Changelog
-Daniel Stenberg (14 May 2010)
-- John-Mark Bell filed bug #3000052 that identified a problem (with an
- associated patch) with the OpenSSL handshake state machine when the multi
- interface is used:
-
- Performing an https request using a curl multi handle and using select or
- epoll to wait for events results in a hang. It appears that the cause is the
- fix for bug #2958179, which makes ossl_connect_common unconditionally return
- from the step 2 loop when fetching from a multi handle.
-
- When ossl_connect_step2 has completed, it updates connssl->connecting_state
- to ssl_connect_3. ossl_connect_common will then return to the caller, as a
- multi handle is in use. Eventually, the client code will call
- curl_multi_fdset to obtain an updated fdset to select or epoll on. For https
- requests, curl_multi_fdset will cause https_getsock to be called.
- https_getsock will only return a socket handle if the connecting_state is
- ssl_connect_2_reading or ssl_connect_2_writing. Therefore, the client will
- never obtain a valid fdset, and thus not drive the multi handle, resulting
- in a hang.
-
- (http://curl.haxx.se/bug/view.cgi?id=3000052)
-
-- Sebastian V reported bug #3000056 identifying a problem with redirect
- following. It showed that when curl followed redirects it didn't properly
- ignore the response body of the 30X response if that response was using
- compressed Content-Encoding!
-
- (http://curl.haxx.se/bug/view.cgi?id=3000056)
-
-Daniel Stenberg (12 May 2010)
-- Howard Chu brought support for RTMP. This is powered by the underlying
- librtmp library. It supports a range of variations and "sub-protocols"
- within the RTMP family.
-
-- Pavel Raiskup brought support for FTP directory wildcard matching to allow
- selective downloading. To provide that, a set of new options were added:
-
- CURLOPT_WILDCARDMATCH
- CURLOPT_CHUNK_BGN_FUNCTION
- CURLOPT_CHUNK_END_FUNCTION
- CURLOPT_CHUNK_DATA
- CURLOPT_FNMATCH_FUNCTION
-
- There were also a set of new tests added (574 - 577) to verify this.
-
-Kamil Dudka (11 May 2010)
-- CRL support in libcurl-NSS has been completely broken. Now it works. Original
- bug report: https://bugzilla.redhat.com/581926
-
-Daniel Stenberg (7 May 2010)
-- Dirk Manske reported a regression. When connecting with the multi interface,
- there were situations where libcurl wouldn't store connect time correctly as
- it used to (and is documented to) do.
-
- Using his fine sample program we could repeat it, and I wrote up test case
- 573 using that code. The problem does not easily show itself using the local
- test suite though.
-
- The fix, also as suggested by Dirk, is a bit on the ugly side as it adds yet
- another call to Curl_verboseconnect() and setting the TIMER_CONNECT time.
- That situation is subject for some closer inspection in the future.
-
-- Howard Chu split the I/O handling functions into private handlers.
-
- Howard Chu brought the bulk work of this patch that properly moves out the
- sending and recving of data to the parts of the code that are properly
- responsible for the various ways of doing so.
-
- Daniel Stenberg assisted with polishing a few bits and fixed some minor
- flaws in the original patch.
-
- Another upside of this patch is that we now abuse CURLcodes less with the
- "magic" -1 return codes and instead use CURLE_AGAIN more consistently.
-
-Daniel Stenberg (5 May 2010)
-- Hoi-Ho Chan introduced support for using the PolarSSL library. You control
- this with the new configure option --with-polarssl.
-
-Daniel Stenberg (29 Apr 2010)
-- Ben Greear made telnet a lot better/easier to use by an application:
-
- The main change is to allow input from user-specified methods, when they are
- specified with CURLOPT_READFUNCTION. All calls to fflush(stdout) in
- telnet.c were removed, which makes using 'curl telnet://foo.com' painful
- since prompts and other data are not always returned to the user promptly.
- Use 'curl --no-buffer telnet://foo.com' instead. In general, the user
- should have their CURLOPT_WRITEFUNCTION do a fflush for interactive use.
-
- Also fix assumption that reading from stdin never returns < 0.
- Old code could crash in that case.
-
- Call progress functions in telnet main loop.
-
-Daniel Stenberg (26 Apr 2010)
-- Make use of the libssh2_init/exit functions that libssh2 added in version
- 1.2.5. Using them will improve how libcurl works in threaded situations when
- SCP and SFTP are transfered.
-
-Daniel Stenberg (25 Apr 2010)
-- Based on work by Kamil Dudka, I've introduced the new configure option
- --enable-threaded-resolver. When used, the configure script will check for
- pthreads and if around, it will build libcurl to use pthreads to do name
- resolving in a threaded manner. Note that this is just a fix to offer an
- option that can enable the code that already included. The threader resolver
- code was mostly added on Jan 26 2010.
-
-Daniel Stenberg (24 Apr 2010)
-- Alex Bligh introduced the --proto and -proto-redir options that limit what
- protocols curl accepts for the requests and when following redirects.
-
-Kamil Dudka (24 Apr 2010)
-- Fixed test536 in order to not fail with threaded DNS resolver and tweaked
- comments in certain examples using curl_multi_fdset().
-
-- Fixed SSL handshake timeout underflow in libcurl-NSS, which caused test405
- to hang on a slow machine.
-
-Daniel Stenberg (21 Apr 2010)
-- The -O option caused curl to crash on windows and DOS due to the tool
- writing out of boundary memory.
-
-Yang Tse (20 Apr 2010)
-- Ruslan Gazizov detected that MSVC makefiles were using wsock32.lib instead
- of ws2_32.lib, this generated linking issues on MSVC IPv6 enabled builds
- that were done using those makefiles.
-
-Daniel Stenberg (19 Apr 2010)
-- -J/--remote-header-name didn't strip trailing carriage returns or linefeeds
- properly, so they could be used in the file name.
-
-Daniel Stenberg (16 Apr 2010)
-- Jerome Vouillon made the GnuTLS SSL handshake phase non-blocking.
-
-- The recent overhaul of the SSL recv function made the GnuTLS specific code
- treat a zero returned from gnutls_record_recv() as an error, and this caused
- our HTTPS test cases to fail. We leave it to upper layer code to detect if
- an EOF is a problem or not.
-
-- I reverted the resolver fix from yesterday and instead removed all uses of
- AI_CANONNAME all over libcurl and made the only user of that info (krb5.c)
- use the host name from the URL instead. No reverse resolving is a good
- thing.
-
-- Paul Howarth made configure properly detect GSS "on ancient Linux distros"
- by editing in which order we use headers to detect GSS.
-
-Daniel Stenberg (15 Apr 2010)
-- Rainer Canavan filed bug report #2987196 that identified libcurl doing
- unnecesary reverse name lookups in many cases when built to use IPv4 and
- getaddrinfo(). The logic for ipv6 is now used for ipv4 too.
-
- (http://curl.haxx.se/bug/view.cgi?id=2963679)
-
-Version 7.20.1 (14 April 2010)
-
-Daniel Stenberg (9 Apr 2010)
-- Prefixing the FTP quote commands with an asterisk really only worked for the
- postquote actions. This is now fixed and test case 227 has been extended to
- verify.
-
-Kamil Dudka (4 Apr 2010)
-- Eliminated a race condition in Curl_resolv_timeout().
-
-- Refactorized interface of Curl_ssl_recv()/Curl_ssl_send().
-
-- libcurl-NSS now provides more accurate messages and error codes in case of
- client certificate problem. Either during connection, or transfer phase.
-
-Daniel Stenberg (1 Apr 2010)
-- Matt Wixson found and fixed a bug in the SCP/SFTP area where the code
- treated a 0 return code from libssh2 to be the same as EAGAIN while in
- reality it isn't. The problem caused a hang in SFTP transfers from a
- MessageWay server.
-
-Daniel Stenberg (28 Mar 2010)
-- Ben Greear: If you pass a URL to pop3 that does not contain a message ID as
- part of the URL, it would previously ask for 'INBOX' which just causes the
- pop3 server to return an error.
-
- Now libcurl treats en empty message ID as a request for LIST (list of pop3
- message IDs). User's code could then parse this and download individual
- messages as desired.
-
-Daniel Stenberg (27 Mar 2010)
-- Ben Greear brought a patch that from now on allows all protocols to specify
- name and user within the URL, in the same manner HTTP and FTP have been
- allowed to in the past - although far from all of the libcurl supported
- protocls actually have that feature in their URL definition spec.
-
-Daniel Stenberg (26 Mar 2010)
-- Ben Greear brought code that makes the rate limiting code for the easy
- interface a bit smoother as it introduces sub-second sleeps during it and it
- also takes the buffer sizes into account.
-
-Daniel Stenberg (24 Mar 2010)
-- Bob Richmond: There's an annoying situation where libcurl will read new HTTP
- response data from a socket, then check if it's a timeout if one is set. If
- the last packet received constitutes the end of the response body, libcurl
- still treats it as a timeout condition and reports a message like:
-
- "Operation timed out after 3000 milliseconds with 876 out of 876 bytes
- received"
-
- It should only a timeout if the timer lapsed and we DIDN'T receive the end
- of the response body yet.
-
-- Christopher Conroy fixed a problem with RTSP and GET_PARAMETER reported
- to us by Massimo Callegari. There's a new test case 572 that verifies this
- now.
-
-- The 'ares' subtree has been removed from the source repository. It was
- always a separate project that sort of piggybacked on the curl project since
- the dawn of times and now the time has come for it to go stand on its own
- legs and continue living its own life. All details on c-ares and its new
- source code repository is found at http://c-ares.haxx.se/
-
-Daniel Stenberg (23 Mar 2010)
-- Kenny To filed the bug report #2963679 with patch to fix a problem he
- experienced with doing multi interface HTTP POST over a proxy using
- PROXYTUNNEL. He found a case where it would connect fine but bits.tcpconnect
- was not set correct so libcurl didn't work properly.
-
- (http://curl.haxx.se/bug/view.cgi?id=2963679)
-
-- Akos Pasztory filed debian bug report #572276
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572276 mentioning a problem
- with a resource that returns chunked-encoded _and_ with a Content-Length
- and libcurl failed to properly ignore the latter information.
-
-- Hauke Duden provided an example program that made the multi interface crash.
- His example simply used the multi interface and did first one FTP transfer
- and after completion it used a second easy handle and did another FTP
- transfer on the same FTP server.
-
- This triggered a bug in the "delayed easy handle kill" system that curl
- uses: when an FTP connection is left alive it must keep an easy handle
- around internally - only for the purpose of having an easy handle when it
- later disconnects it. The code assumed that when the easy handle was removed
- and an internal reference was made, that version could be killed later on
- when a new easy handle came using the same connection. This was wrong as
- Hauke's example showed that the removed handle wasn't killed for real until
- later. This caused a double close attempt => segfault.
-
-Daniel Stenberg (22 Mar 2010)
-- Thomas Lopatic fixed the alarm()-based DNS timeout:
-
- Looking at the code of Curl_resolv_timeout() in hostip.c, I think that in
- case of a timeout, the signal handler for SIGALRM never gets removed. I
- think that in my case it gets executed at some point later on when execution
- has long left Curl_resolv_timeout() or even the cURL library.
-
- The code that is jumped to with siglongjmp() simply sets the error message
- to "name lookup timed out" and then returns with CURLRESOLV_ERROR. I guess
- that instead of simply returning without cleaning up, the code should have a
- goto that jumps to the spot right after the call to Curl_resolv().
-
-Kamil Dudka (22 Mar 2010)
-- Douglas Steinwand contributed a patch fixing insufficient initialization in
- Curl_clone_ssl_config()
-
-Daniel Stenberg (21 Mar 2010)
-- Ben Greear improved TFTP: the error code returning and the treatment
- of TSIZE == 0 when uploading.
-
-- We've switched from CVS to git. See http://curl.haxx.se/source.html
-
-Kamil Dudka (19 Mar 2010)
-- Improved Curl_read() to not ignore the error returned from Curl_ssl_recv().
-
-Daniel Stenberg (15 Mar 2010)
-- Constantine Sapuntzakis brought a patch:
-
- The problem mentioned on Dec 10 2009
- (http://curl.haxx.se/bug/view.cgi?id=2905220) was only partially fixed.
- Partially because an easy handle can be associated with many connections in
- the cache (e.g. if there is a redirect during the lifetime of the easy
- handle). The previous patch only cleaned up the first one. The new fix now
- removes the easy handle from all connections, not just the first one.
-
-Daniel Stenberg (6 Mar 2010)
-- Ben Greear brought a patch that fixed the rate limiting logic for TFTP when
- the easy interface was used.
-
-Daniel Stenberg (5 Mar 2010)
-- Daniel Johnson provided fixes for building curl with the clang compiler.
-
-Yang Tse (5 Mar 2010)
-- Constantine Sapuntzakis detected and fixed a double free in builds done
- with threaded resolver enabled (Windows default configuration) that would
- get triggered when a curl handle is closed while doing DNS resolution.
-
-Daniel Stenberg (2 Mar 2010)
-- [Daniel Johnson] I've been trying to build libcurl with clang on Darwin and
- ran into some issues with the GSSAPI tests in configure.ac. The tests first
- try to determine the include dirs and libs and set CPPFLAGS and LIBS
- accordingly. It then checks for the headers and finally sets LIBS a second
- time, causing the libs to be included twice. The first setting of LIBS seems
- redundant and should be left out, since the first part is otherwise just
- about finding headers.
-
- My second issue is that 'krb5-config --libs gssapi' on Darwin is less than
- useless and returns junk that, while it happens to work with gcc, causes
- clang to choke. For example, --libs returns $CFLAGS along with the libs,
- which is really retarded. Simply setting 'LIBS="$LIBS -lgssapi_krb5
- -lresolv"' on Darwin is sufficient.
-
-- Based on patch provided by Jacob Moshenko, the transfer logic now properly
- makes sure that when using sub-second timeouts, there's no final bad 1000ms
- wait. Previously, a sub-second timeout would often make the elapsed time end
- up the time rounded up to the nearest second (e.g. 1s for 200ms timeout)
-
-- Andrei Benea filed bug report #2956698 and pointed out that the
- CURLOPT_CERTINFO feature leaked memory due to a missing OpenSSL function
- call. He provided the patch to fix it too.
-
- http://curl.haxx.se/bug/view.cgi?id=2956698
-
-- Markus Duft pointed out in bug #2961796 that even though Interix has a
- poll() function it doesn't quite work the way we want it so we must disable
- it, and he also provided a patch for it.
-
- http://curl.haxx.se/bug/view.cgi?id=2961796
-
-- Made the pingpong timeout code properly deal with the response timeout AND
- the global timeout if set. Also, as was reported in the bug report #2956437
- by Ryan Chan, the time stamp to use as basis for the per command timeout was
- not set properly in the DONE phase for FTP (and not for SMTP) so I fixed
- that just now. This was a regression compared to 7.19.7 due to the
- conversion of FTP code over to the generic pingpong concepts.
-
- http://curl.haxx.se/bug/view.cgi?id=2956437
-
-Daniel Stenberg (1 Mar 2010)
-- Ben Greear provided an update for TFTP that fixes upload.
-
-- Wesley Miaw reported bug #2958179 which identified a case of looping during
- OpenSSL based SSL handshaking even though the multi interface was used and
- there was no good reason for it.
-
- http://curl.haxx.se/bug/view.cgi?id=2958179
-
-Daniel Stenberg (26 Feb 2010)
-- Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a
- chunked-encoding trailer.
+Version 7.59.0 (13 Mar 2018)
- http://curl.haxx.se/bug/view.cgi?id=2958474
-
-Daniel Fandrich (25 Feb 2010)
-- Fixed a couple of out of memory leaks and a segfault in the SMTP & IMAP code.
-
-Yang Tse (25 Feb 2010)
-- I fixed bug report #2958074 indicating
- (http://curl.haxx.se/bug/view.cgi?id=2958074) that curl on Windows with
- option --trace-time did not use local time when timestamping trace lines.
- This could also happen on other systems depending on time souurce.
-
-Patrick Monnerat (22 Feb 2010)
-- Proper handling of STARTTLS on SMTP, taking CURLUSESSL_TRY into account.
-- SMTP falls back to RFC821 HELO when EHLO fails (and SSL is not required).
-- Use of true local host name (i.e.: via gethostname()) when available, as
- default argument to SMTP HELO/EHLO.
-- Test case 804 for HELO fallback.
-
-Daniel Stenberg (20 Feb 2010)
-- Fixed the SMTP compliance by making sure RCPT TO addresses are specified
- properly in angle brackets. Recipients provided with CURLOPT_MAIL_RCPT now
- get angle bracket wrapping automatically by libcurl unless the recipient
- starts with an angle bracket as then the app is assumed to deal with that
- properly on its own.
-
-- I made the SMTP code expect a 250 response back from the server after the
- full DATA has been sent, and I modified the test SMTP server to also send
- that response. As usual, the DONE operation that is made after a completed
- transfer is still not doable in a non-blocking way so this waiting for 250
- is unfortunately made blockingly.
-
-Yang Tse (14 Feb 2010)
-- Overhauled test suite getpart() function. Fixing potential out of bounds
- stack and memory overwrites triggered with huge test case definitions.
-
-Daniel Stenberg (13 Feb 2010)
-- Martin Hager reported and fixed a problem with a missing quote in libcurl.m4
-
- (http://curl.haxx.se/bug/view.cgi?id=2951319)
-
-- Tom Donovan fixed the CURL_FORMAT_* defines when building with cmake.
-
- (http://curl.haxx.se/bug/view.cgi?id=2951269)
-
-Daniel Stenberg (12 Feb 2010)
-- Jack Zhang reported a problem with SMTP: we wrongly used multiple addresses
- in the same RCPT TO line, when they should be sent in separate single
- commands. I updated test case 802 to verify this.
-
-- I also fixed a bad use of my_setopt_str() of CURLOPT_MAIL_RCPT in the curl
- tool which made it try to output it as string for the --libcurl feature
- which could lead to crashes.
-
-Yang Tse (11 Feb 2010)
-- Steven M. Schweda fixed VMS builder bad behavior when used in a batch job,
- removed obsolete batch_compile.com and defines.com and updated VMS readme.
-
-Version 7.20.0 (9 February 2010)
-
-Daniel Stenberg (9 Feb 2010)
-- When downloading compressed content over HTTP and the app asked libcurl to
- automatically uncompress it with the CURLOPT_ENCODING option, libcurl could
- wrongly provide the callback with more data than the maximum documented
- amount. An application could thus get tricked into badness if the maximum
- limit was trusted to be enforced by libcurl itself (as it is documented).
-
- This is further detailed and explained in the libcurl security advisory
- 20100209 at
-
- http://curl.haxx.se/docs/adv_20100209.html
-
-Daniel Fandrich (3 Feb 2010)
-- Changed the Watcom makefiles to make them easier to keep in sync with
- Makefile.inc since that can't be included directly.
-
-Yang Tse (2 Feb 2010)
-- Symbol CURL_FORMAT_OFF_T now obsoleted, will be removed in a future release,
- symbol will not be available when building with CURL_NO_OLDIES defined. Use
- of CURL_FORMAT_CURL_OFF_T is preferred since 7.19.0
-
-Daniel Stenberg (1 Feb 2010)
-- Using the multi_socket API, it turns out at times it seemed to "forget"
- connections (which caused a hang). It turned out to be an existing (7.19.7)
- bug in libcurl (that's been around for a long time) and it happened like
- this:
-
- The app calls curl_multi_add_handle() to add a new easy handle, libcurl will
- then set it to timeout in 1 millisecond so libcurl will tell the app about
- it.
-
- The app's timeout fires off that there's a timeout, the app calls libcurl as
- we so often document it:
-
- do {
- res = curl_multi_socket_action(... TIMEOUT ...);
- } while(CURLM_CALL_MULTI_PERFORM == res);
-
- And this is the problem number one:
-
- When curl_multi_socket_action() is called with no specific handle, but only
- a timeout-action, it will *only* perform actions within libcurl that are
- marked to run at this time. In this case, the request would go from INIT to
- CONNECT and return CURLM_CALL_MULTI_PERFORM. When the app then calls libcurl
- again, there's no timer set for this handle so it remains in the CONNECT
- state. The CONNECT state is a transitional state in libcurl so it reports no
- sockets there, and thus libcurl never tells the app anything more about that
- easy handle/connection.
-
- libcurl _does_ set a 1ms timeout for the handle at the end of
- multi_runsingle() if it returns CURLM_CALL_MULTI_PERFORM, but since the loop
- is instant the new job is not ready to run at that point (and there's no
- code that makes libcurl call the app to update the timout for this new
- timeout). It will simply rely on that some other timeout will trigger later
- on or that something else will update the timeout callback. This makes the
- bug fairly hard to repeat.
-
- The fix made to adress this issue:
-
- We introduce a loop in lib/multi.c around all calls to multi_runsingle() and
- simply check for CURLM_CALL_MULTI_PERFORM internally. This has the added
- benefit that this goes in line with my long-term wishes to get rid of the
- CURLM_CALL_MULTI_PERFORM all together from the public API.
-
- The downside of this fix, is that the counter we return in 'running_handles'
- in several of our public functions then gets a slightly new and possibly
- confusing behavior during times:
-
- If an app adds a handle that fails to connect (very quickly) it may just
- as well never appear as a 'running_handle' with this fix. Previously it
- would first bump the counter only to get it decreased again at next call.
- Even I have used that change in handle counter to signal "end of a
- transfer". The only *good* way to find the end of a individual transfer
- is calling curl_multi_info_read() to see if it returns one.
-
- Of course, if the app previously did the looping before it checked the
- counter, it really shouldn't be any new effect.
-
-Yang Tse (26 Jan 2010)
-- Constantine Sapuntzakis' and Joshua Kwan's work done in the last four months
- relative to the asynchronous DNS lookups, along with with some integration
- adjustments I have done are finally committed to CVS.
-
- Currently these enhancements will benefit builds done using c-ares on any
- platform as well as Windows builds using the default threaded resolver.
-
- This release does not make generally available POSIX threaded DNS lookups
- yet. There is no configure option to enable this feature yet. It is possible
- to experimantally try this feature running configure with compiler flags that
- make simultaneous definition of preprocessor symbols USE_THREADS_POSIX and
- HAVE_PTHREAD_H, as well as whatever reentrancy compiler flags and linker ones
- are required to link and properly use pthread_* functions on each platform.
-
-Daniel Stenberg (26 Jan 2010)
-- Mike Crowe made libcurl return CURLE_COULDNT_RESOLVE_PROXY when it is the
- proxy that cannot be resolved when using c-ares. This matches the behaviour
- when not using c-ares.
-
-Björn Stenberg (23 Jan 2010)
-- Added a new flag: -J/--remote-header-name. This option tells the
- -O/--remote-name option to use the server-specified Content-Disposition
- filename instead of extracting a filename from the URL.
-
-Daniel Stenberg (21 Jan 2010)
-- Chris Conroy brought support for RTSP transfers, and with it comes 8(!) new
- libcurl options for controlling what to get and how to receive posssibly
- interleaved RTP data.
-
-Daniel Stenberg (20 Jan 2010)
-- As was pointed out on the http-state mailing list, the order of cookies in a
- HTTP Cookie: header _needs_ to be sorted on the path length in the cases
- where two cookies using the same name are set more than once using
- (overlapping) paths. Realizing this, identically named cookies must be
- sorted correctly. But detecting only identically named cookies and take care
- of them individually is harder than just to blindly and unconditionally sort
- all cookies based on their path lengths. All major browsers also already do
- this, so this makes our behavior one step closer to them in the cookie area.
-
- Test case 8 was the only one that broke due to this change and I updated it
- accordingly.
-
-Daniel Stenberg (19 Jan 2010)
-- David McCreedy brought a fix and a new test case (129) to make libcurl work
- again when downloading files over FTP using ASCII and it turns out that the
- final size of the file is not the same as the initial size the server
- reported. This is very common since servers don't take the newline
- conversions into account.
-
-Kamil Dudka (14 Jan 2010)
-- Suppressed side effect of OpenSSL configure checks, which prevented NSS from
- being properly detected under certain circumstances. It had been caused by
- strange behavior of pkg-config when handling PKG_CONFIG_LIBDIR. pkg-config
- distinguishes among empty and non-existent environment variable in that case.
-
-Daniel Stenberg (12 Jan 2010)
-- Gil Weber reported a peculiar flaw with the multi interface when doing SFTP
- transfers: curl_multi_fdset() would return -1 and not set and file
- descriptors several times during a transfer of a single file. It turned out
- to be due to two different flaws now fixed. Gil's excellent recipe helped me
- nail this.
-
-Daniel Stenberg (11 Jan 2010)
-- Made sure that the progress callback is repeatedly called at a regular
- interval even during very slow connects.
-
-- The tests/runtests.pl script now checks to see if the test case that runs is
- present in the tests/data/Makefile.am and outputs a notice message on the
- screen if not. Each test file has to be included in that Makefile.am to get
- included in release archives and forgetting to add files there is a common
- mistake. This is an attempt to make it harder to forget.
-
-Daniel Stenberg (9 Jan 2010)
-- Johan van Selst found and fixed a OpenSSL session ref count leak:
-
- ossl_connect_step3() increments an SSL session handle reference counter on
- each call. When sessions are re-used this reference counter may be
- incremented many times, but it will be decremented only once when done (by
- Curl_ossl_session_free()); and the internal OpenSSL data will not be freed
- if this reference count remains positive. When a session is re-used the
- reference counter should be corrected by explicitly calling
- SSL_SESSION_free() after each consecutive SSL_get1_session() to avoid
- introducing a memory leak.
-
- (http://curl.haxx.se/bug/view.cgi?id=2926284)
-
-Daniel Stenberg (7 Jan 2010)
-- Make sure the progress callback is called repeatedly even during very slow
- name resolves when c-ares is used for resolving.
-
-Claes Jakobsson (6 Jan 2010)
-- Julien Chaffraix fixed so that the fragment part in an URL is not sent
- to the server anymore.
-
-Kamil Dudka (3 Jan 2010)
-- Julien Chaffraix eliminated a duplicated initialization in singlesocket().
-
-Daniel Stenberg (2 Jan 2010)
-- Make curl support --ssl and --ssl-reqd instead of the previous FTP-specific
- versions --ftp-ssl and --ftp-ssl-reqd as these options are now used to
- control SSL/TLS for IMAP, POP3 and SMTP as well in addition to FTP. The old
- option names are still working but the new ones are the ones listed and
- documented.
-
-Daniel Stenberg (1 Jan 2010)
-- Ingmar Runge enhanced libcurl's FTP engine to support the PRET command. This
- command is a special "hack" used by the drftpd server, but even though it is
- a custom extension I've deemed it fine to add to libcurl since this server
- seems to survive and people keep using it and want libcurl to support
- it. The new libcurl option is named CURLOPT_FTP_USE_PRET, and it is also
- usable from the curl tool with --ftp-pret. Using this option on a server
- that doesn't support this command will make libcurl fail.
-
- I added test cases 1107 and 1108 to verify the functionality.
-
- The PRET command is documented at
- http://www.drftpd.org/index.php/Distributed_PASV
-
-Yang Tse (30 Dec 2009)
-- Steven M. Schweda improved VMS build system, and Craig A. Berry helped
- with the patch and testing.
-
-Daniel Stenberg (26 Dec 2009)
-- Renato Botelho and Peter Pentchev brought a patch that makes the libcurl
- headers work correctly even on FreeBSD systems before v8.
-
- (http://curl.haxx.se/bug/view.cgi?id=2916915)
-
-Daniel Stenberg (17 Dec 2009)
-- David Byron fixed Curl_ossl_cleanup to actually call ENGINE_cleanup when
- available.
-
-- Follow-up fix for the proxy fix I did for Jon Nelson's bug. It turned out I
- was a bit too quick and broke test case 1101 with that change. The order of
- some of the setups is sensitive. I now changed it slightly again to make
- sure we do them in this order:
-
- 1 - parse URL and figure out what protocol is used in the URL
- 2 - prepend protocol:// to URL if missing
- 3 - parse name+password off URL, which needs to know what protocol is used
- (since only some allows for name+password in the URL)
- 4 - figure out if a proxy should be used set by an option
- 5 - if no proxy option, check proxy environment variables
- 6 - run the protocol-specific setup function, which needs to have the proxy
- already set
-
-Daniel Stenberg (15 Dec 2009)
-- Jon Nelson found a regression that turned out to be a flaw in how libcurl
- detects and uses proxies based on the environment variables. If the proxy
- was given as an explicit option it worked, but due to the setup order
- mistake proxies would not be used fine for a few protocols when picked up
- from '[protocol]_proxy'. Obviously this broke after 7.19.4. I now also added
- test case 1106 that verifies this functionality.
-
- (http://curl.haxx.se/bug/view.cgi?id=2913886)
-
-Daniel Stenberg (12 Dec 2009)
-- IMAP, POP3 and SMTP support and their TLS versions (including IMAPS, POP3S
- and SMTPS) are now supported. The current state may not yet be solid, but
- the foundation is in place and the test suite has some initial support for
- these protocols. Work will now persue to make them nice libcurl citizens
- until release.
-
- The work with supporting these new protocols was sponsored by
- networking4all.com - thanks!
-
-Daniel Stenberg (10 Dec 2009)
-- Siegfried Gyuricsko found out that the curl manual said --retry would retry
- on FTP errors in the transient 5xx range. Transient FTP errors are in the
- 4xx range. The code itself only tried on 5xx errors that occured _at login_.
- Now the retry code retries on all FTP transfer failures that ended with a
- 4xx response.
-
- (http://curl.haxx.se/bug/view.cgi?id=2911279)
-
-- Constantine Sapuntzakis figured out a case which would lead to libcurl
- accessing alredy freed memory and thus crash when using HTTPS (with
- OpenSSL), multi interface and the CURLOPT_DEBUGFUNCTION and a certain order
- of cleaning things up. I fixed it.
-
- (http://curl.haxx.se/bug/view.cgi?id=2905220)
-
-Daniel Stenberg (7 Dec 2009)
-- Martin Storsjo made libcurl use the Expect: 100-continue header for posts
- with unknown size. Previously it was only used for posts with a known size
- larger than 1024 bytes.
-
-Daniel Stenberg (1 Dec 2009)
-- If the Expect: 100-continue header has been set by the application through
- curl_easy_setopt with CURLOPT_HTTPHEADER, the library should set
- data->state.expect100header accordingly - the current code (in 7.19.7 at
- least) doesn't handle this properly. Martin Storsjo provided the fix!
-
-Yang Tse (28 Nov 2009)
-- Added Diffie-Hellman parameters to several test harness certificate files in
- PEM format. Required by several stunnel versions used by our test harness.
-
-Daniel Stenberg (28 Nov 2009)
-- Markus Koetter provided a polished and updated version of Chad Monroe's TFTP
- rework patch that now integrates TFTP properly into libcurl so that it can
- be used non-blocking with the multi interface and more. BLKSIZE also works.
-
- The --tftp-blksize option was added to allow setting the TFTP BLKSIZE from
- the command line.
-
-Daniel Stenberg (26 Nov 2009)
-- Extended and fixed the change I did on Dec 11 for the the progress
- meter/callback during FTP command/response sequences. It turned out it was
- really lame before and now the progress meter SHOULD get called at least
- once per second.
-
-Daniel Stenberg (23 Nov 2009)
-- Bjorn Augustsson reported a bug which made curl not report any problems even
- though it failed to write a very small download to disk (done in a single
- fwrite call). It turned out to be because fwrite() returned success, but
- there was insufficient error-checking for the fclose() call which tricked
- curl to believe things were fine.
-
-Yang Tse (23 Nov 2009)
-- David Byron modified Makefile.dist vc8 and vc9 targets in order to allow
- finer granularity control when generating src and lib makefiles.
-
-Yang Tse (22 Nov 2009)
-- I modified configure to force removal of the curlbuild.h file included in
- distribution tarballs for use by non-configure systems. As intended, this
- would get overwriten when doing in-tree builds. But VPATH builds would end
- having two curlbuild.h files, one in the source tree and another in the
- build tree. With the modification I introduced 5 Nov 2009 this could become
- an issue when running libcurl's test suite.
-
-Daniel Stenberg (20 Nov 2009)
-- Constantine Sapuntzakis identified a write after close, as the sockets were
- closed by libcurl before the SSL lib were shutdown and they may write to its
- socket. Detected to at least happen with OpenSSL builds.
-
-- Jad Chamcham pointed out a bug with connection re-use. If a connection had
- CURLOPT_HTTPPROXYTUNNEL enabled over a proxy, a subsequent request using the
- same proxy with the tunnel option disabled would still wrongly re-use that
- previous connection and the outcome would only be badness.
-
-Yang Tse (18 Nov 2009)
-- I modified the memory tracking system to make it intolerant with zero sized
- malloc(), calloc() and realloc() function calls.
-
-Daniel Stenberg (17 Nov 2009)
-- Constantine Sapuntzakis provided another fix for the DNS cache that could
- end up with entries that wouldn't time-out:
-
- 1. Set up a first web server that redirects (307) to a http://server:port
- that's down
- 2. Have curl connect to the first web server using curl multi
-
- After the curl_easy_cleanup call, there will be curl dns entries hanging
- around with in_use != 0.
-
- (http://curl.haxx.se/bug/view.cgi?id=2891591)
-
-- Marc Kleine-Budde fixed: curl saved the LDFLAGS set during configure into
- its pkg-config file. So -Wl stuff ended up in the .pc file, which is really
- bad, and breaks if there are multiple -Wl in our LDFLAGS (which are in
- PTXdist). bug #2893592 (http://curl.haxx.se/bug/view.cgi?id=2893592)
-
-Kamil Dudka (15 Nov 2009)
-- David Byron improved the configure script to use pkg-config to find OpenSSL
- (and in particular the list of required libraries) even if a path is given
- as argument to --with-ssl
-
-Yang Tse (15 Nov 2009)
-- I removed enable-thread / disable-thread configure option. These were only
- placebo options. The library is always built as thread safe as possible on
- every system.
-
-Claes Jakobsson (14 Nov 2009)
-- curl-config now accepts '--configure' to see what arguments was
- passed to the configure script when building curl.
-
-Daniel Stenberg (14 Nov 2009)
-- Claes Jakobsson restored the configure functionality to detect NSS when
- --with-nss is set but not "yes".
-
- I think we can still improve that to check for pkg-config in that path etc,
- but at least this patch brings back the same functionality we had before.
-
-- Camille Moncelier added support for the file type SSL_FILETYPE_ENGINE for
- the client certificate. It also disable the key name test as some engines
- can select a private key/cert automatically (When there is only one key
- and/or certificate on the hardware device used by the engine)
-
-Yang Tse (14 Nov 2009)
-- Constantine Sapuntzakis provided the fix that ensures that an SSL connection
- won't be reused unless protection level for peer and host verification match.
-
- I refactored how preprocessor symbol _THREAD_SAFE definition is done.
-
-Kamil Dudka (12 Nov 2009)
-- Kevin Baughman provided a fix preventing libcurl-NSS from crash on doubly
- closed NSPR descriptor. The issue was hard to find, reported several times
- before and always closed unresolved. More info at the RH bug:
- https://bugzilla.redhat.com/534176
-
-- libcurl-NSS now tries to reconnect with TLS disabled in case it detects
- a broken TLS server. However it does not happen if SSL version is selected
- manually. The approach was originally taken from PSM. Kaspar Brand helped me
- to complete the patch. Original bug reports:
- https://bugzilla.redhat.com/525496
- https://bugzilla.redhat.com/527771
-
-Yang Tse (12 Nov 2009)
-- I modified configure script to make the getaddrinfo function check also
- verify if the function is thread safe.
-
-Yang Tse (11 Nov 2009)
-- Marco Maggi reported that compilation failed when configured --with-gssapi
- and GNU GSS installed due to a missing mutual exclusion of header files in
- the Kerberos 5 code path. He also verified that my patch worked for him.
-
-Daniel Stenberg (11 Nov 2009)
-- Constantine Sapuntzakis posted bug #2891595
- (http://curl.haxx.se/bug/view.cgi?id=2891595) which identified how an entry
- in the DNS cache would linger too long if the request that added it was in
- use that long. He also provided the patch that now makes libcurl capable of
- still doing a request while the DNS hash entry may get timed out.
-
-- Christian Schmitz noticed that the progress meter/callback was not properly
- used during the FTP connection phase (after the actual TCP connect), while
- it of course should be. I also made the speed check get called correctly so
- that really slow servers will trigger that properly too.
-
-Kamil Dudka (5 Nov 2009)
-- Dropped misleading timeouts in libcurl-NSS and made sure the SSL socket works
- in non-blocking mode.
-
-Yang Tse (5 Nov 2009)
-- I removed leading 'curl' path on the 'curlbuild.h' include statement in
- curl.h, adjusting auto-makefiles include path, to enhance portability to
- OS's without an orthogonal directory tree structure such as OS/400.
-
-Daniel Stenberg (4 Nov 2009)
-- I fixed several problems with the transfer progress meter. It showed the
- wrong percentage for small files, most notable for <1000 bytes and could
- easily end up showing more than 100% at the end. It also didn't show any
- percentage, transfer size or estimated transfer times when transferring
- less than 100 bytes.
-
-Version 7.19.7 (4 November 2009)
-
-Daniel Stenberg (2 Nov 2009)
-- As reported independent by both Stan van de Burgt and Didier Brisebourg,
- CURLINFO_SIZE_DOWNLOAD (the -w variable size_download) didn't work when
- getting data from ldap!
-
-Daniel Stenberg (31 Oct 2009)
-- Gabriel Kuri reported a problem with CURLINFO_CONTENT_LENGTH_DOWNLOAD if the
- download was 0 bytes, as libcurl would then return the size as unknown (-1)
- and not 0. I wrote a fix and test case 566 to verify it.
-
-Daniel Stenberg (30 Oct 2009)
-- Liza Alenchery mentioned a problem with re-used SCP connection when a bad
- auth is used, as it caused a crash. I failed to repeat the issue, but still
- made a change that now forces the TCP connection used for a freed SCP
- session to get closed and not be re-used.
-
-- "Tom" posted a bug report that mentioned how libcurl did wrong when doing a
- POST using a read callback, with Digest authentication and
- "Transfer-Encoding: chunked" enforced. I would then cause the first request
- to be wrongly sent and then basically hang until the server closed the
- connection. I fixed the problem and added test case 565 to verify it.
-
-Daniel Stenberg (25 Oct 2009)
-- Dima Barsky made the curl cookie parser accept cookies even with blank or
- unparsable expiry dates and then treat them as session cookies - previously
- libcurl would reject cookies with a date format it couldn't parse. Research
- shows that the major browser treat such cookies as session cookies. I
- modified test 8 and 31 to verify this.
-
-Daniel Stenberg (21 Oct 2009)
-- Attempt to use pkg-config for finding out libssh2 installation details
- during configure.
