diff options
| author | dartraiden <wowemuh@gmail.com> | 2022-12-22 16:31:20 +0300 |
|---|---|---|
| committer | dartraiden <wowemuh@gmail.com> | 2022-12-22 16:31:20 +0300 |
| commit | 47b6881fe726c904f87aa4be059b730ef77954d0 (patch) | |
| tree | aa72b213043d3b514c883bc59a0fa0c434106156 /libs/libcurl/docs/CHANGES | |
| parent | 8fbc9220b7f3d3a04bbe45d32489ef882821558e (diff) | |
libcurl: update to 7.87.0
Diffstat (limited to 'libs/libcurl/docs/CHANGES')
| -rw-r--r-- | libs/libcurl/docs/CHANGES | 18739 |
1 files changed, 9874 insertions, 8865 deletions
diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES index d48ababb4f..c5152c1398 100644 --- a/libs/libcurl/docs/CHANGES +++ b/libs/libcurl/docs/CHANGES @@ -1,8865 +1,9874 @@ - _ _ ____ _ - ___| | | | _ \| | - / __| | | | |_) | | - | (__| |_| | _ <| |___ - \___|\___/|_| \_\_____| - - Changelog - -Version 7.86.0 (26 Oct 2022) - -Daniel Stenberg (26 Oct 2022) -- RELEASE: synced - - The 7.86.0 release - -- THANKS: added from the 7.86.0 release - -Viktor Szakats (25 Oct 2022) -- noproxy: include netinet/in.h for htonl() - - Solve the Amiga build warning by including `netinet/in.h`. - - `krb5.c` and `socketpair.c` are using `htonl()` too. This header is - already included in those sources. - - Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309 - - Reviewed-by: Daniel Stenberg - Closes #9787 - -Marc Hoersken (24 Oct 2022) -- CI: fix AppVeyor status failing for starting jobs - -Daniel Stenberg (24 Oct 2022) -- test445: verifies the protocols-over-http-proxy flaw and fix - -- http_proxy: restore the protocol pointer on error - - Reported-by: Trail of Bits - - Closes #9790 - -- multi: remove duplicate include of connect.h - - Reported-by: Martin Strunz - Fixes #9794 - Closes #9795 - -Daniel Gustafsson (24 Oct 2022) -- idn: fix typo in test description - - s/enabked/enabled/i - -Daniel Stenberg (24 Oct 2022) -- url: use IDN decoded names for HSTS checks - - Reported-by: Hiroki Kurosawa - - Closes #9791 - -- unit1614: fix disabled-proxy build - - Follow-up to 1e9a538e05c01 - - Closes #9792 - -Daniel Gustafsson (24 Oct 2022) -- cookies: optimize control character check - - When checking for invalid octets the strcspn() call will return the - position of the first found invalid char or the first NULL byte. - This means that we can check the indicated position in the search- - string saving a strlen() call. - - Closes: #9736 - Reviewed-by: Jay Satiro <raysatiro@yahoo.com> - -Daniel Stenberg (24 Oct 2022) -- netrc: replace fgets with Curl_get_line - - Make the parser only accept complete lines and avoid problems with - overly long lines. - - Reported-by: Hiroki Kurosawa - - Closes #9789 - -- RELEASE-NOTES: add "Planned upcoming removals include" - - URL: https://curl.se/mail/archive-2022-10/0001.html - - Suggested-by: Dan Fandrich - -Viktor Szakats (23 Oct 2022) -- ci: bump to gcc-11 for macos - - Ref: https://github.blog/changelog/2022-10-03-github-actions-jobs-running-on-macos-latest-are-now-running-on-macos-12/ - Ref: https://github.com/actions/runner-images/blob/main/images/macos/macos-12-Readme.md - - Reviewed-by: Max Dymond - Closes #9785 - -- Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [ci skip] - - - Reintroduce `CROSSPREFIX`: - - If set, we add it to the `CC` and `AR` values, and to the _default_ - value of `RC`, which is `windres`. This allows to control each of - these individidually, while also allowing to simplify configuration - via `CROSSPREFIX`. - - This variable worked differently earlier. Hopefully this new solution - hits a better compromise in usefulness/complexity/flexibility. - - Follow-up to: aa970c4c08775afcd0c2853be89b0a6f02582d50 - - - Enable warnings again: - - This time with an option to override it via `CFLAGS`. Warnings are - also enabled by default in CMake, `makefile.dj` and `makefile.amiga` - builds (not in autotools though). - - Follow-up to 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3 - - Closes #9784 - -- noproxy: silence unused variable warnings with no ipv6 - - Follow-up to 36474f1050c7f4117e3c8de6cc9217cfebfc717d - - Reviewed-by: Daniel Stenberg - Closes #9782 - -Daniel Stenberg (22 Oct 2022) -- test644: verify --xattr (with redirect) - -- tool_xattr: save the original URL, not the final redirected one - - Adjusted test 1621 accordingly. - - Reported-by: Viktor Szakats - Fixes #9766 - Closes #9768 - -- docs: make sure libcurl opts examples pass in long arguments - - Reported-by: Sergey - Fixes #9779 - Closes #9780 - -Marc Hoersken (21 Oct 2022) -- CI: fix AppVeyor job links only working for most recent build - - Ref: https://github.com/curl/curl/pull/9768#issuecomment-1286675916 - Reported-by: Daniel Stenberg - - Follow up to #9769 - -Viktor Szakats (21 Oct 2022) -- noproxy: fix builds without AF_INET6 - - Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309 - - Reviewed-by: Daniel Stenberg - - Closes #9778 - -Daniel Stenberg (21 Oct 2022) -- noproxy: support proxies specified using cidr notation - - For both IPv4 and IPv6 addresses. Now also checks IPv6 addresses "correctly" - and not with string comparisons. - - Split out the noproxy checks and functionality into noproxy.c - - Added unit test 1614 to verify checking functions. - - Reported-by: Mathieu Carbonneaux - - Fixes #9773 - Fixes #5745 - Closes #9775 - -- urlapi: remove two variable assigns - - To please scan-build: - - urlapi.c:1163:9: warning: Value stored to 'qlen' is never read - qlen = Curl_dyn_len(&enc); - ^ ~~~~~~~~~~~~~~~~~~ - urlapi.c:1164:9: warning: Value stored to 'query' is never read - query = u->query = Curl_dyn_ptr(&enc); - ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Follow-up to 7d6cf06f571d57 - - Closes #9777 - -- [Jeremy Maitin-Shepard brought this change] - - cmake: improve usability of CMake build as a sub-project - - - Renames `uninstall` -> `curl_uninstall` - - Ensures all export rules are guarded by CURL_ENABLE_EXPORT_TARGET - - Closes #9638 - -- [Don J Olmstead brought this change] - - easy_lock: check for HAVE_STDATOMIC_H as well - - The check for `HAVE_STDATOMIC_H` looks to see if the `stdatomic.h` - header is present. - - Closes #9755 - -- RELEASE-NOTES: synced - -- [Brad Harder brought this change] - - CURLMOPT_PIPELINING.3: dedup manpage xref - - Closes #9776 - -Marc Hoersken (20 Oct 2022) -- CI: report AppVeyor build status for each job - - Also give each job on AppVeyor CI a human-readable name. - - This aims to make job and therefore build failures more visible. - - Reviewed-by: Marcel Raad - Closes #9769 - -Viktor Szakats (20 Oct 2022) -- amiga: set SIZEOF_CURL_OFF_T=8 by default [ci skip] - - Reviewed-by: Daniel Stenberg - - Closes #9771 - -- connect: fix builds without AF_INET6 - - Regression from 2b309560c1e5d6ed5c0e542e6fdffa968b0521c9 - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - - Closes #9770 - -Daniel Stenberg (20 Oct 2022) -- test1105: adjust <data> to work with a hyper build - - Closes #9767 - -- urlapi: fix parsing URL without slash with CURLU_URLENCODE - - When CURLU_URLENCODE is set, the parser would mistreat the path - component if the URL was specified without a slash like in - http://local.test:80?-123 - - Extended test 1560 to reproduce and verify the fix. - - Reported-by: Trail of Bits - - Closes #9763 - -Marc Hoersken (19 Oct 2022) -- tests: avoid CreateThread if _beginthreadex is available - - CreateThread is not threadsafe if mixed with CRT calls. - _beginthreadex on the other hand can be mixed with CRT. - - Reviewed-by: Marcel Raad - Closes #9705 - -Jay Satiro (19 Oct 2022) -- [Joel Depooter brought this change] - - schannel: Don't reset recv/send function pointers on renegotiation - - These function pointers will have been set when the initial TLS - handshake was completed. If they are unchanged, there is no need to set - them again. If they have been changed, as is the case with HTTP/2, we - don't want to override that change. That would result in the - http22_recv/send functions being completely bypassed. - - Prior to this change a connection that uses Schannel with HTTP/2 would - fail on renegotiation with error "Received HTTP/0.9 when not allowed". - - Fixes https://github.com/curl/curl/issues/9451 - Closes https://github.com/curl/curl/pull/9756 - -Viktor Szakats (18 Oct 2022) -- hostip: guard PF_INET6 use - - Some platforms (e.g. Amiga OS) do not have `PF_INET6`. Adjust the code - for these. - - ``` - hostip.c: In function 'fetch_addr': - hostip.c:308:12: error: 'PF_INET6' undeclared (first use in this function) - pf = PF_INET6; - ^~~~~~~~ - ``` - - Regression from 1902e8fc511078fb5e26fc2b907b4cce77e1240d - - Reviewed-by: Daniel Stenberg - - Closes #9760 - -- amiga: do not hardcode openssl/zlib into the os config [ci skip] - - Enable them in `lib/makefile.amiga` and `src/makefile.amiga` instead. - - This allows builds without openssl and/or zlib. E.g. with the - <https://github.com/bebbo/amiga-gcc> cross-compiler. - - Reviewed-by: Daniel Stenberg - - Closes #9762 - -- amigaos: add missing curl header [ci skip] - - Without it, `CURLcode` and `CURLE_*` are undefined. `lib/hostip.h` and - conditional local code need them. - - Reviewed-by: Daniel Stenberg - - Closes #9761 - -Daniel Stenberg (18 Oct 2022) -- cmdline/docs: add a required 'multi' keyword for each option - - The keyword specifies how option works when specified multiple times: - - - single: the last provided value replaces the earlier ones - - append: it supports being provided multiple times - - boolean: on/off values - - mutex: flag-like option that disable anoter flag - - The 'gen.pl' script then outputs the proper and unified language for - each option's multi-use behavior in the generated man page. - - The multi: header is requires in each .d file and will cause build error - if missing or set to an unknown value. - - Closes #9759 - -- CURLOPT_AUTOREFERER.3: highlight the privacy leak risk - - Closes #9757 - -- mprintf: reject two kinds of precision for the same argument - - An input like "%.