Changelog
-Version 7.53.1 (24 Feb 2017)
+Version 7.59.0 (13 Mar 2018)
-Daniel Stenberg (24 Feb 2017)
-- release: 7.53.1
+Daniel Stenberg (13 Mar 2018)
+- release: 7.59.0
-- Revert "tests: use consistent environment variables for setting charset"
+Kamil Dudka (13 Mar 2018)
+- tests/.../spnego.py: fix identifier typo
- This reverts commit ecd1d020abdae3c3ce3643ddab3106501e62e7c0.
+ Detected by Coverity Analysis:
- That commit caused test failures on my Debian Linux machine for all
- changed test cases. We need to reconsider how that should get done.
-
-Dan Fandrich (23 Feb 2017)
-- tests: use consistent environment variables for setting charset
+ Error: IDENTIFIER_TYPO:
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo:
+ * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code.
+ * Identifier "SupportedMech" is referenced elsewhere at least 4 times.
+ curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech".
+ curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech".
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function).
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"?
- Character set in POSIX is set by the locale defined (in decreasing order
- of precedence) by the LC_ALL, LC_CTYPE and LANG environment variables (I
- believe CHARSET is only historic). LC_ALL is cleared to ensure that
- LC_CTYPE takes effect, but LC_ALL is not used to set the locale to
- ensure that other parts of the locale aren't overriden, if set. Since
- there doesn't seem to be a cross-platform way of specifying a UTF-8
- locale, and not all systems may support UTF-8, a <precheck> is used
- (where relevant) to skip the test if UTF-8 isn't in use. Test 1035 was
- also converted to UTF-8 for consistency, as the actual character set
- used there is irrelevant to the test.
+ Closes #2379
-Jay Satiro (23 Feb 2017)
-- url: Default the CA proxy bundle location to CURL_CA_BUNDLE
+Daniel Stenberg (13 Mar 2018)
+- CURLOPT_COOKIEFILE.3: "-" as file name means stdin
- If the compile-time CURL_CA_BUNDLE location is defined use it as the
- default value for the proxy CA bundle location, which is the same as
- what we already do for the regular CA bundle location.
+ Reported-by: Aron Bergman
+ Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html
- Ref: https://github.com/curl/curl/pull/1257
-
-Daniel Stenberg (23 Feb 2017)
-- [Sergii Pylypenko brought this change]
+ [ci skip]
- rand: added missing #ifdef HAVE_FCNTL_H around fcntl.h header
+- Revert "hostip: fix compiler warning: 'variable set but not used'"
- Closes #1285
+ This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248.
+
+ The assignment really needs to be there or we risk working with an
+ uninitialized pointer.
-- TODO: "OPTIONS *"
+Michael Kaufmann (12 Mar 2018)
+- limit-rate: fix compiler warning
- Closes #1280
+ follow-up to 72a0f62
-- RELEASE-NOTES: synced with 443e5b03a7d441
+Viktor Szakats (12 Mar 2018)
+- checksrc.pl: add -i and -m options
+
+ To sync it with changes made for the libssh2 project.
+ Also cleanup some whitespace.
-- THANKS-filter: shachaf
+- curl-openssl.m4: fix spelling [ci skip]
-- [İsmail Dönmez brought this change]
+- FAQ: fix a broken URL [ci skip]
- tests: Set CHARSET & LANG to UTF-8 in 1035, 2046 and 2047
+Daniel Stenberg (12 Mar 2018)
+- http2: mark the connection for close on GOAWAY
- Closes #1283
- Fixes #1277
+ ... don't consider it an error!
+
+ Assisted-by: Jay Satiro
+ Reported-by: Łukasz Domeradzki
+ Fixes #2365
+ Closes #2375
+
+- credits: Viktor prefers without accent
+
+- openldap: white space changes, fixed up the copyright years
-- bump: 7.53.1 coming up
+- openldap: check ldap_get_attribute_ber() results for NULL before using
- synced with df665f4df0f7a352
+ CVE-2018-1000121
+ Reported-by: Dario Weisser
+ Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
-- formdata: check for EOF when reading from stdin
+- FTP: reject path components with control codes
- Reported-by: shachaf@users.noreply.github.com
+ Refuse to operate when given path components featuring byte values lower
+ than 32.
- Fixes #1281
-
-Jay Satiro (22 Feb 2017)
-- docs: gitignore curl.1
+ Previously, inserting a %00 sequence early in the directory part when
+ using the 'singlecwd' ftp method could make curl write a zero byte
+ outside of the allocated buffer.
- curl.1 is generated by the cmdline-opts script since 4c49b83.
-
-Daniel Stenberg (22 Feb 2017)
-- TODO: HTTP Digest using SHA-256
+ Test case 340 verifies.
+
+ CVE-2018-1000120
+ Reported-by: Duy Phan Thanh
+ Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
-- TODO: brotli is deployed widely now
+- readwrite: make sure excess reads don't go beyond buffer end
+
+ CVE-2018-1000122
+ Bug: https://curl.haxx.se/docs/adv_2018-b047.html
+
+ Detected by OSS-fuzz
-Jay Satiro (21 Feb 2017)
-- [Viktor Szakats brought this change]
+- BUGS: updated link to security process
- urldata: include curl_sspi.h when Windows SSPI is enabled
+- limit-rate: kick in even before "limit" data has been received
- f77dabe broke builds in Windows using Windows SSPI but not Windows SSL.
+ ... and make sure to avoid integer overflows with really large values.
- Bug: https://github.com/curl/curl/issues/1276
- Reported-by: jveazey@users.noreply.github.com
+ Reported-by: 刘佩东
+ Fixes #2371
+ Closes #2373
-- url: Improve CURLOPT_PROXY_CAPATH error handling
-
- - Change CURLOPT_PROXY_CAPATH to return CURLE_NOT_BUILT_IN if the option
- is not supported, which is the same as what we already do for
- CURLOPT_CAPATH.
+- docs/SECURITY.md -> docs/SECURITY-PROCESS.md
+
+- SECURITY.md: call it the security process
+
+Michael Kaufmann (11 Mar 2018)
+- Curl_range: fix FTP-only and FILE-only builds
- - Change the curl tool to handle CURLOPT_PROXY_CAPATH error
- CURLE_NOT_BUILT_IN as a warning instead of as an error, which is the
- same as what we already do for CURLOPT_CAPATH.
+ follow-up to e04417d
+
+- hostip: fix compiler warning: 'variable set but not used'
+
+Daniel Stenberg (11 Mar 2018)
+- HTTP: allow "header;" to replace an internal header with a blank one
- - Fix CAPATH docs to show that CURLE_NOT_BUILT_IN is returned when the
- respective CAPATH option is not supported by the SSL library.
+ Reported-by: Michael Kaufmann
+ Fixes #2357
+ Closes #2362
+
+- http2: verbose output new MAX_CONCURRENT_STREAMS values
- Ref: https://github.com/curl/curl/pull/1257
+ ... as it is interesting for many users.
-- cyassl: fix typo
+- SECURITY: distros' max embargo time is 14 days now
-Version 7.53.0 (22 Feb 2017)
+Patrick Monnerat (8 Mar 2018)
+- curl tool: accept --compressed also if Brotli is enabled and zlib is not.
-Daniel Stenberg (22 Feb 2017)
-- release: 7.53.0
+Daniel Stenberg (5 Mar 2018)
+- THANKS + mailmap: remove duplicates, fixup full names
-- cookie: fix declaration of 'dup' shadows a global declaration
+- [sergii.kavunenko brought this change]
-- TLS: make SSL_VERIFYSTATUS work again
+ WolfSSL: adding TLSv1.3
- The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
- and thus even if the status couldn't be verified, the connection would
- be allowed and the user would not be told about the failed verification.
+ Closes #2349
+
+- RELEASE-NOTES/THANKS: synced with cc1d4c505
+
+- [Richard Alcock brought this change]
+
+ winbuild: prefer documented zlib library names
- Regression since cb4e2be7c6d42ca
+ Check for existence of import and static libraries with documented names
+ and use them if they do. Fallback to previous names.
- CVE-2017-2629
- Bug: https://curl.haxx.se/docs/adv_20170222.html
+ According to
+ https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on
+ Windows, the names of the import library is "zdll.lib" and static
+ library is "zlib.lib".
- Reported-by: Marcus Hoffmann
+ closes #2354
-Jay Satiro (21 Feb 2017)
-- digest_sspi: Handle 'stale=TRUE' directive in HTTP digest
+Marcel Raad (4 Mar 2018)
+- krb5: use nondeprecated functions
- - If the server has provided another challenge use it as the replacement
- input token if stale=TRUE. Otherwise previous credentials have failed
- so return CURLE_LOGIN_DENIED.
+ gss_seal/gss_unseal have been deprecated in favor of
+ gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first
+ version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June
+ 1996 already says "GSS_Wrap() (formerly GSS_Seal())" and
+ "GSS_Unwrap() (formerly GSS_Unseal())".
- Prior to this change the stale directive was ignored and if another
- challenge was received it would cause error CURLE_BAD_CONTENT_ENCODING.
+ Use the nondeprecated functions to avoid deprecation warnings.
- Ref: https://tools.ietf.org/html/rfc2617#page-10
+ [1] https://tools.ietf.org/html/rfc2078
+ [2] https://tools.ietf.org/html/rfc1964
- Bug: https://github.com/curl/curl/issues/928
- Reported-by: tarek112@users.noreply.github.com
+ Closes https://github.com/curl/curl/pull/2356
-Daniel Stenberg (20 Feb 2017)
-- smb: use getpid replacement for windows UWP builds
-
- Source: https://github.com/Microsoft/vcpkg/blob/7676b8780db1e1e591c4fc7eba4f96f73c428cb4/ports/curl/0002_fix_uwp.patch
-
-- TODO: CURLOPT_RESOLVE for any port number
-
- Closes #1264
-
-- RELEASE-NOTES: synced with af30f1152d43dcdb
+Daniel Stenberg (4 Mar 2018)
+- curl.1: mention how to add numerical IP addresses in NO_PROXY
-- [Jean Gressmann brought this change]
+- CURLOPT_NOPROXY.3: mention how to list numerical IPv6 addresses
- sftp: improved checks for create dir failures
+- NO_PROXY: fix for IPv6 numericals in the URL
- Since negative values are errors and not only -1. This makes SFTP upload
- with --create-dirs work (again).
+ Added test 1265 that verifies.
- Closes #1269
+ Reported-by: steelman on github
+ Fixes #2353
+ Closes #2355
-Jay Satiro (20 Feb 2017)
-- [Max Khon brought this change]
-
- digest_sspi: Fix nonce-count generation in HTTP digest
+- build: get CFLAGS (including -werror) used for examples and tests
- - on the first invocation: keep security context returned by
- InitializeSecurityContext()
+ ... so that the CI and more detects compiler warnings/errors properly!
- - on subsequent invocations: use MakeSignature() instead of
- InitializeSecurityContext() to generate HTTP digest response
+ Closes #2337
+
+Marcel Raad (3 Mar 2018)
+- curl_ctype: fix macro redefinition warnings
- Bug: https://github.com/curl/curl/issues/870
- Reported-by: Andreas Roth
+ On MinGW and Cygwin, GCC and clang have been complaining about macro
+ redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this
+ by undefining the macros before redefining them as suggested in
+ https://github.com/curl/curl/pull/2269.
- Closes https://github.com/curl/curl/pull/1251
-
-- examples/multi-uv: checksrc compliance
-
-Michael Kaufmann (19 Feb 2017)
-- string formatting: fix 4 printf-style format strings
+ Suggested-by: Daniel Stenberg
-Dan Fandrich (18 Feb 2017)
-- tests: removed the obsolete name parameter
+Dan Fandrich (2 Mar 2018)
+- unit1307: proper cleanup on OOM to fix torture tests
-Michael Kaufmann (18 Feb 2017)
-- speed caps: update the timeouts if the speed is too low/high
+Marcel Raad (28 Feb 2018)
+- unit1309: fix warning on Windows x64
- Follow-up to 4b86113
+ When targeting x64, MinGW-w64 complains about conversions between
+ 32-bit long and 64-bit pointers. Fix this by reusing the
+ GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic
+ from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST /
+ CURLX_INTEGER_TO_POINTER_CAST.
- Fixes https://github.com/curl/curl/issues/793
- Fixes https://github.com/curl/curl/issues/942
+ Closes https://github.com/curl/curl/pull/2341
-- docs: fix timeout handling in multi-uv example
-
-- proxy: fix hostname resolution and IDN conversion
-
- Properly resolve, convert and log the proxy host names.
- Support the "--connect-to" feature for SOCKS proxies and for passive FTP
- data transfers.
+- travis: update compiler versions
- Follow-up to cb4e2be
+ Update clang to version 3.9 and GCC to version 6.
- Reported-by: Jay Satiro
- Fixes https://github.com/curl/curl/issues/1248
-
-Jay Satiro (17 Feb 2017)
-- [Isaac Boukris brought this change]
+ Closes https://github.com/curl/curl/pull/2345
- http: fix missing 'Content-Length: 0' while negotiating auth
-
- - While negotiating auth during PUT/POST if a user-specified
- Content-Length header is set send 'Content-Length: 0'.
+Daniel Stenberg (26 Feb 2018)
+- docs/MANUAL: formfind.pl is not accessible on the site anymore
- This is what we do already in HTTPREQ_POST_FORM and what we did in the
- HTTPREQ_POST case (regression since afd288b).
+ Fixes #2342
+
+Jay Satiro (24 Feb 2018)
+- curl-openssl.m4: Fix version check for OpenSSL 1.1.1
- Prior to this change no Content-Length header would be sent in such a
- case.
+ - Add OpenSSL 1.1.1 to the header/library version lists.
- Bug: https://curl.haxx.se/mail/lib-2017-02/0006.html
- Reported-by: Dominik Hölzl
+ - Detect OpenSSL 1.1.1 library using its function ERR_clear_last_mark,
+ which was added in that version.
- Closes https://github.com/curl/curl/pull/1242
-
-Daniel Stenberg (16 Feb 2017)
-- [Simon Warta brought this change]
+ Prior to this change an erroneous header/library mismatch was caused by
+ lack of OpenSSL 1.1.1 detection. I tested using openssl-1.1.1-pre1.
- winbuild: add note on auto-detection of MACHINE in Makefile.vc
+Viktor Szakats (23 Feb 2018)
+- lib655: silence compiler warning
- Closes #1265
-
-- RELEASE-PROCEDURE: update the upcoming release calendar
+ Closes https://github.com/curl/curl/pull/2335
-- TODO: consider file name from the redirected URL with -O ?
+- spelling fixes
- It isn't easily solved, but with some thinking someone could probably
- come up with a working approach?
+ Detected using the `codespell` tool.
- Closes #1241
-
-Jay Satiro (15 Feb 2017)
-- tool_urlglob: Allow a glob range with the same start and stop
+ Also contains one URL protocol upgrade.
- For example allow ranges like [1-1] and [a-a] etc.
+ Closes https://github.com/curl/curl/pull/2334
+
+Daniel Stenberg (24 Feb 2018)
+- projects/README: remove reference to dead IDN link/package
- Regression since 5ca96cb.
+ Reported-by: Stefan Kanthak and Rod Widdowson
- Bug: https://github.com/curl/curl/issues/1238
- Reported-by: R. Dennis Steed
+ Fixes #2325
-Daniel Stenberg (15 Feb 2017)
-- axtls: adapt to API changes
+Jay Satiro (23 Feb 2018)
+- [Rod Widdowson brought this change]
+
+ winbuild: Use macros for the names of some build utilities
- Builds with axTLS 2.1.2. This then also breaks compatibility with axTLS
- < 2.1.0 (the older API)
+ - Add macros to the top of the makefile for rc and mt utilities so that
+ it is easier to change their locations.
- ... and fix the session_id mixup brought in 04b4ee549
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html
+ Reported-by: Stefan Kanthak
- Fixes #1220
+ Closes https://github.com/curl/curl/issues/2329
-- RELEASE-NOTES: synced with 690935390c29c
+Daniel Stenberg (23 Feb 2018)
+- TODO: remove "sha-256 digest", added in 2b5b37cb9109e7c2
-- [Nick Draffen brought this change]
+- curl_share_setopt.3: connection cache is shared within multi handles
- curl: fix typo in time condition warning message
+Jay Satiro (22 Feb 2018)
+- [Rod Widdowson brought this change]
+
+ winbuild: Use CALL to run batch scripts
- The warning message had a typo. The argument long form is --time-cond
- not --timecond
+ Co-authored-by: Stefan Kanthak
- Closes #1263
+ Closes https://github.com/curl/curl/issues/2330
+ Closes https://github.com/curl/curl/pull/2331
-- smb: code indent
+Patrick Monnerat (22 Feb 2018)
+- os400: add curl_resolver_start_callback type to ILE/RPG binding
-Jay Satiro (14 Feb 2017)
-- configure: Allow disabling pthreads, fall back on Win32 threads
-
- When the threaded resolver option is specified for configure the default
- thread library is pthreads. This change makes it possible to
- --disable-pthreads and then configure can fall back on Win32 threads for
- native Windows builds.
-
- Closes https://github.com/curl/curl/pull/1260
+Daniel Stenberg (22 Feb 2018)
+- form.d: rephrased somewhat, added two example command lines
-Daniel Stenberg (13 Feb 2017)
-- http2: fix memory-leak when denying push streams
-
- Reported-by: zelinchen@users.noreply.github.com
- Fixes #1229
+Jay Satiro (21 Feb 2018)
+- [Francisco Sedano brought this change]
-Jay Satiro (11 Feb 2017)
-- tool_operate: Show HTTPS-Proxy options on CURLE_SSL_CACERT
+ url: Add option CURLOPT_RESOLVER_START_FUNCTION
- When CURLE_SSL_CACERT occurs the tool shows a lengthy error message to
- the user explaining possible solutions such as --cacert and --insecure.
+ - Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that
+ will be called every time before a new resolve request is started
+ (ie before a host is resolved) with a pointer to backend-specific
+ resolver data. Currently this is only useful for ares.
- This change appends to that message similar options --proxy-cacert and
- --proxy-insecure when there's a specified HTTPS proxy.
+ - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to
+ pass to the resolver start callback.
- Closes https://github.com/curl/curl/issues/1258
+ Closes https://github.com/curl/curl/pull/2311
-Daniel Stenberg (10 Feb 2017)
-- cmdline-opts/page-footer: ftp.sunet.se is no longer an FTP mirror
-
-- URL: only accept ";options" in SMTP/POP3/IMAP URL schemes
-
- Fixes #1252
-
-Jay Satiro (9 Feb 2017)
-- cmdline-opts/socks*: Mention --preproxy in --socks* opts
+- lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
- - Document in --socks* opts they're still mutually exclusive of --proxy.
+ - In keeping with the naming of our other connect timeout options rename
+ CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.
- Partial revert of 423a93c; I had misinterpreted the SOCKS proxy +
- HTTP/HTTPS proxy combination.
+ This change adds the _MS suffix since the option expects milliseconds.
+ This is more intuitive for our users since other connect timeout options
+ that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS,
+ CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS.
- - Document in --socks* opts that --preproxy can be used to specify a
- SOCKS proxy at the same time --proxy is used with an HTTP/HTTPS proxy.
-
-Daniel Stenberg (9 Feb 2017)
-- CURLOPT_SSL_VERIFYPEER.3: also the https proxy version
-
-Kamil Dudka (9 Feb 2017)
-- nss: make FTPS work with --proxytunnel
+ The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms.
- If the NSS code was in the middle of a non-blocking handshake and it
- was asked to finish the handshake in blocking mode, it unexpectedly
- continued in the non-blocking mode, which caused a FTPS connection
- over CONNECT to fail with "(81) Socket not ready for send/recv".
+ Follow-up to 2427d94 which added the lib and tool option yesterday.
- Bug: https://bugzilla.redhat.com/1420327
+ Ref: https://github.com/curl/curl/pull/2260
-Daniel Stenberg (9 Feb 2017)
-- examples/multithread.c: link to our multi-thread docs
+Patrick Monnerat (21 Feb 2018)
+- sasl: prefer PLAIN mechanism over LOGIN
- ... instead of the OpenSSL mutex page.
+ SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says
+ PLAIN should be used instead if available.
-- http_proxy: avoid freeing static memory
-
- Follow up to 7fe81ec298e0: make sure 'host' is either NULL or malloced.
+Daniel Stenberg (21 Feb 2018)
+- RELEASE-NOTES: synced with 2427d94c6
-- [Cameron MacMinn brought this change]
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
- http_proxy: Fix tiny memory leak upon edge case connecting to proxy
+ url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT
- Fixes #1255
-
-Michael Kaufmann (8 Feb 2017)
-- polarssl, mbedtls: Fix detection of pending data
+ - Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy
+ eyeball timeout value.
- Reported-by: Dan Fandrich
- Bug: https://curl.haxx.se/mail/lib-2017-02/0032.html
-
-Dan Fandrich (7 Feb 2017)
-- test1139: Added the --manual keyword since the manual is required
-
-Daniel Stenberg (7 Feb 2017)
-- RELEASE-NOTES: synced with 102454459dd688c
-
-- THANKS-filter: polish some recent contributors
+ - Add new optval macro CURL_HET_DEFAULT to represent the default happy
+ eyeballs timeout value (currently 200 ms).
+
+ - Add new tool option --happy-eyeballs-timeout-ms to expose
+ CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the
+ other -timeout options in the tool expect seconds not milliseconds.
+
+ Closes https://github.com/curl/curl/pull/2260
-- http2: reset push header counter fixes crash
+- hostip: fix 'potentially uninitialized variable' warning
- When removing an easy handler from a multi before it completed its
- transfer, and it had pushed streams, it would segfault due to the pushed
- counted not being cleared.
+ Follow-up to 50d1b33.
- Fixed-by: zelinchen@users.noreply.github.com
- Fixes #1249
+ Caught by AppVeyor.
-- [Markus Westerlind brought this change]
+Daniel Stenberg (20 Feb 2018)
+- TODO: warning if curl version is not in sync with libcurl version
+
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
- transfer: only retry nobody-requests for HTTP
+ CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
- Using sftp to delete a file with CURLOPT_NOBODY set with a reused
- connection would fail as curl expected to get some data. Thus it would
- retry the command again which fails as the file has already been
- deleted.
+ This enables users to preresolve but still take advantage of happy
+ eyeballs and trying multiple addresses if some are not connecting.
- Fixes #1243
+ Ref: https://github.com/curl/curl/pull/2260
-Jay Satiro (7 Feb 2017)
-- [Daniel Gustafsson brought this change]
+Daniel Stenberg (20 Feb 2018)
+- [Sergio Borghese brought this change]
- telnet: Fix typos
+ examples/sftpuploadresume: resume upload via CURLOPT_APPEND
- Ref: https://github.com/curl/curl/pull/1245
+ URL: https://curl.haxx.se/mail/lib-2018-02/0072.html
-- [Daniel Gustafsson brought this change]
+- curl --version: show PSL if the run-time lib has it enabled
+
+ ... not of the #define was set at build-time!
- test552: Fix typos
+- TODO: "Support in-memory certs/ca certs/keys"
+
+ removed SSLKEYLOGFILE support (fixed)
- Closes https://github.com/curl/curl/pull/1245
+ removed "consider SSL patches" (outdated)
+
+ Closes #2310
-- [Daniel Gustafsson brought this change]
+- CURLOPT_HEADER.3: clarify problems with different data sizes
- darwinssl: Avoid parsing certificates when not in verbose mode
-
- The information extracted from the server certificates in step 3 is only
- used when in verbose mode, and there is no error handling or validation
- performed as that has already been done. Only run the certificate
- information extraction when in verbose mode and libcurl was built with
- verbose strings.
+- test1556: verify >16KB headers to the header callback
+
+- header callback: don't chop headers into smaller pieces
- Closes https://github.com/curl/curl/pull/1246
+ Reported-by: Guido Berhoerster
+ Fixes #2314
+ Closes #2316
-- [JDepooter brought this change]
+- test1154: verify that long HTTP headers get rejected
- schannel: Remove incorrect SNI disabled message
+- http: fix the max header length detection logic
- - Remove the SNI disabled when host verification disabled message
- since that is incorrect.
+ Previously, it would only check for max length if the existing alloc
+ buffer was to small to fit it, which often would make the header still
+ get used.
- - Show a message for legacy versions of Windows <= XP that connections
- may fail since those versions of WinSSL lack SNI, algorithms, etc.
+ Reported-by: Guido Berhoerster
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html
- Bug: https://github.com/curl/curl/pull/1240
-
-Daniel Stenberg (7 Feb 2017)
-- CHANGES: spell fix, use correct path to script
+ Closes #2315
-- CHANGES.0: removed
+- CURLOPT_HEADERFUNCTION.3: fix typo from d939226813
- This is the previously manually edited changelog, not touched since Aug
- 2015. Still present in git for those who wants it.
+ Reported-by: Erik Johansson
+ Bug: https://github.com/curl/curl/commit/d9392268131c1b8d18dec3fa30e0bded833a5db7#commitcomment-27607495
-Dan Fandrich (6 Feb 2017)
-- cmdline-opts: Fixed build and test in out of source tree builds
+- CURLOPT_HEADERFUNCTION.3: mention folded headers
-Viktor Szakats (6 Feb 2017)
-- use *.sourceforge.io and misc URL updates
+- TODO: 1.1 Option to refuse usernames in URLs
- Ref: https://sourceforge.net/blog/introducing-https-for-project-websites/
- Closes: https://github.com/curl/curl/pull/1247
+ Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas.
-Jay Satiro (6 Feb 2017)
-- docs: Add more HTTPS proxy documentation
+- TODO: 1.7 Support HTTP/2 for HTTP(S) proxies
+
+- ssh: add two missing state names
- - Document HTTPS proxy type.
+ The list of state names (used in debug builds) was out of sync in
+ relation to the list of states (used in all builds).
- - Document --write-out %{proxy_ssl_verify_result}.
+ I now added an assert to make sure the sizes of the two lists match, to
+ aid in detecting this mistake better in the future.
- - Document SOCKS proxy + HTTP/HTTPS proxy combination.
+ Regression since c92d2e14cf, shipped in 7.58.0.
- HTTPS proxy support was added in 7.52.0 for OpenSSL, GnuTLS and NSS.
+ Reported-by: Somnath Kundu
- Ref: https://github.com/curl/curl/commit/cb4e2be
+ Fixes #2312
+ Closes #2313
-- OS400: Fix symbols
+- Revert "KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy"
- - s/CURLOPT_SOCKS_PROXY/CURLOPT_PRE_PROXY
- Follow-up to 7907a2b and 845522c.
+ This reverts commit de9fac00c40db321d44fa6fbab6eb62ec4c83998.
- - Fix incorrect id for CURLOPT_PROXY_PINNEDPUBLICKEY.
+ Reported-by: Jay Satiro
+
+Jay Satiro (15 Feb 2018)
+- non-ascii: fix implicit declaration warning
- - Add id for CURLOPT_ABSTRACT_UNIX_SOCKET.
+ Follow-up to b46cfbc.
- Bug: https://github.com/curl/curl/issues/1237
- Reported-by: jonrumsey@users.noreply.github.com
-
-- [Sean Burford brought this change]
+ Caught by Travis CI.
- cmake: Support curl --xattr when built with cmake
+Daniel Stenberg (15 Feb 2018)
+- travis: add build with iconv enabled
+
+ ... to verify it builds and works fine.
+
+ Ref: https://curl.haxx.se/mail/lib-2017-09/0031.html
- - Test for and set HAVE_FSETXATTR when support for extended file
- attributes is present.
+ Closes #1872
+
+- TODO: 18.18 retry on network is unreachable
- Closes https://github.com/curl/curl/pull/1176
+ Closes #1603
-- [Adam Langley brought this change]
+- KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy
+
+ Closes #1254
- openssl: Don't use certificate after transferring ownership
+Kamil Dudka (15 Feb 2018)
+- nss: use PK11_CreateManagedGenericObject() if available
- SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
- while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
- it's best to call SSL_CTX_add_client_CA before
- SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
- argument.
+ ... so that the memory allocated by applications using libcurl does not
+ grow per each TLS connection.
+
+ Bug: https://bugzilla.redhat.com/1510247
- Closes https://github.com/curl/curl/pull/1236
+ Closes #2297
-Daniel Stenberg (29 Jan 2017)
-- [Antoine Aubert brought this change]
+Daniel Stenberg (15 Feb 2018)
+- [Björn Stenberg brought this change]
- mbedtls: implement CTR-DRBG and HAVEGE random generators
+ TODO fixed: Detect when called from within callbacks
- closes #1227
+ Closes #2302
-- docs: we no longer ship HTML versions of man pages
+- BINDINGS: fix curb link (and remove ruby-curl-multi)
- ... refer to the web site for the web versions.
+ Reported-by: Klaus Stein
-- [railsnewbie257 brought this change]
+- curl_gssapi: make sure this file too uses our *printf()
- docs: proofread README.netware README.win32
+- libcurl-security.3: separate file:// section
- Closes #1231
+ ... just to make it more apparent. Even if it repeats
+ some pieces of information.
-- RELEASE-NOTES; synced with ab08d82648
-
-Michael Kaufmann (28 Jan 2017)
-- mbedtls: disable TLS session tickets
-
- SSL session reuse with TLS session tickets is not supported yet.
- Use SSL session IDs instead.
+- libcurl-security.3: the http://192.168.0.1/my_router_config case
- See https://github.com/curl/curl/issues/1109
+ Mentioned-By: Rich Moore
-- gnutls: disable TLS session tickets
-
- SSL session reuse with TLS session tickets is not supported yet.
- Use SSL session IDs instead.
-
- Fixes https://github.com/curl/curl/issues/1109
+- libcurl-security.3: mention the URL standards problems too
-- polarssl: fix hangs
+- libcurl-security.3: split out from libcurl-tutorial.3
- This bugfix is similar to commit c111178bd4.
-
-Daniel Stenberg (27 Jan 2017)
-- cookies: do not assume a valid domain has a dot
+ To make more accessible.
- This repairs cookies for localhost.
+ Merged in some new language from "URLs are dangerous things" as discussed on
+ the mailing list a few days ago:
- Non-PSL builds will now only accept "localhost" without dots, while PSL
- builds okeys everything not listed as PSL.
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0013.html
+
+- RELEASE-NOTES: synced with e551910f8
+
+Patrick Monnerat (13 Feb 2018)
+- tests: new tests for http raw mode
- Added test 1258 to verify.
+ Test 319 checks proper raw mode data with non-chunked gzip
+ transfer-encoded server data.
+ Test 326 checks raw mode with chunked server data.
- This was a regression brought in a76825a5efa6b4
+ Bug: #2303
+ Closes #2308
-- TODO: remove "Support TLS v1.3"
+Kamil Dudka (12 Feb 2018)
+- tlsauthtype.d: works only if libcurl is built with TLS-SRP support
- Support is trickling in already.
-
-- [railsnewbie257 brought this change]
-
- INTERNALS.md: language improvements
+ Bug: https://bugzilla.redhat.com/1542256
- Closes #1226
+ Closes #2306
-- telnet: fix windows compiler warnings
+Patrick Monnerat (12 Feb 2018)
+- smtp: fix processing of initial dot in data
+
+ RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command
+ should be taken into account when chasing the <CRLF>.<CRLF> end marker.
+ Thus a leading dot character in data is also subject to escaping.
- Thumbs-up-by: Jay Satiro
+ Tests 911 and test server are adapted to this situation.
+ New tests 951 and 952 check proper handling of initial dot in data.
- Closes #1225
+ Closes #2304
+
+Daniel Stenberg (12 Feb 2018)
+- sha256: avoid redefine
+
+- [Douglas Mencken brought this change]
-- VC: remove the makefile.vc6 build infra
+ sha256: build with OpenSSL < 0.9.8 too
- The winbuild/ build files is now the single MSVC makefile build choice.
+ support for SHA-2 was introduced in OpenSSL 0.9.8
- Closes #1215
+ Closes #2305
-- [Jay Satiro brought this change]
+- [Bruno Grasselli brought this change]
- cmdline-opts/gen.pl: Open input files in CRLF mode
+ README: language fix
- On Windows it's possible to have input files with CRLF line endings and
- a perl that defaults to LF line endings (eg msysgit). Currently that
- results in generator output of mixed line endings of CR, LF and CRLF.
+ s/off/from
- This change fixes that issue in the most succinct way by opening the
- files in :crlf text mode even when the perl being used does not default
- to that mode. (On operating systems that don't have a separate text mode
- it's essentially a no-op.) The output continues to be in the perl's
- native line ending.
+ Closes #2300
-- docs/curl.1: generate from the cmdline-opts script
+Patrick Monnerat (12 Feb 2018)
+- http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING on
+
+ Bug: #2303
+ Reported-By: Henry Roeland
-- vtls: source indentation fix
+Daniel Stenberg (9 Feb 2018)
+- get_posix_time: only check for overflows if they can happen!
-- contri*.sh: cut off parentheses from names too
+Michael Kaufmann (9 Feb 2018)
+- schannel: fix "no previous prototype" compiler warning
-- RELEASE-NOTES: synced with 01ab7c30bba6f
+Jay Satiro (9 Feb 2018)
+- [Mohammad AlSaleh brought this change]
-- vtls: fix PolarSSL non-blocking handling
+ content_encoding: Add "none" alias to "identity"
- A regression brought in cb4e2be
+ Some servers return a "content-encoding" header with a non-standard
+ "none" value.
- Reported-by: Michael Kaufmann
- Bug: https://github.com/curl/curl/issues/1174#issuecomment-274018791
-
-- [Antoine Aubert brought this change]
-
- vtls: fix mbedtls multi non blocking handshake.
+ Add "none" as an alias to "identity" as a work-around, to avoid
+ unrecognised content encoding type errors.
- When using multi, mbedtls handshake is in non blocking mode. vtls must
- set wait for read/write flags for the socket.
+ Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
- Closes #1223
+ Closes https://github.com/curl/curl/pull/2298
-- [Richy Kim brought this change]
+Steve Holme (8 Feb 2018)
+- build-openssl.bat: Follow up to 648679ab8e to suppress copy/move output
- CURLOPT_BUFFERSIZE: support enlarging receive buffer
-
- Replace use of fixed macro BUFSIZE to define the size of the receive
- buffer. Reappropriate CURLOPT_BUFFERSIZE to include enlarging receive
- buffer size. Upon setting, resize buffer if larger than the current
- default size up to a MAX_BUFSIZE (512KB). This can benefit protocols
- like SFTP.
+- build-openssl.bat: Fixed incorrect move if destination build folder exists
+
+Michael Kaufmann (8 Feb 2018)
+- schannel: fix compiler warnings
- Closes #1222
+ Closes #2296
-- sws: use SOCKERRNO, not errno
+Steve Holme (7 Feb 2018)
+- curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows
- Reported-by: Gisle Vanem
+ Windows 10.0.17061 SDK introduces support for Unix Domain Sockets.
+ Added the necessary include file to curl_addrinfo.c.
+
+ Note: The SDK (which is considered beta) has to be installed, VS 2017
+ project file has to be re-targeted for Windows 10.0.17061 and #define
+ enabled in config-win32.h.
-Michael Kaufmann (19 Jan 2017)
-- KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
+Patrick Monnerat (7 Feb 2018)
+- fnmatch: optimize processing of consecutive *s and ?s pattern characters
- This has been implemented with commit 9ad034e.
+ Reported-By: Daniel Stenberg
+ Fixes #2291
+ Closes #2293
-Viktor Szakats (19 Jan 2017)
-- *.rc: escape non-ASCII/non-UTF-8 character for clarity
+Steve Holme (6 Feb 2018)
+- build-openssl.bat/build-wolfssl.bat: Build platform is optional
+
+ Whilst the compiler parameter is mandatory, platform is optional as it
+ is automatically calculated by the :configure section.
- Closes https://github.com/curl/curl/pull/1217
+ This partially reverts commit 6d62d2c55d.
-Kamil Dudka (19 Jan 2017)
-- docs: non-blocking SSL handshake is now supported with NSS
+Daniel Stenberg (6 Feb 2018)
+- [Patrick Schlangen brought this change]
+
+ openssl: Don't add verify locations when verifypeer==0
- Implemented since curl-7_36_0-130-g8868a22
+ When peer verification is disabled, calling
+ SSL_CTX_load_verify_locations is not necessary. Only call it when
+ verification is enabled to save resources and increase performance.
- Reported-by: Fahim Chandurwala
+ Closes #2290
-Michael Kaufmann (18 Jan 2017)
-- CURLOPT_CONNECT_TO: Fix compile warnings
+Steve Holme (5 Feb 2018)
+- build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
- Fix compile warnings that appeared only when curl has been configured
- with '--disable-verbose'.
+ ...and not just the Community Edition.
-Daniel Stenberg (18 Jan 2017)
-- usercertinmem.c: improve the short description
+- build-openssl.bat: Extend VC15 support to include Enterprise and Professional
+
+ ...and not just the Community Edition.
-- parseurl: move back buffer to function scope
+Michael Kaufmann (5 Feb 2018)
+- time-cond: fix reading the file modification time on Windows
- Regression since 1d4202ad, which moved the buffer into a more narrow
- scope, but the data in that buffer was used outside of that more narrow
- scope.
+ On Windows, stat() may adjust the unix file time by a daylight saving time
+ offset. Avoid this by calling GetFileTime() instead.
- Reported-by: Dan Fandrich
- Bug: https://curl.haxx.se/mail/lib-2017-01/0093.html
+ Fixes #2164
+ Closes #2204
-Jay Satiro (17 Jan 2017)
-- openssl: Fix random generation
+Daniel Stenberg (5 Feb 2018)
+- formdata: use the mime-content type function
+
+ Reduce code duplication by making Curl_mime_contenttype available and
+ used by the formdata function. This also makes the formdata function
+ recognize a set of more file extensions by default.
- - Fix logic error in Curl_ossl_random.
+ PR #2280 brought this to my attention.
- Broken a few days ago in 807698d.
+ Closes #2282
-Daniel Stenberg (17 Jan 2017)
-- TODO: share OpenSSL contexts
+- getdate: return -1 for out of range
- By supporting this, subsequent connects would load a lot less data from
- disk.
+ ...as that's how the function is documented to work.
- Closes #1110
-
-- bump: next release will be 7.53.0
-
-Kamil Dudka (15 Jan 2017)
-- nss: use the correct lock in nss_find_slot_by_name()
-
-Alessandro Ghedini (15 Jan 2017)
-- http2: disable server push if not requested
+ Reported-by: Michael Kaufmann
+ Bug found in an autobuild with 32 bit time_t
- Ref: https://github.com/curl/curl/pull/1160
+ Closes #2278
-Daniel Stenberg (14 Jan 2017)
-- [railsnewbie257 brought this change]
+- [Ben Greear brought this change]
- docs: improved language in README.md HISTORY.md CONTRIBUTE.md
+ build: fix termios issue on android cross-compile
- Closes #1211
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0122.html
+ Signed-off-by: Ben Greear <greearb@candelatech.com>
-Alessandro Ghedini (14 Jan 2017)
-- http: print correct HTTP string in verbose output when using HTTP/2
+- time_t-fixes: remove typecasts to 'long' for info.filetime
- Before:
- ```
- % src/curl https://sigsegv.ninja/ -v --http2
- ...
- > GET / HTTP/1.1
- > Host: sigsegv.ninja
- > User-Agent: curl/7.52.2-DEV
- > Accept: */*
- >
- ...
- ```
+ They're now wrong.
- After:
- ```
- % src/curl https://sigsegv.ninja/ -v --http2
- ...
- > GET / HTTP/2
- > Host: sigsegv.ninja
- > User-Agent: curl/7.52.2-DEV
- > Accept: */*
- >
- ```
-
-Daniel Stenberg (14 Jan 2017)
-- TODO: send only part of --data
+ Reported-by: Michael Kaufmann
- Closes #1200
+ Closes #2277
-- TODO: implemened "--fail-fast to exit on first transfer fail"
+- curl_setup: move the precautionary define of SIZEOF_TIME_T
- Even though it is called --fail-early
-
-- TODO: Chunked transfer multipart formpost
+ ... up to before it may be used for the TIME_T_MAX/MIN logic.
- Closes #1139
+ Reported-by: Michael Kaufmann
-- TODO: Improve formpost API, not just add an easy argument
+- parsedate: s/#if/#ifdef
+
+ Reported-by: Michael Kaufmann
+ Bug: https://github.com/curl/curl/commit/1c39128d974666107fc6d9ea15f294036851f224#commitcomment-27246479
-- addrinfo: fix compiler warning on offsetof() use
+Patrick Monnerat (31 Jan 2018)
+- fnmatch: pattern syntax can no longer fail
- curl_addrinfo.c:519:20: error: conversion to ‘curl_socklen_t {aka
- unsigned int}’ from ‘long unsigned int’ may alter its value
- [-Werror=conversion]
+ Whenever an expected pattern syntax rule cannot be matched, the
+ character starting the rule loses its special meaning and the parsing
+ is resumed:
+ - backslash at the end of pattern string matches itself.
+ - Error in [:keyword:] results in set containing :\[dekorwy.
- Follow-up to 1d786faee1046f
-
-- THANKS-filter: Jiri Malak
+ Unit test 1307 updated for this new situation.
+
+ Closes #2273
-- RELEASE-NOTES: synced with a7c73ae309c
+- fnmatch: accept an alphanum to be followed by a non-alphanum in char set
+
+ Also be more tolerant about set pattern syntax.
+ Update unit test 1307 accordingly.
+
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html
-Peter Wu (13 Jan 2017)
-- [Isaac Boukris brought this change]
+- fnmatch: do not match the empty string with a character set
- unix_socket: add support for abstract unix domain socket
+Jay Satiro (30 Jan 2018)
+- build: fix windows build methods for curl_ctype.c
- In addition to unix domain sockets, Linux also supports an
- abstract namespace which is independent of the filesystem.
+ - Fix winbuild and the VS project generator to treat curl_ctype.{c,h} as
+ curlx files since they are required by both src and lib.
- In order to support it, add new CURLOPT_ABSTRACT_UNIX_SOCKET
- option which uses the same storage as CURLOPT_UNIX_SOCKET_PATH
- internally, along with a flag to specify abstract socket.
+ Follow-up to 4272a0b which added curl_ctype.
+
+Daniel Stenberg (30 Jan 2018)
+- progress-bar.d: update to match implementation
- On non-supporting platforms, the abstract address will be
- interpreted as an empty string and fail gracefully.
+ ... since commit 993dd5651a6
- Also add new --abstract-unix-socket tool parameter.
+ Reported-by: Martin Dreher
+ Bug: https://github.com/curl/curl/pull/2242#issuecomment-361059228
- Signed-off-by: Isaac Boukris <iboukris@gmail.com>
- Reported-by: Chungtsun Li (typeless)
- Reviewed-by: Daniel Stenberg
- Reviewed-by: Peter Wu
- Closes #1197
- Fixes #1061
+ Closes #2271
-Daniel Stenberg (13 Jan 2017)
-- write-out.d: 'time_total' is not always shown with ms precision
+- http2: set DEBUG_HTTP2 to enable more HTTP/2 logging
- We have higher resolution since 7.52.0
+ ... instead of doing it unconditionally in debug builds. It cluttered up
+ the output a little too much.
-- next.d: --trace and --trace-ascii are also global
+- [Max Dymond brought this change]
-- [Isaac Boukris brought this change]
+ file: Check the return code from Curl_range and bail out on error
- curl: reset the easy handle at --next
-
- So that only "global" options (verbose mostly) survive into the next
- transfer, and the others have to be set again unless default is fine.
+- [Max Dymond brought this change]
+
+ Curl_range: add check to ensure "from <= to"
-- [Frank Gevaerts brought this change]
+- [Max Dymond brought this change]
- docs: Add note about libcurl copying strings to CURLOPT_* manpages
+ Curl_range: commonize FTP and FILE range handling
- Closes #1169
+ Closes #2205
-- [Frank Gevaerts brought this change]
+- RELEASE-NOTES: synced with 811beab9f
- CURLOPT_PREQUOTE.3: takes a struct curl_slist*, not a char*
+- curlver: next release will be 7.59.0
-- IDN: Use TR46 non-transitional
+- [Michał Janiszewski brought this change]
+
+ curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
- Assisted-by: Tim Rühsen
+ Closes #2275
-- IDN: revert use of the transitional option
+- time: support > year 2038 time stamps for system with 32bit long
- It made the german ß get converted to ss, IDNA2003 style, and we can't
- have that for the .de TLD - a primary reason for our switch to IDNA2008.
+ ... with the introduction of CURLOPT_TIMEVALUE_LARGE and
+ CURLINFO_FILETIME_T.
- Test 165 verifies.
-
-- [Tim Rühsen brought this change]
+ Fixes #2238
+ Closes #2264
- IDN: Fix compile time detection of linidn2 TR46
+- curl_easy_reset: clear digest auth state
- Follow-up to f30cbcac1
-
- Closes #1207
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0074.html
+ Reported-by: Ruurd Beerstra
+ Fixes #2255
+ Closes #2272
-- [ERAMOTO Masaya brought this change]
+- [Adam Marcionek brought this change]
- url: --noproxy option overrides NO_PROXY environment variable
+ winbuild: make linker generate proper PDB
- Under condition using http_proxy env var, noproxy list was the
- combination of --noproxy option and NO_PROXY env var previously. Since
- this commit, --noproxy option overrides NO_PROXY environment variable
- even if use http_proxy env var.
+ Link.exe requires /DEBUG to properly generate a full pdb file on release
+ builds.
- Closes #1140
-
-- [ERAMOTO Masaya brought this change]
+ Closes #2274
- url: Refactor detect_proxy()
+- curl: add --proxy-pinnedpubkey
- If defined CURL_DISABLE_HTTP, detect_proxy() returned NULL. If not
- defined CURL_DISABLE_HTTP, detect_proxy() checked noproxy list.
+ To verify a proxy's public key. For when using HTTPS proxies.
- Thus refactor to set proxy to NULL instead of calling detect_proxy() if
- define CURL_DISABLE_HTTP, and refactor to call detect_proxy() if not
- define CURL_DISABLE_HTTP and the host is not in the noproxy list.
+ Fixes #2192
+ Closes #2268
-- [ERAMOTO Masaya brought this change]
-
- url: Fix NO_PROXY env var to work properly with --proxy option.
+- configure: set PATH_SEPARATOR to colon for PATH w/o separator
- The combination of --noproxy option and http_proxy env var works well
- both for proxied hosts and non-proxied hosts.
+ The logic tries to figure out what the path separator in the $PATH
+ variable is, but if there's only one directory in the $PATH it
+ fails. This change make configure *guess* on colon instead of erroring
+ out, simply because that is probably the more common character.
- However, when combining NO_PROXY env var with --proxy option,
- non-proxied hosts are not reachable while proxied host is OK.
+ PATH_SEPARATOR can always be set by the user to override the guessing.
- This patch allows us to access non-proxied hosts even if using NO_PROXY
- env var with --proxy option.
-
-- [Tim Rühsen brought this change]
+ (tricky bug to reproduce, as in my case for example the configure script
+ requires binaries in more than one directory so passing in a PATH with a
+ single dir fails.)