-
-- A patch in bug report #2883177 (http://curl.haxx.se/bug/view.cgi?id=2883177)
- by Johan van Selst introduced the --crlfile option to curl, which makes curl
- tell libcurl about a file with CRL (certificate revocation list) data to
- read.
-
-Daniel Stenberg (18 Oct 2009)
-- Ray Dassen provided a patch in Debian's bug tracker (bug number #551461)
- that now makes curl_getdate(3) actually handles RFC 822 formatted dates that
- use the "single letter military timezones".
- http://www.rfc-ref.org/RFC-TEXTS/822/chapter5.html has the details.
-
-- Fixed memory leak in the SCP/SFTP code as it never freed the knownhosts
- data!
-
-- John Dennis filed bug report #2873666
- (http://curl.haxx.se/bug/view.cgi?id=2873666) which identified a problem
- which made libcurl loop infinitely when given incorrect credentials when
- using HTTP GSS negotiate authentication. He also provided a small and simple
- patch for it.
-
-- Kevin Baughman found a double close() problem with libcurl-NSS, as when
- libcurl called NSS to close the SSL "session" it also closed the actual
- socket.
-
-Yang Tse (17 Oct 2009)
-- Bug report #2866724 indicated
- (http://curl.haxx.se/bug/view.cgi?id=2866724) that curl on Windows failed
- when writing files whose file names originally contained characters which
- are not valid for file names on Windows. Dan Fandrich provided an initial
- patch and another revised one to fix this issue.
-
-Daniel Stenberg (1 Oct 2009)
-- Tom Mueller correctly reported in bug report #2870221
- (http://curl.haxx.se/bug/view.cgi?id=2870221) that libcurl returned an
- incorrect return code from the internal trynextip() function which caused
- him grief. This is a regression that was introduced in 7.19.1 and I find it
- strange it hasn't hit us harder, but I won't persue into figuring out
- exactly why.
-
-- Constantine Sapuntzakis: The current implementation will always set
- SO_SNDBUF to CURL_WRITE_SIZE even if the SO_SNDBUF starts out larger. The
- patch doesn't do a setsockopt if SO_SNDBUF is already greater than
- CURL_WRITE_SIZE. This should help folks who have set up their computer with
- large send buffers.
-
-Daniel Stenberg (27 Sep 2009)
-- I introduced a maximum limit for received HTTP headers. It is controlled by
- the define CURL_MAX_HTTP_HEADER which is even exposed in the public header
- file to allow for users to fairly easy rebuild libcurl with a modified
- limit. The rationale for a fixed limit is that libcurl is realloc()ing a
- buffer to be able to put a full header into it, so that it can call the
- header callback with the entire header, but that also risk getting it into
- trouble if a server by mistake or willingly sends a header that is more or
- less without an end. The limit is set to 100K.
-
-Daniel Stenberg (26 Sep 2009)
-- John P. McCaskey posted a bug report that showed how libcurl did wrong when
- saving received cookies with no given path, if the path in the request had a
- query part. That is means a question mark (?) and characters on the right
- side of that. I wrote test case 1105 and fixed this problem.
-
-Kamil Dudka (26 Sep 2009)
-- Implemented a protocol independent way to specify blocking direction, used by
- transfer.c for blocking. It is currently used only by SCP and SFTP protocols.
- This enhancement resolves an issue with 100% CPU usage during SFTP upload,
- reported by Vourhey.
-
-Daniel Stenberg (25 Sep 2009)
-- Chris Mumford filed bug report #2861587
- (http://curl.haxx.se/bug/view.cgi?id=2861587) identifying that libcurl used
- the OpenSSL function X509_load_crl_file() wrongly and failed if it would
- load a CRL file with more than one certificate within. This is now fixed.
-
-Daniel Stenberg (16 Sep 2009)
-- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
- powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name
- field in the certficate it had to match and so even if non-DNS and non-IP
- entry was present it caused the verification to fail.
-
-Daniel Fandrich (15 Sep 2009)
-- Moved the libssh2 checks after the SSL library checks. This helps when
- statically linking since libssh2 needs the SSL library link flags to be
- set up already to satisfy its dependencies. This wouldn't be necessary if
- the libssh2 configure check was changed to use pkg-config since the
- --static flag would add the dependencies automatically.
-
-Yang Tse (14 Sep 2009)
-- Revert Joshua Kwan's patch committed 11 Sep 2009.
-
- Some systems poll function sets POLLHUP in revents without setting
- POLLIN, and sets POLLERR without setting POLLIN and POLLOUT. In some
- libcurl code execution paths this could trigger busy wait loops with
- high CPU usage until a timeout condition aborted the loop.
-
- The reverted patch addressed the above issue for a very specific case,
- when awaiting c-ares to resolve. A libcurl-wide fix for Curl_poll now
- superceeds this one.
-
-Guenter Knauf (11 Sep 2009)
-- Joshua Kwan provided a patch to pass POLLERR / POLLHUP back to c-ares.
- This fixes a loop problem with high CPU usage.
-
-Daniel Stenberg (10 Sep 2009)
-- Claes Jakobsson fixed a problem with cookie expiry dates at exctly the epoch
- start second "Thu Jan 1 00:00:00 GMT 1970" as the date parser then returns 0
- which internally then is treated as a session cookie. That particular date
- is now made to get the value of 1.
-
-Daniel Stenberg (2 Sep 2009)
-- Daniel Johnson found a flaw in the code converting sftp-errors to libcurl
- errors.
-
-Daniel Stenberg (1 Sep 2009)
-- Peter Sylvester made a debug feature for Curl_resolv() that now will force
- libcurl to resolve 'localhost' whatever name you use in the URL *if* you set
- the --interface option to (exactly) "LocalHost". This will enable us to
- write tests for custom hosts names but still use a local host server.
-
-- configure now tries to use pkg-config for a number of sub-dependencies even
- when cross-compiling. The key to success is then you properly setup
- PKG_CONFIG_PATH before invoking configure.
-
- I also improved how NSS is detected by trying nss-config if pkg-config isn't
- present, and as a last resort just use the lib name and force the user to
- setup the LIBS/LDFLAGS/CFLAGS etc properly. The previous last resort would
- add a range of various libs that would almost never be quite correct.
-
-Daniel Stenberg (31 Aug 2009)
-- When using the multi interface with FTP and you asked for NOBODY, you did no
- QUOTE commands and the request used the same path as the connection had
- already changed to, it would decide that no commands would be necessary for
- the "DO" action and that was not handled properly but libcurl would instead
- hang.
-
-Kamil Dudka (28 Aug 2009)
-- Improved error message for not matching certificate subject name in
- libcurl-NSS. Originally reported at:
- https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
-
-Patrick Monnerat (24 Aug 2009)
-- Introduced a SYST-based test to properly set-up name format when dealing
- with the OS/400 FTP server.
-
-- Fixed an ftp_readresp() bug preventing detection of failing control socket
- and causing FTP client to loop forever.
-
-Daniel Stenberg (24 Aug 2009)
-- Marc de Bruin pointed out that configure --with-gnutls=PATH didn't work
- properly and provided a fix. http://curl.haxx.se/bug/view.cgi?id=2843008
-
-- Eric Wong introduced support for the new option -T. (dot) that makes curl
- read stdin in a non-blocking fashion. This also brings back -T- (minus) to
- the previous blocking behavior since it could break stuff for people at
- times.
-
-Michal Marek (21 Aug 2009)
-- With CURLOPT_PROXY_TRANSFER_MODE, avoid sending invalid URLs like
- ftp://example.com;type=i if the user specified ftp://example.com without the
- slash.
-
-Daniel Stenberg (21 Aug 2009)
-- Andre Guibert de Bruet pointed out a missing return code check for a
- strdup() that could lead to segfault if it returned NULL. I extended his
- suggest patch to now have Curl_retry_request() return a regular return code
- and better check that.
-
-- Lots of good work by Krister Johansen, mostly related to pipelining:
-
- Fix SIGSEGV on free'd easy_conn when pipe unexpectedly breaks
- Fix data corruption issue with re-connected transfers
- Fix use after free if we're completed but easy_conn not NULL
-
-Kamil Dudka (13 Aug 2009)
-- Changed NSS code to not ignore the value of ssl.verifyhost and produce more
- verbose error messages. Originally reported at:
- https://bugzilla.redhat.com/show_bug.cgi?id=516056
-
-Daniel Stenberg (12 Aug 2009)
-- Karl Moerder fixed the Makefile.vc* makefiles to include the new file
- nonblock.c so that they work fine again
-
-- I expanded test 517 with a bunch of more dates that originate from the
- Chrome browser test suite. It turns out most of them get parsed the same
- way.
-
-Version 7.19.6 (12 August 2009)
-
-Daniel Stenberg (12 Aug 2009)
-- Carsten Lange reported a bug and provided a patch for TFTP upload and the
- sending of the TSIZE option. I don't like fixing bugs just hours before
- a release, but since it was broken and the patch fixes this for him I decided
- to get it in anyway.
-
-Daniel Stenberg (11 Aug 2009)
-- Peter Sylvester made the HTTPS test server use specific certificates for
- each test, so that the test suite can now be used to actually test the
- verification of cert names etc. This made an error show up in the OpenSSL-
- specific code where it would attempt to match the CN field even if a
- subjectAltName exists that doesn't match. This is now fixed and verified
- in test 311.
-
-- Benbuck Nason posted the bug report #2835196
- (http://curl.haxx.se/bug/view.cgi?id=2835196), fixing a few compiler
- warnings when mixing ints and bools.
-
-Daniel Fandrich (10 Aug 2009)
-- Fixed a memory leak in the FTP code and an off-by-one heap buffer overflow.
-
-Daniel Fandrich (9 Aug 2009)
-- Fixed some memory leaks in the command-line tool that caused most of the
- torture tests to fail.
-
-Daniel Stenberg (2 Aug 2009)
-- Curt Bogmine reported a problem with SNI enabled on a particular server. We
- should introduce an option to disable SNI, but as we're in feature freeze
- now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
- shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
- Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
- option for SNI, or are we simply not using it?
-
-Daniel Stenberg (1 Aug 2009)
-- Scott Cantor posted the bug report #2829955
- (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
- verification flaw found and exploited by Moxie Marlinspike. The presentation
- he did at Black Hat is available here:
- https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
-
- Apparently at least one CA allowed a subjectAltName or CN that contain a
- zero byte, and thus clients that assumed they would never have zero bytes
- were exploited to OK a certificate that didn't actually match the site. Like
- if the name in the cert was "example.com\0theatualsite.com", libcurl would
- happily verify that cert for example.com.
-
- libcurl now better uses the length of the extracted name, not using the zero
- termination for getting the string length.
-
- This fixing only made and needed in OpenSSL interfacing code.
-
-- Tanguy Fautre pointed out that OpenSSL's function RAND_screen() (present
- only in some OpenSSL installs - like on Windows) isn't thread-safe and we
- agreed that moving it to the global_init() function is a decent way to deal
- with this situation.
-
-- Alexander Beedie provided the patch for a noproxy problem: If I have set
- CURLOPT_NOPROXY to "*", or to a host that should not use a proxy, I actually
- could still end up using a proxy if a proxy environment variable was set.
-
-Daniel Stenberg (27 Jul 2009)
-- All the quote options (CURLOPT_QUOTE, CURLOPT_POSTQUOTE and
- CURLOPT_PREQUOTE) now accept a preceeding asterisk before the command to
- send when using FTP, as a sign that libcurl shall simply ignore the response
- from the server instead of treating it as an error. Not treating a 400+ FTP
- response code as an error means that failed commands will not abort the
- chain of commands, nor will they cause the connection to get disconnected.
-
-Daniel Stenberg (26 Jul 2009)
-- Johan van Selst posted bug report #2825989
- (http://curl.haxx.se/bug/view.cgi?id=2825989) pointing out that
- OpenSSL-powered libcurl didn't support the SHA-2 digest algorithm, and
- provided the solution too: to use OpenSSL_add_all_algorithms() in addition
- to the older SSLeay_* alternative. OpenSSL_add_all_algorithms was added in
- OpenSSL 0.9.5
-
-Daniel Stenberg (23 Jul 2009)
-- Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA.
- They introduce known_host support for SSH keys to libcurl. See docs for
- details. Note that this feature depends on a new enough libssh2 version, to
- be supported in libssh2 1.2 and later (or current git repo at this time).
-
-Michal Marek (22 Jul 2009)
-- David Binderman found a memory and fd leak in lib/gtls.c:load_file()
- (https://bugzilla.novell.com/523919). When looking at the code, I found that
- also the ptr pointer can leak.
-
-Kamil Dudka (20 Jul 2009)
-- Claes Jakobsson improved the support for client certificates handling in
- NSS-powered libcurl. Now the client certificates can be selected
- automatically by a NSS built-in hook. Additionally pre-login to all PKCS11
- slots is no more performed. It used to cause problems with HW tokens.
-
-- Fixed reference counting for NSS client certificates. Now the PEM reader
- module should be always properly unloaded on Curl_nss_cleanup(). If the
- unload fails though, libcurl will try to reuse the already loaded instance.
-
-Daniel Fandrich (15 Jul 2009)
-- Added nonblock.c to the non-automake makefiles (note that the dependencies
- in the Watcom makefiles aren't quite correct).
-
-Michal Marek (15 Jul 2009)
-- Changed the description of CURLINFO_OS_ERRNO to make it clear that the
- errno is not reset on success.
-
-Guenter Knauf (14 Jul 2009)
-- renamed generated config.h to curl_config.h to avoid any future clashes
- with config.h from other projects.
-
-Daniel Stenberg (9 Jul 2009)
-- Eric Wong introduced curlx_nonblock() that the curl tool now (re-)uses for
- setting a file descriptor non-blocking. Used by the functionality Eric
- himself brough on June 15th.
-
-Daniel Stenberg (8 Jul 2009)
-- Constantine Sapuntzakis posted bug report #2813123
- (http://curl.haxx.se/bug/view.cgi?id=2813123) and an a patch that fixes the
- problem:
-
- Url A is accessed using auth. Url A redirects to Url B (on a different
- server0. Url B reuses a persistent connection. Url B has auth, even though
- it's on a different server.
-
- Note: if Url B does not reuse a persistent connection, auth is not sent.
-
- reason:
-
- data->state.first_host is not initialized becuase Curl_http_connect is not
- called when a connection is reused.
-
- Solution:
-
- move initialization of data->state.first_host to Curl_http. No code before
- Curl_http uses data->state.first_host anyway.
-
-Guenter Knauf (4 Jul 2009)
-- Markus Koetter provided a patch to avoid getnameinfo() usage which broke a
- couple of both IPv4 and IPv6 autobuilds.
-
-Daniel Stenberg (29 Jun 2009)
-- Markus Koetter made CURLOPT_FTPPORT (and curl's -P/--ftpport) support a port
- range if given colon-separated after the host name/address part. Like
- "192.168.0.1:2000-10000"
-
-- Modified the separators used for CURLOPT_CERTINFO in multi-part outputs. I
- don't know how they got wrong in the first place, but using this output
- format makes it possible to quite easily separate the string into an array
- of multiple items.
-
-Daniel Fandrich (16 June 2009)
-- Added a few more compiler warning options for gcc.
-
-Daniel Stenberg (16 Jun 2009)
-- Reuven Wachtfogel made curl -o - properly produce a binary output on windows
- (no newline translations). Use -B/--use-ascii if you rather get the ascii
- approach.
-
-Michal Marek (16 Jun 2009)
-- When doing non-anonymous ftp via http proxies and the password is not
- provided in the url, add it there (squid needs this).
-
-Daniel Stenberg (15 Jun 2009)
-- Eric Wong's patch:
-
- This allows curl(1) to be used as a client-side tunnel for arbitrary stream
- protocols by abusing chunked transfer encoding in both the HTTP request and
- HTTP response. This requires server support for sending a response while a
- request is still being read, of course.
-
- If attempting to read from stdin returns EAGAIN, then we pause our sender.
- This leaves curl to attempt to read from the socket while reading from stdin
- (and thus sending) is paused.
-
- This change was needed to allow successfully tunneling the git protocol over
- HTTP (--no-buffer is needed, as well).
-
-Patrick Monnerat (15 Jun 2009)
-- Replaced use of standard C library rand()/srand() by our own pseudo-random
- number generator.
-
-Yang Tse (11 Jun 2009)
-- I adapted testcurl script to allow building test harness programs when
- cross-compiling for a *-*-mingw* host.
-
-Daniel Stenberg (10 Jun 2009)
-- Fabian Keil ran clang on the (lib)curl code, found a bunch of warnings and
- contributed a range of patches to fix them.
-
-Yang Tse (10 Jun 2009)
-- I introduced configure script option --enable-curldebug which now allows
- the decoupled enabling or disabling of the curl debug memory tracking
- feature from the --enable-debug option which no longer controls this.
-
- curl --version will list 'Debug' feature for debug enabled builds, and
- will list 'TrackMemory' feature for curl debug memory tracking capable
- builds. These features are independent and can be controlled when running
- the configure script. When --enable-debug is given both features will be
- enabled, unless some restriction prevents memory tracking from being used.
-
- Internally, definition of preprocessor symbol DEBUGBUILD restricts code
- which is only compiled for debug enabled builds. And symbol CURLDEBUG is
- used to differentiate code which is _only_ used for memory tracking.
-
-Yang Tse (9 Jun 2009)
-- Daniel Steinberg pointed out that Curl_FormInit() in formdata.c was not
- initializing the fread callback pointer and this triggered a compiler
- warning, also provided a friendly suggestion on how to fix it.
-
-Daniel Stenberg (8 Jun 2009)
-- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
- issue with client certs that caused issues like segfaults.
- http://curl.haxx.se/mail/lib-2009-05/0316.html
-
-- Triggered by bug report #2798852 and the patch in there, I fixed configure
- to detect gnutls build options with pkg-config only and not libgnutls-config
- anymore since GnuTLS has stopped distributing that tool. If an explicit path
- is given to configure, we will instead guess on how to link and use that
- lib. I did not use the patch from the bug report.
-
-Yang Tse (8 Jun 2009)
-- Igor Novoseltsev adjusted Makefile.vxworks to get sources and headers
- included from Makefile.inc, and provided docs\INSTALL VxWorks section.
-
-- I removed buildconf.bat from release and daily snapshot archives. This
- file is only for CVS tree checkout builds.
-
-Daniel Stenberg (8 Jun 2009)
-- Eric Wong fixed --no-buffer to actually switch off output buffering. Been
- broken since 7.19.0
-
-Bill Hoffman (6 Jun 2009)
-- Added some cmake docs and fixed socklen_t in the build.
-
-Yang Tse (5 Jun 2009)
-- John E. Malmberg provided VMS specific patch: "This fixes an existing bug
- in urlglob.c where it was not converting the Curl Unix exit code to a VMS
- DCL compatible exit code. This fix required the enhancement described next.
- This also adds an enhancement to main.c so that when curl is run under a
- Unix shell like Bash on VMS, it will return the standard Unix exit codes
- and messages." And another patch for docs/examples.
-
- I introduced os-specific.c and os-specific.h for use in curl tool code
- and adjusted John E. Malmberg's patch placement to use these new files
- as an effort to prevent main.c from growing ad infinitum. Code already
- existing in main.c which is OS specific should be moved into these files.
-
-Daniel Stenberg (4 June 2009)
-- Setting the Content-Length: header from your app when you do a POST or PUT
- is almost always a VERY BAD IDEA. Yet there are still apps out there doing
- this, and now recently it triggered a bug/side-effect in libcurl as when
- libcurl sends a POST or PUT with NTLM, it sends an empty post first when it
- knows it will just get a 401/407 back. If the app then replaced the
- Content-Length header, it caused the server to wait for input that libcurl
- wouldn't send. Aaron Oneal reported this problem in bug report #2799008
- (http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix.
-
-Yang Tse (4 Jun 2009)
-- Igor Novoseltsev provided patches and information, that after some
- adjustments to better fit curl's way of doing things, have resulted
- in the posibility of building libcurl for VxWorks.
-
-Daniel Fandrich (2 June 2009)
-- Checked in a Google Android make file. To use it, you must first
- create a config.h file by running configure in the Android environment,
- which doesn't seem to be easy to do. If no easy way can be found, a
- static config-android.h may need to be created and checked in to the
- libcurl source tree.
-
-Daniel Stenberg (1 June 2009)
-- Claes Jakobsson fixed the configure script to better find and use NSS
- without pkg-config.
-
-Yang Tse (1 Jun 2009)
-- John E. Malmberg provided a VMS specific clean-up for curl.h, and pointed
- out that the configure script was failing to detect the timeval struct on
- VMS when building with _XOPEN_SOURCE_EXTENDED undefined due to definition
- taking place in socket.h instead of time.h. I have adjusted configure
- script to also include this header when checking struct timeval.
-
-Daniel Stenberg (27 May 2009)
-- Frank McGeough provided a small OpenSSL #include fix to make libcurl compile
- fine with Nokia 5th edition 1.0 SDK for Symbian.
-
-- Andre Guibert de Bruet found a call to a OpenSSL function that didn't check
- for a failure properly.
-
-- Mike Crowe pointed out that setting CURLOPT_USERPWD to NULL used to clear
- the auth credentials back in 7.19.0 and earlier while now you have to set ""
- to get the same effect. His patch brings back the ability to use NULL.
-
-- Claes Jakobsson fixed libcurl-NSS to build fine even without the
- PK11_CreateGenericObject() function.
-
-Daniel Stenberg (25 May 2009)
-- bug report #2796358 (http://curl.haxx.se/bug/view.cgi?id=2796358) pointed
- out that the cookie parser would leak memory when it parses cookies that are
- received with domain, path etc set multiple times in the same header. While
- such a cookie is questionable, they occur in the wild and libcurl no longer
- leaks memory for them. I added such a header to test case 8.
-
-Daniel Fandrich (22 May 2009)
-- Removed some obsolete digest code that caused a valgrind error in test 551.
-
-Daniel Fandrich (20 May 2009)
-- Added "non-existing host" test keywords to make it easy to skip those
- tests on machines that have broken DNS configurations (such as
- those configured to use OpenDNS).
-
-Daniel Stenberg (19 May 2009)
-- Kamil Dudka brought the patch from the Redhat bug entry
- https://bugzilla.redhat.com/show_bug.cgi?id=427966 which was libcurl closing
- a bad file descriptor when closing down the FTP data connection. Caolan
- McNamara seems to be the original author of it.
-
-Version 7.19.5 (18 May 2009)
-
-Daniel Stenberg (17 May 2009)
-- James Bursa posted a patch to the mailing list that fixed a problem with
- no_proxy which made it not skip the proxy if the URL entered contained a
- user name. I added test case 1101 to verify.
-
-Daniel Stenberg (11 May 2009)
-- Balint Szilakszi reported a memory leak when libcurl did gzip decompression
- of streams that had some parts (legitimately) missing. We now provide and use
- a proper cleanup function for the content encoding submodule.
- http://curl.haxx.se/mail/lib-2009-05/0092.html
-
-- Kamil Dudka provided a fix for libcurl-NSS reported by Michael Cronenworth
- at https://bugzilla.redhat.com/show_bug.cgi?id=453612#c12
-
- If an incorrect password is given while loading a private key, libcurl ends
- up in an infinite loop consuming memory. The bug is critical.
-
-- I fixed the problem with doing NTLM, POST and then following a 302 redirect,
- as reported by Ebenezer Ikonne (on curl-users) and Laurent Rabret (on
- curl-library). The transfer was mistakenly marked to get more data to send
- but since it didn't actually have that, it just hung there...
-
-Daniel Stenberg (10 May 2009)
-- Andre Guibert de Bruet correctly pointed out an over-alloc with one wasted
- byte in the digest code.
-
-Yang Tse (9 May 2009)
-- Removed DOS and TPF package's subdirectory Makefile.am, it was only used
- to include some files in the distribution tarball serving no other purpose.
- Files from the DOS and TPF subdirectories are now included in the EXTRA_DIST
- of the Makefile in the parent subdirectory.
-
-Yang Tse (8 May 2009)
-- Changed host name literal in several tests to one under the haxx.se domain.
-
-- Renamed vc6 workspace and project files to avoid filename clash when used
- for conversion to later VS versions.
-
-Daniel Stenberg (8 May 2009)
-- Constantine Sapuntzakis fixed bug report #2784055
- (http://curl.haxx.se/bug/view.cgi?id=2784055) identifying a problem to
- connect to SOCKS proxies when using the multi interface. It turned out to
- almost not work at all previously. We need to wait for the TCP connect to
- be properly verified before doing the SOCKS magic.
-
- There's still a flaw in the FTP code for this.
-
-Daniel Stenberg (7 May 2009)
-- Made the SO_SNDBUF setting for the data connection socket for ftp uploads as
- well. See change 28 Apr 2009.
-
-Yang Tse (7 May 2009)
-- Fixed an issue affecting FTP transfers, introduced with the transfer.c
- patch committed May 4.
-
-Daniel Stenberg (7 May 2009)
-- Man page *roff problems fixed thanks to input from Colin Watson. Problems
- reported in the Debian package.
-
-- Vijay G filed bug report #2723236
- (http://curl.haxx.se/bug/view.cgi?id=2723236) identifying a problem with
- libcurl's TFTP code and its lack of dealing with the OACK packet.
-
-Yang Tse (5 May 2009)
-- Fixed the --ftp-port address of test #251 to the CLIENTIP address, and
- reverted the change affecting test suite harness committed 4 May.
-
-Daniel Stenberg (5 May 2009)
-- Inspired by Michael Smith's session id fix for OpenSSL, I did the
- corresponding fix in the GnuTLS code: make sure to store the new session id
- in case the previous re-used one is rejected.
-
-Daniel Stenberg (4 May 2009)
-- Michael Smith posted bug report #2786255
- (http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how
- libcurl did not deal with SSL session ids properly if the server rejected a
- re-use of one. Starting now, it will forget the rejected one and remember
- the new. This change was for OpenSSL only, it is likely that other SSL lib
- code needs similar fixes.
-
-Yang Tse (4 May 2009)
-- Applied David McCreedy's "transfer.c fixes for CURL_DO_LINEEND_CONV and
- non-ASCII platform HTTP requests" patch addressing two HTTP PUT problems:
- 1) On non-ASCII platforms not all of the protocol portions of the PUT are
- being translated to ASCII. 2) On all platforms the line endings of part of
- the protocol portions are mangled from CRLF to CRCRLF if data->set.crlf or
- data->set.prefer_ascii are set (depending on CURL_DO_LINEEND_CONV).
-
-- Applied David McCreedy's patch to fix test suite harness to allow test FTP
- server and client on different machines, providing FTP client address when
- running the FTP test server.
-
-Daniel Fandrich (3 May 2009)
-- Added and disabled test case 563 which shows KNOWN_BUGS #59. The bug
- report failed to mention that a proxy must be used to reproduce it.
-
-Yang Tse (2 May 2009)
-- Use a build-time configured curl_socklen_t data type instead of socklen_t.
-
-Yang Tse (1 May 2009)
-- Applied David McCreedy's patches "TPF-platform specific changes to various
- files" and "http.c fix to Curl_proxyCONNECT for non-ASCII platforms", the
- former with minor edits.
-
-Daniel Stenberg (30 Apr 2009)
-- I was going to fix issue #59 in KNOWN_BUGS
-
- If the CURLOPT_PORT option is used on an FTP URL like
- "ftp://example.com/file;type=A" the ";type=A" is stripped off.
-
- I added test case 562 to verify, only to find out that I couldn't repeat
- this bug so I hereby consider it not a bug anymore!
-
-Daniel Stenberg (29 Apr 2009)
-- Based on bug report #2723219 (http://curl.haxx.se/bug/view.cgi?id=2723219)
- I've now made TFTP "connections" not being kept for re-use within libcurl.
- TFTP is UDP-based so the benefit was really low (if even existing) to begin
- with so instead of tracking down to fix this problem we instead removed the
- re-use. I also enabled test case 1099 that I wrote a few days ago to verify
- that this change fixes the reported problem.
-
-Daniel Stenberg (28 Apr 2009)
-- Constantine Sapuntzakis filed bug report #2783090
- (http://curl.haxx.se/bug/view.cgi?id=2783090) pointing out that on windows
- we need to grow the SO_SNDBUF buffer somewhat to get really good upload
- speeds. http://support.microsoft.com/kb/823764 has the details. Friends
- confirmed that simply adding 32 to CURL_MAX_WRITE_SIZE is enough.
-
-- Bug report #2709004 (http://curl.haxx.se/bug/view.cgi?id=2709004) by Tim
- Chen pointed out how curl couldn't upload with resume when reading from a
- pipe.
-
- This ended up with the introduction of a new return code for the
- CURLOPT_SEEKFUNCTION callback that basically says that the seek failed but
- that libcurl may try to resolve the situation anyway. In our case this means
- libcurl will attempt to instead read that much data from the stream instead
- of seeking and that way curl can now upload with resume when data is read
- from a stream!
-
-Daniel Stenberg (26 Apr 2009)
-- Bug report #2779733 (http://curl.haxx.se/bug/view.cgi?id=2779733) by Sven
- Wegener pointed out that CURLINFO_APPCONNECT_TIME didn't work with the multi
- interface and provided a patch that fixed the problem!
-
-Daniel Stenberg (24 Apr 2009)
-- Kamil Dudka fixed another NSS-related leak when client certs were used.
-
-- Bug report #2779245 (http://curl.haxx.se/bug/view.cgi?id=2779245) by Rainer
- Koenig pointed out that the man page didn't tell that the *_proxy
- environment variables can be specified lower case or UPPER CASE and the
- lower case takes precedence,
-
-Daniel Fandrich (21 Apr 2009)
-- Added new libcurl source files to Amiga, RiscOS and VC6 build files.
-
-Yang Tse (21 Apr 2009)
-- Moved potential inclusion of system's malloc.h and memory.h header files to
- setup_once.h. Inclusion of each header file is based on the definition of
- NEED_MALLOC_H and NEED_MEMORY_H respectively.
-
- Renamed libcurl's memory.h to curl_memory.h
-
-Daniel Stenberg (20 Apr 2009)
-- Leanic Lefever reported a crash and did some detailed research on why and
- how it occurs (http://curl.haxx.se/mail/lib-2009-04/0289.html). The
- conclusion was that if an error is detected and Curl_done() is called for
- the connection, ftp_done() could at times return another error code that
- then would take precedence and that new code confused existing logic that
- works for the first error code (CURLE_SEND_ERROR) only.
-
-- Gisle Vanem noticed that --libtool would produce bogus strings at times for
- OBJECTPOINT options. Now we've introduced a new function - my_setopt_str -
- within the app for setting plain string options to avoid the risk of this
- mistake happening.
-
-Daniel Stenberg (17 Apr 2009)
-- Pramod Sharma reported and tracked down a bug when doing FTP over a HTTP
- proxy. libcurl would then wrongly close the connection after each
- request. In his case it had the weird side-effect that it killed NTLM auth
- for the proxy causing an inifinite loop!
-
- I added test case 1098 to verify this fix. The test case does however not
- properly verify that the transfers are done persistently - as I couldn't
- think of a clever way to achieve it right now - but you need to read the
- stderr output after a test run to see that it truly did the right thing.
-
-Daniel Stenberg (13 Apr 2009)
-- bug report #2727981 (http://curl.haxx.se/bug/view.cgi?id=2727981) by Martin
- Storsjö pointed out how setting CURLOPT_NOBODY to 0 could be downright
- confusing as it set the method to either GET or HEAD. The example he showed
- looked like:
-
- curl_easy_setopt(curl, CURLOPT_PUT, 1);
- curl_easy_setopt(curl, CURLOPT_NOBODY, 0);
-
- The new way doesn't alter the method until the request is about to start. If
- CURLOPT_NOBODY is then 1 the HTTP request will be HEAD. If CURLOPT_NOBODY is
- 0 and the request happens to have been set to HEAD, it will then instead be
- set to GET. I believe this will be less surprising to users, and hopefully
- not hit any existing users badly.
-
-- Toshio Kuratomi reported a memory leak problem with libcurl+NSS that turned
- out to be leaking cacerts. Kamil Dudka helped me complete the fix. The issue
- is found in Redhat's bug tracker:
- https://bugzilla.redhat.com/show_bug.cgi?id=453612
-
- There are still memory leaks present, but they seem to have other reasons.
-
-Daniel Fandrich (11 Apr 2009)
-- Added new libcurl source files to Symbian OS build files.
-- Improved Symbian support for SSL.
-
-Yang Tse (10 Apr 2009)
-- Daniel Johnson improved the MacOSX-Framework shell script to now perform all
- the steps required to build a Mac OS X four way fat ppc/i386/ppc64/x86_64
- libcurl.framework. Four way fat framework requires OS X 10.5 SDK or later.
-
-Yang Tse (8 Apr 2009)
-- Removed Sun compilers preprocessor block from curlbuild.h.dist, this also
- removes it from the curlbuild.h file originally distributed by the cURL
- project as this file is intended for systems not capable of running the
- configure script. For those who have been building curl out of the source
- code curl distribution tarball provided by curl.haxx.se the change implies
- nothing. Previous change in this area committed 2 Apr becomes irrelevant.
-
-Daniel Stenberg (6 Apr 2009)
-- I clarified in the docs that CURLOPT_SEEKFUNCTION should return 0 on success
- and 1 on fatal errors. Previously it only mentioned non-zero on fatal
- errors. This is a slight change in meaning, but it follows what we've done
- elsewhere before and it opens up for LOTS of more useful return codes
- whenever we can think of them...
-
-Yang Tse (2 Apr 2009)
-- Fix curl_off_t definition for builds done using Sun compilers and a
- non-configured libcurl. In this case curl_off_t data type was gated
- to the off_t data type which depends on the _FILE_OFFSET_BITS. This
- configuration is exactly the unwanted configuration for our curl_off_t
- data type which must not depend on such setting. This breaks ABI for
- libcurl libraries built with Sun compilers which were built without
- having run the configure script with _FILE_OFFSET_BITS different than
- 64 and using the ILP32 data model.
-
-Daniel Stenberg (1 Apr 2009)
-- Andre Guibert de Bruet fixed a NULL pointer use in an infof() call if a
- strdup() call failed.
-
-Daniel Fandrich (31 Mar 2009)
-- Properly return an error code in curl_easy_recv (reported by Jim Freeman).
-
-Daniel Stenberg (18 Mar 2009)
-- Kamil Dudka brought a patch that enables 6 additional crypto algorithms when
- NSS is used. These ciphers were added in NSS 3.4 and require to be enabled
- explicitly.
-
-Daniel Stenberg (13 Mar 2009)
-- Use libssh2_version() to present the libssh2 version in case the libssh2
- library is found to support it.
-
-Yang Tse (12 Mar 2009)
-- Added missing Curl_read() return code checking in TELNET transfers.
-
-- Pierre Brico found and fixed TELNET transfers not being aborted upon
- a write callback failure.
-
-Daniel Stenberg (11 Mar 2009)
-- Kamil Dudka made the curl tool properly call curl_global_init() before any
- other libcurl function.
-
-Yang Tse (11 Mar 2009)
-- Added missing TELNET timeout support for Windows builds. This issue was
- reported by Pierre Brico.
-
-Daniel Stenberg (9 Mar 2009)
-- Frank Hempel found out a bug and provided the fix:
-
- curl_easy_duphandle did not necessarily duplicate the CURLOPT_COOKIEFILE
- option. It only enabled the cookie engine in the destination handle if
- data->cookies is not NULL (where data is the source handle). In case of a
- newly initialized handle which just had the cookie support enabled by a
- curl_easy_setopt(handle, CURL_COOKIEFILE, "")-call, handle->cookies was
- still NULL because the setopt-call only appends the value to
- data->change.cookielist, hence duplicating this handle would not have the
- cookie engine switched on.
-
- We also concluded that the slist-functionality would be suitable for being
- put in its own module rather than simply hanging out in lib/sendf.c so I
- created lib/slist.[ch] for them.
-
-- Andreas Farber made the 'buildconf' script check for the presence of m4
- scripts to make it detect a bad checkout earlier. People with older
- checkouts who don't do cvs update with the -d option won't get the new dirs
- and then will get funny outputs that can be a bit hard to understand and
+Daniel Stenberg (13 Mar 2018)
+- release: 7.59.0
+
+Kamil Dudka (13 Mar 2018)
+- tests/.../spnego.py: fix identifier typo
+
+ Detected by Coverity Analysis:
+
+ Error: IDENTIFIER_TYPO:
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo:
+ * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code.
+ * Identifier "SupportedMech" is referenced elsewhere at least 4 times.
+ curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech".
+ curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech".
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function).
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"?
+
+ Closes #2379
+
+Daniel Stenberg (13 Mar 2018)
+- CURLOPT_COOKIEFILE.3: "-" as file name means stdin
+
+ Reported-by: Aron Bergman
+ Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html
+
+ [ci skip]
+
+- Revert "hostip: fix compiler warning: 'variable set but not used'"
+
+ This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248.
+
+ The assignment really needs to be there or we risk working with an
+ uninitialized pointer.
+
+Michael Kaufmann (12 Mar 2018)
+- limit-rate: fix compiler warning
+
+ follow-up to 72a0f62
+
+Viktor Szakats (12 Mar 2018)
+- checksrc.pl: add -i and -m options
+
+ To sync it with changes made for the libssh2 project.
+ Also cleanup some whitespace.
+
+- curl-openssl.m4: fix spelling [ci skip]
+
+- FAQ: fix a broken URL [ci skip]
+
+Daniel Stenberg (12 Mar 2018)
+- http2: mark the connection for close on GOAWAY
+
+ ... don't consider it an error!
+
+ Assisted-by: Jay Satiro
+ Reported-by: Łukasz Domeradzki
+ Fixes #2365
+ Closes #2375
+
+- credits: Viktor prefers without accent
+
+- openldap: white space changes, fixed up the copyright years
+
+- openldap: check ldap_get_attribute_ber() results for NULL before using
+
+ CVE-2018-1000121
+ Reported-by: Dario Weisser
+ Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
+
+- FTP: reject path components with control codes
+
+ Refuse to operate when given path components featuring byte values lower
+ than 32.
+
+ Previously, inserting a %00 sequence early in the directory part when
+ using the 'singlecwd' ftp method could make curl write a zero byte
+ outside of the allocated buffer.
+
+ Test case 340 verifies.
+
+ CVE-2018-1000120
+ Reported-by: Duy Phan Thanh
+ Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
+
+- readwrite: make sure excess reads don't go beyond buffer end
+
+ CVE-2018-1000122
+ Bug: https://curl.haxx.se/docs/adv_2018-b047.html
+
+ Detected by OSS-fuzz
+
+- BUGS: updated link to security process
+
+- limit-rate: kick in even before "limit" data has been received
+
+ ... and make sure to avoid integer overflows with really large values.