*1$.9999d" would first use the precision taken as an - argument *and* then the precision specified in the string, which is - confusing and wrong. pass1 will now instead return error on this double - use. - - Adjusted unit test 1398 to verify - - Reported-by: Peter Goodman - - Closes #9754 - -- ftp: remove redundant if - - Reported-by: Trail of Bits - - Closes #9753 - -- tool_operate: more transfer cleanup after parallel transfer fail - - In some circumstances when doing parallel transfers, the - single_transfer_cleanup() would not be called and then 'inglob' could - leak. - - Test 496 verifies - - Reported-by: Trail of Bits - Closes #9749 - -- mqtt: spell out CONNECT in comments - - Instead of calling it 'CONN' in several comments, use the full and - correct protocol packet name. - - Suggested by Trail of Bits - - Closes #9751 - -- CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST - - Not the deprecated CURLOPT_HTTPPOST option. - - Also added two see-alsos. - - Reported-by: Trail of Bits - Closes #9752 - -- RELEASE-NOTES: synced - -Jay Satiro (17 Oct 2022) -- ngtcp2: Fix build errors due to changes in ngtcp2 library - - ngtcp2/ngtcp2@b0d86f60 changed: - - - ngtcp2_conn_get_max_udp_payload_size => - ngtcp2_conn_get_max_tx_udp_payload_size - - - ngtcp2_conn_get_path_max_udp_payload_size => - ngtcp2_conn_get_path_max_tx_udp_payload_size - - ngtcp2/ngtcp2@ec59b873 changed: - - - 'early_data_rejected' member added to ng_callbacks. - - Assisted-by: Daniel Stenberg - Reported-by: jurisuk@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/9747 - Closes https://github.com/curl/curl/pull/9748 - -Daniel Stenberg (16 Oct 2022) -- curl_path: return error if given a NULL homedir - - Closes #9740 - -- libssh: if sftp_init fails, don't get the sftp error code - - This flow extracted the wrong code (sftp code instead of ssh code), and - the code is sometimes (erroneously) returned as zero anyway, so skip - getting it and set a generic error. - - Reported-by: David McLaughlin - Fixes #9737 - Closes #9740 - -- mqtt: return error for too long topic - - Closes #9744 - -- [Rickard Hallerbäck brought this change] - - tool_paramhlp: make the max argument a 'double' - - To fix compiler warnings "Implicit conversion from 'long' to 'double' - may lose precision" - - Closes #9700 - -Marc Hoersken (15 Oct 2022) -- [Philip Heiduck brought this change] - - cirrus-ci: add more macOS builds with m1 based on x86_64 builds - - Also refactor macOS builds to use task matrix. - - Assisted-by: Marc Hörsken - Closes #9565 - -Viktor Szakats (14 Oct 2022) -- cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows - - `lib/config-win32.h` enables this configuration option unconditionally. - Make it apply to CMake builds as well. - - While here, delete a broken check for - `HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID` from `CMakeLists.txt`. This came with - the initial commit [1], but did not include the actual verification code - inside `CMake/CurlTests.c`, so it always failed. A later commit [2] - added a second test, for non-Windows platforms. - - Enabling this flag causes test 1056 to fail with CMake builds, as they - do with autotools builds. Let's apply the same solution and ignore the - results here as well. - - [1] 4c5307b45655ba75ab066564afdc0c111a8b9291 - [2] aec7c5a87c8482b6ddffa352d7d220698652262e - - Reviewed-by: Daniel Stenberg - Assisted-by: Marcel Raad - - Closes #9726 - -- cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows - - autotools enables this configuration option unconditionally for Windows - [^1]. Do the same in CMake. - - The above will make this work for all reasonably recent environments. - The logic present in `lib/config-win32.h` [^2] has the following - exceptions which we did not cover in this CMake update: - - - Builds targeting Windows 2000 and earlier - - MS Visual C++ 5.0 (1997) and earlier - - Also make sure to disable this feature when `HAVE_GETADDRINFO` isn't - set, to avoid a broken build. We might want to handle that in the C - sources in a future commit. - - [^1]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/m4/curl-functions.m4#L2067-L2070 - - [^2]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/lib/config-win32.h#L511-L528 - - Closes #9727 - -- cmake: sync HAVE_SIGNAL detection with autotools - - `HAVE_SIGNAL` means the availability of the `signal()` function in - autotools, while in CMake it meant the availability of that function - _and_ the symbol `SIGALRM`. - - The latter is not available on Windows, but the function is, which means - on Windows, autotools did define `HAVE_SIGNAL`, but CMake did not, - introducing a slight difference into the binaries. - - This patch syncs CMake behaviour with autotools to look for the function - only. - - The logic came with the initial commit adding CMake support to curl, so - the commit history doesn't reveal the reason behind it. In any case, - it's best to check the existence of `SIGALRM` directly in the source - before use. For now, curl builds fine with `HAVE_SIGNAL` enabled and - `SIGALRM` missing. - - Follow-up to 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6 - - Closes #9725 - -- cmake: delete duplicate HAVE_GETADDRINFO test - - A custom `HAVE_GETADDRINFO` check came with the initial CMake commit - [1]. A later commit [2] added a standard check for it as well. The - standard check run before the custom one, so CMake ignored the latter. - - The custom check was also non-portable, so this patch deletes it in - favor of the standard check. - - [1] 4c5307b45655ba75ab066564afdc0c111a8b9291 - [2] aec7c5a87c8482b6ddffa352d7d220698652262e - - Closes #9731 - -Daniel Stenberg (14 Oct 2022) -- tool_formparse: unroll the NULL_CHECK and CONST_FREE macros - - To make the code read more obvious - - Assisted-by: Jay Satiro - - Closes #9710 - -- [Christopher Sauer brought this change] - - docs/INSTALL: update Android Instructions for newer NDKs - - Closes #9732 - -- markdown-uppercase: ignore quoted sections - - Sections within the markdown ~~~ or ``` are now ignored. - - Closes #9733 - -- RELEASE-NOTES: synced - -- test8: update as cookies no longer can have "embedded" TABs in content - -- test1105: extend to verify TAB in name/content discarding cookies - -- cookie: reject cookie names or content with TAB characters - - TABs in name and content seem allowed by RFC 6265: "the algorithm strips - leading and trailing whitespace from the cookie name and value (but - maintains internal whitespace)" - - Cookies with TABs in the names are rejected by Firefox and Chrome. - - TABs in content are stripped out by Firefox, while Chrome discards the - whole cookie. - - TABs in cookies also cause issues in saved netscape cookie files. - - Reported-by: Trail of Bits - - URL: https://curl.se/mail/lib-2022-10/0032.html - URL: https://github.com/httpwg/http-extensions/issues/2262 - - Closes #9659 - -- curl/add_parallel_transfers: better error handling - - 1 - consider the transfer handled at once when in the function, to avoid - the same list entry to get added more than once in rare error - situations - - 2 - set the ERRORBUFFER for the handle first after it has been added - successfully - - Reported-by: Trail of Bits - - Closes #9729 - -- netrc: remove the two 'changed' arguments - - As no user of these functions used the returned content. - -- test495: verify URL encoded user name + netrc-optional - - Reproduced issue #9709 - -- netrc: use the URL-decoded user - - When the user name is provided in the URL it is URL encoded there, but - when used for authentication the encoded version should be used. - - Regression introduced after 