build at all in include
- Corrected some function argument definitions to maximize the 80
- character line length limit and be in keeping with the curl
- coding style.
+ Prompted-by-work-by: Simon Warta
+ Ref: #1590
+ Closes #1591
-- pop3.c: Fixed a problem with pop3s connections not connecting properly
+- [Max Dymond brought this change]
+
+ test1450: fix up DICT server in torture mode
- Fixed an issue where Curl_ssl_connect_nonblocking() wouldn't complete
- correctly and the ssldone flag wouldn't be set to true for pop3s based
- connections.
+ As per https://github.com/curl/curl/pull/1615, the DICT server is a
+ little spammy in torture mode due to the sockets being torn down
+ unexpectedly. Fix this by adding some error handling to the handling
+ function.
- Bug introduced in commit: 4ffb8a6398ed.
+ Closes #1629
-Daniel Stenberg (18 Jan 2013)
-- RELEASE-NOTES: add references to several bugfixes+changes
+- [Max Dymond brought this change]
-Steve Holme (18 Jan 2013)
-- RELEASE-NOTES: Added missing imap fix
+ test1450: add simple testing for DICT
- Added missing imap fix as per commit 709b3506cd9b.
-
-Yang Tse (18 Jan 2013)
-- runtests.pl: make VPATH builds find valgrind.supp
+ Add a new server which provides a DICT interface. This is intended to
+ begin coverage testing for lib/dict.c
+
+ Closes #1615
-Daniel Stenberg (18 Jan 2013)
-- RELEASE-NOTES: synced with c43127414d89
+- [Dan Fandrich brought this change]
-- always-multi: always use non-blocking internals
-
- Remove internal separated behavior of the easy vs multi intercace.
- curl_easy_perform() is now using the multi interface itself.
+ test1521: fix out-of-tree builds, broken with 467da3af
- Several minor multi interface quirks and bugs have been fixed in the
- process.
+ The test.h file is no longer in the same directory as the source file,
+ so that directory needs to be added to the include path.
- Much help with debugging this has been provided by: Yang Tse
+ Fixes #1627
+ Closes #1628
-Yang Tse (17 Jan 2013)
-- url.c: fix HTTP CONNECT tunnel establishment upon delayed response
+- [Max Dymond brought this change]
+
+ http2: handle PING frames
- Fixes initial proxy response being processed by the tunneled protocol
- handler instead of the HTTP wrapper handler. This issue would trigger
- upon delayed CONNECT response from the proxy.
+ Add a connection check function to HTTP2 based off RTSP. This causes
+ PINGs to be handled the next time the connection is reused.
- Additionally fixes a multi interface code-path in which connections
- would not time out properly.
+ Closes #1521
+
+- [Max Dymond brought this change]
+
+ handler: refactor connection checking
- This does not fix known bug #39.
+ Add a new type of callback to Curl_handler which performs checks on
+ the connection. Alter RTSP so that it uses this callback to do its
+ own check on connection health.
+
+- [Dmitry Kostjuchenko brought this change]
+
+ openssl: improve fallback seed of PRNG with a time based hash
- URL: http://curl.haxx.se/mail/lib-2013-01/0191.html
+ Fixes #1620
-Daniel Stenberg (16 Jan 2013)
-- [Yves Arrouye brought this change]
+- [Ryan Winograd brought this change]
- --libcurl: fix for non-zero default options
+ progress: prevent resetting t_starttransfer
+
+ Prevent `Curl_pgrsTime` from modifying `t_starttransfer` when invoked
+ with `TIMER_STARTTRANSFER` more than once during a single request.
- If the default value for an option taking a long as its value is non
- zero, and it is set by zero by a command line option, then that command
- line option is not reflected in --libcurl's output. This is because line
- 520-521 of tool_setopt.c look like:
+ When a redirect occurs, this is considered a new request and
+ `t_starttransfer` can be updated to reflect the `t_starttransfer` time
+ of the redirect request.
- if(!lval)
- skip = TRUE;
+ Closes #1616
- An example of a command-line option doing so is the -k option that sets
- CURLOPT_SLL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to 0L, when the
- defaults are non-zero.
+ Bug: https://github.com/curl/curl/pull/1602#issuecomment-310267370
-- FTP: reject illegal port numbers in EPSV 229 responses
+- curl_strequal.3: fix typo in SYNOPSIS
+
+ Reported-by: Jesse Chisholm
+
+ Fixes #1623
-Yang Tse (15 Jan 2013)
-- commit bc682cbd follow-up
+- RELEASE-NOTES: synced with ce2c3ebda
-- build: use per-target '_CPPFLAGS' for those currently using default
+Kamil Dudka (28 Jun 2017)
+- curl --socks5-{basic,gssapi}: control socks5 auth
- Automake documents that doing this will make it choose a different name
- for intermediate object files even when sharing source files across
- targets of same Makefile.am.
+ Closes https://github.com/curl/curl/pull/1454
+
+- CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth
- Up to automake 1.13.1 target's intermediate object files were placed
- in the build subdirectory of the target. We depended on this, probably
- undocumented behavior, to achieve same behavior as if a per-target flag
- had been specified when building targets that actually belong to
- different Makefile.am files.
+ If libcurl was built with GSS-API support, it unconditionally advertised
+ GSS-API authentication while connecting to a SOCKS5 proxy. This caused
+ problems in environments with improperly configured Kerberos: a stock
+ libcurl failed to connect, despite libcurl built without GSS-API
+ connected fine using username and password.
- It seems automake 1.13.2 is going to break behavior mentioned above.
+ This commit introduces the CURLOPT_SOCKS5_AUTH option to control the
+ allowed methods for SOCKS5 authentication at run time.
- So, lets use a documented behavior in order to achieve same purpose,
- across automake versions, no matter where automake wishes to place
- intermediate object files.
+ Note that a new option was preferred over reusing CURLOPT_PROXYAUTH
+ for compatibility reasons because the set of authentication methods
+ allowed by default was different for HTTP and SOCKS5 proxies.
- Our build targets that already were using a per-target '_CFLAGS' or
- '_CPPFLAGS' need no 'fixing', these were already 'fixed'. The only
- Makefile.am or Makefile.in files in libcurl's source tree touched by
- this 'fix' are tests/libtest/Makefile.inc and tests/unit/Makefile.inc.
-
-- tests/libtest/Makefile.inc: sort build targets
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html
+ Closes https://github.com/curl/curl/pull/1454
-- tests/Makefile.am: remove wildcard usage in EXTRA_DIST
+- socks: deduplicate the code for auth request
-Kamil Dudka (15 Jan 2013)
-- nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
+- socks: use proxy_user instead of proxy_name
- Do not use the error messages from NSS for errors not occurring in NSS.
+ ... to make it obvious what the data is used for
-Steve Holme (14 Jan 2013)
-- TODO: Updated following IMAP SASL additions
-
-Yang Tse (14 Jan 2013)
-- configure: fix automake 1.13 compatibility
+Daniel Stenberg (27 Jun 2017)
+- libtest/make: generate lib1521.c
- Tested with:
+ ... instead of having the generated code checked in. This saves space in
+ the tarball but primarily automatically adapts to newly added options.
- buildconf: autoconf version 2.69
- buildconf: autom4te version 2.69
- buildconf: autoheader version 2.69
- buildconf: automake version 1.13.1
- buildconf: aclocal version 1.13.1
- buildconf: libtool version 2.4
- buildconf: GNU m4 version 1.4.16
+ Closes #1614
-Daniel Stenberg (13 Jan 2013)
-- BUGS: update bug tracker URL
+Jay Satiro (26 Jun 2017)
+- tool_getparam: fix memory leak on test 1147 OOM (torture tests)
- ... and refresh number of lines of code
+ Bug: https://github.com/curl/curl/pull/1486#issuecomment-310926872
+ Reported-by: Dan Fandrich
-- Curl_resolver_getsock: fix the function description comment
-
- It referred to it by the wrong name and said it returned the wrong value.