+
+ Reported-by: 刘佩东
+ Fixes #2371
+ Closes #2373
+
+- docs/SECURITY.md -> docs/SECURITY-PROCESS.md
+
+- SECURITY.md: call it the security process
+
+Michael Kaufmann (11 Mar 2018)
+- Curl_range: fix FTP-only and FILE-only builds
+
+ follow-up to e04417d
+
+- hostip: fix compiler warning: 'variable set but not used'
+
+Daniel Stenberg (11 Mar 2018)
+- HTTP: allow "header;" to replace an internal header with a blank one
+
+ Reported-by: Michael Kaufmann
+ Fixes #2357
+ Closes #2362
+
+- http2: verbose output new MAX_CONCURRENT_STREAMS values
+
+ ... as it is interesting for many users.
+
+- SECURITY: distros' max embargo time is 14 days now
+
+Patrick Monnerat (8 Mar 2018)
+- curl tool: accept --compressed also if Brotli is enabled and zlib is not.
+
+Daniel Stenberg (5 Mar 2018)
+- THANKS + mailmap: remove duplicates, fixup full names
+
+- [sergii.kavunenko brought this change]
+
+ WolfSSL: adding TLSv1.3
+
+ Closes #2349
+
+- RELEASE-NOTES/THANKS: synced with cc1d4c505
+
+- [Richard Alcock brought this change]
+
+ winbuild: prefer documented zlib library names
+
+ Check for existence of import and static libraries with documented names
+ and use them if they do. Fallback to previous names.
+
+ According to
+ https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on
+ Windows, the names of the import library is "zdll.lib" and static
+ library is "zlib.lib".
+
+ closes #2354
+
+Marcel Raad (4 Mar 2018)
+- krb5: use nondeprecated functions
+
+ gss_seal/gss_unseal have been deprecated in favor of
+ gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first
+ version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June
+ 1996 already says "GSS_Wrap() (formerly GSS_Seal())" and
+ "GSS_Unwrap() (formerly GSS_Unseal())".
+
+ Use the nondeprecated functions to avoid deprecation warnings.
+
+ [1] https://tools.ietf.org/html/rfc2078
+ [2] https://tools.ietf.org/html/rfc1964
+
+ Closes https://github.com/curl/curl/pull/2356
+
+Daniel Stenberg (4 Mar 2018)
+- curl.1: mention how to add numerical IP addresses in NO_PROXY
+
+- CURLOPT_NOPROXY.3: mention how to list numerical IPv6 addresses
+
+- NO_PROXY: fix for IPv6 numericals in the URL
+
+ Added test 1265 that verifies.
+
+ Reported-by: steelman on github
+ Fixes #2353
+ Closes #2355
+
+- build: get CFLAGS (including -werror) used for examples and tests
+
+ ... so that the CI and more detects compiler warnings/errors properly!
+
+ Closes #2337
+
+Marcel Raad (3 Mar 2018)
+- curl_ctype: fix macro redefinition warnings
+
+ On MinGW and Cygwin, GCC and clang have been complaining about macro
+ redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this
+ by undefining the macros before redefining them as suggested in
+ https://github.com/curl/curl/pull/2269.
+
+ Suggested-by: Daniel Stenberg
+
+Dan Fandrich (2 Mar 2018)
+- unit1307: proper cleanup on OOM to fix torture tests
+
+Marcel Raad (28 Feb 2018)
+- unit1309: fix warning on Windows x64
+
+ When targeting x64, MinGW-w64 complains about conversions between
+ 32-bit long and 64-bit pointers. Fix this by reusing the
+ GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic
+ from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST /
+ CURLX_INTEGER_TO_POINTER_CAST.
+
+ Closes https://github.com/curl/curl/pull/2341
+
+- travis: update compiler versions
+
+ Update clang to version 3.9 and GCC to version 6.
+
+ Closes https://github.com/curl/curl/pull/2345
+
+Daniel Stenberg (26 Feb 2018)
+- docs/MANUAL: formfind.pl is not accessible on the site anymore
+
+ Fixes #2342
+
+Jay Satiro (24 Feb 2018)
+- curl-openssl.m4: Fix version check for OpenSSL 1.1.1
+
+ - Add OpenSSL 1.1.1 to the header/library version lists.
+
+ - Detect OpenSSL 1.1.1 library using its function ERR_clear_last_mark,
+ which was added in that version.
+
+ Prior to this change an erroneous header/library mismatch was caused by
+ lack of OpenSSL 1.1.1 detection. I tested using openssl-1.1.1-pre1.
+
+Viktor Szakats (23 Feb 2018)
+- lib655: silence compiler warning
+
+ Closes https://github.com/curl/curl/pull/2335
+
+- spelling fixes
+
+ Detected using the `codespell` tool.
+
+ Also contains one URL protocol upgrade.
+
+ Closes https://github.com/curl/curl/pull/2334
+
+Daniel Stenberg (24 Feb 2018)
+- projects/README: remove reference to dead IDN link/package
+
+ Reported-by: Stefan Kanthak and Rod Widdowson
+
+ Fixes #2325
+
+Jay Satiro (23 Feb 2018)
+- [Rod Widdowson brought this change]
+
+ winbuild: Use macros for the names of some build utilities
+
+ - Add macros to the top of the makefile for rc and mt utilities so that
+ it is easier to change their locations.
+
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html
+ Reported-by: Stefan Kanthak
+
+ Closes https://github.com/curl/curl/issues/2329
+
+Daniel Stenberg (23 Feb 2018)
+- TODO: remove "sha-256 digest", added in 2b5b37cb9109e7c2
+
+- curl_share_setopt.3: connection cache is shared within multi handles
+
+Jay Satiro (22 Feb 2018)
+- [Rod Widdowson brought this change]
+
+ winbuild: Use CALL to run batch scripts
+
+ Co-authored-by: Stefan Kanthak
+
+ Closes https://github.com/curl/curl/issues/2330
+ Closes https://github.com/curl/curl/pull/2331
+
+Patrick Monnerat (22 Feb 2018)
+- os400: add curl_resolver_start_callback type to ILE/RPG binding
+
+Daniel Stenberg (22 Feb 2018)
+- form.d: rephrased somewhat, added two example command lines
+
+Jay Satiro (21 Feb 2018)
+- [Francisco Sedano brought this change]
+
+ url: Add option CURLOPT_RESOLVER_START_FUNCTION
+
+ - Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that
+ will be called every time before a new resolve request is started
+ (ie before a host is resolved) with a pointer to backend-specific
+ resolver data. Currently this is only useful for ares.
+
+ - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to
+ pass to the resolver start callback.
+
+ Closes https://github.com/curl/curl/pull/2311
+
+- lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
+
+ - In keeping with the naming of our other connect timeout options rename
+ CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.
+
+ This change adds the _MS suffix since the option expects milliseconds.
+ This is more intuitive for our users since other connect timeout options
+ that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS,
+ CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS.
+
+ The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms.
+
+ Follow-up to 2427d94 which added the lib and tool option yesterday.
+
+ Ref: https://github.com/curl/curl/pull/2260
+
+Patrick Monnerat (21 Feb 2018)
+- sasl: prefer PLAIN mechanism over LOGIN
+
+ SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says
+ PLAIN should be used instead if available.
+
+Daniel Stenberg (21 Feb 2018)
+- RELEASE-NOTES: synced with 2427d94c6
+
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
+
+ url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT
+
+ - Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy
+ eyeball timeout value.
+
+ - Add new optval macro CURL_HET_DEFAULT to represent the default happy
+ eyeballs timeout value (currently 200 ms).
+
+ - Add new tool option --happy-eyeballs-timeout-ms to expose
+ CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the
+ other -timeout options in the tool expect seconds not milliseconds.
+
+ Closes https://github.com/curl/curl/pull/2260
+
+- hostip: fix 'potentially uninitialized variable' warning
+
+ Follow-up to 50d1b33.
+
+ Caught by AppVeyor.
+
+Daniel Stenberg (20 Feb 2018)
+- TODO: warning if curl version is not in sync with libcurl version
+
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
+
+ CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
+
+ This enables users to preresolve but still take advantage of happy
+ eyeballs and trying multiple addresses if some are not connecting.
+
+ Ref: https://github.com/curl/curl/pull/2260
+
+Daniel Stenberg (20 Feb 2018)
+- [Sergio Borghese brought this change]
+
+ examples/sftpuploadresume: resume upload via CURLOPT_APPEND
+
+ URL: https://curl.haxx.se/mail/lib-2018-02/0072.html
+
+- curl --version: show PSL if the run-time lib has it enabled
+
+ ... not of the #define was set at build-time!
+
+- TODO: "Support in-memory certs/ca certs/keys"
+
+ removed SSLKEYLOGFILE support (fixed)
+
+ removed "consider SSL patches" (outdated)
+
+ Closes #2310
+
+- CURLOPT_HEADER.3: clarify problems with different data sizes
+
+- test1556: verify >16KB headers to the header callback
+
+- header callback: don't chop headers into smaller pieces
+
+ Reported-by: Guido Berhoerster
+ Fixes #2314
+ Closes #2316
+
+- test1154: verify that long HTTP headers get rejected
+
+- http: fix the max header length detection logic
+
+ Previously, it would only check for max length if the existing alloc
+ buffer was to small to fit it, which often would make the header still
+ get used.
+
+ Reported-by: Guido Berhoerster
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html
+
+ Closes #2315
+
+- CURLOPT_HEADERFUNCTION.3: fix typo from d939226813
+
+ Reported-by: Erik Johansson
+ Bug: https://github.com/curl/curl/commit/d9392268131c1b8d18dec3fa30e0bded833a5db7#commitcomment-27607495
+
+- CURLOPT_HEADERFUNCTION.3: mention folded headers
+
+- TODO: 1.1 Option to refuse usernames in URLs
+
+ Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas.
+
+- TODO: 1.7 Support HTTP/2 for HTTP(S) proxies
+
+- ssh: add two missing state names
+
+ The list of state names (used in debug builds) was out of sync in
+ relation to the list of states (used in all builds).
+
+ I now added an assert to make sure the sizes of the two lists match, to
+ aid in detecting this mistake better in the future.
+
+ Regression since c92d2e14cf, shipped in 7.58.0.
+
+ Reported-by: Somnath Kundu
+
+ Fixes #2312
+ Closes #2313
+
+- Revert "KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy"
+
+ This reverts commit de9fac00c40db321d44fa6fbab6eb62ec4c83998.
+
+ Reported-by: Jay Satiro
+
+Jay Satiro (15 Feb 2018)
+- non-ascii: fix implicit declaration warning
+
+ Follow-up to b46cfbc.
+
+ Caught by Travis CI.
+
+Daniel Stenberg (15 Feb 2018)
+- travis: add build with iconv enabled
+
+ ... to verify it builds and works fine.
+
+ Ref: https://curl.haxx.se/mail/lib-2017-09/0031.html
+
+ Closes #1872
+
+- TODO: 18.18 retry on network is unreachable
+
+ Closes #1603
+
+- KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy
+
+ Closes #1254
+
+Kamil Dudka (15 Feb 2018)
+- nss: use PK11_CreateManagedGenericObject() if available
+
+ ... so that the memory allocated by applications using libcurl does not
+ grow per each TLS connection.
+
+ Bug: https://bugzilla.redhat.com/1510247
+
+ Closes #2297
+
+Daniel Stenberg (15 Feb 2018)
+- [Björn Stenberg brought this change]
+
+ TODO fixed: Detect when called from within callbacks
+
+ Closes #2302
+
+- BINDINGS: fix curb link (and remove ruby-curl-multi)
+
+ Reported-by: Klaus Stein
+
+- curl_gssapi: make sure this file too uses our *printf()
+
+- libcurl-security.3: separate file:// section
+
+ ... just to make it more apparent. Even if it repeats
+ some pieces of information.
+
+- libcurl-security.3: the http://192.168.0.1/my_router_config case
+
+ Mentioned-By: Rich Moore
+
+- libcurl-security.3: mention the URL standards problems too
+
+- libcurl-security.3: split out from libcurl-tutorial.3
+
+ To make more accessible.
+
+ Merged in some new language from "URLs are dangerous things" as discussed on
+ the mailing list a few days ago:
+
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0013.html
+
+- RELEASE-NOTES: synced with e551910f8
+
+Patrick Monnerat (13 Feb 2018)
+- tests: new tests for http raw mode
+
+ Test 319 checks proper raw mode data with non-chunked gzip
+ transfer-encoded server data.
+ Test 326 checks raw mode with chunked server data.
+
+ Bug: #2303
+ Closes #2308
+
+Kamil Dudka (12 Feb 2018)
+- tlsauthtype.d: works only if libcurl is built with TLS-SRP support
+
+ Bug: https://bugzilla.redhat.com/1542256
+
+ Closes #2306
+
+Patrick Monnerat (12 Feb 2018)
+- smtp: fix processing of initial dot in data
+
+ RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command
+ should be taken into account when chasing the <CRLF>.<CRLF> end marker.
+ Thus a leading dot character in data is also subject to escaping.
+
+ Tests 911 and test server are adapted to this situation.
+ New tests 951 and 952 check proper handling of initial dot in data.
+
+ Closes #2304
+
+Daniel Stenberg (12 Feb 2018)
+- sha256: avoid redefine
+
+- [Douglas Mencken brought this change]
+
+ sha256: build with OpenSSL < 0.9.8 too
+
+ support for SHA-2 was introduced in OpenSSL 0.9.8
+
+ Closes #2305
+
+- [Bruno Grasselli brought this change]
+
+ README: language fix
+
+ s/off/from
+
+ Closes #2300
+
+Patrick Monnerat (12 Feb 2018)
+- http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING on
+
+ Bug: #2303
+ Reported-By: Henry Roeland
+
+Daniel Stenberg (9 Feb 2018)
+- get_posix_time: only check for overflows if they can happen!
+
+Michael Kaufmann (9 Feb 2018)
+- schannel: fix "no previous prototype" compiler warning
+
+Jay Satiro (9 Feb 2018)
+- [Mohammad AlSaleh brought this change]
+
+ content_encoding: Add "none" alias to "identity"
+
+ Some servers return a "content-encoding" header with a non-standard
+ "none" value.
+
+ Add "none" as an alias to "identity" as a work-around, to avoid
+ unrecognised content encoding type errors.
+
+ Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
+
+ Closes https://github.com/curl/curl/pull/2298
+
+Steve Holme (8 Feb 2018)
+- build-openssl.bat: Follow up to 648679ab8e to suppress copy/move output
+
+- build-openssl.bat: Fixed incorrect move if destination build folder exists
+
+Michael Kaufmann (8 Feb 2018)
+- schannel: fix compiler warnings
+
+ Closes #2296
+
+Steve Holme (7 Feb 2018)
+- curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows
+
+ Windows 10.0.17061 SDK introduces support for Unix Domain Sockets.
+ Added the necessary include file to curl_addrinfo.c.
+
+ Note: The SDK (which is considered beta) has to be installed, VS 2017
+ project file has to be re-targeted for Windows 10.0.17061 and #define
+ enabled in config-win32.h.
+
+Patrick Monnerat (7 Feb 2018)
+- fnmatch: optimize processing of consecutive *s and ?s pattern characters
+
+ Reported-By: Daniel Stenberg
+ Fixes #2291
+ Closes #2293
+
+Steve Holme (6 Feb 2018)
+- build-openssl.bat/build-wolfssl.bat: Build platform is optional
+
+ Whilst the compiler parameter is mandatory, platform is optional as it
+ is automatically calculated by the :configure section.
+
+ This partially reverts commit 6d62d2c55d.
+
+Daniel Stenberg (6 Feb 2018)
+- [Patrick Schlangen brought this change]
+
+ openssl: Don't add verify locations when verifypeer==0
+
+ When peer verification is disabled, calling
+ SSL_CTX_load_verify_locations is not necessary. Only call it when
+ verification is enabled to save resources and increase performance.
+
+ Closes #2290
+
+Steve Holme (5 Feb 2018)
+- build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
+
+ ...and not just the Community Edition.
+
+- build-openssl.bat: Extend VC15 support to include Enterprise and Professional
+
+ ...and not just the Community Edition.
+
+Michael Kaufmann (5 Feb 2018)
+- time-cond: fix reading the file modification time on Windows
+
+ On Windows, stat() may adjust the unix file time by a daylight saving time
+ offset. Avoid this by calling GetFileTime() instead.
+
+ Fixes #2164
+ Closes #2204
+
+Daniel Stenberg (5 Feb 2018)
+- formdata: use the mime-content type function
+
+ Reduce code duplication by making Curl_mime_contenttype available and
+ used by the formdata function. This also makes the formdata function
+ recognize a set of more file extensions by default.
+
+ PR #2280 brought this to my attention.
+
+ Closes #2282
+
+- getdate: return -1 for out of range
+
+ ...as that's how the function is documented to work.
+
+ Reported-by: Michael Kaufmann
+ Bug found in an autobuild with 32 bit time_t
+
+ Closes #2278
+
+- [Ben Greear brought this change]
+
+ build: fix termios issue on android cross-compile
+
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0122.html
+ Signed-off-by: Ben Greear <greearb@candelatech.com>
+
+- time_t-fixes: remove typecasts to 'long' for info.filetime
+
+ They're now wrong.
+
+ Reported-by: Michael Kaufmann
+
+ Closes #2277
+
+- curl_setup: move the precautionary define of SIZEOF_TIME_T
+
+ ... up to before it may be used for the TIME_T_MAX/MIN logic.
+
+ Reported-by: Michael Kaufmann
+
+- parsedate: s/#if/#ifdef
+
+ Reported-by: Michael Kaufmann
+ Bug: https://github.com/curl/curl/commit/1c39128d974666107fc6d9ea15f294036851f224#commitcomment-27246479
+
+Patrick Monnerat (31 Jan 2018)
+- fnmatch: pattern syntax can no longer fail
+
+ Whenever an expected pattern syntax rule cannot be matched, the
+ character starting the rule loses its special meaning and the parsing
+ is resumed:
+ - backslash at the end of pattern string matches itself.
+ - Error in [:keyword:] results in set containing :\[dekorwy.
+
+ Unit test 1307 updated for this new situation.
+
+ Closes #2273
+
+- fnmatch: accept an alphanum to be followed by a non-alphanum in char set
+
+ Also be more tolerant about set pattern syntax.
+ Update unit test 1307 accordingly.
+
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html
+
+- fnmatch: do not match the empty string with a character set
+
+Jay Satiro (30 Jan 2018)
+- build: fix windows build methods for curl_ctype.c
+
+ - Fix winbuild and the VS project generator to treat curl_ctype.{c,h} as
+ curlx files since they are required by both src and lib.
+
+ Follow-up to 4272a0b which added curl_ctype.
+
+Daniel Stenberg (30 Jan 2018)
+- progress-bar.d: update to match implementation
+
+ ... since commit 993dd5651a6
+
+ Reported-by: Martin Dreher
+ Bug: https://github.com/curl/curl/pull/2242#issuecomment-361059228
+
+ Closes #2271
+
+- http2: set DEBUG_HTTP2 to enable more HTTP/2 logging
+
+ ... instead of doing it unconditionally in debug builds. It cluttered up
+ the output a little too much.
+
+- [Max Dymond brought this change]
+
+ file: Check the return code from Curl_range and bail out on error
+
+- [Max Dymond brought this change]
+
+ Curl_range: add check to ensure "from <= to"
+
+- [Max Dymond brought this change]
+
+ Curl_range: commonize FTP and FILE range handling
+
+ Closes #2205
+
+- RELEASE-NOTES: synced with 811beab9f
+
+- curlver: next release will be 7.59.0
+
+- [Michał Janiszewski brought this change]
+
+ curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
+
+ Closes #2275
+
+- time: support > year 2038 time stamps for system with 32bit long
+
+ ... with the introduction of CURLOPT_TIMEVALUE_LARGE and
+ CURLINFO_FILETIME_T.
+
+ Fixes #2238
+ Closes #2264
+
+- curl_easy_reset: clear digest auth state
+
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0074.html
+ Reported-by: Ruurd Beerstra
+ Fixes #2255
+ Closes #2272
+
+- [Adam Marcionek brought this change]
+
+ winbuild: make linker generate proper PDB
+
+ Link.exe requires /DEBUG to properly generate a full pdb file on release
+ builds.
+
+ Closes #2274
+
+- curl: add --proxy-pinnedpubkey
+
+ To verify a proxy's public key. For when using HTTPS proxies.
+
+ Fixes #2192
+ Closes #2268
+
+- configure: set PATH_SEPARATOR to colon for PATH w/o separator
+
+ The logic tries to figure out what the path separator in the $PATH
+ variable is, but if there's only one directory in the $PATH it
+ fails. This change make configure *guess* on colon instead of erroring
+ out, simply because that is probably the more common character.
+
+ PATH_SEPARATOR can always be set by the user to override the guessing.
+
+ (tricky bug to reproduce, as in my case for example the configure script
+ requires binaries in more than one directory so passing in a PATH with a
+ single dir fails.)
+
+ Reported-by: Earnestly on github
+ Fixes #2202
+ Closes #2265
+
+- curl_ctype: private is*() type macros and functions
+
+ ... since the libc provided one are locale dependent in a way we don't
+ want. Also, the "native" isalnum() (for example) works differently on
+ different platforms which caused test 1307 failures on macos only.
+
+ Closes #2269
+
+Marcel Raad (29 Jan 2018)
+- build: open VC15 projects with VS 2017
+
+ Previously, they were opened with Visual Studio 2015 by default, which
+ cannot build them.
+
+Daniel Stenberg (29 Jan 2018)
+- RELEASE-NOTES: synced with 094647fca
+
+- TODO: UTF-8 filenames in Content-Disposition
+
+ Closes #1888
+
+- KNOWN_BUGS: DICT responses show the underlying protocol
+
+ Closes #1809
+
+Jay Satiro (27 Jan 2018)
+- [Alessandro Ghedini brought this change]
+
+ docs: fix typos in man pages
+
+ Closes https://github.com/curl/curl/pull/2266
+
+Patrick Monnerat (26 Jan 2018)
+- lib555: drop text conversion and encode data as ascii codes
+
+ If CURL_DOES_CONVERSION is enabled, uploaded LFs are mapped to CRLFs,
+ giving a result that is different from what is expected.
+ This commit avoids using CURLOPT_TRANSFERTEXT and directly encodes data
+ to upload in ascii.
+
+ Bug: https://github.com/curl/curl/pull/1872
+
+Daniel Stenberg (26 Jan 2018)
+- lib517: make variable static to avoid compiler warning
+
+ ... with clang on macos
+
+Patrick Monnerat (26 Jan 2018)
+- lib544: sync ascii code data with textual data
+
+ Data mismatch caused test 545 to fail when character encoding
+ conversion is enabled.
+
+ Bug: https://github.com/curl/curl/pull/1872
+
+Daniel Stenberg (25 Jan 2018)
+- [Travis Burtrum brought this change]
+
+ GSKit: restore pinnedpubkey functionality
+
+ inadvertently removed in 283babfaf8d8f3bab9d3c63cea94eb0b84e79c37
+
+ Closes #2263
+
+- [Dair Grant brought this change]
+
+ darwinssl: Don't import client certificates into Keychain on macOS
+
+ Closes #2085
+
+- configure: fix the check for unsigned time_t
+
+ Assign the time_t variable negative value and then check if it is
+ greater than zero, which will evaluate true for unsigned time_t but
+ false for signed time_t.
+
+- parsedate: fix date parsing for systems with 32 bit long
+
+ Make curl_getdate() handle dates before 1970 as well (returning negative
+ values).
+
+ Make test 517 test dates for 64 bit time_t.
+
+ This fixes bug (3) mentioned in #2238
+
+ Closes #2250
+
+- [McDonough, Tim brought this change]
+
+ openssl: fix pinned public key build error in FIPS mode
+
+ Here is a version that should work with all versions of openssl 0.9.7
+ through 1.1.0.
+
+ Links to the docs:
+ https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html
+ https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html
+
+ At the very bottom of the 1.1.0 documentation there is a history section
+ that states, " stack allocated EVP_MD_CTXs are no longer supported."
+
+ If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a
+ simple mapping can be used as described here:
+ https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes
+
+ Closes #2258
+
+- [Travis Burtrum brought this change]
+
+ SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5sum
+
+- [Travis Burtrum brought this change]
+
+ SChannel/WinSSL: Implement public key pinning
+
+ Closes #1429
+
+- bump: towards 7.58.1
+
+- cookies: remove verbose "cookie size:" output
+
+ It was once used for some debugging/verifying logic but should never have
+ ended up in git!
+
+- TODO: hardcode the "localhost" addresses
+
+- TODO: CURL_REFUSE_CLEARTEXT
+
+ An idea that popped up in discussions on twitter.
+
+- progress-bar: don't use stderr explicitly, use bar->out
+
+ Reported-By: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/993dd5651a6c853bfe3870f6a69c7b329fa4e8ce#commitcomment-27070080
+
+GitHub (24 Jan 2018)
+- [Gisle Vanem brought this change]
+
+ Fixes for MSDOS etc.
+
+ djgpp do have 'mkdir(dir, mode)'. Other DOS-compilers does not
+ But djgpp seems the only choice for MSDOS anyway.
+
+ PellesC do have a 'F_OK' defined in it's <unistd.h>.
+
+ Update year in Copyright.
+
+- [Gisle Vanem brought this change]
+
+ Fix small typo.
+
+Version 7.58.0 (23 Jan 2018)
+
+Daniel Stenberg (23 Jan 2018)
+- RELEASE: 7.58.0
+
+- [Gisle Vanem brought this change]
+
+ progress-bar: get screen width on windows
+
+- test1454: --connect-to with IPv6 address w/o IPv6 support!
+
+- CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support
+
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0087.html
+ Reported-by: John Hascall
+
+ Closes #2257
+
+- docs: fix man page syntax to make test 1140 OK again
+
+- http: prevent custom Authorization headers in redirects
+
+ ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
+ curl already handles Authorization headers created internally.
+
+ Note: this changes behavior slightly, for the sake of reducing mistakes.
+
+ Added test 317 and 318 to verify.
+
+ Reported-by: Craig de Stigter
+ Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
+
+- curl: progress bar refresh, get width using ioctl()
+
+ Get screen width from the environment variable COLUMNS first, if set. If
+ not, use ioctl(). If nether works, assume 79.
+
+ Closes #2242
+
+ The "refresh" is for the -# output when no total transfer size is
+ known. It will now only use a single updated line even for this case:
+
+ The "-=O=-" ship moves when data is transferred. The four flying
+ "hashes" move (on a sine wave) on each refresh, independent of data.
+
+- RELEASE-NOTES: synced with bb0ffcc36
+
+- libcurl-env.3: first take
+
+- TODO: two possible name resolver improvements
+
+- [Kartik Mahajan brought this change]
+
+ http2: don't close connection when single transfer is stopped
+
+ Fixes #2237
+ Closes #2249
+
+- test558: fix for multissl builds
+
+ vtls.c:multissl_init() might do a curl_free() call so strip that out to
+ make this work with more builds. We just want to verify that
+ memorytracking works so skipping one line is no harm.
+
+- examples/url2file.c: add missing curl_global_cleanup() call
+
+ Reported-by: XhstormR on github
+ Fixes #2245
+
+- [Michael Gmelin brought this change]
+
+ SSH: Fix state machine for ssh-agent authentication
+
+ In case an identity didn't match[0], the state machine would fail in
+ state SSH_AUTH_AGENT instead of progressing to the next identity in
+ ssh-agent. As a result, ssh-agent authentication only worked if the
+ identity required happened to be the first added to ssh-agent.
+
+ This was introduced as part of commit c4eb10e2f06fbd6cc904f1d78e4, which
+ stated that the "else" statement was required to prevent getting stuck
+ in state SSH_AUTH_AGENT. Given the state machine's logic and libssh2's
+ interface I couldn't see how this could happen or reproduce it and I
+ also couldn't find a more detailed description of the problem which
+ would explain a test case to reproduce the problem this was supposed to
fix.
+
+ [0] libssh2_agent_userauth returning LIBSSH2_ERROR_AUTHENTICATION_FAILED
+
+ Closes #2248
+
+- openssl: fix potential memory leak in SSLKEYLOGFILE logic
+
+ Coverity CID 1427646.
+
+- openssl: fix the libressl build again
+
+ Follow-up to 84fcaa2e7. libressl does not have the API even if it says it is
+ late OpenSSL version...
+
+ Fixes #2246
+ Closes #2247
+
+ Reported-by: jungle-boogie on github
+
+- unit1307: test many wildcards too
+
+- curl_fnmatch: only allow 5 '*' sections in a single pattern
+
+ ... to avoid excessive recursive calls. The number 5 is totally
+ arbitrary and could be modified if someone has a good motivation.
+
+- ftp-wildcard: fix matching an empty string with "*[^a]"
+
+ .... and avoid advancing the pointer to trigger an out of buffer read.
+
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251
+ Assisted-by: Max Dymond
+
+- SMB: fix numeric constant suffix and variable types
+
+ 1. don't use "ULL" suffix since unsupported in older MSVC
+ 2. use curl_off_t instead of custom long long ifdefs
+ 3. make get_posix_time() not do unaligned data access
+
+ Fixes #2211
+ Closes #2240
+ Reported-by: Chester Liu
+
+- [rouzier brought this change]
+
+ CURLOPT_TCP_NODELAY.3: fix typo
+
+ Closes #2239
+
+- smtp/pop3/imap_get_message: decrease the data length too...
+
+ Follow-up commit to 615edc1f73 which was incomplete.
+
+ Assisted-by: Max Dymond
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5206
+
+- openssl: enable SSLKEYLOGFILE support by default
+
+ Fixes #2210
+ Closes #2236
+
+Patrick Monnerat (14 Jan 2018)
+- mime: clone mime tree upon easy handle duplication.
+
+ A mime tree attached to an easy handle using CURLOPT_MIMEPOST is
+ strongly bound to the handle: there is a pointer to the easy handle in
+ each item of the mime tree and following the parent pointer list
+ of mime items ends in a dummy part stored within the handle.
+
+ Because of this binding, a mime tree cannot be shared between different
+ easy handles, thus it needs to be cloned upon easy handle duplication.
+
+ There is no way for the caller to get the duplicated mime tree
+ handle: it is then set to be automatically destroyed upon freeing the
+ new easy handle.
+
+ New test 654 checks proper mime structure duplication/release.
+
+ Add a warning note in curl_mime_data_cb() documentation about sharing
+ user data between duplicated handles.
+
+ Closes #2235
+
+- docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
+
+Daniel Stenberg (13 Jan 2018)
+- test395: HTTP with overflow Content-Length value
+
+- test394: verify abort of rubbish in Content-Length: value
+
+- test393: verify --max-filesize with excessive Content-Length
+
+- HTTP: bail out on negative Content-Length: values
+
+ ... and make the max filesize check trigger if the value is too big.
+
+ Updates test 178.
+
+ Reported-by: Brad Spencer
+ Fixes #2212
+ Closes #2223
+
+Marcel Raad (13 Jan 2018)
+- [Dan Johnson brought this change]
+
+ configure.ac: append extra linker flags instead of prepending them.
+
+ Link order should list libraries after the libraries that use them,
+ so when we're guessing that we might also need to add -ldl in order
+ to use -lssl, we should add -ldl after -lssl.
+
+ Closes https://github.com/curl/curl/pull/2234
+
+Daniel Stenberg (13 Jan 2018)
+- RELEASE-NOTES: synced with 6fa10c8fa
+
+Jay Satiro (13 Jan 2018)
+- setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values
+
+ Broken since f121575 (precedes 7.56.1).
+
+ Bug: https://github.com/curl/curl/issues/2225
+ Reported-by: cmfrolick@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/2227
+
+Patrick Monnerat (13 Jan 2018)
+- setopt: reintroduce non-static Curl_vsetopt() for OS400 support
+
+ This also upgrades ILE/RPG bindings with latest setopt options.
+
+ Reported-By: jonrumsey on github
+ Fixes #2230
+ Closes #2233
+
+Jay Satiro (11 Jan 2018)
+- [Zhouyihai Ding brought this change]
+
+ http2: fix incorrect trailer buffer size
+
+ Prior to this change the stored byte count of each trailer was
+ miscalculated and 1 less than required. It appears any trailer
+ after the first that was passed to Curl_client_write would be truncated
+ or corrupted as well as the size. Potentially the size of some
+ subsequent trailer could be erroneously extracted from the contents of
+ that trailer, and since that size is used by client write an
+ out-of-bounds read could occur and cause a crash or be otherwise
+ processed by client write.
+
+ The bug appears to have been born in 0761a51 (precedes 7.49.0).
+
+ Closes https://github.com/curl/curl/pull/2231
+
+- [Basuke Suzuki brought this change]
+
+ easy: fix connection ownership in curl_easy_pause
+
+ Before calling Curl_client_chop_write(), change the owner of connection
+ to the current Curl_easy handle. This will fix the issue #2217.
+
+ Fixes https://github.com/curl/curl/issues/2217
+ Closes https://github.com/curl/curl/pull/2221
+
+Daniel Stenberg (9 Jan 2018)
+- [Dimitrios Apostolou brought this change]
+
+ system.h: Additionally check __LONG_MAX__ for defining curl_off_t
+
+ __SIZEOF_LONG__ was introduced in GCC 4.4, __LONG_MAX__ was introduced
+ in GCC 3.3.
+
+ Closes #2216
+
+- COPYING: it's 2018!
+
+- progress: calculate transfer speed on milliseconds if possible
+
+ to increase accuracy for quick transfers
+
+ Fixes #2200
+ Closes #2206
+
+Jay Satiro (7 Jan 2018)
+- scripts: allow all perl scripts to be run directly
+
+ - Enable execute permission (chmod +x)
+
+ - Change interpreter to /usr/bin/env perl
+
+ Closes https://github.com/curl/curl/pull/2222
+
+- mail-rcpt.d: fix short-text description
+
+- build: remove HAVE_LIMITS_H check
+
+ .. because limits.h presence isn't optional, it's required by C89.
+
+ Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2
+
+ Closes https://github.com/curl/curl/pull/2215
+
+- openssl: fix memory leak of SSLKEYLOGFILE filename
+
+ - Free the copy of SSLKEYLOGFILE env returned by curl_getenv during ossl
+ initialization.
+
+ Caught by ASAN.
+
+- Revert "curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX"
+
+ This reverts commit c97648b55080343bb371522bf4233e94a2a13a99.
+
+ SIZEOF_LONG should not be checked in system.h since that macro is only
+ defined when building libcurl.
+
+ Ref: https://github.com/curl/curl/pull/2186#issuecomment-354767080
+ Ref: https://gcc.gnu.org/onlinedocs/cpp/Common-Predefined-Macros.html
+
+Michael Kaufmann (30 Dec 2017)
+- test1554: improve the error handling
+
+- test1554: add global initialization and cleanup
+
+Daniel Stenberg (29 Dec 2017)
+- curl_version_info.3: call the argument 'age'
+
+ Reported-by: Pete Lomax
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0074.html
+
+Patrick Monnerat (27 Dec 2017)
+- [Mikalai Ananenka brought this change]
+
+ brotli: data at the end of content can be lost
+
+ Decoding loop implementation did not concern the case when all
+ received data is consumed by Brotli decoder and the size of decoded
+ data internally hold by Brotli decoder is greater than CURL_MAX_WRITE_SIZE.
+ For content with unencoded length greater than CURL_MAX_WRITE_SIZE this
+ can result in the loss of data at the end of content.
+
+ Closes #2194
+
+Jay Satiro (26 Dec 2017)
+- examples/cacertinmem: ignore cert-already-exists error
+
+ - Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE errors in the CTX callback
+ since it's possible the cert may have already been loaded by libcurl.
+
+ - Remove the EXAMPLE code in the CURLOPT_SSL_CTX_FUNCTION.3 doc.
+ Instead have it direct the reader to this cacertinmem.c example.
+
+ - Fix the CA certificate to use the right CA for example.com, Digicert.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0057.html
+ Reported-by: Thomas van Hesteren
+
+ Closes https://github.com/curl/curl/pull/2182
+
+- [Gisle Vanem brought this change]
+
+ tool_getparam: Support size modifiers for --max-filesize
+
+ - Move the size modifier detection code from limit-rate to its own
+ function so that it can also be used with max-filesize.
+
+ Size modifiers are the suffixes such as G (gigabyte), M (megabyte) etc.
+
+ For example --max-filesize 1G
+
+ Ref: https://curl.haxx.se/mail/archive-2017-12/0000.html
+
+ Closes https://github.com/curl/curl/pull/2179
+
+Steve Holme (22 Dec 2017)
+- build: Fixed incorrect script termination from commit ad1dc10e61
+
+- Makefile.vc: Added our standard copyright header
+
+- winbuild: Added support for VC15
+
+- build: Added Visual Studio 2017 project files
+
+- build-wolfssl.bat: Added support for VC15
+
+- build-openssl.bat: Added support for VC15
+
+Jay Satiro (22 Dec 2017)
+- [Dimitrios Apostolou brought this change]
+
+ curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX
+
+ Closes https://github.com/curl/curl/pull/2186
+
+- [Mattias Fornander brought this change]
+
+ examples/rtsp: fix error handling macros
+
+ Closes https://github.com/curl/curl/pull/2185
+
+Patrick Monnerat (20 Dec 2017)
+- curl_easy_reset: release mime-related data.
+
+ Move curl_mime_initpart() and curl_mime_cleanpart() calls to lower-level
+ functions dealing with UserDefined structure contents.
+ This avoids memory leakages on curl-generated part mime headers.
+ New test 2073 checks this using the cli tool --next option: it
+ triggers a valgrind error if bug is present.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0060.html
+ Reported-by: Martin Galvan
+
+- content_encoding: rework zlib_inflate
+
+ - When zlib version is < 1.2.0.4, process gzip trailer before considering
+ extra data as an error.
+ - Inflate with Z_BLOCK instead of Z_SYNC_FLUSH to maximize correct data
+ and minimize corrupt data output.
+ - Do not try to restart deflate decompression in raw mode if output has
+ started or if the leading data is not available anymore.
+ - New test 232 checks inflating raw-deflated content.
+
+ Closes #2068
+
+- brotli: allow compiling with version 0.6.0.
+
+ Some error codes were not yet defined in brotli 0.6.0: do not issue code
+ for them in this case.
+
+Daniel Stenberg (13 Dec 2017)
+- CURLOPT_READFUNCTION.3: refer to argument with correct name
+
+ Bug: #2175
+
+ [ci skip]
+
+- rand: add a clang-analyzer work-around
+
+ scan-build would warn on a potential access of an uninitialized
+ buffer. I deem it a false positive and had to add this somewhat ugly
+ work-around to silence it.
+
+- krb5: fix a potential access of uninitialized memory
+
+ A scan-build warning.
+
+- conncache: fix a return code [regression]
+
+ This broke in 07cb27c98e. Make sure to return 'result' properly. Pointed
+ out by scan-build!
+
+- curl: support >256 bytes warning messsages
+
+ Bug: #2174
+
+Michael Kaufmann (12 Dec 2017)
+- libssh: fix a syntax error in configure.ac
+
+ Follow-up to c92d2e1
+
+ Closes #2172
+
+Daniel Stenberg (12 Dec 2017)
+- examples/smtp-mail.c: use separate defines for options and mail
+
+ ... to make it clearer that the options want address-only, while the
+ headers in an email can also have the real name.