+
+ Reported-by: Earnestly on github
+ Fixes #2202
+ Closes #2265
- IDN: Use TR46 'transitional' for toASCII translations
+- curl_ctype: private is*() type macros and functions
- References: http://unicode.org/faq/idn.html
- http://unicode.org/reports/tr46
+ ... since the libc provided one are locale dependent in a way we don't
+ want. Also, the "native" isalnum() (for example) works differently on
+ different platforms which caused test 1307 failures on macos only.
- Closes #1206
-
-- [railsnewbie257 brought this change]
+ Closes #2269
- docs: FAQ MAIL-ETIQUETTE language fixes
+Marcel Raad (29 Jan 2018)
+- build: open VC15 projects with VS 2017
- Closes #1194
+ Previously, they were opened with Visual Studio 2015 by default, which
+ cannot build them.
-- [Marcus Hoffmann brought this change]
+Daniel Stenberg (29 Jan 2018)
+- RELEASE-NOTES: synced with 094647fca
- gnutls: check for alpn and ocsp in configure
-
- Check for presence of gnutls_alpn_* and gnutls_ocsp_* functions during
- configure instead of relying on the version number. GnuTLS has options
- to turn these features off and we ca just work with with such builds
- like we work with older versions.
-
- Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com>
+- TODO: UTF-8 filenames in Content-Disposition
- Closes #1204
+ Closes #1888
-Jay Satiro (12 Jan 2017)
-- url: Fix parsing for when 'file' is the default protocol
+- KNOWN_BUGS: DICT responses show the underlying protocol
- Follow-up to 3463408.
+ Closes #1809
+
+Jay Satiro (27 Jan 2018)
+- [Alessandro Ghedini brought this change]
+
+ docs: fix typos in man pages
- Prior to 3463408 file:// hostnames were silently stripped.
+ Closes https://github.com/curl/curl/pull/2266
+
+Patrick Monnerat (26 Jan 2018)
+- lib555: drop text conversion and encode data as ascii codes
- Prior to this commit it did not work when a schemeless url was used with
- file as the default protocol.
+ If CURL_DOES_CONVERSION is enabled, uploaded LFs are mapped to CRLFs,
+ giving a result that is different from what is expected.
+ This commit avoids using CURLOPT_TRANSFERTEXT and directly encodes data
+ to upload in ascii.
- Ref: https://curl.haxx.se/mail/lib-2016-11/0081.html
- Closes https://github.com/curl/curl/pull/1124
+ Bug: https://github.com/curl/curl/pull/1872
+
+Daniel Stenberg (26 Jan 2018)
+- lib517: make variable static to avoid compiler warning
- Also fix for drive letters:
+ ... with clang on macos
+
+Patrick Monnerat (26 Jan 2018)
+- lib544: sync ascii code data with textual data
- - Support --proto-default file c:/foo/bar.txt
+ Data mismatch caused test 545 to fail when character encoding
+ conversion is enabled.
- - Support file://c:/foo/bar.txt
+ Bug: https://github.com/curl/curl/pull/1872
+
+Daniel Stenberg (25 Jan 2018)
+- [Travis Burtrum brought this change]
+
+ GSKit: restore pinnedpubkey functionality
- - Fail when a file:// drive letter is detected and not MSDOS/Windows.
+ inadvertently removed in 283babfaf8d8f3bab9d3c63cea94eb0b84e79c37
- Bug: https://github.com/curl/curl/issues/1187
- Reported-by: Anatol Belski
- Assisted-by: Anatol Belski
+ Closes #2263
-Daniel Stenberg (12 Jan 2017)
-- rand: make it work without TLS backing
+- [Dair Grant brought this change]
+
+ darwinssl: Don't import client certificates into Keychain on macOS
- Regression introduced in commit f682156a4fc6c4
+ Closes #2085
+
+- configure: fix the check for unsigned time_t
- Reported-by: John Kohl
- Bug: https://curl.haxx.se/mail/lib-2017-01/0055.html
+ Assign the time_t variable negative value and then check if it is
+ greater than zero, which will evaluate true for unsigned time_t but
+ false for signed time_t.
-Jay Satiro (12 Jan 2017)
-- STARTTLS: Don't print response character in denied messages
+- parsedate: fix date parsing for systems with 32 bit long
- Both IMAP and POP3 response characters are used internally, but when
- appended to the STARTTLS denial message likely could confuse the user.
+ Make curl_getdate() handle dates before 1970 as well (returning negative
+ values).
- Closes https://github.com/curl/curl/pull/1203
-
-- smtp: Fix STARTTLS denied error message
+ Make test 517 test dates for 64 bit time_t.
- - Format the numeric denial code as an integer instead of a character.
-
-Daniel Stenberg (11 Jan 2017)
-- http2_send: avoid unsigned integer wrap around
+ This fixes bug (3) mentioned in #2238
- ... when checking for a too large request.
+ Closes #2250
-Jay Satiro (9 Jan 2017)
-- [Jiri Malak brought this change]
+- [McDonough, Tim brought this change]
- cmake: Fix passing _WINSOCKAPI_ macro to compiler
+ openssl: fix pinned public key build error in FIPS mode
- Define _WINSOCKAPI_ blank rather than to 1 in order to match the value
- used by Microsoft's winsock header files.
+ Here is a version that should work with all versions of openssl 0.9.7
+ through 1.1.0.
- Closes https://github.com/curl/curl/pull/1195
-
-Daniel Stenberg (9 Jan 2017)
-- sws: retry send() on EWOULDBLOCK
+ Links to the docs:
+ https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html
+ https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html
- Fixes spurious test 1060 and 1061 failures on OpenBSD, Solaris and more.
+ At the very bottom of the 1.1.0 documentation there is a history section
+ that states, " stack allocated EVP_MD_CTXs are no longer supported."
- Bug: https://curl.haxx.se/mail/lib-2017-01/0009.html
- Reported-by: Christian Weisgerber
+ If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a
+ simple mapping can be used as described here:
+ https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes
+
+ Closes #2258
-- RELEASE-NOTES: synced with a41e8592d6b3e58
+- [Travis Burtrum brought this change]
-- examples: make the C++ examples follow our code style too
-
- At least mostly, not counting // comments.
+ SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5sum
-- [Aulddays brought this change]
+- [Travis Burtrum brought this change]
- asiohiper: improved socket handling
+ SChannel/WinSSL: Implement public key pinning
- libcurl requires CURLMOPT_SOCKETFUNCTION to KEEP watching socket events
- and notify back. Modify event_cb() to continue watching events when
- fired.
-
- Fixes #1191
- Closes #1192
- Fixed-by: Mingliang Zhu
+ Closes #1429
-- [Jiří Malák brought this change]
+- bump: towards 7.58.1
- lib506: fix build for Open Watcom
+- cookies: remove verbose "cookie size:" output
- Rename symbol lock to locks to not clash with OW CRTL function name.
+ It was once used for some debugging/verifying logic but should never have
+ ended up in git!
+
+- TODO: hardcode the "localhost" addresses
+
+- TODO: CURL_REFUSE_CLEARTEXT
- Closes #1196
+ An idea that popped up in discussions on twitter.
-- ROADMAP: 2017 cleanup
+- progress-bar: don't use stderr explicitly, use bar->out
- Removed items already fixed, clarified a few others.
+ Reported-By: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/993dd5651a6c853bfe3870f6a69c7b329fa4e8ce#commitcomment-27070080
-- COPYING: update the generic copyright year range
+GitHub (24 Jan 2018)
+- [Gisle Vanem brought this change]
-- docs/silent: mention --show-error in --silent description
+ Fixes for MSDOS etc.
- Reported in #1190
- Reported-by: Dan Jacobson
-
-- docs/page-header: mention how to disable the progress meter
+ djgpp do have 'mkdir(dir, mode)'. Other DOS-compilers does not
+ But djgpp seems the only choice for MSDOS anyway.
- curl.1 is regenerated
+ PellesC do have a 'F_OK' defined in it's <unistd.h>.
- Fixes #1190
+ Update year in Copyright.
-Dan Fandrich (7 Jan 2017)
-- wolfssl: display negotiated SSL version and cipher
+- [Gisle Vanem brought this change]
-- wolfssl: support setting cipher list
+ Fix small typo.
-Patrick Monnerat (6 Jan 2017)
-- CIPHERS.md: document GSKit ciphers
+Version 7.58.0 (23 Jan 2018)
-Jay Satiro (5 Jan 2017)
-- [peterpih brought this change]
+Daniel Stenberg (23 Jan 2018)
+- RELEASE: 7.58.0
- TheArtOfHttpScripting: grammar
+- [Gisle Vanem brought this change]
-Nick Zitzmann (3 Jan 2017)
-- darwinssl: --insecure overrides --cacert if both settings are in use
-
- Fixes #1184
+ progress-bar: get screen width on windows
-Jay Satiro (2 Jan 2017)
-- docs/libcurl: TCP_KEEPALIVE start and interval default to 60
-
- Since the TCP keep-alive options were added in 705f0f7 the start and
- interval default values have been 60, but that wasn't documented.
-
- Bug: https://curl.haxx.se/mail/lib-2017-01/0000.html
- Reported-by: Praveen Pvs
+- test1454: --connect-to with IPv6 address w/o IPv6 support!
-Daniel Stenberg (29 Dec 2016)
-- curl.h: CURLE_FUNCTION_NOT_FOUND is no longer in use
+- CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support
- This error code was once introduced when some library was dynamically
- loaded and a funciton within said library couldn't be found.
-
-- content_encoding: change return code on a failure
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0087.html
+ Reported-by: John Hascall
- Failure to decompress is now a write error instead of the weird
- "function not found".
+ Closes #2257
-- page-footer: error 36 is protocol agnostic!
+- docs: fix man page syntax to make test 1140 OK again
-Jay Satiro (28 Dec 2016)
-- tool_operate: Fix --remote-time incorrect times on Windows
+- http: prevent custom Authorization headers in redirects
- - Use Windows API SetFileTime to set the file time instead of utime.
+ ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
+ curl already handles Authorization headers created internally.
- Avoid utime on Windows if possible because it may apply a daylight
- saving time offset to our UTC file time.
+ Note: this changes behavior slightly, for the sake of reducing mistakes.
- Bug: https://curl.haxx.se/mail/archive-2016-11/0033.html
- Reported-by: Tim
+ Added test 317 and 318 to verify.
- Closes https://github.com/curl/curl/pull/1121
-
-Daniel Stenberg (29 Dec 2016)
-- [Max Khon brought this change]
+ Reported-by: Craig de Stigter
+ Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
- digest_sspi: copy terminating NUL as well
+- curl: progress bar refresh, get width using ioctl()
- Curl_auth_decode_digest_http_message(): copy terminating NUL as later
- Curl_override_sspi_http_realm() expects a NUL-terminated string.
+ Get screen width from the environment variable COLUMNS first, if set. If
+ not, use ioctl(). If nether works, assume 79.
- Fixes #1180
-
-- curl_formadd.3: CURLFORM_CONTENTSLENGTH not needed when chunked
+ Closes #2242
+
+ The "refresh" is for the -# output when no total transfer size is
+ known. It will now only use a single updated line even for this case:
- Mentioned in #1013
+ The "-=O=-" ship moves when data is transferred. The four flying
+ "hashes" move (on a sine wave) on each refresh, independent of data.
-- [Kyselgov E.N brought this change]
+- RELEASE-NOTES: synced with bb0ffcc36
- cmake: use crypt32.lib when building with OpenSSL on windows
-
- Reviewed-by: Peter Wu
- Closes #1149
- Fixes #1147
+- libcurl-env.3: first take
+
+- TODO: two possible name resolver improvements
-- [Chris Araman brought this change]
+- [Kartik Mahajan brought this change]
- darwinssl: fix CFArrayRef leak
+ http2: don't close connection when single transfer is stopped
- Reviewed-by: Nick Zitzmann
- Closes #1173
+ Fixes #2237
+ Closes #2249
-- [Chris Araman brought this change]
+- test558: fix for multissl builds
+
+ vtls.c:multissl_init() might do a curl_free() call so strip that out to
+ make this work with more builds. We just want to verify that
+ memorytracking works so skipping one line is no harm.
- darwinssl: fix iOS build
+- examples/url2file.c: add missing curl_global_cleanup() call
- Reviewed-by: Nick Zitzmann
- Fixes #1172
+ Reported-by: XhstormR on github
+ Fixes #2245
+
+- [Michael Gmelin brought this change]
-- curl: remove superfluous include file
+ SSH: Fix state machine for ssh-agent authentication
- The <netinet/tcp.h> is a leftover from the past when TCP socket options
- were set in this file. This include causes build issues on AIX 4.3.
+ In case an identity didn't match[0], the state machine would fail in
+ state SSH_AUTH_AGENT instead of progressing to the next identity in
+ ssh-agent. As a result, ssh-agent authentication only worked if the
+ identity required happened to be the first added to ssh-agent.
- Reported-by: Kim Minjoong
+ This was introduced as part of commit c4eb10e2f06fbd6cc904f1d78e4, which
+ stated that the "else" statement was required to prevent getting stuck
+ in state SSH_AUTH_AGENT. Given the state machine's logic and libssh2's
+ interface I couldn't see how this could happen or reproduce it and I
+ also couldn't find a more detailed description of the problem which
+ would explain a test case to reproduce the problem this was supposed to
+ fix.
- Closes #1178
+ [0] libssh2_agent_userauth returning LIBSSH2_ERROR_AUTHENTICATION_FAILED
+
+ Closes #2248
-- RELEASE-NOTES: synced with a7b38c9dc98481e
+- openssl: fix potential memory leak in SSLKEYLOGFILE logic
+
+ Coverity CID 1427646.
-- vtls: s/SSLEAY/OPENSSL
+- openssl: fix the libressl build again
- Fixed an old leftover use of the USE_SSLEAY define which would make a
- socket get removed from the applications sockets to monitor when the
- multi_socket API was used, leading to timeouts.
+ Follow-up to 84fcaa2e7. libressl does not have the API even if it says it is
+ late OpenSSL version...
- Bug: #1174
+ Fixes #2246
+ Closes #2247
+
+ Reported-by: jungle-boogie on github
+
+- unit1307: test many wildcards too
+
+- curl_fnmatch: only allow 5 '*' sections in a single pattern
+
+ ... to avoid excessive recursive calls. The number 5 is totally
+ arbitrary and could be modified if someone has a good motivation.
-- docs/ciphers: link to our own new page about ciphers
+- ftp-wildcard: fix matching an empty string with "*[^a]"
- ... as the former ones always go stale!
+ .... and avoid advancing the pointer to trigger an out of buffer read.
+
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251
+ Assisted-by: Max Dymond
-- cmdline-opts/page-footer: add three more exit codes
+- SMB: fix numeric constant suffix and variable types
+
+ 1. don't use "ULL" suffix since unsupported in older MSVC
+ 2. use curl_off_t instead of custom long long ifdefs
+ 3. make get_posix_time() not do unaligned data access
- ... and regenerated curl.1
+ Fixes #2211
+ Closes #2240
+ Reported-by: Chester Liu
-- formdata: use NULL, not 0, when returning pointers
+- [rouzier brought this change]
-- ftp: failure to resolve proxy should return that error code
+ CURLOPT_TCP_NODELAY.3: fix typo
+
+ Closes #2239
-- configure: accept --with-libidn2 instead
+- smtp/pop3/imap_get_message: decrease the data length too...
- ... which the help text already implied since we switched to libidn2
- from libidn in commit 9c91ec778104ae3b back in October 2016.
+ Follow-up commit to 615edc1f73 which was incomplete.
- Reported-by: Christian Weisgerber
- Bug: https://curl.haxx.se/mail/lib-2016-12/0110.html
+ Assisted-by: Max Dymond
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5206
-- test1282: verify the ftp-gss check
+- openssl: enable SSLKEYLOGFILE support by default
+
+ Fixes #2210
+ Closes #2236
-- ftp-gss: check for init before use
+Patrick Monnerat (14 Jan 2018)
+- mime: clone mime tree upon easy handle duplication.
- To avoid dereferencing a NULL pointer.
+ A mime tree attached to an easy handle using CURLOPT_MIMEPOST is
+ strongly bound to the handle: there is a pointer to the easy handle in
+ each item of the mime tree and following the parent pointer list
+ of mime items ends in a dummy part stored within the handle.
- Reported-by: Daniel Romero
-
-Jay Satiro (24 Dec 2016)
-- build-wolfssl: Sync config with wolfSSL 3.10
+ Because of this binding, a mime tree cannot be shared between different
+ easy handles, thus it needs to be cloned upon easy handle duplication.
- wolfSSL configure script relevant changes from 3.9 to 3.10:
+ There is no way for the caller to get the duplicated mime tree
+ handle: it is then set to be automatically destroyed upon freeing the
+ new easy handle.
- - DES3 no longer enabled by default
- - Shamir no longer enabled by default
- - Extended master secret enabled by default
- - RSA and ECC timing protections enabled by default
+ New test 654 checks proper mime structure duplication/release.
- For backwards compatibility I enabled DES3 and ECC shamir config options
- (ie no change from 3.9), and the other changes are included.
+ Add a warning note in curl_mime_data_cb() documentation about sharing
+ user data between duplicated handles.
+
+ Closes #2235
-- cyassl: use time_t instead of long for timeout
+- docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
-Daniel Stenberg (23 Dec 2016)
-- bump: toward next release
+Daniel Stenberg (13 Jan 2018)
+- test395: HTTP with overflow Content-Length value
-- http: remove "Curl_http_done: called premature" message
-
- ... it only confuses people.
+- test394: verify abort of rubbish in Content-Length: value
-- openssl-random: check return code when asking for random
+- test393: verify --max-filesize with excessive Content-Length
+
+- HTTP: bail out on negative Content-Length: values
+
+ ... and make the max filesize check trigger if the value is too big.
- and fail appropriately if it returns error
+ Updates test 178.
+
+ Reported-by: Brad Spencer
+ Fixes #2212
+ Closes #2223
-- gnutls-random: check return code for failed random
+Marcel Raad (13 Jan 2018)
+- [Dan Johnson brought this change]
-Version 7.52.1 (22 Dec 2016)
+ configure.ac: append extra linker flags instead of prepending them.
+
+ Link order should list libraries after the libraries that use them,
+ so when we're guessing that we might also need to add -ldl in order
+ to use -lssl, we should add -ldl after -lssl.
+
+ Closes https://github.com/curl/curl/pull/2234
-Daniel Stenberg (22 Dec 2016)
-- RELEASE-NOTES: curl 7.52.1
+Daniel Stenberg (13 Jan 2018)
+- RELEASE-NOTES: synced with 6fa10c8fa
-- lib557.c: use a shorter MAXIMIZE representation
+Jay Satiro (13 Jan 2018)
+- setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values
- Since several compilers had problems with the previous one
+ Broken since f121575 (precedes 7.56.1).
- Reported-by: Ray Satiro
- Bug: https://curl.haxx.se/mail/lib-2016-12/0098.html
-
-- runtests: remove the valgrind parser
+ Bug: https://github.com/curl/curl/issues/2225
+ Reported-by: cmfrolick@users.noreply.github.com
- Old legacy parsing that 1) hid problems for us and 2) probably isn't
- needed anymore.
+ Closes https://github.com/curl/curl/pull/2227
-- [Kamil Dudka brought this change]
+Patrick Monnerat (13 Jan 2018)
+- setopt: reintroduce non-static Curl_vsetopt() for OS400 support
+
+ This also upgrades ILE/RPG bindings with latest setopt options.
+
+ Reported-By: jonrumsey on github
+ Fixes #2230
+ Closes #2233
- randit: store the value in the buffer
+Jay Satiro (11 Jan 2018)
+- [Zhouyihai Ding brought this change]
-- tests/Makefile: run checksrc on debug builds
+ http2: fix incorrect trailer buffer size
- ... just like we already do in src/ and lib/
-
-- lib557: move the "enable LONGLINE" to allow more long lines
+ Prior to this change the stored byte count of each trailer was
+ miscalculated and 1 less than required. It appears any trailer
+ after the first that was passed to Curl_client_write would be truncated
+ or corrupted as well as the size. Potentially the size of some
+ subsequent trailer could be erroneously extracted from the contents of
+ that trailer, and since that size is used by client write an
+ out-of-bounds read could occur and cause a crash or be otherwise
+ processed by client write.
+
+ The bug appears to have been born in 0761a51 (precedes 7.49.0).
- This file is riddled with them...
+ Closes https://github.com/curl/curl/pull/2231
-- bump: toward next release
+- [Basuke Suzuki brought this change]
-Marcel Raad (21 Dec 2016)
-- lib: fix MSVC compiler warnings
+ easy: fix connection ownership in curl_easy_pause
- Visual C++ complained:
- warning C4267: '=': conversion from 'size_t' to 'long', possible loss of data
- warning C4701: potentially uninitialized local variable 'path' used
+ Before calling Curl_client_chop_write(), change the owner of connection
+ to the current Curl_easy handle. This will fix the issue #2217.
+
+ Fixes https://github.com/curl/curl/issues/2217
+ Closes https://github.com/curl/curl/pull/2221
-Version 7.52.0 (20 Dec 2016)
+Daniel Stenberg (9 Jan 2018)
+- [Dimitrios Apostolou brought this change]
-Daniel Stenberg (20 Dec 2016)
-- THANKS: 13 new contributors from 7.52.0
+ system.h: Additionally check __LONG_MAX__ for defining curl_off_t
+
+ __SIZEOF_LONG__ was introduced in GCC 4.4, __LONG_MAX__ was introduced
+ in GCC 3.3.
+
+ Closes #2216
-- RELEASE-NOTES: 7.52.0
+- COPYING: it's 2018!
-- ssh: inhibit coverity warning with (void)
+- progress: calculate transfer speed on milliseconds if possible
- CID 1397391 (#1 of 1): Unchecked return value (CHECKED_RETURN)
-
-- Curl_recv_has_postponed_data: silence compiler warnings
+ to increase accuracy for quick transfers
- Follow-up to d00f2a8f2
+ Fixes #2200
+ Closes #2206
-Jay Satiro (19 Dec 2016)
-- tests: checksrc compliance
-
-- http_proxy: Fix proxy CONNECT hang on pending data
+Jay Satiro (7 Jan 2018)
+- scripts: allow all perl scripts to be run directly
+
+ - Enable execute permission (chmod +x)
- - Check for pending data before waiting on the socket.
+ - Change interpreter to /usr/bin/env perl
- Bug: https://github.com/curl/curl/issues/1156
- Reported-by: Adam Langley
+ Closes https://github.com/curl/curl/pull/2222
-Daniel Stenberg (19 Dec 2016)
-- cmdline-opts/tlsv1.d: rephrased
+- mail-rcpt.d: fix short-text description
-- [Dan McNulty brought this change]
+- build: remove HAVE_LIMITS_H check
+
+ .. because limits.h presence isn't optional, it's required by C89.
+
+ Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2
+
+ Closes https://github.com/curl/curl/pull/2215
- schannel: fix wildcard cert name validation on Win CE
+- openssl: fix memory leak of SSLKEYLOGFILE filename
+
+ - Free the copy of SSLKEYLOGFILE env returned by curl_getenv during ossl
+ initialization.
- Fixes a few issues in manual wildcard cert name validation in
- schannel support code for Win32 CE:
- - when comparing the wildcard name to the hostname, the wildcard
- character was removed from the cert name and the hostname
- was checked to see if it ended with the modified cert name.
- This allowed cert names like *.com to match the connection
- hostname. This violates recommendations from RFC 6125.
- - when the wildcard name in the certificate is longer than the
- connection hostname, a buffer overread of the connection
- hostname buffer would occur during the comparison of the
- certificate name and the connection hostname.
+ Caught by ASAN.
-- printf: fix floating point buffer overflow issues
+- Revert "curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX"
- ... and add a bunch of floating point printf tests
+ This reverts commit c97648b55080343bb371522bf4233e94a2a13a99.
+
+ SIZEOF_LONG should not be checked in system.h since that macro is only
+ defined when building libcurl.
+
+ Ref: https://github.com/curl/curl/pull/2186#issuecomment-354767080
+ Ref: https://gcc.gnu.org/onlinedocs/cpp/Common-Predefined-Macros.html
-- config-amigaos.h: (embarrassed) made the line shorter
+Michael Kaufmann (30 Dec 2017)
+- test1554: improve the error handling
-- config-amigaos.h: fix bug report email reference
+- test1554: add global initialization and cleanup
-- RELEASE-NOTES: synced with 4517158abfeba
+Daniel Stenberg (29 Dec 2017)
+- curl_version_info.3: call the argument 'age'
+
+ Reported-by: Pete Lomax
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0074.html
-- CIPHERS.md: backtick the names to show underscores fine
+Patrick Monnerat (27 Dec 2017)
+- [Mikalai Ananenka brought this change]
-- form-string.d: fix format mistake
+ brotli: data at the end of content can be lost
- and regenerated curl.1
+ Decoding loop implementation did not concern the case when all
+ received data is consumed by Brotli decoder and the size of decoded
+ data internally hold by Brotli decoder is greater than CURL_MAX_WRITE_SIZE.
+ For content with unencoded length greater than CURL_MAX_WRITE_SIZE this
+ can result in the loss of data at the end of content.
- Reported-by: Gisle Vanem
+ Closes #2194
-Michael Kaufmann (18 Dec 2016)
-- openssl: simplify expression in Curl_ossl_version
-
-- curl_easy_recv: Improve documentation and example program
+Jay Satiro (26 Dec 2017)
+- examples/cacertinmem: ignore cert-already-exists error
- Follow-up to 82245ea: Fix the example program sendrecv.c (handle
- CURLE_AGAIN, handle incomplete send). Improve the documentation
- for curl_easy_recv() and curl_easy_send().
+ - Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE errors in the CTX callback
+ since it's possible the cert may have already been loaded by libcurl.
- Reviewed-by: Frank Meier
- Assisted-by: Jay Satiro
+ - Remove the EXAMPLE code in the CURLOPT_SSL_CTX_FUNCTION.3 doc.
+ Instead have it direct the reader to this cacertinmem.c example.
+
+ - Fix the CA certificate to use the right CA for example.com, Digicert.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0057.html
+ Reported-by: Thomas van Hesteren
- See https://github.com/curl/curl/pull/1134
+ Closes https://github.com/curl/curl/pull/2182
-- [Isaac Boukris brought this change]
+- [Gisle Vanem brought this change]
- Curl_getconnectinfo: avoid checking if the connection is closed
+ tool_getparam: Support size modifiers for --max-filesize
- It doesn't benefit us much as the connection could get closed at
- any time, and also by checking we lose the ability to determine
- if the socket was closed by reading zero bytes.
+ - Move the size modifier detection code from limit-rate to its own
+ function so that it can also be used with max-filesize.
- Reported-by: Michael Kaufmann
+ Size modifiers are the suffixes such as G (gigabyte), M (megabyte) etc.
- Closes https://github.com/curl/curl/pull/1134
-
-Daniel Stenberg (18 Dec 2016)
-- CIPHERS.md: attempt to document TLS cipher names
+ For example --max-filesize 1G
- As the official docs seems really hard to keep track of and link to over
- time
-
-- curl.1: generated after 6cce4dbf830
-
-- cmdline-opts/post30X.d: fix the RFC references
-
-- curl.1: regenerated
+ Ref: https://curl.haxx.se/mail/archive-2017-12/0000.html
- Fixed trailing whitespace and numerous formatting glitches
-
-- cmdline-opts: formatting fixes
+ Closes https://github.com/curl/curl/pull/2179
-- curl_easy_setopt.3: removed CURLOPT_SOCKS_PROXYTYPE
+Steve Holme (22 Dec 2017)
+- build: Fixed incorrect script termination from commit ad1dc10e61
-- tool_getparam.c: make comments use the up-to-date option names
+- Makefile.vc: Added our standard copyright header
-- manpage-scan.pl: allow deprecated options to get removed from curl.1
-
- --krb4, --ftp-ssl and --ftp-ssl-reqd no longer need to be documented in the
- man page
-
-- cmdline-opts/gen.pl: trim off trailing spaces
+- winbuild: Added support for VC15
-- cmdline-opts/proxy-tlsuser.d: remove trailing .d
+- build: Added Visual Studio 2017 project files
-- curl_easy_setopt.3: CURLOPT_PRE_PROXY instead of CURLOPT_SOCKS_PROXY
+- build-wolfssl.bat: Added support for VC15
-- symbols: removed two, added one
+- build-openssl.bat: Added support for VC15
-- cmdline-opts: include the man page split up files in the dist
+Jay Satiro (22 Dec 2017)
+- [Dimitrios Apostolou brought this change]
-- curl.1: generated with gen.pl
-
- This is the first time we replace the manually edited curt.1 with the
- generated one created by gen.pl and the individual option documentation
- pages.
-
- Do not edit this file, edit the individual pages and regenerate this
- output.
+ curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX
- This file will be generated by the build system soon and then removed
- from git.
+ Closes https://github.com/curl/curl/pull/2186
-- cmdline-opts: added some missing info
+- [Mattias Fornander brought this change]
-- CURLINFO_SSL_VERIFYRESULT.3: language
-
-- HTTPS-PROXY docs: update/polish
-
-- cmdline-opts/page-header: mention it is generated
+ examples/rtsp: fix error handling macros
- ... to avoid people from trying to edit the pending curl.1 version that
- gets generated by gen.pl
+ Closes https://github.com/curl/curl/pull/2185
-- preproxy: renamed what was added as SOCKS_PROXY
+Patrick Monnerat (20 Dec 2017)
+- curl_easy_reset: release mime-related data.
- CURLOPT_SOCKS_PROXY -> CURLOPT_PRE_PROXY
+ Move curl_mime_initpart() and curl_mime_cleanpart() calls to lower-level
+ functions dealing with UserDefined structure contents.
+ This avoids memory leakages on curl-generated part mime headers.
+ New test 2073 checks this using the cli tool --next option: it
+ triggers a valgrind error if bug is present.
- Added the corresponding --preroxy command line option. Sets a SOCKS
- proxy to connect to _before_ connecting to a HTTP(S) proxy.
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0060.html
+ Reported-by: Martin Galvan
-- curl: normal socks proxies still use CURLOPT_PROXY
+- content_encoding: rework zlib_inflate
- ... the newly introduced CURLOPT_SOCKS_PROXY is special and should be
- asked for specially. (Needs new code.)
+ - When zlib version is < 1.2.0.4, process gzip trailer before considering
+ extra data as an error.
+ - Inflate with Z_BLOCK instead of Z_SYNC_FLUSH to maximize correct data
+ and minimize corrupt data output.
+ - Do not try to restart deflate decompression in raw mode if output has
+ started or if the leading data is not available anymore.
+ - New test 232 checks inflating raw-deflated content.
- Unified proxy type to a single variable in the config struct.
+ Closes #2068
-- CURLOPT_SOCKS_PROXYTYPE: removed
+- brotli: allow compiling with version 0.6.0.
- This was added as part of the SOCKS+HTTPS proxy merge but there's no
- need to support this as we prefer to have the protocol specified as a
- prefix instead.
+ Some error codes were not yet defined in brotli 0.6.0: do not issue code
+ for them in this case.
-- curl_multi_socket.3: fix typo
-
-- checksrc: warn for assignments within if() expressions
+Daniel Stenberg (13 Dec 2017)
+- CURLOPT_READFUNCTION.3: refer to argument with correct name
+
+ Bug: #2175
- ... they're already frowned upon in our source code style guide, this
- now enforces the rule harder.
+ [ci skip]
-- checksrc: stricter no-space-before-paren enforcement
+- rand: add a clang-analyzer work-around
- In order to make the code style more uniform everywhere
+ scan-build would warn on a potential access of an uninitialized
+ buffer. I deem it a false positive and had to add this somewhat ugly
+ work-around to silence it.
-- ISSUE_TEMPLATE: try mentioning known bugs/todo in new issue template
+- krb5: fix a potential access of uninitialized memory
+
+ A scan-build warning.
-- RELEASE-NOTES: synced with 71a55534fa6
+- conncache: fix a return code [regression]
+
+ This broke in 07cb27c98e. Make sure to return 'result' properly. Pointed
+ out by scan-build!
-- [Adam Langley brought this change]
+- curl: support >256 bytes warning messsages
+
+ Bug: #2174
- openssl: don't use OpenSSL's ERR_PACK.
+Michael Kaufmann (12 Dec 2017)
+- libssh: fix a syntax error in configure.ac
- ERR_PACK is an internal detail of OpenSSL. Also, when using it, a
- function name must be specified which is overly specific: the test will
- break whenever OpenSSL internally change things so that a different
- function creates the error.
+ Follow-up to c92d2e1
- Closes #1157
-
-Dan Fandrich (5 Dec 2016)
-- test2032: Mark test as flaky
+ Closes #2172
-Jay Satiro (3 Dec 2016)
-- [Jeremy Pearson brought this change]
+Daniel Stenberg (12 Dec 2017)
+- examples/smtp-mail.c: use separate defines for options and mail
+
+ ... to make it clearer that the options want address-only, while the
+ headers in an email can also have the real name.
+
+ Assisted-by: Sean MacLennan
- libcurl-multi.3: typo
+- THANKS: added missing names
- Closes https://github.com/curl/curl/pull/1153
+ ... as I reran the contrithanks script after the mailmap name fixups.
-Dan Fandrich (2 Dec 2016)
-- test1281: added http as a required feature
+- mailmap: added/clarified several names
-Daniel Stenberg (2 Dec 2016)
-- curl: support zero-length argument strings in config files
+- setopt: less *or equal* than INT_MAX/1000 should be fine
- ... like 'user-agent = ""'
+ ... for the CURLOPT_TIMEOUT, CURLOPT_CONNECTTIMEOUT and
+ CURLOPT_SERVER_RESPONSE_TIMEOUT range checks.
- Adjusted test 71 to verify.
-
-- http_proxy: simplify CONNECT response reading
+ Reported-by: Dominik Hölzl
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0037.html
- Since it now reads responses one byte a time, a loop could be removed
- and it is no longer limited to get the whole response within 16K, it is
- now instead only limited to 16K maximum header line lengths.
+ Closes #2173
-- tests: fix CONNECT test cases to be more strict
-
- ... as they broke with the cleaned up CONNECT handling
+- [Dmitry Kostjuchenko brought this change]
-- CONNECT: read responses one byte at a time
+ vtls: replaced getenv() with curl_getenv()
- ... so that it doesn't read data that is actually coming from the
- remote. 2xx responses have no body from the proxy, that data is from the
- peer.
+ Fixed undefined symbol of getenv() which does not exist when compiling
+ for Windows 10 App (CURL_WINDOWS_APP). Replaced getenv() with
+ curl_getenv() which is aware of getenv() absence when CURL_WINDOWS_APP
+ is defined.
- Fixes #1132
+ Closes #2171
+
+- RELEASE-NOTES: synced with 3b9ea70ee
-- CONNECT: reject TE or CL in 2xx responses
+- TODO: Expose tried IP addresses that failed
- A server MUST NOT send any Transfer-Encoding or Content-Length header
- fields in a 2xx (Successful) response to CONNECT. (RFC 7231 section
- 4.3.6)
+ Suggested-by: Rainer Canavan
- Also fixes the three test cases that did this.
+ Closes #2126
-- URL parser: reject non-numerical port numbers
-
- Test 1281 added to verify
+- curl.1: mention http:// and https:// as valid proxy prefixes
-Dan Fandrich (30 Nov 2016)
-- runtests: made Servers: output be more consistent by removing OFF
+- curl.1: documented two missing valid exit codes
-- cyassl: fixed typo introduced in 4f8b1774
+- CURLOPT_DNS_LOCAL_IP4.3: fixed the seel also to not self-reference
-Michael Kaufmann (30 Nov 2016)
-- CURLOPT_CONNECT_TO: Skip non-matching "connect-to" entries properly
-
- If a port number in a "connect-to" entry does not match, skip this
- entry instead of connecting to port 0.
+- Revert "curl: don't set CURLOPT_INTERLEAVEDATA"
- If a port number in a "connect-to" entry matches, use this entry
- and look no further.
+ This reverts commit 9ffad8eb1329bb35c8988115ac7ed85cf91ef955.
- Reported-by: Jay Satiro
- Assisted-by: Jay Satiro, Daniel Stenberg
-
- Closes #1148
+ It was actually added rather recently in 8e8afa82cbb629 due to a crash
+ that would otherwise happen in the RTSP code. As I don't think we've
+ fixed that behavior yet, we better keep this work-around until we have
+ fixed it better.
-Daniel Stenberg (29 Nov 2016)
-- BUGS: describe bug handling process
+Michael Kaufmann (10 Dec 2017)
+- tests: mark data files as non-executable in git
-- RELEASE-NOTES: synced with 19613fb3
+- tests: update .gitignore for libtests
-Jay Satiro (28 Nov 2016)
-- http2: check nghttp2_session_set_local_window_size exists
+Daniel Stenberg (10 Dec 2017)
+- multi_done: prune DNS cache
- The function only exists since nghttp2 1.12.0.
+ Prune the DNS cache immediately after the dns entry is unlocked in
+ multi_done. Timed out entries will then get discarded in a more orderly
+ fashion.
- Bug: https://github.com/curl/curl/commit/a4d8888#commitcomment-19985676
- Reported-by: Michael Kaufmann
-
-Daniel Stenberg (28 Nov 2016)
-- [Anders Bakken brought this change]
-
- http2: Fix crashes when parent stream gets aborted
+ Test506 is updated
- Closes #1125
-
-- cmdline-docs: more options converted and fixed
+ Reported-by: Oleg Pudeyev
- Now all options are in the new system.
-
-- gen: include footer in mainpage output
+ Fixes #2169
+ Closes #2170
-Jay Satiro (28 Nov 2016)
-- lib1536: checksrc compliance
+- mailmap: fixup two old git Author "aliases"
-Daniel Stenberg (28 Nov 2016)
-- cmdline-opts: more command line options documented
+Jay Satiro (10 Dec 2017)
+- openssl: Disable file buffering for Win32 SSLKEYLOGFILE
- Moved over to the new format
+ Prior to this change SSLKEYLOGFILE used line buffering on WIN32 just
+ like it does for other platforms. However, the Windows CRT does not
+ actually support line buffering (_IOLBF) and will use full buffering
+ (_IOFBF) instead. We can't use full buffering because multiple processes
+ may be writing to the file and that could lead to corruption, and since
+ full buffering is the only buffering available this commit disables
+ buffering for Windows SSLKEYLOGFILE entirely (_IONBF).
+
+ Ref: https://github.com/curl/curl/pull/1346#issuecomment-350530901
-- curl: remove --proxy-ssl* options
+Daniel Stenberg (10 Dec 2017)
+- RESOLVE: output verbose text when trying to set a duplicate name
- There's mostly likely no need to allow setting SSLv2/3 version for HTTPS
- proxy. Those protocols are insecure by design and deprecated.
+ ... to help users understand what is or isn't done!
+
+- CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
-- CURLOPT_PROXY_*.3: polished some proxy option man pages
+- [John DeHelian brought this change]
-Patrick Monnerat (26 Nov 2016)
-- os400: support CURLOPT_PROXY_PINNEDPUBLICKEY
+ sftp: allow quoted commands to use relative paths
- Also define it in ILE/RPG binding.
+ Closes #1900
-Daniel Stenberg (26 Nov 2016)
-- [Okhin Vasilij brought this change]
+Jay Satiro (8 Dec 2017)
+- [Richard Alcock brought this change]
- curl_version_info: add CURL_VERSION_HTTPS_PROXY
+ CURLOPT_PRIVATE.3: fix grammar
- Closes #1142
-
-- [Frank Gevaerts brought this change]
+ - Change "never does nothing" double-negative to "never does anything".
+
+ Closes https://github.com/curl/curl/pull/2168
- tests: Add some testcases for recent new features.
+Daniel Stenberg (8 Dec 2017)
+- curl: remove __EMX__ #ifdefs
- Add missing tests for CURLINFO_SCHEME, CURLINFO_PROTOCOL, %{scheme},
- and %{http_version}
+ These are OS/2-specific things added to the code in the year 2000. They
+ were always ugly. If there's any user left, they still don't need it
+ done this way.
- closes #1143
+ Closes #2166
-- [Frank Gevaerts brought this change]
-
- curl_easy_reset: clear info for CULRINFO_PROTOCOL and CURLINFO_SCHEME
-
-- CURLOPT_PROXY_CAINFO.3: clarify proxy use
-
-- CURLOPT_PROXY_CRLFILE.3: clarify https proxy and availability
-
-- curl_easy_setopt.3: add CURLOPT_PROXY_PINNEDPUBLICKEY
+Jay Satiro (8 Dec 2017)
+- openssl: improve data-pending check for https proxy
- Follow-up to 4f8b17743d7c55a
-
-- docs: include all opts man pages in dist
+ - Allow proxy_ssl to be checked for pending data even when connssl does
+ not yet have an SSL handle.
- Sorted the lists too.
+ This change is for posterity. Currently there doesn't seem to be a code
+ path that will cause a pending data check when proxyssl could have
+ pending data and the connssl handle doesn't yet exist [1].
- ... and include the new ones in the PDF and HTML generation targets
-
-- [Thomas Glanzmann brought this change]
-
- HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEY
-
-- [Thomas Glanzmann brought this change]
+ [1]: Recall that an https proxy connection starts out in connssl but if
+ the destination is also https then the proxy SSL backend data is moved
+ from connssl to proxyssl, which means connssl handle is temporarily
+ empty until an SSL handle for the destination can be created.
+
+ Ref: https://github.com/curl/curl/commit/f4a6238#commitcomment-24396542
+
+ Closes https://github.com/curl/curl/pull/1916
- url: proxy: Use 443 as default port for https proxies
+Daniel Stenberg (8 Dec 2017)
+- curl: don't set CURLOPT_INTERLEAVEDATA
+
+ That data is only ever used by the CURLOPT_INTERLEAVEFUNCTION callback
+ and that option isn't set or used by the curl tool!
+
+ Updates the 9 tests that verify --libcurl
+
+ Closes #2167
-- TODO: removed "HTTPS proxy"
+- curl.h: remove incorrect comment about ERRORBUFFER
+
+ ... error messages are _not_ sent to stderr if this is not set.
-- [Jan-E brought this change]
+- [Michael Felt brought this change]
- winbuild: add config option ENABLE_NGHTTP2
+ configure: add AX_CODE_COVERAGE only if using gcc
- Closes #1141
+ Fixes #2076
+ Closes #2125
-Jay Satiro (24 Nov 2016)
-- tool_urlglob: Improve sanity check in glob_range
+- curl: limit -# update frequency for unknown total size
- Prior to this change we depended on errno if strtol could not perform a
- conversion. POSIX says EINVAL *may* be set. Some implementations like
- Microsoft's will not set it if there's no conversion.
+ Make it use a max 10Hz update frequency for this case as well. Return
+ early if the "point" hasn't moved since last invoke.
- Ref: https://github.com/curl/curl/commit/ee4f7660#commitcomment-19658189
+ Reported-by: Elliot Saba
+
+ Fixes #2158
+ Closes #2163
-- tool_help: Change description for --retry-connrefused
+- BINDINGS: another PostgreSQL client
+
+ ...the former link is dead.
- Ref: https://github.com/curl/curl/pull/1064#issuecomment-260052409
+ Reported-by: Frank Gevaerts
-Patrick Monnerat (25 Nov 2016)
-- os400: sync ILE/RPG binding
+- [Zachary Seguin brought this change]
-Jay Satiro (24 Nov 2016)
-- test1135: Fix curl_easy_duphandle prototype for code style
+ CONNECT: keep close connection flag in http_connect_state struct
- Follow-up to dbadaeb which changed the style.
+ Fixes #2088
+ Closes #2157
+
+- [Per Malmberg brought this change]
-- x509asn1: Restore the parameter check in Curl_getASN1Element
+ include: get netinet/in.h before linux/tcp.h
- - Restore the removed parts of the parameter check.
+ ... to allow build on older Linux dists (specifically CentOS 4.8 on gcc
+ 4.8.5)
- Follow-up to 945f60e which altered the parameter check.
+ Closes #2160
-Daniel Stenberg (25 Nov 2016)
-- RELEASE-NOTES: update option counters
+- openldap: fix checksrc nits
-- [Frank Gevaerts brought this change]
+- [Stepan Broz brought this change]
- add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
+ openldap: add commented out debug possibilities
- Adds access to the effectively used protocol/scheme to both libcurl and
- curl, both in string and numeric (CURLPROTO_*) form.
+ ... to aid debugging openldap library using its built-in debug messages.
- Note that the string form will be uppercase, as it is just the internal
- string.
+ Closes #2159
+
+- examples: move threaded-shared-conn.c to the "complicated" ones
- As these strings are declared internally as const, and all other strings
- returned by curl_easy_getinfo() are de-facto const as well, string
- handling in getinfo.c got const-ified.
+ ... due it relying on pthreads to link.
+
+- RELEASE-NOTES: synced with b261c44e8
- Closes #1137
+ ... and bump next release version to 7.58.0
-- RELEASE-NOTES: synced with 63198a4750aeb
+- [Jan Ehrhardt brought this change]
-- curl.1: the new --proxy options ship in 7.52.0
+ URL: tolerate backslash after drive letter for FILE:
+
+ ... as in "file://c:\some\path\curl.out"
+
+ Reviewed-by: Matthew Kerwin
+ Closes #2154
-- checksrc: move open braces to comply with function declaration style
+- [Randall S. Becker brought this change]
-- checksrc: detect wrongly placed open braces in func declarations
+ tests: added netinet/in6.h includes in test servers
-- checksrc: white space edits to comply to stricter checksrc
+- [Randall S. Becker brought this change]
-- checksrc: verify ASTERISKNOSPACE
+ configure: check for netinet/in6.h
- Detects (char*) and 'char*foo' uses.
-
-- checksrc: code style: use 'char *name' style
-
-- checksrc: add ASTERISKSPACE
+ Needed by HPE NonStop NSE and NSX systems
- Verifies a 'char *name' style, with no space after the asterisk.
+ Fixes #2146
+ Closes #2155
-- openssl: remove dead code
+- curl-config: add --ssl-backends
- Coverity CID 1394666
-
-- [Okhin Vasilij brought this change]
-
- HTTPS-proxy: fixed mbedtls and polishing
-
-- darwinssl: adopted to the HTTPS proxy changes
+ Lists all SSL backends that were enabled at build-time.
- It builds and runs all test cases. No adaptations for actual HTTPS proxy
- support has been made.
+ Suggested-by: Oleg Pudeyev
+ Fixes #2128
-- gtls: fix indent to silence compiler warning
+- conncache: only allow multiplexing within same multi handle
- vtls/gtls.c: In function ‘Curl_gtls_data_pending’:
- vtls/gtls.c:1429:3: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation]
- if(conn->proxy_ssl[connindex].session &&
- ^~
- vtls/gtls.c:1433:5: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’
- return res;
-
-- [Thomas Glanzmann brought this change]
+ Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing
+ only get additional transfers added to them if the existing connection
+ is held by the same multi or easy handle. libcurl does not support doing
+ HTTP/2 streams in different threads using a shared connection.
+
+ Closes #2152
- mbedtls: Fix compile errors
+- threaded-shared-conn.c: fixed typo in commenta
-- [Alex Rousskov brought this change]
+- threaded-shared-conn.c: new example
- proxy: Support HTTPS proxy and SOCKS+HTTP(s)
+- conncache: fix several lock issues
- * HTTPS proxies:
+ If the lock is released before the dealings with the bundle is over, it may
+ have changed by another thread in the mean time.