-
- Reported by: Gisle Vanem
+Dan Fandrich (25 Jun 2017)
+- test1537: fixed memory leak on OOM
-Kamil Dudka (11 Jan 2013)
-- nss: clear session cache if a client cert from file is used
-
- This commit fixes a regression introduced in 052a08ff.
+Marcel Raad (25 Jun 2017)
+- test1521: fix compiler warnings
- NSS caches certs/keys returned by the SSL_GetClientAuthDataHook callback
- and if we connect second time to the same server, the cached cert/key
- pair is used. If we use multiple client certificates for different
- paths on the same server, we need to clear the session cache to force
- NSS to call the hook again. The commit 052a08ff prevented the session
- cache from being cleared if a client certificate from file was used.
+ The integer literal 3123123123 doesn't fit into a 32-bit signed
+ integer, so GCC with 32-bit long warns in C90 mode:
+ this decimal constant is unsigned only in ISO C90 [enabled by default]
+ Fix this by using ULONG_MAX, which should fit in any curl_off_t and has
+ the correct suffix to not issue any warnings.
+ Also adds the missing CURLOPT_REQUEST_TARGET from commit
+ 9b167fd090f596eac828817d48c247eeae53407f.
- The condition is now fixed to cover both cases: consssl->client_nickname
- is not NULL if a client certificate from the NSS database is used and
- connssl->obj_clicert is not NULL if a client certificate from file is
- used.
-
- Review by: Kai Engert
+ Closes https://github.com/curl/curl/pull/1611
-Yang Tse (11 Jan 2013)
-- sockfilt.c: log file descriptor number on read/write error
+Daniel Stenberg (24 Jun 2017)
+- curl/system.h: add check for XTENSA for 32bit gcc
+
+ Reported-by: Neil Kolban
+ Fixes: 1598
-- [Gisle Vanem brought this change]
+- [Henrik S. Gaßmann brought this change]
- packages/DOS/common.dj: remove COFF debug info generation
-
- gcc on DOS hasn't really supported COFF-debug (-gcoff) on djgpp for a
- long time.
+ winbuild: fix boringssl build
- "Sounds like the COFF debug info generation has bit-rotted in GCC.
- Nothing new here, no other platform uses COFF AFAIK."
+ Compile with `WIN32_LEAN_AND_MEAN` which prevents `windows.h` from
+ including too much clutter including `wincrypt.h` which in turn contains
+ some preprocessor macros that clash with boringssl symbols.
- So lets drop it too.
+ Detect boringssl by checking the existance of `is_boringssl.h` and set
+ the corresponding `HAVE_BORINGSSL` for compilation which is used in
+ `ldap.c` to undefine the evil macros.
- URL: http://curl.haxx.se/mail/lib-2013-01/0130.html
+ Closes #1610
-- curl: ignore SIGPIPE - compilation fix - follow-up
+- progress: progress.timespent needs to be us
+
+ follow-up to 64ed44a815e4e to fix test 500 failures
-- test servers: handle W32/W64 SIGBREAK with exit_signal_handler
+Marcel Raad (24 Jun 2017)
+- curl-compilers.m4: fix unknown-warning-option on Apple clang
+
+ Since 5598b0bd63f690c151074494ce47ef872f004ab4, clang -v is used to
+ detect the clang version. The version number was expected to come after
+ the word "version". For Apple clang, this doesn't work as it has its
+ own versioning scheme.
+ The version number is now first searched after the string
+ "based on LLVM". This works for Apple clang before version 7, and also
+ for e.g. Ubuntu's clang up to version 3.7. If it's not found and the
+ version string contains "Apple LLVM version", clang version 3.7 is
+ assumed, which is the version that comes with Xcode 7. Otherwise, the
+ version number is still expected after the word "version", which works
+ for very old Apple clang versions.
+
+ Ref: https://trac.macports.org/wiki/XcodeVersionInfo
+ Fixes https://github.com/curl/curl/issues/1606
+ Closes https://github.com/curl/curl/pull/1607
-- test servers: fix errno, ERRNO and SOCKERRNO usage for W32/W64
+Daniel Stenberg (24 Jun 2017)
+- progress: fix "time spent", broke in adef394ac
-- sockfilt.c: fix some W64 compiler warnings
+- CURLINFO_REDIRECT_URL.3: mention the CURLOPT_MAXREDIRS case
+
+ ... supported since 7.54.1
-Daniel Stenberg (9 Jan 2013)
-- [Nick Zitzmann brought this change]
+- maketgz: switch to -6e for xz
+
+ To reduce the memory requirement for decompress, and still do almost as
+ good compression as with -9e.
+
+ Pointed-out-by: Dan Fandrich
- docs: the --with-darwinssl option is available on Apple OSes
+- libtest/Makefile: remove unused lib1541 variables
-Yang Tse (9 Jan 2013)
-- curl: ignore SIGPIPE - compilation fix
+- CONTRIBUTE.md: mention the out-of-tree build test too
-- build: fix circular header inclusion with other packages
+- maketgz: switch to xz instead of lzma
+
+ The compressed output size seems to be a tad bit smaller, but generally
+ xz seems more preferred these days and is used directly by for example
+ gentoo instead of bz2.
- This commit renames lib/setup.h to lib/curl_setup.h and
- renames lib/setup_once.h to lib/curl_setup_once.h.
+ "Users of LZMA Utils should move to XZ Utils" =>
+ https://tukaani.org/lzma/
- Removes the need and usage of a header inclusion guard foreign
- to libcurl. [1]
+ Closes #1604
+
+- --request-target: instead of --strip-path-slash
- Removes the need and presence of an alarming notice we carried
- in old setup_once.h [2]
+ ... and CURLOPT_REQUEST_TARGET instead of CURLOPT_STRIP_PATH_SLASH.
- ----------------------------------------
+ This option instead provides the full "alternative" target to use in the
+ request, instead of extracting the path from the URL.
- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard
- up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H,
- this single inclusion guard is enough to ensure that inclusion of
- lib/setup_once.h done from lib/setup.h is only done once.
+ Test 1298 and 1299 updated accordingly.
- Additionally lib/setup.h has always used __SETUP_ONCE_H macro to
- protect inclusion of setup_once.h even after commit ec691ca3, this
- was to avoid a circular header inclusion triggered when building a
- c-ares enabled version with c-ares sources available which also has
- a setup_once.h header. Commit ec691ca3 exposes the real nature of
- __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard
- foreign to libcurl belonging to c-ares's setup_once.h
+ Idea-by: Evert Pot
+ Suggestion: https://daniel.haxx.se/blog/2017/06/19/options-with-curl/comment-page-1/#comment-18373
- The renaming this commit does, fixes the circular header inclusion,
- and as such removes the need and usage of a header inclusion guard
- foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl.
+ Closes #1593
+
+Marcel Raad (21 Jun 2017)
+- lib1521: fix missing-variable-declarations clang warnings
- 2 - Due to the circular interdependency of old lib/setup_once.h and the
- c-ares setup_once.h header, old file lib/setup_once.h has carried
- back from 2006 up to now days an alarming and prominent notice about
- the need of keeping libcurl's and c-ares's setup_once.h in sync.
+ Declare TU-local variables static.
+
+- travis: enable typecheck-gcc warnings
- Given that this commit fixes the circular interdependency, the need
- and presence of mentioned notice is removed.
+ - switch debug and release configurations so that we get an optimized
+ build with GCC 4.3+ as required by typecheck-gcc
+ - enable warnings-as-errors for release builds
+ (which have warnings disabled)
- All mentioned interdependencies come back from now old days when
- the c-ares project lived inside a curl subdirectory. This commit
- removes last traces of such fact.
+ Closes https://github.com/curl/curl/pull/1595
-Daniel Stenberg (8 Jan 2013)
-- curl: ignore SIGPIPE
+- typecheck-gcc: add support for CURLINFO_OFF_T
- This is a work-around for bug #1180 which is really libcurl's inability
- to ignore SIGPIPE in a few cases. With this work-around at least curl
- won't suffer from it!