7.83.0 - - Reported-by: Jonas Haag - Fixes #9709 - Closes #9715 - -- [Shaun Mirani brought this change] - - url: allow non-HTTPS HSTS-matching for debug builds - - Closes #9728 - -- test1275: remove the check of stderr - - To avoid the mysterious test failures on Windows, instead rely on the - error code returned on failure. - - Fixes #9716 - Closes #9723 - -Viktor Szakats (13 Oct 2022) -- lib: set more flags in config-win32.h - - The goal is to add any flag that affect the created binary, to get in - sync with the ones built with CMake and autotools. - - I took these flags from curl-for-win [0], where they've been tested with - mingw-w64 and proven to work well. - - This patch brings them to curl as follows: - - - Enable unconditionally those force-enabled via - `CMake/WindowsCache.cmake`: - - - `HAVE_SETJMP_H` - - `HAVE_STRING_H` - - `HAVE_SIGNAL` (CMake equivalent is `HAVE_SIGNAL_FUNC`) - - - Expand existing guards with mingw-w64: - - - `HAVE_STDBOOL_H` - - `HAVE_BOOL_T` - - - Enable Win32 API functions for Windows Vista and later: - - - `HAVE_INET_NTOP` - - `HAVE_INET_PTON` - - - Set sizes, if not already set: - - - `SIZEOF_OFF_T = 8` - - `_FILE_OFFSET_BITS = 64` when `USE_WIN32_LARGE_FILES` is set, - and using mingw-w64. - - - Add the remaining for mingw-w64 only. Feel free to expand as desired: - - - `HAVE_LIBGEN_H` - - `HAVE_FTRUNCATE` - - `HAVE_BASENAME` - - `HAVE_STRTOK_R` - - Future TODO: - - - `HAVE_SIGNAL` has a different meaning in CMake. It's enabled when both - the `signal()` function and the `SIGALRM` macro are found. In - autotools and this header, it means the function only. For the - function alone, CMake uses `HAVE_SIGNAL_FUNC`. - - [0] https://github.com/curl/curl-for-win/blob/c9b9a5f273c94c73d2b565ee892c4dff0ca97a8c/curl-m32.sh#L53-L58 - - Reviewed-by: Daniel Stenberg - - Closes #9712 - -Daniel Stenberg (13 Oct 2022) -- tests: add tests/markdown-uppercase.pl to dist tarball - - Follow-up to aafb06c5928183d - - Closes #9722 - -- tool_paramhelp: asserts verify maximum sizes for string loading - - The two defines MAX_FILE2MEMORY and MAX_FILE2STRING define the largest - strings accepted when loading files into memory, but as the size is - later used as input to functions that take the size as 'int' as - argument, the sizes must not be larger than INT_MAX. - - These two new assert()s make the code error out if someone would bump - the sizes without this consideration. - - Reported-by Trail of Bits - - Closes #9719 - -- http: try parsing Retry-After: as a number first - - Since the date parser allows YYYYMMDD as a date format (due to it being - a bit too generic for parsing this particular header), a large integer - number could wrongly match that pattern and cause the parser to generate - a wrong value. - - No date format accepted for this header starts with a decimal number, so - by reversing the check and trying a number first we can deduct that if - that works, it was not a date. - - Reported-by Trail of Bits - - Closes #9718 - -- [Patrick Monnerat brought this change] - - doc: fix deprecation versions inconsistencies - - Ref: https://curl.se/mail/lib-2022-10/0026.html - - Closes #9711 - -- http_aws_sigv4: fix strlen() check - - The check was off-by-one leading to buffer overflow. - - Follow-up to 29c4aa00a16872 - - Detected by OSS-Fuzz - - Closes #9714 - -- curl/main_checkfds: check the fcntl return code better - - fcntl() can (in theory) return a non-zero number for success, so a - better test for error is checking for -1 explicitly. - - Follow-up to 41e1b30ea1b77e9ff - - Mentioned-by: Dominik Klemba - - Closes #9708 - -Viktor Szakats (12 Oct 2022) -- tidy-up: delete unused HAVE_STRUCT_POLLFD - - It was only defined in `lib/config-win32.h`, when building for Vista. - - It was only used in `select.h`, in a condition that also included a - check for `POLLIN` which is a superior choice for this detection and - which was already used by cmake and autotools builds. - - Delete both instances of this macro. - - Closes #9707 - -Daniel Stenberg (12 Oct 2022) -- test1275: verify upercase after period in markdown - - Script based on the #9474 pull-request logic, but implemented in perl. - - Updated docs/URL-SYNTAX.md accordingly. - - Suggested-by: Dan Fandrich - - Closes #9697 - -- [12932 brought this change] - - misc: nitpick grammar in comments/docs - - because the 'u' in URL is actually a consonant *sound* it is only - correct to write "a URL" - - sorry this is a bit nitpicky :P - - https://english.stackexchange.com/questions/152/when-should-i-use-a-vs-an - https://www.techtarget.com/whatis/feature/Which-is-correct-a-URL-or-an-URL - - Closes #9699 - -Viktor Szakats (11 Oct 2022) -- Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [ci skip] - - This patch aimed to fix a regression [0], where `CC` initialization - moved beyond its first use. But, on closer inspection it turned out that - the `CC` initialization does not work as expected due to GNU Make - filling it with `cc` by default. So unless implicit values were - explicitly disabled via a GNU Make option, the default value of - `$CROSSPREFIX` + `gcc` was never used. At the same time the implicit - value `cc` maps to `gcc` in (most/all?) MinGW envs. - - `AR` has the same issue, with a default value of `ar`. - - We could reintroduce a separate variable to fix this without ill - effects, but for simplicity and flexibility, it seems better to drop - support for `CROSSPREFIX`, along with our own `CC`/`AR` init logic, and - require the caller to initialize `CC`, `AR` and `RC` to the full - (prefixed if necessary) names of these tools, as desired. - - We keep `RC ?= windres` because `RC` is empty by default. - - Also fix grammar in a comment. - - [0] 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3 - - Closes #9698 - -- smb: replace CURL_WIN32 with WIN32 - - PR #9255 aimed to fix a Cygwin/MSYS issue (#8220). It used the - `CURL_WIN32` macro, but that one is not defined here, while compiling - curl itself. This patch changes this to `WIN32`, assuming this was the - original intent. - - Regression from 1c52e8a3795ccdf8ec9c308f4f8f19cf10ea1f1a - - Reviewed-by: Marcel Raad - - Closes #9701 - -Daniel Stenberg (11 Oct 2022) -- [Matthias Gatto brought this change] - - aws_sigv4: fix header computation - - Handle canonical headers and signed headers creation as explained here: - https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html - - The algo tells that signed and canonical must contain at last host and - x-amz-date. - - So we check whatever thoses are present in the curl http headers list. - If they are, we use the one enter by curl user, otherwise we generate - them. then we to lower, and remove space from each http headers plus - host and x-amz-date, then sort them all by alphabetical order. - - This patch also fix a bug with host header, which was ignoring the port. - - Closes #7966 - -Jay Satiro (11 Oct 2022) -- [Aftab Alam brought this change] - - README.md: link the curl logo to the website - - - Link the curl:// image to https://curl.se/ - - Closes https://github.com/curl/curl/pull/9675 - -- [Dustin Howett brought this change] - - schannel: when importing PFX, disable key persistence - - By default, the PFXImportCertStore API persists the key in the user's - key store (as though the certificate was being imported for permanent, - ongoing use.) - - The documentation specifies that keys that are not to be persisted - should be imported with the flag PKCS12_NO_PERSIST_KEY. - NOTE: this flag is only supported on versions of Windows newer than XP - and Server 2003. - - -- - - This is take 2 of the original fix. It extends the lifetime of the - client certificate store to that of the credential handle. The original - fix which landed in 70d010d and was later reverted in aec8d30 failed to - work properly because it did not do that. - - Minor changes were made to the schannel credential context to support - closing the client certificate store handle at the end of an SSL session. - - -- - - Reported-by: ShadowZzj@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/9300 - Supersedes https://github.com/curl/curl/pull/9363 - Closes https://github.com/curl/curl/pull/9460 - -Viktor Szakats (11 Oct 2022) -- Makefile.m32: support more options [ci skip] - - - Add support for these options: - `-wolfssl`, `-wolfssh`, `-mbedtls`, `-libssh`, `-psl` - - Caveats: - - `-wolfssh` requires `-wolfssl`. - - `-wolfssl` cannot be used with OpenSSL backends in parallel. - - `-libssh` has build issues with BoringSSL and LibreSSL, and also - what looks like a world-writable-config vulnerability on Windows. - Consider it experimental. - - `-psl` requires `-idn2` and extra libs passed via - `LIBS=-liconv -lunistring`. - - - Detect BoringSSL/wolfSSL and set ngtcp2 crypto lib accordingly. - - Generalize