- An HTTPS proxy receives all transactions over an SSL/TLS connection.
- Once a secure connection with the proxy is established, the user agent
- uses the proxy as usual, including sending CONNECT requests to instruct
- the proxy to establish a [usually secure] TCP tunnel with an origin
- server. HTTPS proxies protect nearly all aspects of user-proxy
- communications as opposed to HTTP proxies that receive all requests
- (including CONNECT requests) in vulnerable clear text.
-
- With HTTPS proxies, it is possible to have two concurrent _nested_
- SSL/TLS sessions: the "outer" one between the user agent and the proxy
- and the "inner" one between the user agent and the origin server
- (through the proxy). This change adds supports for such nested sessions
- as well.
+ Fixes #2132
+ Fixes #2151
+ Closes #2139
+
+- libssh: remove dead code in sftp_qoute
- A secure connection with a proxy requires its own set of the usual SSL
- options (their actual descriptions differ and need polishing, see TODO):
+ ... by removing a superfluous NULL pointer check that also confuses
+ Coverity.
- --proxy-cacert FILE CA certificate to verify peer against
- --proxy-capath DIR CA directory to verify peer against
- --proxy-cert CERT[:PASSWD] Client certificate file and password
- --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG)
- --proxy-ciphers LIST SSL ciphers to use
- --proxy-crlfile FILE Get a CRL list in PEM format from the file
- --proxy-insecure Allow connections to proxies with bad certs
- --proxy-key KEY Private key file name
- --proxy-key-type TYPE Private key file type (DER/PEM/ENG)
- --proxy-pass PASS Pass phrase for the private key
- --proxy-ssl-allow-beast Allow security flaw to improve interop
- --proxy-sslv2 Use SSLv2
- --proxy-sslv3 Use SSLv3
- --proxy-tlsv1 Use TLSv1
- --proxy-tlsuser USER TLS username
- --proxy-tlspassword STRING TLS password
- --proxy-tlsauthtype STRING TLS authentication type (default SRP)
+ Fixes #2143
+ Closes #2153
+
+- sasl_getmesssage: make sure we have a long enough string to pass
- All --proxy-foo options are independent from their --foo counterparts,
- except --proxy-crlfile which defaults to --crlfile and --proxy-capath
- which defaults to --capath.
+ For pop3/imap/smtp, added test 891 to somewhat verify the pop3
+ case.
- Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
- similar to the existing %{ssl_verify_result} variable.
+ For this, I enhanced the pingpong test server to be able to send back
+ responses with LF-only instead of always using CRLF.
- Supported backends: OpenSSL, GnuTLS, and NSS.
+ Closes #2150
+
+- libssh2: remove dead code from SSH_SFTP_QUOTE
- * A SOCKS proxy + HTTP/HTTPS proxy combination:
+ Figured out while reviewing code in the libssh backend. The pointer was
+ checked for NULL after having been dereferenced, so we know it would
+ always equal true or it would've crashed.
- If both --socks* and --proxy options are given, Curl first connects to
- the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
- proxy.
+ Pointed-out-by: Nikos Mavrogiannopoulos
- TODO: Update documentation for the new APIs and --proxy-* options.
- Look for "Added in 7.XXX" marks.
-
-Patrick Monnerat (24 Nov 2016)
-- Declare endian read functions argument as a const pointer.
- This is done for all functions of the form Curl_read[136][624]_[lb]e.
+ Bug #2143
+ Closes #2148
-- Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.
- See CRL-01-006.
+- ssh-libssh.c: please checksrc
-Jay Satiro (22 Nov 2016)
-- url: Fix conn reuse for local ports and interfaces
+Nikos Mavrogiannopoulos (4 Dec 2017)
+- libssh: fixed dereference in statvfs access
- - Fix connection reuse for when the proposed new conn 'needle' has a
- specified local port but does not have a specified device interface.
+ The behavior is now equivalent to ssh.c when SSH_SFTP_QUOTE_STATVFS
+ handling fails.
- Bug: https://curl.haxx.se/mail/lib-2016-11/0137.html
- Reported-by: bjt3[at]hotmail.com
+ Fixes #2142
-Daniel Stenberg (21 Nov 2016)
-- rand: pass in number of randoms as an unsigned argument
+Daniel Stenberg (4 Dec 2017)
+- [Guitared brought this change]
-Jay Satiro (20 Nov 2016)
-- rand: Fix potentially uninitialized result warning
+ RESOURCES: update spec names
+
+ Closes #2145
-Marcel Raad (19 Nov 2016)
-- vtls: fix build warnings
+Nikos Mavrogiannopoulos (3 Dec 2017)
+- libssh: corrected use of sftp_statvfs() in SSH_SFTP_QUOTE_STATVFS
- Fix warnings about conversions from long to time_t in openssl.c and
- schannel.c.
+ The previous code was incorrectly following the libssh2 error detection
+ for libssh2_sftp_statvfs, which is not correct for libssh's sftp_statvfs.
- Follow-up to de4de4e3c7c
-
-Daniel Stenberg (18 Nov 2016)
-- [Marcel Raad brought this change]
+ Fixes #2142
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
- lib: fix compiler warnings after de4de4e3c7c
+- libssh: no need to call sftp_get_error as ssh_get_error is sufficient
- Visual C++ now complains about implicitly casting time_t (64-bit) to
- long (32-bit). Fix this by changing some variables from long to time_t,
- or explicitly casting to long where the public interface would be
- affected.
+ Fixes #2141
- Closes #1131
-
-Peter Wu (17 Nov 2016)
-- [Isaac Boukris brought this change]
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
- Don't mix unix domain sockets with regular ones
+Daniel Stenberg (2 Dec 2017)
+- libssh: fix minor static code analyzer nits
- When reusing a connection, make sure the unix domain
- socket option matches.
-
-Jay Satiro (17 Nov 2016)
-- tests: Fix HTTP2-Settings header for huge window size
+ - remove superfluous NULL check which otherwise tricks the static code
+ analyzers to assume NULL pointer dereferences.
- Follow-up to a4d8888. Changing the window size in that commit resulted
- in a different HTTP2-Settings upgrade header, causing test 1800 to fail.
+ - fix fallthrough in switch()
+
+ - indent mistake
-- http2: Use huge HTTP/2 windows
+- openssl: pkcs12 is supported by boringssl
- - Improve performance by using a huge HTTP/2 window size.
+ Removes another #ifdef for BoringSSL
- Bug: https://github.com/curl/curl/issues/1102
- Reported-by: afrind@users.noreply.github.com
- Assisted-by: Tatsuhiro Tsujikawa
-
-Daniel Stenberg (16 Nov 2016)
-- cmdline-docs: more conversion
-
-- gen: support 'protos'
+ Pointed-out-by: David Benjamin
- and warn on unrecognized lines
-
-- gen: support 'single' to make an individual page man page
+ Closes #2134
-- cmdline-docs: more options converted over
+- [Jay Satiro brought this change]
-- gen: support 'redirect'
+ travis: use pip2 instead of pip
+
+ .. since now mac osx image expects pip2 or pip3, and doesn't know pip:
- ... and warn for too long --help lines
+ 0.01s$ pip install --user cpp-coveralls
+ /Users/travis/.travis/job_stages: line 57: pip: command not found
+
+ Ref: https://github.com/travis-ci/travis-ci/issues/8829
+
+ Closes https://github.com/curl/curl/pull/2133
-- cmdline/gen: replace options in texts better
+- [Nikos Mavrogiannopoulos brought this change]
-Jay Satiro (16 Nov 2016)
-- http2: Fix address sanitizer memcpy warning
+ lib582: do not verify host for SFTP
- - In Curl_http2_switched don't call memcpy when src is NULL.
+ This SFTP test fails with libssh back-end due to failure to verify
+ the peer. Disable peer verification in the test as there seems to
+ be the intention of the test.
- Curl_http2_switched can be called like:
+ Note that the libssh back-end automatically verifies the peer's
+ host using the default known_hosts file.
- Curl_http2_switched(conn, NULL, 0);
-
- .. and prior to this change memcpy was then called like:
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ libssh: added SFTP support
- memcpy(dest, NULL, 0)
+ The SFTP back-end supports asynchronous reading only, limited
+ to 32-bit file length. Writing is synchronous with no other
+ limitations.
- .. causing address sanitizer to warn:
+ This also brings keyboard-interactive authentication.
- http2.c:2057:3: runtime error: null pointer passed as argument 2, which
- is declared to never be null
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- tool_help: Clarify --dump-header only writes received headers
+- [Nikos Mavrogiannopoulos brought this change]
-- curl.1: Clarify --dump-header only writes received headers
+ symbols-in-versions: added new symbols with 7.56.3 version
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-Daniel Stenberg (15 Nov 2016)
-- [Alex Chan brought this change]
+- [Nikos Mavrogiannopoulos brought this change]
- docs: Spelling fixes
+ .travis.yml: added build --with-libssh
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-Kamil Dudka (15 Nov 2016)
-- docs: the next release will be 7.52.0
+- [Nikos Mavrogiannopoulos brought this change]
-Daniel Stenberg (15 Nov 2016)
-- cmdline-opts: support generating the --help output
+ libssh2: return CURLE_UPLOAD_FAILED on failure to upload
+
+ This brings its in sync with the error code returned by the
+ libssh backend.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- [David Schweikert brought this change]
+- [Nikos Mavrogiannopoulos brought this change]
- darwinssl: fix SSL client certificate not found on MacOS Sierra
+ libssh2: send the correct CURLE error code on scp file not found
+
+ That also updates tests to expect the right error code
- Reviewed-by: Nick Zitzmann
+ libssh2 back-end returns CURLE_SSH error if the remote file
+ is not found. Expect instead CURLE_REMOTE_FILE_NOT_FOUND
+ which is sent by the libssh backend.
- Closes #1105
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-- curl: add --fail-early to help output
+- [Nikos Mavrogiannopoulos brought this change]
+
+ Added support for libssh SSH SCP back-end
+
+ libssh is an alternative library to libssh2.
+ https://www.libssh.org/
- Fixes test 1139 failures
+ That patch set also introduces support for ECDSA
+ ed25519 keys, as well as gssapi authentication.
- Follow-up to f82bbe01c8835
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-- glob: fix [a-c] globbing regression
+- RELEASE-NOTES: synced with af8cc7a69
+
+- curlver: towards 7.57.1
+
+- [W. Mark Kubacki brought this change]
+
+ lib: don't export all symbols, just everything curl_*
+
+ Absent any 'symbol map' or script to limit what gets exported, static
+ linking of libraries previously resulted in a libcurl with curl's and
+ those other symbols being (re-)exported.
- Brought in ee4f76606cf
+ This did not happen if 'versioned symbols' were enabled (which is not
+ the default) because then a version script is employed.
- Added test case 1280 to verify
+ This limits exports to everything starting in 'curl_*'., which is
+ what "libcurl.vers" exports.
- Reported-by: Dave Reisner
+ This avoids strange side-effects such as with mixing methods
+ from system libraries and those erroneously offered by libcurl.
- Bug: https://github.com/curl/curl/commit/ee4f76606cfa4ee068bf28edd37c8dae7e8db317#commitcomment-19823146
+ Closes #2127
-- curl: add --fail-early
+- [Johannes Schindelin brought this change]
+
+ SSL: Avoid magic allocation of SSL backend specific data
- Exit with an error on the first transfer error instead of continuing to
- do the rest of the URLs.
+ Originally, my idea was to allocate the two structures (or more
+ precisely, the connectdata structure and the four SSL backend-specific
+ strucutres required for ssl[0..1] and proxy_ssl[0..1]) in one go, so
+ that they all could be free()d together.
- Discussion: https://curl.haxx.se/mail/archive-2016-11/0038.html
-
-- Curl_rand: fixed and moved to rand.c
+ However, getting the alignment right is tricky. Too tricky.
- Now Curl_rand() is made to fail if it cannot get the necessary random
- level.
+ So let's just bite the bullet and allocate the SSL backend-specific
+ data separately.
- Changed the proto of Curl_rand() slightly to provide a number of ints at
- once.
+ As a consequence, we now have to be very careful to release the memory
+ allocated for the SSL backend-specific data whenever we release any
+ connectdata.
- Moved out from vtls, since it isn't a TLS function and vtls provides
- Curl_ssl_random() for this to use.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
- Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
+ Closes #2119
-- cmdline-opts: first test version of a new man page generator kit
+- examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
- See MANPAGE.md for the description of how this works. Each command line
- option is now described in a separate .d file.
+ Reported-by: Dima Tisnek
-- time_t fix: follow-up to de4de4e3c7c
+- travis: add boringssl build
- Blah, I accidentally wrote size_t instead of time_t for two variables.
+ Uses a separate build without --enable-debug and no valgrind.
- Reported-by: Dave Reisner
-
-- timeval: prefer time_t to hold seconds instead of long
+ The debug option causes far too many warnings in boringssl's headers
+ (C++ comments, trailing commas etc). Valgrind triggers some false
+ positive errors in thread-local data used by boringssl.
- ... as long is still 32bit on modern 64bit windows machines, while
- time_t is generally 64bit.
+ Closes #2118
-Dan Fandrich (12 Nov 2016)
-- tests: fixed variable might be clobbered warning
-
- This stops the compiler from potentially making invalid assumptions
- about the immutability of sdp and sap across the longjmp boundary.
+Version 7.57.0 (29 Nov 2017)
-Daniel Stenberg (12 Nov 2016)
-- RELEASE-NOTES: synced with 346340808c
+Daniel Stenberg (29 Nov 2017)
+- RELEASE-NOTES: curl 7.57.0
-- URL-parser: for file://[host]/ URLs, the [host] must be localhost
+- THANKS: added contributors from 7.57.0 release
+
+- openssl: fix boringssl build again
- Previously, the [host] part was just ignored which made libcurl accept
- strange URLs misleading users. like "file://etc/passwd" which might've
- looked like it refers to "/etc/passwd" but is just "/passwd" since the
- "etc" is an ignored host name.
+ commit d3ab7c5a21e broke the boringssl build since it doesn't have
+ RSA_flags(), so we disable that code block for boringssl builds.
- Reported-by: Mike Crowe
- Assisted-by: Kamil Dudka
-
-- test558: adapt to 0649433da
+ Reported-by: W. Mark Kubacki
+ Fixes #2117
-- openssl: make sure to fail in the unlikely event that PRNG seeding fails
+- curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided
-- openssl: avoid unnecessary seeding if already done
-
- 1.1.0+ does more of this by itself so we can avoid extra processing this
- way.
+- libcurl-share.3: the connection cache is shareable now
-- openssl: RAND_status always exists in OpenSSL >= 0.9.7
+- global_init: ignore CURL_GLOBAL_SSL's absense
- and remove RAND_screen from configure since nothing is using that
- function
-
-- Curl_pgrsUpdate: use dedicated function for time passed
-
-- realloc: use Curl_saferealloc to avoid common mistakes
+ This bit is no longer used. It is not clear what it meant for users to
+ "init the TLS" in a world with different TLS backends and since the
+ introduction of multissl, libcurl didn't properly work if inited without
+ this bit set.
- Discussed: https://curl.haxx.se/mail/lib-2016-11/0087.html
-
-- [Daniel Hwang brought this change]
-
- curl: Add --retry-connrefused
+ Not a single user responded to the call for users of it:
+ https://curl.haxx.se/mail/lib-2017-11/0072.html
- to consider ECONNREFUSED as a transient error.
+ Reported-by: Evgeny Grin
+ Assisted-by: Jay Satiro
- Closes #1064
+ Fixes #2089
+ Fixes #2083
+ Closes #2107
-- openssl: raise the max_version to 1.3 if asked for
+- ntlm: avoid integer overflow for malloc size
- Now I've managed to negotiate TLS 1.3 with https://enabled.tls13.com/ when
- using boringssl.
-
-Jay Satiro (9 Nov 2016)
-- vtls: Fail on unrecognized param for CURLOPT_SSLVERSION
+ Reported-by: Alex Nichols
+ Assisted-by: Kamil Dudka and Max Dymond
- - Fix GnuTLS code for CURL_SSLVERSION_TLSv1_2 that broke when the
- TLS 1.3 support was added in 6ad3add.
+ CVE-2017-8816
- - Homogenize across code for all backends the error message when TLS 1.3
- is not available to "<backend>: TLS 1.3 is not yet supported".
+ Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+
+- wildcardmatch: fix heap buffer overflow in setcharset
- - Return an error when a user-specified ssl version is unrecognized.
+ The code would previous read beyond the end of the pattern string if the
+ match pattern ends with an open bracket when the default pattern
+ matching function is used.
- ---
+ Detected by OSS-Fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
- Prior to this change our code for some of the backends used the
- 'default' label in the switch statement (ie ver unrecognized) for
- ssl.version and treated it the same as CURL_SSLVERSION_DEFAULT.
+ CVE-2017-8817
- Bug: https://curl.haxx.se/mail/lib-2016-11/0048.html
- Reported-by: Kamil Dudka
+ Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
-Daniel Stenberg (9 Nov 2016)
-- [Isaac Boukris brought this change]
+- [Jay Satiro brought this change]
- SPNEGO: Fix memory leak when authentication fails
+ url: fix alignment of ssl_backend_data struct
- If SPNEGO fails, cleanup the negotiate handle right away.
+ - Align the array of ssl_backend_data on a max 32 byte boundary.
- Fixes #1115
+ 8 is likely to be ok but I went with 32 for posterity should one of
+ the ssl_backend_data structs change to contain a larger sized variable
+ in the future.
- Signed-off-by: Isaac Boukris <iboukris@gmail.com>
- Reported-by: ashman-p
-
-- CODE_STYLE.md: link to INTERNALS.md correctly
-
-- bump: next version will be 7.52.0
-
-- RELEASE-NOTES: synced with dfcdaaba371e9a3
-
-- examples/fileupload.c: fclose the file as well
-
-- printf: fix ".*f" handling
+ Prior to this change (since dev 70f1db3, release 7.56) the connectdata
+ structure was undersized by 4 bytes in 32-bit builds with ssl enabled
+ because long long * was mistakenly used for alignment instead of
+ long long, with the intention being an 8 byte boundary. Also long long
+ may not be an available type.
- It would always use precision 1 instead of reading it from the argument
- list as intended.
+ The undersized connectdata could lead to oob read/write past the end in
+ what was expected to be the last 4 bytes of the connection's secondary
+ socket https proxy ssl_backend_data struct (the secondary socket in a
+ connection is used by ftp, others?).
- Reported-by: Ray Satiro
+ Closes https://github.com/curl/curl/issues/2093
- Bug: #1113
-
-- curl_formadd.3: *_FILECONTENT and *_FILE need the file to be kept
+ CVE-2017-8818
- Reported-by: Frank Gevaerts
+ Bug: https://curl.haxx.se/docs/adv_2017-af0a.html
-Kamil Dudka (7 Nov 2016)
-- nss: silence warning 'SSL_NEXT_PROTO_EARLY_VALUE not handled in switch'
+- ssh: remove check for a NULL pointer (!)
- ... with nss-3.26.0 and newer
+ With this check present, scan-build warns that we might dereference this
+ point in other places where it isn't first checked for NULL. Thus, if it
+ *can* be NULL we have a problem on a few places. However, this pointer
+ should not be possible to be NULL here so I remove the check and thus
+ also three different scan-build warnings.
- Reported-by: Daniel Stenberg
+ Closes #2111
-Daniel Stenberg (7 Nov 2016)
-- openssl: initial TLS 1.3 adaptions
-
- BoringSSL supports TLSv1.3 already, but these changes don't seem to be anough
- to get it working.
+- [Matthew Kerwin brought this change]
-- ssh: check md5 fingerprints case insensitively (regression)
-
- Revert the change from ce8d09483eea but use the new function
-
- Reported-by: Kamil Dudka
- Bug: https://github.com/curl/curl/commit/ce8d09483eea2fcb1b50e323e1a8ed1f3613b2e3#commitcomment-19666146
+ test: add test for bad UNC/SMB path in file: URL
-Kamil Dudka (7 Nov 2016)
-- curl: introduce the --tlsv1.3 option to force TLS 1.3
-
- Fully implemented with the NSS backend only for now.
-
- Reviewed-by: Ray Satiro
+- [Matthew Kerwin brought this change]
-- vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
-
- Fully implemented with the NSS backend only for now.
-
- Reviewed-by: Ray Satiro
+ test: add tests to ensure basic file: URLs
+
+- [Matthew Kerwin brought this change]
-- nss: map CURL_SSLVERSION_DEFAULT to NSS default
+ URL: update "file:" URL handling
- ... but make sure we use at least TLSv1.0 according to libcurl API
+ * LOTS of comment updates
+ * explicit error for SMB shares (e.g. "file:////share/path/file")
+ * more strict handling of authority (i.e. "//localhost/")
+ * now accepts dodgy old "C:|" drive letters
+ * more precise handling of drive letters in and out of Windows
+ (especially recognising both "file:c:/" and "file:/c:/")
- Reported-by: Cure53
- Reviewed-by: Ray Satiro
+ Closes #2110
-Daniel Stenberg (7 Nov 2016)
-- s/cURL/curl
+- metalink: fix memory-leak and NULL pointer dereference
- We're mostly saying just "curl" in lower case these days so here's a big
- cleanup to adapt to this reality. A few instances are left as the
- project could still formally be considered called cURL.
+ Reported by scan-build
+
+ Closes #2109
-Jay Satiro (7 Nov 2016)
-- [Tatsuhiro Tsujikawa brought this change]
+- [Alessandro Ghedini brought this change]
- http2: Don't send header fields prohibited by HTTP/2 spec
+ connect: add support for new TCP Fast Open API on Linux
- Previously, we just ignored "Connection" header field. But HTTP/2
- specification actually prohibits few more header fields. This commit
- ignores all of them so that we don't send these bad header fields.
+ The new API added in Linux 4.11 only requires setting a socket option
+ before connecting, without the whole sento() machinery.
- Bug: https://curl.haxx.se/mail/archive-2016-10/0033.html
- Reported-by: Ricki Hirner
+ Notably, this makes it possible to use TFO with SSL connections on Linux
+ as well, without the need to mess around with OpenSSL (or whatever other
+ SSL library) internals.
- Closes https://github.com/curl/curl/pull/1092
+ Closes #2056
-Daniel Stenberg (7 Nov 2016)
-- curl.1: explain the SMTP data expected for -T
+- make: fix "make distclean"
- Fixes #1107
-
- Reported-by: Adam Piggott
+ Fixes #2097
+ Closes #2108
-Peter Wu (6 Nov 2016)
-- cmake: disable poll for macOS
-
- Mirrors the autotools behavior introduced with curl-7_50_3-83-ga34c7ce.
-
- Fixes #1089
+- RELEASE-NOTES: synced with 31f18d272
-Jay Satiro (5 Nov 2016)
-- easy: Initialize info variables on easy init and duphandle
+Jay Satiro (23 Nov 2017)
+- connect: improve the bind error message
- - Call Curl_initinfo on init and duphandle.
+ eg consider a non-existent interface eth8, curl --interface eth8
- Prior to this change the statistical and informational variables were
- simply zeroed by calloc on easy init and duphandle. While zero is the
- correct default value for almost all info variables, there is one where
- it isn't (filetime initializes to -1).
+ Before: curl: (45) Could not resolve host: eth8
+ After: curl: (45) Couldn't bind to 'eth8'
- Bug: https://github.com/curl/curl/issues/1103
- Reported-by: Neal Poole
-
-Daniel Stenberg (5 Nov 2016)
-- [Mauro Rappa brought this change]
+ Bug: https://github.com/curl/curl/issues/2104
+ Reported-by: Alfonso Martone
- curl -w: added more decimal digits to timing counters
+Daniel Stenberg (23 Nov 2017)
+- examples/rtsp: clear RANGE again after use
- Now showing microsecond resolution.
-
- Closes #1106
+ Fixes #2106
+ Reported-by: youngchopin on github
+
+- [Michael Kaufmann brought this change]
-Jakub Zakrzewski (4 Nov 2016)
-- dist: add CMakeLists.txt to the tarball
+ test1264: verify URL with space in host name being rejected
-Daniel Stenberg (4 Nov 2016)
-- mbedtls: fix build with mbedtls versions < 2.4.0
+- url: reject ASCII control characters and space in host names
- Regression added in 62a8095e714
+ Host names like "127.0.0.1 moo" would otherwise be accepted by some
+ getaddrinfo() implementations.
- Reported-by: Tony Kelman
+ Updated test 1034 and 1035 accordingly.
- Discussed in #1087
+ Fixes #2073
+ Closes #2092
-- configure: verify that compiler groks -Werror=partial-availability
-
- Reported-by: bemoody
+- Curl_open: fix OOM return error correctly
- Fixes #1104
+ Closes #2098
-- docs: shorten and simplify the top comment in multi-uv.c
-
- and change URL to use https
+- http2: fix "Value stored to 'end' is never read" scan-build error
-- [Andrei Sedoi brought this change]
+- http2: fix "Value stored to 'hdbuf' is never read" scan-build error
- docs: handle CURL_POLL_INOUT in multi-uv example
+- openssl: fix "Value stored to 'rc' is never read" scan-build error
-- [Andrei Sedoi brought this change]
+- mime: fix "Value stored to 'sz' is never read" scan-build error
- docs: multi-uv: don't use CURLMsg after cleanup
+- Curl_llist_remove: fix potential NULL pointer deref
+
+ Fixes a scan-build warning.
-- [Andrei Sedoi brought this change]
+- ntlm: remove unnecessary NULL-check to please scan-build
- docs: remove unused variables in multi-uv example
+- BUGS: spellchecked
-- bump: start working on 7.51.1
+Jay Satiro (18 Nov 2017)
+- [fmmedeiros brought this change]
-- winbuild: remove strcase.obj from curl build
+ examples/curlx: Fix code style
- Reported-by: Bruce Stephens
+ - Add braces around multi-line if statement.
- Fixes #1098
+ Closes https://github.com/curl/curl/pull/2096
-Dan Fandrich (2 Nov 2016)
-- msvc: removed a straggling reference to strequal.c
+Daniel Stenberg (17 Nov 2017)
+- resolve: allow IP address within [] brackets
- Follow-up to 502acba2
-
-Version 7.51.0 (2 Nov 2016)
-
-Daniel Stenberg (2 Nov 2016)
-- THANKS: synced with 7.51.0
-
-- RELEASE-NOTES: 7.51.0
-
-- ftp_done: don't clobber the passed in error code
+ ... so that IPv6 addresses can be passed like they can for connect-to
+ and how they're used in URLs.
- Coverity CID 1374359 pointed out the unused result value.
-
-- ftp: remove dead code in ftp_done
+ Added test 1324 to verify
+ Reported-by: Alex Malinovich
- Coverity CID 1374358
+ Fixes #2087
+ Closes #2091
-Jay Satiro (1 Nov 2016)
-- generate.bat: Include include/curl in libcurl VS projects
-
- .. because including those headers helps Visual Studio's Intellisense.
+- [Pavol Markovic brought this change]
-- generate.bat: Remove strcase.[ch] from curl tool VS projects
+ macOS: Fix missing connectx function with Xcode version older than 9.0
- ..because they're no longer needed in the tool build. strcase is still
- built by the libcurl project and exports curl_str(n)equal which is used
- by the curl tool.
+ The previous fix https://github.com/curl/curl/pull/1788 worked just for
+ Xcode 9. This commit extends the fix to older Xcode versions effectively
+ by not using connectx function.
- Bug: https://github.com/curl/curl/commit/9363f1a#all_commit_comments
+ Fixes https://github.com/curl/curl/issues/1330
+ Fixes https://github.com/curl/curl/issues/2080
+ Closes https://github.com/curl/curl/pull/1336
+ Closes #2082
-Daniel Stenberg (2 Nov 2016)
-- metalink: simplify the hex parsing function
-
- ... and now it avoids using the libcurl toupper() function
+- [Dirk Feytons brought this change]
-Michael Kaufmann (1 Nov 2016)
-- file: fix compiler warning
+ openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
- follow-up to 46133aa5
+ Fixes #2079
+ Closes #2081
-Dan Fandrich (1 Nov 2016)
-- strcase: fixed Metalink builds by redefining checkprefix()
-
- ...to use the public function curl_strnequal(). This isn't ideal because
- it adds extra overhead to any internal calls to checkprefix.
+- TODO: ignore private IP addresses in PASV response
- follow-up to 95bd2b3e
+ Closes #1455
-Daniel Stenberg (1 Nov 2016)
-- curl.1: typo
+- RELEASE-NOTES: synced with ae7369b6d
-- curl.1: expand on how multiple uses of -o looks
+Michael Kaufmann (14 Nov 2017)
+- URL: return error on malformed URLs with junk after IPv6 bracket
- Suggested-by: Dan Jacobson
- Issue: https://github.com/curl/curl/issues/1097
-
-- tests/util: get a private strncasecompare clone
+ Follow-up to aadb7c7. Verified by new test 1263.
- ... since the curlx_* code no longer provides one and we don't link
- libcurl to these test servers.
+ Closes #2072
-- strcase: make the tool use curl_str[n]equal instead
-
- As they are after all part of the public API. Saves space and reduces
- complexity. Remove the strcase defines from the curlx_ family.
-
- Suggested-by: Dan Fandrich
- Idea: https://curl.haxx.se/mail/lib-2016-10/0136.html
+Daniel Stenberg (14 Nov 2017)
+- INTERNALS: we may use libidn2 now, not libidn
-Kamil Dudka (31 Oct 2016)
-- gskit, nss: do not include strequal.h
+Patrick Monnerat (13 Nov 2017)
+- zlib/brotli: only include header files in modules needing them
+
+ There is a conflict on symbol 'free_func' between openssl/crypto.h and
+ zlib.h on AIX. This is an attempt to resolve it.
- follow-up to 811a693b80
+ Bug: https://curl.haxx.se/mail/lib-2017-11/0032.html
+ Reported-By: Michael Felt
-Dan Fandrich (31 Oct 2016)
-- strcasecompare: include curl.h in strcase.c
+Daniel Stenberg (13 Nov 2017)
+- SMB: fix uninitialized local variable
- This should fix the "warning: 'curl_strequal' redeclared without
- dllimport attribute: previous dllimport ignored" message and subsequent
- link error on Windows because of the missing CURL_EXTERN on the
- prototype.
+ Reported-by: Brian Carpenter
-Daniel Stenberg (31 Oct 2016)
-- strcase: fix the remaining rawstr users
+- [Orgad Shaneh brought this change]
-- msvc builds: s/rawstr/strcase
+ connect.c: remove executable bit on file
- Follow-up to 811a693b
+ Closes #2071
-Dan Fandrich (31 Oct 2016)
-- strcasecompare: replaced remaining rawstr.h with strcase.h
-
- This is a followup to commit 811a693b
+- [hsiao yi brought this change]
-Marcel Raad (31 Oct 2016)
-- digest_sspi: fix include
+ README.md: fixed layout
- Fix compile break from 811a693b80
+ Closes #2069
-Dan Fandrich (31 Oct 2016)
-- libauthretry: use the external function curl_strequal
+- setopt: split out curl_easy_setopt() to its own file
- The internal version strcasecompare isn't available outside libcurl
-
-Daniel Stenberg (31 Oct 2016)
-- RELEASE-NOTES: synced with d14538d2501ef0da
-
-- configure: raise the default minimum version for macos to 10.8
+ ... to make url.c smaller.
- follow-up to 4f8d0b6f02aa7043. Since the darwinssl code breaks
- otherwise. If you build without darwinssl 10.5 works fine.
+ Closes #1944
-- unit1301: keep testing curl_strequal
-
- as that is still part of the API, fix from 8fe4bd084412f30
+Jay Satiro (10 Nov 2017)
+- [John Starks brought this change]
-- ldap: fix include
+ cmake: Add missing setmode check
- Fix bug from 811a693b80
-
-- url: remove unconditional idn2.h include
+ Ensure HAVE_SETMODE is set to 1 on OSes that have setmode. Without this,
+ curl will corrupt binary files when writing them to stdout on Windows.
- Mistake brought by 9c91ec778104a
+ Closes https://github.com/curl/curl/pull/2067
-- curl_strequal: part of public API/ABI, needs to be kept
+Daniel Stenberg (10 Nov 2017)
+- curl_share_setopt: va_end was not called if conncache errors
- These two public functions have been mentioned as deprecated since a
- very long time but since they are still part of the API and ABI we need
- to keep them around.
+ CID 984459, detected by Coverity
-- strcase: s/strequal/strcasecompare
-
- some more follow-ups to 811a693b80
+Sergei Nikulov (10 Nov 2017)
+- [John Starks brought this change]
-- ldap: fix strcase use
+ cmake: Correctly include curl.rc in Windows builds (#2064)
- follow-up to 811a693b80
+ Update CMakeLists.txt to add curl.rc to the correct list.
-- test165: adapted to the libidn2 use and IDNA2008 fix
+Daniel Stenberg (9 Nov 2017)
+- RELEASE-NOTES: synced with 32828cc4f
-- cookie: replace use of fgets() with custom version
+- [Luca Boccassi brought this change]
+
+ --interface: add support for Linux VRF
- ... that will ignore lines that are too long to fit in the buffer.
+ The --interface command (CURLOPT_INTERFACE option) already uses
+ SO_BINDTODEVICE on Linux, but it tries to parse it as an interface or IP
+ address first, which fails in case the user passes a VRF.
- CVE-2016-8615
+ Try to use the socket option immediately and parse it as a fallback
+ instead. Update the documentation to mention this feature, and that it
+ requires the binary to be ran by root or with CAP_NET_RAW capabilities
+ for this to work.
- Bug: https://curl.haxx.se/docs/adv_20161102A.html
- Reported-by: Cure53
+ Closes #2024
-- strcasecompare: all case insensitive string compares ignore locale now
+- curl_share_setopt.3: document CURL_LOCK_DATA_CONNECT
- We had some confusions on when each function was used. We should not act
- differently on different locales anyway.
+ Closes #2043
-- strcasecompare: is the new name for strequal()
-
- ... to make it less likely that we forget that the function actually
- does case insentive compares. Also replaced several invokes of the
- function with a plain strcmp when case sensitivity is not an issue (like
- comparing with "-").
+- examples: add shared-connection-cache
-- ftp: check for previous patch must be case sensitive!
-
- ... otherwise example.com/PATH and example.com/path would be assumed to
- be the same and they usually aren't!
+- test1554: verify connection cache sharing
-- SSH: check md5 fingerprint case sensitively
+- share: add support for sharing the connection cache
-- connectionexists: use case sensitive user/password comparisons
+- imap: deal with commands case insensitively
- CVE-2016-8616
+ As documented in RFC 3501 section 9:
+ https://tools.ietf.org/html/rfc3501#section-9
- Bug: https://curl.haxx.se/docs/adv_20161102B.html
- Reported-by: Cure53
+ Closes #2061
-- base64: check for integer overflow on large input
+- connect: store IPv6 connection status after valid connection
- CVE-2016-8617
+ ... previously it would store it already in the happy eyeballs stage
+ which could lead to the IPv6 bit being set for an IPv4 connection,
+ leading to curl not wanting to do EPSV=>PASV for FTP transfers.
- Bug: https://curl.haxx.se/docs/adv_20161102C.html
- Reported-by: Cure53
+ Closes #2053
-- krb5: avoid realloc(0)
-
- If the requested size is zero, bail out with error instead of doing a
- realloc() that would cause a double-free: realloc(0) acts as a free()
- and then there's a second free in the cleanup path.
+- curl_multi_fdset.3: emphasize curl_multi_timeout
- CVE-2016-8619
-
- Bug: https://curl.haxx.se/docs/adv_20161102E.html
- Reported-by: Cure53
+ ... even when there's no socket to wait for, the timeout can still be
+ very short.
-- aprintf: detect wrap-around when growing allocation
+Jay Satiro (9 Nov 2017)
+- content_encoding: fix inflate_stream for no bytes available
- On 32bit systems we could otherwise wrap around after 2GB and allocate 0
- bytes and crash.
+ - Don't call zlib's inflate() when avail_in stream bytes is 0.
- CVE-2016-8618
+ This is a follow up to the parent commit 19e66e5. Prior to that change
+ libcurl's inflate_stream could call zlib's inflate even when no bytes
+ were available, causing inflate to return Z_BUF_ERROR, and then
+ inflate_stream would treat that as a hard error and return
+ CURLE_BAD_CONTENT_ENCODING.
- Bug: https://curl.haxx.se/docs/adv_20161102D.html
- Reported-by: Cure53
-
-- range: reject char globs with missing end like '[L-]'
+ According to the zlib FAQ, Z_BUF_ERROR is not fatal.
- ... which previously would lead to out of boundary reads.
+ This bug would happen randomly since packet sizes are arbitrary. A test
+ of 10,000 transfers had 55 fail (ie 0.55%).
- Reported-by: Luật Nguyễn
+ Ref: https://zlib.net/zlib_faq.html#faq05
+
+ Closes https://github.com/curl/curl/pull/2060
-- glob_next_url: make sure to stay within the given output buffer
+Patrick Monnerat (7 Nov 2017)
+- content_encoding: do not write 0 length data
-- range: prevent negative end number in a glob range
+Daniel Stenberg (6 Nov 2017)
+- fnmatch: remove dead code
- CVE-2016-8620
+ There was a duplicate check for backslashes in the setcharset()
+ function.
- Bug: https://curl.haxx.se/docs/adv_20161102F.html
- Reported-by: Luật Nguyễn
+ Coverity CID 1420611
-- parsedate: handle cut off numbers better
-
- ... and don't read outside of the given buffer!
+- url: remove unncessary NULL-check
- CVE-2016-8621
-
- bug: https://curl.haxx.se/docs/adv_20161102G.html
- Reported-by: Luật Nguyễn
-
-- escape: avoid using curl_easy_unescape() internally
+ Since 'conn' won't be NULL in there and we also access the pointer in
+ there without the check.
- Since the internal Curl_urldecode() function has a better API.
+ Coverity CID 1420610
-- unescape: avoid integer overflow
+Viktor Szakats (6 Nov 2017)
+- src/Makefile.m32: fix typo in brotli lib customization
- CVE-2016-8622
-
- Bug: https://curl.haxx.se/docs/adv_20161102H.html
- Reported-by: Cure53
+ Ref cc1f4436099decb9d1a7034b2bb773a9f8379d31
-- cookies: getlist() now holds deep copies of all cookies
-
- Previously it only held references to them, which was reckless as the
- thread lock was released so the cookies could get modified by other
- handles that share the same cookie jar over the share interface.
+- Makefile.m32: allow to customize brotli libs
- CVE-2016-8623
+ It adds the ability to link against static brotli libs.
- Bug: https://curl.haxx.se/docs/adv_20161102I.html
- Reported-by: Cure53
+ Also fix brotli include path.
-- TODO: remove IDNA2008
+Patrick Monnerat (5 Nov 2017)
+- travis: add a job with brotli enabled
-- idn: switch to libidn2 use and IDNA2008 support
-
- CVE-2016-8625
-
- Bug: https://curl.haxx.se/docs/adv_20161102K.html
- Reported-by: Christian Heimes
+- [Viktor Szakats brought this change]
-- test1246: verify URL parsing with host name ending with '#'
+ Makefile.m32: add brotli support
-- urlparse: accept '#' as end of host name
+- HTTP: implement Brotli content encoding
- 'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
- for the '/' document with the rest of the URL being a fragment.
+ This uses the brotli external library (https://github.com/google/brotli).
+ Brotli becomes a feature: additional curl_version_info() bit and
+ structure fields are provided for it and CURLVERSION_NOW bumped.
- CVE-2016-8624
+ Tests 314 and 315 check Brotli content unencoding with correct and
+ erroneous data.
- Bug: https://curl.haxx.se/docs/adv_20161102J.html
- Reported-by: Fernando Muñoz
+ Some tests are updated to accomodate with the now configuration dependent
+ parameters of the Accept-Encoding header.
-Jay Satiro (31 Oct 2016)
-- INTERNALS: better markdown (follow-up)
-
- - Wrap more words with underscores in backticks.
+- HTTP: support multiple Content-Encodings
- Follow-up to 13f4913.
-
-Daniel Stenberg (30 Oct 2016)
-- INTERNALS: better markdown
+ This is implemented as an output streaming stack of unencoders, the last
+ calling the client write procedure.
- words with underscore need to be within `these`
+ New test 230 checks this feature.
- Bug: https://github.com/curl/curl-www/issues/19
- Reported-by : Jay Satiro
+ Bug: https://github.com/curl/curl/pull/2002
+ Reported-By: Daniel Bankhead
-Jay Satiro (30 Oct 2016)
-- mk-ca-bundle.vbs: Fix UTF-8 output
+Jay Satiro (4 Nov 2017)
+- url: remove arg value check from CURLOPT_SSH_AUTH_TYPES
- - Change initial message box to mention delay when downloading/parsing.
+ Since CURLSSH_AUTH_ANY (aka CURLSSH_AUTH_DEFAULT) is ~0 an arg value
+ check on this option is incorrect; we have to accept any value.
- Since there is no progress meter it was somewhat unexpected that after
- choosing a filename nothing appears to happen, when actually the cert
- data is in the process of being downloaded and parsed.
+ Prior to this change since f121575 (7.56.1+) CURLOPT_SSH_AUTH_TYPES
+ erroneously rejected CURLSSH_AUTH_ANY with CURLE_BAD_FUNCTION_ARGUMENT.
- - Warn if OpenSSL is not present.
+ Bug: https://github.com/curl/curl/commit/f121575#commitcomment-25347120
+
+Daniel Stenberg (4 Nov 2017)
+- ntlm: avoid malloc(0) for zero length passwords
- - Use a UTF-8 stream to make the ca-bundle data.
+ It triggers an assert() when built with memdebug since malloc(0) may
+ return NULL *or* a valid pointer.
- - Save the UTF-8 ca-bundle stream as binary so that no BOM is added.
+ Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054
- ---
+ Assisted-by: Max Dymond
+ Closes #2054
+
+- RELEASE-NOTES: synced with ee8016b3d
+
+- curl: speed up handling of many URLs
- This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to
- ANSI due to corrupt UTF-8 output, now fixed.
+ By properly keeping track of the last entry in the list of URLs/uploads
+ to handle, curl now avoids many meaningless traverses of the list which
+ speeds up many-URL handling *MASSIVELY* (several magnitudes on 100K
+ URLs).
- This change completes making the default certificate bundle output of
- mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which
- should make it easier to review any difference between their output.
+ Added test 1291, to verify that it doesn't take ages - but we don't have
+ any detection of "too slow" command in the test suite.
- Ref: https://github.com/curl/curl/pull/1012
+ Reported-by: arainchik on github
+ Fixes #1959
+ Closes #2052
-Daniel Stenberg (28 Oct 2016)
-- BINDINGS: converted to markdown
+- curl: pass through [] in URLs instead of calling globbing error
- To make it render better on the web site, at the price of it becoming
- slightly less readable as text.
+ Assisted-by: Per Lundberg
+ Fixes #2044
+ Closes #2046
+ Closes #2048
-Jay Satiro (27 Oct 2016)
-- CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
+- CURLOPT_INFILESIZE: accept -1
- - Clarify that this option is only for HTTP/1.1 pipelining.
-
- Bug: https://github.com/curl/curl/issues/1059
- Reported-by: Jeroen Ooms
+ Regression since f121575
- Assisted-by: Daniel Stenberg
+ Reported-by: Petr Voytsik
+ Fixes #2047
-Daniel Stenberg (27 Oct 2016)
-- KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
+Jay Satiro (2 Nov 2017)
+- url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
- Closes #927
+ Prior to this change since f121575 (7.56.1+) CURLOPT_DNS_CACHE_TIMEOUT
+ erroneously rejected -1 with CURLE_BAD_FUNCTION_ARGUMENT.
-- KNOWN_BUGS: c-ares deviates from stock resolver on http://1346569778
+Dan Fandrich (1 Nov 2017)
+- http2: Fixed OOM handling in upgrade request
- Closes #893
+ This caused the torture tests on test 1800 to fail.
-Michael Osipov (27 Oct 2016)
-- configure.in: Fix test syntax
+- tests: Fixed torture tests on tests 556 and 650
- Some versions of test allow == for equality, but others (such as the HP-UX
- version) do not. Use a single = for correctness.
-
- Error output:
- checking for monotonic clock_gettime... ./configure[20445]: ==: A test command parameter is not valid.
+ Test cleanup after OOM wasn't being consistently performed.
-Daniel Stenberg (27 Oct 2016)
-- SECURITY: minor updates
+Daniel Stenberg (1 Nov 2017)
+- CURLOPT_MAXREDIRS: allow -1 as a value
- - we allow the security push up to 48 hours before the release
+ ... which is valid according to documentation. Regression since
+ f121575c0b5f.
- - add a mention about possible pre-notifications
+ Verified now in test 501.
- - lower case the 'curl-security' title
-
-- [Andrei Sedoi brought this change]
+ Reported-by: cbartl on github
+ Fixes #2038
+ Closes #2039
- docs: fix req->data in multi-uv example
-
- Closes #1088
+- include: remove conncache.h inclusion from where its not needed
-- mbedtls: stop using deprecated include file
+Jay Satiro (1 Nov 2017)
+- url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
- Reported-by: wyattoday
- Fixes #1087
-
-Kamil Dudka (25 Oct 2016)
-- [Martin Frodl brought this change]
-
- nss: fix tight loop in non-blocking TLS handhsake over proxy
+ .. also add same arg value check to CURLOPT_POSTFIELDSIZE_LARGE.
- ... in case the handshake completes before entering
- CURLM_STATE_PROTOCONNECT
+ Prior to this change since f121575 (7.56.1+) CURLOPT_POSTFIELDSIZE
+ erroneously rejected -1 value with CURLE_BAD_FUNCTION_ARGUMENT.
- Bug: https://bugzilla.redhat.com/1388162
+ Bug: https://curl.haxx.se/mail/lib-2017-11/0000.html
+ Reported-by: Andrew Lambert
-Jay Satiro (25 Oct 2016)
-- mk-ca-bundle: Update the vbscript version
+Daniel Stenberg (31 Oct 2017)
+- cookie: avoid NULL dereference
- Bring the VBScript version more in line with the perl version:
+ ... when expiring old cookies.
- - Change timestamp to UTC.
+ Reported-by: Pavel Gushchin
+ Fixes #2032
+ Closes #2035
+
+Marcel Raad (30 Oct 2017)
+- memdebug: use send/recv signature for curl_dosend/curl_dorecv
- - Change URL retrieval to HTTPS-only by default.
+ This avoids build errors and warnings caused by implicit casts.
- - Comment out the options that disabled SSL cert checking by default.
+ Closes https://github.com/curl/curl/pull/2031
+
+Daniel Stenberg (30 Oct 2017)
+- [Juro Bystricky brought this change]
+
+ mkhelp.pl: support reproducible build
- - Assume OpenSSL is present, get SHA256. And add a flag to toggle it.
+ Do not generate line with the current date, such as:
- - Fix cert issuer name output.