+
+ Assisted-by: Sean MacLennan
+
+- THANKS: added missing names
+
+ ... as I reran the contrithanks script after the mailmap name fixups.
+
+- mailmap: added/clarified several names
+
+- setopt: less *or equal* than INT_MAX/1000 should be fine
+
+ ... for the CURLOPT_TIMEOUT, CURLOPT_CONNECTTIMEOUT and
+ CURLOPT_SERVER_RESPONSE_TIMEOUT range checks.
+
+ Reported-by: Dominik Hölzl
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0037.html
+
+ Closes #2173
+
+- [Dmitry Kostjuchenko brought this change]
+
+ vtls: replaced getenv() with curl_getenv()
+
+ Fixed undefined symbol of getenv() which does not exist when compiling
+ for Windows 10 App (CURL_WINDOWS_APP). Replaced getenv() with
+ curl_getenv() which is aware of getenv() absence when CURL_WINDOWS_APP
+ is defined.
+
+ Closes #2171
+
+- RELEASE-NOTES: synced with 3b9ea70ee
+
+- TODO: Expose tried IP addresses that failed
+
+ Suggested-by: Rainer Canavan
+
+ Closes #2126
+
+- curl.1: mention http:// and https:// as valid proxy prefixes
+
+- curl.1: documented two missing valid exit codes
+
+- CURLOPT_DNS_LOCAL_IP4.3: fixed the seel also to not self-reference
+
+- Revert "curl: don't set CURLOPT_INTERLEAVEDATA"
+
+ This reverts commit 9ffad8eb1329bb35c8988115ac7ed85cf91ef955.
+
+ It was actually added rather recently in 8e8afa82cbb629 due to a crash
+ that would otherwise happen in the RTSP code. As I don't think we've
+ fixed that behavior yet, we better keep this work-around until we have
+ fixed it better.
+
+Michael Kaufmann (10 Dec 2017)
+- tests: mark data files as non-executable in git
+
+- tests: update .gitignore for libtests
+
+Daniel Stenberg (10 Dec 2017)
+- multi_done: prune DNS cache
+
+ Prune the DNS cache immediately after the dns entry is unlocked in
+ multi_done. Timed out entries will then get discarded in a more orderly
+ fashion.
+
+ Test506 is updated
+
+ Reported-by: Oleg Pudeyev
+
+ Fixes #2169
+ Closes #2170
+
+- mailmap: fixup two old git Author "aliases"
+
+Jay Satiro (10 Dec 2017)
+- openssl: Disable file buffering for Win32 SSLKEYLOGFILE
+
+ Prior to this change SSLKEYLOGFILE used line buffering on WIN32 just
+ like it does for other platforms. However, the Windows CRT does not
+ actually support line buffering (_IOLBF) and will use full buffering
+ (_IOFBF) instead. We can't use full buffering because multiple processes
+ may be writing to the file and that could lead to corruption, and since
+ full buffering is the only buffering available this commit disables
+ buffering for Windows SSLKEYLOGFILE entirely (_IONBF).
+
+ Ref: https://github.com/curl/curl/pull/1346#issuecomment-350530901
+
+Daniel Stenberg (10 Dec 2017)
+- RESOLVE: output verbose text when trying to set a duplicate name
+
+ ... to help users understand what is or isn't done!
+
+- CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
+
+- [John DeHelian brought this change]
+
+ sftp: allow quoted commands to use relative paths
+
+ Closes #1900
+
+Jay Satiro (8 Dec 2017)
+- [Richard Alcock brought this change]
+
+ CURLOPT_PRIVATE.3: fix grammar
+
+ - Change "never does nothing" double-negative to "never does anything".
+
+ Closes https://github.com/curl/curl/pull/2168
+
+Daniel Stenberg (8 Dec 2017)
+- curl: remove __EMX__ #ifdefs
+
+ These are OS/2-specific things added to the code in the year 2000. They
+ were always ugly. If there's any user left, they still don't need it
+ done this way.
+
+ Closes #2166
+
+Jay Satiro (8 Dec 2017)
+- openssl: improve data-pending check for https proxy
+
+ - Allow proxy_ssl to be checked for pending data even when connssl does
+ not yet have an SSL handle.
+
+ This change is for posterity. Currently there doesn't seem to be a code
+ path that will cause a pending data check when proxyssl could have
+ pending data and the connssl handle doesn't yet exist [1].
+
+ [1]: Recall that an https proxy connection starts out in connssl but if
+ the destination is also https then the proxy SSL backend data is moved
+ from connssl to proxyssl, which means connssl handle is temporarily
+ empty until an SSL handle for the destination can be created.
+
+ Ref: https://github.com/curl/curl/commit/f4a6238#commitcomment-24396542
+
+ Closes https://github.com/curl/curl/pull/1916
+
+Daniel Stenberg (8 Dec 2017)
+- curl: don't set CURLOPT_INTERLEAVEDATA
+
+ That data is only ever used by the CURLOPT_INTERLEAVEFUNCTION callback
+ and that option isn't set or used by the curl tool!
+
+ Updates the 9 tests that verify --libcurl
+
+ Closes #2167
+
+- curl.h: remove incorrect comment about ERRORBUFFER
+
+ ... error messages are _not_ sent to stderr if this is not set.
+
+- [Michael Felt brought this change]
+
+ configure: add AX_CODE_COVERAGE only if using gcc
+
+ Fixes #2076
+ Closes #2125
+
+- curl: limit -# update frequency for unknown total size
+
+ Make it use a max 10Hz update frequency for this case as well. Return
+ early if the "point" hasn't moved since last invoke.
+
+ Reported-by: Elliot Saba
+
+ Fixes #2158
+ Closes #2163
+
+- BINDINGS: another PostgreSQL client
+
+ ...the former link is dead.
+
+ Reported-by: Frank Gevaerts
+
+- [Zachary Seguin brought this change]
+
+ CONNECT: keep close connection flag in http_connect_state struct
+
+ Fixes #2088
+ Closes #2157
+
+- [Per Malmberg brought this change]
+
+ include: get netinet/in.h before linux/tcp.h
+
+ ... to allow build on older Linux dists (specifically CentOS 4.8 on gcc
+ 4.8.5)
+
+ Closes #2160
+
+- openldap: fix checksrc nits
+
+- [Stepan Broz brought this change]
+
+ openldap: add commented out debug possibilities
+
+ ... to aid debugging openldap library using its built-in debug messages.
+
+ Closes #2159
+
+- examples: move threaded-shared-conn.c to the "complicated" ones
+
+ ... due it relying on pthreads to link.
+
+- RELEASE-NOTES: synced with b261c44e8
+
+ ... and bump next release version to 7.58.0
+
+- [Jan Ehrhardt brought this change]
+
+ URL: tolerate backslash after drive letter for FILE:
+
+ ... as in "file://c:\some\path\curl.out"
+
+ Reviewed-by: Matthew Kerwin
+ Closes #2154
+
+- [Randall S. Becker brought this change]
+
+ tests: added netinet/in6.h includes in test servers
+
+- [Randall S. Becker brought this change]
+
+ configure: check for netinet/in6.h
+
+ Needed by HPE NonStop NSE and NSX systems
+
+ Fixes #2146
+ Closes #2155
+
+- curl-config: add --ssl-backends
+
+ Lists all SSL backends that were enabled at build-time.
+
+ Suggested-by: Oleg Pudeyev
+ Fixes #2128
+
+- conncache: only allow multiplexing within same multi handle
+
+ Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing
+ only get additional transfers added to them if the existing connection
+ is held by the same multi or easy handle. libcurl does not support doing
+ HTTP/2 streams in different threads using a shared connection.
+
+ Closes #2152
+
+- threaded-shared-conn.c: fixed typo in commenta
+
+- threaded-shared-conn.c: new example
+
+- conncache: fix several lock issues
+
+ If the lock is released before the dealings with the bundle is over, it may
+ have changed by another thread in the mean time.
+
+ Fixes #2132
+ Fixes #2151
+ Closes #2139
+
+- libssh: remove dead code in sftp_qoute
+
+ ... by removing a superfluous NULL pointer check that also confuses
+ Coverity.
+
+ Fixes #2143
+ Closes #2153
+
+- sasl_getmesssage: make sure we have a long enough string to pass
+
+ For pop3/imap/smtp, added test 891 to somewhat verify the pop3
+ case.
+
+ For this, I enhanced the pingpong test server to be able to send back
+ responses with LF-only instead of always using CRLF.
+
+ Closes #2150
+
+- libssh2: remove dead code from SSH_SFTP_QUOTE
+
+ Figured out while reviewing code in the libssh backend. The pointer was
+ checked for NULL after having been dereferenced, so we know it would
+ always equal true or it would've crashed.
+
+ Pointed-out-by: Nikos Mavrogiannopoulos
+
+ Bug #2143
+ Closes #2148
+
+- ssh-libssh.c: please checksrc
+
+Nikos Mavrogiannopoulos (4 Dec 2017)
+- libssh: fixed dereference in statvfs access
+
+ The behavior is now equivalent to ssh.c when SSH_SFTP_QUOTE_STATVFS
+ handling fails.
+
+ Fixes #2142
+
+Daniel Stenberg (4 Dec 2017)
+- [Guitared brought this change]
+
+ RESOURCES: update spec names
+
+ Closes #2145
+
+Nikos Mavrogiannopoulos (3 Dec 2017)
+- libssh: corrected use of sftp_statvfs() in SSH_SFTP_QUOTE_STATVFS
+
+ The previous code was incorrectly following the libssh2 error detection
+ for libssh2_sftp_statvfs, which is not correct for libssh's sftp_statvfs.
+
+ Fixes #2142
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- libssh: no need to call sftp_get_error as ssh_get_error is sufficient
+
+ Fixes #2141
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+Daniel Stenberg (2 Dec 2017)
+- libssh: fix minor static code analyzer nits
+
+ - remove superfluous NULL check which otherwise tricks the static code
+ analyzers to assume NULL pointer dereferences.
+
+ - fix fallthrough in switch()
+
+ - indent mistake
+
+- openssl: pkcs12 is supported by boringssl
+
+ Removes another #ifdef for BoringSSL
+
+ Pointed-out-by: David Benjamin
+
+ Closes #2134
+
+- [Jay Satiro brought this change]
+
+ travis: use pip2 instead of pip
+
+ .. since now mac osx image expects pip2 or pip3, and doesn't know pip:
+
+ 0.01s$ pip install --user cpp-coveralls
+ /Users/travis/.travis/job_stages: line 57: pip: command not found
+
+ Ref: https://github.com/travis-ci/travis-ci/issues/8829
+
+ Closes https://github.com/curl/curl/pull/2133
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ lib582: do not verify host for SFTP
+
+ This SFTP test fails with libssh back-end due to failure to verify
+ the peer. Disable peer verification in the test as there seems to
+ be the intention of the test.
+
+ Note that the libssh back-end automatically verifies the peer's
+ host using the default known_hosts file.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ libssh: added SFTP support
+
+ The SFTP back-end supports asynchronous reading only, limited
+ to 32-bit file length. Writing is synchronous with no other
+ limitations.
+
+ This also brings keyboard-interactive authentication.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ symbols-in-versions: added new symbols with 7.56.3 version
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ .travis.yml: added build --with-libssh
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ libssh2: return CURLE_UPLOAD_FAILED on failure to upload
+
+ This brings its in sync with the error code returned by the
+ libssh backend.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ libssh2: send the correct CURLE error code on scp file not found
+
+ That also updates tests to expect the right error code
+
+ libssh2 back-end returns CURLE_SSH error if the remote file
+ is not found. Expect instead CURLE_REMOTE_FILE_NOT_FOUND
+ which is sent by the libssh backend.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+ Added support for libssh SSH SCP back-end
+
+ libssh is an alternative library to libssh2.
+ https://www.libssh.org/
+
+ That patch set also introduces support for ECDSA
+ ed25519 keys, as well as gssapi authentication.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+- RELEASE-NOTES: synced with af8cc7a69
+
+- curlver: towards 7.57.1
+
+- [W. Mark Kubacki brought this change]
+
+ lib: don't export all symbols, just everything curl_*
+
+ Absent any 'symbol map' or script to limit what gets exported, static
+ linking of libraries previously resulted in a libcurl with curl's and
+ those other symbols being (re-)exported.
+
+ This did not happen if 'versioned symbols' were enabled (which is not
+ the default) because then a version script is employed.
+
+ This limits exports to everything starting in 'curl_*'., which is
+ what "libcurl.vers" exports.
+
+ This avoids strange side-effects such as with mixing methods
+ from system libraries and those erroneously offered by libcurl.
+
+ Closes #2127
+
+- [Johannes Schindelin brought this change]
+
+ SSL: Avoid magic allocation of SSL backend specific data
+
+ Originally, my idea was to allocate the two structures (or more
+ precisely, the connectdata structure and the four SSL backend-specific
+ strucutres required for ssl[0..1] and proxy_ssl[0..1]) in one go, so
+ that they all could be free()d together.
+
+ However, getting the alignment right is tricky. Too tricky.
+
+ So let's just bite the bullet and allocate the SSL backend-specific
+ data separately.
+
+ As a consequence, we now have to be very careful to release the memory
+ allocated for the SSL backend-specific data whenever we release any
+ connectdata.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+ Closes #2119
+
+- examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
+
+ Reported-by: Dima Tisnek
+
+- travis: add boringssl build
+
+ Uses a separate build without --enable-debug and no valgrind.
+
+ The debug option causes far too many warnings in boringssl's headers
+ (C++ comments, trailing commas etc). Valgrind triggers some false
+ positive errors in thread-local data used by boringssl.
+
+ Closes #2118
+
+Version 7.57.0 (29 Nov 2017)
+
+Daniel Stenberg (29 Nov 2017)
+- RELEASE-NOTES: curl 7.57.0
+
+- THANKS: added contributors from 7.57.0 release
+
+- openssl: fix boringssl build again
+
+ commit d3ab7c5a21e broke the boringssl build since it doesn't have
+ RSA_flags(), so we disable that code block for boringssl builds.
+
+ Reported-by: W. Mark Kubacki
+ Fixes #2117
+
+- curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided
+
+- libcurl-share.3: the connection cache is shareable now
+
+- global_init: ignore CURL_GLOBAL_SSL's absense
+
+ This bit is no longer used. It is not clear what it meant for users to
+ "init the TLS" in a world with different TLS backends and since the
+ introduction of multissl, libcurl didn't properly work if inited without
+ this bit set.
+
+ Not a single user responded to the call for users of it:
+ https://curl.haxx.se/mail/lib-2017-11/0072.html
+
+ Reported-by: Evgeny Grin
+ Assisted-by: Jay Satiro
+
+ Fixes #2089
+ Fixes #2083
+ Closes #2107
+
+- ntlm: avoid integer overflow for malloc size
+
+ Reported-by: Alex Nichols
+ Assisted-by: Kamil Dudka and Max Dymond
+
+ CVE-2017-8816
+
+ Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+
+- wildcardmatch: fix heap buffer overflow in setcharset
+
+ The code would previous read beyond the end of the pattern string if the
+ match pattern ends with an open bracket when the default pattern
+ matching function is used.
+
+ Detected by OSS-Fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
+
+ CVE-2017-8817
+
+ Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
+
+- [Jay Satiro brought this change]
+
+ url: fix alignment of ssl_backend_data struct
+
+ - Align the array of ssl_backend_data on a max 32 byte boundary.
+
+ 8 is likely to be ok but I went with 32 for posterity should one of
+ the ssl_backend_data structs change to contain a larger sized variable
+ in the future.
+
+ Prior to this change (since dev 70f1db3, release 7.56) the connectdata
+ structure was undersized by 4 bytes in 32-bit builds with ssl enabled
+ because long long * was mistakenly used for alignment instead of
+ long long, with the intention being an 8 byte boundary. Also long long
+ may not be an available type.
+
+ The undersized connectdata could lead to oob read/write past the end in
+ what was expected to be the last 4 bytes of the connection's secondary
+ socket https proxy ssl_backend_data struct (the secondary socket in a
+ connection is used by ftp, others?).
+
+ Closes https://github.com/curl/curl/issues/2093
+
+ CVE-2017-8818
+
+ Bug: https://curl.haxx.se/docs/adv_2017-af0a.html
+
+- ssh: remove check for a NULL pointer (!)
+
+ With this check present, scan-build warns that we might dereference this
+ point in other places where it isn't first checked for NULL. Thus, if it
+ *can* be NULL we have a problem on a few places. However, this pointer
+ should not be possible to be NULL here so I remove the check and thus
+ also three different scan-build warnings.
+
+ Closes #2111
+
+- [Matthew Kerwin brought this change]
+
+ test: add test for bad UNC/SMB path in file: URL
+
+- [Matthew Kerwin brought this change]
+
+ test: add tests to ensure basic file: URLs
+
+- [Matthew Kerwin brought this change]
+
+ URL: update "file:" URL handling
+
+ * LOTS of comment updates
+ * explicit error for SMB shares (e.g. "file:////share/path/file")
+ * more strict handling of authority (i.e. "//localhost/")
+ * now accepts dodgy old "C:|" drive letters
+ * more precise handling of drive letters in and out of Windows
+ (especially recognising both "file:c:/" and "file:/c:/")
+
+ Closes #2110
+
+- metalink: fix memory-leak and NULL pointer dereference
+
+ Reported by scan-build
+
+ Closes #2109
+
+- [Alessandro Ghedini brought this change]
+
+ connect: add support for new TCP Fast Open API on Linux
+
+ The new API added in Linux 4.11 only requires setting a socket option
+ before connecting, without the whole sento() machinery.
+
+ Notably, this makes it possible to use TFO with SSL connections on Linux
+ as well, without the need to mess around with OpenSSL (or whatever other
+ SSL library) internals.
+
+ Closes #2056
+
+- make: fix "make distclean"
+
+ Fixes #2097
+ Closes #2108
+
+- RELEASE-NOTES: synced with 31f18d272
+
+Jay Satiro (23 Nov 2017)
+- connect: improve the bind error message
+
+ eg consider a non-existent interface eth8, curl --interface eth8
+
+ Before: curl: (45) Could not resolve host: eth8
+ After: curl: (45) Couldn't bind to 'eth8'
+
+ Bug: https://github.com/curl/curl/issues/2104
+ Reported-by: Alfonso Martone
+
+Daniel Stenberg (23 Nov 2017)
+- examples/rtsp: clear RANGE again after use
+
+ Fixes #2106
+ Reported-by: youngchopin on github
+
+- [Michael Kaufmann brought this change]
+
+ test1264: verify URL with space in host name being rejected
+
+- url: reject ASCII control characters and space in host names
+
+ Host names like "127.0.0.1 moo" would otherwise be accepted by some
+ getaddrinfo() implementations.
+
+ Updated test 1034 and 1035 accordingly.
+
+ Fixes #2073
+ Closes #2092
+
+- Curl_open: fix OOM return error correctly
+
+ Closes #2098
+
+- http2: fix "Value stored to 'end' is never read" scan-build error
+
+- http2: fix "Value stored to 'hdbuf' is never read" scan-build error
+
+- openssl: fix "Value stored to 'rc' is never read" scan-build error
+
+- mime: fix "Value stored to 'sz' is never read" scan-build error
+
+- Curl_llist_remove: fix potential NULL pointer deref
+
+ Fixes a scan-build warning.
+
+- ntlm: remove unnecessary NULL-check to please scan-build
+
+- BUGS: spellchecked
+
+Jay Satiro (18 Nov 2017)
+- [fmmedeiros brought this change]
+
+ examples/curlx: Fix code style
+
+ - Add braces around multi-line if statement.
+
+ Closes https://github.com/curl/curl/pull/2096
+
+Daniel Stenberg (17 Nov 2017)
+- resolve: allow IP address within [] brackets
+
+ ... so that IPv6 addresses can be passed like they can for connect-to
+ and how they're used in URLs.
+
+ Added test 1324 to verify
+ Reported-by: Alex Malinovich
+
+ Fixes #2087
+ Closes #2091
+
+- [Pavol Markovic brought this change]
+
+ macOS: Fix missing connectx function with Xcode version older than 9.0
+
+ The previous fix https://github.com/curl/curl/pull/1788 worked just for
+ Xcode 9. This commit extends the fix to older Xcode versions effectively
+ by not using connectx function.
+
+ Fixes https://github.com/curl/curl/issues/1330
+ Fixes https://github.com/curl/curl/issues/2080
+ Closes https://github.com/curl/curl/pull/1336
+ Closes #2082
+
+- [Dirk Feytons brought this change]
+
+ openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
+
+ Fixes #2079
+ Closes #2081
+
+- TODO: ignore private IP addresses in PASV response
+
+ Closes #1455
+
+- RELEASE-NOTES: synced with ae7369b6d
+
+Michael Kaufmann (14 Nov 2017)
+- URL: return error on malformed URLs with junk after IPv6 bracket
+
+ Follow-up to aadb7c7. Verified by new test 1263.
+
+ Closes #2072
+
+Daniel Stenberg (14 Nov 2017)
+- INTERNALS: we may use libidn2 now, not libidn
+
+Patrick Monnerat (13 Nov 2017)
+- zlib/brotli: only include header files in modules needing them
+
+ There is a conflict on symbol 'free_func' between openssl/crypto.h and
+ zlib.h on AIX. This is an attempt to resolve it.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-11/0032.html
+ Reported-By: Michael Felt
+
+Daniel Stenberg (13 Nov 2017)
+- SMB: fix uninitialized local variable
+
+ Reported-by: Brian Carpenter
+
+- [Orgad Shaneh brought this change]
+
+ connect.c: remove executable bit on file
+
+ Closes #2071
+
+- [hsiao yi brought this change]
+
+ README.md: fixed layout
+
+ Closes #2069
+
+- setopt: split out curl_easy_setopt() to its own file
+
+ ... to make url.c smaller.
+
+ Closes #1944
+
+Jay Satiro (10 Nov 2017)
+- [John Starks brought this change]
+
+ cmake: Add missing setmode check
+
+ Ensure HAVE_SETMODE is set to 1 on OSes that have setmode. Without this,
+ curl will corrupt binary files when writing them to stdout on Windows.
+
+ Closes https://github.com/curl/curl/pull/2067
+
+Daniel Stenberg (10 Nov 2017)
+- curl_share_setopt: va_end was not called if conncache errors
+
+ CID 984459, detected by Coverity
+
+Sergei Nikulov (10 Nov 2017)
+- [John Starks brought this change]
+
+ cmake: Correctly include curl.rc in Windows builds (#2064)
+
+ Update CMakeLists.txt to add curl.rc to the correct list.
+
+Daniel Stenberg (9 Nov 2017)
+- RELEASE-NOTES: synced with 32828cc4f
+
+- [Luca Boccassi brought this change]
+
+ --interface: add support for Linux VRF
+
+ The --interface command (CURLOPT_INTERFACE option) already uses
+ SO_BINDTODEVICE on Linux, but it tries to parse it as an interface or IP
+ address first, which fails in case the user passes a VRF.
+
+ Try to use the socket option immediately and parse it as a fallback
+ instead. Update the documentation to mention this feature, and that it
+ requires the binary to be ran by root or with CAP_NET_RAW capabilities
+ for this to work.
+
+ Closes #2024
+
+- curl_share_setopt.3: document CURL_LOCK_DATA_CONNECT
+
+ Closes #2043
+
+- examples: add shared-connection-cache
+
+- test1554: verify connection cache sharing
+
+- share: add support for sharing the connection cache
+
+- imap: deal with commands case insensitively
+
+ As documented in RFC 3501 section 9:
+ https://tools.ietf.org/html/rfc3501#section-9
+
+ Closes #2061
+
+- connect: store IPv6 connection status after valid connection
+
+ ... previously it would store it already in the happy eyeballs stage
+ which could lead to the IPv6 bit being set for an IPv4 connection,
+ leading to curl not wanting to do EPSV=>PASV for FTP transfers.
+
+ Closes #2053
+
+- curl_multi_fdset.3: emphasize curl_multi_timeout
+
+ ... even when there's no socket to wait for, the timeout can still be
+ very short.
+
+Jay Satiro (9 Nov 2017)
+- content_encoding: fix inflate_stream for no bytes available
+
+ - Don't call zlib's inflate() when avail_in stream bytes is 0.
+
+ This is a follow up to the parent commit 19e66e5. Prior to that change
+ libcurl's inflate_stream could call zlib's inflate even when no bytes
+ were available, causing inflate to return Z_BUF_ERROR, and then
+ inflate_stream would treat that as a hard error and return
+ CURLE_BAD_CONTENT_ENCODING.
+
+ According to the zlib FAQ, Z_BUF_ERROR is not fatal.
+
+ This bug would happen randomly since packet sizes are arbitrary. A test
+ of 10,000 transfers had 55 fail (ie 0.55%).
+
+ Ref: https://zlib.net/zlib_faq.html#faq05
+
+ Closes https://github.com/curl/curl/pull/2060
+
+Patrick Monnerat (7 Nov 2017)
+- content_encoding: do not write 0 length data
+
+Daniel Stenberg (6 Nov 2017)
+- fnmatch: remove dead code
+
+ There was a duplicate check for backslashes in the setcharset()
+ function.
+
+ Coverity CID 1420611
+
+- url: remove unncessary NULL-check
+
+ Since 'conn' won't be NULL in there and we also access the pointer in
+ there without the check.
+
+ Coverity CID 1420610
+
+Viktor Szakats (6 Nov 2017)
+- src/Makefile.m32: fix typo in brotli lib customization
+
+ Ref cc1f4436099decb9d1a7034b2bb773a9f8379d31
+
+- Makefile.m32: allow to customize brotli libs
+
+ It adds the ability to link against static brotli libs.
+
+ Also fix brotli include path.
+
+Patrick Monnerat (5 Nov 2017)
+- travis: add a job with brotli enabled
+
+- [Viktor Szakats brought this change]
+
+ Makefile.m32: add brotli support
+
+- HTTP: implement Brotli content encoding
+
+ This uses the brotli external library (https://github.com/google/brotli).
+ Brotli becomes a feature: additional curl_version_info() bit and
+ structure fields are provided for it and CURLVERSION_NOW bumped.
+
+ Tests 314 and 315 check Brotli content unencoding with correct and
+ erroneous data.
+
+ Some tests are updated to accomodate with the now configuration dependent
+ parameters of the Accept-Encoding header.
+
+- HTTP: support multiple Content-Encodings
+
+ This is implemented as an output streaming stack of unencoders, the last
+ calling the client write procedure.
+
+ New test 230 checks this feature.
+
+ Bug: https://github.com/curl/curl/pull/2002
+ Reported-By: Daniel Bankhead
+
+Jay Satiro (4 Nov 2017)
+- url: remove arg value check from CURLOPT_SSH_AUTH_TYPES
+
+ Since CURLSSH_AUTH_ANY (aka CURLSSH_AUTH_DEFAULT) is ~0 an arg value
+ check on this option is incorrect; we have to accept any value.
+
+ Prior to this change since f121575 (7.56.1+) CURLOPT_SSH_AUTH_TYPES
+ erroneously rejected CURLSSH_AUTH_ANY with CURLE_BAD_FUNCTION_ARGUMENT.
+
+ Bug: https://github.com/curl/curl/commit/f121575#commitcomment-25347120
+
+Daniel Stenberg (4 Nov 2017)
+- ntlm: avoid malloc(0) for zero length passwords
+
+ It triggers an assert() when built with memdebug since malloc(0) may
+ return NULL *or* a valid pointer.
+
+ Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054
+
+ Assisted-by: Max Dymond
+ Closes #2054
+
+- RELEASE-NOTES: synced with ee8016b3d
+
+- curl: speed up handling of many URLs
+
+ By properly keeping track of the last entry in the list of URLs/uploads
+ to handle, curl now avoids many meaningless traverses of the list which
+ speeds up many-URL handling *MASSIVELY* (several magnitudes on 100K
+ URLs).
+
+ Added test 1291, to verify that it doesn't take ages - but we don't have
+ any detection of "too slow" command in the test suite.
+
+ Reported-by: arainchik on github
+ Fixes #1959
+ Closes #2052
+
+- curl: pass through [] in URLs instead of calling globbing error
+
+ Assisted-by: Per Lundberg
+ Fixes #2044
+ Closes #2046
+ Closes #2048
+
+- CURLOPT_INFILESIZE: accept -1
+
+ Regression since f121575
+
+ Reported-by: Petr Voytsik
+ Fixes #2047
+
+Jay Satiro (2 Nov 2017)
+- url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
+
+ Prior to this change since f121575 (7.56.1+) CURLOPT_DNS_CACHE_TIMEOUT
+ erroneously rejected -1 with CURLE_BAD_FUNCTION_ARGUMENT.
+
+Dan Fandrich (1 Nov 2017)
+- http2: Fixed OOM handling in upgrade request
+
+ This caused the torture tests on test 1800 to fail.
+
+- tests: Fixed torture tests on tests 556 and 650
+
+ Test cleanup after OOM wasn't being consistently performed.
+
+Daniel Stenberg (1 Nov 2017)
+- CURLOPT_MAXREDIRS: allow -1 as a value
+
+ ... which is valid according to documentation. Regression since
+ f121575c0b5f.
+
+ Verified now in test 501.
+
+ Reported-by: cbartl on github
+ Fixes #2038
+ Closes #2039
+
+- include: remove conncache.h inclusion from where its not needed
+
+Jay Satiro (1 Nov 2017)
+- url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
+
+ .. also add same arg value check to CURLOPT_POSTFIELDSIZE_LARGE.
+
+ Prior to this change since f121575 (7.56.1+) CURLOPT_POSTFIELDSIZE
+ erroneously rejected -1 value with CURLE_BAD_FUNCTION_ARGUMENT.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-11/0000.html
+ Reported-by: Andrew Lambert
+
+Daniel Stenberg (31 Oct 2017)
+- cookie: avoid NULL dereference
+
+ ... when expiring old cookies.
+
+ Reported-by: Pavel Gushchin
+ Fixes #2032
+ Closes #2035
+
+Marcel Raad (30 Oct 2017)
+- memdebug: use send/recv signature for curl_dosend/curl_dorecv
+
+ This avoids build errors and warnings caused by implicit casts.
+
+ Closes https://github.com/curl/curl/pull/2031
+
+Daniel Stenberg (30 Oct 2017)
+- [Juro Bystricky brought this change]
+
+ mkhelp.pl: support reproducible build
+
+ Do not generate line with the current date, such as:
+
+ * Generation time: Tue Oct-24 18:01:41 2017
+
+ This will improve reproducibility. The generated string is only
+ part of a comment, so there should be no adverse consequences.
+
+ Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+
+ closes #2026
+
+Dan Fandrich (30 Oct 2017)
+- runtests.pl: Fixed typo in message
+
+Daniel Stenberg (30 Oct 2017)
+- curlx: the timeval functions are no longer provided as curlx_*
+
+ Pointed-out-by: Dmitri Tikhonov
+ Bug: #2034
+
+- select: update comments
+
+ s/curlx_tvnow/Curl_now
+
+- INTERNALS: remove curlx_tv* functions no longer provided
+
+- [Dmitri Tikhonov brought this change]
+
+ timeval: use mach time on MacOS
+
+ If clock_gettime() is not supported, use mach_absolute_time() on MacOS.
+
+ closes #2033
+
+monnerat (29 Oct 2017)
+- [Patrick Monnerat brought this change]
+
+ cli tool: improve ";type=" handling in -F option arguments
+
+- [Patrick Monnerat brought this change]
+
+ cli tool: in -F option arg, comma is a delimiter for files only
+
+ Also upgrade test 1133 to cover this case and clarify man page about
+ form data quoting.
+
+ Bug: https://github.com/curl/curl/issues/2022
+ Reported-By: omau on github
+
+Daniel Stenberg (29 Oct 2017)
+- timeleft: made two more users of Curl_timeleft use timediff_t
+
+Jakub Zakrzewski (28 Oct 2017)
+- cmake: Export libcurl and curl targets to use by other cmake projects
+
+ The config files define curl and libcurl targets as imported targets
+ CURL::curl and CURL::libcurl. For backward compatibility with CMake-
+ provided find-module the CURL_INCLUDE_DIRS and CURL_LIBRARIES are
+ also set.
+
+ Closes #1879
+
+Daniel Stenberg (28 Oct 2017)
+- RELEASE-NOTES: synced with f20cbac97
+
+- [Florin Petriuc brought this change]
+
+ auth: Added test cases for RFC7616
+
+ Updated docs to include support for RFC7616
+
+ Signed-off-by: Florin <petriuc.florin@gmail.com>
+
+ Closes #1934
+
+- [Florin Petriuc brought this change]
+
+ auth: add support for RFC7616 - HTTP Digest access authentication
+
+ Signed-off-by: Florin <petriuc.florin@gmail.com>
+
+- [Daniel Bankhead brought this change]
+
+ TODO: support multiple Content-Encodings
+
+ Closes #2002
+
+- ROADMAP: cleanup
+
+ Removed done stuff. Removed entries no longer considered for the near
+ term.
+
+- [Magicansk brought this change]
+
+ ROADMAP.md: spelling fixes
+
+ Closes #2028
+
+- Curl_timeleft: change return type to timediff_t
+
+ returning 'time_t' is problematic when that type is unsigned and we
+ return values less than zero to signal "already expired", used in
+ several places in the code.
+
+ Closes #2021
+
+- appveyor: add a win32 build
+
+- setopt: fix CURLOPT_SSH_AUTH_TYPES option read
+
+ Regression since f121575c0b5f
+
+ Reported-by: Rob Cotrone
+
+Marcel Raad (27 Oct 2017)
+- resolvers: only include anything if needed
+
+ This avoids warnings about unused stuff.
+
+ Closes https://github.com/curl/curl/pull/2023
+
+Daniel Stenberg (27 Oct 2017)
+- HELP-US: rename the subtitle too since the label is changed
+
+ "PR-welcome" was the former name.
+
+- curl_setup.h: oops, shorten the too long line
+
+- [Martin Storsjo brought this change]
+
+ curl_setup: Improve detection of CURL_WINDOWS_APP
+
+ If WINAPI_FAMILY is defined, it should be safe to try to include
+ winapifamily.h to check what the define evaluates to.
+
+ This should fix detection of CURL_WINDOWS_APP if building with
+ _WIN32_WINNT set to 0x0600.
+
+ Closes #2025
+
+Jay Satiro (26 Oct 2017)
+- transfer: Fix chunked-encoding upload bug
+
+ - When uploading via chunked-encoding don't compare file size to bytes
+ sent to determine whether the upload has finished.
+
+ Chunked-encoding adds its own overhead which why the bytes sent is not
+ equal to the file size. Prior to this change if a file was uploaded in
+ chunked-encoding and its size was known it was possible that the upload
+ could end prematurely without sending the final few chunks. That would
+ result in a server hang waiting for the remaining data, likely followed
+ by a disconnect.
+
+ The scope of this bug is limited to some arbitrary file sizes which have
+ not been determined. One size that triggers the bug is 475020.
+
+ Bug: https://github.com/curl/curl/issues/2001
+ Reported-by: moohoorama@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/2010
+
+Daniel Stenberg (26 Oct 2017)
+- timeval: make timediff_t also work on 32bit windows
+
+ ... by using curl_off_t for the typedef if time_t is larger than 4
+ bytes.
+
+ Reported-by: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/b9d25f9a6b3ca791385b80a6a3c3fa5ae113e1e0#co
+ mmitcomment-25205058
+ Closes #2019
+
+- curl_fnmatch: return error on illegal wildcard pattern
+
+ ... instead of doing an infinite loop!
+
+ Added test 1162 to verify.
+
+ Reported-by: Max Dymond
+ Fixes #2015
+ Closes #2017
+
+- [Max Dymond brought this change]
+
+ wildcards: don't use with non-supported protocols
+
+ Fixes timeouts in the fuzzing tests for non-FTP protocols.
+
+ Closes #2016
+
+- [Max Dymond brought this change]
+
+ multi: allow table handle sizes to be overridden
+
+ Allow users to specify their own hash define for
+ CURL_CONNECTION_HASH_SIZE so that both values can be overridden.
+
+ Closes #1982
+
+- time: rename Curl_tvnow to Curl_now
+
+ ... since the 'tv' stood for timeval and this function does not return a
+ timeval struct anymore.
+
+ Also, cleaned up the Curl_timediff*() functions to avoid typecasts and
+ clean up the descriptive comments.
+
+ Closes #2011
+
+- ftplistparser: follow-up cleanup to remove PL_ERROR()
+
+- [Max Dymond brought this change]
+
+ ftplistparser: free off temporary memory always
+
+ When using the FTP list parser, ensure that the memory that's
+ allocated is always freed.
+
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3682
+ Closes #2013
+
+- timediff: return timediff_t from the time diff functions
+
+ ... to cater for systems with unsigned time_t variables.
+
+ - Renamed the functions to curlx_timediff and Curl_timediff_us.
+
+ - Added overflow protection for both of them in either direction for
+ both 32 bit and 64 bit time_ts
+
+ - Reprefixed the curlx_time functions to use Curl_*
+
+ Reported-by: Peter Piekarski
+ Fixes #2004
+ Closes #2005
+
+- [Paul Howarth brought this change]
+
+ libtest: Add required test libraries for lib1552 and lib1553
+
+ They use $(TESTUTIL) and thus should use $(TESTUTIL_LIBS) too.
+
+ This fixes build failures on Fedora 13.
+
+ Closes #2006
+
+- [Alessandro Ghedini brought this change]
+
+ libcurl-tutorial.3: fix typo
+
+ closes #2008
+
+Alessandro Ghedini (23 Oct 2017)
+- curl_mime_filedata.3: fix typos
+
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: clean slate towards 7.57.0
+
+- [Max Dymond brought this change]
+
+ travis: exit if any steps fail
+
+ We don't expect any steps to fail in travis. Exit the script if they do.
+
+ Closes #1966
+
+Version 7.56.1 (23 Oct 2017)
+
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: 7.56.1
+
+- THANKS: update at 7.56.1 release time
+
+- [Jon DeVree brought this change]
+
+ mk-ca-bundle: Remove URL for aurora
+
+ Aurora is no longer used by Mozilla
+ https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/
+
+- [Jon DeVree brought this change]
+
+ mk-ca-bundle: Fix URL for NSS
+
+ The 'tip' is the most recent branch committed to, this should be
+ 'default' like the URLs for the browser are.
+
+ Closes #1998
+
+- imap: if a FETCH response has no size, don't call write callback
+
+ CVE-2017-1000257
+
+ Reported-by: Brian Carpenter and 0xd34db347
+ Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
+
+- ftp: reject illegal IP/port in PASV 227 response
+
+ ... by using range checks. Among other things, this avoids an undefined
+ behavior for a left shift that could happen on negative or very large
+ values.