+ typecheck-gcc expected curl_socket_t instead of curl_off_t arguments
+ for CURLINFO_OFF_T. Detected by test1521, unfortunately only when run
+ locally.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1180
- Reported by: Lluís Batlle i Rossell
+ Closes https://github.com/curl/curl/pull/1592
-Yang Tse (8 Jan 2013)
-- sockfilt.c: fix some compiler warnings
+Daniel Stenberg (21 Jun 2017)
+- [Simon Warta brought this change]
-Daniel Stenberg (8 Jan 2013)
-- Revert "configure: update req to 2.59"
-
- This reverts commit 7a6d8b1b1a8fcc184c36d6b6e741e32250b4bacb.
+ ci: whitelist branches to avoid testing feature branches twice
+
+- [Gisle Vanem brought this change]
+
+ lib: fix the djgpp build
- URL: http://curl.haxx.se/mail/lib-2013-01/0103.html
+ Bug: https://github.com/curl/curl/commit/73a2fcea0b4adea6ba342cd7ed1149782c214ae3#commitcomment-22655993
-Steve Holme (8 Jan 2013)
-- pop3: Added support for non-blocking SSL upgrade
+Marcel Raad (20 Jun 2017)
+- if2ip: fix compiler warning in ISO C90 mode
- Added support for asynchronous SSL upgrade when using the
- multi-interface.
+ remote_scope_id is only used when both HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID
+ and ENABLE_IPV6 are defined instead of only one of them.
+
+Daniel Stenberg (20 Jun 2017)
+- travis: do the distcheck test build out-of-tree as well
-Daniel Stenberg (8 Jan 2013)
-- configure: update req to 2.59
+- http: add --strip-path-slash and CURLOPT_STRIP_PATH_SLASH
- I ran the 2.59 version of autoupdate that updates obsoleted configure.ac
- constructs to the 2.59 standard. With a little hands-on fiddling I
- prevented it from ruining the quoting in AS_HELP_STRING() uses.
+ ... to enable sending "OPTIONS *" which wasn't possible previously.
- I subsequently also bumped the required autoconf version to 2.59
- (released in December 2003) as I don't have an older autoconf version
- around to test with and I can't be bothered to install one either...
+ This option currently only works for HTTP.
- Inspired by: Björn Stenberg
- Related blog post: http://cazfi.livejournal.com/195108.html
-
-Steve Holme (7 Jan 2013)
-- imap.c: Small tidy up to add missing comment
-
-- imap: Added support for sasl digest-md5 authentication
-
-- imap: Added support for sasl cram-md5 authentication
-
-Marc Hoersken (7 Jan 2013)
-- tests/server/sockfilt.c: Fixed integer comparison warning
+ Added test cases 1298 + 1299 to verify
+
+ Fixes #1280
+ Closes #1462
-- tests/server/sockfilt.c: Include required Win32 headers
+- test1521: test getinfo's OFF_T types too
+
+ Closes #1588
-Steve Holme (7 Jan 2013)
-- imap: Added support for sasl ntlm authentication
+- lib1521: add curl_easy_getinfo calls to the test set
+
+ Also added return value checks to make sure no unexpected return codes
+ are used.
-- imap: Added support for sasl login authentication
+- [Simon Warta brought this change]
-- pop3.c: Fixed default authentication detection
+ automake: use $(MKHELP) variable instead if constant mkhelp.pl
- Fixed an issue where a server may positively respond to the CAPA command
- but not list clear text as a valid authentication type.
-
-- curl_sasl.c: Small code tidy up following imap changes
+ this improves symmetry with the rule above
-- smtp.c: Small code tidy up following imap changes
+- [Simon Warta brought this change]
-- pop3.c: Small code tidy up following imap changes
+ mkhelp.pl: fix script name in usage text
-- imap: Added support for sasl plain text authentication
+- RELEASE-NOTES: synced with 3b80d3ca4
-Marc Hoersken (6 Jan 2013)
-- tests/server/sockfilt.c: Fixed support for listening sockets
+- getinfo: return sizes as curl_off_t
- This commit fixes support for sockets that are ready to accept
- a new connection and have previously been put into listening mode.
+ This change introduces new alternatives for the existing six
+ curl_easy_getinfo() options that return sizes or speeds as doubles. The
+ new versions are named like the old ones but with an appended '_T':
- It also includes changes which are the result of investigation
- regarding Windows STDIN. These changes are the preparation for further
- improvements regarding support for reading data from STDIN on Windows.
+ CURLINFO_CONTENT_LENGTH_DOWNLOAD_T
+ CURLINFO_CONTENT_LENGTH_UPLOAD_T
+ CURLINFO_SIZE_DOWNLOAD_T
+ CURLINFO_SIZE_UPLOAD_T
+ CURLINFO_SPEED_DOWNLOAD_T
+ CURLINFO_SPEED_UPLOAD_T
- Open issue: WaitForMultipleObjectsEx does not support PIPE handles
- which are returned by GetStdHandle while running without a GUI.
+ Closes #1511
-- tests/server/sockfilt.c: Set Windows Console to binary mode
+- PIPELINING_SERVER_BL: cleanup the internal list use
+
+ The list was freed incorrectly since the llist refactor of
+ cbae73e1dd959. Added test 1550 to verify that it works and avoid future
+ regressions.
+
+ Reported-by: Pascal Terjan
+
+ Fixes #1584
+ Closes #1585
-- tests/server/sockfilt.c: Improved log error messages
+- http2: fix OOM crash
- Include error code and parameters in error messages.
+ torture mode with test 1021 found it
-Steve Holme (6 Jan 2013)
-- imap: Introduced the continue response in imap_endofresp()
+- CURLOPT_PREQUOTE.3: spellfix man page reference
-- imap: Added support for SASL based authentication mechanism detection
+Marcel Raad (18 Jun 2017)
+- http_proxy: fix build with http and proxy
- Added support for detecting the supported SASL authentication mechanisms
- via the CAPABILITY command.
+ After deff7de0eb0e22d2d142b96b9cc84cd8db5d2a48, the build without
+ CURL_DISABLE_PROXY and CURL_DISABLE_HTTP was failing because of missing
+ includes.
-Yang Tse (6 Jan 2013)
-- Revert changes relative to lib/*.[ch] recent renaming
-
- This reverts renaming and usage of lib/*.h header files done
- 28-12-2012, reverting 2 commits:
+- http_proxy: fix compiler warning
- f871de0... build: make use of 76 lib/*.h renamed files
- ffd8e12... build: rename 76 lib/*.h files
+ With CURL_DISABLE_PROXY or CURL_DISABLE_HTTP, GCC complained about a
+ missing prototype for Curl_connect_free.
+
+Daniel Stenberg (18 Jun 2017)
+- TODO: update the TOC too
+
+- TODO: implement support for CURLOPT_PREQUOTE with SFTP
- This also reverts removal of redundant include guard (redundant thanks
- to changes in above commits) done 2-12-2013, reverting 1 commit:
+ ... also updated the CURLOPT_PREQUOTE.3 man page to mention the correct
+ protocol support.
- c087374... curl_setup.h: remove redundant include guard
+ Closes #1514
+
+- tool_wrte_cb: remove check for config == NULL
- This also reverts renaming and usage of lib/*.c source files done
- 3-12-2013, reverting 3 commits:
+ ... as it really cannot have reached this far with config being NULL,
+ thus this is unnecesary and misleading.
- 13606bb... build: make use of 93 lib/*.c renamed files
- 5b6e792... build: rename 93 lib/*.c files
- 7d83dff... build: commit 13606bbfde follow-up 1
+ Bug: https://news.ycombinator.com/item?id=14577585 and
+ https://daniel.haxx.se/blog/2017/06/17/curl-doesnt-spew-binary-anymore/comment-page-1/#comment-18356
- Start of related discussion thread:
+ Forwarded-to-us-by: Jakub Wilk
+
+- curl: prevent binary output spewed to terminal
- http://curl.haxx.se/mail/lib-2013-01/0012.html
+ ... unless "--output -" is used. Binary detection is done by simply
+ checking for a binary zero in early data.