+ * Generation time: Tue Oct-24 18:01:41 2017
- The cert issuer output is now ansi, converted from UTF-8. Prior to this
- it was corrupt UTF-8. It turns out though we can work with UTF-8 the
- FSO object that writes ca-bundle can't write UTF-8, so there will have
- to be some alternative if UTF-8 is needed (like an ADODB.Stream).
+ This will improve reproducibility. The generated string is only
+ part of a comment, so there should be no adverse consequences.
- - Disable the certificate text info feature.
+ Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
- The certificate text info doesn't work properly with any recent OpenSSL.
+ closes #2026
-Daniel Stenberg (24 Oct 2016)
-- TODO: indent code to make it render properly
+Dan Fandrich (30 Oct 2017)
+- runtests.pl: Fixed typo in message
-- TODO: Remove the generated include file
-
-- TODO: add "--retry should resume"
-
- See #1084
-
-- mk-ca-bundle.1: document -k
+Daniel Stenberg (30 Oct 2017)
+- curlx: the timeval functions are no longer provided as curlx_*
- Brought in 1ad2bdcf110266c. Now does HTTPS by default and needs -k to
- fall back to plain HTTP.
-
-- [Jay Satiro brought this change]
+ Pointed-out-by: Dmitri Tikhonov
+ Bug: #2034
- mk-ca-bundle: Change URL retrieval to HTTPS-only by default
-
- - Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).
-
- - New option -k to allow URLs other than HTTPS and enable HTTP fallback.
-
- Prior to this change the default URL retrieval mode was to fall back to
- HTTP if HTTPS didn't work.
+- select: update comments
- Reported-by: Gregory Szorc
-
- Closes #1012
+ s/curlx_tvnow/Curl_now
-- RELEASE-NOTES: synced with 50ee3aaf1a9b22d
+- INTERNALS: remove curlx_tv* functions no longer provided
-Dan Fandrich (23 Oct 2016)
-- INSTALL.md: Updated minimum file sizes for 7.50.3
+- [Dmitri Tikhonov brought this change]
-Daniel Stenberg (22 Oct 2016)
-- multi: force connections to get closed in close_all_connections
-
- Several independent reports on infinite loops hanging in the
- close_all_connections() function when closing a multi handle, can be
- fixed by first marking the connection to get closed before calling
- Curl_disconnect.
+ timeval: use mach time on MacOS
- This is more fixing-the-symptom rather than the underlying problem
- though.
+ If clock_gettime() is not supported, use mach_absolute_time() on MacOS.
- Bug: https://curl.haxx.se/mail/lib-2016-10/0011.html
- Bug: https://curl.haxx.se/mail/lib-2016-10/0059.html
-
- Reported-by: Dan Fandrich, Valentin David, Miloš Ljumović
-
-- [Anders Bakken brought this change]
+ closes #2033
- curl_multi_remove_handle: fix a double-free
-
- In short the easy handle needs to be disconnected from its connection at
- this point since the connection still is serving other easy handles.
-
- In our app we can reliably reproduce a crash in our http2 stress test
- that is fixed by this change. I can't easily reproduce the same test in
- a small example.
-
- This is the gdb/asan output:
-
- ==11785==ERROR: AddressSanitizer: heap-use-after-free on address 0xe9f4fb80 at pc 0x09f41f19 bp 0xf27be688 sp 0xf27be67c
- READ of size 4 at 0xe9f4fb80 thread T13 (RESOURCE_HTTP)
- #0 0x9f41f18 in curl_multi_remove_handle /path/to/source/3rdparty/curl/lib/multi.c:666
-
- 0xe9f4fb80 is located 0 bytes inside of 1128-byte region [0xe9f4fb80,0xe9f4ffe8)
- freed by thread T13 (RESOURCE_HTTP) here:
- #0 0xf7b1b5c2 in __interceptor_free /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:45
- #1 0x9f7862d in conn_free /path/to/source/3rdparty/curl/lib/url.c:2808
- #2 0x9f78c6a in Curl_disconnect /path/to/source/3rdparty/curl/lib/url.c:2876
- #3 0x9f41b09 in multi_done /path/to/source/3rdparty/curl/lib/multi.c:615
- #4 0x9f48017 in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1896
- #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
- #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
- #7 0x9c445e0 in ...
- #8 0x9c4cf1d in ...
- #9 0xa2be6b5 in ...
- #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
- #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
-
- previously allocated by thread T13 (RESOURCE_HTTP) here:
- #0 0xf7b1ba27 in __interceptor_calloc /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:70
- #1 0x9f7dfa6 in allocate_conn /path/to/source/3rdparty/curl/lib/url.c:3904
- #2 0x9f88ca0 in create_conn /path/to/source/3rdparty/curl/lib/url.c:5797
- #3 0x9f8c928 in Curl_connect /path/to/source/3rdparty/curl/lib/url.c:6438
- #4 0x9f45a8c in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1411
- #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
- #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
- #7 0x9c445e0 in ...
- #8 0x9c4cf1d in ...
- #9 0xa2be6b5 in ...
- #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
- #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
-
- SUMMARY: AddressSanitizer: heap-use-after-free /path/to/source/3rdparty/curl/lib/multi.c:666 in curl_multi_remove_handle
- Shadow bytes around the buggy address:
- 0x3d3e9f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x3d3e9f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x3d3e9f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x3d3e9f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
- 0x3d3e9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
- =>0x3d3e9f70:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x3d3e9f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x3d3e9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x3d3e9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x3d3e9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x3d3e9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- Shadow byte legend (one shadow byte represents 8 application bytes):
- Addressable: 00
- Partially addressable: 01 02 03 04 05 06 07
- Heap left redzone: fa
- Heap right redzone: fb
- Freed heap region: fd
- Stack left redzone: f1
- Stack mid redzone: f2
- Stack right redzone: f3
- Stack partial redzone: f4
- Stack after return: f5
- Stack use after scope: f8
- Global redzone: f9
- Global init order: f6
- Poisoned by user: f7
- Container overflow: fc
- Array cookie: ac
- Intra object redzone: bb
- ASan internal: fe
- Left alloca redzone: ca
- Right alloca redzone: cb
- ==11785==ABORTING
-
- Thread 14 "RESOURCE_HTTP" received signal SIGABRT, Aborted.
- [Switching to Thread 0xf27bfb40 (LWP 12324)]
- 0xf7fd8be9 in __kernel_vsyscall ()
- (gdb) bt
- #0 0xf7fd8be9 in __kernel_vsyscall ()
- #1 0xf4c7ee89 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
- #2 0xf4c803e7 in __GI_abort () at abort.c:89
- #3 0xf7b2ef2e in __sanitizer::Abort () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cc:122
- #4 0xf7b262fa in __sanitizer::Die () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_common.cc:145
- #5 0xf7b21ab3 in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0xf27be171, __in_chrg=<optimized out>) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:689
- #6 0xf7b214a5 in __asan::ReportGenericError (pc=166993689, bp=4068206216, sp=4068206204, addr=3925146496, is_write=false, access_size=4, exp=0, fatal=true) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:1074
- #7 0xf7b21fce in __asan::__asan_report_load4 (addr=3925146496) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_rtl.cc:129
- #8 0x09f41f19 in curl_multi_remove_handle (multi=0xf3406080, data=0xde582400) at /path/to/source3rdparty/curl/lib/multi.c:666
- #9 0x09f6b277 in Curl_close (data=0xde582400) at /path/to/source3rdparty/curl/lib/url.c:415
- #10 0x09f3354e in curl_easy_cleanup (data=0xde582400) at /path/to/source3rdparty/curl/lib/easy.c:860
- #11 0x09c6de3f in ...
- #12 0x09c378c5 in ...
- #13 0x09c48133 in ...
- #14 0x09c4d092 in ...
- #15 0x0a2be6b6 in ...
- #16 0xf7aa5781 in asan_thread_start (arg=0xf2d22938) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
- #17 0xf5de52b5 in start_thread (arg=0xf27bfb40) at pthread_create.c:333
- #18 0xf4d3a16e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:114
-
- Fixes #1083
-
-- testcurl.1: fix the URL to the autobuild summary
-
-- testcurl.1: update URLs
-
-- INSTALL: converted to markdown => INSTALL.md
-
- Also heavily edited for content. Removed lots of old cruft that we added
- like 10+ years ago that is likely incorrect by now.
-
- Also removed INSTALL.devcpp for same reason.
+monnerat (29 Oct 2017)
+- [Patrick Monnerat brought this change]
-- [Martin Storsjo brought this change]
+ cli tool: improve ";type=" handling in -F option arguments
- configure: Check for other variants of the -m*os*-version-min flags
-
- In addition to -miphoneos-version-min, the same version can be set
- using -mios-version-min. And for WatchOS and TvOS, there's
- -mwatchos-version-min and -mtvos-version-min.
+- [Patrick Monnerat brought this change]
-- configure: set min version flags for builds on mac
-
- This helps building binaries that can work on multiple macOS versions.
+ cli tool: in -F option arg, comma is a delimiter for files only
- Help-by: Martin Storsjö
+ Also upgrade test 1133 to cover this case and clarify man page about
+ form data quoting.
- Fixes #1069
+ Bug: https://github.com/curl/curl/issues/2022
+ Reported-By: omau on github
-- curl_multi_add_handle: set timeouts in closure handles
-
- The closure handle only ever has default timeouts set. To improve the
- state somewhat we clone the timeouts from each added handle so that the
- closure handle always has the same timeouts as the most recently added
- easy handle.
-
- Fixes #739
+Daniel Stenberg (29 Oct 2017)
+- timeleft: made two more users of Curl_timeleft use timediff_t
-- configure/CURL_CHECK_FUNC_POLL: disable poll completely on mac
+Jakub Zakrzewski (28 Oct 2017)
+- cmake: Export libcurl and curl targets to use by other cmake projects
- ... so that the same libcurl build easier can run on any version.
+ The config files define curl and libcurl targets as imported targets
+ CURL::curl and CURL::libcurl. For backward compatibility with CMake-
+ provided find-module the CURL_INCLUDE_DIRS and CURL_LIBRARIES are
+ also set.
- Follow-up to issue #1057
+ Closes #1879
-- RELEASE-NOTES: synced with f36f8c14551efc6772
+Daniel Stenberg (28 Oct 2017)
+- RELEASE-NOTES: synced with f20cbac97
-- test14xx: fixed --libcurl output tests again after 8e8afa82cbb
+- [Florin Petriuc brought this change]
-- s/cURL/curl
+ auth: Added test cases for RFC7616
+
+ Updated docs to include support for RFC7616
+
+ Signed-off-by: Florin <petriuc.florin@gmail.com>
- The tool was never called cURL, only the project. But even so, we have
- more and more over time switched to just use lower case.
+ Closes #1934
-- polarssl: indented code, removed unused variables
+- [Florin Petriuc brought this change]
-- polarssl: reduce #ifdef madness with a macro
+ auth: add support for RFC7616 - HTTP Digest access authentication
+
+ Signed-off-by: Florin <petriuc.florin@gmail.com>
-- polarssl: fix unaligned SSL session-id lock
+- [Daniel Bankhead brought this change]
-- Curl_polarsslthreadlock_thread_setup: clear array at init
+ TODO: support multiple Content-Encodings
- ... since if it fails to init the entire array and then tries to clean
- it up, it would attempt to work on an uninitialized pointer.
+ Closes #2002
-- curl: set INTERLEAVEDATA too
+- ROADMAP: cleanup
- As otherwise the callback could be called with a NULL pointer when RTSP
- data is provided.
+ Removed done stuff. Removed entries no longer considered for the near
+ term.
-- gopher: properly return error for poll failures
+- [Magicansk brought this change]
-- select: switch to macros in uppercase
-
- Curl_select_ready() was the former API that was replaced with
- Curl_select_check() a while back and the former arg setup was provided
- with a define (in order to leave existing code unmodified).
+ ROADMAP.md: spelling fixes
- Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most
- common shortcuts where only one socket is checked. They're also more
- visibly macros.
+ Closes #2028
-- select: use more proper macro-looking names
+- Curl_timeleft: change return type to timediff_t
- ... so that it becomes more obvious in the code what is what. Also added
- a typecast for one of the calculations.
+ returning 'time_t' is problematic when that type is unsigned and we
+ return values less than zero to signal "already expired", used in
+ several places in the code.
+
+ Closes #2021
-- Curl_socket_check: add extra check to avoid integer overflow
+- appveyor: add a win32 build
-- maketgz: make it support "only" generating version info
+- setopt: fix CURLOPT_SSH_AUTH_TYPES option read
+
+ Regression since f121575c0b5f
- ... to allow you to update the local repository with the given version
- number data.
+ Reported-by: Rob Cotrone
-Jay Satiro (17 Oct 2016)
-- url: skip to-be-closed connections when pipelining (follow-up)
+Marcel Raad (27 Oct 2017)
+- resolvers: only include anything if needed
- - Change back behavior so that pipelining is considered possible for
- connections that have not yet reached the protocol level.
+ This avoids warnings about unused stuff.
- This is a follow-up to e5f0b1a which had changed the behavior of
- checking if pipelining is possible to ignore connections that had
- 'bits.close' set. Connections that have not yet reached the protocol
- level also have that bit set, and we need to consider pipelining
- possible on those connections.
+ Closes https://github.com/curl/curl/pull/2023
-Daniel Stenberg (17 Oct 2016)
-- HTTP2: mention the tool's limited support
+Daniel Stenberg (27 Oct 2017)
+- HELP-US: rename the subtitle too since the label is changed
+
+ "PR-welcome" was the former name.
-- RELEASE-NOTES: synced with a1a5cd04877fd6fd
+- curl_setup.h: oops, shorten the too long line
-- [David Woodhouse brought this change]
+- [Martin Storsjo brought this change]
- curl: do not set CURLOPT_SSLENGINEDEFAULT automatically
+ curl_setup: Improve detection of CURL_WINDOWS_APP
- There were bugs in the PKCS#11 engine, and fixing them triggers bugs in
- OpenSSL. Just don't get involved; there's no need to be making the
- engine methods the default anyway.
+ If WINAPI_FAMILY is defined, it should be safe to try to include
+ winapifamily.h to check what the define evaluates to.
- https://github.com/OpenSC/libp11/pull/108
- https://github.com/openssl/openssl/pull/1639
+ This should fix detection of CURL_WINDOWS_APP if building with
+ _WIN32_WINNT set to 0x0600.
- Merges #1042
+ Closes #2025
-- KNOWN_BUGS: two more existing problems
-
-Marcel Raad (16 Oct 2016)
-- win: fix Universal Windows Platform build
+Jay Satiro (26 Oct 2017)
+- transfer: Fix chunked-encoding upload bug
- This fixes a merge error in commit 7f3df80 caused by commit 332e8d6.
+ - When uploading via chunked-encoding don't compare file size to bytes
+ sent to determine whether the upload has finished.
- Additionally, this changes Curl_verify_windows_version for Windows App
- builds to assume to always be running on the target Windows version.
- There seems to be no way to determine the Windows version from a
- UWP app. Neither GetVersion(Ex), nor VerifyVersionInfo, nor the
- Version Helper functions are supported.
+ Chunked-encoding adds its own overhead which why the bytes sent is not
+ equal to the file size. Prior to this change if a file was uploaded in
+ chunked-encoding and its size was known it was possible that the upload
+ could end prematurely without sending the final few chunks. That would
+ result in a server hang waiting for the remaining data, likely followed
+ by a disconnect.
- Bug: https://github.com/curl/curl/pull/820#issuecomment-250889878
- Reported-by: Paul Joyce
+ The scope of this bug is limited to some arbitrary file sizes which have
+ not been determined. One size that triggers the bug is 475020.
- Closes https://github.com/curl/curl/pull/1048
-
-Daniel Stenberg (16 Oct 2016)
-- KNOWN_BUGS: minor formatting edit
-
-Jay Satiro (14 Oct 2016)
-- [Rider Linden brought this change]
+ Bug: https://github.com/curl/curl/issues/2001
+ Reported-by: moohoorama@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/2010
- url: skip to-be-closed connections when pipelining
+Daniel Stenberg (26 Oct 2017)
+- timeval: make timediff_t also work on 32bit windows
- No longer attempt to use "doomed" to-be-closed connections when
- pipelining. Prior to this change connections marked for deletion (e.g.
- timeout) would be erroneously used, resulting in sporadic crashes.
+ ... by using curl_off_t for the typedef if time_t is larger than 4
+ bytes.
- As originally reported and fixed by Carlo Wood (origin unknown).
+ Reported-by: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/b9d25f9a6b3ca791385b80a6a3c3fa5ae113e1e0#co
+ mmitcomment-25205058
+ Closes #2019
+
+- curl_fnmatch: return error on illegal wildcard pattern
- Bug: https://github.com/curl/curl/issues/627
- Reported-by: Rider Linden
+ ... instead of doing an infinite loop!
- Closes https://github.com/curl/curl/pull/1075
- Participation-by: nopjmp@users.noreply.github.com
-
-Daniel Stenberg (13 Oct 2016)
-- vtls: only re-use session-ids using the same scheme
+ Added test 1162 to verify.
- To make it harder to do cross-protocol mistakes
+ Reported-by: Max Dymond
+ Fixes #2015
+ Closes #2017
-Jay Satiro (11 Oct 2016)
-- [Torben Dannhauer brought this change]
+- [Max Dymond brought this change]
- dist: add missing cmake modules to the tarball
+ wildcards: don't use with non-supported protocols
- Closes https://github.com/curl/curl/pull/1070
-
-Daniel Stenberg (11 Oct 2016)
-- configure: detect the broken poll() in macOS 10.12
+ Fixes timeouts in the fuzzing tests for non-FTP protocols.
- Fixes #1057
+ Closes #2016
-- dist: remove PDF and HTML converted docs from the releases
+- [Max Dymond brought this change]
-- [Remo E brought this change]
-
- cmake: add nghttp2 support
+ multi: allow table handle sizes to be overridden
- Closes #922
-
-- [Andreas Streichardt brought this change]
-
- resolve: add error message when resolving using SIGALRM
+ Allow users to specify their own hash define for
+ CURL_CONNECTION_HASH_SIZE so that both values can be overridden.
- Closes #1066
+ Closes #1982
-- GIT-INFO: remove the Mac 10.1-specific details
+- time: rename Curl_tvnow to Curl_now
- There shouldn't be many devs out there anymore using such outdated macOS
- versions. And it removes the dead link.
+ ... since the 'tv' stood for timeval and this function does not return a
+ timeval struct anymore.
- Closes #1049
-
-- RELEASE-NOTES: spellfix
-
-- RELEASE-NOTES: synced with 82720490628cb53a
+ Also, cleaned up the Curl_timediff*() functions to avoid typecasts and
+ clean up the descriptive comments.
- 5 more fixes, 2 more contributors
-
-- [Tobias Stoeckmann brought this change]
+ Closes #2011
- smb: properly check incoming packet boundaries
-
- Not all reply messages were properly checked for their lengths, which
- made it possible to access uninitialized memory (but this does not lead
- to out of boundary accesses).
-
- Closes #1052
+- ftplistparser: follow-up cleanup to remove PL_ERROR()
-- test557: verify printf() with 128 and 129 arguments
+- [Max Dymond brought this change]
-- mprintf: return error on too many arguments
+ ftplistparser: free off temporary memory always
- 128 arguments should be enough for everyone
+ When using the FTP list parser, ensure that the memory that's
+ allocated is always freed.
+
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3682
+ Closes #2013
-- ftp: fix Curl_ftpsendf()
+- timediff: return timediff_t from the time diff functions
- ... it no longer takes printf() arguments since it was only really taken
- advantage by one user and it was not written and used in a safe
- way. Thus the 'f' is removed from the function name and the proto is
- changed.
+ ... to cater for systems with unsigned time_t variables.
- Although the current code wouldn't end up in badness, it was a risk that
- future changes could end up springf()ing too large data or passing in a
- format string inadvertently.
-
-- formpost: avoid silent snprintf() truncation
+ - Renamed the functions to curlx_timediff and Curl_timediff_us.
- The previous use of snprintf() could make libcurl silently truncate some
- input data and not report that back on overly large input, which could
- make data get sent over the network in a bad format.
+ - Added overflow protection for both of them in either direction for
+ both 32 bit and 64 bit time_ts
- Example:
+ - Reprefixed the curlx_time functions to use Curl_*
- $ curl --form 'a=b' -H "Content-Type: $(perl -e 'print "A"x4100')"
+ Reported-by: Peter Piekarski
+ Fixes #2004
+ Closes #2005
-- TODO: build: Enable PIE and RELRO by default
+- [Paul Howarth brought this change]
-- TODO: Support better than MD5 hostkey hash (for ssh)
+ libtest: Add required test libraries for lib1552 and lib1553
+
+ They use $(TESTUTIL) and thus should use $(TESTUTIL_LIBS) too.
+
+ This fixes build failures on Fedora 13.
+
+ Closes #2006
-- [Daniel Gustafsson brought this change]
+- [Alessandro Ghedini brought this change]
- tests: Fix a small typo in the tests README (#1060)
+ libcurl-tutorial.3: fix typo
- The subdirectory for logs in tests/ is named log/ without an 's'
- at the end.
+ closes #2008
-- TODO: Introduce --fail-fast to exit on first transfer fail
-
- See #1054
+Alessandro Ghedini (23 Oct 2017)
+- curl_mime_filedata.3: fix typos
-- TODO: Leave secure cookies alone
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: clean slate towards 7.57.0
-- [Rainer Müller brought this change]
+- [Max Dymond brought this change]
- CURLOPT_DEBUGFUNCTION.3: unused argument warning (#1056)
+ travis: exit if any steps fail
- The 'userp' argument is unused in this example code.
-
-- TODO: TCP Fast Open for windows
+ We don't expect any steps to fail in travis. Exit the script if they do.
+
+ Closes #1966
-- RELEASE-NOTES: synced with 8fd2a754f0de
+Version 7.56.1 (23 Oct 2017)
-- CURLOPT_KEEP_SENDING_ON_ERROR.3: mention when it is added
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: 7.56.1
-- memdup: use 'void *' as return and source type
+- THANKS: update at 7.56.1 release time
-- TODO: Add easy argument to formpost functions
+- [Jon DeVree brought this change]
-- formpost: trying to attach a directory no longer crashes
+ mk-ca-bundle: Remove URL for aurora
- The error path would previously add a freed entry to the linked list.
+ Aurora is no longer used by Mozilla
+ https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/
+
+- [Jon DeVree brought this change]
+
+ mk-ca-bundle: Fix URL for NSS
- Reported-by: Toby Peterson
+ The 'tip' is the most recent branch committed to, this should be
+ 'default' like the URLs for the browser are.
- Fixes #1053
+ Closes #1998
-- [Sergei Kuzmin brought this change]
+- imap: if a FETCH response has no size, don't call write callback
+
+ CVE-2017-1000257
+
+ Reported-by: Brian Carpenter and 0xd34db347
+ Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
- cookies: same domain handling changed to match browser behavior
+- ftp: reject illegal IP/port in PASV 227 response
- Cokie with the same domain but different tailmatching property are now
- considered different and do not replace each other. If header contains
- following lines then two cookies will be set: Set-Cookie: foo=bar;
- domain=.foo.com; expires=Thu Mar 3 GMT 8:56:27 2033 Set-Cookie: foo=baz;
- domain=foo.com; expires=Thu Mar 3 GMT 8:56:27 2033
+ ... by using range checks. Among other things, this avoids an undefined
+ behavior for a left shift that could happen on negative or very large
+ values.
- This matches Chrome, Opera, Safari, and Firefox behavior. When sending
- stored tokens to foo.com Chrome, Opera, Firefox store send them in the
- stored order, while Safari pre-sort the cookies.
+ Closes #1997
- Closes #1050
-
-- [Stephen Brokenshire brought this change]
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694
- FAQ: Fix typos in section 5.14 (#1047)
+Patrick Monnerat (20 Oct 2017)
+- test653: check reuse of easy handle after mime data change
- Type required for YourClass::func C++ function (using size_t in line
- with the documentation for CURLOPT_WRITEFUNCTION) and missing second
- colon when specifying the static function for CURLOPT_WRITEFUNCTION.
+ See issue #1999
-- [Sebastian Mundry brought this change]
+- mime: do not reuse previously computed multipart size
+
+ The contents might have changed: size must be recomputed.
+
+ Reported-by: moteus on github
+ Fixes #1999
- KNOWN_BUGS: Fix typos in section 5.8.
+- test308: disable if MultiSSL feature enabled
- Closes #1046
+ Even if OpenSSL is enabled, it might not be the default backend when
+ multi-ssl is enabled, causing the test to fail.
-- [mundry brought this change]
+- runtests: support MultiSSL client feature
- CONTRIBUTE.md: Fix typo in 'About pull requests' section. (#1045)
+- vtls: change struct Curl_ssl `close' field name to `close_one'.
+
+ On OS/400, `close' is an ASCII system macro that corrupts the code if
+ not used in a context not targetting the close() system API.
-- curl.1: --trace supports % for sending to stderr!
+- os400: add missing symbols in config file.
+
+ Also adjust makefile to renamed files and warn about installation dirs mix-up.
-- KNOWN_BUGS: 5.8 configure finding libs in wrong directory
+- test652: curl_mime_data + base64 encoder with large contents
-Dan Fandrich (24 Sep 2016)
-- configure: Fixed builds with libssh2 in a custom location
-
- A libssh2 library in the standard system location was being used in
- preference to the desired one while linking.
+- mime: limit bas64-encoded lines length to 76 characters
-Daniel Stenberg (23 Sep 2016)
-- SECURITY: remove the top ascii logo
+Daniel Stenberg (16 Oct 2017)
+- RELEASE-NOTES: synced with f121575c0
-Michael Kaufmann (22 Sep 2016)
-- New libcurl option to keep sending on error
+- setopt: range check most long options
- Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether
- sending the request body shall be completed when the server responds
- early with an error status code.
+ ... filter early instead of risking "funny values" having to be dealt
+ with elsewhere.
+
+- setopt: avoid integer overflows when setting millsecond values
- This is suitable for manual NTLM authentication.
+ ... that are multiplied by 1000 when stored.
- Reviewed-by: Jay Satiro
+ For 32 bit long systems, the max value accepted (2147483 seconds) is >
+ 596 hours which is unlikely to ever be set by a legitimate application -
+ and previously it didn't work either, it just caused undefined behavior.
- Closes https://github.com/curl/curl/pull/904
-
-Kamil Dudka (22 Sep 2016)
-- nss: add chacha20-poly1305 cipher suites if supported by NSS
-
-- nss: add cipher suites using SHA384 if supported by NSS
-
-- nss: fix typo in ecdhe_rsa_null cipher suite string
+ Also updated the man pages for these timeout options to mention the
+ return code.
- As it seems to be a rarely used cipher suite (for securely established
- but _unencrypted_ connections), I believe it is fine not to provide an
- alias for the misspelled variant.
+ Closes #1938
-Jay Satiro (21 Sep 2016)
-- docs: Remove that --proto is just used for initial retrieval
+Viktor Szakats (15 Oct 2017)
+- makefile.m32: allow to override gcc, ar and ranlib
- .. and add that --proto-redir and CURLOPT_REDIR_PROTOCOLS do not
- override protocols denied by --proto and CURLOPT_PROTOCOLS.
+ Allow to ovverride certain build tools, making it possible to
+ use LLVM/Clang to build curl. The default behavior is unchanged.
+ To build with clang (as offered by MSYS2), these settings can
+ be used:
- - Add a test to enforce: --proto deny must override --proto-redir allow
+ CURL_CC=clang
+ CURL_AR=llvm-ar
+ CURL_RANLIB=llvm-ranlib
- Closes https://github.com/curl/curl/pull/1031
+ Closes https://github.com/curl/curl/pull/1993
-Daniel Stenberg (21 Sep 2016)
-- dist: add CurlSymbolHiding.cmake to the tarball
+- ldap: silence clang warning
- Follow-up to 6140dfcf3e784
+ Use memset() to initialize a structure to avoid LLVM/Clang warning:
+ ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers]
- Reported-by: Alexander Sinditskiy
+ Closes https://github.com/curl/curl/pull/1992
-- curl_global_cleanup.3: don't unload the lib with sub threads running
-
- Discussed in #997
+Daniel Stenberg (14 Oct 2017)
+- runtests: use valgrind for torture as well
- Assisted-by: Jay Satiro
+ NOTE: it makes them terribly slow. I recommend only using valgrind for
+ specific torture tests or using lots of patience.
-- MAIL-ETIQUETTE: language
+- memdebug: trace send, recv and socket
+
+ ... to allow them to be included in torture tests too.
+
+ closes #1980
-Jay Satiro (20 Sep 2016)
-- easy: Reset all statistical session info in curl_easy_reset
+- configure: remove the C++ compiler check
- Bug: https://github.com/curl/curl/issues/1017
- Reported-by: Jeroen Ooms
+ ... we used it only for the fuzzer, which we now have in a separate git
+ repo.
+
+ Closes #1990
-Daniel Stenberg (19 Sep 2016)
-- RELEASE-NOTES: synced with 79607eec51055
+Patrick Monnerat (13 Oct 2017)
+- mime: do not call failf() if easy handle is NULL.
-Jay Satiro (19 Sep 2016)
-- [Daniel Gustafsson brought this change]
+Daniel Stenberg (13 Oct 2017)
+- test651: curl_formadd with huge COPYCONTENTS
- darwinssl: Fix typo in comment
+- mime: fix the content reader to handle >16K data properly
- Closes https://github.com/curl/curl/pull/1028
-
-Daniel Stenberg (19 Sep 2016)
-- [Bernard Spil brought this change]
+ Reported-by: Jeroen Ooms
+ Closes #1988
- libressl: fix version output
-
- LibreSSL defines `OPENSSL_VERSION_NUMBER` as `0x20000000L` for all
- versions returning `LibreSSL/2.0.0` for any LibreSSL version.
+Patrick Monnerat (12 Oct 2017)
+- mime: keep "text/plain" content type if user-specified.
- This change provides a local OpenSSL_version_num function replacement
- returning LIBRESSL_VERSION_NUMBER instead.
-
- Closes #1029
-
-- [rugk brought this change]
-
- TODO: Add PINNEDPUBLICKEY - HPKP compatibility, HSTS & HPKP
+ Include test cases in 554, 587, 650.
- Closes #1025
- Closes #1026
- Closes #1027
+ Fixes https://github.com/curl/curl/issues/1986
-- openssl: don't call ERR_remote_thread_state on >= 1.1.0
+- cli tool: use file2memory() to buffer stdin in -F option.
- Follow-up fix to d9321562
+ Closes PR https://github.com/curl/curl/pull/1985
-- openssl: don’t call CRYTPO_cleanup_all_ex_data
+- cli tool: reimplement stdin buffering in -F option.
- The OpenSSL function CRYTPO_cleanup_all_ex_data() cannot be called
- multiple times without crashing - and other libs might call it! We
- basically cannot call it without risking a crash. The function is a
- no-op since OpenSSL 1.1.0.
+ If stdin is not a regular file, its content is memory-buffered to enable
+ a possible data "rewind".
+ In all cases, stdin data size is determined before real use to avoid
+ having an unknown part's size.
- Not calling this function only risks a small memory leak with OpenSSL <
- 1.1.0.
+ --libcurl generated code is left as an unbuffered stdin fread/fseek callback
+ part with unknown data size.
- Bug: https://curl.haxx.se/mail/lib-2016-09/0045.html
- Reported-by: Todd Short
-
-- TODO: Support SSLKEYLOGFILE
+ Buffering is not supported in deprecated curl_formadd() API.
-Jay Satiro (18 Sep 2016)
-- CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
+Daniel Stenberg (12 Oct 2017)
+- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2
-Nick Zitzmann (18 Sep 2016)
-- darwinssl: disable RC4 cipher-suite support
+- HELP-US: the label "PR-welcome" is now renamed to "help wanted"
- RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
+ following the new github "standard"
-- configure: change "iOS/Mac OS X native" to "Apple OS native"
-
- Since I first wrote that text, Apple introduced tvOS and watchOS, and renamed "Mac OS X" to "macOS." Let's make the text a little more inclusive, since curl can be built for all four operating systems.
+- RELEASE-NOTES: synced with 5505df7d2
-Jay Satiro (18 Sep 2016)
-- test2048: fix url
+Jay Satiro (11 Oct 2017)
+- [Artak Galoyan brought this change]
-- examples/imap-append: Set size of data to be uploaded
+ url: Update current connection SSL verify params in setopt
+
+ Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active
+ connection updates the current connection's (i.e.'connectdata'
+ structure) appropriate ssl_config (and ssl_proxy_config) structures
+ variables, making these options effective for ongoing connection.
- Prior to this commit this example failed with error
- 'Cannot APPEND with unknown input file size'.
+ This functionality was available before and was broken by the
+ following change:
+ "proxy: Support HTTPS proxy and SOCKS+HTTP(s)"
+ CommitId: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151.
- Bug: https://github.com/curl/curl/issues/1008
- Reported-by: lukaszgn@users.noreply.github.com
+ Bug: https://github.com/curl/curl/issues/1941
- Closes https://github.com/curl/curl/pull/1011
+ Closes https://github.com/curl/curl/pull/1951
-Daniel Stenberg (16 Sep 2016)
-- [Tony Kelman brought this change]
+Daniel Stenberg (11 Oct 2017)
+- [David Benjamin brought this change]
- LICENSE-MIXING.md: update with mbedTLS dual licensing
+ openssl: don't use old BORINGSSL_YYYYMM macros
- Recent versions of mbedTLS are available under either Apache 2.0 or GPL
- 2.0, see https://tls.mbed.org/how-to-get
+ Those were temporary things we'd add and remove for our own convenience
+ long ago. The last few stayed around for too long as an oversight but
+ have since been removed. These days we have a running
+ BORINGSSL_API_VERSION counter which is bumped when we find it
+ convenient, but 2015-11-19 was quite some time ago, so just check
+ OPENSSL_IS_BORINGSSL.
- Closes #1019
+ Closes #1979
-- KNOWN_BUGS: chunked-encoded requests with HTTP/2 is fixed
+- test950; verify SMTP with custom request
-- http2: debug ouput sent HTTP/2 request headers
+- ftpserver: support case insensitive commands
-- http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
+- smtp_done: free data before returning (on send failure)
- ... but don't send the actual header over the wire as it isn't accepted.
- Chunked uploading is still triggered using this method.
+ ... as otherwise it could leak that memory.
- Fixes #1013
- Fixes #662
+ Detected by OSS-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600
+
+ Assisted-by: Max Dymond
+ Closes #1977
-- openssl: fix per-thread memory leak usiong 1.0.1 or 1.0.2
+- FTP: URL decode path for dir listing in nocwd mode
+
+ Reported-by: Zenju on github
- OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
- so we need to clean it when easy handles are freed, in case the thread
- will be killed in which the easy handle was used. All OpenSSL code in
- libcurl should extract the error in association with the error already
- so clearing this queue here should be harmless at worst.
+ Test 244 added to verify
+ Fixes #1974
+ Closes #1976
+
+- test298: verify --ftp-method nowcwd with URL encoded path
- Fixes #964
+ Ref: #1974
-- RELEASE-NOTES: reset and go toward 7.51.0 (again)
+- CURLOPT_XFERINFODATA.3: fix duplicate see also
-Version 7.50.3 (14 Sep 2016)
+- CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
-Daniel Stenberg (14 Sep 2016)
-- THANKS: updated with curl 7.50.3 contributors
+- FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
-- RELEASE-NOTES: curl 7.50.3
+- openssl: enable PKCS12 support for !BoringSSL
+
+ Enable PKCS12 for all non-boringssl builds without relying on configure
+ or cmake checks.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html
+ Reported-by: Christian Schmitz
+ Closes #1948
-- test1605: verify negative input lengths to (un)escape functions
+- [Kristiyan Tsaklev brought this change]
-- curl_easy_unescape: deny negative string lengths as input
+ curl: don't pass semicolons when parsing Content-Disposition
- CVE-2016-7167
+ Test 1422 updated to verify.
- Bug: https://curl.haxx.se/docs/adv_20160914.html
+ Closes #1964
-- curl_easy_escape: deny negative string lengths as input
+Patrick Monnerat (9 Oct 2017)
+- mime: properly unbind mime structure in curl_mime_free().
- CVE-2016-7167
+ This allows freeing a mime structure bound to the easy handle before
+ curl_easy_cleanup().
- Bug: https://curl.haxx.se/docs/adv_20160914.html
+ Fixes #1970.
-- curl: make --create-dirs on windows grok both forward and backward slashes
+Daniel Stenberg (9 Oct 2017)
+- RTSP: avoid integer overflow on funny RTSP response
+
+ ... like a very large non-existing RTSP version number.
- Reported-by: Ryan Scott
+ Added test 577 to verify.
- Fixes #1007
+ Detected by OSS-fuzz.
+ Closes #1969
-- RELEASE-NOTES: synced with 665694979b6
+Patrick Monnerat (8 Oct 2017)
+- ftpserver: properly reset $ftptargetdir.
-- [Tony Kelman brought this change]
+- test643: verify curl_mime_subparts() rejects cyclic additions.
- mbedtls: switch off NTLM in build if md4 isn't available
+- mime: refuse to add subparts to one of their own descendants.
- NTLM support with mbedTLS was added in 497e7c9 but requires that mbedTLS
- is built with the MD4 functions available, which it isn't in default
- builds. This now adapts if the funtion isn't there and builds libcurl
- without NTLM support if so.
-
- Fixes #1004
+ Reported-by: Alexey Melnichuk
+ Fixes #1962
-Jay Satiro (12 Sep 2016)
-- CODE_STYLE: fix long-line guideline
-
- - Change maximum allowed line length from 80 to 79.
+- mime: avoid resetting a part's encoder when part's contents change.
-- CODE_STYLE: add column alignment section
+- mime: improve unbinding top multipart from easy handle.
- Note that since the added examples are for column alignment I had to
- encapsulate with ~~~c markdown to preserve their alignment.
+ Also avoid dangling pointers in referencing parts.
-Peter Wu (11 Sep 2016)
-- cmake: fix curl-config --static-libs
-
- The `curl-config --static-libs` command should not output paths like
- -l/usr/lib/libssl.so, instead print the absolute path without `-l`.
-
- This also removes the confusing message "Static linking is broken" which
- was printed because curl-config --static-libs was disfunctional even
- though the static libcurl.a library works properly.
-
- Fixes https://github.com/curl/curl/issues/841
+Daniel Stenberg (8 Oct 2017)
+- RELEASE-NOTES: synced with a4c1c75da30af1
+
+- curlver.h: next expected release is 7.57.0
-Daniel Stenberg (11 Sep 2016)
-- http: refuse to pass on response body with NO_NODY was set
+Patrick Monnerat (8 Oct 2017)
+- mime: be tolerant about setting twice the same header list in a part.
+
+- docs: clarify form/mime usage of non-regular data files.
+
+Daniel Stenberg (8 Oct 2017)
+- Revert "multi_done: wait for name resolve to finish if still ongoing"
- ... like when a HTTP/0.9 response comes back without any headers at all
- and just a body this now prevents that body from being sent to the
- callback etc.
+ This reverts commit f3e03f6c0ac52a1bf396e03f7d7e9b5b3b7165fe.
- Adapted test 1144 to verify.
+ Caused memory leaks in the fuzzer, needs to be done differently.
- Fixes #973
+ Disable test 1553 for now too, as it causes memory leaks without this
+ commit!
+
+- remove_handle: call multi_done() first, then clear dns cache pointer
- Assisted-by: Ray Satiro
+ Closes #1960
-- RELEASE-NOTES: synced with 257bf3ac67eb6
+- multi_done: wait for name resolve to finish if still ongoing
+
+ ... as we must clean up memory.
-Jakub Zakrzewski (10 Sep 2016)
-- CMake: Don't build unit tests if private symbols are hidden
+- pingpong: return error when trying to send without connection
- This only excludes building unit tests from default build ( 'all' Make
- target or "Build Solution" in VisualStudio). The projects and Make
- targets will still be generated and shown in supporting IDEs.
+ When imap_done() got called before a connection is setup, it would try
+ to "finish up" and dereffed a NULL pointer.
- Fixes https://github.com/curl/curl/issues/981
- Reported-by: Randy Armstrong
+ Test case 1553 managed to reproduce. I had to actually use a host name
+ to try to resolve to slow it down, as using the normal local server IP
+ will make libcurl get a connection in the first curl_multi_perform()
+ loop and then the bug doesn't trigger.
- Closes https://github.com/curl/curl/pull/990
+ Fixes #1953
+ Assisted-by: Max Dymond
-- CMake: Try to (un-)hide private library symbols
-
- Detect support for compiler symbol visibility flags and apply those
- according to CURL_HIDDEN_SYMBOLS option.
- It should work true to the autotools build except it tries to unhide
- symbols on Windows when requested and prints warning if it fails.
+Dan Fandrich (6 Oct 2017)
+- tests: added flaky keyword to tests 587 and 644
- Ref: https://github.com/curl/curl/issues/981#issuecomment-242665951
- Reported-by: Daniel Stenberg
+ These are around 5% flaky in my Linux x86 autobuilds.
-Daniel Stenberg (9 Sep 2016)
-- openssl: fix bad memory free (regression)
-
- ... by partially reverting f975f06033b1. The allocation could be made by
- OpenSSL so the free must be made with OPENSSL_free() to avoid problems.
+Marcel Raad (6 Oct 2017)
+- vtls: fix warnings with --disable-crypto-auth
- Reported-by: Harold Stuart
- Fixes #1005
+ When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters
+ are not used.
-- http2: support > 64bit sized uploads
+Daniel Stenberg (6 Oct 2017)
+- multi_cleanup: call DONE on handles that never got that
- ... by making sure we don't count down the "upload left" counter when the
- uploaded size is unknown and then it can be allowed to continue forever.
+ ... fixes a memory leak with at least IMAP when remove_handle is never
+ called and the transfer is abruptly just abandoned early.
- Fixes #996
+ Test 1552 added to verify
+
+ Detected by OSS-fuzz
+ Assisted-by: Max Dymond
+ Closes #1954
+
+- [Benbuck Nason brought this change]
-Jay Satiro (7 Sep 2016)
-- errors: new alias CURLE_WEIRD_SERVER_REPLY (8)
+ strtoofft: Remove extraneous null check
- Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as
- more of a generic "failed to parse" introduce an alias without FTP in
- the name.
+ Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str'
+ argument.
- Closes https://github.com/curl/curl/pull/975
-
-Daniel Stenberg (7 Sep 2016)
-- bump: toward 7.51.0
+ Closes #1952
-- HISTORY: remove ascii logo to render nicer on web
+- openssl: fix build without HAVE_OPAQUE_EVP_PKEY
+
+ Reported-by: Javier Sixto
+ Fixes #1955
+ Closes #1956
-- curl: whitelist use of strtok() in non-threaded context
+Viktor Szakats (6 Oct 2017)
+- lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
+
+ The source code is now prepared to handle the case when both
+ Win32 Crypto and OpenSSL/NSS crypto backends are enabled
+ at the same time, making it now possible to enable `USE_WIN32_CRYPTO`
+ whenever the targeted Windows version supports it. Since this
+ matches the minimum Windows version supported by curl
+ (Windows 2000), enable it unconditionally for the Win32 platform.
+
+ This in turn enables SMB (and SMBS) protocol support whenever
+ Win32 Crypto is available, regardless of what other crypto backends
+ are enabled.
+
+ Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052
+
+ Closes https://github.com/curl/curl/pull/1943
-- checksrc: detect strtok() use
+Daniel Stenberg (5 Oct 2017)
+- build: fix --disable-crypto-auth
- ... as that function slipped through once before.
+ Reported-by: Wyatt O'Day
+ Fixes #1945
+ Closes #1947
-GitHub (7 Sep 2016)
-- [Viktor Szakats brought this change]
+Jay Satiro (5 Oct 2017)
+- [Nick Zitzmann brought this change]
- mk-ca-bundle.pl: use SHA256 instead of SHA1
+ darwinssl: add support for TLSv1.3
- This hash is used to verify the original downloaded certificate bundle
- and also included in the generated bundle's comment header. Also
- rename related internal symbols to algorithm-agnostic names.
+ Closes https://github.com/curl/curl/pull/1794
-Version 7.50.2 (7 Sep 2016)
+Daniel Stenberg (4 Oct 2017)
+- [Felix Kaiser brought this change]
-Daniel Stenberg (7 Sep 2016)
-- RELEASE-NOTES: curl 7.50.2 release
+ docs: fix typo in curl_mime_data_cb man page
+
+ Closes #1946
-- THANKS: updated for 7.50.2
+Viktor Szakats (4 Oct 2017)
+- lib/Makefile.m32: allow customizing dll suffixes
+
+ - New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated
+ libcurl dll name. Useful to add `-x64` to 64-bit builds so that
+ it can live in the same directory as the 32-bit one. By default
+ this is empty.
+
+ - New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the
+ generated import library (implib) for libcurl .dll. It defaults
+ to `dll`, and it's useful to modify that to `.dll` to have the
+ standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`.
+
+ Closes https://github.com/curl/curl/pull/1942
-Jay Satiro (6 Sep 2016)
-- [Gaurav Malhotra brought this change]
+Daniel Stenberg (4 Oct 2017)
+- [Max Dymond brought this change]
- openssl: fix CURLINFO_SSL_VERIFYRESULT
+ fuzzer: move to using external curl-fuzzer
- CURLINFO_SSL_VERIFYRESULT does not get the certificate verification
- result when SSL_connect fails because of a certificate verification
- error.
+ Use the external curl-fuzzer repository for fuzzing.
- This fix saves the result of SSL_get_verify_result so that it is
- returned by CURLINFO_SSL_VERIFYRESULT.
-
- Closes https://github.com/curl/curl/pull/995
+ Closes #1923
-Daniel Stenberg (6 Sep 2016)
-- [Daniel Gustafsson brought this change]
+- failf: skip the sprintf() if there are no consumers
+
+ Closes #1936
- darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)
+- ftp: UBsan fixup 'pointer index expression overflowed'
- While noErr and errSecSuccess are defined as the same value, the API
- documentation states that SecPKCS12Import() returns errSecSuccess if
- there were no errors in importing. Ensure that a future change of the
- defined value doesn't break (however unlikely) and be consistent with
- the API docs.
+ Closes #1939
-- [Daniel Gustafsson brought this change]
+- RELEASE-PROCEDURE: update the release schedule
- docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994)
+Version 7.56.0 (4 Oct 2017)
-- [Marcel Raad brought this change]
+Daniel Stenberg (4 Oct 2017)
+- RELEASE-NOTES: curl 7.56.0
- openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L
-
- With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup
- functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The
- replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and
- OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is
- now called OpenSSL_version_num().
-
- [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html
- [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
+- THANKS: added new 7.56.0 contributors
+
+Jay Satiro (4 Oct 2017)
+- build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported
- Closes #992
+ Ref: https://github.com/curl/curl/issues/1002
-- RELEASE-NOTES: synced with 3d4c0c8b9bc1d
+Michael Kaufmann (3 Oct 2017)
+- idn: fix source code comment
-- http2: return EOF when done uploading without known size
+- vtls: compare and clone ssl configs properly
+
+ Compare these settings in Curl_ssl_config_matches():
+ - verifystatus (CURLOPT_SSL_VERIFYSTATUS)
+ - random_file (CURLOPT_RANDOM_FILE)
+ - egdsocket (CURLOPT_EGDSOCKET)
+
+ Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(),
+ and copy the setting "sessionid" unconditionally.