+
+ Closes #1997
+
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694
+
+Patrick Monnerat (20 Oct 2017)
+- test653: check reuse of easy handle after mime data change
+
+ See issue #1999
+
+- mime: do not reuse previously computed multipart size
+
+ The contents might have changed: size must be recomputed.
+
+ Reported-by: moteus on github
+ Fixes #1999
+
+- test308: disable if MultiSSL feature enabled
+
+ Even if OpenSSL is enabled, it might not be the default backend when
+ multi-ssl is enabled, causing the test to fail.
+
+- runtests: support MultiSSL client feature
+
+- vtls: change struct Curl_ssl `close' field name to `close_one'.
+
+ On OS/400, `close' is an ASCII system macro that corrupts the code if
+ not used in a context not targetting the close() system API.
+
+- os400: add missing symbols in config file.
+
+ Also adjust makefile to renamed files and warn about installation dirs mix-up.
+
+- test652: curl_mime_data + base64 encoder with large contents
+
+- mime: limit bas64-encoded lines length to 76 characters
+
+Daniel Stenberg (16 Oct 2017)
+- RELEASE-NOTES: synced with f121575c0
+
+- setopt: range check most long options
+
+ ... filter early instead of risking "funny values" having to be dealt
+ with elsewhere.
+
+- setopt: avoid integer overflows when setting millsecond values
+
+ ... that are multiplied by 1000 when stored.
+
+ For 32 bit long systems, the max value accepted (2147483 seconds) is >
+ 596 hours which is unlikely to ever be set by a legitimate application -
+ and previously it didn't work either, it just caused undefined behavior.
+
+ Also updated the man pages for these timeout options to mention the
+ return code.
+
+ Closes #1938
+
+Viktor Szakats (15 Oct 2017)
+- makefile.m32: allow to override gcc, ar and ranlib
+
+ Allow to ovverride certain build tools, making it possible to
+ use LLVM/Clang to build curl. The default behavior is unchanged.
+ To build with clang (as offered by MSYS2), these settings can
+ be used:
+
+ CURL_CC=clang
+ CURL_AR=llvm-ar
+ CURL_RANLIB=llvm-ranlib
+
+ Closes https://github.com/curl/curl/pull/1993
+
+- ldap: silence clang warning
+
+ Use memset() to initialize a structure to avoid LLVM/Clang warning:
+ ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers]
+
+ Closes https://github.com/curl/curl/pull/1992
+
+Daniel Stenberg (14 Oct 2017)
+- runtests: use valgrind for torture as well
+
+ NOTE: it makes them terribly slow. I recommend only using valgrind for
+ specific torture tests or using lots of patience.
+
+- memdebug: trace send, recv and socket
+
+ ... to allow them to be included in torture tests too.
+
+ closes #1980
+
+- configure: remove the C++ compiler check
+
+ ... we used it only for the fuzzer, which we now have in a separate git
+ repo.
+
+ Closes #1990
+
+Patrick Monnerat (13 Oct 2017)
+- mime: do not call failf() if easy handle is NULL.
+
+Daniel Stenberg (13 Oct 2017)
+- test651: curl_formadd with huge COPYCONTENTS
+
+- mime: fix the content reader to handle >16K data properly
+
+ Reported-by: Jeroen Ooms
+ Closes #1988
+
+Patrick Monnerat (12 Oct 2017)
+- mime: keep "text/plain" content type if user-specified.
+
+ Include test cases in 554, 587, 650.
+
+ Fixes https://github.com/curl/curl/issues/1986
+
+- cli tool: use file2memory() to buffer stdin in -F option.
+
+ Closes PR https://github.com/curl/curl/pull/1985
+
+- cli tool: reimplement stdin buffering in -F option.
+
+ If stdin is not a regular file, its content is memory-buffered to enable
+ a possible data "rewind".
+ In all cases, stdin data size is determined before real use to avoid
+ having an unknown part's size.
+
+ --libcurl generated code is left as an unbuffered stdin fread/fseek callback
+ part with unknown data size.
+
+ Buffering is not supported in deprecated curl_formadd() API.
+
+Daniel Stenberg (12 Oct 2017)
+- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2
+
+- HELP-US: the label "PR-welcome" is now renamed to "help wanted"
+
+ following the new github "standard"
+
+- RELEASE-NOTES: synced with 5505df7d2
+
+Jay Satiro (11 Oct 2017)
+- [Artak Galoyan brought this change]
+
+ url: Update current connection SSL verify params in setopt
+
+ Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active
+ connection updates the current connection's (i.e.'connectdata'
+ structure) appropriate ssl_config (and ssl_proxy_config) structures
+ variables, making these options effective for ongoing connection.
+
+ This functionality was available before and was broken by the
+ following change:
+ "proxy: Support HTTPS proxy and SOCKS+HTTP(s)"
+ CommitId: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151.
+
+ Bug: https://github.com/curl/curl/issues/1941
+
+ Closes https://github.com/curl/curl/pull/1951
+
+Daniel Stenberg (11 Oct 2017)
+- [David Benjamin brought this change]
+
+ openssl: don't use old BORINGSSL_YYYYMM macros
+
+ Those were temporary things we'd add and remove for our own convenience
+ long ago. The last few stayed around for too long as an oversight but
+ have since been removed. These days we have a running
+ BORINGSSL_API_VERSION counter which is bumped when we find it
+ convenient, but 2015-11-19 was quite some time ago, so just check
+ OPENSSL_IS_BORINGSSL.
+
+ Closes #1979
+
+- test950; verify SMTP with custom request
+
+- ftpserver: support case insensitive commands
+
+- smtp_done: free data before returning (on send failure)
+
+ ... as otherwise it could leak that memory.
+
+ Detected by OSS-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600
+
+ Assisted-by: Max Dymond
+ Closes #1977
+
+- FTP: URL decode path for dir listing in nocwd mode
+
+ Reported-by: Zenju on github
+
+ Test 244 added to verify
+ Fixes #1974
+ Closes #1976
+
+- test298: verify --ftp-method nowcwd with URL encoded path
+
+ Ref: #1974
+
+- CURLOPT_XFERINFODATA.3: fix duplicate see also
+
+- CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
+
+- FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
+
+- openssl: enable PKCS12 support for !BoringSSL
+
+ Enable PKCS12 for all non-boringssl builds without relying on configure
+ or cmake checks.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html
+ Reported-by: Christian Schmitz
+ Closes #1948
+
+- [Kristiyan Tsaklev brought this change]
+
+ curl: don't pass semicolons when parsing Content-Disposition
+
+ Test 1422 updated to verify.
+
+ Closes #1964
+
+Patrick Monnerat (9 Oct 2017)
+- mime: properly unbind mime structure in curl_mime_free().
+
+ This allows freeing a mime structure bound to the easy handle before
+ curl_easy_cleanup().
+
+ Fixes #1970.
+
+Daniel Stenberg (9 Oct 2017)
+- RTSP: avoid integer overflow on funny RTSP response
+
+ ... like a very large non-existing RTSP version number.
+
+ Added test 577 to verify.
+
+ Detected by OSS-fuzz.
+ Closes #1969
+
+Patrick Monnerat (8 Oct 2017)
+- ftpserver: properly reset $ftptargetdir.
+
+- test643: verify curl_mime_subparts() rejects cyclic additions.
+
+- mime: refuse to add subparts to one of their own descendants.
+
+ Reported-by: Alexey Melnichuk
+ Fixes #1962
+
+- mime: avoid resetting a part's encoder when part's contents change.
+
+- mime: improve unbinding top multipart from easy handle.
+
+ Also avoid dangling pointers in referencing parts.
+
+Daniel Stenberg (8 Oct 2017)
+- RELEASE-NOTES: synced with a4c1c75da30af1
+
+- curlver.h: next expected release is 7.57.0
+
+Patrick Monnerat (8 Oct 2017)
+- mime: be tolerant about setting twice the same header list in a part.
+
+- docs: clarify form/mime usage of non-regular data files.
+
+Daniel Stenberg (8 Oct 2017)
+- Revert "multi_done: wait for name resolve to finish if still ongoing"
+
+ This reverts commit f3e03f6c0ac52a1bf396e03f7d7e9b5b3b7165fe.
+
+ Caused memory leaks in the fuzzer, needs to be done differently.
+
+ Disable test 1553 for now too, as it causes memory leaks without this
+ commit!
+
+- remove_handle: call multi_done() first, then clear dns cache pointer
+
+ Closes #1960
+
+- multi_done: wait for name resolve to finish if still ongoing
+
+ ... as we must clean up memory.
+
+- pingpong: return error when trying to send without connection
+
+ When imap_done() got called before a connection is setup, it would try
+ to "finish up" and dereffed a NULL pointer.
+
+ Test case 1553 managed to reproduce. I had to actually use a host name
+ to try to resolve to slow it down, as using the normal local server IP
+ will make libcurl get a connection in the first curl_multi_perform()
+ loop and then the bug doesn't trigger.
+
+ Fixes #1953
+ Assisted-by: Max Dymond
+
+Dan Fandrich (6 Oct 2017)
+- tests: added flaky keyword to tests 587 and 644
+
+ These are around 5% flaky in my Linux x86 autobuilds.
+
+Marcel Raad (6 Oct 2017)
+- vtls: fix warnings with --disable-crypto-auth
+
+ When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters
+ are not used.
+
+Daniel Stenberg (6 Oct 2017)
+- multi_cleanup: call DONE on handles that never got that
+
+ ... fixes a memory leak with at least IMAP when remove_handle is never
+ called and the transfer is abruptly just abandoned early.
+
+ Test 1552 added to verify
+
+ Detected by OSS-fuzz
+ Assisted-by: Max Dymond
+ Closes #1954
+
+- [Benbuck Nason brought this change]
+
+ strtoofft: Remove extraneous null check
+
+ Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str'
+ argument.
+
+ Closes #1952
+
+- openssl: fix build without HAVE_OPAQUE_EVP_PKEY
+
+ Reported-by: Javier Sixto
+ Fixes #1955
+ Closes #1956
+
+Viktor Szakats (6 Oct 2017)
+- lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
+
+ The source code is now prepared to handle the case when both
+ Win32 Crypto and OpenSSL/NSS crypto backends are enabled
+ at the same time, making it now possible to enable `USE_WIN32_CRYPTO`
+ whenever the targeted Windows version supports it. Since this
+ matches the minimum Windows version supported by curl
+ (Windows 2000), enable it unconditionally for the Win32 platform.
+
+ This in turn enables SMB (and SMBS) protocol support whenever
+ Win32 Crypto is available, regardless of what other crypto backends
+ are enabled.
+
+ Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052
+
+ Closes https://github.com/curl/curl/pull/1943
+
+Daniel Stenberg (5 Oct 2017)
+- build: fix --disable-crypto-auth
+
+ Reported-by: Wyatt O'Day
+ Fixes #1945
+ Closes #1947
+
+Jay Satiro (5 Oct 2017)
+- [Nick Zitzmann brought this change]
+
+ darwinssl: add support for TLSv1.3
+
+ Closes https://github.com/curl/curl/pull/1794
+
+Daniel Stenberg (4 Oct 2017)
+- [Felix Kaiser brought this change]
+
+ docs: fix typo in curl_mime_data_cb man page
+
+ Closes #1946
+
+Viktor Szakats (4 Oct 2017)
+- lib/Makefile.m32: allow customizing dll suffixes
+
+ - New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated
+ libcurl dll name. Useful to add `-x64` to 64-bit builds so that
+ it can live in the same directory as the 32-bit one. By default
+ this is empty.
+
+ - New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the
+ generated import library (implib) for libcurl .dll. It defaults
+ to `dll`, and it's useful to modify that to `.dll` to have the
+ standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`.
+
+ Closes https://github.com/curl/curl/pull/1942
+
+Daniel Stenberg (4 Oct 2017)
+- [Max Dymond brought this change]
+
+ fuzzer: move to using external curl-fuzzer
+
+ Use the external curl-fuzzer repository for fuzzing.
+
+ Closes #1923
+
+- failf: skip the sprintf() if there are no consumers
+
+ Closes #1936
+
+- ftp: UBsan fixup 'pointer index expression overflowed'
+
+ Closes #1939
+
+- RELEASE-PROCEDURE: update the release schedule
+
+Version 7.56.0 (4 Oct 2017)
+
+Daniel Stenberg (4 Oct 2017)
+- RELEASE-NOTES: curl 7.56.0
+
+- THANKS: added new 7.56.0 contributors
+
+Jay Satiro (4 Oct 2017)
+- build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported
+
+ Ref: https://github.com/curl/curl/issues/1002
+
+Michael Kaufmann (3 Oct 2017)
+- idn: fix source code comment
+
+- vtls: compare and clone ssl configs properly
+
+ Compare these settings in Curl_ssl_config_matches():
+ - verifystatus (CURLOPT_SSL_VERIFYSTATUS)
+ - random_file (CURLOPT_RANDOM_FILE)
+ - egdsocket (CURLOPT_EGDSOCKET)
+
+ Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(),
+ and copy the setting "sessionid" unconditionally.
+
+ This means that reusing connections that are secured with a client
+ certificate is now possible, and the statement "TLS session resumption
+ is disabled when a client certificate is used" in the old advisory at
+ https://curl.haxx.se/docs/adv_20170419.html is obsolete.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #1917
+
+- proxy: read the "no_proxy" variable only if necessary
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #1919
+
+Patrick Monnerat (3 Oct 2017)
+- libcurl-tutorial: add casts in example to avoid compilation warnings.
+
+Daniel Stenberg (3 Oct 2017)
+- examples: bring back curl_formadd-using examples
+
+ ... now with a -formadd suffix. While the new mime API is introduced in
+ 7.56.0 we must acknowledge that lots of users can't upgrade their curl
+ versions immediately.
+
+- test1153: verify quoted double-qoutes in PWD response
+
+- FTP: zero terminate the entry path even on bad input
+
+ ... a single double quote could leave the entry path buffer without a zero
+ terminating byte. CVE-2017-1000254
+
+ Test 1152 added to verify.
+
+ Reported-by: Max Dymond
+ Bug: https://curl.haxx.se/docs/adv_20171004.html
+
+Jay Satiro (2 Oct 2017)
+- [Sergei Nikulov brought this change]
+
+ cmake: disable tests and man generation if perl/nroff not found
+
+ Fixes https://github.com/curl/curl/issues/1500
+ Reported-by: Jay Satiro
+
+ Fixes https://github.com/curl/curl/pull/1662
+ Assisted-by: Tom Seddon
+ Assisted-by: dpull@users.noreply.github.com
+ Assisted-by: elelel@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/1924
+
+Patrick Monnerat (2 Oct 2017)
+- libcurl-tutorial: fix two typos.
+
+- TODO: remove deprecated form API items.
+
+- libcurl-tutorial: describe MIME API and deprecate form API.
+
+ Include a guide to form/mime API conversion.
+
+Daniel Stenberg (30 Sep 2017)
+- cookie: fix memory leak if path was set twice in header
+
+ ... this will let the second occurance override the first.
+
+ Added test 1161 to verify.
+
+ Reported-by: Max Dymond
+ Fixes #1932
+ Closes #1933
+
+Dan Fandrich (30 Sep 2017)
+- test650: Use variable replacement to set the host address and port
+
+ Otherwise, the test fails when the -b test option is used to set a
+ different test port range.
+
+- Set and use more necessary options when some protocols are disabled
+
+ When curl and libcurl are built with some protocols disabled, they stop
+ setting and receiving some options that don't make sense with those
+ protocols. In particular, when HTTP is disabled many options aren't set
+ that are used only by HTTP. However, some options that appear to be
+ HTTP-only are actually used by other protocols as well (some despite
+ having HTTP in the name) and should be set, but weren't. This change now
+ causes some of these options to be set and used for more (or for all)
+ protocols. In particular, this fixes tests 646 through 649 in an
+ HTTP-disabled build, which use the MIME API in the mail protocols.
+
+Daniel Stenberg (29 Sep 2017)
+- test1160: verifies cookie leak for large cookies
+
+ The fix done in 20ea22ff735
+
+- cookie: fix memory leak on oversized rejection
+
+ Regression brought by 2bc230de63b
+
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513
+ Assisted-by: Max Dymond
+
+ Closes #1930
+
+- [Anders Bakken brought this change]
+
+ connect: fix race condition with happy eyeballs timeout
+
+ The timer should be started after conn->connecttime is set. Otherwise
+ the timer could expire without this condition being true:
+
+ /* should we try another protocol family? */
+ if(i == 0 && conn->tempaddr[1] == NULL &&
+ curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) {
+
+ Ref: #1928
+
+Michael Kaufmann (28 Sep 2017)
+- docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS
+
+ Closes #1922
+
+- docs: clarify the use of environment variables for proxy
+
+ Closes #1921
+
+- http: add custom empty headers to repeated requests
+
+ Closes #1920
+
+- reuse_conn: don't copy flags that are known to be equal
+
+ A connection can only be reused if the flags "conn_to_host" and
+ "conn_to_port" match. Therefore it is not necessary to copy these flags
+ in reuse_conn().
+
+ Closes #1918
+
+Daniel Stenberg (27 Sep 2017)
+- curl.h: include <sys/select.h> on cygwin too
+
+ When building with -std=c++14 on cygwin, this header won't be
+ automatically included as it otherwise is.
+
+ The <sys/select.h> include decision should ideally be reversed and be
+ avoided where that header file doesn't exist.
+
+ Reported-by: Ian Fette
+ Fixes #1925
+
+- RELEASE-NOTES: synced with d8ab5dc50
+
+Michael Kaufmann (24 Sep 2017)
+- tests: adjust .gitignore for new tests
+
+Jay Satiro (23 Sep 2017)
+- ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header
+
+ .. and include the core NTLM header in all NTLM-related source files.
+
+ Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
+ but did not include vtls.h where it was defined.
+
+ Closes https://github.com/curl/curl/pull/1911
+
+Daniel Stenberg (23 Sep 2017)
+- file_range: avoid integer overflow when figuring out byte range
+
+ When trying to bump the value with one and the value is already at max,
+ it causes an integer overflow.
+
+ Closes #1908
+ Detected by oss-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465
+
+ Assisted-by: Max Dymond
+
+Michael Kaufmann (23 Sep 2017)
+- tests: fix a compiler warning in test 643
+
+Jay Satiro (23 Sep 2017)
+- symbols-in-versions: fix CURLSSLSET_NO_BACKENDS entry
+
+ - Use spaces instead of tabs as the delimiter.
+
+ Follow up to 7c52b12 which added the entry. The entry had used tabs but
+ the symbol-scan parser doesn't recognize tabs and would fail the symbol.
+
+Viktor Szakats (22 Sep 2017)
+- metalink: fix NSS issue in MultiSSL builds
+
+ In MultiSSL mode (i.e. when more than one SSL backend is compiled
+ in), we cannot use the compile time flag `USE_NSS` as indicator that
+ the NSS backend is in use. As far as Metalink is concerned, the SSL
+ backend is only used for MD5, SHA-1 and SHA-256 calculations,
+ therefore one of the available SSL backends is selected at compile
+ time, in a strict order of preference.
+
+ Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used
+ to determine whether the SSL backend used for Metalink is the NSS
+ backend, and use that to guard the code that wants to de-initialize
+ the NSS-specific data structure.
+
+ Ref: https://github.com/curl/curl/pull/1848
+
+- ntlm: use strict order for SSL backend #if branches
+
+ With the recently introduced MultiSSL support multiple SSL backends
+ can be compiled into cURL That means that now the order of the SSL
+
+ One option would be to use the same SSL backend as was configured
+ via `curl_global_sslset()`, however, NTLMv2 support would appear
+ to be available only with some SSL backends. For example, when
+ eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
+ support for NTLMv1 using Windows' Crypt API, it specifically did
+ *not* introduce NTLMv2 support using Crypt API at the same time.
+
+ So let's select one specific SSL backend for NTLM support when
+ compiled with multiple SSL backends, using a priority order such
+ that we support NTLMv2 even if only one compiled-in SSL backend can
+ be used for that.
+
+ Ref: https://github.com/curl/curl/pull/1848
+
+Daniel Stenberg (22 Sep 2017)
+- symbols-in-versions: add CURLSSLSET_NO_BACKENDS
+
+ ...fixup from b8e0fe19ec
+
+- imap: quote atoms properly when escaping characters
+
+ Updates test 800 to verify
+
+ Fixes #1902
+ Closes #1903
+
+- tests: make the imap server not verify user+password
+
+ ... as the test cases themselves do that and it makes it easier to add
+ crazy test cases.
+
+ Test 800 updated to use user name + password that need quoting.
+
+ Test 856 updated to trigger an auth fail differently.
+
+ Ref: #1902
+
+- vtls: provide curl_global_sslset() even in non-SSL builds
+
+ ... it just returns error:
+
+ Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367
+ Reported-by: Marcel Raad
+
+ Closes #1906
+
+Patrick Monnerat (22 Sep 2017)
+- form/mime: field names are not allowed to contain zero-valued bytes.
+
+ Also suppress length argument of curl_mime_name() (names are always
+ zero-terminated).
+
+Daniel Stenberg (21 Sep 2017)
+- [Dirk Feytons brought this change]
+
+ openssl: only verify RSA private key if supported
+
+ In some cases the RSA key does not support verifying it because it's
+ located on a smart card, an engine wants to hide it, ...
+ Check the flags on the key before trying to verify it.
+ OpenSSL does the same thing internally; see ssl/ssl_rsa.c
+
+ Closes #1904
+
+Marcel Raad (21 Sep 2017)
+- examples/post-callback: use long for CURLOPT_POSTFIELDSIZE
+
+ Otherwise, typecheck-gcc.h warns on MinGW-w64.
+
+Patrick Monnerat (20 Sep 2017)
+- mime: rephrase the multipart output state machine (#1898) ...
+
+ ... in hope coverity will like it much.
+
+- mime: fix an explicit null dereference (#1899)
+
+Daniel Stenberg (20 Sep 2017)
+- curl: check fseek() return code and bail on error
+
+ Detected by coverity. CID 1418137.
+
+- smtp: fix memory leak in OOM
+
+ Regression since ce0881edee
+
+ Coverity CID 1418139 and CID 1418136 found it, but it was also seen in
+ torture testing.
+
+- RELEASE-NOTES: synced with 5fe85587c
+
+- [Pavel Pavlov brought this change]
+
+ cookies: use lock when using CURLINFO_COOKIELIST
+
+ Closes #1896
+
+- [Max Dymond brought this change]
+
+ ossfuzz: changes before merging the generated corpora
+
+ Before merging in the oss-fuzz corpora from Google, there are some changes
+ to the fuzzer.
+ - Add a read corpus script, to display corpus files nicely.
+ - Change the behaviour of the fuzzer so that TLV parse failures all now
+ go down the same execution paths, which should reduce the size of the
+ corpora.
+ - Make unknown TLVs a failure to parse, which should decrease the size
+ of the corpora as well.
+
+ Closes #1881
+
+- mime:escape_string minor clarification change
+
+ ... as it also removes a warning with old gcc versions.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0049.html
+ Reported-by: Ben Greear
+
+- [Max Dymond brought this change]
+
+ ossfuzz: don't write out to stdout
+
+ Don't make the fuzzer write out to stdout - instead write some of the
+ contents to a memory block so we exercise the data output code but
+ quietly.
+
+ Closes #1885
+
+- cookies: reject oversized cookies
+
+ ... instead of truncating them.
+
+ There's no fixed limit for acceptable cookie names in RFC 6265, but the
+ entire cookie is said to be less than 4096 bytes (section 6.1). This is
+ also what browsers seem to implement.
+
+ We now allow max 5000 bytes cookie header. Max 4095 bytes length per
+ cookie name and value. Name + value together may not exceed 4096 bytes.
+
+ Added test 1151 to verify
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
+ Reported-by: Kevin Smith
+
+ Closes #1894
+
+- travis: on mac, don't install openssl or libidn
+
+ - openssl is already installed and causes warnings when trying to
+ install again
+
+ - libidn isn't used these days, and homebrew doesn't seem to have a
+ libidn2 package to replace with easily
+
+ Closes #1895
+
+- curl: make str2udouble not return values on error
+
+ ... previously it would store a return value even when it returned
+ error, which could make the value get used anyway!
+
+ Reported-by: Brian Carpenter
+ Closes #1893
+
+Jay Satiro (18 Sep 2017)
+- socks: fix incorrect port number in SOCKS4 error message
+
+ Prior to this change it appears the SOCKS5 port parsing was erroneously
+ used for the SOCKS4 error message, and as a result an incorrect port
+ would be shown in the error message.
+
+ Bug: https://github.com/curl/curl/issues/1892
+ Reported-by: Jackarain@users.noreply.github.com
+
+- [Marc Aldorasi brought this change]
+
+ schannel: Support partial send for when data is too large
+
+ Schannel can only encrypt a certain amount of data at once. Instead of
+ failing when too much data is to be sent at once, send as much data as
+ we can and let the caller send the remaining data by calling send again.
+
+ Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html
+
+ Closes https://github.com/curl/curl/pull/1890
+
+- [David Benjamin brought this change]
+
+ openssl: add missing includes
+
+ lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
+ their headers directly rather than relying on other OpenSSL headers
+ including things.
+
+ Closes https://github.com/curl/curl/pull/1891
+
+Daniel Stenberg (15 Sep 2017)
+- conversions: fix several compiler warnings
+
+- server/getpart: provide dummy function to build conversion enabled
+
+- non-ascii: use iconv() with 'char **' argument
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0031.html
+
+- escape.c: error: pointer targets differ in signedness
+
+- docs: clarify the CURLOPT_INTERLEAVE* options behavior
+
+- [Max Dymond brought this change]
+
+ rtsp: Segfault in rtsp.c when using WRITEDATA
+
+ If the INTERLEAVEFUNCTION is defined, then use that plus the
+ INTERLEAVEDATA information when writing RTP. Otherwise, use
+ WRITEFUNCTION and WRITEDATA.
+
+ Fixes #1880
+ Closes #1884
+
+Marcel Raad (15 Sep 2017)
+- [Isaac Boukris brought this change]
+
+ tests: enable gssapi in travis-ci linux build
+
+ Closes https://github.com/curl/curl/pull/1687
+
+- [Isaac Boukris brought this change]
+
+ tests: add initial gssapi test using stub implementation
+
+ The stub implementation is pre-loaded using LD_PRELOAD
+ and emulates common gssapi uses (only builds if curl is
+ initially built with gssapi support).
+
+ The initial tests are currently disabled for debug builds
+ as LD_PRELOAD is not used then.
+
+ Ref: https://github.com/curl/curl/pull/1687
+
+Daniel Stenberg (15 Sep 2017)
+- test1150: verify same host fetch using different ports over proxy
+
+ Closes #1889
+
+- URL: on connection re-use, still pick the new remote port
+
+ ... as when a proxy connection is being re-used, it can still get a
+ different remote port.
+
+ Fixes #1887
+ Reported-by: Oli Kingshott
+
+- RELEASE-NOTES: synced with 87501e57f
+
+- code style: remove wrong uses of multiple spaces
+
+ Closes #1878
+
+- checksrc: detect and warn for multiple spaces
+
+- code style: use space after semicolon
+
+- checksrc: verify space after semicolons
+
+- code style: use spaces around pluses
+
+- checksrc: detect and warn for lack of spaces next to plus signs
+
+- code style: use spaces around equals signs
+
+- checksrc: verify spaces around equals signs
+
+ ... as the code style mandates.
+
+- Curl_checkheaders: make it available for IMAP and SMTP too
+
+ ... not only HTTP uses this now.
+
+ Closes #1875
+
+- travis: add build without HTTP/SMTP/IMAP
+
+Jay Satiro (10 Sep 2017)
+- mbedtls: enable CA path processing
+
+ CA path processing was implemented when mbedtls.c was added to libcurl
+ in fe7590f, but it was never enabled.
+
+ Bug: https://github.com/curl/curl/issues/1877
+ Reported-by: SBKarr@users.noreply.github.com
+
+Daniel Stenberg (8 Sep 2017)
+- rtsp: do not call fwrite() with NULL pointer FILE *
+
+ If the default write callback is used and no destination has been set, a
+ NULL pointer would be passed to fwrite()'s 4th argument.
+
+ OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327
+ (not publicly open yet)
+
+ Detected by OSS-fuzz
+ Closes #1874
+
+- configure: use -Wno-varargs on clang 3.9[.X] debug builds
+
+ ... to avoid a clang bug
+
+- [Max Dymond brought this change]
+
+ ossfuzz: add some more handled CURL options
+
+ Add support for HEADER, COOKIE, RANGE, CUSTOMREQUEST, MAIL_RECIPIENT,
+ MAIL_FROM and uploading data.
+
+- configure: check for C++ compiler after C, to make it non-fatal
+
+ The tests for object file/executable file extensions are presumably only
+ done for the first of these macros in the configure file.
+
+ Bug: https://github.com/curl/curl/pull/1851#issuecomment-327597515
+ Reported-by: Marcel Raad
+ Closes #1873
+
+Patrick Monnerat (7 Sep 2017)
+- form API: add new test 650.
+
+ Now that the form API is deprecated and not used anymore in curl tool,
+ a lot of its features left untested. Test 650 attempts to check all these
+ features not tested elsewhere.
+
+Jay Satiro (7 Sep 2017)
+- configure: fix curl_off_t check's include order
+
+ - Prepend srcdir include path instead of append.
+
+ Prior to this change it was possible that during the check for the size
+ of curl_off_t the include path of a user's already installed curl could
+ come before the include path of the to-be-built curl, resulting in the
+ system.h of the former being incorrectly included for that check.
+
+ Closes https://github.com/curl/curl/pull/1870
+
+Daniel Stenberg (7 Sep 2017)
+- [Jakub Zakrzewski brought this change]
+
+ KNOWN_BUGS: Remove CMake symbol hiding issue
+
+ It has already been fixed in 6140dfc
+
+- http-proxy: when not doing CONNECT, that phase is done immediately
+
+ `conn->connect_state` is NULL when doing a regular non-CONNECT request
+ over the proxy and should therefor be considered complete at once.
+
+ Fixes #1853
+ Closes #1862
+ Reported-by: Lawrence Wagerfield
+
+- [Johannes Schindelin brought this change]
+
+ OpenSSL: fix yet another mistake while encapsulating SSL backend data
+
+ Another mistake in my manual fixups of the largely mechanical
+ search-and-replace ("connssl->" -> "BACKEND->"), just like the previous
+ commit concerning HTTPS proxies (and hence not caught during my
+ earlier testing).
+
+ Fixes #1855
+ Closes #1871
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ OpenSSL: fix erroneous SSL backend encapsulation
+
+ In d65e6cc4f (vtls: prepare the SSL backends for encapsulated private
+ data, 2017-06-21), this developer prepared for a separation of the
+ private data of the SSL backends from the general connection data.
+
+ This conversion was partially automated (search-and-replace) and
+ partially manual (e.g. proxy_ssl's backend data).
+
+ Sadly, there was a crucial error in the manual part, where the wrong
+ handle was used: rather than connecting ssl[sockindex]' BIO to the
+ proxy_ssl[sockindex]', we reconnected proxy_ssl[sockindex]. The reason
+ was an incorrect location to paste "BACKEND->"... d'oh.
+
+ Reported by Jay Satiro in https://github.com/curl/curl/issues/1855.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Jay Satiro brought this change]
+
+ vtls: fix memory corruption
+
+ Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data,
+ 2017-07-28), the code handling HTTPS proxies was broken because the
+ pointer to the SSL backend data was not swapped between
+ conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but
+ instead set to NULL (causing segmentation faults).
+
+ [jes: provided the commit message, tested and verified the patch]
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- vtls: switch to CURL_SHA256_DIGEST_LENGTH define
+
+ ... instead of the prefix-less version since WolfSSL 3.12 now uses an
+ enum with that name that causes build failures for us.
+
+ Fixes #1865
+ Closes #1867
+ Reported-by: Gisle Vanem
+
+- travis: add c-ares enabled builds linux + osx
+
+ Closes #1868
+
+- HISTORY: added some recent items
+
+Jay Satiro (6 Sep 2017)
+- SSL: fix unused parameter warnings
+
+Patrick Monnerat (6 Sep 2017)
+- mime: drop internal FILE * support.
+
+ - The part kind MIMEKIND_FILE and associated code are suppressed.
+ - Seek data origin offset not used anymore: suppressed.
+ - MIMEKIND_NAMEDFILE renamed MIMEKIND_FILE; associated fields/functions
+ renamed accordingly.
+ - Curl_getformdata() processes stdin via a callback.
+
+Daniel Stenberg (6 Sep 2017)
+- configure: remove --enable-soname-bump and SONAME_BUMP
+
+ Back in 2008, (and commit 3f3d6ebe665f3) we changed the logic in how we
+ determine the native type for `curl_off_t`. To really make sure we
+ didn't break ABI without bumping SONAME, we introduced logic that
+ attempted to detect that it would use a different size and thus not be
+ compatible. We also provided a manual switch that allowed users to tell
+ configure to bump SONAME by force.
+
+ Today, we know of no one who ever got a SONAME bump auto-detected and we
+ don't know of anyone who's using the manual bump feature. The auto-
+ detection is also no longer working since we introduced defining
+ curl_off_t in system.h (7.55.0).
+
+ Finally, this bumping logic is not present in the cmake build.
+
+ Closes #1861
+
+Jay Satiro (6 Sep 2017)
+- [Gisle Vanem brought this change]
+
+ vtls: select ssl backend case-insensitive (follow-up)
+
+ - Do a case-insensitive comparison of CURL_SSL_BACKEND env as well.
+
+ - Change Curl_strcasecompare calls to strcasecompare
+ (maps to the former but shorter).
+
+ Follow-up to c290b8f.
+
+ Bug: https://github.com/curl/curl/commit/c290b8f#commitcomment-24094313
+
+ Co-authored-by: Jay Satiro
+
+- openssl: Integrate Peter Wu's SSLKEYLOGFILE implementation
+
+ This is an adaptation of 2 of Peter Wu's SSLKEYLOGFILE implementations.
+
+ The first one, written for old OpenSSL versions:
+ https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
+
+ The second one, written for BoringSSL and new OpenSSL versions:
+ https://github.com/curl/curl/pull/1346
+
+ Note the first one is GPL licensed but the author gave permission to
+ waive that license for libcurl.
+
+ As of right now this feature is disabled by default, and does not have
+ a configure option to enable it. To enable this feature define
+ ENABLE_SSLKEYLOGFILE when building libcurl and set environment
+ variable SSLKEYLOGFILE to a pathname that will receive the keys.
+
+ And in Wireshark change your preferences to point to that key file:
+ Edit > Preferences > Protocols > SSL > Master-Secret
+
+ Co-authored-by: Peter Wu
+
+ Ref: https://github.com/curl/curl/pull/1030
+ Ref: https://github.com/curl/curl/pull/1346
+
+ Closes https://github.com/curl/curl/pull/1866
+
+Patrick Monnerat (5 Sep 2017)
+- mime: fix a trivial warning.
+
+- mime: replace 'struct Curl_mimepart' by 'curl_mimepart' in encoder code.
+
+ mime_state is now a typedef.
+
+- mime: implement encoders.
+
+ curl_mime_encoder() is operational and documented.
+ curl tool -F option is extended with ";encoder=".
+ curl tool --libcurl option generates calls to curl_mime_encoder().
+ New encoder tests 648 & 649.
+ Test 1404 extended with an encoder specification.
+
+- runtests.pl: support attribute "nonewline" in part verify/upload.
+
+- [Daniel Stenberg brought this change]
+
+ fixup data/test1135
+
+- [Daniel Stenberg brought this change]
+
+ mime: unified to use the typedef'd mime structs everywhere
+
+ ... and slightly edited to follow our code style better.
+
+- [Daniel Stenberg brought this change]
+
+ curl.h: use lower case curl_mime* as for all public symbols
+
+- [Daniel Stenberg brought this change]
+
+ docs/curl_mime_*.3: use correct variable types in examples
+
+Kamil Dudka (5 Sep 2017)
+- openssl: use OpenSSL's default ciphers by default
+
+ Up2date versions of OpenSSL maintain the default reasonably secure
+ without breaking compatibility, so it is better not to override the
+ default by curl. Suggested at https://bugzilla.redhat.com/1483972
+
+ Closes #1846
+
+Viktor Szakats (5 Sep 2017)
+- examples/mime: minor example code fixes
+
+Daniel Stenberg (5 Sep 2017)
+- docs/curl_mime_*.3: added examples
+
+- configure: add MultiSSL to FEATURES when enabled
+
+ ...for curl-config and its corresponding test 1014
+
+- http-proxy: treat all 2xx as CONNECT success
+
+ Added test 1904 to verify.
+
+ Reported-by: Lawrence Wagerfield
+ Fixes #1859
+ Closes #1860
+
+- MAIL-ETIQUETTE: added "1.9 Your emails are public"
+
+- curl.h: fix "unused checksrc ignore", remove dangling reference
+
+ ... to a README file that doesn't exist anymore
+
+Viktor Szakats (4 Sep 2017)
+- docs: Update to secure URL versions
+
+- mime: use CURL_ZERO_TERMINATED in examples
+
+ and some minor whitespace fixes
+
+Daniel Stenberg (4 Sep 2017)
+- schannel: return CURLE_SSL_CACERT on failed verification
+
+ ... not *CACERT_BADFILE as it isn't really because of a bad file.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0002.html
+ Closes #1858
+
+- test1135: fixed after bd8070085f9
+
+- examples/post-callback: stop returning one byte at a time
+
+ ... since people copy and paste code from this example and thus they get
+ an inefficient POST operation without a good reason and sometimes
+ without understanding why.
+
+ Instead this now returns as much data as possible.
+
+- RELEASE-NOTES: fixed the function counter script
+
+- curl.h: make the curl_strequal() protos use the same style
+
+ ... as the other functions. Makes it easier to machine-parse!
+
+- docs: curl_mime_*.3 man page formatting edits
+
+- RELEASE-NOTES: synced with 1ab9e9b50
+
+Patrick Monnerat (4 Sep 2017)
+- lib: bump version info (soname). Adapt and reenable test 1135.
+
+Daniel Stenberg (3 Sep 2017)
+- headers: move the global_sslset() proto from multi.h to curl.h
+
+ As it was added to multi.h simply to not break test 1135, which now has
+ been disabled due to the mime API addition anyway and su we can now move
+ the sslset stuff to where the other curl_global_* prototypes are.
+
+Patrick Monnerat (3 Sep 2017)
+- mime: fix signed/unsigned conversions.
+
+ Use and generate CURL_ZERO_TERMINATED in curl tool and tests.
+
+Jay Satiro (3 Sep 2017)
+- tool_formparse: fix some trivial warnings
+
+Patrick Monnerat (3 Sep 2017)
+- mime: use size_t instead of ssize_t in public API interface.
+
+ To support telling a string is nul-terminated, symbol CURL_ZERO_TERMINATED
+ has been introduced.
+
+ Documentation updated accordingly.
+
+ symbols in versions updated. Added form API symbols deprecation info.