MultiSSL detection. - - Use else-if syntax. Requires GNU Make 3.81 (2006-04-01). - - Document more customization options. - - This brings over some configuration logic from `curl-for-win`. - - Closes #9680 - -- cmake: enable more detection on Windows - - Enable `HAVE_UNISTD_H`, `HAVE_STRTOK_R` and `HAVE_STRCASECMP` detection - on Windows, instead of having predefined values. - - With these features detected correctly, CMake Windows builds get closer - to the autotools and `config-win32.h` ones. - - This also fixes detecting `HAVE_FTRUNCATE` correctly, which required - `unistd.h`. - - Fixing `ftruncate()` in turn causes a build warning/error with legacy - MinGW/MSYS1 due to an offset type size mismatch. This env misses to - detect `HAVE_FILE_OFFSET_BITS`, which may be a reason. This patch - force-disables `HAVE_FTRUNCATE` for this platform. - - Reviewed-by: Daniel Stenberg - - Closes #9687 - -- autotools: allow unix sockets on Windows - - Fixes: https://github.com/curl/curl-for-win/blob/73a070d96fd906fdee929e2f1f00a9149fb39239/curl-autotools.sh#L44-L47 - - On Windows this feature is present, but not the header used in the - detection logic. It also requires an elaborate enabler logic - (as seen in `lib/curl_setup.h`). Let's always allow it and let the - lib code deal with the details. - - Closes #9688 - -- cmake: add missing inet_ntop check - - This adds the missing half of the check, next to the other half - already present in `lib/curl_config.h.cmake`. - - Force disable `HAVE_INET_NTOP` for old MSVC where it caused compiler - warnings. - - Reviewed-by: Daniel Stenberg - - Closes #9689 - -Daniel Stenberg (11 Oct 2022) -- RELEASE-NOTES: synced - -- [bsergean on github brought this change] - - asyn-ares: set hint flags when calling ares_getaddrinfo - - The hint flag is ARES_AI_NUMERICSERV, and it will save a call to - getservbyname or getservbyname_r to set it. - - Closes #9694 - -- header.d: add category smtp and imap - - They were previously (erroneously) added manually to tool_listhelp.c - which would make them get removed again when the file is updated next - time, unless added correctly here in header.d - - Follow-up to 2437fac01 - - Closes #9690 - -- curl/get_url_file_name: use libcurl URL parser - - To avoid URL tricks, use the URL parser for this. - - This update changes curl's behavior slightly in that it will ignore the - possible query part from the URL and only use the file name from the - actual path from the URL. I consider it a bugfix. - - "curl -O localhost/name?giveme-giveme" will now save the output in the - local file named 'name' - - Updated test 1210 to verify - - Assisted-by: Jay Satiro - - Closes #9684 - -- [Martin Ågren brought this change] - - docs: fix grammar around needing pass phrase - - "You never needed a pass phrase" reads like it's about to be followed by - something like "until version so-and-so", but that is not what is - intended. Change to "You never need a pass phrase". There are two - instances of this text, so make sure to update both. - -- [Xiang Xiao brought this change] - - cmake: add the check of HAVE_SOCKETPAIR - - which is used by Curl_socketpair - - Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com> - - Closes #9686 - -- curl/add_file_name_to_url: use the libcurl URL parser - - instead of the custom error-prone parser, to extract and update the path - of the given URL - - Closes #9683 - -- single_transfer: use the libcurl URL parser when appending query parts - - Instead of doing "manual" error-prone parsing in another place. - - Used when --data contents is added to the URL query when -G is provided. - - Closes #9681 - -- ws: fix buffer pointer use in the callback loop - - Closes #9678 - -- [Petr Štetiar brought this change] - - curl-wolfssl.m4: error out if wolfSSL is not usable - - When I explicitly declare, that I would like to have curl built with - wolfSSL support using `--with-wolfssl` configure option, then I would - expect, that either I endup with curl having that support, for example - in form of https support or it wouldn't be available at all. - - Downstream projects like for example OpenWrt build curl wolfSSL variant - with `--with-wolfssl` already, but in certain corner cases it does fail: - - configure:25299: checking for wolfSSL_Init in -lwolfssl - configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip] - In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.h:33, - from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_public.h:35, - from target-x86_64_musl/usr/include/wolfssl/ssl.h:35, - from conftest.c:47: - target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal error: wolfssl/wolfcrypt/sp_int.h: No such file or directory - #include <wolfssl/wolfcrypt/sp_int.h> - ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ - compilation terminated. - - and in the end thus produces curl without https support: - - curl: (1) Protocol "https" not supported or disabled in libcurl - - So fix it, by making the working wolfSSL mandatory and error out in - configure step when that's not the case: - - checking for wolfSSL_Init in -lwolfssl... no - configure: error: --with-wolfssl but wolfSSL was not found or doesn't work - - References: https://github.com/openwrt/packages/issues/19005 - References: https://github.com/openwrt/packages/issues/19547 - Signed-off-by: Petr Štetiar <ynezz@true.cz> - - Closes #9682 - -- tool_getparam: pass in the snprintf("%.*s") string length as 'int' - - Reported by Coverity CID 1515928 - - Closes #9679 - -- [Paul Seligman brought this change] - - ws: minor fixes for web sockets without the CONNECT_ONLY flag - - - Fixed an issue where is_in_callback was getting cleared when using web - sockets with debug logging enabled - - Ensure the handle is is_in_callback when calling out to fwrite_func - - Change the write vs. send_data decision to whether or not the handle - is in CONNECT_ONLY mode. - - Account for buflen not including the header length in curl_ws_send - - Closes #9665 - -Marc Hoersken (8 Oct 2022) -- CI/cirrus: merge existing macOS jobs into a job matrix - - Ref: #9627 - Reviewed-by: Philip H. - - Closes #9672 - -Daniel Stenberg (8 Oct 2022) -- strcase: add and use Curl_timestrcmp - - This is a strcmp() alternative function for comparing "secrets", - designed to take the same time no matter the content to not leak - match/non-match info to observers based on how fast it is. - - The time this function takes is only a function of the shortest input - string. - - Reported-by: Trail of Bits - - Closes #9658 - -- tool_getparam: split out data_urlencode() into its own function - - Closes #9673 - -- connect: fix Curl_updateconninfo for TRNSPRT_UNIX - - Reported-by: Vasiliy Ulyanov - Fixes #9664 - Closes #9670 - -- ws: fix Coverity complaints - - Coverity pointed out several flaws where variables remained - uninitialized after forks. - - Follow-up to e3f335148adc6742728f - - Closes #9666 - -Marc Hoersken (7 Oct 2022) -- CI/GHA: merge msh3 and openssl3 builds into linux workflow - - Continue work on merging all Linux workflows into one file. - - Follow up to #9501 - Closes #9646 - -Daniel Stenberg (7 Oct 2022) -- curl_ws_send.3: call the argument 'fragsize' - - Since WebSocket works with "fragments" not "frames" - - Closes #9668 - -- easy: avoid Intel error #2312: pointer cast involving 64-bit pointed-to type - - Follow-up to e3f335148adc6742728ff8 - - Closes #9669 - -- tool_main: exit at once if out of file descriptors - - If the main_checkfds function cannot create new file descriptors in an - attempt to detect of stdin, stdout or stderr are closed. - - Also changed the check to use fcntl() to check if the descriptors are - open, which avoids superfluously calling pipe() if they all already are. - - Follow-up to facfa19cdd4d0094 - - Reported-by: Trail of Bits - - Closes #9663 - -- websockets: remodeled API to support 63 bit frame sizes - - curl_ws_recv() now receives data to fill up the provided buffer, but can - return a partial fragment. The function now also get a pointer to a - curl_ws_frame struct with metadata that also mentions the offset and - total size of the fragment (of which you might be receiving a smaller - piece). This way, large incoming fragments will be "streamed" to the - application. When the curl_ws_frame struct field 'bytesleft' is 0, the - final fragment piece has been delivered. - - curl_ws_recv() was also adjusted to work with a buffer size smaller than - the fragment size. (Possibly needless to say as the fragment size can - now be 63 bit large). - - curl_ws_send() now supports sending a piece of a fragment, in a - streaming manner, in addition to sending the entire fragment in a single - call if it is small enough. To send a huge fragment, curl_ws_send() can - be used to send it in many small calls by first telling