+
+ This means that reusing connections that are secured with a client
+ certificate is now possible, and the statement "TLS session resumption
+ is disabled when a client certificate is used" in the old advisory at
+ https://curl.haxx.se/docs/adv_20170419.html is obsolete.
+
+ Reviewed-by: Daniel Stenberg
- Fixes #982
+ Closes #1917
-- http2: skip the content-length parsing, detect unknown size
+- proxy: read the "no_proxy" variable only if necessary
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #1919
-- http2: minor white space edit
+Patrick Monnerat (3 Oct 2017)
+- libcurl-tutorial: add casts in example to avoid compilation warnings.
-- http2: use named define instead of magic constant in read callback
+Daniel Stenberg (3 Oct 2017)
+- examples: bring back curl_formadd-using examples
+
+ ... now with a -formadd suffix. While the new mime API is introduced in
+ 7.56.0 we must acknowledge that lots of users can't upgrade their curl
+ versions immediately.
-- [Craig Davison brought this change]
+- test1153: verify quoted double-qoutes in PWD response
- configure: make the cpp -P detection not clobber CPPFLAGS
+- FTP: zero terminate the entry path even on bad input
- CPPPFLAGS is now CPPPFLAG. Fixes CURL_CHECK_DEF.
+ ... a single double quote could leave the entry path buffer without a zero
+ terminating byte. CVE-2017-1000254
- Fixes #958
+ Test 1152 added to verify.
+
+ Reported-by: Max Dymond
+ Bug: https://curl.haxx.se/docs/adv_20171004.html
-- [Olivier Brunel brought this change]
+Jay Satiro (2 Oct 2017)
+- [Sergei Nikulov brought this change]
- speed caps: not based on average speeds anymore
+ cmake: disable tests and man generation if perl/nroff not found
- Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
- CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
- with the cumulative average speed of the entire transfer; While this
- might work at times with good/constant connections, in other cases it
- can result to the limits simply being "ignored" for more than "short
- bursts" (as told in man page).
+ Fixes https://github.com/curl/curl/issues/1500
+ Reported-by: Jay Satiro
- Consider a download that goes on much slower than the limit for some
- time (because bandwidth is used elsewhere, server is slow, whatever the
- reason), then once things get better, curl would simply ignore the limit
- up until the average speed (since the beginning of the transfer) reached
- the limit. This could prove the limit useless to effectively avoid
- using the entire bandwidth (at least for quite some time).
+ Fixes https://github.com/curl/curl/pull/1662
+ Assisted-by: Tom Seddon
+ Assisted-by: dpull@users.noreply.github.com
+ Assisted-by: elelel@users.noreply.github.com
- So instead, we now use a "moving starting point" as reference, and every
- time at least as much as the limit as been transferred, we can reset
- this starting point to the current position. This gets a good limiting
- effect that applies to the "current speed" with instant reactivity (in
- case of sudden speed burst).
+ Closes https://github.com/curl/curl/pull/1924
+
+Patrick Monnerat (2 Oct 2017)
+- libcurl-tutorial: fix two typos.
+
+- TODO: remove deprecated form API items.
+
+- libcurl-tutorial: describe MIME API and deprecate form API.
- Closes #971
+ Include a guide to form/mime API conversion.
-- HISTORY.md: the multi socket was put in the wrong year!
+Daniel Stenberg (30 Sep 2017)
+- cookie: fix memory leak if path was set twice in header
+
+ ... this will let the second occurance override the first.
+
+ Added test 1161 to verify.
+
+ Reported-by: Max Dymond
+ Fixes #1932
+ Closes #1933
-- [Mark Hamilton brought this change]
+Dan Fandrich (30 Sep 2017)
+- test650: Use variable replacement to set the host address and port
+
+ Otherwise, the test fails when the -b test option is used to set a
+ different test port range.
- tool_helpers.c: fix comment typo (#989)
+- Set and use more necessary options when some protocols are disabled
+
+ When curl and libcurl are built with some protocols disabled, they stop
+ setting and receiving some options that don't make sense with those
+ protocols. In particular, when HTTP is disabled many options aren't set
+ that are used only by HTTP. However, some options that appear to be
+ HTTP-only are actually used by other protocols as well (some despite
+ having HTTP in the name) and should be set, but weren't. This change now
+ causes some of these options to be set and used for more (or for all)
+ protocols. In particular, this fixes tests 646 through 649 in an
+ HTTP-disabled build, which use the MIME API in the mail protocols.
-- [Mark Hamilton brought this change]
+Daniel Stenberg (29 Sep 2017)
+- test1160: verifies cookie leak for large cookies
+
+ The fix done in 20ea22ff735
- libtest/test.h: fix typo (#988)
+- cookie: fix memory leak on oversized rejection
+
+ Regression brought by 2bc230de63b
+
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513
+ Assisted-by: Max Dymond
+
+ Closes #1930
-- CURLMOPT_PIPELINING.3: language
+- [Anders Bakken brought this change]
-- CURLMOPT_PIPELINING.3: extended and clarified
+ connect: fix race condition with happy eyeballs timeout
- Especially in regards to the multiplexing part.
+ The timer should be started after conn->connecttime is set. Otherwise
+ the timer could expire without this condition being true:
+
+ /* should we try another protocol family? */
+ if(i == 0 && conn->tempaddr[1] == NULL &&
+ curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) {
+
+ Ref: #1928
-Steve Holme (31 Aug 2016)
-- curl_sspi.c: Updated function description comments
+Michael Kaufmann (28 Sep 2017)
+- docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS
- * Added description to Curl_sspi_free_identity()
- * Added parameter and return explanations to Curl_sspi_global_init()
- * Added parameter explaination to Curl_sspi_global_cleanup()
+ Closes #1922
-- README: Corrected the supported Visual Studio versions
+- docs: clarify the use of environment variables for proxy
- Missed from commit 8356022d17.
+ Closes #1921
-- KNOWN_BUGS: Move the Visual Studio project shortcomings from local README
+- http: add custom empty headers to repeated requests
+
+ Closes #1920
-- KNOWN_BUGS: Expand 6.4 to include Kerberos V5
+- reuse_conn: don't copy flags that are known to be equal
+
+ A connection can only be reused if the flags "conn_to_host" and
+ "conn_to_port" match. Therefore it is not necessary to copy these flags
+ in reuse_conn().
- ...and discuss a possible solution.
+ Closes #1918
-Daniel Stenberg (30 Aug 2016)
-- connect: fix #ifdefs for debug versions of conn/streamclose() macros
+Daniel Stenberg (27 Sep 2017)
+- curl.h: include <sys/select.h> on cygwin too
- CURLDEBUG is for the memory debugging
+ When building with -std=c++14 on cygwin, this header won't be
+ automatically included as it otherwise is.
- DEBUGBUILD is for the extra debug stuff
+ The <sys/select.h> include decision should ideally be reversed and be
+ avoided where that header file doesn't exist.
- Pointed-out-by: Steve Holme
+ Reported-by: Ian Fette
+ Fixes #1925
-- KNOWN_BUGS: mention some cmake "support gaps"
+- RELEASE-NOTES: synced with d8ab5dc50
-Nick Zitzmann (28 Aug 2016)
-- darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only
+Michael Kaufmann (24 Sep 2017)
+- tests: adjust .gitignore for new tests
+
+Jay Satiro (23 Sep 2017)
+- ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header
+
+ .. and include the core NTLM header in all NTLM-related source files.
- In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead.
+ Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
+ but did not include vtls.h where it was defined.
+
+ Closes https://github.com/curl/curl/pull/1911
-Daniel Stenberg (28 Aug 2016)
-- http2: return CURLE_HTTP2_STREAM for unexpected stream close
+Daniel Stenberg (23 Sep 2017)
+- file_range: avoid integer overflow when figuring out byte range
- Follow-up to c3e906e9cd0f, seems like a more appropriate error code
+ When trying to bump the value with one and the value is already at max,
+ it causes an integer overflow.
- Suggested-by: Jay Satiro
+ Closes #1908
+ Detected by oss-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465
+
+ Assisted-by: Max Dymond
+
+Michael Kaufmann (23 Sep 2017)
+- tests: fix a compiler warning in test 643
-- [Tatsuhiro Tsujikawa brought this change]
+Jay Satiro (23 Sep 2017)
+- symbols-in-versions: fix CURLSSLSET_NO_BACKENDS entry
+
+ - Use spaces instead of tabs as the delimiter.
+
+ Follow up to 7c52b12 which added the entry. The entry had used tabs but
+ the symbol-scan parser doesn't recognize tabs and would fail the symbol.
- http2: handle closed streams when uploading
+Viktor Szakats (22 Sep 2017)
+- metalink: fix NSS issue in MultiSSL builds
- Fixes #986
+ In MultiSSL mode (i.e. when more than one SSL backend is compiled
+ in), we cannot use the compile time flag `USE_NSS` as indicator that
+ the NSS backend is in use. As far as Metalink is concerned, the SSL
+ backend is only used for MD5, SHA-1 and SHA-256 calculations,
+ therefore one of the available SSL backends is selected at compile
+ time, in a strict order of preference.
+
+ Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used
+ to determine whether the SSL backend used for Metalink is the NSS
+ backend, and use that to guard the code that wants to de-initialize
+ the NSS-specific data structure.
+
+ Ref: https://github.com/curl/curl/pull/1848
-- http2: make sure stream errors don't needlessly close the connection
+- ntlm: use strict order for SSL backend #if branches
+
+ With the recently introduced MultiSSL support multiple SSL backends
+ can be compiled into cURL That means that now the order of the SSL
+
+ One option would be to use the same SSL backend as was configured
+ via `curl_global_sslset()`, however, NTLMv2 support would appear
+ to be available only with some SSL backends. For example, when
+ eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
+ support for NTLMv1 using Windows' Crypt API, it specifically did
+ *not* introduce NTLMv2 support using Crypt API at the same time.
- With HTTP/2 each transfer is made in an indivial logical stream over the
- connection, making most previous errors that caused the connection to get
- forced-closed now instead just kill the stream and not the connection.
+ So let's select one specific SSL backend for NTLM support when
+ compiled with multiple SSL backends, using a priority order such
+ that we support NTLMv2 even if only one compiled-in SSL backend can
+ be used for that.
- Fixes #941
+ Ref: https://github.com/curl/curl/pull/1848
-- Curl_verify_windows_version: minor edit to avoid compiler warnings
+Daniel Stenberg (22 Sep 2017)
+- symbols-in-versions: add CURLSSLSET_NO_BACKENDS
- ... instead of if() before the switch(), add a default to the switch so
- that the compilers don't warn on "warning: enumeration value
- 'PLATFORM_DONT_CARE' not handled in switch" anymore.
+ ...fixup from b8e0fe19ec
-Steve Holme (27 Aug 2016)
-- RELEASE-NOTES: Added missing fix from commit 15592143f
+- imap: quote atoms properly when escaping characters
+
+ Updates test 800 to verify
+
+ Fixes #1902
+ Closes #1903
-Jay Satiro (26 Aug 2016)
-- schannel: Disable ALPN for Wine since it is causing problems
+- tests: make the imap server not verify user+password
- - Disable ALPN on Wine.
+ ... as the test cases themselves do that and it makes it easier to add
+ crazy test cases.
- - Don't pass input secbuffer when ALPN is disabled.
+ Test 800 updated to use user name + password that need quoting.
- When ALPN support was added a change was made to pass an input secbuffer
- to initialize the context. When ALPN is enabled the buffer contains the
- ALPN information, and when it's disabled the buffer is empty. In either
- case this input buffer caused problems with Wine and connections would
- not complete.
+ Test 856 updated to trigger an auth fail differently.
- Bug: https://github.com/curl/curl/issues/983
- Reported-by: Christian Fillion
+ Ref: #1902
-Kamil Dudka (26 Aug 2016)
-- [Peter Wang brought this change]
-
- nss: work around race condition in PK11_FindSlotByName()
+- vtls: provide curl_global_sslset() even in non-SSL builds
- Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
- a multi-threaded environment. The underlying cause is a race condition
- in nssSlot_IsTokenPresent().
+ ... it just returns error:
- Bug: https://bugzilla.mozilla.org/1297397
+ Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367
+ Reported-by: Marcel Raad
- Closes #985
+ Closes #1906
-- nss: refuse previously loaded certificate from file
+Patrick Monnerat (22 Sep 2017)
+- form/mime: field names are not allowed to contain zero-valued bytes.
- ... when we are not asked to use a certificate from file
+ Also suppress length argument of curl_mime_name() (names are always
+ zero-terminated).
+
+Daniel Stenberg (21 Sep 2017)
+- [Dirk Feytons brought this change]
-Daniel Stenberg (26 Aug 2016)
-- ftp_done: remove dead code
+ openssl: only verify RSA private key if supported
+
+ In some cases the RSA key does not support verifying it because it's
+ located on a smart card, an engine wants to hide it, ...
+ Check the flags on the key before trying to verify it.
+ OpenSSL does the same thing internally; see ssl/ssl_rsa.c
+
+ Closes #1904
-- TLS: random file/egd doesn't have to match for conn reuse
+Marcel Raad (21 Sep 2017)
+- examples/post-callback: use long for CURLOPT_POSTFIELDSIZE
+
+ Otherwise, typecheck-gcc.h warns on MinGW-w64.
-- test161: add comment for the exit code
+Patrick Monnerat (20 Sep 2017)
+- mime: rephrase the multipart output state machine (#1898) ...
+
+ ... in hope coverity will like it much.
-Dan Fandrich (26 Aug 2016)
-- test219: Add http as a required feature
+- mime: fix an explicit null dereference (#1899)
-Daniel Stenberg (25 Aug 2016)
-- [Michael Kaufmann brought this change]
+Daniel Stenberg (20 Sep 2017)
+- curl: check fseek() return code and bail on error
+
+ Detected by coverity. CID 1418137.
- HTTP: stop parsing headers when switching to unknown protocols
+- smtp: fix memory leak in OOM
- - unknown protocols probably won't send more headers (e.g. WebSocket)
- - improved comments and moved them to the correct case statements
+ Regression since ce0881edee
- Closes #899
+ Coverity CID 1418139 and CID 1418136 found it, but it was also seen in
+ torture testing.
+
+- RELEASE-NOTES: synced with 5fe85587c
+
+- [Pavel Pavlov brought this change]
-- openssl: make build with 1.1.0 again
+ cookies: use lock when using CURLINFO_COOKIELIST
- synced with OpenSSL git master commit cc06906707
+ Closes #1896
-- INTERNALS: fix title
+- [Max Dymond brought this change]
-- configure: detect zlib with our pkg-config macros
+ ossfuzz: changes before merging the generated corpora
- ... instead of relying on the pkg-config autoconf macros to be present.
+ Before merging in the oss-fuzz corpora from Google, there are some changes
+ to the fuzzer.
+ - Add a read corpus script, to display corpus files nicely.
+ - Change the behaviour of the fuzzer so that TLV parse failures all now
+ go down the same execution paths, which should reduce the size of the
+ corpora.
+ - Make unknown TLVs a failure to parse, which should decrease the size
+ of the corpora as well.
- Fixes #972 (again...)
+ Closes #1881
-Jay Satiro (25 Aug 2016)
-- http2: Remove incorrect comments
+- mime:escape_string minor clarification change
- .. also remove same from scp
+ ... as it also removes a warning with old gcc versions.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0049.html
+ Reported-by: Ben Greear
-Daniel Stenberg (23 Aug 2016)
-- [Ales Novak brought this change]
+- [Max Dymond brought this change]
- ftp: fix wrong poll on the secondary socket
-
- When we're uploading using FTP and the server issues a tiny pause
- between opening the connection to the client's secondary socket, the
- client's initial poll() times out, which leads to second poll() which
- does not wait for POLLIN on the secondary socket. So that poll() also
- has to time out, creating a long (200ms) pause.
+ ossfuzz: don't write out to stdout
- This patch adds the correct flag to the secondary socket, making the
- second poll() correctly wait for the connection there too.
+ Don't make the fuzzer write out to stdout - instead write some of the
+ contents to a memory block so we exercise the data output code but
+ quietly.
- Signed-off-by: Ales Novak <alnovak@suse.cz>
-
- Closes #978
-
-- RELEASE-NOTES: synced with 95ded2c56
+ Closes #1885
-- configure: make it work without PKG_CHECK_MODULES
+- cookies: reject oversized cookies
- With commit c2f9b78 we added a new dependency on pkg-config for
- developers which may be unwanted. This change make the configure script
- still work as before if pkg-config isn't installed, it'll just use the
- old zlib detection logic without pkg-config.
+ ... instead of truncating them.
- Reported-by: Marc Hörsken
+ There's no fixed limit for acceptable cookie names in RFC 6265, but the
+ entire cookie is said to be less than 4096 bytes (section 6.1). This is
+ also what browsers seem to implement.
- Fixes #972
-
-Marc Hoersken (21 Aug 2016)
-- Revert "KNOWN_BUGS: SOCKS proxy not working via IPv6"
+ We now allow max 5000 bytes cookie header. Max 4095 bytes length per
+ cookie name and value. Name + value together may not exceed 4096 bytes.
- This reverts commit 9cb1059f92286a6eb5d28c477fdd3f26aed1d554.
+ Added test 1151 to verify
- As discussed in #835 SOCKS5 supports IPv6 proxies and destinations.
-
-Daniel Stenberg (21 Aug 2016)
-- [Marco Deckel brought this change]
-
- win: Basic support for Universal Windows Platform apps
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
+ Reported-by: Kevin Smith
- Closes #820
+ Closes #1894
-Steve Holme (21 Aug 2016)
-- sasl: Don't use GSSAPI authentication when domain name not specified
+- travis: on mac, don't install openssl or libidn
- Only choose the GSSAPI authentication mechanism when the user name
- contains a Windows domain name or the user is a valid UPN.
+ - openssl is already installed and causes warnings when trying to
+ install again
- Fixes #718
-
-- vauth: Added check for supported SSPI based authentication mechanisms
+ - libidn isn't used these days, and homebrew doesn't seem to have a
+ libidn2 package to replace with easily
- Completing commit 00417fd66c and 2708d4259b.
+ Closes #1895
-- http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check
+- curl: make str2udouble not return values on error
- From commit 2708d4259b.
+ ... previously it would store a return value even when it returned
+ error, which could make the value get used anyway!
+
+ Reported-by: Brian Carpenter
+ Closes #1893
-Marc Hoersken (20 Aug 2016)
-- socks.c: display the hostname returned by the SOCKS5 proxy server
+Jay Satiro (18 Sep 2017)
+- socks: fix incorrect port number in SOCKS4 error message
- Instead of displaying the requested hostname the one returned
- by the SOCKS5 proxy server is used in case of connection error.
- The requested hostname is displayed earlier in the connection sequence.
+ Prior to this change it appears the SOCKS5 port parsing was erroneously
+ used for the SOCKS4 error message, and as a result an incorrect port
+ would be shown in the error message.
- The upper-value of the port is moved to a temporary variable and
- replaced with a 0-byte to make sure the hostname is 0-terminated.
+ Bug: https://github.com/curl/curl/issues/1892
+ Reported-by: Jackarain@users.noreply.github.com
-Steve Holme (20 Aug 2016)
-- urldata.h: Corrected comment for httpcode which is also populated by SMTP
-
- As of 7.25.0 and commit 5430007222.
+- [Marc Aldorasi brought this change]
-Marc Hoersken (20 Aug 2016)
-- socks.c: use Curl_printable_address in SOCKS5 connection sequence
+ schannel: Support partial send for when data is too large
- Replace custom string formatting with Curl_printable_address.
- Add additional debug and error output in case of failures.
-
-- socks.c: align SOCKS4 connection sequence with SOCKS5
+ Schannel can only encrypt a certain amount of data at once. Instead of
+ failing when too much data is to be sent at once, send as much data as
+ we can and let the caller send the remaining data by calling send again.
- Calling sscanf is not required since the raw IPv4 address is
- available and the protocol can be detected using ai_family.
-
-Steve Holme (20 Aug 2016)
-- http.c: Corrected indentation change from commit 2708d4259b
+ Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html
- Made by Visual Studio's auto-correct feature and missed by me in my own
- code reviews!
+ Closes https://github.com/curl/curl/pull/1890
-- http: Added calls to Curl_auth_is_<mechansism>_supported()
+- [David Benjamin brought this change]
+
+ openssl: add missing includes
- Hooked up the HTTP authentication layer to query the new 'is mechanism
- supported' functions when deciding what mechanism to use.
+ lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
+ their headers directly rather than relying on other OpenSSL headers
+ including things.
- As per commit 00417fd66c existing functionality is maintained for now.
+ Closes https://github.com/curl/curl/pull/1891
-Marc Hoersken (20 Aug 2016)
-- socks.c: improve verbose output of SOCKS5 connection sequence
+Daniel Stenberg (15 Sep 2017)
+- conversions: fix several compiler warnings
-- configure.ac: add missing quotes to PKG_CHECK_MODULES
+- server/getpart: provide dummy function to build conversion enabled
-Steve Holme (20 Aug 2016)
-- sasl: Added calls to Curl_auth_is_<mechansism>_supported()
-
- Hooked up the SASL authentication layer to query the new 'is mechanism
- supported' functions when deciding what mechanism to use.
+- non-ascii: use iconv() with 'char **' argument
- For now existing functionality is maintained.
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0031.html
-Daniel Stenberg (19 Aug 2016)
-- [Miroslav Franc brought this change]
+- escape.c: error: pointer targets differ in signedness
- spnego_sspi: fix memory leak in case *outlen is zero (#970)
+- docs: clarify the CURLOPT_INTERLEAVE* options behavior
-- CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex
+- [Max Dymond brought this change]
-Steve Holme (18 Aug 2016)
-- vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
+ rtsp: Segfault in rtsp.c when using WRITEDATA
- As Windows SSPI authentication calls fail when a particular mechanism
- isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
- and Negotiate to allow both HTTP and SASL authentication the opportunity
- to query support for a supported mechanism before selecting it.
+ If the INTERLEAVEFUNCTION is defined, then use that plus the
+ INTERLEAVEDATA information when writing RTP. Otherwise, use
+ WRITEFUNCTION and WRITEDATA.
- For now each function returns TRUE to maintain compatability with the
- existing code when called.
+ Fixes #1880
+ Closes #1884
-Daniel Stenberg (18 Aug 2016)
-- test1144: verify HEAD with body-only response
+Marcel Raad (15 Sep 2017)
+- [Isaac Boukris brought this change]
-Steve Holme (17 Aug 2016)
-- RELEASE-PROCEDURE: Added some more future release dates
+ tests: enable gssapi in travis-ci linux build
- ...and removed some old ones
+ Closes https://github.com/curl/curl/pull/1687
-Daniel Stenberg (17 Aug 2016)
-- [David Woodhouse brought this change]
+- [Isaac Boukris brought this change]
- curl: allow "pkcs11:" prefix for client certificates
+ tests: add initial gssapi test using stub implementation
- RFC7512 provides a standard method to reference certificates in PKCS#11
- tokens, by means of a URI starting 'pkcs11:'.
+ The stub implementation is pre-loaded using LD_PRELOAD
+ and emulates common gssapi uses (only builds if curl is
+ initially built with gssapi support).
- We're working on fixing various applications so that whenever they would
- have been able to use certificates from a file, users can simply insert
- a PKCS#11 URI instead and expect it to work. This expectation is now a
- part of the Fedora packaging guidelines, for example.
+ The initial tests are currently disabled for debug builds
+ as LD_PRELOAD is not used then.
- This doesn't work with cURL because of the way that the colon is used
- to separate the certificate argument from the passphrase. So instead of
-
- curl -E 'pkcs11:manufacturer=piv_II;id=%01' …
-
- I instead need to invoke cURL with the colon escaped, like this:
-
- curl -E 'pkcs11\:manufacturer=piv_II;id=%01' …
+ Ref: https://github.com/curl/curl/pull/1687
+
+Daniel Stenberg (15 Sep 2017)
+- test1150: verify same host fetch using different ports over proxy
- This is suboptimal because we want *consistency* — the URI should be
- usable in place of a filename anywhere, without having strange
- differences for different applications.
+ Closes #1889
+
+- URL: on connection re-use, still pick the new remote port
- This patch therefore disables the processing in parse_cert_parameter()
- when the string starts with 'pkcs11:'. It means you can't pass a
- passphrase with an unescaped PKCS#11 URI, but there's no need to do so
- because RFC7512 allows a PIN to be given as a 'pin-value' attribute in
- the URI itself.
+ ... as when a proxy connection is being re-used, it can still get a
+ different remote port.
- Also, if users are already using RFC7512 URIs with the colon escaped as
- in the above example — even providing a passphrase for cURL to handling
- instead of using a pin-value attribute, that will continue to work
- because their string will start 'pkcs11\:' and won't match the check.
+ Fixes #1887
+ Reported-by: Oli Kingshott
+
+- RELEASE-NOTES: synced with 87501e57f
+
+- code style: remove wrong uses of multiple spaces
- What *does* break with this patch is the extremely unlikely case that a
- user has a file which is in the local directory and literally named
- just "pkcs11", and they have a passphrase on it. If that ever happened,
- the user would need to refer to it as './pkcs11:<passphrase>' instead.
+ Closes #1878
+
+- checksrc: detect and warn for multiple spaces
-- nss: make the global variables static
+- code style: use space after semicolon
-- openssl: use regular malloc instead of OPENSSL_malloc
+- checksrc: verify space after semicolons
+
+- code style: use spaces around pluses
+
+- checksrc: detect and warn for lack of spaces next to plus signs
+
+- code style: use spaces around equals signs
+
+- checksrc: verify spaces around equals signs
- This allows for better memmory debugging and torture tests.
+ ... as the code style mandates.
-- proxy: fix tests as follow-up to 93b0d907d5
+- Curl_checkheaders: make it available for IMAP and SMTP too
- This fixes tests that were added after 113f04e664b as the tests would
- fail otherwise.
+ ... not only HTTP uses this now.
- We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix
- regressions with old and stupid proxies, but we could possibly switch to
- using it only for CONNECT or only for NTLM in a future if we want to
- gradually reduce it.
+ Closes #1875
+
+- travis: add build without HTTP/SMTP/IMAP
+
+Jay Satiro (10 Sep 2017)
+- mbedtls: enable CA path processing
- Fixes #954
+ CA path processing was implemented when mbedtls.c was added to libcurl
+ in fe7590f, but it was never enabled.
- Reported-by: János Fekete
+ Bug: https://github.com/curl/curl/issues/1877
+ Reported-by: SBKarr@users.noreply.github.com
-- Revert "Proxy-Connection: stop sending this header by default"
+Daniel Stenberg (8 Sep 2017)
+- rtsp: do not call fwrite() with NULL pointer FILE *
+
+ If the default write callback is used and no destination has been set, a
+ NULL pointer would be passed to fwrite()'s 4th argument.
+
+ OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327
+ (not publicly open yet)
- This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68.
+ Detected by OSS-fuzz
+ Closes #1874
-- CURLOPT_PROXY.3: unsupported schemes cause errors now
+- configure: use -Wno-varargs on clang 3.9[.X] debug builds
- Follow-up to a96319ebb9 (document the new behavior)
+ ... to avoid a clang bug
-- tests/README: mention nghttpx for HTTP/2 tests
+- [Max Dymond brought this change]
-- README.md: add our CII Best Practices badge
+ ossfuzz: add some more handled CURL options
+
+ Add support for HEADER, COOKIE, RANGE, CUSTOMREQUEST, MAIL_RECIPIENT,
+ MAIL_FROM and uploading data.
-- proxy: polished the error message for unsupported schemes
+- configure: check for C++ compiler after C, to make it non-fatal
+
+ The tests for object file/executable file extensions are presumably only
+ done for the first of these macros in the configure file.
- Follow up to a96319ebb93
+ Bug: https://github.com/curl/curl/pull/1851#issuecomment-327597515
+ Reported-by: Marcel Raad
+ Closes #1873
-- test219: verify unsupported scheme for proxies get rejected
+Patrick Monnerat (7 Sep 2017)
+- form API: add new test 650.
+
+ Now that the form API is deprecated and not used anymore in curl tool,
+ a lot of its features left untested. Test 650 attempts to check all these
+ features not tested elsewhere.
-- proxy: reject attempts to use unsupported proxy schemes
+Jay Satiro (7 Sep 2017)
+- configure: fix curl_off_t check's include order
+
+ - Prepend srcdir include path instead of append.
- I discovered some people have been using "https://example.com" style
- strings as proxy and it "works" (curl doesn't complain) because curl
- ignores unknown schemes and then assumes plain HTTP instead.
+ Prior to this change it was possible that during the check for the size
+ of curl_off_t the include path of a user's already installed curl could
+ come before the include path of the to-be-built curl, resulting in the
+ system.h of the former being incorrectly included for that check.
- I think this misleads users into believing curl uses HTTPS to proxies
- when it doesn't. Now curl rejects proxy strings using unsupported
- schemes instead of just ignoring and defaulting to HTTP.
+ Closes https://github.com/curl/curl/pull/1870
-- RELEASE-NOTES: synced with b7ee5316c2fd5b
+Daniel Stenberg (7 Sep 2017)
+- [Jakub Zakrzewski brought this change]
-Marc Hoersken (14 Aug 2016)
-- socks.c: Correctly calculate position of port in response packet
+ KNOWN_BUGS: Remove CMake symbol hiding issue
- Third commit to fix issue #944 regarding SOCKS5 error handling.
-
- Reported-by: David Kalnischkies
+ It has already been fixed in 6140dfc
-- socks.c: Do not modify and invalidate calculated response length
+- http-proxy: when not doing CONNECT, that phase is done immediately
- Second commit to fix issue #944 regarding SOCKS5 error handling.
+ `conn->connect_state` is NULL when doing a regular non-CONNECT request
+ over the proxy and should therefor be considered complete at once.
- Reported-by: David Kalnischkies
+ Fixes #1853
+ Closes #1862
+ Reported-by: Lawrence Wagerfield
+
+- [Johannes Schindelin brought this change]
-- socks.c: Move error output after reading the whole response packet
+ OpenSSL: fix yet another mistake while encapsulating SSL backend data
- First commit to fix issue #944 regarding SOCKS5 error handling.
+ Another mistake in my manual fixups of the largely mechanical
+ search-and-replace ("connssl->" -> "BACKEND->"), just like the previous
+ commit concerning HTTPS proxies (and hence not caught during my
+ earlier testing).
- Reported-by: David Kalnischkies
+ Fixes #1855
+ Closes #1871
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (13 Aug 2016)
-- [Ronnie Mose brought this change]
+- [Johannes Schindelin brought this change]
- MANUAL: Remove invalid link to LDAP documentation (#962)
+ OpenSSL: fix erroneous SSL backend encapsulation
- The server developer.netscape.com does not resolve into any
- ip address and can be removed.
-
-Jay Satiro (13 Aug 2016)
-- openssl: accept subjectAltName iPAddress if no dNSName match
+ In d65e6cc4f (vtls: prepare the SSL backends for encapsulated private
+ data, 2017-06-21), this developer prepared for a separation of the
+ private data of the SSL backends from the general connection data.
- Undo change introduced in d4643d6 which caused iPAddress match to be
- ignored if dNSName was present but did not match.
+ This conversion was partially automated (search-and-replace) and
+ partially manual (e.g. proxy_ssl's backend data).
- Also, if iPAddress is present but does not match, and dNSName is not
- present, fail as no-match. Prior to this change in such a case the CN
- would be checked for a match.
+ Sadly, there was a crucial error in the manual part, where the wrong
+ handle was used: rather than connecting ssl[sockindex]' BIO to the
+ proxy_ssl[sockindex]', we reconnected proxy_ssl[sockindex]. The reason
+ was an incorrect location to paste "BACKEND->"... d'oh.
- Bug: https://github.com/curl/curl/issues/959
- Reported-by: wmsch@users.noreply.github.com
+ Reported by Jay Satiro in https://github.com/curl/curl/issues/1855.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (12 Aug 2016)
-- [Dambaev Alexander brought this change]
+- [Jay Satiro brought this change]
- configure.ac: add zlib search with pkg-config
+ vtls: fix memory corruption
- Closes #956
-
-- rtsp: ignore whitespace in session id
+ Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data,
+ 2017-07-28), the code handling HTTPS proxies was broken because the
+ pointer to the SSL backend data was not swapped between
+ conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but
+ instead set to NULL (causing segmentation faults).
- Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at
- whitespace as well.
+ [jes: provided the commit message, tested and verified the patch]
- Help-by: Erik Janssen
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- HTTP: retry failed HEAD requests too
+- vtls: switch to CURL_SHA256_DIGEST_LENGTH define
- Mark's new document about HTTP Retries
- (https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I
- spotted that we don't retry failed HEAD requests which seems totally
- inconsistent and I can't see any reason for that separate treatment.
+ ... instead of the prefix-less version since WolfSSL 3.12 now uses an
+ enum with that name that causes build failures for us.
- So, no separate treatment for HEAD starting now. A HTTP request sent
- over a reused connection that gets cut off before a single byte is
- received will be retried on a fresh connection.
+ Fixes #1865
+ Closes #1867
+ Reported-by: Gisle Vanem
+
+- travis: add c-ares enabled builds linux + osx
- Made-aware-by: Mark Nottingham
+ Closes #1868
-- mk-ca-bundle.1: document -m, added in 1.26
+- HISTORY: added some recent items
-- RELEASE-NOTES: synced with e577c43bb5
+Jay Satiro (6 Sep 2017)
+- SSL: fix unused parameter warnings
-- [Erik Janssen brought this change]
+Patrick Monnerat (6 Sep 2017)
+- mime: drop internal FILE * support.
+
+ - The part kind MIMEKIND_FILE and associated code are suppressed.
+ - Seek data origin offset not used anymore: suppressed.
+ - MIMEKIND_NAMEDFILE renamed MIMEKIND_FILE; associated fields/functions
+ renamed accordingly.
+ - Curl_getformdata() processes stdin via a callback.
- rtsp: accept any RTSP session id
+Daniel Stenberg (6 Sep 2017)
+- configure: remove --enable-soname-bump and SONAME_BUMP
+
+ Back in 2008, (and commit 3f3d6ebe665f3) we changed the logic in how we
+ determine the native type for `curl_off_t`. To really make sure we
+ didn't break ABI without bumping SONAME, we introduced logic that
+ attempted to detect that it would use a different size and thus not be
+ compatible. We also provided a manual switch that allowed users to tell
+ configure to bump SONAME by force.
+
+ Today, we know of no one who ever got a SONAME bump auto-detected and we
+ don't know of anyone who's using the manual bump feature. The auto-
+ detection is also no longer working since we introduced defining
+ curl_off_t in system.h (7.55.0).
- Makes libcurl work in communication with gstreamer-based RTSP
- servers. The original code validates the session id to be in accordance
- with the RFC. I think it is better not to do that:
+ Finally, this bumping logic is not present in the cmake build.
- - For curl the actual content is a don't care.
+ Closes #1861
+
+Jay Satiro (6 Sep 2017)
+- [Gisle Vanem brought this change]
+
+ vtls: select ssl backend case-insensitive (follow-up)
- - The clarity of the RFC is debatable, is $ allowed or only as \$, that
- is imho not clear
+ - Do a case-insensitive comparison of CURL_SSL_BACKEND env as well.
- - Gstreamer seems to url-encode the session id but % is not allowed by
- the RFC
+ - Change Curl_strcasecompare calls to strcasecompare
+ (maps to the former but shorter).
- - less code
+ Follow-up to c290b8f.
- With this patch curl will correctly handle real-life lines like:
- Session: biTN4Kc.8%2B1w-AF.; timeout=60
+ Bug: https://github.com/curl/curl/commit/c290b8f#commitcomment-24094313
- Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html
+ Co-authored-by: Jay Satiro
-- symbols-in-versions: add CURL_STRICTER
+- openssl: Integrate Peter Wu's SSLKEYLOGFILE implementation
- Added in 5fce88aa8c12564
-
-- [Simon Warta brought this change]
-
- winbuild: Allow changing C compiler via environment variable CC (#952)
+ This is an adaptation of 2 of Peter Wu's SSLKEYLOGFILE implementations.
+
+ The first one, written for old OpenSSL versions:
+ https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
+
+ The second one, written for BoringSSL and new OpenSSL versions:
+ https://github.com/curl/curl/pull/1346
- This makes it possible to use specific compilers or a cache.
+ Note the first one is GPL licensed but the author gave permission to
+ waive that license for libcurl.
- Sample use for clcache:
- set CC=clcache.bat
- nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no
+ As of right now this feature is disabled by default, and does not have
+ a configure option to enable it. To enable this feature define
+ ENABLE_SSLKEYLOGFILE when building libcurl and set environment
+ variable SSLKEYLOGFILE to a pathname that will receive the keys.
+
+ And in Wireshark change your preferences to point to that key file:
+ Edit > Preferences > Protocols > SSL > Master-Secret
+
+ Co-authored-by: Peter Wu
+
+ Ref: https://github.com/curl/curl/pull/1030
+ Ref: https://github.com/curl/curl/pull/1346
+
+ Closes https://github.com/curl/curl/pull/1866
-- LICENSE-MIXING.md: switched to markdown
+Patrick Monnerat (5 Sep 2017)
+- mime: fix a trivial warning.
-- docs-make: have markdown files use .md
+- mime: replace 'struct Curl_mimepart' by 'curl_mimepart' in encoder code.
+
+ mime_state is now a typedef.
+
+- mime: implement encoders.
+
+ curl_mime_encoder() is operational and documented.
+ curl tool -F option is extended with ";encoder=".
+ curl tool --libcurl option generates calls to curl_mime_encoder().
+ New encoder tests 648 & 649.
+ Test 1404 extended with an encoder specification.
-- curl.h: make CURL_NO_OLDIES define CURL_STRICTER
+- runtests.pl: support attribute "nonewline" in part verify/upload.
-- HISTORY.md: use markdown extension
+- [Daniel Stenberg brought this change]
-- SSLCERTS.md: renamed to markdown extension
+ fixup data/test1135
-- INTERNALS.md: use markdown extension for markdown content
+- [Daniel Stenberg brought this change]
-- CONTRIBUTE.md: markdown extension
+ mime: unified to use the typedef'd mime structs everywhere
+
+ ... and slightly edited to follow our code style better.
-- CONTRIBUTE: changed to markdown
+- [Daniel Stenberg brought this change]
-- CONTRIBUTE: refreshed
+ curl.h: use lower case curl_mime* as for all public symbols
-- TODO: added an SSH section and two SFTP things to do
+- [Daniel Stenberg brought this change]
-- TODO: remove the 1.22 duplicated item
+ docs/curl_mime_*.3: use correct variable types in examples
-- TODO: move "CURLOPT_MAIL_CLIENT" to SMTP section
+Kamil Dudka (5 Sep 2017)
+- openssl: use OpenSSL's default ciphers by default
+
+ Up2date versions of OpenSSL maintain the default reasonably secure
+ without breaking compatibility, so it is better not to override the
+ default by curl. Suggested at https://bugzilla.redhat.com/1483972
+
+ Closes #1846
-- TODO: API for URL parsing/splitting
+Viktor Szakats (5 Sep 2017)
+- examples/mime: minor example code fixes
-- TODO: move QUIC to the HTTP section
+Daniel Stenberg (5 Sep 2017)
+- docs/curl_mime_*.3: added examples
-- [Simon Warta brought this change]
+- configure: add MultiSSL to FEATURES when enabled
+
+ ...for curl-config and its corresponding test 1014
- winbuild: Free name $(CC) in Makefile (#950)
+- http-proxy: treat all 2xx as CONNECT success
- In the old line number 290, CC and CURL_CC had the same value. After
- that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?).
+ Added test 1904 to verify.
- This gets rid of the CC variable entirely. It is a first step to make it
- possible to manualyl set a CC variable in order to be able to change the
- compiler.
+ Reported-by: Lawrence Wagerfield
+ Fixes #1859
+ Closes #1860
-- TODO: Use huge HTTP/2 windows
+- MAIL-ETIQUETTE: added "1.9 Your emails are public"
-- [Simon Warta brought this change]
+- curl.h: fix "unused checksrc ignore", remove dangling reference
+
+ ... to a README file that doesn't exist anymore
- winbuild: Avoid setting redundant CFLAGS to compile commands (#949)
+Viktor Szakats (4 Sep 2017)
+- docs: Update to secure URL versions
+
+- mime: use CURL_ZERO_TERMINATED in examples
- $(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this,
- all arguments in CURL_CFLAGS have been added twice.
+ and some minor whitespace fixes
-Jay Satiro (8 Aug 2016)
-- cmake: Enable win32 threaded resolver by default
+Daniel Stenberg (4 Sep 2017)
+- schannel: return CURLE_SSL_CACERT on failed verification
- - Turn on USE_THREADS_WIN32 in Windows if ares isn't on
+ ... not *CACERT_BADFILE as it isn't really because of a bad file.
- This change is similar to what we already do in the autotools build.
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0002.html
+ Closes #1858
+
+- test1135: fixed after bd8070085f9
-- cmake: Enable win32 large file support by default
+- examples/post-callback: stop returning one byte at a time
- All compilers used by cmake in Windows should support large files.
+ ... since people copy and paste code from this example and thus they get
+ an inefficient POST operation without a good reason and sometimes
+ without understanding why.
- - Add test SIZEOF_OFF_T
- - Remove outdated test SIZEOF_CURL_OFF_T
- - Turn on USE_WIN32_LARGE_FILES in Windows
- - Check for 'Largefile' during the features output
+ Instead this now returns as much data as possible.
-Daniel Stenberg (7 Aug 2016)
-- TODO: added several ideas, removed SPDY
+- RELEASE-NOTES: fixed the function counter script
-- http2: always wait for readable socket
+- curl.h: make the curl_strequal() protos use the same style
- Since the server can at any time send a HTTP/2 frame to us, we need to
- wait for the socket to be readable during all transfers so that we can
- act on incoming frames even when uploading etc.
-
- Reminded-by: Tatsuhiro Tsujikawa
+ ... as the other functions. Makes it easier to machine-parse!
-- RELEASE-NOTES: synced with 7b4bf37a44791
+- docs: curl_mime_*.3 man page formatting edits
-- [Thomas Glanzmann brought this change]
+- RELEASE-NOTES: synced with 1ab9e9b50
- mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined
-
- In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal
- to 0. This patch also adds a comment how mbedtls must be compiled in
- order to make debugging work, and explains the possible debug levels.
+Patrick Monnerat (4 Sep 2017)
+- lib: bump version info (soname). Adapt and reenable test 1135.
-- CURLOPT_TCP_NODELAY: now enabled by default
+Daniel Stenberg (3 Sep 2017)
+- headers: move the global_sslset() proto from multi.h to curl.h
- After a few wasted hours hunting down the reason for slowness during a
- TLS handshake that turned out to be because of TCP_NODELAY not being
- set, I think we have enough motivation to toggle the default for this
- option. We now enable TCP_NODELAY by default and allow applications to
- switch it off.
-
- This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
- used to disable it.
+ As it was added to multi.h simply to not break test 1135, which now has
+ been disabled due to the mime API addition anyway and su we can now move
+ the sslset stuff to where the other curl_global_* prototypes are.
+
+Patrick Monnerat (3 Sep 2017)
+- mime: fix signed/unsigned conversions.
- Thanks-to: Tim Rühsen
- Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
+ Use and generate CURL_ZERO_TERMINATED in curl tool and tests.
-- [Serj Kalichev brought this change]
+Jay Satiro (3 Sep 2017)
+- tool_formparse: fix some trivial warnings
- TFTP: Fix upload problem with piped input
+Patrick Monnerat (3 Sep 2017)
+- mime: use size_t instead of ssize_t in public API interface.
- When input stream for curl is stdin and input stream is not a file but
- generated by a script then curl can truncate data transfer to arbitrary
- size since a partial packet is treated as end of transfer by TFTP.
+ To support telling a string is nul-terminated, symbol CURL_ZERO_TERMINATED
+ has been introduced.
- Fixes #857
-
-- mk-ca-bundle.pl: -m keeps ca cert meta data in output
-
- Makes the script pass on comments holding meta data to the output
- file. Like fingerprinters, issuer, date ranges etc.
+ Documentation updated accordingly.
- Closes #937
+ symbols in versions updated. Added form API symbols deprecation info.
-- multi: make Curl_expire() work with 0 ms timeouts
+- mime: remove support "-" stdin pseudo-file name in curl_mime_filedata().
- Previously, passing a timeout of zero to Curl_expire() was a magic code
- for clearing all timeouts for the handle. That is now instead made with
- the new Curl_expire_clear() function and thus a 0 timeout is fine to set
- and will trigger a timeout ASAP.
+ This feature is badly supported in Windows: as a replacement, a caller has
+ to use curl_mime_data_cb() with fread, fseek and possibly fclose
+ callbacks to process opened files.
- This will help removing short delays, in particular notable when doing
- HTTP/2.
-
-- transfer: return without select when the read loop reached maxcount
+ The cli tool and documentation are updated accordingly.
- Regression added in 790d6de48515. The was then added to avoid one
- particular transfer to starve out others. But when aborting due to
- reading the maxcount, the connection must be marked to be read from
- again without first doing a select as for some protocols (like SFTP/SCP)
- the data may already have been read off the socket.
+ The feature is however kept internally for form API compatibility, with
+ the known caveats it always had.
- Reported-by: Dan Donahue
- Bug: https://curl.haxx.se/mail/lib-2016-07/0057.html
-
-Steve Holme (3 Aug 2016)
-- [Bill Nagel brought this change]
+ As a side effect, stdin size is not determined by the cli tool even if
+ possible and this results in a chunked transfer encoding. Test 173 is
+ updated accordingly.
- mbedtls: Added support for NTLM
+- mime: fix some implicit curl_off_t --> size_t conversion warnings.
-Daniel Stenberg (3 Aug 2016)
-- [Sergei Nikulov brought this change]
-
- travis: removed option to rebuild autotool from source
+- mime: tests and examples.
- Fixes #943
-
-- bump: start working toward 7.50.2
-
-Version 7.50.1 (3 Aug 2016)
+ Additional mime-specific tests.
+ Existing tests updated to reflect small differences (Expect: 100-continue,
+ data size change due to empty lines, etc).
+ Option -F headers= keyword added to tests.
+ test1135 disabled until the entry point order change is resolved.
+ New example smtp-mime.
+ Examples postit2 and multi-post converted from form API to mime API.
-Daniel Stenberg (3 Aug 2016)
-- THANKS: 7 new contributors from the 7.50.1 release
-
-- RELEASE-NOTES: 7.50.1
-
-- TLS: only reuse connections with the same client cert
+- mime: use in curl cli tool instead of form API.
- CVE-2016-5420
- Bug: https://curl.haxx.se/docs/adv_20160803B.html
+ Extended -F option syntax to support multipart mail messages.
+ -F keyword headers= added to include custom headers in parts.
+ Documentation upgraded.
-- TLS: switch off SSL session id when client cert is used
+- mime: new MIME API.
- CVE-2016-5419
- Bug: https://curl.haxx.se/docs/adv_20160803A.html
- Reported-by: Bru Rom
- Contributions-by: Eric Rescorla and Ray Satiro
+ Available in HTTP, SMTP and IMAP.