+
+- mime: remove support "-" stdin pseudo-file name in curl_mime_filedata().
+
+ This feature is badly supported in Windows: as a replacement, a caller has
+ to use curl_mime_data_cb() with fread, fseek and possibly fclose
+ callbacks to process opened files.
+
+ The cli tool and documentation are updated accordingly.
+
+ The feature is however kept internally for form API compatibility, with
+ the known caveats it always had.
+
+ As a side effect, stdin size is not determined by the cli tool even if
+ possible and this results in a chunked transfer encoding. Test 173 is
+ updated accordingly.
+
+- mime: fix some implicit curl_off_t --> size_t conversion warnings.
+
+- mime: tests and examples.
+
+ Additional mime-specific tests.
+ Existing tests updated to reflect small differences (Expect: 100-continue,
+ data size change due to empty lines, etc).
+ Option -F headers= keyword added to tests.
+ test1135 disabled until the entry point order change is resolved.
+ New example smtp-mime.
+ Examples postit2 and multi-post converted from form API to mime API.
+
+- mime: use in curl cli tool instead of form API.
+
+ Extended -F option syntax to support multipart mail messages.
+ -F keyword headers= added to include custom headers in parts.
+ Documentation upgraded.
+
+- mime: new MIME API.
+
+ Available in HTTP, SMTP and IMAP.
+ Deprecates the FORM API.
+ See CURLOPT_MIMEPOST.
+ Lib code and associated documentation.
+
+- test564: Add a warning comment about shell profile output.
+
+ Shell profile output makes the SSH server failing and this problem reason
+ is not easy to find when no hint is given.
+
+- checksrc: disable SPACEBEFOREPAREN for case statement.
+
+ The case keyword may be followed by a constant expression and thus should
+ allow it to start with an open parenthesis.
+
+- runtests.pl: allow <file[1-4]> tags in client section.
+
+ This enables tests to create more than one file on the client side.
+
+- runtests.pl: Apply strippart to upload too.
+
+ This will allow substitution of boundaries in mail messages.
+
+- Curl_base64_encode: always call with a real data handle.
+
+ Some calls in different modules were setting the data handle to NULL, causing
+ segmentation faults when using builds that enable character code conversions.
+
+- non-ascii: allow conversion functions to be called with a NULL data handle.
+
+- http: fix a memory leakage in checkrtspprefix().
+
+Daniel Stenberg (2 Sep 2017)
+- [Max Dymond brought this change]
+
+ ossfuzz: Move to C++ for curl_fuzzer.
+
+ Automake gets confused if you want to use C++ static libraries with C
+ code - basically we need to involve the clang++ linker. The easiest way
+ of achieving this is to rename the C code as C++ code. This gets us a
+ bit further along the path and ought to be compatible with Google's
+ version of clang.
+
+- curl_global_sslset: select backend by name case insensitively
+
+ Closes #1849
+
+- [Max Dymond brought this change]
+
+ ossfuzz: additional seed corpora
+
+ Create simple seed corpora for:
+ - FTP
+ - telnet
+ - dict
+ - tftp
+ - imap
+ - pop3
+
+ based off the tests of the same number.
+
+ Closes #1842
+
+- [Max Dymond brought this change]
+
+ ossfuzz: moving towards the ideal integration
+
+ - Start with the basic code from the ossfuzz project.
+ - Rewrite fuzz corpora to be binary files full of Type-Length-Value
+ data, and write a glue layer in the fuzzing function to convert
+ corpora into CURL options.
+ - Have supporting functions to generate corpora from existing tests
+ - Integrate with Makefile.am
+
+- strcase: corrected comment header for Curl_strcasecompare()
+
+- unit1301: fix error message on first test
+
+- curl_global_sslset.3: show the struct and enum too
+
+ ... so that users can actually write code based on the man page alone,
+ not having to read the header file.
+
+Jay Satiro (31 Aug 2017)
+- darwinssl: handle long strings in TLS certs (follow-up)
+
+ - Fix handling certificate subjects that are already UTF-8 encoded.
+
+ Follow-up to b3b75d1 from two days ago. Since then a copy would be
+ skipped if the subject was already UTF-8, possibly resulting in a NULL
+ deref later on.
+
+ Ref: https://github.com/curl/curl/issues/1823
+ Ref: https://github.com/curl/curl/pull/1831
+
+ Closes https://github.com/curl/curl/pull/1836
+
+Daniel Stenberg (31 Aug 2017)
+- cyassl: call it the "WolfSSL" backend
+
+ ... instead of cyassl, as this is the current name for it.
+
+ Closes #1844
+
+- polarssl: fix multissl breakage
+
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0121.html
+ Closes #1843
+
+- configure: remove the leading comma from the backends list
+
+ ... when darwinssl is used.
+
+ Reported-by: Viktor Szakats
+ Bug: https://github.com/curl/curl/commit/b0989cd3abaff4f9a0717b4875022fa79e33b481#commitcomment-23943493
+
+ Closes #1845
+
+Kamil Dudka (30 Aug 2017)
+- examples/sslbackend.c: fix failure of 'make checksrc'
+
+ ./sslbackend.c:58:3: warning: else after closing brace on same line (BRACEELSE)
+ } else if(isdigit(*name)) {
+ ^
+ ./sslbackend.c:62:3: warning: else after closing brace on same line (BRACEELSE)
+ } else
+ ^
+
+Viktor Szakats (30 Aug 2017)
+- makefile.m32: add multissl support
+
+ Closes https://github.com/curl/curl/pull/1840
+
+Daniel Stenberg (30 Aug 2017)
+- curl.h: CURLSSLBACKEND_WOLFSSL used wrong value
+
+ The CURLSSLBACKEND_WOLFSSL is supposed to be an alias for
+ CURLSSLBACKEND_CYASSL, but used an erronous value. To reduce the risk
+ for a similar mistake, define the backend aliases to use the enum values
+ instead.
+
+ Reported-by: Gisle Vanem
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0120.html
+
+- curl_global_sslset.3: clarify
+
+ it is a one time *set*, not necessarily a one time use... it can be
+ called again if the first call failed or just listed the alternatives.
+
+ clarify that the available backends are the ones this build supports
+
+ plus add some formatting
+
+ Reported-by: Rich Gray
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0119.html
+
+- curl/multi.h: remove duplicated closing c++ brace
+
+ Regression since 1328f69d53f2f2e93
+
+ Fixes #1841
+ Reported-by: Andrei Karas
+
+- RELEASE-NOTES: synced with 8c33c963a
+
+- HELP-US.md: spelling
+
+- HELP-US.md: "How to get started helping out in the curl project"
+
+ Closes #1837
+
+Dan Fandrich (29 Aug 2017)
+- asyn-thread: Fixed cleanup after OOM
+
+ destroy_async_data() assumes that if the flag "done" is not set yet, the
+ thread itself will clean up once the request is complete. But if an
+ error (generally OOM) occurs before the thread even has a chance to
+ start, it will never get a chance to clean up and memory will be leaked.
+ By clearing "done" only just before starting the thread, the correct
+ cleanup sequence will happen in all cases.
+
+Daniel Stenberg (28 Aug 2017)
+- curl_global_init.3: mention curl_global_sslset(3)
+
+Dan Fandrich (28 Aug 2017)
+- unit1606: Fixed shadowed variable warning
+
+- asyn-thread: Improved cleanup after OOM situations
+
+- asyn-thread: Set errno to the proper value ENOMEM in OOM situation
+
+ This used to be set in some configurations to EAI_MEMORY which is not a
+ valid value for errno and caused Curl_strerror to fail an assertion.
+
+Daniel Stenberg (28 Aug 2017)
+- [Johannes Schindelin brought this change]
+
+ configure: Handle "MultiSSL" specially When versioning symbols
+
+ There is a mode in which libcurl is compiled with versioned symbols,
+ depending on the active SSL backend.
+
+ When multiple SSL backends are active, it does not make sense to favor
+ one over the others, so let's not: introduce a new prefix for the case
+ where multiple SSL backends are compiled into cURL.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ configure: allow setting the default SSL backend
+
+ Previously, we used as default SSL backend whatever was first in the
+ `available_backends` array.
+
+ However, some users may want to override that default without patching
+ the source code.
+
+ Now they can: with the --with-default-ssl-backend=<backend> option of
+ the ./configure script.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: use Curl_ssl_multi pseudo backend only when needed
+
+ When only one SSL backend is configured, it is totally unnecessary to
+ let multissl_init() configure the backend at runtime, we can select the
+ correct backend at build time already.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ version: if built with more than one SSL backend, report all of them
+
+ To discern the active one from the inactive ones, put the latter into
+ parentheses.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ version: add the CURL_VERSION_MULTI_SSL feature flag
+
+ This new feature flag reports When cURL was built with multiple SSL
+ backends.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ metalink: allow compiling with multiple SSL backends
+
+ Previously, the code assumed that at most one of the SSL backends would
+ be compiled in, emulating OpenSSL's functions if the configured backend
+ was not OpenSSL itself.
+
+ However, now we allow building with multiple SSL backends and choosing
+ one at runtime. Therefore, metalink needs to be adjusted to handle this
+ scenario, too.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ docs/examples: demonstrate how to select SSL backends
+
+ The newly-introduced curl_global_sslset() function deserves to be
+ show-cased.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ Add a man page for curl_global_sslset()
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: introduce curl_global_sslset()
+
+ Let's add a compile time safe API to select an SSL backend. This
+ function needs to be called *before* curl_global_init(), and can be
+ called only once.
+
+ Side note: we do not explicitly test that it is called before
+ curl_global_init(), but we do verify that it is not called multiple times
+ (even implicitly).
+
+ If SSL is used before the function was called, it will use whatever the
+ CURL_SSL_BACKEND environment variable says (or default to the first
+ available SSL backend), and if a subsequent call to
+ curl_global_sslset() disagrees with the previous choice, it will fail
+ with CURLSSLSET_TOO_LATE.
+
+ The function also accepts an "avail" parameter to point to a (read-only)
+ NULL-terminated list of available backends. This comes in real handy if
+ an application wants to let the user choose between whatever SSL backends
+ the currently available libcurl has to offer: simply call
+
+ curl_global_sslset(-1, NULL, &avail);
+
+ which will return CURLSSLSET_UNKNOWN_BACKEND and populate the avail
+ variable to point to the relevant information to present to the user.
+
+ Just like with the HTTP/2 push functions, we have to add the function
+ declaration of curl_global_sslset() function to the header file
+ *multi.h* because VMS and OS/400 require a stable order of functions
+ declared in include/curl/*.h (where the header files are sorted
+ alphabetically). This looks a bit funny, but it cannot be helped.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: refactor out essential information about the SSL backends
+
+ There is information about the compiled-in SSL backends that is really
+ no concern of any code other than the SSL backend itself, such as which
+ function (if any) implements SHA-256 summing.
+
+ And there is information that is really interesting to the user, such as
+ the name, or the curl_sslbackend value.
+
+ Let's factor out the latter into a publicly visible struct. This
+ information will be used in the upcoming API to set the SSL backend
+ globally.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: allow selecting which SSL backend to use at runtime
+
+ When building software for the masses, it is sometimes not possible to
+ decide for all users which SSL backend is appropriate.
+
+ Git for Windows, for example, uses cURL to perform clones, fetches and
+ pushes via HTTPS, and some users strongly prefer OpenSSL, while other
+ users really need to use Secure Channel because it offers
+ enterprise-ready tools to manage credentials via Windows' Credential
+ Store.
+
+ The current Git for Windows versions use the ugly work-around of
+ building libcurl once with OpenSSL support and once with Secure Channel
+ support, and switching out the binaries in the installer depending on
+ the user's choice.
+
+ Needless to say, this is a super ugly workaround that actually only
+ works in some cases: Git for Windows also comes in a portable form, and
+ in a form intended for third-party applications requiring Git
+ functionality, in which cases this "swap out libcurl-4.dll" simply is
+ not an option.
+
+ Therefore, the Git for Windows project has a vested interest in teaching
+ cURL to make the SSL backend a *runtime* option.
+
+ This patch makes that possible.
+
+ By running ./configure with multiple --with-<backend> options, cURL will
+ be built with multiple backends.
+
+ For the moment, the backend can be configured using the environment
+ variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and
+ "schannel").
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: fold the backend ID into the Curl_ssl structure
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ curl_ntlm_core: don't complain but #include OpenSSL header if needed
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: encapsulate SSL backend-specific data
+
+ So far, all of the SSL backends' private data has been declared as
+ part of the ssl_connect_data struct, in one big #if .. #elif .. #endif
+ block.
+
+ This can only work as long as the SSL backend is a compile-time option,
+ something we want to change in the next commits.
+
+ Therefore, let's encapsulate the exact data needed by each SSL backend
+ into a private struct, and let's avoid bleeding any SSL backend-specific
+ information into urldata.h. This is also necessary to allow multiple SSL
+ backends to be compiled in at the same time, as e.g. OpenSSL's and
+ CyaSSL's headers cannot be included in the same .c file.
+
+ To avoid too many malloc() calls, we simply append the private structs
+ to the connectdata struct in allocate_conn().
+
+ This requires us to take extra care of alignment issues: struct fields
+ often need to be aligned on certain boundaries e.g. 32-bit values need to
+ be stored at addresses that divide evenly by 4 (= 32 bit / 8
+ bit-per-byte).
+
+ We do that by assuming that no SSL backend's private data contains any
+ fields that need to be aligned on boundaries larger than `long long`
+ (typically 64-bit) would need. Under this assumption, we simply add a
+ dummy field of type `long long` to the `struct connectdata` struct. This
+ field will never be accessed but acts as a placeholder for the four
+ instances of ssl_backend_data instead. the size of each ssl_backend_data
+ struct is stored in the SSL backend-specific metadata, to allow
+ allocate_conn() to know how much extra space to allocate, and how to
+ initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend
+ pointers.
+
+ This would appear to be a little complicated at first, but is really
+ necessary to encapsulate the private data of each SSL backend correctly.
+ And we need to encapsulate thusly if we ever want to allow selecting
+ CyaSSL and OpenSSL at runtime, as their headers cannot be included within
+ the same .c file (there are just too many conflicting definitions and
+ declarations for that).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: prepare the SSL backends for encapsulated private data
+
+ At the moment, cURL's SSL backend needs to be configured at build time.
+ As such, it is totally okay for them to hard-code their backend-specific
+ data in the ssl_connect_data struct.
+
+ In preparation for making the SSL backend a runtime option, let's make
+ the access of said private data a bit more abstract so that it can be
+ adjusted later in an easy manner.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ urldata.h: move SSPI-specific #include to correct location
+
+ In 86b889485 (sasl_gssapi: Added GSS-API based Kerberos V5 variables,
+ 2014-12-03), an SSPI-specific field was added to the kerberos5data
+ struct without moving the #include "curl_sspi.h" later in the same file.
+
+ This broke the build when SSPI was enabled, unless Secure Channel was
+ used as SSL backend, because it just so happens that Secure Channel also
+ requires "curl_sspi.h" to be #included.
+
+ In f4739f639 (urldata: include curl_sspi.h when Windows SSPI is enabled,
+ 2017-02-21), this bug was fixed incorrectly: Instead of moving the
+ appropriate conditional #include, the Secure Channel-conditional part
+ was now also SSPI-conditional.
+
+ Fix this problem by moving the correct #include instead.
+
+ This is also required for an upcoming patch that moves all the Secure
+ Channel-specific stuff out of urldata.h and encapsulates it properly in
+ vtls/schannel.c instead.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ urldata.h: remove support for obsolete PolarSSL version
+
+ Since 5017d5ada (polarssl: now require 1.3.0+, 2014-03-17), we require
+ a newer PolarSSL version. No need to keep code trying to support any
+ older version.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ getinfo: access SSL internals via Curl_ssl
+
+ In the ongoing endeavor to abstract out all SSL backend-specific
+ functionality, this is the next step: Instead of hard-coding how the
+ different SSL backends access their internal data in getinfo.c, let's
+ implement backend-specific functions to do that task.
+
+ This will also allow for switching SSL backends as a runtime option.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: move SSL backends' private constants out of their header files
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ axtls: use Curl_none_* versions of init() and cleanup()
+
+ There are convenient no-op versions of the init/cleanup functions now,
+ no need to define private ones for axTLS.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: remove obsolete declarations of SSL backend functionality
+
+ These functions are all available via the Curl_ssl struct now, no need
+ to declare them separately anymore.
+
+ As the global declarations are removed, the corresponding function
+ definitions are marked as file-local. The only two exceptions here are
+ Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the
+ declarations were removed, there are no function definitions to mark
+ file-local.
+
+ Please note that Curl_nss_force_init() is *still* declared globally, as
+ the only SSL backend-specific function, because it was introduced
+ specifically for the use case where cURL was compiled with
+ `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add
+ support for NSS, 2010-06-27).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ schannel: reorder functions topologically
+
+ The _shutdown() function calls the _session_free() function; While this
+ is not a problem now (because schannel.h declares both functions), a
+ patch looming in the immediate future with make all of these functions
+ file-local.
+
+ So let's just move the _session_free() function's definition before it
+ is called.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ axtls: reorder functions topologically
+
+ The connect_finish() function (like many other functions after it) calls
+ the Curl_axtls_close() function; While this is not a problem now
+ (because axtls.h declares the latter function), a patch looming in the
+ immediate future with make all of these functions file-local.
+
+ So let's just move the Curl_axtls_close() function's definition before
+ it is called.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl struct
+
+ That will allow us to choose the SSL backend at runtime.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: convert the have_curlssl_* constants to runtime flags
+
+ The entire idea of introducing the Curl_ssl struct to describe SSL
+ backends is to prepare for choosing the SSL backend at runtime.
+
+ To that end, convert all the #ifdef have_curlssl_* style conditionals
+ to use bit flags instead.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: move sha256sum into the Curl_ssl struct
+
+ The SHA-256 checksumming is also an SSL backend-specific function.
+ Let's include it in the struct declaring the functionality of SSL
+ backends.
+
+ In contrast to MD5, there is no fall-back code. To indicate this, the
+ respective entries are NULL for those backends that offer no support for
+ SHA-256 checksumming.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: move md5sum into the Curl_ssl struct
+
+ The MD5 summing is also an SSL backend-specific function. So let's
+ include it, offering the previous fall-back code as a separate function
+ now: Curl_none_md5sum(). To allow for that, the signature had to be
+ changed so that an error could be returned from the implementation
+ (Curl_none_md5sum() can run out of memory).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: use the Curl_ssl struct to access all SSL backends' functionality
+
+ This is the first step to unify the SSL backend handling. Now all the
+ SSL backend-specific functionality is accessed via a global instance of
+ the Curl_ssl struct.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: declare Curl_ssl structs for every SSL backend
+
+ The idea of introducing the Curl_ssl struct was to unify how the SSL
+ backends are declared and called. To this end, we now provide an
+ instance of the Curl_ssl struct for each and every SSL backend.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: introduce a new struct for SSL backends
+
+ This new struct is similar in nature to Curl_handler: it will define the
+ functions and capabilities of all the SSL backends (where Curl_handler
+ defines the functions and capabilities of protocol handlers).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: make sure every _sha256sum()'s first arg is const
+
+ This patch makes the signature of the _sha256sum() functions consistent
+ among the SSL backends, in preparation for unifying the way all SSL
+ backends are accessed.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: make sure all _data_pending() functions return bool
+
+ This patch makes the signature of the _data_pending() functions
+ consistent among the SSL backends, in preparation for unifying the way
+ all SSL backends are accessed.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: make sure all _cleanup() functions return void
+
+ This patch makes the signature of the _cleanup() functions consistent
+ among the SSL backends, in preparation for unifying the way all SSL
+ backends are accessed.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: use consistent signature for _random() implementations
+
+ This will make the upcoming multissl backend much easier to implement.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- strtooff: fix build for systems with long long but no strtoll option
+
+ Closes #1829
+
+ Reported-by: Dan Fandrich
+ Bug: https://github.com/curl/curl/pull/1758#issuecomment-324861615
+
+- darwinssl: handle long strings in TLS certs
+
+ ... as the previous fixed length 128 bytes buffer was sometimes too
+ small.
+
+ Fixes #1823
+ Closes #1831
+
+ Reported-by: Benjamin Sergeant
+ Assisted-by: Bill Pyne, Ray Satiro, Nick Zitzmann
+
+- system.h: include sys/poll.h for AIX
+
+ ... to get the event/revent defines that might be used for the poll
+ struct.
+
+ Reported-by: Michael Smith
+ Fixes #1828
+ Closes #1833
+
+Dan Fandrich (26 Aug 2017)
+- tests: Make sure libtests & unittests call curl_global_cleanup()
+
+ These were missed in commit c468c27b.
+
+Jay Satiro (26 Aug 2017)
+- [theantigod brought this change]
+
+ winbuild: fix embedded manifest option
+
+ Embedded manifest option didn't work due to incorrect path.
+
+ Fixes https://github.com/curl/curl/issues/1832
+
+Daniel Stenberg (25 Aug 2017)
+- fuzz/Makefile.am: remove curlbuild.h leftovers
+
+- examples/threaded-ssl: mention that this is for openssl before 1.1
+
+- imap: use defined names for response codes
+
+ When working on this code I found the previous setup a bit weird while
+ using proper defines increases readability.
+
+ Closes #1824
+
+- CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD
+
+- imap: support PREAUTH
+
+ It is a defined possible greeting at server startup that means the
+ connection is already authenticated. See
+ https://tools.ietf.org/html/rfc3501#section-7.1.4
+
+ Test 846 added to verify.
+
+ Fixes #1818
+ Closes #1820
+
+Jay Satiro (23 Aug 2017)
+- config-tpf: define SIZEOF_LONG
+
+ Recent changes that replaced CURL_SIZEOF_LONG in the source with
+ SIZEOF_LONG broke builds that use the premade configuration files and
+ don't have SIZEOF_LONG defined.
+
+ Bug: https://github.com/curl/curl/issues/1816
+
+Dan Fandrich (23 Aug 2017)
+- test1453: Fixed <features>
+
+Daniel Stenberg (22 Aug 2017)
+- [Gisle Vanem brought this change]
+
+ config-dos: add missing defines, SIZEOF_* and two others
+
+ Bug: #1816
+
+- curl: shorten and clean up CA cert verification error message
+
+ The previous message was just too long for ordinary people and it was
+ encouraging users to use `--insecure` a little too easy.
+
+ Based-on-work-by: Frank Denis
+
+ Closes #1810
+ Closes #1817
+
+- request-target.d: mention added in 7.55.0
+
+Marcel Raad (22 Aug 2017)
+- tool_main: turn off MinGW CRT's globbing
+
+ By default, the MinGW CRT globs command-line arguments. This prevents
+ getting a single asterisk into an argument as test 1299 does. Turn off
+ globbing by setting the global variable _CRT_glob to 0 for MinGW.
+
+ Fixes https://github.com/curl/curl/issues/1751
+ Closes https://github.com/curl/curl/pull/1813
+
+Viktor Szakats (22 Aug 2017)
+- makefile.m32: add support for libidn2
+
+ libidn was replaced with libidn2 last year in configure.
+ Caveat: libidn2 may depend on a list of further libs.
+ These can be manually specified via CURL_LDFLAG_EXTRAS.
+
+ Closes https://github.com/curl/curl/pull/1815
+
+Jay Satiro (22 Aug 2017)
+- [Viktor Szakats brought this change]
+
+ config-win32: define SIZEOF_LONG
+
+ Recent changes that replaced CURL_SIZEOF_LONG in the source with
+ SIZEOF_LONG broke builds that use the premade configuration files and
+ don't have SIZEOF_LONG defined.
+
+ Closes https://github.com/curl/curl/pull/1814
+
+Daniel Stenberg (20 Aug 2017)
+- cmake: enable picky compiler options with clang and gcc
+
+ closes #1799
+
+- curl/system.h: fix build for hppa
+
+ Reported-by: John David Anglin
+ Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872502#10
+
+- [Even Rouault brought this change]
+
+ tftp: fix memory leak on too long filename
+
+ Fixes
+
+ $ valgrind --leak-check=full ~/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
+
+ ==9752== Memcheck, a memory error detector
+ ==9752== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
+ ==9752== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
+ ==9752== Command: /home/even/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
+ ==9752==
+ curl: (71) TFTP file name too long
+
+ ==9752==
+ ==9752== HEAP SUMMARY:
+ ==9752== 505 bytes in 1 blocks are definitely lost in loss record 11 of 11
+ ==9752== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==9752== by 0x4E61CED: Curl_urldecode (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E75868: tftp_state_machine (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E761B6: tftp_do (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E711B6: multi_runsingle (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E71D00: curl_multi_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E6950D: curl_easy_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x40E0B7: operate_do (in /home/even/install-curl-git/bin/curl)
+ ==9752== by 0x40E849: operate (in /home/even/install-curl-git/bin/curl)
+ ==9752== by 0x402693: main (in /home/even/install-curl-git/bin/curl)
+
+ Fixes https://oss-fuzz.com/v2/testcase-detail/5232311106797568
+ Credit to OSS Fuzz
+
+ Closes #1808
+
+Dan Fandrich (19 Aug 2017)
+- runtests: fixed case insensitive matching of keywords
+
+ Commit 5c2aac71 didn't work in the case of mixed-case keywords given on
+ the command-line.
+
+- tests: Make sure libtests call curl_global_cleanup()
+
+ This ensures that global data allocations are freed so Valgrind stays
+ happy. This was a problem with at least PolarSSL and mbedTLS.
+
+Daniel Stenberg (18 Aug 2017)
+- RELEASE-NOTES: synced with 8baead425
+
+- scripts/contri*sh: use "git log --use-mailmap"
+
+- mailmap: de-duplify some git authors
+
+- http2_recv: return error better on fatal h2 errors
+
+ Ref #1012
+ Figured-out-by: Tatsuhiro Tsujikawa
+
+- KNOWN_BUGS: HTTP test server 'connection-monitor' problems
+
+ Closes #868
+
+- curl/system.h: check for __ppc__ as well
+
+ ... regression since issue #1774 (commit 10b3df10596a) since obviously
+ some older gcc doesn't know __powerpc__ while some newer doesn't know
+ __ppc__ ...
+
+ Fixes #1797
+ Closes #1798
+ Reported-by: Ryan Schmidt
+
+- [Jan Alexander Steffens (heftig) brought this change]
+
+ http: Don't wait on CONNECT when there is no proxy
+
+ Since curl 7.55.0, NetworkManager almost always failed its connectivity
+ check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP
+ CONNECT process entirely non-blocking).
+
+ This patch replaces !Curl_connect_complete with Curl_connect_ongoing,
+ which returns false if the CONNECT state was left uninitialized and lets
+ the connection continue.
+
+ Closes #1803
+ Fixes #1804
+
+ Also-fixed-by: Gergely Nagy
+
+- [Johannes Schindelin brought this change]
+
+ metalink: adjust source code style
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- CURL_SIZEOF_LONG: removed, use only SIZEOF_LONG
+
+- lib557: no longer use CURL_SIZEOF_* defines
+
+- config-win32: define SIZEOF_CURL_OFF_T
+
+- cmake: sizeof curl_off_t, remove unused detections
+
+- system.h: remove all CURL_SIZEOF_* defines
+
+ ... as they're not used externally and internally we check for the sizes
+ already in configure etc.
+
+ Closes #1767
+
+- ftp: fix CWD when doing multicwd then nocwd on same connection
+
+ Fixes #1782
+ Closes #1787
+ Reported-by: Peter Lamare
+
+- CURLOPT_SSH_COMPRESSION.3: enable with 1L
+
+ (leaves other values reserved for the future)
+
+- compressed-ssh.d: "Added: 7.56.0"
+
+- curl/system.h: checksrc compliance
+
+Jay Satiro (17 Aug 2017)
+- [Viktor Szakats brought this change]
+
+ ssh: add the ability to enable compression (for SCP/SFTP)
+
+ The required low-level logic was already available as part of
+ `libssh2` (via `LIBSSH2_FLAG_COMPRESS` `libssh2_session_flag()`[1]
+ option.)
+
+ This patch adds the new `libcurl` option `CURLOPT_SSH_COMPRESSION`
+ (boolean) and the new `curl` command-line option `--compressed-ssh`
+ to request this `libssh2` feature. To have compression enabled, it
+ is required that the SSH server supports a (zlib) compatible
+ compression method and that `libssh2` was built with `zlib` support
+ enabled.
+
+ [1] https://www.libssh2.org/libssh2_session_flag.html
+
+ Ref: https://github.com/curl/curl/issues/1732
+ Closes https://github.com/curl/curl/pull/1735
+
+- examples/ftpuploadresume: checksrc compliance
+
+- [Maksim Stsepanenka brought this change]
+
+ http_proxy: fix build error for CURL_DOES_CONVERSIONS
+
+ Closes https://github.com/curl/curl/pull/1793
+
+GitHub (16 Aug 2017)
+- [Nick Zitzmann brought this change]
+
+ configure: check for __builtin_available() availability (#1788)
+
+ This change does two things:
+ 1. It un-breaks the build in Xcode 9.0. (Xcode 9.0 is currently
+ failing trying to compile connectx() in lib/connect.c.)
+ 2. It finally weak-links the connectx() function, and falls back on
+ connect() when run on older operating systems.
+
+Daniel Stenberg (16 Aug 2017)
+- travis: add metalink to some osx builds
+
+ Closes #1790
+
+- [Max Dymond brought this change]
+
+ coverage: Use two coveralls commands to get lib/vtls results
+
+ closes #1747
+
+- darwinssi: fix error: variable length array used
+
+- m4/curl-compilers.m4: use proper quotes around string, not backticks
+
+ ... when setting clang version to assume 3.7
+
+ Caused a lot of "integer expression expected" warnings by configure.
+
+- [Benbuck Nason brought this change]
+
+ cmake: remove dead code for DISABLED_THREADSAFE
+
+ Closes #1786
+
+Jay Satiro (15 Aug 2017)
+- [Jakub Zakrzewski brought this change]
+
+ curl-confopts.m4: fix --disable-threaded-resolver
+
+ Closes https://github.com/curl/curl/issues/1784
+
+Daniel Stenberg (15 Aug 2017)
+- [Ryan Winograd brought this change]
+
+ progress: Track total times following redirects
+
+ Update the progress timers `t_nslookup`, `t_connect`, `t_appconnect`,
+ `t_pretransfer`, and `t_starttransfer` to track the total times for
+ these activities when a redirect is followed. Previously, only the times
+ for the most recent request would be tracked.
+
+ Related changes:
+
+ - Rename `Curl_pgrsResetTimesSizes` to `Curl_pgrsResetTransferSizes`
+ now that the function only resets transfer sizes and no longer
+ modifies any of the progress timers.
+
+ - Add a bool to the `Progress` struct that is used to prevent
+ double-counting `t_starttransfer` times.
+
+ Added test case 1399.
+
+ Fixes #522 and Known Bug 1.8
+ Closes #1602
+ Reported-by: joshhe on github
+
+- [Benbuck Nason brought this change]
+
+ cmake: remove dead code for CURL_DISABLE_RTMP
+
+ Closes #1785
+
+Kamil Dudka (15 Aug 2017)
+- zsh.pl: produce a working completion script again
+
+ Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help
+ to use <file> and <dir> instead of FILE and DIR, which caused zsh.pl to
+ produce a broken completion script:
+
+ % curl --<TAB>
+ _curl:10: no such file or directory: seconds
+
+ Closes #1779
+
+Daniel Stenberg (15 Aug 2017)
+- curlver: toward 7.56.0?
+
+- RELEASE-NOTES: synced with 91c46dc44
+
+- test1449: FTP download range with an too large size
+
+- strtoofft: reduce integer overflow risks globally
+
+ ... make sure we bail out on overflows.
+
+ Reported-by: Brian Carpenter
+ Closes #1758
+
+- travis: build the examples too
+
+ to make sure they keep building warning-free
+
+ Closes #1777
+
+- runtests: match keywords case insensitively
+
+- examples/ftpuploadresume.c: use portable code
+
+ ... converted from the MS specific _snscanf()
+
+Version 7.55.1 (13 Aug 2017)
+
+Daniel Stenberg (13 Aug 2017)
+- RELEASE-NOTES/THANKS: curl 7.55.1 release time
+
+- gitignore: ignore .xz now instead of .lzma
+
+- [Sergei Nikulov brought this change]
+
+ cmake: Threads detection update. ref: #1702
+
+ Closes #1719
+
+- ipv6_scope: support unique local addresses
+
+ Fixes #1764
+ Closes #1773
+ Reported-by: James Slaughter
+
+- [Alex Potapenko brought this change]
+
+ curl/system.h: GCC doesn't define __ppc__ on PowerPC, uses __powerpc__
+
+ Closes #1774
+
+- test1448: verify redirect to IDN using URL
+
+ Closes #1772
+
+- [Salah-Eddin Shaban brought this change]
+
+ redirect: skip URL encoding for host names
+
+ This fixes redirects to IDN URLs
+
+ Fixes #1441
+ Closes #1762
+ Reported by: David Lord
+
+- test2032: mark as flaky (again)
+
+- travis: test cmake build on tarball too
+
+ Could've prevented #1755
+
+- [Simon Warta brought this change]
+
+ cmake: allow user to override CMAKE_DEBUG_POSTFIX
+
+ Closes #1763
+
+- connect-to.d: better language
+
+- connect-to.d: clarified
+
+- bagder/Curl_tvdiff_us: fix the math
+
+ Regression since adef394ac5 (released in 7.55.0)
+
+ Reported-by: Han Qiao
+ Fixes #1769
+ Closes #1771
+
+- curl/system.h: add Oracle Solaris Studio
+
+ Fixes #1752
+
+- [Alessandro Ghedini brought this change]
+
+ docs: fix typo funtion -> function
+
+ Closes #1770
+
+Alessandro Ghedini (12 Aug 2017)
+- docs: fix grammar in CURL_SSLVERSION_MAX_DEFAULT description
+
+- docs: fix typo stuct -> struct
+
+Dan Fandrich (12 Aug 2017)
+- test1447: require a curl with http support
+
+Daniel Stenberg (11 Aug 2017)
+- [Thomas Petazzoni brought this change]
+
+ curl/system.h: support more architectures
+
+ The long list of architectures in include/curl/system.h is annoying to
+ maintain, and needs to be extended for each and every architecture to
+ support.
+
+ Instead, let's rely on the __SIZEOF_LONG__ define of the gcc compiler
+ (we are in the GNUC condition anyway), which tells us if long is 4
+ bytes or 8 bytes.
+
+ This fixes the build of libcurl 7.55.0 on architectures such as
+ OpenRISC or ARC.
+
+ Closes #1766
+
+ Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+- test2033: this went flaky again
+
+ Suspicion: when we enabled the threaded resolver by default.
+
+- test1447: verifies the parse proxy fix in 6e0e152ce5c
+
+- [Even Rouault brought this change]
+
+ parse_proxy(): fix memory leak in case of invalid proxy server name
+
+ Fixes the below leak:
+
+ $ valgrind --leak-check=full ~/install-curl-git/bin/curl --proxy "http://a:b@/x" http://127.0.0.1
+ curl: (5) Couldn't resolve proxy name
+ ==5048==
+ ==5048== HEAP SUMMARY:
+ ==5048== in use at exit: 532 bytes in 12 blocks
+ ==5048== total heap usage: 5,288 allocs, 5,276 frees, 445,271 bytes allocated
+ ==5048==
+ ==5048== 2 bytes in 1 blocks are definitely lost in loss record 1 of 12
+ ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5048== by 0x4E6CB79: parse_login_details (url.c:5614)
+ ==5048== by 0x4E6BA82: parse_proxy (url.c:5091)
+ ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+ ==5048== by 0x4E6EA18: create_conn (url.c:6498)
+ ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967)
+ ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436)
+ ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160)
+ ==5048== by 0x4E7C515: easy_transfer (easy.c:708)
+ ==5048== by 0x4E7C74A: easy_perform (easy.c:794)
+ ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+ ==5048== by 0x414025: operate_do (tool_operate.c:1563)
+ ==5048==
+ ==5048== 2 bytes in 1 blocks are definitely lost in loss record 2 of 12
+ ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5048== by 0x4E6CBB6: parse_login_details (url.c:5621)
+ ==5048== by 0x4E6BA82: parse_proxy (url.c:5091)
+ ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+ ==5048== by 0x4E6EA18: create_conn (url.c:6498)
+ ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967)
+ ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436)
+ ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160)
+ ==5048== by 0x4E7C515: easy_transfer (easy.c:708)
+ ==5048== by 0x4E7C74A: easy_perform (easy.c:794)
+ ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+ ==5048== by 0x414025: operate_do (tool_operate.c:1563)
+
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2984
+ Credit to OSS Fuzz for discovery
+
+ Closes #1761
+
+- RELEASE-NOTES: synced with 37f2195a9
+
+- curlver: bump to 7.55.1
+
+- openssl: fix "error: this statement may fall through"
+
+ A gcc7 warning.
+
+- [David Benjamin brought this change]
+
+ openssl: remove CONST_ASN1_BIT_STRING.
+
+ Just making the pointer as const works for the pre-1.1.0 path too.
+
+ Closes #1759
+
+- maketgz: remove old *.dist files before making the tarball
+
+ To avoid "old crap" unintentionally getting shipped.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0050.html
+ Reported-by: Christian Weisgerber
+
+Jay Satiro (10 Aug 2017)
+- mkhelp.pl: allow executing this script directly
+
+ - Enable execute permission (chmod +x)
+
+ - Change interpreter to /usr/bin/env perl
+
+ Ref: https://github.com/curl/curl/issues/1743
+
+Daniel Stenberg (10 Aug 2017)
+- configure: use the threaded resolver backend by default if possible
+
+ Closes #1647
+
+- cmake: move cmake_uninstall.cmake to CMake/
+
+ Closes #1756
+
+- metalink: fix error: ‘*’ in boolean context, suggest ‘&&’ instead
+
+- dist: fix the cmake build by shipping cmake_uninstall.cmake.in too
+
+ Fixes #1755
+
+- travis: verify "make install"
+
+ Help-by: Jay Satiro
+ Closes #1753
+
+Marcel Raad (10 Aug 2017)
+- build: check out *.sln files with Windows line endings
+
+ Visual Studio doesn't like LF line endings in solution files and always
+ converts them to CRLF when doing changes to the solution. Notably, this
+ affects the solutions in the release archive.
+
+ Closes https://github.com/curl/curl/pull/1746
+
+- gitignore: ignore top-level .vs folder
+
+ This folder is generated when using the CMake build system from within
+ Visual Studio.
+
+ Closes https://github.com/curl/curl/pull/1746
+
+Jay Satiro (10 Aug 2017)
+- digest_sspi: Don't reuse context if the user/passwd has changed
+
+ Bug: https://github.com/curl/curl/issues/1685
+ Reported-by: paulharris@users.noreply.github.com
+
+ Assisted-by: Isaac Boukris
+
+ Closes https://github.com/curl/curl/pull/1742
+
+Daniel Stenberg (9 Aug 2017)
+- [Adam Sampson brought this change]
+
+ dist: Add dictserver.py/negtelnetserver.py to EXTRA_DIST
+
+ These weren't included in the 7.55.0 release, but are required in order
+ to run the full test suite.