- Asking for confirmation on pushing this revertion commit:
+ Added test 1425 1426 to verify.
- http://curl.haxx.se/mail/lib-2013-01/0048.html
+ Closes #1512
+
+Marcel Raad (16 Jun 2017)
+- Makefile.m32: enable -W for MinGW32 build
- Confirmation summary:
+ The configure-based build also has this in addition to -Wall.
- http://curl.haxx.se/mail/lib-2013-01/0079.html
+ Closes https://github.com/curl/curl/pull/1578
+
+- curl-compilers.m4: enable comma clang warning
- NOTICE: The list of 2 files that have been modified by other
- intermixed commits, while renamed, and also by at least one
- of the 6 commits this one reverts follows below. These 2 files
- will exhibit a hole in history unless git's '--follow' option
- is used when viewing logs.
+ It usually warns when using commas instead of semicolons or other
+ operators by accident.
- lib/curl_imap.h
- lib/curl_smtp.h
+ Closes https://github.com/curl/curl/pull/1578
-Daniel Stenberg (6 Jan 2013)
-- mk-ca-bundle.1: convert syntax to what's used elsewhere
+- curl-compilers.m4: enable missing-variable-declarations clang warning
- ... mostly to make sure roffit works better on it, but also to make our
- man pages use a more unified style.
-
-- mk-ca-bundle.1: mention new -f, fix outputfile output
+ It usually warns when forgetting to declare TU-local variables static.
- also edited a few sentences to become more verbose
+ Closes https://github.com/curl/curl/pull/1578
-- mk-ca-bundle: add -f, support passing to stdout and more
+- curl-compilers.m4: enable double-promotion warning
- 1. When the downloaded data file from Mozilla is current, but the output
- bundle does not exist: continue processing to create the bundle. The
- goal is to have the output file - not just download the latest input.
+ Enable -Wdouble-promotion for both GCC and clang. It warns on implicit
+ promotion from float to double.
- 2. added -f option to force re-processing the file. Useful for
- debugging/testing the process.
+ Closes https://github.com/curl/curl/pull/1578
+
+- curl-compilers.m4: enable vla warning for clang
- 3. added support for output to '-' (stdout), allowing the output to be
- piped.
+ Previously, that warning was only implicitly active in C90 mode.
+ Enable it unconditionally as already done for GCC.
- 4. All progress and error messages go to STDERR rather than STDOUT (3)
+ Closes https://github.com/curl/curl/pull/1578
+
+Daniel Stenberg (16 Jun 2017)
+- http-proxy: fix chunked-encoded CONNECT responses
- 5. The script opened and closed the output file many times
- unnecessarily. It now opens it once, does the output and closes it.
+ Regression since 5113ad0424.
- 6. Backup of the input files happens after successful processing, not
- before.
+ ... and remove 'flaky' from test 1061 again
- 7. The output is written to a temporary file, and renamed to the
- requested name after backup - this greatly reduces the window where the
- file can be seen partially written.
+ Closes #1579
+
+- http-proxy: deal with EAGAIN
- 8. all die calls have a \n at the end to suppress perl's traceback - the
- traceback isn't useful to end users.
+ ... the previous code would reset the header length wrongly (since
+ 5113ad0424). This makes test 1060 reliable again.
- Patch: http://curl.haxx.se/mail/lib-2013-01/0045.html
+ Also: make sws send even smaller chunks of data to increase the
+ likeliness of this happening.
-Yang Tse (5 Jan 2013)
-- imap test server: fix typo in name of SELECT_imap() sub definition
-
- IMAP test server breaking typo introduced with commit b708a522a1
+- libtest/libntlmconnect: fix compiler warnings from f94fcdb
-Steve Holme (4 Jan 2013)
-- imap test server: Added support for the CAPABILITY command
-
- Added support for the CAPABILITY command in preparation of upcoming
- changes.
-
-Daniel Stenberg (3 Jan 2013)
-- writeout: -w now supports remote_ip/port and local_ip/port
-
- Added mention to the curl.1 man page.
-
- Test case 1223 verifies remote_ip/port.
-
-Yang Tse (3 Jan 2013)
-- test 1222: 8 chars object name generation && test 1221: adjustments
-
-Daniel Stenberg (3 Jan 2013)
-- INTERNALS: remove "footnote" never used
-
-Yang Tse (3 Jan 2013)
-- build: commit 13606bbfde follow-up 1
-
-Daniel Stenberg (3 Jan 2013)
-- FAQ: Can I write a server with libcurl?
-
-Yang Tse (3 Jan 2013)
-- build: rename 93 lib/*.c files
-
- 93 lib/*.c source files renamed to use our standard naming scheme.
-
- This commit only does the file renaming.
-
- ----------------------------------------
-
- renamed: lib/amigaos.c -> lib/curl_amigaos.c
- renamed: lib/asyn-ares.c -> lib/curl_asyn_ares.c
- renamed: lib/asyn-thread.c -> lib/curl_asyn_thread.c
- renamed: lib/axtls.c -> lib/curl_axtls.c
- renamed: lib/base64.c -> lib/curl_base64.c
- renamed: lib/bundles.c -> lib/curl_bundles.c
- renamed: lib/conncache.c -> lib/curl_conncache.c
- renamed: lib/connect.c -> lib/curl_connect.c
- renamed: lib/content_encoding.c -> lib/curl_content_encoding.c
- renamed: lib/cookie.c -> lib/curl_cookie.c
- renamed: lib/cyassl.c -> lib/curl_cyassl.c
- renamed: lib/dict.c -> lib/curl_dict.c
- renamed: lib/easy.c -> lib/curl_easy.c
- renamed: lib/escape.c -> lib/curl_escape.c
- renamed: lib/file.c -> lib/curl_file.c
- renamed: lib/fileinfo.c -> lib/curl_fileinfo.c
- renamed: lib/formdata.c -> lib/curl_formdata.c
- renamed: lib/ftp.c -> lib/curl_ftp.c
- renamed: lib/ftplistparser.c -> lib/curl_ftplistparser.c
- renamed: lib/getenv.c -> lib/curl_getenv.c
- renamed: lib/getinfo.c -> lib/curl_getinfo.c
- renamed: lib/gopher.c -> lib/curl_gopher.c
- renamed: lib/gtls.c -> lib/curl_gtls.c
- renamed: lib/hash.c -> lib/curl_hash.c
- renamed: lib/hmac.c -> lib/curl_hmac.c
- renamed: lib/hostasyn.c -> lib/curl_hostasyn.c
- renamed: lib/hostcheck.c -> lib/curl_hostcheck.c
- renamed: lib/hostip.c -> lib/curl_hostip.c
- renamed: lib/hostip4.c -> lib/curl_hostip4.c
- renamed: lib/hostip6.c -> lib/curl_hostip6.c
- renamed: lib/hostsyn.c -> lib/curl_hostsyn.c
- renamed: lib/http.c -> lib/curl_http.c
- renamed: lib/http_chunks.c -> lib/curl_http_chunks.c
- renamed: lib/http_digest.c -> lib/curl_http_digest.c
- renamed: lib/http_negotiate.c -> lib/curl_http_negotiate.c
- renamed: lib/http_negotiate_sspi.c -> lib/curl_http_negotiate_sspi.c
- renamed: lib/http_proxy.c -> lib/curl_http_proxy.c
- renamed: lib/idn_win32.c -> lib/curl_idn_win32.c
- renamed: lib/if2ip.c -> lib/curl_if2ip.c
- renamed: lib/imap.c -> lib/curl_imap.c
- renamed: lib/inet_ntop.c -> lib/curl_inet_ntop.c
- renamed: lib/inet_pton.c -> lib/curl_inet_pton.c
- renamed: lib/krb4.c -> lib/curl_krb4.c
- renamed: lib/krb5.c -> lib/curl_krb5.c
- renamed: lib/ldap.c -> lib/curl_ldap.c
- renamed: lib/llist.c -> lib/curl_llist.c