+ Deprecates the FORM API.
+ See CURLOPT_MIMEPOST.
+ Lib code and associated documentation.
-- curl_multi_cleanup: clear connection pointer for easy handles
+- test564: Add a warning comment about shell profile output.
- CVE-2016-5421
- Bug: https://curl.haxx.se/docs/adv_20160803C.html
- Reported-by: Marcelo Echeverria and Fernando Muñoz
+ Shell profile output makes the SSH server failing and this problem reason
+ is not easy to find when no hint is given.
-- KNOWN_BUGS: SOCKS proxy not working via IPv6
+- checksrc: disable SPACEBEFOREPAREN for case statement.
- Closes #835
+ The case keyword may be followed by a constant expression and thus should
+ allow it to start with an open parenthesis.
-- KNOWN_BUGS: CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
+- runtests.pl: allow <file[1-4]> tags in client section.
- Closes #768
+ This enables tests to create more than one file on the client side.
-- KNOWN_BUGS: transfer-encoding: chunked in HTTP/2
+- runtests.pl: Apply strippart to upload too.
- Closes #662
+ This will allow substitution of boundaries in mail messages.
-- TODO: Provide cmake config-file
+- Curl_base64_encode: always call with a real data handle.
- Closes #885
+ Some calls in different modules were setting the data handle to NULL, causing
+ segmentation faults when using builds that enable character code conversions.
-Patrick Monnerat (2 Aug 2016)
-- os400: define BUILDING_LIBCURL in make script.
+- non-ascii: allow conversion functions to be called with a NULL data handle.
-Daniel Stenberg (1 Aug 2016)
-- RELEASE-NOTES: synced with aa9f536a18b
+- http: fix a memory leakage in checkrtspprefix().
-Jay Satiro (1 Aug 2016)
-- [Thomas Glanzmann brought this change]
+Daniel Stenberg (2 Sep 2017)
+- [Max Dymond brought this change]
- mbedtls: Fix debug function name
+ ossfuzz: Move to C++ for curl_fuzzer.
- This patch is necessary so that curl compiles if MBEDTLS_DEBUG is
- defined.
+ Automake gets confused if you want to use C++ static libraries with C
+ code - basically we need to involve the clang++ linker. The easiest way
+ of achieving this is to rename the C code as C++ code. This gets us a
+ bit further along the path and ought to be compatible with Google's
+ version of clang.
+
+- curl_global_sslset: select backend by name case insensitively
- Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
+ Closes #1849
-Daniel Stenberg (1 Aug 2016)
-- [Sergei Nikulov brought this change]
+- [Max Dymond brought this change]
- travis: fix OSX build by re-installing libtool
+ ossfuzz: additional seed corpora
- Apparently due to a broken homebrew install
+ Create simple seed corpora for:
+ - FTP
+ - telnet
+ - dict
+ - tftp
+ - imap
+ - pop3
- fixes #934
- Closes #939
+ based off the tests of the same number.
+
+ Closes #1842
-- [Martin Vejnár brought this change]
+- [Max Dymond brought this change]
- win32: fix a potential memory leak in Curl_load_library
+ ossfuzz: moving towards the ideal integration
- If a call to GetSystemDirectory fails, the `path` pointer that was
- previously allocated would be leaked. This makes sure that `path` is
- always freed.
+ - Start with the basic code from the ossfuzz project.
+ - Rewrite fuzz corpora to be binary files full of Type-Length-Value
+ data, and write a glue layer in the fuzzing function to convert
+ corpora into CURL options.
+ - Have supporting functions to generate corpora from existing tests
+ - Integrate with Makefile.am
+
+- strcase: corrected comment header for Curl_strcasecompare()
+
+- unit1301: fix error message on first test
+
+- curl_global_sslset.3: show the struct and enum too
- Closes #938
+ ... so that users can actually write code based on the man page alone,
+ not having to read the header file.
-- include: revert 9adf3c4 and make public types void * again
+Jay Satiro (31 Aug 2017)
+- darwinssl: handle long strings in TLS certs (follow-up)
- Many applications assume the actual contents of the public types and use
- that do for example forward declarations (saving them from including our
- public header) which then breaks when we switch from void * to a struct
- *.
+ - Fix handling certificate subjects that are already UTF-8 encoded.
- I'm not convinced we were wrong, but since this practise seems
- widespread enough I'm willing to (partly) step down.
+ Follow-up to b3b75d1 from two days ago. Since then a copy would be
+ skipped if the subject was already UTF-8, possibly resulting in a NULL
+ deref later on.
- Now libcurl uses the struct itself when it is built and it allows
- applications to use the struct type if CURL_STRICTER is defined at the
- time of the #include.
+ Ref: https://github.com/curl/curl/issues/1823
+ Ref: https://github.com/curl/curl/pull/1831
- Reported-by: Peter Frühberger
- Fixes #926
+ Closes https://github.com/curl/curl/pull/1836
-Jay Satiro (28 Jul 2016)
-- [Yonggang Luo brought this change]
-
- cmake: Fix for schannel support
+Daniel Stenberg (31 Aug 2017)
+- cyassl: call it the "WolfSSL" backend
- The check_library_exists_concat do not check crypt32 library properly.
- So include it directly.
+ ... instead of cyassl, as this is the current name for it.
- Bug: https://github.com/curl/curl/pull/917
- Reported-by: Yonggang Luo
+ Closes #1844
+
+- polarssl: fix multissl breakage
- Bug: https://github.com/curl/curl/issues/935
- Reported-by: Alain Danteny
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0121.html
+ Closes #1843
-- Revert "travis: Install libtool for OS X builds"
+- configure: remove the leading comma from the backends list
- Didn't work.
+ ... when darwinssl is used.
- This reverts commit 50723585ed380744358de054e2a55dccee65dfd7.
-
-- travis: Install libtool for OS X builds
+ Reported-by: Viktor Szakats
+ Bug: https://github.com/curl/curl/commit/b0989cd3abaff4f9a0717b4875022fa79e33b481#commitcomment-23943493
- CI is failing due to missing libtoolize, so I'm trying this.
+ Closes #1845
-Daniel Stenberg (26 Jul 2016)
-- [Viktor Szakats brought this change]
+Kamil Dudka (30 Aug 2017)
+- examples/sslbackend.c: fix failure of 'make checksrc'
+
+ ./sslbackend.c:58:3: warning: else after closing brace on same line (BRACEELSE)
+ } else if(isdigit(*name)) {
+ ^
+ ./sslbackend.c:62:3: warning: else after closing brace on same line (BRACEELSE)
+ } else
+ ^
- TODO: minor typo in last commit
+Viktor Szakats (30 Aug 2017)
+- makefile.m32: add multissl support
- merged #931
+ Closes https://github.com/curl/curl/pull/1840
-- TODO: Timeout idle connections from the pool
+Daniel Stenberg (30 Aug 2017)
+- curl.h: CURLSSLBACKEND_WOLFSSL used wrong value
+
+ The CURLSSLBACKEND_WOLFSSL is supposed to be an alias for
+ CURLSSLBACKEND_CYASSL, but used an erronous value. To reduce the risk
+ for a similar mistake, define the backend aliases to use the enum values
+ instead.
+
+ Reported-by: Gisle Vanem
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0120.html
-Patrick Monnerat (25 Jul 2016)
-- os400: minimum supported OS version: V6R1M0.
- Do not log compilation informational messages.
+- curl_global_sslset.3: clarify
+
+ it is a one time *set*, not necessarily a one time use... it can be
+ called again if the first call failed or just listed the alternatives.
+
+ clarify that the available backends are the ones this build supports
+
+ plus add some formatting
+
+ Reported-by: Rich Gray
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0119.html
-Jay Satiro (24 Jul 2016)
-- tests: Fix for http/2 feature
+- curl/multi.h: remove duplicated closing c++ brace
+
+ Regression since 1328f69d53f2f2e93
- Bug: https://curl.haxx.se/mail/lib-2016-07/0070.html
- Reported-by: Paul Howarth
+ Fixes #1841
+ Reported-by: Andrei Karas
-Steve Holme (23 Jul 2016)
-- README: Mention wolfSSL in the 'Dependencies' section
+- RELEASE-NOTES: synced with 8c33c963a
-- vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO
-
- As SPNEGO is only defined when these pre-processor variables are defined
- there is no need to query them explicitly.
+- HELP-US.md: spelling
-- spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
+- HELP-US.md: "How to get started helping out in the curl project"
- Typo introduced in commit ad5e9bfd5d.
+ Closes #1837
-Daniel Stenberg (22 Jul 2016)
-- SECURITY: mention how to get windows-specific CVEs
+Dan Fandrich (29 Aug 2017)
+- asyn-thread: Fixed cleanup after OOM
- ... and make the distros link a proper link
-
-Dan Fandrich (21 Jul 2016)
-- test558: fix test by stripping file paths from FD lines
+ destroy_async_data() assumes that if the flag "done" is not set yet, the
+ thread itself will clean up once the request is complete. But if an
+ error (generally OOM) occurs before the thread even has a chance to
+ start, it will never get a chance to clean up and memory will be leaked.
+ By clearing "done" only just before starting the thread, the correct
+ cleanup sequence will happen in all cases.
-Kamil Dudka (21 Jul 2016)
-- tests: distribute the http2-server.pl script, too
+Daniel Stenberg (28 Aug 2017)
+- curl_global_init.3: mention curl_global_sslset(3)
-- docs: distribute the CURLINFO_HTTP_VERSION(3) man page, too
+Dan Fandrich (28 Aug 2017)
+- unit1606: Fixed shadowed variable warning
-Daniel Stenberg (21 Jul 2016)
-- bump: start working on 7.50.1
+- asyn-thread: Improved cleanup after OOM situations
-Version 7.50.0 (21 Jul 2016)
-
-Daniel Stenberg (21 Jul 2016)
-- RELEASE-NOTES: version 7.50.0 ready
+- asyn-thread: Set errno to the proper value ENOMEM in OOM situation
+
+ This used to be set in some configurations to EAI_MEMORY which is not a
+ valid value for errno and caused Curl_strerror to fail an assertion.
-- THANKS: 13 new contributors from the 7.50.0 release
+Daniel Stenberg (28 Aug 2017)
+- [Johannes Schindelin brought this change]
-Jay Satiro (21 Jul 2016)
-- winbuild: fix embedded manifest option
+ configure: Handle "MultiSSL" specially When versioning symbols
- Embedded manifest option didn't work due to typo.
+ There is a mode in which libcurl is compiled with versioned symbols,
+ depending on the active SSL backend.
- Reported-by: Stefan Kanthak
-
-- vauth: Fix memleak by freeing credentials if out of memory
+ When multiple SSL backends are active, it does not make sense to favor
+ one over the others, so let's not: introduce a new prefix for the case
+ where multiple SSL backends are compiled into cURL.
- This is a follow up to the parent commit dcdd4be which fixes one leak
- but creates another by failing to free the credentials handle if out of
- memory. Also there's a second location a few lines down where we fail to
- do same. This commit fixes both of those issues.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (20 Jul 2016)
-- [Saurav Babu brought this change]
+- [Johannes Schindelin brought this change]
- vauth: Fixed memory leak due to function returning without free
+ configure: allow setting the default SSL backend
- This patch allocates memory to "output_token" only when it is required
- so that memory is not leaked if function returns.
-
-- test558: updated after ipv6-check move
+ Previously, we used as default SSL backend whatever was first in the
+ `available_backends` array.
- Follow-up commit to c50980807c5 to make this test pass.
-
-Jay Satiro (20 Jul 2016)
-- connect: disable TFO on Linux when using SSL
+ However, some users may want to override that default without patching
+ the source code.
- - Linux TFO + TLS is not implemented yet.
+ Now they can: with the --with-default-ssl-backend=<backend> option of
+ the ./configure script.
- Bug: https://github.com/curl/curl/issues/907
-
-Daniel Stenberg (19 Jul 2016)
-- ROADMAP: QUIC and TLS 1.3
-
-- RELEASE-NOTES: synced with c50980807c5
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Jay Satiro (18 Jul 2016)
-- [Brian Prodoehl brought this change]
+- [Johannes Schindelin brought this change]
- curl_global_init: Check if IPv6 works
+ vtls: use Curl_ssl_multi pseudo backend only when needed
- - Curl_ipv6works() is not thread-safe until after the first call, so
- call it once during global init to avoid a possible race condition.
+ When only one SSL backend is configured, it is totally unnecessary to
+ let multissl_init() configure the backend at runtime, we can select the
+ correct backend at build time already.
- Bug: https://github.com/curl/curl/issues/915
- PR: https://github.com/curl/curl/pull/918
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Timothy Polich brought this change]
+- [Johannes Schindelin brought this change]
- CURLMOPT_SOCKETFUNCTION.3: fix typo
+ version: if built with more than one SSL backend, report all of them
- Closes https://github.com/curl/curl/pull/914
-
-- [Miroslav Franc brought this change]
-
- library: Fix memory leaks found during static analysis
+ To discern the active one from the inactive ones, put the latter into
+ parentheses.
- Closes https://github.com/curl/curl/pull/913
-
-- [Viktor Szakats brought this change]
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
- cookie.c: Fix misleading indentation
-
- Closes https://github.com/curl/curl/pull/911
+- [Johannes Schindelin brought this change]
-- FAQ: Update FTP directory listing section for MLSD command
+ version: add the CURL_VERSION_MULTI_SSL feature flag
- Explain how some FTP servers support the machine readable listing
- format MLSD from RFC 3659 and compare it to LIST.
+ This new feature flag reports When cURL was built with multiple SSL
+ backends.
- Ref: https://github.com/curl/curl/issues/906
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (1 Jul 2016)
-- [Sergei Nikulov brought this change]
+- [Johannes Schindelin brought this change]
- Appveyor: Updates for options - CURL_STATICLIB/BUILD_TESTING
+ metalink: allow compiling with multiple SSL backends
+
+ Previously, the code assumed that at most one of the SSL backends would
+ be compiled in, emulating OpenSSL's functions if the configured backend
+ was not OpenSSL itself.
+
+ However, now we allow building with multiple SSL backends and choosing
+ one at runtime. Therefore, metalink needs to be adjusted to handle this
+ scenario, too.
- Closes #892
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- TODO: 17.4 also brings more HTTP/2 support
+- [Johannes Schindelin brought this change]
-- TODO: try next proxy if one doesn't work
+ docs/examples: demonstrate how to select SSL backends
- Closes #896
-
-- conn: don't free easy handle data in handler->disconnect
+ The newly-introduced curl_global_sslset() function deserves to be
+ show-cased.
- Reported-by: Gou Lingfeng
- Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html
-
-- test1244: test different proxy ports same URL
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- curl_global_init.3: improved formatting of the flags
+- [Johannes Schindelin brought this change]
-- curl_global_init.3: expand on the SSL and WIN32 bits purpose
+ Add a man page for curl_global_sslset()
- Reported-by: Richard Gray
- Bug: https://curl.haxx.se/mail/lib-2016-06/0136.html
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Michael Kaufmann brought this change]
+- [Johannes Schindelin brought this change]
- cleanup: minor code cleanup in Curl_http_readwrite_headers()
+ vtls: introduce curl_global_sslset()
- - the expression of an 'if' was always true
- - a 'while' contained a condition that was always true
- - use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)'
- - fixed a typo
+ Let's add a compile time safe API to select an SSL backend. This
+ function needs to be called *before* curl_global_init(), and can be
+ called only once.
- Closes #889
-
-- SFTP: set a generic error when no SFTP one exists...
+ Side note: we do not explicitly test that it is called before
+ curl_global_init(), but we do verify that it is not called multiple times
+ (even implicitly).
- ... as otherwise we could get a 0 which would count as no error and we'd
- wrongly continue and could end up segfaulting.
+ If SSL is used before the function was called, it will use whatever the
+ CURL_SSL_BACKEND environment variable says (or default to the first
+ available SSL backend), and if a subsequent call to
+ curl_global_sslset() disagrees with the previous choice, it will fail
+ with CURLSSLSET_TOO_LATE.
- Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html
- Reported-by: 暖和的和暖
-
-- ROADMAP: http2 tests are merged, mention http2 perf
-
-- docs/README.md: to render nicer pages on github
+ The function also accepts an "avail" parameter to point to a (read-only)
+ NULL-terminated list of available backends. This comes in real handy if
+ an application wants to let the user choose between whatever SSL backends
+ the currently available libcurl has to offer: simply call
- ... as previously the README.cmake would be picked and put at the bottom
- of the docs page there and it wasn't very representative!
-
-- README.md: change host name for the svg logo
+ curl_global_sslset(-1, NULL, &avail);
- rawgit.com asks to use the domain cdn.rawgit.com for production
+ which will return CURLSSLSET_UNKNOWN_BACKEND and populate the avail
+ variable to point to the relevant information to present to the user.
- See #900
-
-- [Viktor Szakats brought this change]
-
- README.md: use the SVG logo
+ Just like with the HTTP/2 push functions, we have to add the function
+ declaration of curl_global_sslset() function to the header file
+ *multi.h* because VMS and OS/400 require a stable order of functions
+ declared in include/curl/*.h (where the header files are sorted
+ alphabetically). This looks a bit funny, but it cannot be helped.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- README.md: logo on top!
+- [Johannes Schindelin brought this change]
-- KNOWN_BUGS: 3.4 POP3 expects "CRLF.CRLF" eob for some
+ vtls: refactor out essential information about the SSL backends
- Closes #740
-
-- RELEASE-NOTES: synced with d61c80515aa8
+ There is information about the compiled-in SSL backends that is really
+ no concern of any code other than the SSL backend itself, such as which
+ function (if any) implements SHA-256 summing.
+
+ And there is information that is really interesting to the user, such as
+ the name, or the curl_sslbackend value.
+
+ Let's factor out the latter into a publicly visible struct. This
+ information will be used in the upcoming API to set the SSL backend
+ globally.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Michael Osipov brought this change]
+- [Johannes Schindelin brought this change]
- acinclude.m4: improve autodetection of CA bundle on FreeBSD
+ vtls: allow selecting which SSL backend to use at runtime
- The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle
- to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the
- discovery process.
+ When building software for the masses, it is sometimes not possible to
+ decide for all users which SSL backend is appropriate.
- This change also removes the former FreeBSD path that has been obsolete
- for 8 years since this FreeBSD ports commit:
- https://svnweb.freebsd.org/ports/head/security/?view=revision&revision=215953
+ Git for Windows, for example, uses cURL to perform clones, fetches and
+ pushes via HTTPS, and some users strongly prefer OpenSSL, while other
+ users really need to use Secure Channel because it offers
+ enterprise-ready tools to manage credentials via Windows' Credential
+ Store.
- Closes #894
-
-- configure: don't specify .lib for libs on windows
+ The current Git for Windows versions use the ugly work-around of
+ building libcurl once with OpenSSL support and once with Secure Channel
+ support, and switching out the binaries in the installer depending on
+ the user's choice.
- Another follow up for crypt32.lib linking with winssl
-
-- configure: fix winssl LIBS change typo
+ Needless to say, this is a super ugly workaround that actually only
+ works in some cases: Git for Windows also comes in a portable form, and
+ in a form intended for third-party applications requiring Git
+ functionality, in which cases this "swap out libcurl-4.dll" simply is
+ not an option.
- follow-up from 120bf29e
-
-- TODO: "TCP Fast Open" is done, add monitor pool connections
-
-- configure: add crypt32.lib for winssl builds
+ Therefore, the Git for Windows project has a vested interest in teaching
+ cURL to make the SSL backend a *runtime* option.
- Necessary since 6cabd78531f
-
-- Makefile.vc: link with crypt32.lib for winssl builds
+ This patch makes that possible.
- Necessary since 6cabd78531f
+ By running ./configure with multiple --with-<backend> options, cURL will
+ be built with multiple backends.
- Fixes #853
+ For the moment, the backend can be configured using the environment
+ variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and
+ "schannel").
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Joel Depooter brought this change]
+- [Johannes Schindelin brought this change]
- VC: Add crypt32.lib to Visual Sudio project template files
+ vtls: fold the backend ID into the Curl_ssl structure
- Closes #854
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- vc: fix the build for schannel certinfo support
-
- Broken since 6cabd785, which adds use of the Curl_extract_certinfo
- function from the x509asn1.c file.
+- [Johannes Schindelin brought this change]
-- typedefs: use the full structs in internal code...
+ curl_ntlm_core: don't complain but #include OpenSSL header if needed
- ... and save the typedef'ed names for headers and external APIs.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- internals: rename the SessionHandle struct to Curl_easy
+- [Johannes Schindelin brought this change]
-- headers: forward declare CURL, CURLM and CURLSH as structs
+ vtls: encapsulate SSL backend-specific data
- Instead of typedef'ing to void, typedef to their corresponding actual
- struct names to allow compilers to type-check.
+ So far, all of the SSL backends' private data has been declared as
+ part of the ssl_connect_data struct, in one big #if .. #elif .. #endif
+ block.
- Assisted-by: Reinhard Max
-
-Jay Satiro (22 Jun 2016)
-- vtls: Only call add/getsession if session id is enabled
+ This can only work as long as the SSL backend is a compile-time option,
+ something we want to change in the next commits.
- Prior to this change we called Curl_ssl_getsessionid and
- Curl_ssl_addsessionid regardless of whether session ID reusing was
- enabled. According to comments that is in case session ID reuse was
- disabled but then later enabled.
+ Therefore, let's encapsulate the exact data needed by each SSL backend
+ into a private struct, and let's avoid bleeding any SSL backend-specific
+ information into urldata.h. This is also necessary to allow multiple SSL
+ backends to be compiled in at the same time, as e.g. OpenSSL's and
+ CyaSSL's headers cannot be included in the same .c file.
- The old way was not intuitive and probably not something users expected.
- When a user disables session ID caching I'd guess they don't expect the
- session ID to be cached anyway in case the caching is later enabled.
-
-Daniel Stenberg (22 Jun 2016)
-- curl.1: the used progress meter suffix is k in lower case
+ To avoid too many malloc() calls, we simply append the private structs
+ to the connectdata struct in allocate_conn().
- Closes #883
+ This requires us to take extra care of alignment issues: struct fields
+ often need to be aligned on certain boundaries e.g. 32-bit values need to
+ be stored at addresses that divide evenly by 4 (= 32 bit / 8
+ bit-per-byte).
+
+ We do that by assuming that no SSL backend's private data contains any
+ fields that need to be aligned on boundaries larger than `long long`
+ (typically 64-bit) would need. Under this assumption, we simply add a
+ dummy field of type `long long` to the `struct connectdata` struct. This
+ field will never be accessed but acts as a placeholder for the four
+ instances of ssl_backend_data instead. the size of each ssl_backend_data
+ struct is stored in the SSL backend-specific metadata, to allow
+ allocate_conn() to know how much extra space to allocate, and how to
+ initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend
+ pointers.
+
+ This would appear to be a little complicated at first, but is really
+ necessary to encapsulate the private data of each SSL backend correctly.
+ And we need to encapsulate thusly if we ever want to allow selecting
+ CyaSSL and OpenSSL at runtime, as their headers cannot be included within
+ the same .c file (there are just too many conflicting definitions and
+ declarations for that).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Sergei Nikulov brought this change]
+- [Johannes Schindelin brought this change]
- cmake: now using BUILD_TESTING=ON/OFF
+ vtls: prepare the SSL backends for encapsulated private data
- CMake build now using BUILD_TESTING=ON/OFF (default is OFF) to build
- tests and enabling CTest integration. Options BUILD_CURL_TESTS and
- BUILD_DASHBOARD_REPORTS was removed.
+ At the moment, cURL's SSL backend needs to be configured at build time.
+ As such, it is totally okay for them to hard-code their backend-specific
+ data in the ssl_connect_data struct.
- Closes #882
+ In preparation for making the SSL backend a runtime option, let's make
+ the access of said private data a bit more abstract so that it can be
+ adjusted later in an easy manner.
- Reviewed-by: Brad King
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Michael Kaufmann brought this change]
+- [Johannes Schindelin brought this change]
- cleanup: fix method names in code comments
+ urldata.h: move SSPI-specific #include to correct location
- Closes #887
-
-Kamil Dudka (21 Jun 2016)
-- curl-compilers.m4: improve detection of GCC's -fvisibility= flag
+ In 86b889485 (sasl_gssapi: Added GSS-API based Kerberos V5 variables,
+ 2014-12-03), an SSPI-specific field was added to the kerberos5data
+ struct without moving the #include "curl_sspi.h" later in the same file.
- Some builds of GCC produce output on both stdout and stderr when --help
- --verbose is used. The 2>&1 redirection caused them to be arbitrarily
- interleaved with each other because of stream buffering. Consequently,
- grep failed to match the fvisibility= string in the mixed output, even
- though the string was present in GCC's standard output.
+ This broke the build when SSPI was enabled, unless Secure Channel was
+ used as SSL backend, because it just so happens that Secure Channel also
+ requires "curl_sspi.h" to be #included.
- This led to silently disabling symbol hiding in some builds of curl.
-
-Daniel Stenberg (19 Jun 2016)
-- tests: fix the HTTP/2 tests
+ In f4739f639 (urldata: include curl_sspi.h when Windows SSPI is enabled,
+ 2017-02-21), this bug was fixed incorrectly: Instead of moving the
+ appropriate conditional #include, the Secure Channel-conditional part
+ was now also SSPI-conditional.
- The HTTP/2 tests brought with commit bf05606ef1f were using the internal
- name 'http2' for the HTTP/2 server, while in fact that name was already
- used for the second instance of the HTTP server. This made tests using
- the second instance (like test 2050) fail after a HTTP/2 test had run.
+ Fix this problem by moving the correct #include instead.
- The server is now known as HTTP/2 internally and within the <server>
- section in test cases. 1700, 1701 and 1702 were updated accordingly.
-
-- openssl: use more 'const' to fix build warnings with 1.1.0 branch
-
-- curl.1: missed 'T' in the progress unit suffixes
-
-- curl.1: mention the unix for the progress meter
+ This is also required for an upcoming patch that moves all the Secure
+ Channel-specific stuff out of urldata.h and encapsulates it properly in
+ vtls/schannel.c instead.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Patrick Monnerat (16 Jun 2016)
-- os400: add new definitions to ILE/RPG binding.
+- [Johannes Schindelin brought this change]
-Daniel Stenberg (16 Jun 2016)
-- openssl: fix cert check with non-DNS name fields present
+ urldata.h: remove support for obsolete PolarSSL version
- Regression introduced in 5f5b62635 (released in 7.48.0)
+ Since 5017d5ada (polarssl: now require 1.3.0+, 2014-03-17), we require
+ a newer PolarSSL version. No need to keep code trying to support any
+ older version.
- Reported-by: Fabian Ruff
- Fixes #875
-
-Dan Fandrich (16 Jun 2016)
-- axtls: Use Curl_wait_ms instead of the less-portable usleep
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- axtls: Fixed compile after compile 31c521b0
+- [Johannes Schindelin brought this change]
-- tests: Added HTTP proxy keywords to tests 1141 & 1142
+ getinfo: access SSL internals via Curl_ssl
+
+ In the ongoing endeavor to abstract out all SSL backend-specific
+ functionality, this is the next step: Instead of hard-coding how the
+ different SSL backends access their internal data in getinfo.c, let's
+ implement backend-specific functions to do that task.
+
+ This will also allow for switching SSL backends as a runtime option.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Jay Satiro (15 Jun 2016)
-- [Sergei Nikulov brought this change]
+- [Johannes Schindelin brought this change]
- cmake: Fix build with winldap
+ vtls: move SSL backends' private constants out of their header files
- Bug: https://github.com/curl/curl/pull/874
- Reported-by: Sergei Nikulov
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
-
- When CURLOPT_POSTFIELDS is set to an empty string libcurl will send a
- zero-byte POST. Prior to this change it was documented as sending data
- from the read callback.
+- [Johannes Schindelin brought this change]
+
+ axtls: use Curl_none_* versions of init() and cleanup()
- This also changes the wording of what happens when empty or NULL so that
- it's hopefully easier to understand for people whose primary language
- isn't English.
+ There are convenient no-op versions of the init/cleanup functions now,
+ no need to define private ones for axTLS.
- Bug: https://github.com/curl/curl/issues/862
- Reported-by: Askar Safin
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Michael Wallner brought this change]
+- [Johannes Schindelin brought this change]
- curl_multi_socket_action.3: Fix rewording
+ vtls: remove obsolete declarations of SSL backend functionality
+
+ These functions are all available via the Curl_ssl struct now, no need
+ to declare them separately anymore.
+
+ As the global declarations are removed, the corresponding function
+ definitions are marked as file-local. The only two exceptions here are
+ Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the
+ declarations were removed, there are no function definitions to mark
+ file-local.
- - Remove some erroneous text.
+ Please note that Curl_nss_force_init() is *still* declared globally, as
+ the only SSL backend-specific function, because it was introduced
+ specifically for the use case where cURL was compiled with
+ `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add
+ support for NSS, 2010-06-27).
- Closes https://github.com/curl/curl/pull/865
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Luo Jinghua brought this change]
+- [Johannes Schindelin brought this change]
- resolve: enable protocol family logic for synthesized IPv6
+ schannel: reorder functions topologically
- - Enable protocol family logic for IPv6 resolves even when support
- for synthesized addresses is enabled.
+ The _shutdown() function calls the _session_free() function; While this
+ is not a problem now (because schannel.h declares both functions), a
+ patch looming in the immediate future with make all of these functions
+ file-local.
- This is a follow up to the parent commit that added support for
- synthesized IPv6 addresses from IPv4 on iOS/OS X. The protocol family
- logic needed for IPv6 was inadvertently excluded if support for
- synthesized addresses was enabled.
+ So let's just move the _session_free() function's definition before it
+ is called.
- Bug: https://github.com/curl/curl/issues/863
- Ref: https://github.com/curl/curl/pull/866
- Ref: https://github.com/curl/curl/pull/867
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (7 Jun 2016)
-- [Luo Jinghua brought this change]
+- [Johannes Schindelin brought this change]
- resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
+ axtls: reorder functions topologically
- Use getaddrinfo() to resolve the IPv4 address literal on iOS/Mac OS X.
- If the current network interface doesn’t support IPv4, but supports
- IPv6, NAT64, and DNS64.
+ The connect_finish() function (like many other functions after it) calls
+ the Curl_axtls_close() function; While this is not a problem now
+ (because axtls.h declares the latter function), a patch looming in the
+ immediate future with make all of these functions file-local.
- Closes #866
- Fixes #863
-
-- tests: two more HTTP/2 tests
+ So let's just move the Curl_axtls_close() function's definition before
+ it is called.
- 1701 and 1702
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- runtests: don't display logs when http2 server fails to start
+- [Johannes Schindelin brought this change]
-- runtests: make stripfile work on stdout as well
+ vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl struct
+
+ That will allow us to choose the SSL backend at runtime.
- ... and have test 1700 use that to strip out the nghttpx server: headers
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- http2-tests: test1700 is the first real HTTP/2 test
+- [Johannes Schindelin brought this change]
+
+ vtls: convert the have_curlssl_* constants to runtime flags
- It requires that 'nghttpx' is in the PATH, and it will run the tests
- using nghttpx as a front-end proxy in front of the standard HTTP/1 test
- server. This uses HTTP/2 over plain TCP.
+ The entire idea of introducing the Curl_ssl struct to describe SSL
+ backends is to prepare for choosing the SSL backend at runtime.
- If you like me have nghttpx installed in a custom path, you can run test 1700
- like this:
+ To that end, convert all the #ifdef have_curlssl_* style conditionals
+ to use bit flags instead.
- $ PATH=$PATH:$HOME/build-nghttp2/bin/ ./runtests.pl 1700
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- RELEASE-NOTES: synced with 34855feeb4c299
+- [Johannes Schindelin brought this change]
-Steve Holme (6 Jun 2016)
-- schannel: Disable ALPN on Windows < 8.1
+ vtls: move sha256sum into the Curl_ssl struct
- Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL
- fails on Windows < 8.1 so we need to disable ALPN on these OS versions.
+ The SHA-256 checksumming is also an SSL backend-specific function.
+ Let's include it in the struct declaring the functionality of SSL
+ backends.
- Inspiration provide by: Daniel Seither
+ In contrast to MD5, there is no fall-back code. To indicate this, the
+ respective entries are NULL for those backends that offer no support for
+ SHA-256 checksumming.
- Closes #848
- Fixes #840
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Jay Satiro (5 Jun 2016)
-- checksrc: Add LoadLibrary to the banned functions list
-
- LoadLibrary was supplanted by Curl_load_library for security
- reasons in 6df916d.
+- [Johannes Schindelin brought this change]
-- http: Fix HTTP/2 connection reuse
+ vtls: move md5sum into the Curl_ssl struct
- - Change the parser to not require a minor version for HTTP/2.
+ The MD5 summing is also an SSL backend-specific function. So let's
+ include it, offering the previous fall-back code as a separate function
+ now: Curl_none_md5sum(). To allow for that, the signature had to be
+ changed so that an error could be returned from the implementation
+ (Curl_none_md5sum() can run out of memory).
- HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2
- in 8243a95 because the parser still expected a minor version.
-
- Bug: https://github.com/curl/curl/issues/855
- Reported-by: Andrew Robbins, Frank Gevaerts
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Steve Holme (4 Jun 2016)
-- connect.c: Fixed compilation warning from commit 332e8d6164
-
- connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else'
+- [Johannes Schindelin brought this change]
-- win32: Used centralised verify windows version function
+ vtls: use the Curl_ssl struct to access all SSL backends' functionality
- Closes #845
-
-- win32: Added verify windows version functionality
+ This is the first step to unify the SSL backend handling. Now all the
+ SSL backend-specific functionality is accessed via a global instance of
+ the Curl_ssl struct.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- win32: Introduced centralised verify windows version function
+- [Johannes Schindelin brought this change]
-Kamil Dudka (3 Jun 2016)
-- tool_urlglob: fix off-by-one error in glob_parse()
+ vtls: declare Curl_ssl structs for every SSL backend
- ... causing SIGSEGV while parsing URL with too many globs.
- Minimal example:
+ The idea of introducing the Curl_ssl struct was to unify how the SSL
+ backends are declared and called. To this end, we now provide an
+ instance of the Curl_ssl struct for each and every SSL backend.
- $ curl $(for i in $(seq 101); do printf '{a}'; done)
-
- Reported-by: Romain Coltel
- Bug: https://bugzilla.redhat.com/1340757
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (1 Jun 2016)
-- [Benjamin Kircher brought this change]
+- [Johannes Schindelin brought this change]
- libcurl-multi.3: fix small typo
+ vtls: introduce a new struct for SSL backends
+
+ This new struct is similar in nature to Curl_handler: it will define the
+ functions and capabilities of all the SSL backends (where Curl_handler
+ defines the functions and capabilities of protocol handlers).
- Closes #850
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Viktor Szakats brought this change]
+- [Johannes Schindelin brought this change]
- makefile.m32: add crypt32 for winssl builds
+ vtls: make sure every _sha256sum()'s first arg is const
- Dependency added by 6cabd78
+ This patch makes the signature of the _sha256sum() functions consistent
+ among the SSL backends, in preparation for unifying the way all SSL
+ backends are accessed.
- Closes #849
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Ivan Avdeev brought this change]
+- [Johannes Schindelin brought this change]
- vtls: fix ssl session cache race condition
+ vtls: make sure all _data_pending() functions return bool
- Sessionid cache management is inseparable from managing individual
- session lifetimes. E.g. for reference-counted sessions (like those in
- SChannel and OpenSSL engines) every session addition and removal
- should be accompanied with refcount increment and decrement
- respectively. Failing to do so synchronously leads to a race condition
- that causes symptoms like use-after-free and memory corruption.
- This commit:
- - makes existing session cache locking explicit, thus allowing
- individual engines to manage lock's scope.
- - fixes OpenSSL and SChannel engines by putting refcount management
- inside this lock's scope in relevant places.
- - adds these explicit locking calls to other engines that use
- sessionid cache to accommodate for this change. Note, however,
- that it is unknown whether any of these engines could also have
- this race.
+ This patch makes the signature of the _data_pending() functions
+ consistent among the SSL backends, in preparation for unifying the way
+ all SSL backends are accessed.
- Bug: https://github.com/curl/curl/issues/815
- Fixes #815
- Closes #847
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Andrew Kurushin brought this change]
+- [Johannes Schindelin brought this change]
- schannel: add CURLOPT_CERTINFO support
+ vtls: make sure all _cleanup() functions return void
+
+ This patch makes the signature of the _cleanup() functions consistent
+ among the SSL backends, in preparation for unifying the way all SSL
+ backends are accessed.
- Closes #822
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- RELEASE-NOTES: synced with 142ee9fa15002315
+- [Johannes Schindelin brought this change]
-- openssl: rename the private SSL_strerror
+ vtls: use consistent signature for _random() implementations
- ... to make it not look like an OpenSSL function
-
-- [Michael Kaufmann brought this change]
-
- openssl: Use correct buffer sizes for error messages
+ This will make the upcoming multissl backend much easier to implement.
- Closes #844
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- curl: fix -q [regression]
+- strtooff: fix build for systems with long long but no strtoll option
- This broke in 7.49.0 with commit e200034425a7625
+ Closes #1829
- Fixes #842
+ Reported-by: Dan Fandrich
+ Bug: https://github.com/curl/curl/pull/1758#issuecomment-324861615
-- URL parser: allow URLs to use one, two or three slashes
+- darwinssl: handle long strings in TLS certs
- Mostly in order to support broken web sites that redirect to broken URLs
- that are accepted by browsers.
+ ... as the previous fixed length 128 bytes buffer was sometimes too
+ small.
- Browsers are typically even more leniant than this as the WHATWG URL
- spec they should allow an _infinite_ amount. I tested 8000 slashes with
- Firefox and it just worked.
+ Fixes #1823
+ Closes #1831
- Added test case 1141, 1142 and 1143 to verify the new parser.
-
- Closes #791
+ Reported-by: Benjamin Sergeant
+ Assisted-by: Bill Pyne, Ray Satiro, Nick Zitzmann
-- [Renaud Lehoux brought this change]
+- system.h: include sys/poll.h for AIX
+
+ ... to get the event/revent defines that might be used for the poll
+ struct.
+
+ Reported-by: Michael Smith
+ Fixes #1828
+ Closes #1833
- cmake: Added missing mbedTLS support
+Dan Fandrich (26 Aug 2017)
+- tests: Make sure libtests & unittests call curl_global_cleanup()
- Closes #837
+ These were missed in commit c468c27b.
-- [Renaud Lehoux brought this change]
+Jay Satiro (26 Aug 2017)
+- [theantigod brought this change]
- mbedtls: removed unused variables
+ winbuild: fix embedded manifest option
- Closes #838
+ Embedded manifest option didn't work due to incorrect path.
+
+ Fixes https://github.com/curl/curl/issues/1832
+
+Daniel Stenberg (25 Aug 2017)
+- fuzz/Makefile.am: remove curlbuild.h leftovers
-- [Frank Gevaerts brought this change]
+- examples/threaded-ssl: mention that this is for openssl before 1.1
- http: add CURLINFO_HTTP_VERSION and %{http_version}
+- imap: use defined names for response codes
- Adds access to the effectively used http version to both libcurl and
- curl.
+ When working on this code I found the previous setup a bit weird while
+ using proper defines increases readability.
- Closes #799
+ Closes #1824
-- bump: start the journey toward 7.50.0
+- CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD
-- [Marcel Raad brought this change]
+- imap: support PREAUTH
+
+ It is a defined possible greeting at server startup that means the
+ connection is already authenticated. See
+ https://tools.ietf.org/html/rfc3501#section-7.1.4
+
+ Test 846 added to verify.
+
+ Fixes #1818
+ Closes #1820
- openssl: fix build with OPENSSL_NO_COMP
+Jay Satiro (23 Aug 2017)
+- config-tpf: define SIZEOF_LONG
- With OPENSSL_NO_COMP defined, there is no function
- SSL_COMP_free_compression_methods
+ Recent changes that replaced CURL_SIZEOF_LONG in the source with
+ SIZEOF_LONG broke builds that use the premade configuration files and
+ don't have SIZEOF_LONG defined.
- Closes #836
+ Bug: https://github.com/curl/curl/issues/1816
+
+Dan Fandrich (23 Aug 2017)
+- test1453: Fixed <features>
+Daniel Stenberg (22 Aug 2017)
- [Gisle Vanem brought this change]
- memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
+ config-dos: add missing defines, SIZEOF_* and two others
- Fixes #828
+ Bug: #1816
-- [Jonathan brought this change]
-
- README.md: polish
+- curl: shorten and clean up CA cert verification error message
+
+ The previous message was just too long for ordinary people and it was
+ encouraging users to use `--insecure` a little too easy.
- Closes #834
+ Based-on-work-by: Frank Denis
+
+ Closes #1810
+ Closes #1817
-- RELEASE-NOTES: fix vuln link
+- request-target.d: mention added in 7.55.0
-Version 7.49.1 (30 May 2016)
+Marcel Raad (22 Aug 2017)
+- tool_main: turn off MinGW CRT's globbing
+
+ By default, the MinGW CRT globs command-line arguments. This prevents
+ getting a single asterisk into an argument as test 1299 does. Turn off
+ globbing by setting the global variable _CRT_glob to 0 for MinGW.
+
+ Fixes https://github.com/curl/curl/issues/1751
+ Closes https://github.com/curl/curl/pull/1813
-Daniel Stenberg (30 May 2016)
-- RELEASE-NOTES: 7.49.1
+Viktor Szakats (22 Aug 2017)
+- makefile.m32: add support for libidn2
+
+ libidn was replaced with libidn2 last year in configure.
+ Caveat: libidn2 may depend on a list of further libs.
+ These can be manually specified via CURL_LDFLAG_EXTRAS.
+
+ Closes https://github.com/curl/curl/pull/1815
-- [Steve Holme brought this change]
+Jay Satiro (22 Aug 2017)
+- [Viktor Szakats brought this change]
- loadlibrary: Only load system DLLs from the system directory
+ config-win32: define SIZEOF_LONG
+
+ Recent changes that replaced CURL_SIZEOF_LONG in the source with
+ SIZEOF_LONG broke builds that use the premade configuration files and
+ don't have SIZEOF_LONG defined.
- Inspiration provided by: Daniel Stenberg and Ray Satiro
+ Closes https://github.com/curl/curl/pull/1814
+
+Daniel Stenberg (20 Aug 2017)
+- cmake: enable picky compiler options with clang and gcc
- Bug: https://curl.haxx.se/docs/adv_20160530.html
+ closes #1799
+
+- curl/system.h: fix build for hppa
- Ref: Windows DLL hijacking with curl, CVE-2016-4802
+ Reported-by: John David Anglin
+ Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872502#10
-- ssh: fix version number check typo
+- [Even Rouault brought this change]
-Jay Satiro (29 May 2016)
-- curl_share_setopt.3: Add min ver needed for ssl session lock
+ tftp: fix memory leak on too long filename
+
+ Fixes
+
+ $ valgrind --leak-check=full ~/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
- Bug: https://github.com/curl/curl/issues/826
- Reported-by: Michael Wallner
+ ==9752== Memcheck, a memory error detector
+ ==9752== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
+ ==9752== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
+ ==9752== Command: /home/even/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
+ ==9752==
+ curl: (71) TFTP file name too long
+
+ ==9752==
+ ==9752== HEAP SUMMARY:
+ ==9752== 505 bytes in 1 blocks are definitely lost in loss record 11 of 11
+ ==9752== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==9752== by 0x4E61CED: Curl_urldecode (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E75868: tftp_state_machine (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E761B6: tftp_do (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E711B6: multi_runsingle (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E71D00: curl_multi_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E6950D: curl_easy_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x40E0B7: operate_do (in /home/even/install-curl-git/bin/curl)
+ ==9752== by 0x40E849: operate (in /home/even/install-curl-git/bin/curl)
+ ==9752== by 0x402693: main (in /home/even/install-curl-git/bin/curl)
+
+ Fixes https://oss-fuzz.com/v2/testcase-detail/5232311106797568
+ Credit to OSS Fuzz
+
+ Closes #1808
-Daniel Stenberg (29 May 2016)
-- ssh: fix build for libssh2 before 1.2.6
+Dan Fandrich (19 Aug 2017)
+- runtests: fixed case insensitive matching of keywords
- The statvfs functionality was added to libssh2 in that version, so we
- switch off that functionality when built with older libraries.
+ Commit 5c2aac71 didn't work in the case of mixed-case keywords given on
+ the command-line.
+
+- tests: Make sure libtests call curl_global_cleanup()
- Fixes #831
+ This ensures that global data allocations are freed so Valgrind stays
+ happy. This was a problem with at least PolarSSL and mbedTLS.
+
+Daniel Stenberg (18 Aug 2017)
+- RELEASE-NOTES: synced with 8baead425
+
+- scripts/contri*sh: use "git log --use-mailmap"
+
+- mailmap: de-duplify some git authors
-- mbedtls: fix includes so snprintf() works
+- http2_recv: return error better on fatal h2 errors
- Regression from the previous *printf() rearrangements, this file missed to
- include the correct header to make sure snprintf() works universally.
+ Ref #1012
+ Figured-out-by: Tatsuhiro Tsujikawa
+
+- KNOWN_BUGS: HTTP test server 'connection-monitor' problems
- Reported-by: Moti Avrahami
- Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
+ Closes #868
-Steve Holme (23 May 2016)
-- checksrc.pl: Added variants of strcat() & strncat() to banned function list
+- curl/system.h: check for __ppc__ as well
+
+ ... regression since issue #1774 (commit 10b3df10596a) since obviously
+ some older gcc doesn't know __powerpc__ while some newer doesn't know
+ __ppc__ ...
- Added support for checking the tchar, unicode and mbcs variants of
- strcat() and strncat() in the banned function list.
+ Fixes #1797
+ Closes #1798
+ Reported-by: Ryan Schmidt
-Daniel Stenberg (23 May 2016)
-- smtp: minor ident (white space) fixes
+- [Jan Alexander Steffens (heftig) brought this change]
-- THANKS: updated after script fixes
+ http: Don't wait on CONNECT when there is no proxy
+
+ Since curl 7.55.0, NetworkManager almost always failed its connectivity
+ check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP
+ CONNECT process entirely non-blocking).
- Now giving credit properly to github user names, fixed some UTF-8 issues
- and added names discovered when contrithanks was improved.
+ This patch replaces !Curl_connect_complete with Curl_connect_ongoing,
+ which returns false if the CONNECT state was left uninitialized and lets
+ the connection continue.
+
+ Closes #1803
+ Fixes #1804
+
+ Also-fixed-by: Gergely Nagy
-- THANKS-filter: more name cleanups
+- [Johannes Schindelin brought this change]
-- contrithanks.sh: exclude existing names case insensitively
+ metalink: adjust source code style
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- contrithanks.sh: use same grep pattern and -a flag as contributors.sh
+- CURL_SIZEOF_LONG: removed, use only SIZEOF_LONG
-- contributors.sh: better grep pattern, use grep -a
+- lib557: no longer use CURL_SIZEOF_* defines
-- THANKS-filter: fix more names
+- config-win32: define SIZEOF_CURL_OFF_T
-- contrithanks.sh: do the same github fix as contributors.sh
-
- from 1577bfa35ba
+- cmake: sizeof curl_off_t, remove unused detections
-Jay Satiro (23 May 2016)
-- contributors: Show GitHub username if real name unknown
+- system.h: remove all CURL_SIZEOF_* defines
- Prior to this change if a GitHub contributor's real name was unknown
- they would be omitted from the list.