+
+ Closes #1744
+
+- [Adam Sampson brought this change]
+
+ curl: do bounds check using a double comparison
+
+ The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
+ complete: if the parsed number in num is larger than will fit in a long,
+ the conversion is undefined behaviour (causing test1427 to fail for me
+ on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting
+ rid of the cast means the comparison will be done using doubles.
+
+ It might make more sense for the max argument to also be a double...
+
+ Fixes #1750
+ Closes #1749
+
+- make install: add 8 missing man pages to the installation
+
+- build: fix 'make install' with configure, install docs/libcurl/* too
+
+ Broken since d24838d4da9faa
+
+ Reported-by: Bernard Spil
+
+Version 7.55.0 (9 Aug 2017)
+
+Daniel Stenberg (9 Aug 2017)
+- RELEASE-NOTES: curl 7.55.0
+
+- THANKS: 20 new contributors in 7.55.0
+
+- [Viktor Szakats brought this change]
+
+ docs/comments: Update to secure URL versions
+
+ Closes #1741
+
+- configure: fix recv/send/select detection on Android
+
+ ... since they now provide several functions as
+ __attribute__((overloadable)), the argument detection logic need
+ updates.
+
+ Patched-by: destman at github
+
+ Fixes #1738
+ Closes #1739
+
+Marcel Raad (8 Aug 2017)
+- ax_code_coverage.m4: update to latest version
+
+ This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d
+ from August 01, 2017. Notably, this removes the lconv version whitelist.
+
+ Closes https://github.com/curl/curl/pull/1716
+
+Daniel Stenberg (7 Aug 2017)
+- test1427: verify command line parser integer overflow detection
+
+- curl: detect and bail out early on parameter integer overflows
+
+ Make the number parser aware of the maximum limit curl accepts for a
+ value and return an error immediately if larger, instead of running an
+ integer overflow later.
+
+ Fixes #1730
+ Closes #1736
+
+- glob: do not continue parsing after a strtoul() overflow range
+
+ Added test 1289 to verify.
+
+ CVE-2017-1000101
+
+ Bug: https://curl.haxx.se/docs/adv_20170809A.html
+ Reported-by: Brian Carpenter
+
+- tftp: reject file name lengths that don't fit
+
+ ... and thereby avoid telling send() to send off more bytes than the
+ size of the buffer!
+
+ CVE-2017-1000100
+
+ Bug: https://curl.haxx.se/docs/adv_20170809B.html
+ Reported-by: Even Rouault
+
+ Credit to OSS-Fuzz for the discovery
+
+- [Even Rouault brought this change]
+
+ file: output the correct buffer to the user
+
+ Regression brought by 7c312f84ea930d8 (April 2017)
+
+ CVE-2017-1000099
+
+ Bug: https://curl.haxx.se/docs/adv_20170809C.html
+
+ Credit to OSS-Fuzz for the discovery
+
+- easy_events: make event data static
+
+ First: this function is only used in debug-builds and not in
+ release/real builds. It is used to drive tests using the event-based
+ API.
+
+ A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the
+ CURLMOPT_TIMERFUNCTION calback can in fact be called even after this
+ funtion returns, namely when curl_multi_remove_handle() is called.
+
+ Reported-by: Brian Carpenter
+
+- getparameter: avoid returning uninitialized 'usedarg'
+
+ Fixes #1728
+
+Marcel Raad (5 Aug 2017)
+- [Isaac Boukris brought this change]
+
+ gssapi: fix memory leak of output token in multi round context
+
+ When multiple rounds are needed to establish a security context
+ (usually ntlm), we overwrite old token with a new one without free.
+ Found by proposed gss tests using stub a gss implementation (by
+ valgrind error), though I have confirmed the leak with a real
+ gssapi implementation as well.
+
+ Closes https://github.com/curl/curl/pull/1733
+
+- darwinssl: fix compiler warning
+
+ clang complains:
+ vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive
+ [-Werror,-Wextra-tokens]
+
+ This breaks the darwinssl build on Travis. Fix it by making this token
+ a comment.
+
+ Closes https://github.com/curl/curl/pull/1734
+
+- CMake: fix CURL_WERROR for MSVC
+
+ When using CURL_WERROR in MSVC builds, the debug flags were overridden
+ by the release flags and /WX got added twice in debug mode.
+
+ Closes https://github.com/curl/curl/pull/1715
+
+Daniel Stenberg (4 Aug 2017)
+- RELEASE-NOTES: synced with 561e9217c
+
+- test1010: verify that #1718 is fixed
+
+ ... by doing two transfers in nocwd mode and check that there's no
+ superfluous CWD command.
+
+- FTP: skip unnecessary CWD when in nocwd mode
+
+ ... when reusing a connection. If it didn't do any CWD previously.
+
+ Fixes #1718
+
+Marcel Raad (4 Aug 2017)
+- travis: explicitly specify dist
+
+ This makes the builds more reproducible as travis is currently rolling
+ out trusty as default dist [1]. Specifically, this avoids coverage
+ check failures when trusty is used as seen in [2] until we figure out
+ what's wrong.
+
+ [1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming
+ [2] https://github.com/curl/curl/pull/1692
+
+ Closes https://github.com/curl/curl/pull/1725
+
+Daniel Stenberg (4 Aug 2017)
+- travis: BUILD_TYPE => T
+
+ (to make the full line appear nicer on travis web UI)
+
+- travis: add osx build with darwinssl
+
+ Closes #1706
+
+- darwin: silence compiler warnings
+
+ With a clang pragma and three type fixes
+
+ Fixes #1722
+
+- BUILD.WINDOWS: mention buildconf.bat for builds off git
+
+- darwinssl: fix curlssl_sha256sum() compiler warnings on first argument
+
+- test130: verify comments in .netrc
+
+- [Gisle Vanem brought this change]
+
+ netrc: skip lines starting with '#'
+
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html
+
+Marcel Raad (3 Aug 2017)
+- CMake: set MSVC warning level to 4
+
+ The MSVC warning level defaults to 3 in CMake. Change it to 4, which is
+ consistent with the Visual Studio and NMake builds. Disable level 4
+ warning C4127 for the library and additionally C4306 for the test
+ servers to get a clean CURL_WERROR build as that warning is raised in
+ some macros in older Visual Studio versions.
+
+ Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794
+ Closes https://github.com/curl/curl/pull/1711
+
+Daniel Stenberg (2 Aug 2017)
+- CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2
+
+ Reported-by: Viktor Szakats
+
+- CURLOPT_NETRC.3: mention the file name on windows
+
+ ... and CURLOPT_NETRC_FILE(3).
+
+- travis: build osx with libressl too
+
+- travis: build osx with openssl too
+
+- tests/server/util: fix curltime mistake from 4dee50b9c80f9
+
+Marcel Raad (1 Aug 2017)
+- curl_threads: fix MSVC compiler warning
+
+ Use LongToHandle to convert from long to HANDLE in the Win32
+ implementation.
+ This should fix the following warning when compiling with
+ MSVC 11 (2012) in 64-bit mode:
+ lib\curl_threads.c(113): warning C4306:
+ 'type cast' : conversion from 'long' to 'HANDLE' of greater size
+
+ Closes https://github.com/curl/curl/pull/1717
+
+Daniel Stenberg (1 Aug 2017)
+- BUGS: improved phrasing about security bugs
+
+ Reported-by: Max Dymond
+
+- BUGS: clarify how to report security related bugs
+
+- [Brad Spencer brought this change]
+
+ multi: fix request timer management
+
+ There are some bugs in how timers are managed for a single easy handle
+ that causes the wrong "next timeout" value to be reported to the
+ application when a new minimum needs to be recomputed and that new
+ minimum should be an existing timer that isn't currently set for the
+ easy handle. When the application drives a set of easy handles via the
+ `curl_multi_socket_action()` API (for example), it gets told to wait the
+ wrong amount of time before the next call, which causes requests to
+ linger for a long time (or, it is my guess, possibly forever).
+
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html
+
+Jay Satiro (1 Aug 2017)
+- curl_setup: Define CURL_NO_OLDIES for building libcurl
+
+ .. to catch accidental use of deprecated error codes.
+
+ Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237
+
+Daniel Stenberg (1 Aug 2017)
+- [Jeremy Tan brought this change]
+
+ configure: fix the check for IdnToUnicode
+
+ Fixes #1669
+ Closes #1713
+
+- http: fix response code parser to avoid integer overflow
+
+ test 1429 and 1433 were updated to work with the stricter HTTP status line
+ parser.
+
+ Closes #1714
+ Reported-by: Brian Carpenter
+
+Jay Satiro (31 Jul 2017)
+- [Dwarakanath Yadavalli brought this change]
+
+ libcurl: Stop using error codes defined under CURL_NO_OLDIES
+
+ Fixes https://github.com/curl/curl/issues/1688
+ Closes https://github.com/curl/curl/pull/1712
+
+- include.d: clarify --include is only for response headers
+
+ Follow-up to 171f8de and de6de94.
+
+ Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851
+ Reported-by: Daniel Stenberg
+
+Daniel Stenberg (30 Jul 2017)
+- [Jason Juang brought this change]
+
+ cmake: support make uninstall
+
+ Closes #1674
+
+- RELEASE-NOTES: synced with 001701c47
+
+Marcel Raad (29 Jul 2017)
+- AppVeyor: now really use CURL_WERROR
+
+ It was misspelled as CURL_ERROR in commit
+ 2d86e8d1286e0fbe3d811e2e87fa0b5e53722db4.
+
+ Closes https://github.com/curl/curl/pull/1686
+
+Jay Satiro (29 Jul 2017)
+- tool_help: clarify --include is only for response headers
+
+ Follow-up to 171f8de.
+
+ Ref: https://github.com/curl/curl/issues/1704
+
+- splay: fix signed/unsigned mismatch warning
+
+ Follow-up to 4dee50b.
+
+ Ref: https://github.com/curl/curl/pull/1693
+
+Daniel Stenberg (28 Jul 2017)
+- include.d: clarify that it concerns the response headers
+
+ Reported-by: olesteban at github
+ Fixes #1704
+
+- [Johannes Schindelin brought this change]
+
+ curl_rtmp: fix a compiler warning
+
+ The headers of librtmp declare the socket as `int`, and on Windows, that
+ disagrees with curl_socket_t.
+
+ Bug: #1652
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- test1323: verify curlx_tvdiff
+
+- timeval: struct curltime is a struct timeval replacement
+
+ ... to make all libcurl internals able to use the same data types for
+ the struct members. The timeval struct differs subtly on several
+ platforms so it makes it cumbersome to use everywhere.
+
+ Ref: #1652
+ Closes #1693
+
+- darwinssl: fix variable type mistake (regression)
+
+ ... which made --tlsv1.2 not work because it would blank the max tls
+ version variable.
+
+ Reported-by: Nick Miyake
+ Bug: #1703
+
+- multi: mention integer overflow risk if using > 500 million sockets
+
+ Reported-by: ovidiu-benea@users.noreply.github.com
+
+ Closes #1675
+ Closes #1683
+
+- checksrc: escape open brace in regex
+
+ ... to silence warning.
+
+Kamil Dudka (20 Jul 2017)
+- nss: fix a possible use-after-free in SelectClientCert()
+
+ ... causing a SIGSEGV in showit() in case the handle used to initiate
+ the connection has already been freed.
+
+ This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.
+
+ Reported-by: Rob Sanders
+ Bug: https://bugzilla.redhat.com/1436158
+
+- nss: unify the coding style of nss_send() and nss_recv()
+
+ No changes in behavior intended by this commit.
+
+Marcel Raad (18 Jul 2017)
+- tests/server/resolve.c: fix deprecation warning
+
+ MSVC warns that gethostbyname is deprecated. Always use getaddrinfo
+ instead to fix this when IPv6 is enabled, also for IPv4 resolves. This
+ is also consistent with what libcurl does.
+
+ Closes https://github.com/curl/curl/pull/1682
+
+Jay Satiro (17 Jul 2017)
+- darwinssl: fix pinnedpubkey build error
+
+ - s/SessionHandle/Curl_easy/
+
+ Bug: https://github.com/curl/curl/commit/eb16305#commitcomment-23035670
+ Reported-by: Gisle Vanem
+
+Marcel Raad (16 Jul 2017)
+- rtspd: fix GCC warning after MSVC warning fix
+
+ Older GCC warns:
+ /tests/server/rtspd.c:1194:10: warning: missing braces around
+ initializer [-Wmissing-braces]
+
+ Fix this by using memset instead of an initializer.
+
+- libtest: fix MSVC warning C4706
+
+ With warning level 4, MSVC warns about assignments within conditional
+ expressions. Change the while loop to a do-while loop to fix this. This
+ change is also consistent with CODE_STYLE.md.
+
+- sockfilt: suppress conversion warning with explicit cast
+
+ MSVC warns when implicitly casting -1 to unsigned long.
+
+- rtspd: fix MSVC level 4 warning
+
+ warning C4701: potentially uninitialized local variable 'req' used
+
+- winbuild: re-enable warning C4127 for curl tool
+
+ Disabled in cda19a345f6970e22fe8b7a808aeb8f086a21eac. It only needs to
+ be disabled for libcurl.
+
+- winbuild: build with warning level 4
+
+ This is consistent with 7bc64561a2e63ca93e4b0b31d350773ba80955c2, which
+ changed the warning level from 3 to 4 for the Visual Studio project
+ files. But disable the level 4 warning C4127 "conditional expression is
+ constant", as that one is issued by older versions of the Windows SDK
+ as well as curl itself under some circumstances.
+
+ Closes https://github.com/curl/curl/pull/1667
+
+Jay Satiro (12 Jul 2017)
+- [Max Dymond brought this change]
+
+ travis: install libidn2
+
+ Install libidn2 to increase test coverage (IDN tests)
+
+ Closes https://github.com/curl/curl/pull/1673
+
+Marcel Raad (12 Jul 2017)
+- travis: enable warnings also in release mode
+
+ ... to get warnings also on Linux/GCC and OSX/clang.
+
+ Closes https://github.com/curl/curl/pull/1666
+
+Daniel Stenberg (12 Jul 2017)
+- [Max Dymond brought this change]
+
+ travis: install libssh2
+
+ Install libssh2 to increase test coverage (SFTP, SCP)
+
+Marcel Raad (12 Jul 2017)
+- system.h: include winsock2.h before windows.h
+
+ ... to avoid compiler warnings if the user doesn't want
+ WIN32_LEAN_AND_MEAN.
+
+- build: remove WIN32_LEAN_AND_MEAN from individual build systems
+
+ It's defined for all build systems in curl_setup.h since commit
+ beb08481d01a07a8b10938b1078a5e298b1c2912. This caused macro
+ redefinition warnings in the configure builds.
+
+ Closes https://github.com/curl/curl/pull/1677
+
+Jay Satiro (11 Jul 2017)
+- ISSUE_TEMPLATE: Add a comment not to file security issues on github
+
+Marcel Raad (11 Jul 2017)
+- curl_setup: always define WIN32_LEAN_AND_MEAN on Windows
+
+ Make sure to always define WIN32_LEAN_AND_MEAN before including any
+ Windows headers to avoid pulling in unnecessary headers. This avoids
+ unnecessary macro clashes and compiler warnings.
+
+ Ref: https://github.com/curl/curl/issues/1562
+ Closes https://github.com/curl/curl/pull/1672
+
+Jay Satiro (11 Jul 2017)
+- strerror: Preserve Windows error code in some functions
+
+ This is a follow-up to af02162 which removed (SET_)ERRNO macros. That
+ commit was an earlier draft that I committed by mistake, which was then
+ remedied by a5834e5 and e909de6, and now this commit. With this commit
+ there is now no difference between the current code and the changes that
+ were approved in the final draft.
+
+ Thanks-to: Max Dymond, Marcel Raad, Daniel Stenberg, Gisle Vanem
+ Ref: https://github.com/curl/curl/pull/1589
+
+Marcel Raad (10 Jul 2017)
+- [Max Dymond brought this change]
+
+ tests: Fix up issues with errno in test files
+
+ Closes https://github.com/curl/curl/pull/1671
+
+Daniel Stenberg (10 Jul 2017)
+- errno: fix non-windows builds after af0216251b94e7
+
+- [Ryan Winograd brought this change]
+
+ make: fix docs build on OpenBSD
+
+ Ref: #1591
+
+Marcel Raad (10 Jul 2017)
+- ldap: fix MinGW compiler warning
+
+ ldap_bind_s is marked as deprecated in w32api's winldap.h shipping with
+ the latest original MinGW, resulting in compiler warnings since commit
+ f0fe66f13c93d3d0af45d9fb1231c9164e0f9dc8. Fix this for the non-SSPI
+ case by using ldap_simple_bind_s again instead of ldap_bind_s with
+ LDAP_AUTH_SIMPLE.
+
+ Closes https://github.com/curl/curl/pull/1664
+
+- curl-compilers.m4: disable warning spam with Cygwin's clang
+
+ When building with Cygwin or MinGW, libtool uses a wrapper executable
+ instead of a wrapper script [1], which is written in C and throws
+ missing-variable-declarations warnings. Don't enable these warnings on
+ Cygwin and MinGW in order to avoid warnings for every executable built,
+ which spams the test suite output when using Cygwin's clang.
+
+ [1] https://www.gnu.org/software/libtool/manual/html_node/Wrapper-executables.html
+
+ Closes https://github.com/curl/curl/pull/1665
+
+Jay Satiro (10 Jul 2017)
+- curl_setup_once: Remove ERRNO/SET_ERRNO macros
+
+ Prior to this change (SET_)ERRNO mapped to GetLastError/SetLastError
+ for Win32 and regular errno otherwise.
+
+ I reviewed the code and found no justifiable reason for conflating errno
+ on WIN32 with GetLastError/SetLastError. All Win32 CRTs support errno,
+ and any Win32 multithreaded CRT supports thread-local errno.
+
+ Fixes https://github.com/curl/curl/issues/895
+ Closes https://github.com/curl/curl/pull/1589
+
+- tool_getparam: fix potentially uninitialized err
+
+Marcel Raad (9 Jul 2017)
+- smb: rename variable to fix shadowing warning
+
+ GCC 4.6.3 on travis complains:
+ smb.c: In function ‘get_posix_time’:
+ smb.c:725:13: error: declaration of ‘time’ shadows a global declaration
+ [-Werror=shadow]
+
+ Fix this by renaming the variable.
+
+- tool_cb_wrt: fix variable shadowing warning
+
+ GCC 4.4 complains:
+ tool_cb_wrt.c:81: error: declaration of ‘isatty’ shadows a global
+ declaration
+ /usr/include/unistd.h:782: error: shadowed declaration is here
+
+ Fix this by renaming the variable.
+
+ Closes https://github.com/curl/curl/pull/1661
+
+Daniel Stenberg (8 Jul 2017)
+- RELEASE-NOTES: synced with be2c999b8
+
+- travis: install stunnel
+
+- valgrind.supp: supress OpenSSL false positive seen on travis
+
+- travis: detect and use valgrind for normal builds
+
+ Closes #1653
+
+- travis: add SMB, DICT, TELNET torture to coverage test
+
+- [Paul Harris brought this change]
+
+ cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC
+
+ Removes BUILD_RELEASE_DEBUG_DIRS since it wasn't used anywhere.
+
+ Closes #1649
+
+- CURLOPT_POSTFIELDS.3: explain the 100-continue magic better
+
+- [Max Dymond brought this change]
+
+ test1452: add telnet negotiation
+
+ Add a basic telnet server for negotiating some telnet options before
+ echoing back any data that's sent to it.
+
+ Closes #1645
+
+- travis: do more tests in the coverage run
+
+ I added a selection of torture and event tests that run "fast enough"
+
+- curl_easy_escape.3: mention the (lack of) encoding
+
+ Fixes #1612
+ Reported-by: Jeroen Ooms
+
+- [Gisle Vanem brought this change]
+
+ memdebug: don't setbuf() if the file open failed
+
+ Bug: https://github.com/curl/curl/issues/828#issuecomment-313475151
+
+- appveyor: enable CURL_WERROR on all builds
+
+- cmake: add CURL_WERROR for enabling "warning as errors"
+
+- [Hannes Magnusson brought this change]
+
+ cmake: remove spurious "-l" from linker flags
+
+ Fixes #1552
+
+- test506: skip if threaded-resolver
+
+- runtests: support "threaded-resolver" as a feature
+
+ ... to let tests require it or skip if present
+
+- asyn-thread.c: fix unused variable warnings on macOS
+
+- http: s/TINY_INITIAL_POST_SIZE/EXPECT_100_THRESHOLD
+
+ Make the name reflect its use better, and add a short comment describing
+ what it's for.
+
+- cmake: if inet_pton is used, bump _WIN32_WINNT
+
+ ... and make sure inet_pton is always checked for when *not* using Windows,
+ which is a regression from 4fc6ebe18.
+
+ Idea-by: Sergei Nikulov
+
+- select.h: avoid macro redefinition harder
+
+ ... by checking the POLLIN define, as the header file checks don't work
+ on Windows.
+
+- inet_pton: fix include on windows to get prototype
+
+ inet_pton() exists on Windows and gets used by our cmake builds. Make
+ sure the correct header file is included to avoid compiler warnings.
+
+ Closes #1639
+
+- TODO: 1.10 auto-detect proxy
+
+ Closes #1572
+
+- TODO: HTTP proxy CONNECT is non-blocking now
+
+- cmake: fix send/recv argument scanner for windows
+
+ ... by simply trying the Windows argument types first.
+
+ Fixes #1640
+
+- RELEASE-NOTES: synced with 596cfb6c0
+
+- [Gisle Vanem brought this change]
+
+ smb: add support for CURLOPT_FILETIME
+
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
+
+ Closes #1643
+
+- travis: install nghttp2 on linux builds
+
+ Closes #1642
+
+- [Gisle Vanem brought this change]
+
+ smb: fix build for djgpp/MSDOS
+
+ bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
+
+- configure: try ldap/lber in reversed order first
+
+ When scanning for which LDAP libraries to use, try the -lldap -llber
+ combination before the reversed order since it has a greater chance of
+ working when linking with libcurl statically.
+
+ Fixes #1619
+ Closes #1634
+ Reported-by: David E. Narváez
+
+- configure: remove checks for 5 functions never used
+
+ fork, getprotobyname, inet_addr, perror, uname
+
+ closes #1638
+
+- dist: add SMB python deps into the tarball
+
+- [Max Dymond brought this change]
+
+ test1451: add SMB support to the testbed
+
+ Add test 1451 which does some very basic SMB testing using the impacket
+ SMB server.
+
+ Closes #1630
+
+- [Max Dymond brought this change]
+
+ test: add impacket for SMB testing
+
+ Import impacket 0.9.15 for use in SMB testing. This was generated by
+ doing "pip2.7 install -t . impacket"
+
+ Unnecessary files for current testing were deleted.
+
+- travis.yml: use --enable-werror on debug builds
+
+ ... to better detect and fault on compiler warnings/errors
+
+ Closes #1637
+
+- tool_sleep: typecast to avoid macos compiler warning
+
+ tool_sleep.c:54:24: error: implicit conversion loses integer precision:
+ 'long' to '__darwin_suseconds_t' (aka 'int')
+ [-Werror,-Wshorten-64-to-32]
+
+- [Martin Kepplinger brought this change]
+
+ timeval.c: Use long long constant type for timeval assignment
+
+ On a 64 bit host, sparse says:
+
+ timeval.c:148:15: warning: constant 0x7fffffffffffffff is so big it is long
+ timeval.c:149:12: warning: constant 0x7fffffffffffffff is so big it is long
+
+ so let's use long long constant types in order to prevent undesired overflow
+ failures.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0003.html
+
+ Closes #1636
+
+ Signed-off-by: Martin Kepplinger <martink@posteo.de>
+
+- url: make the original string get used on subsequent transfers
+
+ ... since CURLOPT_URL should follow the same rules as other options:
+ they remain set until changed or cleared.
+
+ Added test 1551 to verify.
+
+ Fixes #1631
+ Closes #1632
+ Reported-by: Pavel Rochnyak
+
+- [Johannes Schindelin brought this change]
+
+ gtls: fix build when sizeof(long) < sizeof(void *)
+
+ - Change gnutls pointer/int macros to pointer/curl_socket_t.
+ Prior to this change they used long type as well.
+
+ The size of the `long` data type can be shorter than that of pointer
+ types. This is the case most notably on Windows.
+
+ If C99 were acceptable, we could simply use `intptr_t` here. But we
+ want to retain C89 compatibility.
+
+ Simply use the trick of performing pointer arithmetic with the NULL
+ pointer: to convert an integer `i` to a pointer, simply take the
+ address of the `i`th element of a hypothetical character array
+ starting at address NULL. To convert back, simply cast the pointer
+ difference.
+
+ Thanks to Jay Satiro for the initial modification to use curl_socket_t
+ instead of int/long.
+
+ Closes #1617
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Ryan Winograd brought this change]
+
+ unit1399: fix integer overflow
+
+ Bug: #1616
+ Closes #1633
+
+- [Per Malmberg brought this change]
+
+ cmake: Added compatibility options for older Windows versions
+
+ CURL_STATIC_CRT and ENABLE_INET_PTON
+
+ Closes #1621
+
+- unit1399: add logging to time comparison
+
+ ... to enable tracking down why autobuilds fail on this
+
+ Bug: #1616
+
+- make: build the docs subdir only from within src
+
+ ... and don't build at all in include
+
+ Prompted-by-work-by: Simon Warta
+ Ref: #1590
+ Closes #1591
+
+- [Max Dymond brought this change]
+
+ test1450: fix up DICT server in torture mode
+
+ As per https://github.com/curl/curl/pull/1615, the DICT server is a
+ little spammy in torture mode due to the sockets being torn down
+ unexpectedly. Fix this by adding some error handling to the handling
+ function.
+
+ Closes #1629
+
+- [Max Dymond brought this change]
+
+ test1450: add simple testing for DICT
+
+ Add a new server which provides a DICT interface. This is intended to
+ begin coverage testing for lib/dict.c
+
+ Closes #1615
+
+- [Dan Fandrich brought this change]
+
+ test1521: fix out-of-tree builds, broken with 467da3af
+
+ The test.h file is no longer in the same directory as the source file,
+ so that directory needs to be added to the include path.
+
+ Fixes #1627
+ Closes #1628
+
+- [Max Dymond brought this change]
+
+ http2: handle PING frames
+
+ Add a connection check function to HTTP2 based off RTSP. This causes
+ PINGs to be handled the next time the connection is reused.
+
+ Closes #1521
+
+- [Max Dymond brought this change]
+
+ handler: refactor connection checking
+
+ Add a new type of callback to Curl_handler which performs checks on
+ the connection. Alter RTSP so that it uses this callback to do its
+ own check on connection health.
+
+- [Dmitry Kostjuchenko brought this change]
+
+ openssl: improve fallback seed of PRNG with a time based hash
+
+ Fixes #1620
+
+- [Ryan Winograd brought this change]
+
+ progress: prevent resetting t_starttransfer
+
+ Prevent `Curl_pgrsTime` from modifying `t_starttransfer` when invoked
+ with `TIMER_STARTTRANSFER` more than once during a single request.
+
+ When a redirect occurs, this is considered a new request and
+ `t_starttransfer` can be updated to reflect the `t_starttransfer` time
+ of the redirect request.
+
+ Closes #1616
+
+ Bug: https://github.com/curl/curl/pull/1602#issuecomment-310267370
+
+- curl_strequal.3: fix typo in SYNOPSIS
+
+ Reported-by: Jesse Chisholm
+
+ Fixes #1623
+
+- RELEASE-NOTES: synced with ce2c3ebda
+
+Kamil Dudka (28 Jun 2017)
+- curl --socks5-{basic,gssapi}: control socks5 auth
+
+ Closes https://github.com/curl/curl/pull/1454
+
+- CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth
+
+ If libcurl was built with GSS-API support, it unconditionally advertised
+ GSS-API authentication while connecting to a SOCKS5 proxy. This caused
+ problems in environments with improperly configured Kerberos: a stock
+ libcurl failed to connect, despite libcurl built without GSS-API
+ connected fine using username and password.
+
+ This commit introduces the CURLOPT_SOCKS5_AUTH option to control the
+ allowed methods for SOCKS5 authentication at run time.
+
+ Note that a new option was preferred over reusing CURLOPT_PROXYAUTH
+ for compatibility reasons because the set of authentication methods
+ allowed by default was different for HTTP and SOCKS5 proxies.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html
+ Closes https://github.com/curl/curl/pull/1454
+
+- socks: deduplicate the code for auth request
+
+- socks: use proxy_user instead of proxy_name
+
+ ... to make it obvious what the data is used for
+
+Daniel Stenberg (27 Jun 2017)
+- libtest/make: generate lib1521.c
+
+ ... instead of having the generated code checked in. This saves space in
+ the tarball but primarily automatically adapts to newly added options.
+
+ Closes #1614
+
+Jay Satiro (26 Jun 2017)
+- tool_getparam: fix memory leak on test 1147 OOM (torture tests)
+
+ Bug: https://github.com/curl/curl/pull/1486#issuecomment-310926872
+ Reported-by: Dan Fandrich
+
+Dan Fandrich (25 Jun 2017)
+- test1537: fixed memory leak on OOM
+
+Marcel Raad (25 Jun 2017)
+- test1521: fix compiler warnings
+
+ The integer literal 3123123123 doesn't fit into a 32-bit signed
+ integer, so GCC with 32-bit long warns in C90 mode:
+ this decimal constant is unsigned only in ISO C90 [enabled by default]
+ Fix this by using ULONG_MAX, which should fit in any curl_off_t and has
+ the correct suffix to not issue any warnings.
+ Also adds the missing CURLOPT_REQUEST_TARGET from commit
+ 9b167fd090f596eac828817d48c247eeae53407f.
+
+ Closes https://github.com/curl/curl/pull/1611
+
+Daniel Stenberg (24 Jun 2017)
+- curl/system.h: add check for XTENSA for 32bit gcc
+
+ Reported-by: Neil Kolban
+ Fixes: 1598
+
+- [Henrik S. Gaßmann brought this change]
+
+ winbuild: fix boringssl build
+
+ Compile with `WIN32_LEAN_AND_MEAN` which prevents `windows.h` from
+ including too much clutter including `wincrypt.h` which in turn contains
+ some preprocessor macros that clash with boringssl symbols.
+
+ Detect boringssl by checking the existance of `is_boringssl.h` and set
+ the corresponding `HAVE_BORINGSSL` for compilation which is used in
+ `ldap.c` to undefine the evil macros.
+
+ Closes #1610
+
+- progress: progress.timespent needs to be us
+
+ follow-up to 64ed44a815e4e to fix test 500 failures
+
+Marcel Raad (24 Jun 2017)
+- curl-compilers.m4: fix unknown-warning-option on Apple clang
+
+ Since 5598b0bd63f690c151074494ce47ef872f004ab4, clang -v is used to
+ detect the clang version. The version number was expected to come after
+ the word "version". For Apple clang, this doesn't work as it has its
+ own versioning scheme.
+ The version number is now first searched after the string
+ "based on LLVM". This works for Apple clang before version 7, and also
+ for e.g. Ubuntu's clang up to version 3.7. If it's not found and the
+ version string contains "Apple LLVM version", clang version 3.7 is
+ assumed, which is the version that comes with Xcode 7. Otherwise, the
+ version number is still expected after the word "version", which works
+ for very old Apple clang versions.
+
+ Ref: https://trac.macports.org/wiki/XcodeVersionInfo
+ Fixes https://github.com/curl/curl/issues/1606
+ Closes https://github.com/curl/curl/pull/1607
+
+Daniel Stenberg (24 Jun 2017)
+- progress: fix "time spent", broke in adef394ac
+
+- CURLINFO_REDIRECT_URL.3: mention the CURLOPT_MAXREDIRS case
+
+ ... supported since 7.54.1
+
+- maketgz: switch to -6e for xz
+
+ To reduce the memory requirement for decompress, and still do almost as
+ good compression as with -9e.
+
+ Pointed-out-by: Dan Fandrich
+
+- libtest/Makefile: remove unused lib1541 variables
+
+- CONTRIBUTE.md: mention the out-of-tree build test too
+
+- maketgz: switch to xz instead of lzma
+
+ The compressed output size seems to be a tad bit smaller, but generally
+ xz seems more preferred these days and is used directly by for example
+ gentoo instead of bz2.
+
+ "Users of LZMA Utils should move to XZ Utils" =>
+ https://tukaani.org/lzma/
+
+ Closes #1604
+
+- --request-target: instead of --strip-path-slash
+
+ ... and CURLOPT_REQUEST_TARGET instead of CURLOPT_STRIP_PATH_SLASH.
+
+ This option instead provides the full "alternative" target to use in the
+ request, instead of extracting the path from the URL.
+
+ Test 1298 and 1299 updated accordingly.
+
+ Idea-by: Evert Pot
+ Suggestion: https://daniel.haxx.se/blog/2017/06/19/options-with-curl/comment-page-1/#comment-18373
+
+ Closes #1593
+
+Marcel Raad (21 Jun 2017)
+- lib1521: fix missing-variable-declarations clang warnings
+
+ Declare TU-local variables static.
+
+- travis: enable typecheck-gcc warnings
+
+ - switch debug and release configurations so that we get an optimized
+ build with GCC 4.3+ as required by typecheck-gcc
+ - enable warnings-as-errors for release builds
+ (which have warnings disabled)
+
+ Closes https://github.com/curl/curl/pull/1595
+
+- typecheck-gcc: add support for CURLINFO_OFF_T
+
+ typecheck-gcc expected curl_socket_t instead of curl_off_t arguments
+ for CURLINFO_OFF_T. Detected by test1521, unfortunately only when run
+ locally.
+
+ Closes https://github.com/curl/curl/pull/1592
+
+Daniel Stenberg (21 Jun 2017)
+- [Simon Warta brought this change]
+
+ ci: whitelist branches to avoid testing feature branches twice
+
+- [Gisle Vanem brought this change]
+
+ lib: fix the djgpp build
+
+ Bug: https://github.com/curl/curl/commit/73a2fcea0b4adea6ba342cd7ed1149782c214ae3#commitcomment-22655993
+
+Marcel Raad (20 Jun 2017)
+- if2ip: fix compiler warning in ISO C90 mode
+
+ remote_scope_id is only used when both HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID
+ and ENABLE_IPV6 are defined instead of only one of them.
+
+Daniel Stenberg (20 Jun 2017)
+- travis: do the distcheck test build out-of-tree as well
+
+- http: add --strip-path-slash and CURLOPT_STRIP_PATH_SLASH
+
+ ... to enable sending "OPTIONS *" which wasn't possible previously.
+
+ This option currently only works for HTTP.
+
+ Added test cases 1298 + 1299 to verify
+
+ Fixes #1280
+ Closes #1462
+
+- test1521: test getinfo's OFF_T types too
+
+ Closes #1588
+
+- lib1521: add curl_easy_getinfo calls to the test set
+
+ Also added return value checks to make sure no unexpected return codes
+ are used.
+
+- [Simon Warta brought this change]
+
+ automake: use $(MKHELP) variable instead if constant mkhelp.pl
+
+ this improves symmetry with the rule above
+
+- [Simon Warta brought this change]
+
+ mkhelp.pl: fix script name in usage text
+
+- RELEASE-NOTES: synced with 3b80d3ca4
+
+- getinfo: return sizes as curl_off_t
+
+ This change introduces new alternatives for the existing six
+ curl_easy_getinfo() options that return sizes or speeds as doubles. The
+ new versions are named like the old ones but with an appended '_T':
+
+ CURLINFO_CONTENT_LENGTH_DOWNLOAD_T
+ CURLINFO_CONTENT_LENGTH_UPLOAD_T
+ CURLINFO_SIZE_DOWNLOAD_T
+ CURLINFO_SIZE_UPLOAD_T
+ CURLINFO_SPEED_DOWNLOAD_T
+ CURLINFO_SPEED_UPLOAD_T
+
+ Closes #1511
+
+- PIPELINING_SERVER_BL: cleanup the internal list use
+
+ The list was freed incorrectly since the llist refactor of
+ cbae73e1dd959. Added test 1550 to verify that it works and avoid future
+ regressions.
+
+ Reported-by: Pascal Terjan
+
+ Fixes #1584
+ Closes #1585
+
+- http2: fix OOM crash
+
+ torture mode with test 1021 found it
+
+- CURLOPT_PREQUOTE.3: spellfix man page reference
+
+Marcel Raad (18 Jun 2017)
+- http_proxy: fix build with http and proxy
+
+ After deff7de0eb0e22d2d142b96b9cc84cd8db5d2a48, the build without
+ CURL_DISABLE_PROXY and CURL_DISABLE_HTTP was failing because of missing
+ includes.
+
+- http_proxy: fix compiler warning
+
+ With CURL_DISABLE_PROXY or CURL_DISABLE_HTTP, GCC complained about a
+ missing prototype for Curl_connect_free.
+
+Daniel Stenberg (18 Jun 2017)
+- TODO: update the TOC too
+
+- TODO: implement support for CURLOPT_PREQUOTE with SFTP
+
+ ... also updated the CURLOPT_PREQUOTE.3 man page to mention the correct
+ protocol support.
+
+ Closes #1514
+
+- tool_wrte_cb: remove check for config == NULL
+
+ ... as it really cannot have reached this far with config being NULL,
+ thus this is unnecesary and misleading.
+
+ Bug: https://news.ycombinator.com/item?id=14577585 and
+ https://daniel.haxx.se/blog/2017/06/17/curl-doesnt-spew-binary-anymore/comment-page-1/#comment-18356
+
+ Forwarded-to-us-by: Jakub Wilk
+
+- curl: prevent binary output spewed to terminal
+
+ ... unless "--output -" is used. Binary detection is done by simply
+ checking for a binary zero in early data.
+
+ Added test 1425 1426 to verify.
+
+ Closes #1512
+
+Marcel Raad (16 Jun 2017)
+- Makefile.m32: enable -W for MinGW32 build
+
+ The configure-based build also has this in addition to -Wall.
+
+ Closes https://github.com/curl/curl/pull/1578
+
+- curl-compilers.m4: enable comma clang warning
+
+ It usually warns when using commas instead of semicolons or other
+ operators by accident.
+
+ Closes https://github.com/curl/curl/pull/1578
+
+- curl-compilers.m4: enable missing-variable-declarations clang warning
+
+ It usually warns when forgetting to declare TU-local variables static.
+
+ Closes https://github.com/curl/curl/pull/1578
+
+- curl-compilers.m4: enable double-promotion warning
+
+ Enable -Wdouble-promotion for both GCC and clang. It warns on implicit
+ promotion from float to double.
+
+ Closes https://github.com/curl/curl/pull/1578
+
+- curl-compilers.m4: enable vla warning for clang
+
+ Previously, that warning was only implicitly active in C90 mode.