- renamed: lib/md4.c -> lib/curl_md4.c
- renamed: lib/md5.c -> lib/curl_md5.c
- renamed: lib/memdebug.c -> lib/curl_memdebug.c
- renamed: lib/mprintf.c -> lib/curl_mprintf.c
- renamed: lib/multi.c -> lib/curl_multi.c
- renamed: lib/netrc.c -> lib/curl_netrc.c
- renamed: lib/non-ascii.c -> lib/curl_non_ascii.c
- renamed: lib/curl_non-ascii.h -> lib/curl_non_ascii.h
- renamed: lib/nonblock.c -> lib/curl_nonblock.c
- renamed: lib/nss.c -> lib/curl_nss.c
- renamed: lib/nwlib.c -> lib/curl_nwlib.c
- renamed: lib/nwos.c -> lib/curl_nwos.c
- renamed: lib/openldap.c -> lib/curl_openldap.c
- renamed: lib/parsedate.c -> lib/curl_parsedate.c
- renamed: lib/pingpong.c -> lib/curl_pingpong.c
- renamed: lib/polarssl.c -> lib/curl_polarssl.c
- renamed: lib/pop3.c -> lib/curl_pop3.c
- renamed: lib/progress.c -> lib/curl_progress.c
- renamed: lib/qssl.c -> lib/curl_qssl.c
- renamed: lib/rawstr.c -> lib/curl_rawstr.c
- renamed: lib/rtsp.c -> lib/curl_rtsp.c
- renamed: lib/security.c -> lib/curl_security.c
- renamed: lib/select.c -> lib/curl_select.c
- renamed: lib/sendf.c -> lib/curl_sendf.c
- renamed: lib/share.c -> lib/curl_share.c
- renamed: lib/slist.c -> lib/curl_slist.c
- renamed: lib/smtp.c -> lib/curl_smtp.c
- renamed: lib/socks.c -> lib/curl_socks.c
- renamed: lib/socks_gssapi.c -> lib/curl_socks_gssapi.c
- renamed: lib/socks_sspi.c -> lib/curl_socks_sspi.c
- renamed: lib/speedcheck.c -> lib/curl_speedcheck.c
- renamed: lib/splay.c -> lib/curl_splay.c
- renamed: lib/ssh.c -> lib/curl_ssh.c
- renamed: lib/sslgen.c -> lib/curl_sslgen.c
- renamed: lib/ssluse.c -> lib/curl_ssluse.c
- renamed: lib/strdup.c -> lib/curl_strdup.c
- renamed: lib/strequal.c -> lib/curl_strequal.c
- renamed: lib/strerror.c -> lib/curl_strerror.c
- renamed: lib/strtok.c -> lib/curl_strtok.c
- renamed: lib/strtoofft.c -> lib/curl_strtoofft.c
- renamed: lib/telnet.c -> lib/curl_telnet.c
- renamed: lib/tftp.c -> lib/curl_tftp.c
- renamed: lib/timeval.c -> lib/curl_timeval.c
- renamed: lib/transfer.c -> lib/curl_transfer.c
- renamed: lib/url.c -> lib/curl_url.c
- renamed: lib/version.c -> lib/curl_version.c
- renamed: lib/warnless.c -> lib/curl_warnless.c
- renamed: lib/wildcard.c -> lib/curl_wildcard.c
-
- ----------------------------------------
-
-- build: make use of 93 lib/*.c renamed files
-
- 93 *.c source files renamed to use our standard naming scheme.
-
- This change affects 77 files in libcurl's source tree.
-
-Daniel Stenberg (3 Jan 2013)
-- INSTALL: unify the SSL library texts
-
- Make them smaller and more similar for each separate SSL library
- supported by the configure build
-
-Yang Tse (2 Jan 2013)
-- curl_setup.h: remove redundant include guard
-
-- build and tests: curl_10char_object_name() shell function
-
- lib/objnames.inc provides definition of curl_10char_object_name() shell
- function. The intended purpose of this function is to transliterate a
- (*.c) source file name that may be longer than 10 characters, or not,
- into a string with at most 10 characters which may be used as an OS/400
- object name.
-
- Test case 1221 does unit testng of this function and also verifies
- that it is possible to generate distinct short object names for all
- curl and libcurl *.c source file names.
-
- lib/objnames-test.sh is the shell script used for test case 1221.
-
- tests/runtests.pl modified to accept shell script test cases.
-
- More details inside lib/objnames.inc and lib/objnames-test.sh
+- [Jay Satiro brought this change]
-- configure.ac: replace AM_CONFIG_HEADER with AC_CONFIG_HEADERS
+ HTTPS-Proxy: don't offer h2 for https proxy connections
- automake 1.13 errors if AM_CONFIG_HEADER is used in configure script.
- automake 1.13 no longer autoupdates AM_CONFIG_HEADER to
- AC_CONFIG_HEADERS, thing which automake has been doing since automake
- version 1.7
+ Bug: https://github.com/curl/curl/issues/1254
+
+ Closes #1546
+
+- tests: stabilize test 2032 and 2033
- Given that our first automake supported version is automake 1.7,
- simply replacing AM_CONFIG_HEADER usage with AC_CONFIG_HEADERS seems
- enough to yet support same automake versions.
+ Both these tests run the same underlying test code: libntlmconnect.c -
+ this test code made some assumptions about socket ordering when it used
+ curl_easy_fdset() and when we changed timing or got accidental changes
+ in libcurl the tests would fail.
- Dave Reisner reported issue with 1.13 and provided patch.
+ The tests verify that the different transfers keep using the same
+ connections, which I now instead made sure by adding the number of bytes
+ each transfer gets and then verifies that they always get the same
+ amount as when these tests worked.
- http://curl.haxx.se/mail/lib-2012-12/0246.html
+ Closes #1576
-- curl-override.m4: provide AC_CONFIG_MACRO_DIR definition conditionally
+- test1148: verify the -# progressbar
- Provide a 'traceable' AC_CONFIG_MACRO_DIR definition only when using
- an autoconf version that does not provide it, instead of what we were
- doing up to now of providing and overriding AC_CONFIG_MACRO_DIR for
- all autoconf versions.
+ Closes #1569
-Steve Holme (30 Dec 2012)
-- imap.c: Minor follow up tidy up
+- test1061: mark as flaky
+
+ Fails intermittently on travis builds since a few days. Likely due to
+ 5113ad0424.
-- imap: Code tidy up prior to adding support for the CAPABILITY command
+Jay Satiro (16 Jun 2017)
+- url: refactor the check for Windows drive letter in path
- * Changing the order of the state machine to represent the order in
- which commands are sent to the server.
+ - Move the logic to detect a Windows drive letter prefix
+ (eg c: in c:foo) into a function-like macro.
- * Reworking the imap_endofresp() function as the FETCH response doesn't
- include the command id and shouldn't be part of the length comparison
- that takes into account the id string.
+ Closes https://github.com/curl/curl/pull/1571
-- pop3_doing: Applied debug info message when function fails
+- mk-ca-bundle.pl: Check curl's exit code after certdata download
- Applied the same debug message as used in smtp_doing() and imap_doing()
- when pop3_multi_statemach() fails.
-
-- imap_doing: don't call imap_dophase_done() if already failed
+ - No longer allow partial downloads of certdata.
- Applied the POP3 fix from commit 2897ce7dc2e1 so imap_dophase_done()
- isn't called if imap_multi_statemach() fails.
-
-- smtp_doing: don't call smtp_dophase_done() if already failed
+ Prior to this change partial downloads were (erroneously?) allowed since
+ only the server code was checked to be 200.
- Applied the POP3 fix from commit 2897ce7dc2e1 so smtp_dophase_done()
- isn't called if smtp_multi_statemach() fails.