+ ... as they're not used externally and internally we check for the sizes
+ already in configure etc.
- Bug: https://github.com/curl/curl/issues/824
-
-Daniel Stenberg (21 May 2016)
-- RELEASE-NOTES: synced with 3caaeffbe8ded4
+ Closes #1767
-Jay Satiro (20 May 2016)
-- openssl: cleanup must free compression methods
+- ftp: fix CWD when doing multicwd then nocwd on same connection
- - Free compression methods if OpenSSL 1.0.2 to avoid a memory leak.
+ Fixes #1782
+ Closes #1787
+ Reported-by: Peter Lamare
+
+- CURLOPT_SSH_COMPRESSION.3: enable with 1L
- Bug: https://github.com/curl/curl/issues/817
- Reported-by: jveazey@users.noreply.github.com
+ (leaves other values reserved for the future)
-Daniel Stenberg (20 May 2016)
-- [Gisle Vanem brought this change]
+- compressed-ssh.d: "Added: 7.56.0"
+
+- curl/system.h: checksrc compliance
+
+Jay Satiro (17 Aug 2017)
+- [Viktor Szakats brought this change]
- curl_multibyte: fix compiler error
+ ssh: add the ability to enable compression (for SCP/SFTP)
+
+ The required low-level logic was already available as part of
+ `libssh2` (via `LIBSSH2_FLAG_COMPRESS` `libssh2_session_flag()`[1]
+ option.)
- While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was
- getting:
+ This patch adds the new `libcurl` option `CURLOPT_SSH_COMPRESSION`
+ (boolean) and the new `curl` command-line option `--compressed-ssh`
+ to request this `libssh2` feature. To have compression enabled, it
+ is required that the SSH server supports a (zlib) compatible
+ compression method and that `libssh2` was built with `zlib` support
+ enabled.
- f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '('
- to follow 'CURL_EXTERN'
+ [1] https://www.libssh2.org/libssh2_session_flag.html
- f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085:
- 'curl_domalloc': not in formal parameter list
+ Ref: https://github.com/curl/curl/issues/1732
+ Closes https://github.com/curl/curl/pull/1735
-- THANKS-filter: make Jan-E get proper credit
+- examples/ftpuploadresume: checksrc compliance
-- [Jan-E brought this change]
+- [Maksim Stsepanenka brought this change]
- winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
+ http_proxy: fix build error for CURL_DOES_CONVERSIONS
- Closes #818
+ Closes https://github.com/curl/curl/pull/1793
-- [Alexander Traud brought this change]
+GitHub (16 Aug 2017)
+- [Nick Zitzmann brought this change]
- libcurl.m4: Avoid obsolete warning
+ configure: check for __builtin_available() availability (#1788)
- Closes #821
+ This change does two things:
+ 1. It un-breaks the build in Xcode 9.0. (Xcode 9.0 is currently
+ failing trying to compile connectx() in lib/connect.c.)
+ 2. It finally weak-links the connectx() function, and falls back on
+ connect() when run on older operating systems.
-Jay Satiro (20 May 2016)
-- [Michael Kaufmann brought this change]
+Daniel Stenberg (16 Aug 2017)
+- travis: add metalink to some osx builds
+
+ Closes #1790
+
+- [Max Dymond brought this change]
- CURLOPT_CONNECT_TO.3: user must not free the list prematurely
+ coverage: Use two coveralls commands to get lib/vtls results
- The connect-to list isn't copied so as long as the handle may be used
- for a transfer the list must be valid.
+ closes #1747
+
+- darwinssi: fix error: variable length array used
+
+- m4/curl-compilers.m4: use proper quotes around string, not backticks
- Bug: https://github.com/curl/curl/pull/819
- Reported-by: Michael Kaufmann
+ ... when setting clang version to assume 3.7
+
+ Caused a lot of "integer expression expected" warnings by configure.
-Daniel Stenberg (19 May 2016)
-- RELEASE-NOTES: synced with 48114a8634242c
+- [Benbuck Nason brought this change]
-- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
+ cmake: remove dead code for DISABLED_THREADSAFE
- See OpenSSL commit 21e001747d4a
+ Closes #1786
-- http2: use HTTP/2 in the HTTP/1.1-alike header
+Jay Satiro (15 Aug 2017)
+- [Jakub Zakrzewski brought this change]
+
+ curl-confopts.m4: fix --disable-threaded-resolver
- ... when generating them, not "2.0" as the protocol is called just
- HTTP/2 and nothing else.
+ Closes https://github.com/curl/curl/issues/1784
+
+Daniel Stenberg (15 Aug 2017)
+- [Ryan Winograd brought this change]
-Jay Satiro (19 May 2016)
-- dist: include curl_multi_socket_all.3
+ progress: Track total times following redirects
+
+ Update the progress timers `t_nslookup`, `t_connect`, `t_appconnect`,
+ `t_pretransfer`, and `t_starttransfer` to track the total times for
+ these activities when a redirect is followed. Previously, only the times
+ for the most recent request would be tracked.
- Closes https://github.com/curl/curl/pull/816
+ Related changes:
+
+ - Rename `Curl_pgrsResetTimesSizes` to `Curl_pgrsResetTransferSizes`
+ now that the function only resets transfer sizes and no longer
+ modifies any of the progress timers.
+
+ - Add a bool to the `Progress` struct that is used to prevent
+ double-counting `t_starttransfer` times.
+
+ Added test case 1399.
+
+ Fixes #522 and Known Bug 1.8
+ Closes #1602
+ Reported-by: joshhe on github
+
+- [Benbuck Nason brought this change]
-Steve Holme (18 May 2016)
-- bump: Start work on 7.49.1
+ cmake: remove dead code for CURL_DISABLE_RTMP
+
+ Closes #1785
-Daniel Stenberg (18 May 2016)
-- curlbuild.h.dist: check __LP64__ as well to fix MIPS build
+Kamil Dudka (15 Aug 2017)
+- zsh.pl: produce a working completion script again
- The preprocessor check that sets up the 32bit defines for non-configure
- builds didn't work properly for MIPS systems as __mips__ is defined for
- both 32bit and 64bit. Now __LP64__ is also checked and indicates 64bit.
+ Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help
+ to use <file> and <dir> instead of FILE and DIR, which caused zsh.pl to
+ produce a broken completion script:
- Reported-by: Tomas Jakobsson
- Fixes #813
+ % curl --<TAB>
+ _curl:10: no such file or directory: seconds
+
+ Closes #1779
+
+Daniel Stenberg (15 Aug 2017)
+- curlver: toward 7.56.0?
-- [Marcel Raad brought this change]
+- RELEASE-NOTES: synced with 91c46dc44
- schannel: fix compile break with MSVC XP toolset
+- test1449: FTP download range with an too large size
+
+- strtoofft: reduce integer overflow risks globally
- For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK
- 7.1 is used. In this case, _USING_V110_SDK71_ is defined.
+ ... make sure we bail out on overflows.
- Closes #812
+ Reported-by: Brian Carpenter
+ Closes #1758
-- dist: include CHECKSRC.md
+- travis: build the examples too
+
+ to make sure they keep building warning-free
- Reported-by: Paul Howarth
- Bug: https://curl.haxx.se/mail/lib-2016-05/0116.html
+ Closes #1777
-- test/Makefile.am: include manpage-scan.pl and nroff-scan.pl in dist
+- runtests: match keywords case insensitively
+
+- examples/ftpuploadresume.c: use portable code
- Reported-by: Ray Satiro
- Bug: https://curl.haxx.se/mail/lib-2016-05/0113.html
+ ... converted from the MS specific _snscanf()
+
+Version 7.55.1 (13 Aug 2017)
-Version 7.49.0 (17 May 2016)
+Daniel Stenberg (13 Aug 2017)
+- RELEASE-NOTES/THANKS: curl 7.55.1 release time
-Daniel Stenberg (17 May 2016)
-- THANKS: 24 new names from 7.49.0 release notes
+- gitignore: ignore .xz now instead of .lzma
-- RELEASE-NOTES: 7.49.0
+- [Sergei Nikulov brought this change]
-- mbedtls/polarssl: set "hostname" unconditionally
+ cmake: Threads detection update. ref: #1702
- ...as otherwise the TLS libs will skip the CN/SAN check and just allow
- connection to any server. curl previously skipped this function when SNI
- wasn't used or when connecting to an IP address specified host.
+ Closes #1719
+
+- ipv6_scope: support unique local addresses
+
+ Fixes #1764
+ Closes #1773
+ Reported-by: James Slaughter
+
+- [Alex Potapenko brought this change]
+
+ curl/system.h: GCC doesn't define __ppc__ on PowerPC, uses __powerpc__
- CVE-2016-3739
+ Closes #1774
+
+- test1448: verify redirect to IDN using URL
- Bug: https://curl.haxx.se/docs/adv_20160518A.html
- Reported-by: Moti Avrahami
+ Closes #1772
-- [Frank Gevaerts brought this change]
+- [Salah-Eddin Shaban brought this change]
- CURLOPT_RESOLVE.3: fix typo
+ redirect: skip URL encoding for host names
+
+ This fixes redirects to IDN URLs
- Closes #811
+ Fixes #1441
+ Closes #1762
+ Reported by: David Lord
-- docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE
+- test2032: mark as flaky (again)
-- KNOWN_BUGS: GnuTLS backend skips really long certificate fields
+- travis: test cmake build on tarball too
- Closes #762
+ Could've prevented #1755
-- CURLOPT_HTTPPOST.3: the data needs to be around while in use
+- [Simon Warta brought this change]
-- openssl: get_cert_chain: fix NULL dereference
+ cmake: allow user to override CMAKE_DEBUG_POSTFIX
- CID 1361815: Explicit null dereferenced (FORWARD_NULL)
+ Closes #1763
+
+- connect-to.d: better language
-- openssl: get_cert_chain: avoid NULL dereference
+- connect-to.d: clarified
+
+- bagder/Curl_tvdiff_us: fix the math
+
+ Regression since adef394ac5 (released in 7.55.0)
- CID 1361811: Explicit null dereferenced (FORWARD_NULL)
+ Reported-by: Han Qiao
+ Fixes #1769
+ Closes #1771
-- dprintf_formatf: fix (false?) Coverity warning
+- curl/system.h: add Oracle Solaris Studio
- CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when
- we run over 'workend' but the condition says <= workend and for all I
- can see it should be safe. Compensating for the warning by adding a byte
- margin in the buffer.
+ Fixes #1752
+
+- [Alessandro Ghedini brought this change]
+
+ docs: fix typo funtion -> function
- Also, removed the extra brace level indentation in the code and made it
- so that 'workend' is only assigned once within the function.
+ Closes #1770
-- RELEASE-NOTES: synced with 2dcb5adc72d6
+Alessandro Ghedini (12 Aug 2017)
+- docs: fix grammar in CURL_SSLVERSION_MAX_DEFAULT description
-- THANKS-filter: fixed Jonathan Cardoso
+- docs: fix typo stuct -> struct
-Jay Satiro (15 May 2016)
-- ftp: fix incorrect out-of-memory code in Curl_pretransfer
+Dan Fandrich (12 Aug 2017)
+- test1447: require a curl with http support
+
+Daniel Stenberg (11 Aug 2017)
+- [Thomas Petazzoni brought this change]
+
+ curl/system.h: support more architectures
- - Return value type must match function type.
+ The long list of architectures in include/curl/system.h is annoying to
+ maintain, and needs to be extended for each and every architecture to
+ support.
- s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/
+ Instead, let's rely on the __SIZEOF_LONG__ define of the gcc compiler
+ (we are in the GNUC condition anyway), which tells us if long is 4
+ bytes or 8 bytes.
- Caught by Travis CI
-
-Daniel Stenberg (15 May 2016)
-- ftp wildcard: segfault due to init only in multi_perform
+ This fixes the build of libcurl 7.55.0 on architectures such as
+ OpenRISC or ARC.
- The proper FTP wildcard init is now more properly done in Curl_pretransfer()
- and the corresponding cleanup in Curl_close().
+ Closes #1766
- The previous place of init/cleanup code made the internal pointer to be NULL
- when this feature was used with the multi_socket() API, as it was made within
- the curl_multi_perform() function.
+ Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+- test2033: this went flaky again
- Reported-by: Jonathan Cardoso Machado
- Fixes #800
+ Suspicion: when we enabled the threaded resolver by default.
+
+- test1447: verifies the parse proxy fix in 6e0e152ce5c
+
+- [Even Rouault brought this change]
-Jay Satiro (13 May 2016)
-- libcurl-tlibcurl-thread: Update OpenSSL links
+ parse_proxy(): fix memory leak in case of invalid proxy server name
- Because the old OpenSSL link now redirects to their master documentation
- (currently 1.1.0), which does not document the required actions for
- OpenSSL <= 1.0.2.
+ Fixes the below leak:
+
+ $ valgrind --leak-check=full ~/install-curl-git/bin/curl --proxy "http://a:b@/x" http://127.0.0.1
+ curl: (5) Couldn't resolve proxy name
+ ==5048==
+ ==5048== HEAP SUMMARY:
+ ==5048== in use at exit: 532 bytes in 12 blocks
+ ==5048== total heap usage: 5,288 allocs, 5,276 frees, 445,271 bytes allocated
+ ==5048==
+ ==5048== 2 bytes in 1 blocks are definitely lost in loss record 1 of 12
+ ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5048== by 0x4E6CB79: parse_login_details (url.c:5614)
+ ==5048== by 0x4E6BA82: parse_proxy (url.c:5091)
+ ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+ ==5048== by 0x4E6EA18: create_conn (url.c:6498)
+ ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967)
+ ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436)
+ ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160)
+ ==5048== by 0x4E7C515: easy_transfer (easy.c:708)
+ ==5048== by 0x4E7C74A: easy_perform (easy.c:794)
+ ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+ ==5048== by 0x414025: operate_do (tool_operate.c:1563)
+ ==5048==
+ ==5048== 2 bytes in 1 blocks are definitely lost in loss record 2 of 12
+ ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5048== by 0x4E6CBB6: parse_login_details (url.c:5621)
+ ==5048== by 0x4E6BA82: parse_proxy (url.c:5091)
+ ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+ ==5048== by 0x4E6EA18: create_conn (url.c:6498)
+ ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967)
+ ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436)
+ ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160)
+ ==5048== by 0x4E7C515: easy_transfer (easy.c:708)
+ ==5048== by 0x4E7C74A: easy_perform (easy.c:794)
+ ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+ ==5048== by 0x414025: operate_do (tool_operate.c:1563)
+
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2984
+ Credit to OSS Fuzz for discovery
+
+ Closes #1761
-Daniel Stenberg (13 May 2016)
-- [Viktor Szakats brought this change]
+- RELEASE-NOTES: synced with 37f2195a9
- darwinssl.c: fix OS X codename typo in comment
+- curlver: bump to 7.55.1
-- RELEASE-NOTES: synced with 68701e51c1f7
+- openssl: fix "error: this statement may fall through"
- Added 8 bug fixes and 5 more contrbutors
+ A gcc7 warning.
-- [Jay Satiro brought this change]
+- [David Benjamin brought this change]
- mprintf: Fix processing of width and prec args
+ openssl: remove CONST_ASN1_BIT_STRING.
+
+ Just making the pointer as const works for the pre-1.1.0 path too.
- Prior to this change a width arg could be erroneously output, and also
- width and precision args could not be used together without crashing.
+ Closes #1759
+
+- maketgz: remove old *.dist files before making the tarball
- "%0*d%s", 2, 9, "foo"
+ To avoid "old crap" unintentionally getting shipped.
- Before: "092"
- After: "09foo"
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0050.html
+ Reported-by: Christian Weisgerber
+
+Jay Satiro (10 Aug 2017)
+- mkhelp.pl: allow executing this script directly
- "%*.*s", 5, 2, "foo"
+ - Enable execute permission (chmod +x)
- Before: crash
- After: " fo"
+ - Change interpreter to /usr/bin/env perl
- Test 557 is updated to verify this and more
+ Ref: https://github.com/curl/curl/issues/1743
-- [Michael Kaufmann brought this change]
+Daniel Stenberg (10 Aug 2017)
+- configure: use the threaded resolver backend by default if possible
+
+ Closes #1647
- ConnectionExists: follow-up fix for proxy re-use
+- cmake: move cmake_uninstall.cmake to CMake/
- Follow-up commit to 5823179
+ Closes #1756
+
+- metalink: fix error: ‘*’ in boolean context, suggest ‘&&’ instead
+
+- dist: fix the cmake build by shipping cmake_uninstall.cmake.in too
- Closes #648
+ Fixes #1755
-- [Per Malmberg brought this change]
+- travis: verify "make install"
+
+ Help-by: Jay Satiro
+ Closes #1753
- darwinssl: fix certificate verification disable on OS X 10.8
+Marcel Raad (10 Aug 2017)
+- build: check out *.sln files with Windows line endings
- The new way of disabling certificate verification doesn't work on
- Mountain Lion (OS X 10.8) so we need to use the old way in that version
- too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2
- and 10.11.
+ Visual Studio doesn't like LF line endings in solution files and always
+ converts them to CRLF when doing changes to the solution. Notably, this
+ affects the solutions in the release archive.
- Closes #802
+ Closes https://github.com/curl/curl/pull/1746
-- [Cory Benfield brought this change]
+- gitignore: ignore top-level .vs folder
+
+ This folder is generated when using the CMake build system from within
+ Visual Studio.
+
+ Closes https://github.com/curl/curl/pull/1746
- http2: Add space between colon and header value
+Jay Satiro (10 Aug 2017)
+- digest_sspi: Don't reuse context if the user/passwd has changed
- curl's representation of HTTP/2 responses involves transforming the
- response to a format that is similar to HTTP/1.1. Prior to this change,
- curl would do this by separating header names and values with only a
- colon, without introducing a space after the colon.
+ Bug: https://github.com/curl/curl/issues/1685
+ Reported-by: paulharris@users.noreply.github.com
- While this is technically a valid way to represent a HTTP/1.1 header
- block, it is much more common to see a space following the colon. This
- change introduces that space, to ensure that incautious tools are safely
- able to parse the header block.
+ Assisted-by: Isaac Boukris
- This also ensures that the difference between the HTTP/1.1 and HTTP/2
- response layout is as minimal as possible.
+ Closes https://github.com/curl/curl/pull/1742
+
+Daniel Stenberg (9 Aug 2017)
+- [Adam Sampson brought this change]
+
+ dist: Add dictserver.py/negtelnetserver.py to EXTRA_DIST
- Bug: https://github.com/curl/curl/issues/797
+ These weren't included in the 7.55.0 release, but are required in order
+ to run the full test suite.
- Closes #798
- Fixes #797
+ Closes #1744
+
+- [Adam Sampson brought this change]
-Kamil Dudka (12 May 2016)
-- openssl: fix compile-time warning in Curl_ossl_check_cxn()
+ curl: do bounds check using a double comparison
+
+ The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
+ complete: if the parsed number in num is larger than will fit in a long,
+ the conversion is undefined behaviour (causing test1427 to fail for me
+ on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting
+ rid of the cast means the comparison will be done using doubles.
- ... introduced in curl-7_48_0-293-g2968c83:
+ It might make more sense for the max argument to also be a double...
- Error: COMPILER_WARNING:
- lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’
- lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’
- may alter its value [-Wconversion]
+ Fixes #1750
+ Closes #1749
-Jay Satiro (11 May 2016)
-- openssl: stricter connection check function
+- make install: add 8 missing man pages to the installation
+
+- build: fix 'make install' with configure, install docs/libcurl/* too
- - In the case of recv error, limit returning 'connection still in place'
- to EINPROGRESS, EAGAIN and EWOULDBLOCK.
+ Broken since d24838d4da9faa
- This is an improvement on the parent commit which changed the openssl
- connection check to use recv MSG_PEEK instead of SSL_peek.
+ Reported-by: Bernard Spil
+
+Version 7.55.0 (9 Aug 2017)
+
+Daniel Stenberg (9 Aug 2017)
+- RELEASE-NOTES: curl 7.55.0
+
+- THANKS: 20 new contributors in 7.55.0
+
+- [Viktor Szakats brought this change]
+
+ docs/comments: Update to secure URL versions
- Ref: https://github.com/curl/curl/commit/856baf5#comments
+ Closes #1741
-Daniel Stenberg (11 May 2016)
-- [Anders Bakken brought this change]
+- configure: fix recv/send/select detection on Android
+
+ ... since they now provide several functions as
+ __attribute__((overloadable)), the argument detection logic need
+ updates.
+
+ Patched-by: destman at github
+
+ Fixes #1738
+ Closes #1739
- TLS: SSL_peek is not a const operation
+Marcel Raad (8 Aug 2017)
+- ax_code_coverage.m4: update to latest version
- Calling SSL_peek can cause bytes to be read from the raw socket which in
- turn can upset the select machinery that determines whether there's data
- available on the socket.
+ This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d
+ from August 01, 2017. Notably, this removes the lconv version whitelist.
- Since Curl_ossl_check_cxn only tries to determine whether the socket is
- alive and doesn't actually need to see the bytes SSL_peek seems like
- the wrong function to call.
+ Closes https://github.com/curl/curl/pull/1716
+
+Daniel Stenberg (7 Aug 2017)
+- test1427: verify command line parser integer overflow detection
+
+- curl: detect and bail out early on parameter integer overflows
- We're able to occasionally reproduce a connect timeout due to this
- bug. What happens is that Curl doesn't know to call SSL_connect again
- after the peek happens since data is buffered in the SSL buffer and thus
- select won't fire for this socket.
+ Make the number parser aware of the maximum limit curl accepts for a
+ value and return an error immediately if larger, instead of running an
+ integer overflow later.
- Closes #795
+ Fixes #1730
+ Closes #1736
-Jay Satiro (9 May 2016)
-- [Daniel Stenberg brought this change]
+- glob: do not continue parsing after a strtoul() overflow range
+
+ Added test 1289 to verify.
+
+ CVE-2017-1000101
+
+ Bug: https://curl.haxx.se/docs/adv_20170809A.html
+ Reported-by: Brian Carpenter
- TLS: move the ALPN/NPN enable bits to the connection
+- tftp: reject file name lengths that don't fit
- Only protocols that actually have a protocol registered for ALPN and NPN
- should try to get that negotiated in the TLS handshake. That is only
- HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
- would wrongly be used in all handshakes if libcurl was built with it
- enabled.
+ ... and thereby avoid telling send() to send off more bytes than the
+ size of the buffer!
- Reported-by: Jay Satiro
+ CVE-2017-1000100
+
+ Bug: https://curl.haxx.se/docs/adv_20170809B.html
+ Reported-by: Even Rouault
- Fixes #789
+ Credit to OSS-Fuzz for the discovery
-Daniel Stenberg (8 May 2016)
-- libcurl-thread.3: openssl 1.1.0 is safe, and so is boringssl
+- [Even Rouault brought this change]
-- [Antonio Larrosa brought this change]
+ file: output the correct buffer to the user
+
+ Regression brought by 7c312f84ea930d8 (April 2017)
+
+ CVE-2017-1000099
+
+ Bug: https://curl.haxx.se/docs/adv_20170809C.html
+
+ Credit to OSS-Fuzz for the discovery
- connect: fix invalid "Network is unreachable" errors
+- easy_events: make event data static
- Sometimes, in systems with both ipv4 and ipv6 addresses but where the
- network doesn't support ipv6, Curl_is_connected returns an error
- (intermittently) even if the ipv4 socket connects successfully.
+ First: this function is only used in debug-builds and not in
+ release/real builds. It is used to drive tests using the event-based
+ API.
- This happens because there's a for-loop that iterates on the sockets but
- the error variable is not resetted when the ipv4 is checked and is ok.
+ A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the
+ CURLMOPT_TIMERFUNCTION calback can in fact be called even after this
+ funtion returns, namely when curl_multi_remove_handle() is called.
- This patch fixes this problem by setting error to 0 when checking the
- second socket and not having a result yet.
+ Reported-by: Brian Carpenter
+
+- getparameter: avoid returning uninitialized 'usedarg'
- Fixes #794
+ Fixes #1728
-Jay Satiro (5 May 2016)
-- FAQ: refer to thread safety guidelines
+Marcel Raad (5 Aug 2017)
+- [Isaac Boukris brought this change]
-Daniel Stenberg (3 May 2016)
-- connections: non-HTTP proxies on different ports aren't reused either
+ gssapi: fix memory leak of output token in multi round context
- Reported-by: Oleg Pudeyev and fuchaoqun
+ When multiple rounds are needed to establish a security context
+ (usually ntlm), we overwrite old token with a new one without free.
+ Found by proposed gss tests using stub a gss implementation (by
+ valgrind error), though I have confirmed the leak with a real
+ gssapi implementation as well.
- Fixes #648
+ Closes https://github.com/curl/curl/pull/1733
-- http: make sure a blank header overrides accept_decoding
+- darwinssl: fix compiler warning
- Reported-by: rcanavan
- Assisted-by: Isaac Boukris
- Closes #785
+ clang complains:
+ vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive
+ [-Werror,-Wextra-tokens]
+
+ This breaks the darwinssl build on Travis. Fix it by making this token
+ a comment.
+
+ Closes https://github.com/curl/curl/pull/1734
-- CHECKSRC.md: clarified, explained the whitelist file
+- CMake: fix CURL_WERROR for MSVC
+
+ When using CURL_WERROR in MSVC builds, the debug flags were overridden
+ by the release flags and /WX got added twice in debug mode.
+
+ Closes https://github.com/curl/curl/pull/1715
+
+Daniel Stenberg (4 Aug 2017)
+- RELEASE-NOTES: synced with 561e9217c
-- nroff-scan.pl: verify that references are made with \fI
+- test1010: verify that #1718 is fixed
+
+ ... by doing two transfers in nocwd mode and check that there's no
+ superfluous CWD command.
-- docs: unified man page references to use \fI
+- FTP: skip unnecessary CWD when in nocwd mode
+
+ ... when reusing a connection. If it didn't do any CWD previously.
+
+ Fixes #1718
-- TODO: 17.14 --fail without --location should treat 3xx as a failure
+Marcel Raad (4 Aug 2017)
+- travis: explicitly specify dist
- Closes #727
+ This makes the builds more reproducible as travis is currently rolling
+ out trusty as default dist [1]. Specifically, this avoids coverage
+ check failures when trusty is used as seen in [2] until we figure out
+ what's wrong.
+
+ [1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming
+ [2] https://github.com/curl/curl/pull/1692
+
+ Closes https://github.com/curl/curl/pull/1725
-- RELEASE-NOTES: synced with 7987f5cb14d
+Daniel Stenberg (4 Aug 2017)
+- travis: BUILD_TYPE => T
+
+ (to make the full line appear nicer on travis web UI)
-- [Isaac Boukris brought this change]
+- travis: add osx build with darwinssl
+
+ Closes #1706
- CURLOPT_ACCEPT_ENCODING.3: Follow-up clarification
+- darwin: silence compiler warnings
- Mention possible content-length mismatch with sum of bytes reported
- by write callbacks when auto decoding is enabled.
+ With a clang pragma and three type fixes
- See #785
+ Fixes #1722
-- test1140: run nroff-scan to verify man pages
+- BUILD.WINDOWS: mention buildconf.bat for builds off git
-- nroff-scan.pl: verify the .BR references as well
+- darwinssl: fix curlssl_sha256sum() compiler warnings on first argument
-- CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page reference
+- test130: verify comments in .netrc
-- CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGE
+- [Gisle Vanem brought this change]
-- curl_easy_pause.3: fix man page reference
+ netrc: skip lines starting with '#'
+
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html
-Jay Satiro (1 May 2016)
-- tool_cb_hdr: Fix --remote-header-name with schemeless URL
+Marcel Raad (3 Aug 2017)
+- CMake: set MSVC warning level to 4
+
+ The MSVC warning level defaults to 3 in CMake. Change it to 4, which is
+ consistent with the Visual Studio and NMake builds. Disable level 4
+ warning C4127 for the library and additionally C4306 for the test
+ servers to get a clean CURL_WERROR build as that warning is raised in
+ some macros in older Visual Studio versions.
- - Move the existing scheme check from tool_operate.
+ Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794
+ Closes https://github.com/curl/curl/pull/1711
+
+Daniel Stenberg (2 Aug 2017)
+- CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2
- In the case of --remote-header-name we want to parse Content-disposition
- for a filename, but only if the scheme is http or https. A recent
- adjustment 0dc4d8e was made to account for schemeless URLs however it's
- not 100% accurate. To remedy that I've moved the scheme check to the
- header callback, since at that point the library has already determined
- the scheme.
+ Reported-by: Viktor Szakats
+
+- CURLOPT_NETRC.3: mention the file name on windows
- Bug: https://github.com/curl/curl/issues/760
- Reported-by: Kai Noda
+ ... and CURLOPT_NETRC_FILE(3).
+
+- travis: build osx with libressl too
+
+- travis: build osx with openssl too
+
+- tests/server/util: fix curltime mistake from 4dee50b9c80f9
-Daniel Stenberg (1 May 2016)
-- tls: make setting pinnedkey option fail if not supported
+Marcel Raad (1 Aug 2017)
+- curl_threads: fix MSVC compiler warning
- to make it obvious to users trying to use the feature with TLS backends
- not supporting it.
+ Use LongToHandle to convert from long to HANDLE in the Win32
+ implementation.
+ This should fix the following warning when compiling with
+ MSVC 11 (2012) in 64-bit mode:
+ lib\curl_threads.c(113): warning C4306:
+ 'type cast' : conversion from 'long' to 'HANDLE' of greater size
- Discussed in #781
- Reported-by: Travis Burtrum
+ Closes https://github.com/curl/curl/pull/1717
-- nroff-scan.pl: verifies nroff pages
+Daniel Stenberg (1 Aug 2017)
+- BUGS: improved phrasing about security bugs
- ... not used by any test yet but can be used stand-alone.
+ Reported-by: Max Dymond
-- opts: fix broken/bad references
+- BUGS: clarify how to report security related bugs
-- [Michael Kaufmann brought this change]
+- [Brad Spencer brought this change]
- docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3
+ multi: fix request timer management
- Closes #786
-
-- CURLOPT_ACCEPT_ENCODING.3: clarified
+ There are some bugs in how timers are managed for a single easy handle
+ that causes the wrong "next timeout" value to be reported to the
+ application when a new minimum needs to be recomputed and that new
+ minimum should be an existing timer that isn't currently set for the
+ easy handle. When the application drives a set of easy handles via the
+ `curl_multi_socket_action()` API (for example), it gets told to wait the
+ wrong amount of time before the next call, which causes requests to
+ linger for a long time (or, it is my guess, possibly forever).
- As discussed in #785
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html
-- curl.1: --mail-rcpt can be used multiple times
+Jay Satiro (1 Aug 2017)
+- curl_setup: Define CURL_NO_OLDIES for building libcurl
+
+ .. to catch accidental use of deprecated error codes.
- Reported-by: mgendre
- Closes #784
+ Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237
-- [Karlson2k brought this change]
+Daniel Stenberg (1 Aug 2017)
+- [Jeremy Tan brought this change]
- tests: Use 'pathhelp' for paths conversions in secureserver.pl
+ configure: fix the check for IdnToUnicode
+
+ Fixes #1669
+ Closes #1713
+
+- http: fix response code parser to avoid integer overflow
+
+ test 1429 and 1433 were updated to work with the stricter HTTP status line
+ parser.
- Closes #675
+ Closes #1714
+ Reported-by: Brian Carpenter
-- [Karlson2k brought this change]
+Jay Satiro (31 Jul 2017)
+- [Dwarakanath Yadavalli brought this change]
- tests: Use 'pathhelp' for paths conversions in sshserver.pl
+ libcurl: Stop using error codes defined under CURL_NO_OLDIES
+
+ Fixes https://github.com/curl/curl/issues/1688
+ Closes https://github.com/curl/curl/pull/1712
-- [Karlson2k brought this change]
+- include.d: clarify --include is only for response headers
+
+ Follow-up to 171f8de and de6de94.
+
+ Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851
+ Reported-by: Daniel Stenberg
- tests: Use 'pathhelp' for current path in runtests.pl
+Daniel Stenberg (30 Jul 2017)
+- [Jason Juang brought this change]
-- [Karlson2k brought this change]
+ cmake: support make uninstall
+
+ Closes #1674
- tests: pathhelp.pm to process paths on Msys/Cygwin
+- RELEASE-NOTES: synced with 001701c47
-- lib: include curl_printf.h as one of the last headers
+Marcel Raad (29 Jul 2017)
+- AppVeyor: now really use CURL_WERROR
- curl_printf.h defines printf to curl_mprintf, etc. This can cause
- problems with external headers which may use
- __attribute__((format(printf, ...))) markers etc.
+ It was misspelled as CURL_ERROR in commit
+ 2d86e8d1286e0fbe3d811e2e87fa0b5e53722db4.
- To avoid that they cause problems with system includes, we include
- curl_printf.h after any system headers. That makes the three last
- headers to always be, and we keep them in this order:
+ Closes https://github.com/curl/curl/pull/1686
+
+Jay Satiro (29 Jul 2017)
+- tool_help: clarify --include is only for response headers
- curl_printf.h
- curl_memory.h
- memdebug.h
+ Follow-up to 171f8de.
- None of them include system headers, they all do funny #defines.
+ Ref: https://github.com/curl/curl/issues/1704
+
+- splay: fix signed/unsigned mismatch warning
- Reported-by: David Benjamin
+ Follow-up to 4dee50b.
- Fixes #743
+ Ref: https://github.com/curl/curl/pull/1693
-- memdebug.h: remove inclusion of other headers
+Daniel Stenberg (28 Jul 2017)
+- include.d: clarify that it concerns the response headers
- Mostly because they're not needed, because memdebug.h is always included
- last of all headers so the others already included the correct ones.
-
- But also, starting now we don't want this to accidentally include any
- system headers, as the header included _before_ this header may add
- defines and other fun stuff that we won't want used in system includes.
+ Reported-by: olesteban at github
+ Fixes #1704
-- [Jay Satiro brought this change]
+- [Johannes Schindelin brought this change]
- curl -J: make it work even without http:// scheme on URL
-
- It does open up a miniscule risk that one of the other protocols that
- libcurl could use would send back a Content-Disposition header and then
- curl would act on it even if not HTTP.
+ curl_rtmp: fix a compiler warning
- A future mitigation for this risk would be to allow the callback to ask
- libcurl which protocol is being used.
+ The headers of librtmp declare the socket as `int`, and on Windows, that
+ disagrees with curl_socket_t.
- Verified with test 1312
+ Bug: #1652
- Closes #760
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- manpage-scan.pl: also verify the command line option docs
+- test1323: verify curlx_tvdiff
+
+- timeval: struct curltime is a struct timeval replacement
+
+ ... to make all libcurl internals able to use the same data types for
+ the struct members. The timeval struct differs subtly on several
+ platforms so it makes it cumbersome to use everywhere.
- This script now also scans src/tool_getparam.c, docs/curl.1 and
- src/tool_help.c and will warn if any of them lists a command line option
- not mentioned in one of the other places.
+ Ref: #1652
+ Closes #1693
-- curl: show the long option version of -q in the -h list
+- darwinssl: fix variable type mistake (regression)
+
+ ... which made --tlsv1.2 not work because it would blank the max tls
+ version variable.
+
+ Reported-by: Nick Miyake
+ Bug: #1703
-- curl: remove "--socks" as "--socks5" turned 8
+- multi: mention integer overflow risk if using > 500 million sockets
+
+ Reported-by: ovidiu-benea@users.noreply.github.com
- In commit 2e42b0a2524 (Jan 2008) we made the option "--socks" deprecated
- and it has not been documented since. The more explicit socks options
- (like --socks4 or --socks5) should be used.
+ Closes #1675
+ Closes #1683
-- curl.1: document the deprecated --ftp-ssl option
+- checksrc: escape open brace in regex
+
+ ... to silence warning.
-- curl: remove --http-request
+Kamil Dudka (20 Jul 2017)
+- nss: fix a possible use-after-free in SelectClientCert()
+
+ ... causing a SIGSEGV in showit() in case the handle used to initiate
+ the connection has already been freed.
- It was mentioned as deprecated already in commit ae1912cb0d4 from
- 1999. It has not been documented in this millennium.
+ This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.
+
+ Reported-by: Rob Sanders
+ Bug: https://bugzilla.redhat.com/1436158
-- curl: mention --ntlm-wb in -h list
+- nss: unify the coding style of nss_send() and nss_recv()
+
+ No changes in behavior intended by this commit.
-- curl: -h output lacked --proxy-header
+Marcel Raad (18 Jul 2017)
+- tests/server/resolve.c: fix deprecation warning
+
+ MSVC warns that gethostbyname is deprecated. Always use getaddrinfo
+ instead to fix this when IPv6 is enabled, also for IPv4 resolves. This
+ is also consistent with what libcurl does.
+
+ Closes https://github.com/curl/curl/pull/1682
-- curl.1: document --ntlm-wb
+Jay Satiro (17 Jul 2017)
+- darwinssl: fix pinnedpubkey build error
+
+ - s/SessionHandle/Curl_easy/
+
+ Bug: https://github.com/curl/curl/commit/eb16305#commitcomment-23035670
+ Reported-by: Gisle Vanem
-- curl.1: document the long format of -q: --disable
+Marcel Raad (16 Jul 2017)
+- rtspd: fix GCC warning after MSVC warning fix
+
+ Older GCC warns:
+ /tests/server/rtspd.c:1194:10: warning: missing braces around
+ initializer [-Wmissing-braces]
+
+ Fix this by using memset instead of an initializer.
-- curl.1: mention the deprecated --krb4 option
+- libtest: fix MSVC warning C4706
+
+ With warning level 4, MSVC warns about assignments within conditional
+ expressions. Change the while loop to a do-while loop to fix this. This
+ change is also consistent with CODE_STYLE.md.
-- curl.1: document --ftp-ssl-reqd
+- sockfilt: suppress conversion warning with explicit cast
- Even if deprecated, document it so that people will find it as old
- scripts may still use it.
+ MSVC warns when implicitly casting -1 to unsigned long.
-- curl: use --telnet-option as documented
+- rtspd: fix MSVC level 4 warning
- The code said "telnet-options" but no documentation ever said so. It
- worked fine since the code is fine with a unique match of the first
- part.
+ warning C4701: potentially uninitialized local variable 'req' used
-- getparam: remove support for --ftpport
+- winbuild: re-enable warning C4127 for curl tool
- It has been deprecated and undocumented since commit ad5ead8bed7 (Dec
- 2003). --ftp-port is the proper long option name.
+ Disabled in cda19a345f6970e22fe8b7a808aeb8f086a21eac. It only needs to
+ be disabled for libcurl.
-- curl: make --disable work as long form of -q
+- winbuild: build with warning level 4
+
+ This is consistent with 7bc64561a2e63ca93e4b0b31d350773ba80955c2, which
+ changed the warning level from 3 to 4 for the Visual Studio project
+ files. But disable the level 4 warning C4127 "conditional expression is
+ constant", as that one is issued by older versions of the Windows SDK
+ as well as curl itself under some circumstances.
- To make the aliases list reflect reality.
+ Closes https://github.com/curl/curl/pull/1667
-- aliases: remove trailing space from capath string
+Jay Satiro (12 Jul 2017)
+- [Max Dymond brought this change]
-- cmdline parse: only single letter options have single-letter strings
+ travis: install libidn2
+
+ Install libidn2 to increase test coverage (IDN tests)
- ... moved around options so that parsing the code to find all
- single-letter options easier.
+ Closes https://github.com/curl/curl/pull/1673
-Jay Satiro (28 Apr 2016)
-- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
+Marcel Raad (12 Jul 2017)
+- travis: enable warnings also in release mode
- Bug: https://curl.haxx.se/mail/lib-2016-04/0126.html
- Reported-by: Bru Rom
+ ... to get warnings also on Linux/GCC and OSX/clang.
+
+ Closes https://github.com/curl/curl/pull/1666
-Daniel Stenberg (28 Apr 2016)
-- curl_easy_getinfo.3: remove superfluous blank lines
+Daniel Stenberg (12 Jul 2017)
+- [Max Dymond brought this change]
-- test1139: verifies libcurl option man page presence
+ travis: install libssh2
- - checks that each option has its own man page present
+ Install libssh2 to increase test coverage (SFTP, SCP)
+
+Marcel Raad (12 Jul 2017)
+- system.h: include winsock2.h before windows.h
- - checks that each option is mentioned in its corresponding index man
- page
+ ... to avoid compiler warnings if the user doesn't want
+ WIN32_LEAN_AND_MEAN.
-- curl_easy_getinfo.3: added missing mention of CURLINFO_TLS_SESSION
+- build: remove WIN32_LEAN_AND_MEAN from individual build systems
+
+ It's defined for all build systems in curl_setup.h since commit
+ beb08481d01a07a8b10938b1078a5e298b1c2912. This caused macro
+ redefinition warnings in the configure builds.
- ... although it is deprecated.
+ Closes https://github.com/curl/curl/pull/1677
-Jay Satiro (28 Apr 2016)
-- mbedtls: Fix session resume
+Jay Satiro (11 Jul 2017)
+- ISSUE_TEMPLATE: Add a comment not to file security issues on github
+
+Marcel Raad (11 Jul 2017)
+- curl_setup: always define WIN32_LEAN_AND_MEAN on Windows
- This also fixes PolarSSL session resume.
+ Make sure to always define WIN32_LEAN_AND_MEAN before including any
+ Windows headers to avoid pulling in unnecessary headers. This avoids
+ unnecessary macro clashes and compiler warnings.
- Prior to this change the TLS session information wasn't properly
- saved and restored for PolarSSL and mbedTLS.
+ Ref: https://github.com/curl/curl/issues/1562
+ Closes https://github.com/curl/curl/pull/1672
+
+Jay Satiro (11 Jul 2017)
+- strerror: Preserve Windows error code in some functions
- Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
- Reported-by: Thomas Glanzmann
+ This is a follow-up to af02162 which removed (SET_)ERRNO macros. That
+ commit was an earlier draft that I committed by mistake, which was then
+ remedied by a5834e5 and e909de6, and now this commit. With this commit
+ there is now no difference between the current code and the changes that
+ were approved in the final draft.
- Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
- Reported-by: Moti Avrahami
+ Thanks-to: Max Dymond, Marcel Raad, Daniel Stenberg, Gisle Vanem
+ Ref: https://github.com/curl/curl/pull/1589
-Daniel Stenberg (27 Apr 2016)
-- RELEASE-NOTES: synced with f4298fcc6d2
+Marcel Raad (10 Jul 2017)
+- [Max Dymond brought this change]
-- [Michael Kaufmann brought this change]
+ tests: Fix up issues with errno in test files
+
+ Closes https://github.com/curl/curl/pull/1671
+
+Daniel Stenberg (10 Jul 2017)
+- errno: fix non-windows builds after af0216251b94e7
+
+- [Ryan Winograd brought this change]
- opts: Fix some syntax errors in example code fragments
+ make: fix docs build on OpenBSD
- Fixes #779
+ Ref: #1591
-- openssl: avoid BN_print a NULL bignum
+Marcel Raad (10 Jul 2017)
+- ldap: fix MinGW compiler warning
- OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those
- numbers so make sure the function handles this.
+ ldap_bind_s is marked as deprecated in w32api's winldap.h shipping with
+ the latest original MinGW, resulting in compiler warnings since commit
+ f0fe66f13c93d3d0af45d9fb1231c9164e0f9dc8. Fix this for the non-SSPI
+ case by using ldap_simple_bind_s again instead of ldap_bind_s with
+ LDAP_AUTH_SIMPLE.
- Reported-by: Linus Nordberg
+ Closes https://github.com/curl/curl/pull/1664
-- [Marcel Raad brought this change]
-
- CONNECT_ONLY: don't close connection on GSS 401/407 reponses
+- curl-compilers.m4: disable warning spam with Cygwin's clang
- Previously, connections were closed immediately before the user had a
- chance to extract the socket when the proxy required Negotiate
- authentication.
+ When building with Cygwin or MinGW, libtool uses a wrapper executable
+ instead of a wrapper script [1], which is written in C and throws
+ missing-variable-declarations warnings. Don't enable these warnings on
+ Cygwin and MinGW in order to avoid warnings for every executable built,
+ which spams the test suite output when using Cygwin's clang.
- This regression was brought in with the security fix in commit
- 79b9d5f1a42578f
+ [1] https://www.gnu.org/software/libtool/manual/html_node/Wrapper-executables.html
- Closes #655
+ Closes https://github.com/curl/curl/pull/1665
-- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
+Jay Satiro (10 Jul 2017)
+- curl_setup_once: Remove ERRNO/SET_ERRNO macros
+
+ Prior to this change (SET_)ERRNO mapped to GetLastError/SetLastError
+ for Win32 and regular errno otherwise.
+
+ I reviewed the code and found no justifiable reason for conflating errno
+ on WIN32 with GetLastError/SetLastError. All Win32 CRTs support errno,
+ and any Win32 multithreaded CRT supports thread-local errno.
+
+ Fixes https://github.com/curl/curl/issues/895
+ Closes https://github.com/curl/curl/pull/1589
-- mbedtls.c: silly spellfix of a comment
+- tool_getparam: fix potentially uninitialized err
-- KNOWN_BUGS: 1.10 Strips trailing dot from host name
+Marcel Raad (9 Jul 2017)
+- smb: rename variable to fix shadowing warning
- Closes #716
-
-- test1322: verify stripping of trailing dot from host name
+ GCC 4.6.3 on travis complains:
+ smb.c: In function ‘get_posix_time’:
+ smb.c:725:13: error: declaration of ‘time’ shadows a global declaration
+ [-Werror=shadow]
- While being debated (in #716) and a violation of RFC 7230 section 5.4,
- this test verifies that the existing functionality works as intended. It
- strips the dot from the host name and uses the host without dot
- throughout the internals.
+ Fix this by renaming the variable.
-- multi: accidentally used resolved host name instead of proxy
+- tool_cb_wrt: fix variable shadowing warning
+
+ GCC 4.4 complains:
+ tool_cb_wrt.c:81: error: declaration of ‘isatty’ shadows a global
+ declaration
+ /usr/include/unistd.h:782: error: shadowed declaration is here
- Regression introduced in 09b5a998
+ Fix this by renaming the variable.
- Bug: https://curl.haxx.se/mail/lib-2016-04/0084.html
- Reported-by: BoBo
+ Closes https://github.com/curl/curl/pull/1661
+
+Daniel Stenberg (8 Jul 2017)
+- RELEASE-NOTES: synced with be2c999b8
-- symbols-in-versions: added new CURLSSLBACKEND_ symbols
+- travis: install stunnel
-- test148: fixed after the --ftp-create-dirs retry change
+- valgrind.supp: supress OpenSSL false positive seen on travis
+
+- travis: detect and use valgrind for normal builds
- follow-up commit to 3c1e84f569 as it made curl try a little harder
+ Closes #1653
-- curl.h: clarify curl_sslbackend for openssl clones and renames
+- travis: add SMB, DICT, TELNET torture to coverage test
-- [Karlson2k brought this change]
+- [Paul Harris brought this change]
- url.c: fixed DEBUGASSERT() for WinSock workaround
+ cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC
- If buffer is allocated, but nothing is received during prereceive
- stage, than number of processed bytes must be zero.