+ Enable it unconditionally as already done for GCC.
+
+ Closes https://github.com/curl/curl/pull/1578
+
+Daniel Stenberg (16 Jun 2017)
+- http-proxy: fix chunked-encoded CONNECT responses
+
+ Regression since 5113ad0424.
+
+ ... and remove 'flaky' from test 1061 again
+
+ Closes #1579
+
+- http-proxy: deal with EAGAIN
+
+ ... the previous code would reset the header length wrongly (since
+ 5113ad0424). This makes test 1060 reliable again.
+
+ Also: make sws send even smaller chunks of data to increase the
+ likeliness of this happening.
+
+- libtest/libntlmconnect: fix compiler warnings from f94fcdb
+
+- [Jay Satiro brought this change]
+
+ HTTPS-Proxy: don't offer h2 for https proxy connections
+
+ Bug: https://github.com/curl/curl/issues/1254
+
+ Closes #1546
+
+- tests: stabilize test 2032 and 2033
+
+ Both these tests run the same underlying test code: libntlmconnect.c -
+ this test code made some assumptions about socket ordering when it used
+ curl_easy_fdset() and when we changed timing or got accidental changes
+ in libcurl the tests would fail.
+
+ The tests verify that the different transfers keep using the same
+ connections, which I now instead made sure by adding the number of bytes
+ each transfer gets and then verifies that they always get the same
+ amount as when these tests worked.
+
+ Closes #1576
+
+- test1148: verify the -# progressbar
+
+ Closes #1569
+
+- test1061: mark as flaky
+
+ Fails intermittently on travis builds since a few days. Likely due to
+ 5113ad0424.
+
+Jay Satiro (16 Jun 2017)
+- url: refactor the check for Windows drive letter in path
+
+ - Move the logic to detect a Windows drive letter prefix
+ (eg c: in c:foo) into a function-like macro.
+
+ Closes https://github.com/curl/curl/pull/1571
+
+- mk-ca-bundle.pl: Check curl's exit code after certdata download
+
+ - No longer allow partial downloads of certdata.
+
+ Prior to this change partial downloads were (erroneously?) allowed since
+ only the server code was checked to be 200.
+
+ Bug: https://github.com/curl/curl/pull/1577
+ Reported-by: Matteo B.
+
+Daniel Stenberg (16 Jun 2017)
+- dist: add the fuzz dir to the tarball
+
+- configure: disable nghttp2 too if HTTP has been disabled
+
+- http-proxy: fix build with --disable-proxy or --disable-http
+
+ Reported-by: Dan Fandrich
+
+- fuzz/README: document how to build
+
+ Fixes #1476
+
+- [Frederik B brought this change]
+
+ fuzz: corpora file structure, initial commit
+
+- [Frederik B brought this change]
+
+ fuzz: bring oss-fuzz initial code converted to C89
+
+- http-proxy: only attempt FTP over HTTP proxy
+
+ ... all other non-HTTP protocol schemes are now defaulting to "tunnel
+ trough" mode if a HTTP proxy is specified. In reality there are no HTTP
+ proxies out there that allow those other schemes.
+
+ Assisted-by: Ray Satiro, Michael Kaufmann
+
+ Closes #1505
+
+- TODO: the generated include file is gone
+
+ ... since commit 73a2fcea0b
+
+- curl_setup.h: error out on CURL_WANTS_CA_BUNDLE_ENV use
+
+ ... to make it really apparent if there's any user using this on purpose.
+
+ Suggested-by: Jay Satiro
+
+ Closes #1542
+
+- lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV
+
+ When this define was set, libcurl would check the environment variable
+ named CURL_CA_BUNDLE at run-time and use that CA cert bundle. This
+ feature was only defined by the watcom and m32 makefiles and caused
+ inconsistent behaviours among libcurls built on different platforms.
+
+ The curl tool does already feature its own similar logic and the library
+ does not really need it, and it isn't documented libcurl behavior. So
+ this change removes it.
+
+ Ref: #1538
+
+- test1147: verify -H on a file
+
+- curl: allow --header and --proxy-header read from file
+
+ So many headers can be provided as @filename.
+
+ Suggested-by: Timothe Litt
+
+ Closes #1486
+
+- RELEASE-NOTES: synced with 2ad80eec5
+
+- curl/curlver.h: start working on 7.55.0
+
+- http-proxy: do the HTTP CONNECT process entirely non-blocking
+
+ Mentioned as a problem since 2007 (8f87c15bdac63) and of course it
+ existed even before that.
+
+ Closes #1547
+
+- progress: let "current speed" be UL + DL speeds combined
+
+ Bug #1556
+ Reported-by: Paul Harris
+ Closes #1559
+
+Marcel Raad (14 Jun 2017)
+- system.h: fix MinGW build
+
+ CURLSYS_PULL_WS2TCPIP_H got renamed to CURL_PULL_WS2TCPIP_H in commit
+ 73a2fcea0b4adea6ba342cd7ed1149782c214ae3.
+
+Daniel Stenberg (14 Jun 2017)
+- timers: store internal time stamps as time_t instead of doubles
+
+ This gives us accurate precision and it allows us to avoid storing "no
+ time" for systems with too low timer resolution as we then bump the time
+ up to 1 microsecond. Should fix test 573 on windows.
+
+ Remove the now unused curlx_tvdiff_secs() function.
+
+ Maintains the external getinfo() API with using doubles.
+
+ Fixes #1531
+
+- dist: make the hugehelp.c not get regenerated unnecessarily
+
+ The maketgz script now makes sure the generated hugehelp.c file in the
+ tarball is newer than the generated curl.1 man page, so that it doesn't
+ have to get unnecessarily rebuilt first thing in a typical build. It
+ thus also removes the need for perl to build off a plain release
+ tarball.
+
+ Fixes #1565
+
+- includes: remove curl/curlbuild.h and curl/curlrules.h
+
+ Rely entirely on curl/system.h now.
+
+ Introduced in Aug 2008 with commit 14240e9e109f. Now gone.
+
+ Fixes #1456
+
+Version 7.54.1 (14 Jun 2017)
+
+Daniel Stenberg (14 Jun 2017)
+- release: 7.54.1
+
+Dan Fandrich (13 Jun 2017)
+- mk-lib1521.pl: updated to match the test changes in 916ec30a
+
+Daniel Stenberg (13 Jun 2017)
+- [Stuart Henderson brought this change]
-Daniel Stenberg (8 Mar 2009)
-- Andre Guibert de Bruet found and fixed a code segment in ssluse.c where the
- allocation of the memory BIO was not being properly checked.
-
-- Andre Guibert de Bruet fixed the gnutls-using code: There are a few places
- in the gnutls code where we were checking for negative values for errors,
- when the man pages state that GNUTLS_E_SUCCESS is returned on success and
- other values indicate error conditions.
-
-- Bill Egert pointed out (http://curl.haxx.se/bug/view.cgi?id=2671602) that
- curl didn't use sprintf() in a way that is documented to work in POSIX but
- since we use our own printf() code (from libcurl) that shouldn't be a
- problem. Nonetheless I modified the code to not rely on such particular
- features and to not cause further raised eyebrowse with no good reason.
-
-Daniel Fandrich (5 Mar 2009)
-- Expanded the security section of the libcurl-tutorial man page to cover
- more issues for authors to consider when writing robust libcurl-using
- applications.
-
-Yang Tse (5 Mar 2009)
-- Fixed NTLM authentication memory leak on SSPI enabled Windows builds. This
- issue was noticed by Chris Deidun.
-
-Daniel Fandrich (4 Mar 2009)
-- Fixed a problem with m4 quoting in the OpenSSL configure check reported
- by Daniel Johnson.
-
-Daniel Stenberg (3 Mar 2009)
-- David James brought a patch that make libcurl close (all) dead connections
- whenever you attempt to open a new connection.
-
- 1. After cleaning up a dead connection, "continue" instead of
- returning FALSE. This ensures that we clean up all dead connections,
- rather than just cleaning up the first dead connection.
- 2. Move up the cleanup for dead connections so that it occurs for
- all connections, rather than just the connections which have the same
- preferences as our current new connection.
-
-Version 7.19.4 (3 March 2009)
-
-Daniel Stenberg (3 Mar 2009)
-- David Kierznowski notified us about a security flaw
- (http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in
- which previous libcurl versions (by design) can be tricked to access an
- arbitrary local/different file instead of a remote one when
- CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
- together this the addition of two new setopt options for controlling this
- new behavior:
-
- o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
- follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
- excludes the FILE and SCP protocols and thus you nee to explicitly allow
- them in your app if you really want that behavior.
-
- o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
- using the primary URL option. This is useful if you want to allow a user or
- other outsiders control what URL to pass to libcurl and yet not allow all
- protocols libcurl may have been built to support.
-
-Daniel Stenberg (27 Feb 2009)
-- Senthil Raja Velu reported a problem when CURLOPT_INTERFACE and
- CURLOPT_LOCALPORT were used together (the local port bind failed), and
- Markus Koetter provided the fix!
-
-Daniel Stenberg (25 Feb 2009)
-- As Daniel Fandrich figured out, we must do the GnuTLS initing in the
- curl_global_init() function to properly maintain the performing functions
- thread-safe. We've previously (28 April 2007) moved the init to a later time
- just to avoid it to fail very early when libgcrypt dislikes the situation,
- but that move was bad and the fix should rather be in libgcrypt or
- elsewhere.
-
-Daniel Stenberg (24 Feb 2009)
-- Brian J. Murrell found out that Negotiate proxy authentication didn't work.
- It happened because the code used the struct for server-based auth all the
- time for both proxy and server auth which of course was wrong.
-
-Daniel Stenberg (23 Feb 2009)
-- After a bug reported by James Cheng I've made curl_easy_getinfo() for
- CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD return
- -1 if the sizes aren't know. Previously these returned 0, make it impossible
- to detect the difference between actually zero and unknown.
-
-Yang Tse (23 Feb 2009)
-- Daniel Johnson provided a shell script that will perform all the steps needed
- to build a Mac OS X fat ppc/i386 or ppc64/x86_64 libcurl.framework
-
-Daniel Stenberg (23 Feb 2009)
-- I renamed everything in the windows builds files that used the name 'curllib'
- to the proper 'libcurl' as clearly this caused confusion.
-
-Yang Tse (20 Feb 2009)
-- Do not halt compilation when using VS2008 to build a Windows 2000 target.
-
-Daniel Stenberg (20 Feb 2009)
-- Linus Nielsen Feltzing reported and helped me repeat and fix a problem with
- FTP with the multi interface: when a transfer fails, like when aborted by a
- write callback, the control connection was wrongly closed and thus not
- re-used properly.
-
- This change is also an attempt to cleanup the code somewhat in this area, as
- now the FTP code attempts to keep (better) track on pending responses
- necessary to get read in ftp_done().
-
-Daniel Stenberg (19 Feb 2009)
-- Patrik Thunstrom reported a problem and helped me repeat it. It turned out
- libcurl did a superfluous 1000ms wait when doing SFTP downloads!
-
- We read data with libssh2 while doing the "DO" operation for SFTP and then
- when we were about to start getting data for the actual file part, the
- "TRANSFER" part, we waited for socket action (in 1000ms) before doing a
- libssh2-read. But in this case libssh2 had already read and buffered the
- data so we ended up always just waiting 1000ms before we get working on the
- data!
-
-Patrick Monnerat (18 Feb 2009)
-- FTP downloads (i.e.: RETR) ending with code 550 now return error
- CURLE_REMOTE_FILE_NOT_FOUND instead of CURLE_FTP_COULDNT_RETR_FILE.
-
-Daniel Stenberg (17 Feb 2009)
-- Kamil Dudka made NSS-powered builds compile and run again!
-
-- A second follow-up change by Andre Guibert de Bruet to fix a related memory
- leak like that fixed on the 14th. When zlib returns failure, we need to
- cleanup properly before returning error.
-
-- CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 in addition to 1 for
- plain FTP connections, and it will then allow MKD to fail once and retry the
- CWD afterwards. This is especially useful if you're doing many simultanoes
- connections against the same server and they all have this option enabled,
- as then CWD may first fail but then another connection does MKD before this
- connection and thus MKD fails but trying CWD works! The numbers can
- (should?) now be set with the convenience enums now called
- CURLFTP_CREATE_DIR and CURLFTP_CREATE_DIR_RETRY.
-
- Tests has proven that if you're making an application that uploads a set of
- files to an ftp server, you will get a noticable gain in speed if you're
- using multiple connections and this option will be then be very useful.
-
-Daniel Stenberg (14 Feb 2009)
-- Andre Guibert de Bruet found and fixed a memory leak in the content encoding
- code, which could happen on libz errors.
-
-Daniel Fandrich (12 Feb 2009)
-- Added support for Digest and NTLM authentication using GnuTLS.
-
-Daniel Stenberg (11 Feb 2009)
-- CURLINFO_CONDITION_UNMET was added to allow an application to get to know if
- the condition in the previous request was unmet. This is typically a time
- condition set with CURLOPT_TIMECONDITION and was previously not possible to
- reliably figure out. From bug report #2565128
- (http://curl.haxx.se/bug/view.cgi?id=2565128) filed by Jocelyn Jaubert.
-
-Daniel Fandrich (4 Feb 2009)
-- Don't add the standard /usr/lib or /usr/include paths to LDFLAGS and CPPFLAGS
- (respectively) when --with-ssl=/usr is used (patch based on FreeBSD).
-
-- Added an explicit buffer limit check in msdosify() (patch based on FreeBSD).
- This couldn't ever overflow in curl, but might if the code were used
- elsewhere or under different conditions.
-
-Daniel Stenberg (3 Feb 2009)
-- Hidemoto Nakada provided a small fix that makes it possible to get the
- CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with
- CURLOPT_NOBODY set true.
-
-Daniel Stenberg (2 Feb 2009)
-- Patrick Scott found a rather large memory leak when using the multi
- interface and setting CURLMOPT_MAXCONNECTS to something less than the number
- of handles you add to the multi handle. All the connections that didn't fit
- in the cache would not be properly disconnected nor freed!
-
-- Craig A West brought us: libcurl now defaults to do CONNECT with HTTP
- version 1.1 instead of 1.0 like before. This change also introduces the new
- proxy type for libcurl called 'CURLPROXY_HTTP_1_0' that then allows apps to
- switch (back) to CONNECT 1.0 requests. The curl tool also got a --proxy1.0
- option that works exactly like --proxy but sets CURLPROXY_HTTP_1_0.
-
- I updated all test cases cases that use CONNECT and I tried to do some using
- --proxy1.0 and some updated to do CONNECT 1.1 to get both versions run.
-
-Daniel Stenberg (31 Jan 2009)
-- When building with c-ares 1.6.1 (not yet released) or later and IPv6 support
- enabled, we can now take advantage of its brand new AF_UNSPEC support in
- ares_gethostbyname(). This makes test case 241 finally run fine for me with
- this setup since it now parses the "::1 ip6-localhost" line fine in my
- /etc/hosts file!
-
-Daniel Stenberg (30 Jan 2009)
-- Scott Cantor filed bug report #2550061
- (http://curl.haxx.se/bug/view.cgi?id=2550061) mentioning that I failed to
- properly make sure that the VC9 makefiles got included in the latest
- release. I've now fixed the release script and verified it so next release
- will hopefully include them properly!
-
-Daniel Fandrich (30 Jan 2009)
-- Fixed --disable-proxy for FTP and SOCKS. Thanks to Daniel Egger for
- reporting.
-
-Yang Tse (29 Jan 2009)
-- Introduced curl_sspi.c and curl_sspi.h for the implementation of functions
- Curl_sspi_global_init() and Curl_sspi_global_cleanup() which previously were
- named Curl_ntlm_global_init() and Curl_ntlm_global_cleanup() in http_ntlm.c
- Also adjusted socks_sspi.c to remove the link-time dependency on the Windows
- SSPI library using it now in the same way as it was done in http_ntlm.c.
-
-Daniel Stenberg (28 Jan 2009)
-- Markus Moeller introduced two new options to libcurl:
- CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl
- to do GSS-style authentication with SOCKS5 proxies. The curl tool got the
- options called --socks5-gssapi-service and --socks5-gssapi-nec to enable
- these.
-
-Daniel Stenberg (26 Jan 2009)
-- Chad Monroe provided the new CURLOPT_TFTP_BLKSIZE option that allows an app
- to set desired block size to use for TFTP transfers instead of the default
- 512 bytes.
-
-- The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
- disable "rfc4507bis session ticket support". rfc4507bis was later turned
- into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077
-
- The enabled extension concerns the session management. I wonder how often
- libcurl stops a connection and then resumes a TLS session. also, sending the
- session data is some overhead. .I suggest that you just use your proposed
- patch (which explicitly disables TICKET).
-
- If someone writes an application with libcurl and openssl who wants to
- enable the feature, one can do this in the SSL callback.
-
- Sharad Gupta brought this to my attention. Peter Sylvester helped me decide
- on the proper action.
-
-- Alexey Borzov filed bug report #2535504
- (http://curl.haxx.se/bug/view.cgi?id=2535504) pointing out that realms with
- quoted quotation marks in HTTP Digest headers didn't work. I've now added
- test case 1095 that verifies my fix.
-
-- Craig A West brought CURLOPT_NOPROXY and the corresponding --noproxy option.
- They basically offer the same thing the NO_PROXY environment variable only
- offered previously: list a set of host names that shall not use the proxy
- even if one is specified.
-
-Daniel Fandrich (20 Jan 2009)
-- Call setlocale() for libtest tests to test the effects of locale-induced
- libc changes on libcurl.
-
-- Fixed a couple more locale-dependent toupper conversions, mainly for
- clarity. This does fix one problem that causes ;type=i FTP URLs
- to fail in the Turkish locale when CURLOPT_PROXY_TRANSFER_MODE is
- used (test case 561)
-
-- Added tests 561 and 1091 through 1094 to test various combinations
- of ;type= and ;mode= URLs that could potentially fail in the Turkish
- locale.
-
-Daniel Stenberg (20 Jan 2009)
-- Lisa Xu pointed out that the ssh.obj file was missing from the
- lib/Makefile.vc6 file (and thus from the vc8 and vc9 ones too).
-
-Version 7.19.3 (19 January 2009)
-
-Daniel Stenberg (16 Jan 2009)
-- Andrew de los Reyes fixed curlbuild.h for "generic" gcc builds on PPC, both
- 32 bit and 64 bit.
-
-Daniel Stenberg (15 Jan 2009)
-- Tim Ansell fixed a compiler warning in lib/cookie.c
-
-Daniel Stenberg (14 Jan 2009)
-- Grant Erickson fixed timeouts for TFTP such that specifying a
- connect-timeout, a max-time or both options work correctly and as expected
- by passing the correct boolean value to Curl_timeleft via the
- 'duringconnect' parameter.
-
- With this small change, curl TFTP now behaves as expected (and likely as
- originally-designed):
-
- 1) For non-existent or unreachable dotted IP addresses:
-
- a) With no options, follows the default curl 300s timeout...
- b) With --connect-timeout only, follows that value...
- c) With --max-time only, follows that value...
- d) With both --connect-timeout and --max-time, follows the smaller value...
-
- and times out with a "curl: (7) Couldn't connect to server" error.
-
- 2) For transfers to/from a valid host:
-
- a) With no options, follows default curl 300s timeout for the
- first XRQ/DATA/ACK transaction and the default TFTP 3600s
- timeout for the remainder of the transfer...
-
- b) With --connect-time only, follows that value for the
- first XRQ/DATA/ACK transaction and the default TFTP 3600s
- timeout for the remainder of the transfer...
-
- c) With --max-time only, follows that value for the first
- XRQ/DATA/ACK transaction and for the remainder of the
- transfer...
-
- d) With both --connect-timeout and --max-time, follows the former
- for the first XRQ/DATA/ACK transaction and the latter for the
- remainder of the transfer...
-
- and times out with a "curl: (28) Timeout was reached" error as
- appropriate.
-
-Daniel Stenberg (13 Jan 2009)
-- Michael Wallner fixed a NULL pointer deref when calling
- curl_easy_setup(curl, CURLOPT_COOKIELIST, "SESS") on a CURL handle with no
- cookies data.
-
-- Stefan Teleman brought a patch to fix the default curlbuild.h file for the
- SunPro compilers.
-
-Daniel Stenberg (12 Jan 2009)
-- Based on bug report #2498665 (http://curl.haxx.se/bug/view.cgi?id=2498665)
- by Daniel Black, I've now added magic to the configure script that makes it
- use pkg-config to detect gnutls details as well if the existing method
- (using libgnutls-config) fails. While doing this, I cleaned up and unified
- the pkg-config usage when detecting openssl and nss as well.
-
-Daniel Stenberg (11 Jan 2009)
-- Karl Moerder brought the patch that creates vc9 Makefiles, and I made
- 'maketgz' now use the actual makefile targets to do the VC8 and VC9
- makefiles.
-
-Daniel Stenberg (10 Jan 2009)
-- Emil Romanus fixed:
-
- When using the multi interface over HTTP and the server returns a Location
- header, the running easy handle will get stuck in the CURLM_STATE_PERFORM
- state, leaving the external event loop stuck waiting for data from the
- ingoing socket (when using the curl_multi_socket_action stuff). While this
- bug was pretty hard to find, it seems to require only a one-line fix. The
- break statement on line 1374 in multi.c caused the function to skip the call
- to multistate().
-
- How to reproduce this bug? Well, that's another question. evhiperfifo.c in
- the examples directory chokes on this bug only _sometimes_, probably
- depending on how fast the URLs are added. One way of testing the bug out is
- writing to hiper.fifo from more than one source at the same time.
-
-Daniel Fandrich (7 Jan 2009)
-- Unified much of the SessionHandle initialization done in Curl_open() and
- curl_easy_reset() by creating Curl_init_userdefined(). This had the side
- effect of fixing curl_easy_reset() so it now also resets
- CURLOPT_FTP_FILEMETHOD and CURLOPT_SSL_SESSIONID_CACHE
-
-Daniel Stenberg (7 Jan 2009)
-- Rob Crittenden did once again provide an NSS update:
-
- I have to jump through a few hoops now with the NSS library initialization
- since another part of an application may have already initialized NSS by the
- time Curl gets invoked. This patch is more careful to only shutdown the NSS
- library if Curl did the initialization.
-
- It also adds in a bit of code to set the default ciphers if the app that
- call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
- ciphers. One might argue that this lets other application developers get
- lazy and/or they aren't using the NSS API correctly, and you'd be right.
- But still, this will avoid terribly difficult-to-trace crashes and is
- generally helpful.
-
-Daniel Stenberg (1 Jan 2009)
-- 'reconf' is removed since we rather have users use 'buildconf'
-
-Daniel Stenberg (31 Dec 2008)
-- Bas Mevissen reported http://curl.haxx.se/bug/view.cgi?id=2479030 pointing
- out that 'reconf' didn't properly point out the m4 subdirectory when running
- aclocal.
-
-Daniel Stenberg (29 Dec 2008)
- - Phil Lisiecki filed bug report #2413067
- (http://curl.haxx.se/bug/view.cgi?id=2413067) that identified a problem that
- would cause libcurl to mark a DNS cache entry "in use" eternally if the
- subsequence TCP connect failed. It would thus never get pruned and refreshed
- as it should've been.
-
- Phil provided his own patch to this problem that while it seemed to work
- wasn't complete and thus I wrote my own fix to the problem.
-
-Daniel Stenberg (28 Dec 2008)
-- Peter Korsgaard fixed building libcurl with "configure --with-ssl
- --disable-verbose".
-
-- Anthony Bryan fixed more language and spelling flaws in man pages.
-
-Daniel Stenberg (22 Dec 2008)
-- Given a recent enough libssh2, libcurl can now seek/resume with SFTP even
- on file indexes beyond 2 or 4GB.
-
-- Anthony Bryan provided a set of patches that cleaned up manual language,
- corrected spellings and more.
-
-Daniel Stenberg (20 Dec 2008)
-- Igor Novoseltsev fixed a bad situation for the multi_socket() API when doing
- pipelining, as libcurl could then easily get confused and A) work on the
- handle that was not "first in queue" on a pipeline, or even B) tell the app
- to REMOVE a socket while it was in use by a second handle in a pipeline. Both
- errors caused hanging or stalling applications.
-
-Daniel Stenberg (19 Dec 2008)
-- curl_multi_timeout() could return a timeout value of 0 even though nothing
- was actually ready to get done, as the internal time resolution is higher
- than the returned millisecond timer. Therefore it could cause applications
- running on fast processors to do short bursts of busy-loops.
- curl_multi_timeout() will now only return 0 if the timeout is actually
- alreay triggered.
-
-- Using the libssh2 0.19 function libssh2_session_block_directions(), libcurl
- now has an improved ability to do right when the multi interface (both
- "regular" and multi_socket) is used for SCP and SFTP transfers. This should
- result in (much) less busy-loop situations and thus less CPU usage with no
- speed loss.
-
-Daniel Stenberg (17 Dec 2008)
-- SCP and SFTP with the multi interface had the same flaw: the 'DONE'
- operation didn't complete properly if the EAGAIN equivalent was returned but
- libcurl would simply continue with a half-completed close operation
- performed. This ruined persistent connection re-use and cause some
- SSH-protocol errors in general. The correction is unfortunately adding a
- blocking function - doing it entirely non-blocking should be considered for
- a better fix.
-
-Gisle Vanem (16 Dec 2008)
-- Added the possibility to use the Watt-32 tcp/ip stack under Windows.
- The change simply involved adding a USE_WATT32 section in the
- config-win32.h files (under ./lib and ./src). This section disables
- the use of any Winsock headers.
-
-Daniel Stenberg (16 Dec 2008)
-- libssh2_sftp_last_error() was wrongly used at some places in libcurl which
- made libcurl sometimes not properly abort problematic SFTP transfers.
-
-Daniel Stenberg (12 Dec 2008)
-- More work with Igor Novoseltsev to first fix the remaining stuff for
- removing easy handles from multi handles when the easy handle is/was within
- a HTTP pipeline. His bug report #2351653
- (http://curl.haxx.se/bug/view.cgi?id=2351653) was also related and was
- eventually fixed by a patch by Igor himself.
-
-Yang Tse (12 Dec 2008)
-- Patrick Monnerat fixed a build regression, introduced in 7.19.2, affecting
- OS/400 compilations with IPv6 enabled.
-
-Daniel Stenberg (12 Dec 2008)
-- Mark Karpeles filed bug report #2416182 titled "crash in ConnectionExists
- when using duphandle+curl_mutli"
- (http://curl.haxx.se/bug/view.cgi?id=2416182) which showed that
- curl_easy_duphandle() wrongly also copied the pointer to the connection
- cache, which was plain wrong and caused a segfault if the handle would be
- used in a different multi handle than the handle it was duplicated from.
-
-Daniel Stenberg (11 Dec 2008)
-- Keshav Krity found out that libcurl failed to deal with dotted IPv6
- addresses if they were very long (>39 letters) due to a too strict address
- validity parser. It now accepts addresses up to 45 bytes long.
-
-Daniel Stenberg (11 Dec 2008)
-- Internet Explorer had a broken HTTP digest authentication before v7 and
- there are servers "out there" that relies on the client doing this broken
- Digest authentication. Apache even comes with an option to work with such
- broken clients.
-
- The difference is only for URLs that contain a query-part (a '?'-letter and
- text to the right of it).
-
- libcurl now supports this quirk, and you enable it by setting the
- CURLAUTH_DIGEST_IE bit in the bitmask you pass to the CURLOPT_HTTPAUTH or
- CURLOPT_PROXYAUTH options. They are thus individually controlled to server
- and proxy.
-
- (note that there's no way to activate this with the curl tool yet)
-
-Daniel Fandrich (9 Dec 2008)
-- Added test cases 1089 and 1090 to test --write-out after a redirect to
- test a report that the size didn't work, but these test cases pass.
-
-- Documented CURLOPT_CONNECT_ONLY as being useful only on HTTP URLs.
-
-Daniel Stenberg (9 Dec 2008)
-- Ken Hirsch simplified how libcurl does FTPS: now it doesn't assume any
- particular state for the control connection like it did before for implicit
- FTPS (libcurl assumed such control connections to be encrypted while some
- FTPS servers such as FileZilla assumes such connections to be clear
- mode). Use the CURLOPT_USE_SSL option to set your desired level.
-
-Daniel Stenberg (8 Dec 2008)
-- Fred Machado posted about a weird FTP problem on the curl-users list and when
- researching it, it turned out he got a 550 response back from a SIZE command
- and then I fell over the text in RFC3659 that says:
-
- The presence of the 550 error response to a SIZE command MUST NOT be taken
- by the client as an indication that the file cannot be transferred in the
- current MODE and TYPE.
-
- In other words: the change I did on September 30th 2008 and that has been
- included in the last two releases were a regression and a bad idea. We MUST
- NOT take a 550 response from SIZE as a hint that the file doesn't exist.
-
-- Christian Krause filed bug #2221237
- (http://curl.haxx.se/bug/view.cgi?id=2221237) that identified an infinite
- loop during GSS authentication given some specific conditions. With his
- patience and great feedback I managed to narrow down the problem and
- eventually fix it although I can't test any of this myself!
-
-Daniel Fandrich (3 Dec 2008)
-- Fixed the getifaddrs version of Curl_if2ip to work on systems without IPv6
- support (e.g. Minix)
-
-Daniel Stenberg (3 Dec 2008)
-- Igor Novoseltsev filed bug #2351645
- (http://curl.haxx.se/bug/view.cgi?id=2351645) that identified a problem with
- the multi interface that occured if you removed an easy handle while in
- progress and the handle was used in a HTTP pipeline.
-
-- Pawel Kierski pointed out a mistake in the cookie code that could lead to a
- bad fclose() after a fatal error had occured.
- (http://curl.haxx.se/bug/view.cgi?id=2382219)
-
-Daniel Fandrich (25 Nov 2008)
-- If a HTTP request is Basic and num is already >=1000, the HTTP test
- server adds 1 to num to get the data section to return. This allows
- testing authentication negotiations using the Basic authentication
- method.
-
-- Added tests 1087 and 1088 to test Basic authentication on a redirect
- with and without --location-trusted
-
-Daniel Stenberg (24 Nov 2008)
-- Based on a patch by Vlad Grachov, libcurl now uses a new libssh2 0.19
- function when built to support SCP and SFTP that helps the library to know
- in which direction a particular libssh2 operation would return EAGAIN so
- that libcurl knows what socket conditions to wait for before trying the
- function call again. Previously (and still when using libssh2 0.18 or
- earlier), libcurl will busy-loop in this situation when the easy interface
- is used!
-
-Daniel Fandrich (20 Nov 2008)
-- Automatically detect OpenBSD's CA cert bundle.
-
-Daniel Stenberg (19 Nov 2008)
-- I removed the default use of "Pragma: no-cache" from libcurl when a proxy is
- used. It has been used since forever but it was never a good idea to use
- unless explicitly asked for.
-
-- Josef Wolf's extension that allows a $TESTDIR/gdbinit$testnum file that when
- you use runtests.pl -g, will be sourced by gdb to allow additional fancy or
- whatever you see fit
-
-- Christian Krause reported and fixed a memory leak that would occur with HTTP
- GSS/kerberos authentication (http://curl.haxx.se/bug/view.cgi?id=2284386)
-
-- Andreas Wurf and Markus Koetter helped me analyze a problem that Andreas got
- when uploading files to a single FTP server using multiple easy handle
- handles with the multi interface. Occasionally a handle would stall in
- mysterious ways.
-
- The problem turned out to be a side-effect of the ConnectionExists()
- function's eagerness to re-use a handle for HTTP pipelining so it would
- select it even if already being in use, due to an inadequate check for its
- chances of being used for pipelnining.
-
-Daniel Fandrich (17 Nov 2008)
-- Added more compiler warning options for gcc 4.3
-
-Yang Tse (17 Nov 2008)
-- Fix a remaining problem in the inet_pton() runtime configure check. And
- fix internal Curl_inet_pton() failures to reject certain malformed literals.
-
-- Make configure script check if ioctl with the SIOCGIFADDR command can be
- used, and define HAVE_IOCTL_SIOCGIFADDR if appropriate.
-
-Daniel Stenberg (16 Nov 2008)
-- Christian Krause fixed a build failure when building with gss support
- enabled and FTP disabled.
-
-- Added check for NULL returns from strdup() in src/main.c and lib/formdata.c
- - reported by Jim Meyering also prevent buffer overflow on MSDOS when you do
- for example -O on a url with a file name part longer than PATH_MAX letters
-
-- lib/nss.c fixes based on the report by Jim Meyering: I went over and added
- checks for return codes for all calls to malloc and strdup that were
- missing. I also changed a few malloc(13) to use arrays on the stack and a
- few malloc(PATH_MAX) to instead use aprintf() to lower memory use.
-
-- I fixed a memory leak in Curl_nss_connect() when CURLOPT_ISSUERCERT is
- in use.
-
-Daniel Fandrich (14 Nov 2008)
-- Added .xml as one of the few common file extensions known by the multipart
- form generator.
-
-- Added some #ifdefs around header files and change the EAGAIN test to
- fix compilation on Cell (reported by Jeff Curley).
-
-Yang Tse (14 Nov 2008)
-- Fixed several configure script issues affecting checks for inet_ntoa_r(),
- inet_ntop(), inet_pton(), getifaddrs(), fcntl() and getaddrinfo().
-
-Yang Tse (13 Nov 2008)
-- Refactored configure script detection of functions used to set sockets into
- non-blocking mode, and decouple function detection from function capability.
+ libressl: OCSP and intermediate certs workaround no longer needed
+
+ lib/vtls/openssl.c has a workaround for a bug with OCSP responses signed
+ by intermediate certs, this was fixed in LibreSSL in
+ https://github.com/libressl-portable/openbsd/commit/912c64f68f7ac4f225b7d1fdc8fbd43168912ba0
+
+ Bug: https://curl.haxx.se/mail/lib-2017-06/0038.html
+
+- url: fix buffer overwrite with file protocol (CVE-2017-9502)
+
+ Bug: https://github.com/curl/curl/issues/1540
+ Advisory: https://curl.haxx.se/docs/adv_20170614.html
+
+ Assisted-by: Ray Satiro
+ Reported-by: Marcel Raad
+
+- urlglob: fix division by zero
+
+ The multiply() function that is used to avoid integer overflows, was
+ itself reason for a possible division by zero error when passed a
+ specially formatted glob.
+
+ Reported-by: GwanYeong Kim
+
+- configure: update the copyright year in the output
+
+- [ygrek brought this change]
+
+ BINDINGS: update SP-Forth and OCaml urls
+
+Michael Kaufmann (11 Jun 2017)
+- FindWin32CACert: Use a temporary buffer on the stack
+
+ Don't malloc() the temporary buffer, and use the correct type:
+ SearchPath() works with TCHAR, but SearchPathA() works with char.
+ Set the buffer size to MAX_PATH, because the terminating null byte
+ is already included in MAX_PATH.
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Marcel Raad
+
+ Closes #1548
+
+Dan Fandrich (11 Jun 2017)
+- test1521: fixed OOM handling
+
+Daniel Stenberg (9 Jun 2017)
+- RELEASE-PROCEDURE: updated future release dates
+
+- [Paul Harris brought this change]
+
+ gitignore: ignore all vim swap files
+
+ Closes #1561
+
+- lib1521: fix compiler warnings on the use of bad 'long' values
+
+ Reported-by: Marcel Raad
+ Bug: https://github.com/curl/curl/commit/cccac4fb2b20d6ed87da7978408c3ecacc464fe4#commitcomment-22453387
+
+- setopt: check CURLOPT_ADDRESS_SCOPE option range
+
+ ... and return error instead of triggering an assert() when being way
+ out of range.
+
+Jay Satiro (8 Jun 2017)
+- [TheAssassin brought this change]
+
+ cmake: Fix inconsistency regarding mbed TLS include directory
+
+ Previously, one had to set MBEDTLS_INCLUDE_DIR to make CMake find the
+ headers, but the system complained that mbed TLS wasn't found due to
+ MBEDTLS_INCLUDE_DIRS (note the trailing s) was not set. This commit
+ attempts to fix that.
+
+ Closes https://github.com/curl/curl/pull/1541
+
+Daniel Stenberg (8 Jun 2017)
+- [Ryuichi KAWAMATA brought this change]
+
+ examples/multi-uv.c: fix deprecated symbol
+
+ Closes #1557
+
+- asyn-ares: s/Curl_expire_latest/Curl_expire
+
+- expire: remove Curl_expire_latest()
+
+ With the introduction of expire IDs and the fact that existing timers
+ can be removed now and thus never expire, the concept with adding a
+ "latest" timer is not working anymore as it risks to not expire at all.
+
+ So, to be certain the timers actually are in line and will expire, the
+ plain Curl_expire() needs to be used. The _latest() function was added
+ as a sort of shortcut in the past that's quite simply not necessary
+ anymore.
+
+ Follow-up to 31b39c40cf90
+
+ Reported-by: Paul Harris
+
+ Closes #1555
+
+- [Chris Carlmar brought this change]
+
+ configure: fix link with librtmp when specifying path
+
+ Bug: https://curl.haxx.se/mail/lib-2017-06/0017.html
+
+- file: make speedcheck use current time for checks
+
+ ... as it would previously just get the "now" timestamp before the
+ transfer starts and then not update it again.
+
+ Closes #1550
+
+- metalink: remove unused printf() argument
+
+- travis: let some builds *not* use --enable-debug
+
+ typecheck-gcc and other things require optimized builds
+
+ Closes #1544
+
+- README.md: show the coverall coverage on github
+
+- lib1521: fix compiler warnings
+
+- test1521: make the code < 80 columns wide
+
+- test1121: use stricter types to work with typcheck-gcc
+
+- typecheck-gcc: allow CURLOPT_STDERR to be NULL too
+
+- test1521: test *all* curl_easy_setopt options
+
+ mk-lib1521.pl generates a test program (lib1521.c) that calls
+ curl_easy_setopt() for every known option with a few typical values to
+ make sure they work (ignoring the return codes).
+
+ Some small changes were necessary to avoid asserts and NULL accesses
+ when doing this.
+
+ The perl script needs to be manually rerun when we add new options.
+
+ Closes #1543
+
+Dan Fandrich (5 Jun 2017)
+- test1538: added "verbose logs" keyword
+
+ These error messages are not displayed with --disable-verbose
+
+Daniel Stenberg (5 Jun 2017)
+- test1262: verify ftp download with -z for "if older than this"
+
+Marcel Raad (5 Jun 2017)
+- curl_ntlm_core: use Curl_raw_toupper instead of toupper
+
+ This was the only remaining use of toupper in the entire source code.
+
+ Suggested-by: Daniel Stenberg
+Daniel Stenberg (4 Jun 2017)
+- RELEASE-NOTES: synced with 65ba92650
projects / platform / upstream / curl.git / blobdiff