libcurl about - the total expected fragment size, and then send the payload in N number - of separate invokes and libcurl will stream those over the wire. - - The struct curl_ws_meta() returns is now called 'curl_ws_frame' and it - has been extended with two new fields: *offset* and *bytesleft*. To help - describe the passed on data chunk when a fragment is delivered in many - smaller pieces. - - The documentation has been updated accordingly. - - Closes #9636 - -- [Patrick Monnerat brought this change] - - docs/examples: avoid deprecated options in examples where possible - - Example programs targeting a deprecated feature/option are commented with - a warning about it. - Other examples are adapted to not use deprecated options. - - Closes #9661 - -Viktor Szakats (6 Oct 2022) -- cmake: fix enabling websocket support - - Follow-up from 664249d095275ec532f55dd1752d80c8c1093a77 - - Closes #9660 - -- tidy-up: delete parallel/unused feature flags - - Detecting headers and lib separately makes sense when headers come in - variations or with extra ones, but this wasn't the case here. These were - duplicate/parallel macros that we had to keep in sync with each other - for a working build. This patch leaves a single macro for each of these - dependencies: - - - Rely on `HAVE_LIBZ`, delete parallel `HAVE_ZLIB_H`. - - Also delete CMake logic making sure these two were in sync, along with - a toggle to turn off that logic, called `CURL_SPECIAL_LIBZ`. - - Also delete stray `HAVE_ZLIB` defines. - - There is also a `USE_ZLIB` variant in `lib/config-dos.h`. This patch - retains it for compatibility and deprecates it. - - - Rely on `USE_LIBSSH2`, delete parallel `HAVE_LIBSSH2_H`. - - Also delete `LIBSSH2_WIN32`, `LIBSSH2_LIBRARY` from - `winbuild/MakefileBuild.vc`, these have a role when building libssh2 - itself. And `CURL_USE_LIBSSH`, which had no use at all. - - Also delete stray `HAVE_LIBSSH2` defines. - - - Rely on `USE_LIBSSH`, delete parallel `HAVE_LIBSSH_LIBSSH_H`. - - Also delete `LIBSSH_WIN32`, `LIBSSH_LIBRARY` and `HAVE_LIBSSH` from - `winbuild/MakefileBuild.vc`, these were the result of copy-pasting the - libssh2 line, and were not having any use. - - - Delete unused `HAVE_LIBPSL_H` and `HAVE_LIBPSL`. - - Reviewed-by: Daniel Stenberg - - Closes #9652 - -Daniel Stenberg (6 Oct 2022) -- netrc: compare user name case sensitively - - User name comparisions in netrc need to match the case. - - Closes #9657 - -- CURLOPT_COOKIEFILE: insist on "" for enable-without-file - - The former way that also suggested using a non-existing file to just - enable the cookie engine could lead to developers maybe a bit carelessly - guessing a file name that will not exist, and then in a future due to - circumstances, such a file could be made to exist and then accidentally - libcurl would read cookies not actually meant to. - - Reported-by: Trail of bits - - Closes #9654 - -- tests/Makefile: remove run time stats from ci-test - - The ci-test is the normal makefile target invoked in CI jobs. This has - been using the -r option to runtests.pl since a long time, but I find - that it mostly just adds many lines to the test output report without - anyone caring much about those stats. - - Remove it. - - Closes #9656 - -- [Patrick Monnerat brought this change] - - tool: reorganize function c_escape around a dynbuf - - This is a bit shorter and a lot safer. - - Substrings of unescaped characters are added by a single call to reduce - overhead. - - Extend test 1465 to handle more kind of escapes. - - Closes #9653 - -Jay Satiro (5 Oct 2022) -- CURLOPT_HTTPPOST.3: bolden the deprecation notice - - Ref: https://github.com/curl/curl/pull/9621 - - Closes https://github.com/curl/curl/pull/9637 - -Daniel Stenberg (5 Oct 2022) -- [John Bampton brought this change] - - misc: fix spelling in docs and comments - - also: remove outdated sentence - - Closes #9644 - -- [Patrick Monnerat brought this change] - - tool: avoid generating ambiguous escaped characters in --libcurl - - C string hexadecimal-escaped characters may have more than 2 digits. - This results in a wrong C compiler interpretation of a 2-digit escaped - character when followed by an hex digit character. - - The solution retained here is to represent such characters as 3-digit - octal escapes. - - Adjust and extend test 1465 for this case. - - Closes #9643 - -- configure: the ngtcp2 option should default to 'no' - - While still experimental. - - Bug: https://curl.se/mail/lib-2022-10/0007.html - Reported-by: Daniel Hallberg - - Closes #9650 - -- CURLOPT_MIMEPOST.3: add an (inline) example - - Reported-by: Jay Satiro - Bug: https://github.com/curl/curl/pull/9637#issuecomment-1268070723 - - Closes #9649 - -Viktor Szakats (5 Oct 2022) -- Makefile.m32: exclude libs & libpaths for shared mode exes [ci skip] - - Exclude linker flags specifying depedency libs and libpaths, when - building against `libcurl.dll`. In such case these options are not - necessary (but may cause errors if not/wrongly configured.) - - Also move and reword a comment on `CPPFLAGS` to not apply to - `UNICODE` options. These are necessary for all build targets. - - Closes #9651 - -Jay Satiro (5 Oct 2022) -- runtests: fix uninitialized value on ignored tests - - - Don't show TESTFAIL message (ie tests failed which aren't ignored) if - only ignored tests failed. - - Before: - IGNORED: failed tests: 571 612 1056 - TESTDONE: 1214 tests out of 1217 reported OK: 99% - Use of uninitialized value $failed in concatenation (.) or string at - ./runtests.pl line 6290. - TESTFAIL: These test cases failed: - - After: - IGNORED: failed tests: 571 612 1056 - TESTDONE: 1214 tests out of 1217 reported OK: 99% - - Closes https://github.com/curl/curl/pull/9648 - -- cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS - - - Correct the use of -all-static for static Windows CI builds. - - curl_LDFLAGS was removed from the makefile when metalink support was - removed. LDFLAGS=-all-static is passed to make only, because it is not a - valid option for configure compilation tests. - - Closes https://github.com/curl/curl/pull/9633 - -Viktor Szakats (4 Oct 2022) -- Makefile.m32: fix regression with tool_hugehelp [ci skip] - - In a recent commit I mistakenly deleted this logic, after seeing a - reference to a filename ending with `.cvs` and thinking it must have - been long gone. Turns out this is an existing file. Restore the rule - and the necessary `COPY` definitions with it. - - The restored logic is required for a successful build on a bare source - tree (as opposed to a source release tarball). - - Also shorten an existing condition similar to the one added in this - patch. - - Regression since 07a0047882dd3f1fbf73486c5dd9c15370877ad6 - - Closes #9645 - -- Makefile.m32: deduplicate build rules [ci skip] - - After this patch, we reduce the three copies of most `Makefile.m32` - logic to one. This now resides in `lib/Makefile.m32`. It makes future - updates easier, the code shorter, with a small amount of added - complexity. - - `Makefile.m32` reduction: - - | | bytes | LOC total | blank | comment | code | - |-------------------|-------:|----------:|-------:|---------:|------:| - | 7.85.0 | 34772 | 1337 | 79 | 192 | 1066 | - | before this patch | 17601 | 625 | 62 | 106 | 457 | - | after this patch | 11680 | 392 | 52 | 104 | 236 | - - Details: - - - Change rules to create objects for the `v*` subdirs in the `lib` dir. - This allows to use a shared compile rule and assumes that filenames - are not (and will not be) colliding across these directories. - `Makefile.m32` now also stores a list of these subdirs. They are - changing rarely though. - - - Sync as much as possible between the three `Makefile.m32` scripts' - rules and their source/target sections. - - - After this patch `CPPFLAGS` are all applied to the `src` sources once - again. This matches the behaviour of cmake/autotools. Only zlib ones - are actually required there. - - - Use `.rc` names from `Makefile.inc` instead of keeping a duplicate. - - - Change examples to link `libcurl.dll` by default. This makes building - trivial, even as a cross-build: - `CC=x86_64-w64-mingw32-gcc make -f Makefile.m32` - To run them, you need to move/copy or add-to-path `libcurl.dll`. - You can select static mode via `CFG=-static`. - - - List more of the `Makefile.m32` config variables. - - - Drop `.rc` support from examples. It made it fragile without much - benefit. - - - Include a necessary system lib for the `externalsocket.c` example. - - - Exclude unnecessary systems libs when building in `-dyn` mode. - - Closes #9642 - -Daniel Stenberg (4 Oct 2022) -- RELEASE-NOTES: synced - -- CURLOPT_COOKIELIST.3: fix formatting mistake - - Also, updated manpage-syntax.pl to make it detect this error in test - 1173. - - Reported-by: ProceduralMan on github - Fixes #9639 - Closes #9640 - -- [Jay Satiro brought this change] - - connect: change verbose IPv6 address:port to [address]:port - - - Use brackets for the IPv6 address shown in verbose message when the - format is address:port so that it is less confusing. - - Before: Trying 2606:4700:4700::1111:443... - After: Trying [2606:4700:4700::1111]:443... - - Bug: https://curl.se/mail/archive-2022-02/0041.html - Reported-by: David Hu - - Closes #9635 - -Viktor Szakats (3 Oct 2022) -- Makefile.m32: major rework [ci skip] - - This patch overhauls `Makefile.m32` scripts, fixing a list of quirks, - making its behaviour and customization envvars align better with other - build systems, aiming for less code, that is easier to read, use and - maintain. - - Details: - - Rename customization envvars: - `CURL_CC` -> `CC` - `CURL_RC` -> `RC` - `CURL_AR` -> `AR` - `CURL_LDFLAG_EXTRAS_DLL` -> `CURL_LDFLAGS_LIB` - `CURL_LDFLAG_EXTRAS_EXE` -> `CURL_LDFLAGS_BIN` - - Drop `CURL_STRIP` and `CURL_RANLIB`. These tools are no longer used. - - Accept `CFLAGS`, `CPPFLAGS`, `RCFLAGS`, `LDFLAGS` and `LIBS` envvars. - - Drop `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, `CURL_RCFLAG_EXTRAS` in - favor of the above. - - Do not automatically enable `zlib` with `libssh2`. `zlib` is optional - with `libssh2`. - - Omit unnecessary `CPPFLAGS` options when building `curl.exe` and - examples. - - Drop support for deprecated `-winssl` `CFG` option. Use `-schannel` - instead. - - Avoid late evaluation where not necessary (`=` -> `:=`). - - Drop support for `CURL_DLL_A_SUFFIX` to override the implib suffix. - Instead, use the standard naming scheme by default: `libcurl.dll.a`. - The toolchain recognizes the name, and selects it automatically when - asking for a `-shared` vs. `-static` build. - - Stop applying `strip` to `libcurl.a`. Follow-up from - 16a58e9f93c7e89e1f87720199388bcfcfa148a4. There was no debug info to - strip since then. - - Stop setting `-O3`, `-W`, `-Wall` options. You can add these to - `CFLAGS` as desired. - - Always enable `-DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` with OpenSSL, - to avoid that vulnerability on Windows. - - Add `-lbrotlicommon` to `LIBS` when using `brotli`. - - Do not enable `-nghttp3` without `-ngtcp2`. - - `-ssh2` and `-rtmp` options no longer try to auto-select a TLS-backend. - You need to set the backend explicitly. This scales better and avoids - issues with certain combinations (e.g. `libssh2` + `wolfssl` with no - `schannel`). - - Default to OpenSSL TLS-backend with `ngtcp2`. Possible to override via - `NGTCP2_LIBS`. - - Old, alternate method of enabling components (e.g. `SSH2=1`) no longer - supported. - - Delete `SPNEGO` references. They were no-ops. - - Drop support for Win9x environments. - - Allow setting `OPENSSL_LIBS` independently from `OPENSSL_LIBPATH`. - - Support autotools/CMake `libssh2` builds by default. - - Respect `CURL_DLL_SUFFIX` in `-dyn` mode when building `curl.exe` and - examples. - - Assume standard directory layout with `LIBCARES_PATH`. (Instead of the - long gone embedded one.) - - Stop static linking with c-ares by default. Add - `CPPFLAGS=-DCARES_STATICLIB` to enable it. - - Reorganize internal layout to avoid redundancy and emit clean diffs - between src/lib and example make files. - - Delete unused variables. - - Code cleanups/rework. - - Comment and indentation fixes. - - Closes #9632 - -- scripts/release-notes.pl: strip ci skip tag [ci skip] - - Ref: https://github.com/curl/curl/commit/e604a82cae922bf86403a94f5803ac5e4303ae97#commitcomment-85637701 - - Reviewed-by: Daniel Stenberg - - Closes #9634 - -- Makefile.m32: delete legacy component bits [ci skip] - - - Drop auto-detection of OpenSSL 1.0.2 and earlier. Now always defaulting - to OpenSSL 1.1.0 and later, LibreSSL and BoringSSL. - - - Drop `Invalid path to OpenSSL package` detection. OpenSSL has been - using a standard file layout since 1.1.0, so this seems unnecessary - now. - - - Drop special logic to enable Novell LDAP SDK support. - - - Drop special logic to enable OpenLDAP LDAP SDK support. This seems - to be distinct from native OpenLDAP, with support implemented inside - `lib/ldap.c` (vs. `lib/openldap.c`) back when the latter did not exist - yet in curl. - - - Add `-lwldap32` only if there is no other LDAP library (either native - OpenLDAP, or SDKs above) present. - - - Update `doc/INSTALL.md` accordingly. - - After this patch, it's necessary to make configration changes when using - OpenSSL 1.0.2 or earlier, or the two LDAP SDKs. - - OpenSSL 1.0.2 and earlier: - ``` - export OPENSSL_INCLUDE = <path-to-openssl>/outinc - export OPENSSL_LIBPATH = <path-to-openssl>/out - export OPENSSL_LIBS = -lssl32 -leay32 -lgdi32 - ``` - - Novell LDAP SDK, previously enabled via `USE_LDAP_NOVELL=1`: - ``` - export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/inc -DCURL_HAS_NOVELL_LDAPSDK - export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib/mscvc -lldapsdk -lldapssl -lldapx - ``` - - OpenLDAP LDAP SDK, previously enabled via `USE_LDAP_OPENLDAP=1`: - ``` - export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/include -DCURL_HAS_OPENLDAP_LDAPSDK - export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib -lldap -llber - ``` - - I haven't tested these scenarios, and in general we recommend using - a recent OpenSSL release. Also, WinLDAP (the Windows default) and - OpenLDAP (via `-DUSE_OPENLDAP`) are the LDAP options actively worked on - in curl. - - Closes #9631 - -Daniel Stenberg (2 Oct 2022) -- vauth/ntlm.h: make line shorter than 80 columns - - Follow-up from 265fbd937 - -Viktor Szakats (1 Oct 2022) -- docs: update sourceforge project links [ci skip] - - SourceForge projects can now choose between two hostnames, with .io and - .net ending. Both support HTTPS by default now. Opening the other variant - will perm-redirected to the one chosen by the project. - - The .io -> .net redirection is done insecurely. - - Let's update the URLs to point to the current canonical endpoints to - avoid any redirects. - - Closes #9630 - -Daniel Stenberg (1 Oct 2022) -- curl_url_set.3: document CURLU_APPENDQUERY proper - - Listed among the other supported flags. - - Reported-by: Robby Simpson - Fixes #9628 - Closes #9629 - -Viktor Szakats (1 Oct 2022) -- Makefile.m32: cleanups and fixes [ci skip] - - - Add `-lcrypt32` once, and add it always for simplicity. - - Delete broken link and reference to the pre-Vista WinIDN add-on. - MS no longer distribute it. - - Delete related `WINIDN_PATH` option. IDN is a system lib since Vista. - - Sync `LIBCARES_PATH` default with the rest of dependencies. - - Delete version numbers from dependency path defaults. - - `libgsasl` package is now called `gsasl`. - - Delete `libexpat` and `libxml2` references. No longer used by curl. - - Delete `Edit the path below...` comments. We recommend to predefine - those envvars instead. - - `libcares.a` is not an internal dependency anymore. Stop using it as - such. - - `windres` `--include-dir` -> `-I`, `-F` -> `--target=` for readability. - - Delete `STRIP`, `CURL_STRIP`, `AR` references from `src/Makefile.m32`. - They were never used. - - Stop to `clean` some objects twice in `src/Makefile.m32`. - - Delete cvs-specific leftovers. - - Finish resource support in examples make file. - - Delete `-I<root>/lib` from examples make file. - - Fix copyright start year in examples make file. - - Delete duplicate `ftpuploadresume` input in examples make file. - - Sync OpenSSL lib order, `SYNC` support, `PROOT` use, dependency path - defaults, variables names and other internal bits between the three - make files. - - `lib/Makefile.m32` accepted custom options via `DLL_LIBS` envvar. This - was lib-specific and possibly accidental. Use `CURL_LDFLAG_EXTRAS_DLL` - envvar for the same effect. - - Fix linking `curl.exe` and examples to wrong static libs with - auto-detected OpenSSL 1.0.2 or earlier. - - Add `-lgdi32` for OpenSSL 1.0.2 and earlier only. - - Add link to Novell LDAP SDK and use a relative default path. Latest - version is from 2016, linked to an outdated OpenSSL 1.0.1. - - Whitespace and comment cleanups. - - TODO in a next commit: - - Delete built-in detection/logic for OpenSSL 1.0.2 and earlier, the Novell - LDAP SDK and the other LDAP SDK (which is _not_ OpenLDAP). Write up the - necessary custom envvars to configure them. - - Closes #9616 - -Daniel Stenberg (30 Sep 2022) -- RELEASE-NOTES: synced - -- [Matt Holt brought this change] - - HTTP3.md: update Caddy example - - Closes #9623 - -- easy: fix the altsvc init for curl_easy_duphandle - - It was using the old #ifdef which nothing sets anymore - - Closes #9624 - -- GHA: build tests in a separate step from the running of them - - ... to make the output smaller for when you want to look at test - failures. - - Removed