+ Removes BUILD_RELEASE_DEBUG_DIRS since it wasn't used anywhere.
- Closes #778
+ Closes #1649
+
+- CURLOPT_POSTFIELDS.3: explain the 100-continue magic better
+
+- [Max Dymond brought this change]
-- KNOWN_BUGS: --interface for ipv6 binds to unusable IP address
+ test1452: add telnet negotiation
- Closes #686 for now.
+ Add a basic telnet server for negotiating some telnet options before
+ echoing back any data that's sent to it.
+
+ Closes #1645
-- TODO: 1.17 Add support for IRIs
+- travis: do more tests in the coverage run
- Adding support for IRIs is a mouthful, but is probably interesting at
- least for areas and countries where the use of such "URLs" are growing
- popularity.
+ I added a selection of torture and event tests that run "fast enough"
+
+- curl_easy_escape.3: mention the (lack of) encoding
- Closes #776
+ Fixes #1612
+ Reported-by: Jeroen Ooms
-- THANKS-filter: Travis Burtrum
+- [Gisle Vanem brought this change]
+
+ memdebug: don't setbuf() if the file open failed
+
+ Bug: https://github.com/curl/curl/issues/828#issuecomment-313475151
-- lib1517: checksrc compliance
+- appveyor: enable CURL_WERROR on all builds
-- [moparisthebest brought this change]
+- cmake: add CURL_WERROR for enabling "warning as errors"
- PolarSSL: Implement public key pinning
+- [Hannes Magnusson brought this change]
-Patrick Monnerat (22 Apr 2016)
-- os400: upgrade ILE/RPG binding
+ cmake: remove spurious "-l" from linker flags
+
+ Fixes #1552
-- curl.h: CURLOPT_CONNECT_TO sets a struct slist *, not a string
+- test506: skip if threaded-resolver
-Daniel Stenberg (22 Apr 2016)
-- contributors.sh: make --releasenotes implied
+- runtests: support "threaded-resolver" as a feature
- It got too annoying to type =)
+ ... to let tests require it or skip if present
-- RELEASE-NOTES: synced with 3c1e84f5693d8093
+- asyn-thread.c: fix unused variable warnings on macOS
-- curl: make --ftp-create-dirs retry on failure
+- http: s/TINY_INITIAL_POST_SIZE/EXPECT_100_THRESHOLD
- The underlying libcurl option used for this feature is
- CURLOPT_FTP_CREATE_MISSING_DIRS which has the ability to retry the dir
- creation, but it was never set to do that by the command line tool.
+ Make the name reflect its use better, and add a short comment describing
+ what it's for.
+
+- cmake: if inet_pton is used, bump _WIN32_WINNT
- Now it does.
+ ... and make sure inet_pton is always checked for when *not* using Windows,
+ which is a regression from 4fc6ebe18.
- Bug: https://curl.haxx.se/mail/archive-2016-04/0021.html
- Reported-by: John Wanghui
- Help-by: Leif W
+ Idea-by: Sergei Nikulov
-- [Henrik Gaßmann brought this change]
+- select.h: avoid macro redefinition harder
+
+ ... by checking the POLLIN define, as the header file checks don't work
+ on Windows.
- winbuild: add mbedtls support
+- inet_pton: fix include on windows to get prototype
- Add WITH_MBEDTLS option. Make WITH_SSL, WITH_MBEDTLS and ENABLE_WINSSL
- options mutual exclusive.
+ inet_pton() exists on Windows and gets used by our cmake builds. Make
+ sure the correct header file is included to avoid compiler warnings.
- Closes #606
+ Closes #1639
-- KNOWN_BUGS: fixed "5.6 Improper use of Autoconf cache variables"
+- TODO: 1.10 auto-detect proxy
- As of commit d9f3b365a3
+ Closes #1572
-- [Irfan Adilovic brought this change]
+- TODO: HTTP proxy CONNECT is non-blocking now
- configure: ac_cv_ -> curl_cv_ for write-only vars
+- cmake: fix send/recv argument scanner for windows
- These configure vars are modified in a curl-specific way but never
- evaluated or loaded from cache, even though they are designated as
- _cv_. We could either implement proper AC_CACHE_CHECKs for them, or
- remove them completely.
+ ... by simply trying the Windows argument types first.
- Fixes #603 as ac_cv_func_gethostbyname is no longer clobbered, and
- AC_CHECK_FUNC(gethostbyname...) will no longer spuriously succeed after
- the first configure run with caching.
+ Fixes #1640
+
+- RELEASE-NOTES: synced with 596cfb6c0
+
+- [Gisle Vanem brought this change]
+
+ smb: add support for CURLOPT_FILETIME
- `ac_cv_func_strcasecmp` is curious, see #770.
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
- `eval "ac_cv_func_$func=yes"` can still cause problems as it works in
- tandem with AC_CHECK_FUNCS and then potentially modifies its result. It
- would be best to rewrite this test to use a new CURL_CHECK_FUNCS macro,
- which works the same as AC_CHECK_FUNCS but relies on caching the values
- of curl_cv_func_* variables, without modifiying ac_cv_func_*.
+ Closes #1643
-- [Irfan Adilovic brought this change]
+- travis: install nghttp2 on linux builds
+
+ Closes #1642
+
+- [Gisle Vanem brought this change]
- configure: ac_cv_ -> curl_cv_ for r/w vars
+ smb: fix build for djgpp/MSDOS
- These configure vars are modified in a curl-specific way and modified by
- the configure process, but are never loaded from cache, even though they
- are designated as _cv_. We should implement proper AC_CACHE_CHECKs for
- them eventually.
+ bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
-- [Irfan Adilovic brought this change]
+- configure: try ldap/lber in reversed order first
+
+ When scanning for which LDAP libraries to use, try the -lldap -llber
+ combination before the reversed order since it has a greater chance of
+ working when linking with libcurl statically.
+
+ Fixes #1619
+ Closes #1634
+ Reported-by: David E. Narváez
- configure: ac_cv_func_clock_gettime -> curl_...
+- configure: remove checks for 5 functions never used
- This variable must not be cached in its current form, as any cached
- information will prevent the next configure run from determining the
- correct LIBS needed for the function. Thus, rename prefix `ac_cv_` to
- just `curl_`.
+ fork, getprotobyname, inet_addr, perror, uname
+
+ closes #1638
+
+- dist: add SMB python deps into the tarball
-- [Irfan Adilovic brought this change]
+- [Max Dymond brought this change]
- configure: ac_cv_ -> curl_cv_ for all cached vars
+ test1451: add SMB support to the testbed
- This was automated by:
+ Add test 1451 which does some very basic SMB testing using the impacket
+ SMB server.
+
+ Closes #1630
+
+- [Max Dymond brought this change]
+
+ test: add impacket for SMB testing
- sed -b -i -f <(ack -A1 AC_CACHE_CHECK | \
- ack -o 'ac_cv_.*?\b' | \
- sort -u | xargs -n1 bash -c \
- 'echo "s/$0/curl_cv_${0#ac_cv_}/g"') \
- $(git ls-files)
+ Import impacket 0.9.15 for use in SMB testing. This was generated by
+ doing "pip2.7 install -t . impacket"
- This only changed the prefix for 16 variables actually checked with
- AC_CACHE_CHECK.
+ Unnecessary files for current testing were deleted.
-- openssl: builds with OpenSSL 1.1.0-pre5
+- travis.yml: use --enable-werror on debug builds
- The RSA, DSA and DH structs are now opaque and require use of new APIs
+ ... to better detect and fault on compiler warnings/errors
- Fixes #763
+ Closes #1637
-Steve Holme (20 Apr 2016)
-- url.c: Prefer we don't use explicit NULLs in conditions
+- tool_sleep: typecast to avoid macos compiler warning
- Fixed commit fa5fa65a30 to not use NULLs in if condition.
+ tool_sleep.c:54:24: error: implicit conversion loses integer precision:
+ 'long' to '__darwin_suseconds_t' (aka 'int')
+ [-Werror,-Wshorten-64-to-32]
-Daniel Stenberg (20 Apr 2016)
-- [Isaac Boukris brought this change]
+- [Martin Kepplinger brought this change]
- NTLM: check for NULL pointer before deferencing
+ timeval.c: Use long long constant type for timeval assignment
- At ConnectionExists, both check->proxyuser and check->proxypasswd
- could be NULL, so make sure to check first.
+ On a 64 bit host, sparse says:
- Fixes #765
-
-- [Karlson2k brought this change]
+ timeval.c:148:15: warning: constant 0x7fffffffffffffff is so big it is long
+ timeval.c:149:12: warning: constant 0x7fffffffffffffff is so big it is long
+
+ so let's use long long constant types in order to prevent undesired overflow
+ failures.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0003.html
+
+ Closes #1636
+
+ Signed-off-by: Martin Kepplinger <martink@posteo.de>
- tests: added test1517
+- url: make the original string get used on subsequent transfers
- ... for checking ability to receive full HTTP response when POST request
- is used with slow read callback function.
+ ... since CURLOPT_URL should follow the same rules as other options:
+ they remain set until changed or cleared.
- This test checks for bug #657 and verifies the work-around from
- 72d5e144fbc6.
+ Added test 1551 to verify.
- Closes #720
+ Fixes #1631
+ Closes #1632
+ Reported-by: Pavel Rochnyak
-- [Karlson2k brought this change]
+- [Johannes Schindelin brought this change]
- sendf.c: added ability to call recv() before send() as workaround
+ gtls: fix build when sizeof(long) < sizeof(void *)
- WinSock destroys recv() buffer if send() is failed. As result - server
- response may be lost if server sent it while curl is still sending
- request. This behavior noticeable on HTTP server short replies if
- libcurl use several send() for request (usually for POST request).
- To workaround this problem, libcurl use recv() before every send() and
- keeps received data in intermediate buffer for further processing.
+ - Change gnutls pointer/int macros to pointer/curl_socket_t.
+ Prior to this change they used long type as well.
- Fixes: #657
- Closes: #668
-
-Kamil Dudka (19 Apr 2016)
-- connect: make sure that rc is initialized in singleipconnect()
+ The size of the `long` data type can be shorter than that of pointer
+ types. This is the case most notably on Windows.
+
+ If C99 were acceptable, we could simply use `intptr_t` here. But we
+ want to retain C89 compatibility.
+
+ Simply use the trick of performing pointer arithmetic with the NULL
+ pointer: to convert an integer `i` to a pointer, simply take the
+ address of the `i`th element of a hypothetical character array
+ starting at address NULL. To convert back, simply cast the pointer
+ difference.
- This commit fixes a Clang warning introduced in curl-7_48_0-190-g8f72b13:
+ Thanks to Jay Satiro for the initial modification to use curl_socket_t
+ instead of int/long.
- Error: CLANG_WARNING:
- lib/connect.c:1120:11: warning: The right operand of '==' is a garbage value
- 1118| }
- 1119|
- 1120|-> if(-1 == rc)
- 1121| error = SOCKERRNO;
- 1122| }
+ Closes #1617
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (19 Apr 2016)
-- make/checksrc: use $srcdir, not $top_srcdir
+- [Ryan Winograd brought this change]
-- src/checksrc.whitelist: removed
+ unit1399: fix integer overflow
+
+ Bug: #1616
+ Closes #1633
-- tool_operate: switch to inline checksrc ignore
+- [Per Malmberg brought this change]
-- lib/checksrc.whitelist: not needed anymore
+ cmake: Added compatibility options for older Windows versions
- ... as checksrc now skips comments
-
-- vtls.h: remove a space before semicolon
+ CURL_STATIC_CRT and ENABLE_INET_PTON
- ... that the new checksrc detected
+ Closes #1621
-- darwinssl: removed commented out code
+- unit1399: add logging to time comparison
+
+ ... to enable tracking down why autobuilds fail on this
+
+ Bug: #1616
-- http_chunks: removed checksrc disable
+- make: build the docs subdir only from within src
- ... since checksrc now skips comments
+ ... and don't build at all in include
+
+ Prompted-by-work-by: Simon Warta
+ Ref: #1590
+ Closes #1591
-- imap: inlined checksrc disable instead of whitelist edit
+- [Max Dymond brought this change]
-- checksrc: taught to skip comments
+ test1450: fix up DICT server in torture mode
- ... but output non-stripped version of the line, even if that then can
- make the script identify the wrong position in the line at
- times. Showing the line stripped (ie without comments) is just too
- surprising.
-
-- opts/Makefile.am: list all docs file one by one
+ As per https://github.com/curl/curl/pull/1615, the DICT server is a
+ little spammy in torture mode due to the sockets being torn down
+ unexpectedly. Fix this by adding some error handling to the handling
+ function.
- ... to make it easier to add lines in patches that won't just break all
- other patches trying to add lines too.
+ Closes #1629
-- curl_easy_setopt.3: mention CURLOPT_TCP_FASTOPEN
+- [Max Dymond brought this change]
-- RELEASE-NOTES: synced with 03de4e4b219
+ test1450: add simple testing for DICT
+
+ Add a new server which provides a DICT interface. This is intended to
+ begin coverage testing for lib/dict.c
- (since we just merged two major features)
+ Closes #1615
-- [Alessandro Ghedini brought this change]
+- [Dan Fandrich brought this change]
- connect: implement TCP Fast Open for Linux
+ test1521: fix out-of-tree builds, broken with 467da3af
+
+ The test.h file is no longer in the same directory as the source file,
+ so that directory needs to be added to the include path.
- Closes #660
+ Fixes #1627
+ Closes #1628
-- [Alessandro Ghedini brought this change]
+- [Max Dymond brought this change]
- tool: add --tcp-fastopen option
+ http2: handle PING frames
+
+ Add a connection check function to HTTP2 based off RTSP. This causes
+ PINGs to be handled the next time the connection is reused.
+
+ Closes #1521
-- [Alessandro Ghedini brought this change]
+- [Max Dymond brought this change]
- connect: implement TCP Fast Open for OS X
+ handler: refactor connection checking
+
+ Add a new type of callback to Curl_handler which performs checks on
+ the connection. Alter RTSP so that it uses this callback to do its
+ own check on connection health.
-- [Alessandro Ghedini brought this change]
+- [Dmitry Kostjuchenko brought this change]
- url: add CURLOPT_TCP_FASTOPEN option
+ openssl: improve fallback seed of PRNG with a time based hash
+
+ Fixes #1620
-- checksrc: pass on -D so the whitelists are found correctly
+- [Ryan Winograd brought this change]
-- configure: remove check for libresolve
+ progress: prevent resetting t_starttransfer
+
+ Prevent `Curl_pgrsTime` from modifying `t_starttransfer` when invoked
+ with `TIMER_STARTTRANSFER` more than once during a single request.
- 'strncasecmp' was once provided by libresolv (no trailing e) for SunOS,
- but this check is broken and most likely adds nothing useful. Removing
- now.
+ When a redirect occurs, this is considered a new request and
+ `t_starttransfer` can be updated to reflect the `t_starttransfer` time
+ of the redirect request.
- Reported-by: Irfan Adilovic
+ Closes #1616
- Discussed in #770
+ Bug: https://github.com/curl/curl/pull/1602#issuecomment-310267370
-- scripts/make: use $(EXEEXT) for executables
+- curl_strequal.3: fix typo in SYNOPSIS
- Reported-by: bodop
+ Reported-by: Jesse Chisholm
- Fixes #771
+ Fixes #1623
-- includes: avoid duplicate memory callback typdefs even harder
+- RELEASE-NOTES: synced with ce2c3ebda
-- checksrc/makefile.am: use $top_srcdir to find source files
+Kamil Dudka (28 Jun 2017)
+- curl --socks5-{basic,gssapi}: control socks5 auth
- ... to properly support out of source tree builds.
+ Closes https://github.com/curl/curl/pull/1454
-- RELEASE-NOTES: synced with 26ec93dd6aeba8dfb5
+- CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth
+
+ If libcurl was built with GSS-API support, it unconditionally advertised
+ GSS-API authentication while connecting to a SOCKS5 proxy. This caused
+ problems in environments with improperly configured Kerberos: a stock
+ libcurl failed to connect, despite libcurl built without GSS-API
+ connected fine using username and password.
+
+ This commit introduces the CURLOPT_SOCKS5_AUTH option to control the
+ allowed methods for SOCKS5 authentication at run time.
+
+ Note that a new option was preferred over reusing CURLOPT_PROXYAUTH
+ for compatibility reasons because the set of authentication methods
+ allowed by default was different for HTTP and SOCKS5 proxies.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html
+ Closes https://github.com/curl/curl/pull/1454
-- opts: fix option references missing (section)
+- socks: deduplicate the code for auth request
-- [Michael Kaufmann brought this change]
+- socks: use proxy_user instead of proxy_name
+
+ ... to make it obvious what the data is used for
- news: CURLOPT_CONNECT_TO and --connect-to
+Daniel Stenberg (27 Jun 2017)
+- libtest/make: generate lib1521.c
+
+ ... instead of having the generated code checked in. This saves space in
+ the tarball but primarily automatically adapts to newly added options.
- Makes curl connect to the given host+port instead of the host+port found
- in the URL.
+ Closes #1614
-- makefile.vc6: use d suffix on debug object
+Jay Satiro (26 Jun 2017)
+- tool_getparam: fix memory leak on test 1147 OOM (torture tests)
- To allow both release and debug builds in parallel.
+ Bug: https://github.com/curl/curl/pull/1486#issuecomment-310926872
+ Reported-by: Dan Fandrich
+
+Dan Fandrich (25 Jun 2017)
+- test1537: fixed memory leak on OOM
+
+Marcel Raad (25 Jun 2017)
+- test1521: fix compiler warnings
- Reported-by: Rod Widdowson
+ The integer literal 3123123123 doesn't fit into a 32-bit signed
+ integer, so GCC with 32-bit long warns in C90 mode:
+ this decimal constant is unsigned only in ISO C90 [enabled by default]
+ Fix this by using ULONG_MAX, which should fit in any curl_off_t and has
+ the correct suffix to not issue any warnings.
+ Also adds the missing CURLOPT_REQUEST_TARGET from commit
+ 9b167fd090f596eac828817d48c247eeae53407f.
- Fixes #769
+ Closes https://github.com/curl/curl/pull/1611
-Jay Satiro (12 Apr 2016)
-- http2: Use size_t type for data drain count
+Daniel Stenberg (24 Jun 2017)
+- curl/system.h: add check for XTENSA for 32bit gcc
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+ Reported-by: Neil Kolban
+ Fixes: 1598
-- http2: Improve header parsing
+- [Henrik S. Gaßmann brought this change]
+
+ winbuild: fix boringssl build
- - Error if a header line is larger than supported.
+ Compile with `WIN32_LEAN_AND_MEAN` which prevents `windows.h` from
+ including too much clutter including `wincrypt.h` which in turn contains
+ some preprocessor macros that clash with boringssl symbols.
- - Warn if cumulative header line length may be larger than supported.
+ Detect boringssl by checking the existance of `is_boringssl.h` and set
+ the corresponding `HAVE_BORINGSSL` for compilation which is used in
+ `ldap.c` to undefine the evil macros.
- - Allow spaces when parsing the path component.
+ Closes #1610
+
+- progress: progress.timespent needs to be us
- - Make sure each header line ends in \r\n. This fixes an out of bounds.
+ follow-up to 64ed44a815e4e to fix test 500 failures
+
+Marcel Raad (24 Jun 2017)
+- curl-compilers.m4: fix unknown-warning-option on Apple clang
- - Disallow header continuation lines until we decide what to do.
+ Since 5598b0bd63f690c151074494ce47ef872f004ab4, clang -v is used to
+ detect the clang version. The version number was expected to come after
+ the word "version". For Apple clang, this doesn't work as it has its
+ own versioning scheme.
+ The version number is now first searched after the string
+ "based on LLVM". This works for Apple clang before version 7, and also
+ for e.g. Ubuntu's clang up to version 3.7. If it's not found and the
+ version string contains "Apple LLVM version", clang version 3.7 is
+ assumed, which is the version that comes with Xcode 7. Otherwise, the
+ version number is still expected after the word "version", which works
+ for very old Apple clang versions.
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+ Ref: https://trac.macports.org/wiki/XcodeVersionInfo
+ Fixes https://github.com/curl/curl/issues/1606
+ Closes https://github.com/curl/curl/pull/1607
-- http2: Add Curl_http2_strerror for HTTP/2 error codes
+Daniel Stenberg (24 Jun 2017)
+- progress: fix "time spent", broke in adef394ac
+
+- CURLINFO_REDIRECT_URL.3: mention the CURLOPT_MAXREDIRS case
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+ ... supported since 7.54.1
-- [Tatsuhiro Tsujikawa brought this change]
+- maketgz: switch to -6e for xz
+
+ To reduce the memory requirement for decompress, and still do almost as
+ good compression as with -9e.
+
+ Pointed-out-by: Dan Fandrich
- http2: Don't increment drain when one header field is received
+- libtest/Makefile: remove unused lib1541 variables
+
+- CONTRIBUTE.md: mention the out-of-tree build test too
+
+- maketgz: switch to xz instead of lzma
- Sicne we write header field in temporary location, not in the memory
- that upper layer provides, incrementing drain should not happen.
+ The compressed output size seems to be a tad bit smaller, but generally
+ xz seems more preferred these days and is used directly by for example
+ gentoo instead of bz2.
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+ "Users of LZMA Utils should move to XZ Utils" =>
+ https://tukaani.org/lzma/
+
+ Closes #1604
-- [Tatsuhiro Tsujikawa brought this change]
+- --request-target: instead of --strip-path-slash
+
+ ... and CURLOPT_REQUEST_TARGET instead of CURLOPT_STRIP_PATH_SLASH.
+
+ This option instead provides the full "alternative" target to use in the
+ request, instead of extracting the path from the URL.
+
+ Test 1298 and 1299 updated accordingly.
+
+ Idea-by: Evert Pot
+ Suggestion: https://daniel.haxx.se/blog/2017/06/19/options-with-curl/comment-page-1/#comment-18373
+
+ Closes #1593
+
+Marcel Raad (21 Jun 2017)
+- lib1521: fix missing-variable-declarations clang warnings
+
+ Declare TU-local variables static.
- http2: Ensure that http2_handle_stream_close is called
+- travis: enable typecheck-gcc warnings
- This commit ensures that streams which was closed in on_stream_close
- callback gets passed to http2_handle_stream_close. Previously, this
- might not happen. To achieve this, we increment drain property to
- forcibly call recv function for that stream.
+ - switch debug and release configurations so that we get an optimized
+ build with GCC 4.3+ as required by typecheck-gcc
+ - enable warnings-as-errors for release builds
+ (which have warnings disabled)
- To more accurately check that we have no pending event before shutting
- down HTTP/2 session, we sum up drain property into
- http_conn.drain_total. We only shutdown session if that value is 0.
+ Closes https://github.com/curl/curl/pull/1595
+
+- typecheck-gcc: add support for CURLINFO_OFF_T
- With this commit, when stream was closed before reading response
- header fields, error code CURLE_HTTP2_STREAM is returned even if
- HTTP/2 level error is NO_ERROR. This signals the upper layer that
- stream was closed by error just like TCP connection close in HTTP/1.
+ typecheck-gcc expected curl_socket_t instead of curl_off_t arguments
+ for CURLINFO_OFF_T. Detected by test1521, unfortunately only when run
+ locally.
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+ Closes https://github.com/curl/curl/pull/1592
+
+Daniel Stenberg (21 Jun 2017)
+- [Simon Warta brought this change]
-- [Tatsuhiro Tsujikawa brought this change]
+ ci: whitelist branches to avoid testing feature branches twice
- http2: Process paused data first before tear down http2 session
+- [Gisle Vanem brought this change]
+
+ lib: fix the djgpp build
+
+ Bug: https://github.com/curl/curl/commit/73a2fcea0b4adea6ba342cd7ed1149782c214ae3#commitcomment-22655993
+
+Marcel Raad (20 Jun 2017)
+- if2ip: fix compiler warning in ISO C90 mode
+
+ remote_scope_id is only used when both HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID
+ and ENABLE_IPV6 are defined instead of only one of them.
+
+Daniel Stenberg (20 Jun 2017)
+- travis: do the distcheck test build out-of-tree as well
+
+- http: add --strip-path-slash and CURLOPT_STRIP_PATH_SLASH
+
+ ... to enable sending "OPTIONS *" which wasn't possible previously.
- This commit ensures that data from network are processed before HTTP/2
- session is terminated. This is achieved by pausing nghttp2 whenever
- different stream than current easy handle receives data.
+ This option currently only works for HTTP.
- This commit also fixes the bug that sometimes processing hangs when
- multiple HTTP/2 streams are multiplexed.
+ Added test cases 1298 + 1299 to verify
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+ Fixes #1280
+ Closes #1462
-- [Tatsuhiro Tsujikawa brought this change]
+- test1521: test getinfo's OFF_T types too
+
+ Closes #1588
- http2: Check session closure early in http2_recv
+- lib1521: add curl_easy_getinfo calls to the test set
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+ Also added return value checks to make sure no unexpected return codes
+ are used.
-- [Tatsuhiro Tsujikawa brought this change]
+- [Simon Warta brought this change]
- http2: Add handling stream level error
+ automake: use $(MKHELP) variable instead if constant mkhelp.pl
- Previously, when a stream was closed with other than NGHTTP2_NO_ERROR
- by RST_STREAM, underlying TCP connection was dropped. This is
- undesirable since there may be other streams multiplexed and they are
- very much fine. This change introduce new error code
- CURLE_HTTP2_STREAM, which indicates stream error that only affects the
- relevant stream, and connection should be kept open. The existing
- CURLE_HTTP2 means connection error in general.
+ this improves symmetry with the rule above
+
+- [Simon Warta brought this change]
+
+ mkhelp.pl: fix script name in usage text
+
+- RELEASE-NOTES: synced with 3b80d3ca4
+
+- getinfo: return sizes as curl_off_t
+
+ This change introduces new alternatives for the existing six
+ curl_easy_getinfo() options that return sizes or speeds as doubles. The
+ new versions are named like the old ones but with an appended '_T':
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+ CURLINFO_CONTENT_LENGTH_DOWNLOAD_T
+ CURLINFO_CONTENT_LENGTH_UPLOAD_T
+ CURLINFO_SIZE_DOWNLOAD_T
+ CURLINFO_SIZE_UPLOAD_T
+ CURLINFO_SPEED_DOWNLOAD_T
+ CURLINFO_SPEED_UPLOAD_T
+
+ Closes #1511
-Daniel Stenberg (11 Apr 2016)
-- http2: drain the socket better...
+- PIPELINING_SERVER_BL: cleanup the internal list use
- ... but ignore EAGAIN if the stream has ended so that we don't end up in
- a loop. This is a follow-up to c8ab613 in order to avoid the problem
- d261652 was made to fix.
+ The list was freed incorrectly since the llist refactor of
+ cbae73e1dd959. Added test 1550 to verify that it works and avoid future
+ regressions.
- Reported-by: Jay Satiro
- Clues-provided-by: Tatsuhiro Tsujikawa
+ Reported-by: Pascal Terjan
- Discussed in #750
+ Fixes #1584
+ Closes #1585
-- KNOWN_BUGS: added info for "Hangs with PolarSSL"
+- http2: fix OOM crash
+
+ torture mode with test 1021 found it
-- KNOWN_BUGS: 1.9 HTTP/2 frames while in the connection pool kill reuse
+- CURLOPT_PREQUOTE.3: spellfix man page reference
+
+Marcel Raad (18 Jun 2017)
+- http_proxy: fix build with http and proxy
+
+ After deff7de0eb0e22d2d142b96b9cc84cd8db5d2a48, the build without
+ CURL_DISABLE_PROXY and CURL_DISABLE_HTTP was failing because of missing
+ includes.
+
+- http_proxy: fix compiler warning
- Closes #750
+ With CURL_DISABLE_PROXY or CURL_DISABLE_HTTP, GCC complained about a
+ missing prototype for Curl_connect_free.
-- build: include scripts/ in the dist
+Daniel Stenberg (18 Jun 2017)
+- TODO: update the TOC too
-Steve Holme (9 Apr 2016)
-- CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
+- TODO: implement support for CURLOPT_PREQUOTE with SFTP
- As these two options provide identical functionality, the former for
- SOCK5 proxies and the latter for HTTP proxies, merged the two options
- together.
+ ... also updated the CURLOPT_PREQUOTE.3 man page to mention the correct
+ protocol support.
- As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of
- 7.49.0.
+ Closes #1514
-- urldata: Use bool for socks5_gssapi_nec as it is a flag
+- tool_wrte_cb: remove check for config == NULL
- This value is set to TRUE or FALSE so should be a bool and not a long.
+ ... as it really cannot have reached this far with config being NULL,
+ thus this is unnecesary and misleading.
+
+ Bug: https://news.ycombinator.com/item?id=14577585 and
+ https://daniel.haxx.se/blog/2017/06/17/curl-doesnt-spew-binary-anymore/comment-page-1/#comment-18356
+
+ Forwarded-to-us-by: Jakub Wilk
-- url: Ternary operator code style changes
+- curl: prevent binary output spewed to terminal
+
+ ... unless "--output -" is used. Binary detection is done by simply
+ checking for a binary zero in early data.
+
+ Added test 1425 1426 to verify.
+
+ Closes #1512
-- CODE_STYLE: Added ternary operator example to 'Space around operators'
+Marcel Raad (16 Jun 2017)
+- Makefile.m32: enable -W for MinGW32 build
- Following conversation on the libcurl mailing list.
+ The configure-based build also has this in addition to -Wall.
+
+ Closes https://github.com/curl/curl/pull/1578
-- sasl: Fixed compilation errors from commit 9d89a0387
+- curl-compilers.m4: enable comma clang warning
+
+ It usually warns when using commas instead of semicolons or other
+ operators by accident.
- ...when GSS-API or Windows SSPI are not used.
+ Closes https://github.com/curl/curl/pull/1578
-- url: Corrected comments following 9d89a0387
+- curl-compilers.m4: enable missing-variable-declarations clang warning
+
+ It usually warns when forgetting to declare TU-local variables static.
+
+ Closes https://github.com/curl/curl/pull/1578
-- docs: Added clarification following commit 9d89a0387
+- curl-compilers.m4: enable double-promotion warning
+
+ Enable -Wdouble-promotion for both GCC and clang. It warns on implicit
+ promotion from float to double.
+
+ Closes https://github.com/curl/curl/pull/1578
-- Makefile: Fixed echo of checksrc check
+- curl-compilers.m4: enable vla warning for clang
+
+ Previously, that warning was only implicitly active in C90 mode.
+ Enable it unconditionally as already done for GCC.
+
+ Closes https://github.com/curl/curl/pull/1578
-- checksrc: Fix issue with the autobuilds not picking up the whitelist
+Daniel Stenberg (16 Jun 2017)
+- http-proxy: fix chunked-encoded CONNECT responses
+
+ Regression since 5113ad0424.
+
+ ... and remove 'flaky' from test 1061 again
+
+ Closes #1579
-- checksrc: Added missing vauth and vtls directories
+- http-proxy: deal with EAGAIN
+
+ ... the previous code would reset the header length wrongly (since
+ 5113ad0424). This makes test 1060 reliable again.
+
+ Also: make sws send even smaller chunks of data to increase the
+ likeliness of this happening.
-- ftp/imap/pop3/smtp: Allow the service name to be overridden
+- libtest/libntlmconnect: fix compiler warnings from f94fcdb
+
+- [Jay Satiro brought this change]
+
+ HTTPS-Proxy: don't offer h2 for https proxy connections
+
+ Bug: https://github.com/curl/curl/issues/1254
- Allow the service name to be overridden for DIGIST-MD5 and Kerberos 5
- authentication in FTP, IMAP, POP3 and SMTP.
+ Closes #1546
-- http_negotiate: Calculate service name and proxy service name locally
+- tests: stabilize test 2032 and 2033
+
+ Both these tests run the same underlying test code: libntlmconnect.c -
+ this test code made some assumptions about socket ordering when it used
+ curl_easy_fdset() and when we changed timing or got accidental changes
+ in libcurl the tests would fail.
- Calculate the service name and proxy service names locally, rather than
- in url.c which will allow for us to support overriding the service name
- for other protocols such as FTP, IMAP, POP3 and SMTP.
+ The tests verify that the different transfers keep using the same
+ connections, which I now instead made sure by adding the number of bytes
+ each transfer gets and then verifies that they always get the same
+ amount as when these tests worked.
+
+ Closes #1576
-- ROADMAP: Updated following the move of the authentication code
+- test1148: verify the -# progressbar
+
+ Closes #1569
-Patrick Monnerat (8 Apr 2016)
-- KNOWN_BUGS: openldap hangs. TODO: binary SASL.
+- test1061: mark as flaky
+
+ Fails intermittently on travis builds since a few days. Likely due to
+ 5113ad0424.
-Daniel Stenberg (8 Apr 2016)
-- KNOWN_BUGS: 5.6 Improper use of Autoconf cache variables
+Jay Satiro (16 Jun 2017)
+- url: refactor the check for Windows drive letter in path
- Closes #603
+ - Move the logic to detect a Windows drive letter prefix
+ (eg c: in c:foo) into a function-like macro.
+
+ Closes https://github.com/curl/curl/pull/1571
-- KNOWN_BUGS: 11.2 error buffer not set...
+- mk-ca-bundle.pl: Check curl's exit code after certdata download
+
+ - No longer allow partial downloads of certdata.
+
+ Prior to this change partial downloads were (erroneously?) allowed since
+ only the server code was checked to be 200.
- Closes #544
+ Bug: https://github.com/curl/curl/pull/1577
+ Reported-by: Matteo B.
-- KNOWN_BUGS: 11.1 Curl leaks .onion hostnames in DNS
+Daniel Stenberg (16 Jun 2017)
+- dist: add the fuzz dir to the tarball
+
+- configure: disable nghttp2 too if HTTP has been disabled
+
+- http-proxy: fix build with --disable-proxy or --disable-http
- Closes #543
+ Reported-by: Dan Fandrich
-- KNOWN_BUGS: 1.8 DNS timing is wrong for HTTP redirects
+- fuzz/README: document how to build
- Closes #522
+ Fixes #1476
-- TODO: HTTP/2 "prior knowledge" is implemented!
+- [Frederik B brought this change]
-- [Damien Vielpeau brought this change]
+ fuzz: corpora file structure, initial commit
- mbedtls: fix MBEDTLS_DEBUG builds
+- [Frederik B brought this change]
-- mbedtls: implement and provide *_data_pending()
+ fuzz: bring oss-fuzz initial code converted to C89
+
+- http-proxy: only attempt FTP over HTTP proxy
- ... as otherwise we might get stuck thinking there's no more data to
- handle.
+ ... all other non-HTTP protocol schemes are now defaulting to "tunnel
+ trough" mode if a HTTP proxy is specified. In reality there are no HTTP
+ proxies out there that allow those other schemes.
- Reported-by: Damien Vielpeau
+ Assisted-by: Ray Satiro, Michael Kaufmann
- Fixes #737
+ Closes #1505
-- mbedtls: follow-up for the previous commit
+- TODO: the generated include file is gone
+
+ ... since commit 73a2fcea0b
-- mbedtls.c: name space pollution fix, Use 'Curl_'
+- curl_setup.h: error out on CURL_WANTS_CA_BUNDLE_ENV use
+
+ ... to make it really apparent if there's any user using this on purpose.
+
+ Suggested-by: Jay Satiro
+
+ Closes #1542
-- mbedtls.c: changed private prefix to mbed_
+- lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV
- mbedtls_ is the prefix used by the mbedTLS library itself so we should
- avoid using that for our private functions.
+ When this define was set, libcurl would check the environment variable
+ named CURL_CA_BUNDLE at run-time and use that CA cert bundle. This
+ feature was only defined by the watcom and m32 makefiles and caused
+ inconsistent behaviours among libcurls built on different platforms.
+
+ The curl tool does already feature its own similar logic and the library
+ does not really need it, and it isn't documented libcurl behavior. So
+ this change removes it.
+
+ Ref: #1538
-- mbedtls.h: fix compiler warnings
+- test1147: verify -H on a file
-- Revert "winbuild: trying to set some files eol=crlf for git"
+- curl: allow --header and --proxy-header read from file
- This reverts commit 9c08b4f1e7eced5a4d3782a3e0daa484c9d77d21.
+ So many headers can be provided as @filename.
- Didn't help. Caused problems.
+ Suggested-by: Timothe Litt
- Fixes #756
+ Closes #1486
+
+- RELEASE-NOTES: synced with 2ad80eec5
-- curl.1: use example.com more
+- curl/curlver.h: start working on 7.55.0
+
+- http-proxy: do the HTTP CONNECT process entirely non-blocking
+
+ Mentioned as a problem since 2007 (8f87c15bdac63) and of course it
+ existed even before that.
- Make (most) example snippets use the example.com domain instead of the
- random ones picked and used before. Some of those were probably
- legitimate sites and some not. example.com is designed for this purpose.
+ Closes #1547
-- [Michael Kaufmann brought this change]
+- progress: let "current speed" be UL + DL speeds combined
+
+ Bug #1556
+ Reported-by: Paul Harris
+ Closes #1559
- HTTP2: Add a space character after the status code
+Marcel Raad (14 Jun 2017)
+- system.h: fix MinGW build
+
+ CURLSYS_PULL_WS2TCPIP_H got renamed to CURL_PULL_WS2TCPIP_H in commit
+ 73a2fcea0b4adea6ba342cd7ed1149782c214ae3.
+
+Daniel Stenberg (14 Jun 2017)
+- timers: store internal time stamps as time_t instead of doubles
+
+ This gives us accurate precision and it allows us to avoid storing "no
+ time" for systems with too low timer resolution as we then bump the time
+ up to 1 microsecond. Should fix test 573 on windows.
- The space character after the status code is mandatory, even if the
- reason phrase is empty (see RFC 7230 section 3.1.2)
+ Remove the now unused curlx_tvdiff_secs() function.
- Closes #755
+ Maintains the external getinfo() API with using doubles.
+
+ Fixes #1531
-- [Viktor Szakats brought this change]
+- dist: make the hugehelp.c not get regenerated unnecessarily
+
+ The maketgz script now makes sure the generated hugehelp.c file in the
+ tarball is newer than the generated curl.1 man page, so that it doesn't
+ have to get unnecessarily rebuilt first thing in a typical build. It
+ thus also removes the need for perl to build off a plain release
+ tarball.
+
+ Fixes #1565
- URLs: change http to https in many places
+- includes: remove curl/curlbuild.h and curl/curlrules.h
+
+ Rely entirely on curl/system.h now.
+
+ Introduced in Aug 2008 with commit 14240e9e109f. Now gone.
- Closes #754
+ Fixes #1456
-- winbuild: trying to set some files eol=crlf for git
+Version 7.54.1 (14 Jun 2017)
+
+Daniel Stenberg (14 Jun 2017)
+- release: 7.54.1
+
+Dan Fandrich (13 Jun 2017)
+- mk-lib1521.pl: updated to match the test changes in 916ec30a
+
+Daniel Stenberg (13 Jun 2017)
+- [Stuart Henderson brought this change]
+
+ libressl: OCSP and intermediate certs workaround no longer needed
+
+ lib/vtls/openssl.c has a workaround for a bug with OCSP responses signed
+ by intermediate certs, this was fixed in LibreSSL in
+ https://github.com/libressl-portable/openbsd/commit/912c64f68f7ac4f225b7d1fdc8fbd43168912ba0
- Thinking it might help to apply patches etc with git.
+ Bug: https://curl.haxx.se/mail/lib-2017-06/0038.html
-- [Theodore Dubois brought this change]
+- url: fix buffer overwrite with file protocol (CVE-2017-9502)
+
+ Bug: https://github.com/curl/curl/issues/1540
+ Advisory: https://curl.haxx.se/docs/adv_20170614.html
+
+ Assisted-by: Ray Satiro
+ Reported-by: Marcel Raad
- curl.1: change example for -F
+- urlglob: fix division by zero
- It's a bad idea to send your passwords anywhere, especially over HTTP.
- Modified example to send a picture instead.
+ The multiply() function that is used to avoid integer overflows, was
+ itself reason for a possible division by zero error when passed a
+ specially formatted glob.
- Fixes #752
+ Reported-by: GwanYeong Kim
+
+- configure: update the copyright year in the output
-- KNOWN_BUGS: reorganized and cleaned up
+- [ygrek brought this change]
+
+ BINDINGS: update SP-Forth and OCaml urls
+
+Michael Kaufmann (11 Jun 2017)
+- FindWin32CACert: Use a temporary buffer on the stack
+
+ Don't malloc() the temporary buffer, and use the correct type:
+ SearchPath() works with TCHAR, but SearchPathA() works with char.
+ Set the buffer size to MAX_PATH, because the terminating null byte
+ is already included in MAX_PATH.
- Now sorted into categories and organized in the same style we do the
- TODO document. It will make each issue linked properly on the
- https://curl.haxx.se/docs/knownbugs.html web page.
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Marcel Raad
- The sections should make it easier to find issues and issues related to
- areas of the reader's specific interest.
+ Closes #1548
-Jay Satiro (6 Apr 2016)
-- KNOWN_BUGS: #95 curl in Windows can't handle Unicode arguments
+Dan Fandrich (11 Jun 2017)
+- test1521: fixed OOM handling
-Steve Holme (6 Apr 2016)
-- KNOWN_BUGS: Use https://curl.haxx.se URL for github based issues
+Daniel Stenberg (9 Jun 2017)
+- RELEASE-PROCEDURE: updated future release dates
-- CHECKSRC.md: Corrected some typos
+- [Paul Harris brought this change]
-- RELEASE-NOTES: Corrected last updated
+ gitignore: ignore all vim swap files
- Included a summary of the checksrc.bat updates and combined two krb5
- changes as they should have been implemented at the same time.
+ Closes #1561
-- vauth: Corrected a number of typos in comments
+- lib1521: fix compiler warnings on the use of bad 'long' values
- Reported-by: Michael Osipov
+ Reported-by: Marcel Raad
+ Bug: https://github.com/curl/curl/commit/cccac4fb2b20d6ed87da7978408c3ecacc464fe4#commitcomment-22453387
-Jay Satiro (5 Apr 2016)
-- KNOWN_BUGS: #94 IMAP custom requests use the LIST handler
+- setopt: check CURLOPT_ADDRESS_SCOPE option range
- Bug: https://github.com/curl/curl/issues/536
- Reported-by: eXeC64@users.noreply.github.com
+ ... and return error instead of triggering an assert() when being way
+ out of range.
+
+Jay Satiro (8 Jun 2017)
+- [TheAssassin brought this change]
-Daniel Stenberg (5 Apr 2016)
-- KNOWN_BUGS: remove 68, 70 and 72.
+ cmake: Fix inconsistency regarding mbed TLS include directory
- Due to their age (we don't fully know if they actually remain) and lack
- of detail - very few people will bother to find out what they're about
- or work on them. If people truly still suffer from any of these, I
- assume they will be reported again and then we'll deal with them.
+ Previously, one had to set MBEDTLS_INCLUDE_DIR to make CMake find the
+ headers, but the system complained that mbed TLS wasn't found due to
+ MBEDTLS_INCLUDE_DIRS (note the trailing s) was not set. This commit
+ attempts to fix that.
- 72. "Pausing pipeline problems."
- https://curl.haxx.se/mail/lib-2009-07/0214.html
+ Closes https://github.com/curl/curl/pull/1541
+
+Daniel Stenberg (8 Jun 2017)
+- [Ryuichi KAWAMATA brought this change]
+
+ examples/multi-uv.c: fix deprecated symbol
+
+ Closes #1557
+
+- asyn-ares: s/Curl_expire_latest/Curl_expire
+
+- expire: remove Curl_expire_latest()
- 70. Problem re-using easy handle after call to curl_multi_remove_handle
- https://curl.haxx.se/mail/lib-2009-07/0249.html
+ With the introduction of expire IDs and the fact that existing timers
+ can be removed now and thus never expire, the concept with adding a
+ "latest" timer is not working anymore as it risks to not expire at all.
- 68. "More questions about ares behavior".
- https://curl.haxx.se/mail/lib-2009-08/0012.html
+ So, to be certain the timers actually are in line and will expire, the
+ plain Curl_expire() needs to be used. The _latest() function was added
+ as a sort of shortcut in the past that's quite simply not necessary
+ anymore.
+
+ Follow-up to 31b39c40cf90
+
+ Reported-by: Paul Harris
+
+ Closes #1555
-- KNOWN_BUGS: remove 92 and 88, fixed
+- [Chris Carlmar brought this change]
-- http2: fix connection reuse when PING comes after last DATA
+ configure: fix link with librtmp when specifying path
- It turns out the google GFE HTTP/2 servers send a PING frame immediately
- after a stream ends and its last DATA has been received by curl. So if
- we don't drain that from the socket, it makes the socket readable in
- subsequent checks and libcurl then (wrongly) assumes the connection is
- dead when trying to reuse the connection.
+ Bug: https://curl.haxx.se/mail/lib-2017-06/0017.html
+
+- file: make speedcheck use current time for checks
- Reported-by: Joonas Kuorilehto
+ ... as it would previously just get the "now" timestamp before the
+ transfer starts and then not update it again.
- Discussed in #750
+ Closes #1550
-- multi: remove trailing space in debug output
+- metalink: remove unused printf() argument
-- RELEASE-NOTES: synced with 86e97b642fb
+- travis: let some builds *not* use --enable-debug
+
+ typecheck-gcc and other things require optimized builds
+
+ Closes #1544
-- CHECKSRC.md: mention cmdline options, fix the bullet list
+- README.md: show the coverall coverage on github
-- docs/CHECKSRC.md: initial version
+- lib1521: fix compiler warnings
-Steve Holme (3 Apr 2016)
-- checksrc.bat: Added support for the examples
+- test1521: make the code < 80 columns wide
-Daniel Stenberg (3 Apr 2016)
-- lib/src: fix the checksrc invoke
+- test1121: use stricter types to work with typcheck-gcc
+
+- typecheck-gcc: allow CURLOPT_STDERR to be NULL too
+
+- test1521: test *all* curl_easy_setopt options
+
+ mk-lib1521.pl generates a test program (lib1521.c) that calls
+ curl_easy_setopt() for every known option with a few typical values to
+ make sure they work (ignoring the return codes).
+
+ Some small changes were necessary to avoid asserts and NULL accesses
+ when doing this.
+
+ The perl script needs to be manually rerun when we add new options.
+
+ Closes #1543
+
+Dan Fandrich (5 Jun 2017)
+- test1538: added "verbose logs" keyword
+
+ These error messages are not displayed with --disable-verbose
+
+Daniel Stenberg (5 Jun 2017)
+- test1262: verify ftp download with -z for "if older than this"
+
+Marcel Raad (5 Jun 2017)
+- curl_ntlm_core: use Curl_raw_toupper instead of toupper
+
+ This was the only remaining use of toupper in the entire source code.
- ... now works correctly when invoke from the root makefile
+ Suggested-by: Daniel Stenberg
+
+Daniel Stenberg (4 Jun 2017)
+- RELEASE-NOTES: synced with 65ba92650