+ Bug: https://github.com/curl/curl/pull/1577
+ Reported-by: Matteo B.
-Yang Tse (29 Dec 2012)
-- examples/certinfo.c: fix compiler warning
+Daniel Stenberg (16 Jun 2017)
+- dist: add the fuzz dir to the tarball
-Steve Holme (29 Dec 2012)
-- pop3.c: Removed unnecessary POP3_STOP state changes
-
- Removed unnecessary state changes in pop3_state_starttls_resp()
- following previous fix in IMAP module.
+- configure: disable nghttp2 too if HTTP has been disabled
-- smtp.c: Added extra comments around SMTP_STOP state change
+- http-proxy: fix build with --disable-proxy or --disable-http
- Provided extra comments in the SMTP module following previous IMAP fix.
+ Reported-by: Dan Fandrich
-- imap.c: Fixed bad state error when logging in with invalid credentials
+- fuzz/README: document how to build
- Fixed a problem with the state machine when attempting to log in with
- invalid credentials. The server would report login failure but libcurl
- would not read the response due to inappropriate IMAP_STOP states being
- set after the login was sent.
+ Fixes #1476
-Yang Tse (29 Dec 2012)
-- imap.c: remove trailing whitespace
+- [Frederik B brought this change]
-Steve Holme (28 Dec 2012)
-- imap.c: Code tidy up - Part 2
-
-- imap.c: Code tidy up - Part 1
-
- Applied some of the comment and layout changes that had already been
- applied to the pop3 and smtp code over the last 6 to 9 months.
-
- This is in preparation of adding SASL based authentication.
-
-- pop3.c: Minor code tidy up
-
- Minor tidy up of comments and layout prior to next part of imap work.
-
-- smtp: Minor code tidy up
-
- Minor tidy up of comments and layout prior to next part of imap work.
-
-- curl_imap.h: Tidy up of comments to be more readable
-
-- imap.c: Code tidy up renaming imapsendf() to imap_sendf()
-
- Renamed imapsendf() to imap_sendf() to be more in keeping with the
- other imap functions as well as Curl_pp_sendf() that it replaces.
-
-Yang Tse (28 Dec 2012)
-- build: rename 76 lib/*.h files
-
- 76 private header files renamed to use our standard naming scheme.
-
- This commit only does the file renaming.
-
- ----------------------------------------
-
- renamed: amigaos.h -> curl_amigaos.h
- renamed: arpa_telnet.h -> curl_arpa_telnet.h
- renamed: asyn.h -> curl_asyn.h
- renamed: axtls.h -> curl_axtls.h
- renamed: bundles.h -> curl_bundles.h
- renamed: conncache.h -> curl_conncache.h
- renamed: connect.h -> curl_connect.h
- renamed: content_encoding.h -> curl_content_encoding.h
- renamed: cookie.h -> curl_cookie.h
- renamed: cyassl.h -> curl_cyassl.h
- renamed: dict.h -> curl_dict.h
- renamed: easyif.h -> curl_easyif.h
- renamed: escape.h -> curl_escape.h
- renamed: file.h -> curl_file.h
- renamed: fileinfo.h -> curl_fileinfo.h
- renamed: formdata.h -> curl_formdata.h
- renamed: ftp.h -> curl_ftp.h
- renamed: ftplistparser.h -> curl_ftplistparser.h
- renamed: getinfo.h -> curl_getinfo.h
- renamed: gopher.h -> curl_gopher.h
- renamed: gtls.h -> curl_gtls.h
- renamed: hash.h -> curl_hash.h
- renamed: hostcheck.h -> curl_hostcheck.h
- renamed: hostip.h -> curl_hostip.h
- renamed: http.h -> curl_http.h
- renamed: http_chunks.h -> curl_http_chunks.h
- renamed: http_digest.h -> curl_http_digest.h
- renamed: http_negotiate.h -> curl_http_negotiate.h
- renamed: http_proxy.h -> curl_http_proxy.h
- renamed: if2ip.h -> curl_if2ip.h
- renamed: imap.h -> curl_imap.h
- renamed: inet_ntop.h -> curl_inet_ntop.h
- renamed: inet_pton.h -> curl_inet_pton.h
- renamed: krb4.h -> curl_krb4.h
- renamed: llist.h -> curl_llist.h
- renamed: memdebug.h -> curl_memdebug.h
- renamed: multiif.h -> curl_multiif.h
- renamed: netrc.h -> curl_netrc.h
- renamed: non-ascii.h -> curl_non-ascii.h
- renamed: nonblock.h -> curl_nonblock.h
- renamed: nssg.h -> curl_nssg.h
- renamed: parsedate.h -> curl_parsedate.h
- renamed: pingpong.h -> curl_pingpong.h
- renamed: polarssl.h -> curl_polarssl.h
- renamed: pop3.h -> curl_pop3.h
- renamed: progress.h -> curl_progress.h
- renamed: qssl.h -> curl_qssl.h
- renamed: rawstr.h -> curl_rawstr.h
- renamed: rtsp.h -> curl_rtsp.h
- renamed: select.h -> curl_select.h
- renamed: sendf.h -> curl_sendf.h
- renamed: setup.h -> curl_setup.h
- renamed: setup_once.h -> curl_setup_once.h
- renamed: share.h -> curl_share.h
- renamed: slist.h -> curl_slist.h
- renamed: smtp.h -> curl_smtp.h
- renamed: sockaddr.h -> curl_sockaddr.h
- renamed: socks.h -> curl_socks.h
- renamed: speedcheck.h -> curl_speedcheck.h
- renamed: splay.h -> curl_splay.h
- renamed: ssh.h -> curl_ssh.h
- renamed: sslgen.h -> curl_sslgen.h
- renamed: ssluse.h -> curl_ssluse.h
- renamed: strdup.h -> curl_strdup.h
- renamed: strequal.h -> curl_strequal.h
- renamed: strerror.h -> curl_strerror.h
- renamed: strtok.h -> curl_strtok.h
- renamed: strtoofft.h -> curl_strtoofft.h
- renamed: telnet.h -> curl_telnet.h
- renamed: tftp.h -> curl_tftp.h
- renamed: timeval.h -> curl_timeval.h
- renamed: transfer.h -> curl_transfer.h
- renamed: url.h -> curl_url.h
- renamed: urldata.h -> curl_urldata.h
- renamed: warnless.h -> curl_warnless.h
- renamed: wildcard.h -> curl_wildcard.h
-
- ----------------------------------------
-
-- build: make use of 76 lib/*.h renamed files
-
- 76 private header files renamed to use our standard naming scheme.
-
- This change affects 322 files in libcurl's source tree.
-
-- lib/*.h: use our standard naming scheme for header inclusion guards
-
-Steve Holme (28 Dec 2012)
-- imsp.c: Fixed usernames and passwords that contain escape characters
-
- Fixed a problem with sending usernames and passwords that contain
- backslash, quotation mark and space characters.
-
-Daniel Stenberg (27 Dec 2012)
-- curl.1: extend the -X, --request description
-
-- RELEASE-NOTES: synced with e3ed2b82e6
+ fuzz: corpora file structure, initial commit
-- [Nick Zitzmann brought this change]
+- [Frederik B brought this change]
+
+ fuzz: bring oss-fuzz initial code converted to C89
- darwinssl: Fixed inability to disable peer verification
+- http-proxy: only attempt FTP over HTTP proxy
- ... on Snow Leopard and Lion
+ ... all other non-HTTP protocol schemes are now defaulting to "tunnel
+ trough" mode if a HTTP proxy is specified. In reality there are no HTTP
+ proxies out there that allow those other schemes.
- Snow Leopard introduced the SSLSetSessionOption() function, but it
- doesn't disable peer verification as expected on Snow Leopard or
- Lion (it works as expected in Mountain Lion). So we now use sysctl()
- to detect whether or not the user is using Snow Leopard or Lion,
- and if that's the case, then we now use the deprecated
- SSLSetEnableCertVerify() function instead to disable peer verification.
-
-Yang Tse (26 Dec 2012)
-- curl tool: rename hugehelp files to tool_hugehelp
+ Assisted-by: Ray Satiro, Michael Kaufmann
+
+ Closes #1505
-- curl tool: renaming hugehelp files to tool_hugehelp
+- TODO: the generated include file is gone
+
+ ... since commit 73a2fcea0b
-- sockfilt.c: commit b44da5a82a follow-up 2
+- curl_setup.h: error out on CURL_WANTS_CA_BUNDLE_ENV use
+
+ ... to make it really apparent if there's any user using this on purpose.
+
+ Suggested-by: Jay Satiro
+
+ Closes #1542
-- sockfilt.c: commit b44da5a82a follow-up
+- lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV
+
+ When this define was set, libcurl would check the environment variable
+ named CURL_CA_BUNDLE at run-time and use that CA cert bundle. This
+ feature was only defined by the watcom and m32 makefiles and caused
+ inconsistent behaviours among libcurls built on different platforms.
+
+ The curl tool does already feature its own similar logic and the library
+ does not really need it, and it isn't documented libcurl behavior. So
+ this change removes it.
+
+ Ref: #1538
-- sockfilt.c: fix some compiler warnings
+- test1147: verify -H on a file
-- curl_multi_remove_handle: commit 0aabfd9963 follow-up
+- curl: allow --header and --proxy-header read from file
+
+ So many headers can be provided as @filename.
+
+ Suggested-by: Timothe Litt
+
+ Closes #1486
-Daniel Stenberg (25 Dec 2012)
-- lib556: enable VERBOSE to ease debugging on failures
+- RELEASE-NOTES: synced with 2ad80eec5
-Marc Hoersken (25 Dec 2012)
-- socklift.c: Quick fix to re-add missing code
+- curl/curlver.h: start working on 7.55.0
-- socklift.c: Added select_ws function to support Windows
+- http-proxy: do the HTTP CONNECT process entirely non-blocking
- WinSock select() does not support standard file descriptors,
- it can only check SOCKETs. The following function is an attempt
- to create a select() function with support for other handles.
-
-Yang Tse (25 Dec 2012)
-- Enable tests 1503, 1504 and 1505
+ Mentioned as a problem since 2007 (8f87c15bdac63) and of course it
+ existed even before that.
+
+ Closes #1547
-- curl_multi_remove_handle: fix memory leak triggered with CURLOPT_RESOLVE
+- progress: let "current speed" be UL + DL speeds combined
+
+ Bug #1556
+ Reported-by: Paul Harris
+ Closes #1559
-- Curl_hash_clean: OOM handling fix
+Marcel Raad (14 Jun 2017)
+- system.h: fix MinGW build
+
+ CURLSYS_PULL_WS2TCPIP_H got renamed to CURL_PULL_WS2TCPIP_H in commit
+ 73a2fcea0b4adea6ba342cd7ed1149782c214ae3.
-- test 1504 and 1505: same as 1502 but with different cleanup sequences
+Daniel Stenberg (14 Jun 2017)
+- timers: store internal time stamps as time_t instead of doubles
+
+ This gives us accurate precision and it allows us to avoid storing "no
+ time" for systems with too low timer resolution as we then bump the time
+ up to 1 microsecond. Should fix test 573 on windows.
+
+ Remove the now unused curlx_tvdiff_secs() function.
+
+ Maintains the external getinfo() API with using doubles.
+
+ Fixes #1531
-Daniel Stenberg (24 Dec 2012)
-- Curl_conncache_foreach: allow callback to break loop
+- dist: make the hugehelp.c not get regenerated unnecessarily
- ... and have it take a proper 'struct connectdata *' as first argument
+ The maketgz script now makes sure the generated hugehelp.c file in the
+ tarball is newer than the generated curl.1 man page, so that it doesn't
+ have to get unnecessarily rebuilt first thing in a typical build. It
+ thus also removes the need for perl to build off a plain release
+ tarball.
+
+ Fixes #1565
-- pop3_doing: don't call pop3_dophase_done() if already failed
+- includes: remove curl/curlbuild.h and curl/curlrules.h
+
+ Rely entirely on curl/system.h now.
- ... it also clobbered the 'result' return value so that it wouldn't
- return the error back to the parent function properly, which broke test
- 809 when run with 'multi-always'.
+ Introduced in Aug 2008 with commit 14240e9e109f. Now gone.
+
+ Fixes #1456
-Yang Tse (23 Dec 2012)
-- test 1503: same as 1502 but with a different cleanup sequence
+Version 7.54.1 (14 Jun 2017)
-- test 1502: OOM handling fixes
+Daniel Stenberg (14 Jun 2017)
+- release: 7.54.1
-- curl_multi_wait: OOM handling fix
+Dan Fandrich (13 Jun 2017)
+- mk-lib1521.pl: updated to match the test changes in 916ec30a
-- [Daniel Stenberg brought this change]
+Daniel Stenberg (13 Jun 2017)
+- [Stuart Henderson brought this change]
- curl_multi_wait: avoid an unnecessary memory allocation
+ libressl: OCSP and intermediate certs workaround no longer needed
+
+ lib/vtls/openssl.c has a workaround for a bug with OCSP responses signed
+ by intermediate certs, this was fixed in LibreSSL in
+ https://github.com/libressl-portable/openbsd/commit/912c64f68f7ac4f225b7d1fdc8fbd43168912ba0
+
+ Bug: https://curl.haxx.se/mail/lib-2017-06/0038.html
+
+- url: fix buffer overwrite with file protocol (CVE-2017-9502)
+
+ Bug: https://github.com/curl/curl/issues/1540
+ Advisory: https://curl.haxx.se/docs/adv_20170614.html
+
+ Assisted-by: Ray Satiro
+ Reported-by: Marcel Raad
-- runtests.pl: prepend $srcdir to HTTPTLS server config files path
+- urlglob: fix division by zero
+
+ The multiply() function that is used to avoid integer overflows, was
+ itself reason for a possible division by zero error when passed a
+ specially formatted glob.
+
+ Reported-by: GwanYeong Kim
-- multi.c: OOM handling fix
+- configure: update the copyright year in the output
-- lib543.c: OOM handling fixes
+- [ygrek brought this change]
-- configure: add internal sanity check (warn only) on vars for makefiles
+ BINDINGS: update SP-Forth and OCaml urls
-Daniel Stenberg (21 Dec 2012)
-- SCP: relative path didn't work
+Michael Kaufmann (11 Jun 2017)
+- FindWin32CACert: Use a temporary buffer on the stack
+
+ Don't malloc() the temporary buffer, and use the correct type:
+ SearchPath() works with TCHAR, but SearchPathA() works with char.
+ Set the buffer size to MAX_PATH, because the terminating null byte
+ is already included in MAX_PATH.
- When prefixing a path with /~/ it is supposed to be used relative to the
- user's home directory but it didn't work. Now we cut off the entire
- three byte sequenct "/~/" which seems to be how OpenSSH does it.
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Marcel Raad
- Bug: http://curl.haxx.se/bug/view.cgi?id=1173
- Reported by: Balaji Parasuram
+ Closes #1548
-Yang Tse (21 Dec 2012)
-- configure: LIBMETALINK_CFLAGS actually is LIBMETALINK_CPPFLAGS
+Dan Fandrich (11 Jun 2017)
+- test1521: fixed OOM handling
-- configure: add minimal sanity check on user provided CFLAGS and CPPFLAGS
+Daniel Stenberg (9 Jun 2017)
+- RELEASE-PROCEDURE: updated future release dates
-- bundles connection caching: some out of memory handling fixes
+- [Paul Harris brought this change]
-- libntlmconnect.c: fix compiler warnings and OOM handling
+ gitignore: ignore all vim swap files
+
+ Closes #1561
-- configure.ac: clear local test intended variables before use
+- lib1521: fix compiler warnings on the use of bad 'long' values
+
+ Reported-by: Marcel Raad
+ Bug: https://github.com/curl/curl/commit/cccac4fb2b20d6ed87da7978408c3ecacc464fe4#commitcomment-22453387
-- VC6 IDE: link with advapi32.lib when using WIN32 crypto API (md5.c)
+- setopt: check CURLOPT_ADDRESS_SCOPE option range
+
+ ... and return error instead of triggering an assert() when being way
+ out of range.
-- curl-functions.m4: improve gethostname arg 2 data type check
+Jay Satiro (8 Jun 2017)
+- [TheAssassin brought this change]
-- setup_once.h: HP-UX specific 'bool', 'false' and 'true' definitions.
+ cmake: Fix inconsistency regarding mbed TLS include directory
- Also reverts commit f254c59dc7
-
-- configure: check if compiler halts on function prototype mismatch
+ Previously, one had to set MBEDTLS_INCLUDE_DIR to make CMake find the
+ headers, but the system complained that mbed TLS wasn't found due to
+ MBEDTLS_INCLUDE_DIRS (note the trailing s) was not set. This commit
+ attempts to fix that.
+
+ Closes https://github.com/curl/curl/pull/1541
-- warnless.c: fix compiler warnings
+Daniel Stenberg (8 Jun 2017)
+- [Ryuichi KAWAMATA brought this change]
-- curl-functions.m4: add gethostname arg 2 data type check and definition
+ examples/multi-uv.c: fix deprecated symbol
+
+ Closes #1557
-Daniel Stenberg (14 Dec 2012)
-- [Nick Zitzmann brought this change]
+- asyn-ares: s/Curl_expire_latest/Curl_expire
- darwinssl: Fix implicit conversion compiler warnings
+- expire: remove Curl_expire_latest()
- The Clang compiler found a few implicit conversion problems that have
- now been fixed.
-
-Yang Tse (14 Dec 2012)
-- setup_once.h: HP-UX <sys/socket.h> issue workaround
+ With the introduction of expire IDs and the fact that existing timers
+ can be removed now and thus never expire, the concept with adding a
+ "latest" timer is not working anymore as it risks to not expire at all.
- Issue: When building a 32bit target with large file support HP-UX
- <sys/socket.h> header file may simultaneously provide two different
- sets of declarations for sendfile and sendpath functions, one with
- static and another with external linkage. Given that we do not use
- mentioned functions we really don't care which linkage is the
- appropriate one, but on the other hand, the double declaration emmits
- warnings when using the HP-UX compiler and errors when using modern
- gcc versions resulting in fatal compilation errors.
+ So, to be certain the timers actually are in line and will expire, the
+ plain Curl_expire() needs to be used. The _latest() function was added
+ as a sort of shortcut in the past that's quite simply not necessary
+ anymore.
- Mentioned issue is now fixed as long as we don't use sendfile nor
- sendpath functions.
-
-- setup_once.h: refactor inclusion of <unistd.h> and <sys/socket.h>
+ Follow-up to 31b39c40cf90
+
+ Reported-by: Paul Harris
- Inclusion of top two most included header files now done in setup_once.h
+ Closes #1555
-- setup_once.h: HP-UX specific TRUE and FALSE definitions
+- [Chris Carlmar brought this change]
+
+ configure: fix link with librtmp when specifying path
- Some HP-UX system headers require TRUE defined to 1 and FALSE to 0.
+ Bug: https://curl.haxx.se/mail/lib-2017-06/0017.html
-Daniel Stenberg (12 Dec 2012)
-- gopher: #include cleanup
+- file: make speedcheck use current time for checks
- Remove all system file includes from this file as they're not needed
+ ... as it would previously just get the "now" timestamp before the
+ transfer starts and then not update it again.
- Reported by: Dan Fandrich
+ Closes #1550
-Yang Tse (11 Dec 2012)
-- examples/simplessl.c: fix compiler warning
+- metalink: remove unused printf() argument
-- examples/externalsocket.c: fix SunPro compilation issue
+- travis: let some builds *not* use --enable-debug
+
+ typecheck-gcc and other things require optimized builds
+
+ Closes #1544
-- examples/simplessl.c: fix compiler warning
+- README.md: show the coverall coverage on github
-- build: add bundles and conncache files to other build systems
+- lib1521: fix compiler warnings
-- conncache: fix enumerated type mixed with another type
+- test1521: make the code < 80 columns wide
-- examples/anyauthput.c: fix Tru64 compilation issue
+- test1121: use stricter types to work with typcheck-gcc
-Daniel Stenberg (8 Dec 2012)
-- [Colin Watson brought this change]
+- typecheck-gcc: allow CURLOPT_STDERR to be NULL too
- configure: fix cross pkg-config detection
-
- When cross-compiling, CURL_CHECK_PKGCONFIG was checking for the cross
- pkg-config using ${host}-pkg-config.
+- test1521: test *all* curl_easy_setopt options
- The gold standard for doing this correctly is pkg-config's own macro,
- PKG_PROG_PKG_CONFIG. However, on the assumption that you have a good
- reason not to use that directly (reduced dependencies for maintainer
- builds?), the behaviour of cURL's version should at least match.
- PKG_PROG_PKG_CONFIG uses AC_PATH_TOOL, which ultimately ends up trying
- ${host_alias}-pkg-config; this is not quite the same as what cURL does,
- and may differ because ${host} has been run through config.sub. For
- instance, when cross-building to the armhf architecture on Ubuntu,
- ${host_alias} is arm-linux-gnueabihf while ${host} is
- arm-unknown-linux-gnueabihf. This may also have been the cause of the
- problem reported at http://curl.haxx.se/mail/lib-2012-04/0224.html.
-
- AC_PATH_TOOL is significantly simpler than cURL's current code, and
- dates back to well before the current minimum of Autoconf 2.57, so let's
- use it instead.
-
-- [Linus Nielsen Feltzing brought this change]
-
- Introducing a new persistent connection caching system using "bundles".
+ mk-lib1521.pl generates a test program (lib1521.c) that calls
+ curl_easy_setopt() for every known option with a few typical values to
+ make sure they work (ignoring the return codes).
- A bundle is a list of all persistent connections to the same host.
- The connection cache consists of a hash of bundles, with the
- hostname as the key.
- The benefits may not be obvious, but they are two:
+ Some small changes were necessary to avoid asserts and NULL accesses
+ when doing this.
- 1) Faster search for connections to reuse, since the hash
- lookup only finds connections to the host in question.
- 2) It lays out the groundworks for an upcoming patch,
- which will introduce multiple HTTP pipelines.
+ The perl script needs to be manually rerun when we add new options.
- This patch also removes the awkward list of "closure handles",
- which were needed to send QUIT commands to the FTP server
- when closing a connection.
- Now we allocate a separate closure handle and use that
- one to close all connections.
+ Closes #1543
+
+Dan Fandrich (5 Jun 2017)
+- test1538: added "verbose logs" keyword
- This has been tested in a live system for a few weeks, and of
- course passes the test suite.
+ These error messages are not displayed with --disable-verbose
-- [Fabian Keil brought this change]
+Daniel Stenberg (5 Jun 2017)
+- test1262: verify ftp download with -z for "if older than this"
- runtests and friends: Do not add undefined values to @INC
+Marcel Raad (5 Jun 2017)
+- curl_ntlm_core: use Curl_raw_toupper instead of toupper
- On FreeBSD this fixes the warning:
- Use of uninitialized value $p in string eq at /usr/local/lib/perl5/5.14.2/BSDPAN/BSDPAN.pm line 36.
-
-Steve Holme (5 Dec 2012)
-- Merge pull request #52 from isn-/master
+ This was the only remaining use of toupper in the entire source code.
- small compilation fix
+ Suggested-by: Daniel Stenberg
+
+Daniel Stenberg (4 Jun 2017)
+- RELEASE-NOTES: synced with 65ba92650