the examples build from msh3 - - Closes #9619 - -Viktor Szakats (29 Sep 2022) -- ldap: delete stray CURL_HAS_MOZILLA_LDAP reference - - Added in 68b215157fdf69612edebdb220b3804822277822, while adding openldap - support. This is also the single mention of this constant in the source - tree and also in that commit. Based on these, it seems like an accident. - - Delete this reference. - - Reviewed-by: Daniel Stenberg - - Closes #9625 - -- docs: spelling nits - - - MingW -> MinGW (Minimalist GNU for Windows) - - f.e. -> e.g. - - some whitespace and punctuation. - - Reviewed-by: Daniel Stenberg - - Closes #9622 - -Daniel Stenberg (29 Sep 2022) -- [Philip Heiduck brought this change] - - cirrus-ci: add macOS build with m1 - - Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - - Closes #9565 - -- [Patrick Monnerat brought this change] - - lib: sanitize conditional exclusion around MIME - - The introduction of CURL_DISABLE_MIME came with some additional bugs: - - Disabled MIME is compiled-in anyway if SMTP and/or IMAP is enabled. - - CURLOPT_MIMEPOST, CURLOPT_MIME_OPTIONS and CURLOPT_HTTPHEADER are - conditioned on HTTP, although also needed for SMTP and IMAP MIME mail - uploads. - - In addition, the CURLOPT_HTTPHEADER and --header documentation does not - mention their use for MIME mail. - - This commit fixes the problems above. - - Closes #9610 - -- [Thiago Suchorski brought this change] - - docs: minor grammar fixes - - Closes #9609 - -- CURLSHOPT_UNLOCKFUNC.3: the callback as no 'access' argument - - Probably a copy and paste error from the lock function man page. - - Reported-by: Robby Simpson - Fixes #9612 - Closes #9613 - -- CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five - - ... instead just list the supported encodings. - - Reported-by: ProceduralMan on github - Fixes #9614 - Closes #9615 - -Dan Fandrich (28 Sep 2022) -- tests: Remove a duplicated keyword - -- docs: document more server names for test files - -Daniel Stenberg (28 Sep 2022) -- altsvc: reject bad port numbers - - The existing code tried but did not properly reject alternative services - using negative or too large port numbers. - - With this fix, the logic now also flushes the old entries immediately - before adding a new one, making a following header with an illegal entry - not flush the already stored entry. - - Report from the ongoing source code audit by Trail of Bits. - - Adjusted test 356 to verify. - - Closes #9607 - -- functypes: provide the recv and send arg and return types - - This header is for providing the argument types for recv() and send() - when built to not use a dedicated config-[platfor].h file. - - Remove the slow brute-force checks from configure and cmake. - - This change also removes the use of the types for select, as they were - not used in code. - - Closes #9592 - -- urlapi: reject more bad characters from the host name field - - Extended test 1560 to verify - - Report from the ongoing source code audit by Trail of Bits. - - Closes #9608 - -- configure: deprecate builds with small curl_off_t - - If curl_off_t turns out to be smaller than 8 bytes, - --with-n64-deprecated needs to be used to allow the build to - continue. This is to highlight the fact that support for such builds is - going away next year. - - Also mentioned in DEPRECATED.md - - Closes #9605 - -- [Patrick Monnerat brought this change] - - http, vauth: always provide Curl_allow_auth_to_host() functionality - - This function is currently located in the lib/http.c module and is - therefore disabled by the CURL_DISABLE_HTTP conditional token. - - As it may be called by TLS backends, disabling HTTP results in an - undefined reference error at link time. - - Move this function to vauth/vauth.c to always provide it and rename it - as Curl_auth_allowed_to_host() to respect the vauth module naming - convention. - - Closes #9600 - -- ngtcp2: fix C89 compliance nit - -- openssl: make certinfo available for QUIC - - Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that - can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC - connections as well. - - The *certchain function was moved to the top of the file for this reason. - - Reported-by: Eloy Degen - Fixes #9584 - Closes #9597 - -- RELEASE-NOTES: synced - -- DEPRECATE.md: Support for systems without 64 bit data types - - Closes #9604 - -- [Patrick Monnerat brought this change] - - tests: skip mime/form tests when mime is not built-in - - Closes #9596 - -- url: rename function due to name-clash in Watt-32 - - Follow-up to 2481dbe5f4f58 and applies the change the way it was - intended. - -Viktor Szakats (26 Sep 2022) -- windows: adjust name of two internal public functions - - According to `docs/INTERNALS.md`, internal function names spanning source - files start with uppercase `Curl_`. Bring these two functions in - alignment with this. - - This also stops exporting them from `libcurl.dll` in autotools builds. - - Reviewed-by: Daniel Stenberg - - Closes #9598 - -Daniel Stenberg (26 Sep 2022) -- [Gisle Vanem brought this change] - - url: rename function due to name-clash in Watt-32 - - Since the commit 764c958c52edb427f39, there was a new function called - resolve_ip(). This clashes with an internal function in Watt-32. - - Closes #9585 - -Jay Satiro (26 Sep 2022) -- schannel: ban server ALPN change during recv renegotiation - - By the time schannel_recv is renegotiating the connection, libcurl has - already decided on a protocol and it is too late for the server to - select a protocol via ALPN except for the originally selected protocol. - - Ref: https://github.com/curl/curl/issues/9451 - - Closes https://github.com/curl/curl/pull/9463 - -Daniel Stenberg (26 Sep 2022) -- url: a zero-length userinfo part in the URL is still a (blank) user - - Adjusted test 1560 to verify - - Reported-by: Jay Satiro - - Fixes #9088 - Closes #9590 - -Viktor Szakats (25 Sep 2022) -- autotools: allow --enable-symbol-hiding with windows - - This local autotools logic was put in place in - 9e24b9c7afbcb81120af4cf3f6cdee49a06d8224 (in 2012) which disabled it for - Windows unconditionally. Testing reveals that it actually works with - tested toolchains (mingw-w64 and CI ones), so let's allow this build - feature on that platform. Bringing this in sync with CMake, which already - supported this. - - Reviewed-by: Jay Satiro - - Closes #9586 - -- autotools: reduce brute-force when detecting recv/send arg list - - autotools uses brute-force to detect `recv`/`send`/`select` argument - lists, by interating through _all_ argument type combinations on each - `./configure` run. This logic exists since - 01fa02d0b545e1433dced2430561f8c0c72b74a9 (from 2006) and was a bit later - extended with Windows support. - - This results in a worst-case number of compile + link cycles as below: - - `recv`: 96 - - `send`: 192 - - `select`: 60 - Total: 348 (the number of curl C source files is 195, for comparison) - - Notice that e.g. curl-for-win autotools builds require two `./configure` - invocations, doubling these numbers. - - `recv` on Windows was especially unlucky because `SOCKET` (the correct - choice there) was listed _last_ in one of the outer trial loops. This - resulted in lengthy waits while autotools was trying all invalid - combinations first, wasting cycles, disk writes and slowing down - iteration. - - This patch reduces the amount of idle work by reordering the tests in - a way to succeed first on a well-known platform such as Windows, and - also on non-Windows by testing for POSIX prototypes first, on the - assumption that these are the most likely candidates these days. (We do - not touch `select`, where the order was already optimal for these - platforms.) - - For non-Windows, this means to try a return value of `ssize_t` first, - then `int`, reordering the buffer argument type to try `void *` first, - then `byte *`, and prefer the `const` flavor with `send`. If we are - here, also stop testing for `SOCKET` type in non-Windows builds. - - After the patch, detection on Windows is instantaneous. It should also be - faster on popular platforms such as Linux and BSD-based ones. - - If there are known-good variations for other platforms, they can also be - fast-tracked like above, given a way to check for that platform inside - the autotools logic. - - Reviewed-by: Daniel Stenberg - - Closes #9591 - -Daniel Stenberg (23 Sep 2022) -- TODO: Provide the error body from a CONNECT response - - Spellchecked-by: Jay Satiro - - Closes #9513 - Closes #9581 - -Viktor Szakats (23 Sep 2022) -- windows: autotools .rc warnings fixup - - Move `LT_LANG([Windows Resource])` after `XC_LIBTOOL`, fixing: - - - Warnings when running `autoreconf -fi`. - - - Warning when compiling .rc files: - libtool: compile: unable to infer tagged configuration - libtool: error: specify a tag with '--tag' - - Follow up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057 - Ref: https://github.com/curl/curl/pull/9521#issuecomment-1256291156 - - Suggested-by: Patrick Monnerat - Closes #9582 - -Daniel Stenberg (23 Sep 2022) -- [Randall S. Becker brought this change] - - curl_setup: disable use of FLOSS for 64-bit NonStop builds - - Older 32-bit builds currently need FLOSS. This dependency may be removed - in future OS releases. - - Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> - - Closes #9575 - -- [Patrick Monnerat brought this change] - - tool: remove dead code - - Add a debug assertion to verify protocols included/excluded in a set - are always tokenized. - - Follow-up to commit 677266c. - - Closes #9576 - -- [Patrick Monnerat brought this change] - - lib: prepare the incoming of additional protocols - - Move the curl_prot_t to its own conditional block. Introduce symbol - PROTO_TYPE_SMALL to control it. - - Fix a cast in a curl_prot_t assignment. - Remove an outdated comment. - - Follow-up to cd5ca80. - - Closes #9534 - -- msh3: change the static_assert to make the code C89 - -- bearssl: make it proper C89 compliant - -- curl-compilers.m4: for gcc + want warnings, set gnu89 standard - - To better verify that the code is C89 - - Closes #9542 - -- [Patrick Monnerat brought this change] - - lib517: fix C89 constant signedness - - In C89, positive integer literals that overflow an int but not an - unsigned int may be understood as a negative int. - - lib517.c:129:3: warning: this decimal constant is unsigned only in ISO C90 - {"Sun, 06 Nov 2044 08:49:37 GMT", 2362034977 }, - ^ - - Closes #9572 - -- mprintf: use snprintf if available - - This is the single place in libcurl code where it uses the "native" - s(n)printf() function. Used for writing floats. The use has been - reviewed and vetted and uses a HUGE target buffer, but switching to - snprintf() still makes this safer and removes build-time warnings. - - Reported-by: Philip Heiduck - - Fixes #9569 - Closes #9570 - -- docs: tag curl options better in man pages - - As it makes them links in the HTML versions. - - Verified by the extended test 1176 - -- symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6 - -- manpage-syntax.pl: all libcurl option symbols should be \fI-tagged - - ... as that makes them links to their corresponding man page. - - This script is used for test 1173. - - Closes #9574 - -- RELEASE-NOTES: synced - -- [Patrick Monnerat brought this change] - - tool: remove protocol count limitation - - Replace bit mask protocol sets by null-terminated arrays of protocol - tokens. These are the addresses of the protocol names returned by - curl_version_info(). - - Protocol names are sorted case-insensitively before output to satisfy CI - tests matches consistency. - - The protocol list returned by curl_version_info() is augmented with all - RTMP protocol variants. - - Test 1401 adjusted for new alpha ordered output. - - Closes #9546 - -- test972: verify the output without using external tool - - It seems too restrictive to assume and use an external tool to verify - the JSON. This now verifies the outut byte per byte. We could consider - building a local "JSON verifyer" in a future. - - Remove 'jsonlint' from the CI job. - - Reported-by: Marcel Raad - Fixes #9563 - Closes #9564 - -- hostip: lazily wait to figure out if IPv6 works until needed - - The check may take many milliseconds, so now it is performed once the - value is first needed. Also, this change makes sure that the value is - not used if the resolve is set to be IPv4-only. - - Closes #9553 - -- curl.h: fix mention of wrong error code in comment - - The same error and comment were also used and is now corrected in - CURLOPT_SSH_KEYFUNCTION.3 - -- symbol-scan.pl: scan and verify .3 man pages - - This script now also finds all .3 man pages in docs/include and - docs/include/opts, extracts all uses of CURL* symbols and verifies that all - symbols mentioned in docs are defined in public headers. - - A "global symbol" is one of those matching a known prefix and the script makes - an attempt to check all/most of them. Just using *all* symbols that match - CURL* proved matching a little too many other references as well and turned - difficult turning into something useful. - - Closes #9544 - -- symbols-in-versions: add missing LIBCURL* symbols - -- symbol-scan.pl: also check for LIBCURL* symbols - - Closes #9544 - -- docs/libcurl/symbols-in-versions: add several missing symbols - -- test1119: scan all public headers - - Previously this test only scanned a subset of the headers, which made us - accidentally miss symbols that were provided in the others. Now, the script - iterates over all headers present in include/curl. - - Closes #9544 - -- [Patrick Monnerat brought this change] - - examples/chkspeed: improve portability - - The example program chkspeed uses strncasecmp() which is not portable - across systems. Replace calls to this function by tests on characters. - - Closes #9562 - -- easy: fix the #include order - - The mentioned "last 3 includes" order should be respected. easy_lock.h should - be included before those three. - - Reported-by: Yuriy Chernyshov - Fixes #9560 - Closes #9561 - -- docs: spellfixes - - Pointed by the new CI job - -- GHA: spellcheck - - This spellchecker checks markdown files. For this reason this job - converts all man pages in the repository to markdown with pandoc before - the check runs. - - The perl script 'cleanspell' filters out details from the man page in - the process, to avoid the spellchecker trying to spellcheck things it - can't. Like curl specific symbols and the SYNOPSIS and EXAMPLE sections - of libcurl man pages. - - The spell checker does not check words in sections that are within pre, - strong and em tags. - - 'spellcheck.words' is a custom word list with additional accepted words. - - Closes #9523 - -- connect: fix the wrong error message on connect failures - - The "Failed to connect to" message after a connection failure would - include the strerror message based on the presumed previous socket - error, but in times it seems that error number is not set when reaching - this code and therefore it would include the wrong error message. - - The strerror message is now removed from here and the curl_easy_strerror - error is used instead. - - Reported-by: Edoardo Lolletti - Fixes #9549 - Closes #9554 - -- httpput-postfields.c: shorten string for C89 compliance - - httpput-postfields.c:41:3: error: string length ‘522’ is greater than the length ‘509’ ISO C90 compilers are required to support [-Woverlength-strings] - 41 | "this chapter."; - | ^~~~~~~~~~~~~~~ - - Closes #9555 - -- ws: fix a C89 compliance nit - - Closes #9541 - -- [Patrick Monnerat brought this change] - - unit test 1655: make it C89-compliant - - Initializations performed in unit test 1655 use automatic variables in - aggregates and thus can only be computed at run-time. Using gcc in C89 - dialect mode produces warning messages like: - - unit1655.c:96:7: warning: initializer element is not computable at load time [-Wpedantic] - 96 | { toolong, DOH_DNS_NAME_TOO_LONG }, /* expect early failure */ - | ^~~~~~~ - - Fix the problem by converting these automatic pointer variables to - static arrays. - - Closes #9551 - -- [Tobias Schaefer brought this change] - - curl_strequal.3: fix typo - - Closes #9548 - -- [Dmitry Karpov brought this change] - - resolve: make forced IPv4 resolve only use A queries - - This protects IPv4-only transfers from undesired bad IPv6-related side - effects and make IPv4 transfers in dual-stack libcurl behave the same - way as in IPv4 single-stack libcurl. - - Closes #9540 - -- RELEASE-NOTES: synced - -- winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths - - Patched-by: Mark Itzcovitz - Bug: https://curl.se/mail/lib-2022-09/0038.html - - Closes #9536 - -- TODO: Reduce CA certificate bundle reparsing - - By adding some sort of cache. - - Reported-by: Michael Drake - Closes #9379 - Closes #9538 - -Marc Hoersken (19 Sep 2022) -- CI/GHA: cancel outdated CI runs on new PR changes - - Avoid letting outdated CI runs continue if a PR receives - new changes. Outside a PR we let them continue running - by tying the concurrency to the commit hash instead. - - Also only let one CodeQL or Hacktoberfest job run at a time. - - Other CI platforms we use have this build in, but GitHub - unfortunately neither by default nor with a simple option. - - This saves CI resources and therefore a little energy. - - Approved-by: Daniel Stenberg - Approved-by: Max Dymond - Closes #9533 - -Daniel Stenberg (19 Sep 2022) -- docs: fix proselint complaints - -- GHA: run proselint on markdown files - - Co-authored-by: Marc Hörsken - - Closes #9520 - -- lib: the number four in a sequence is the "fourth" - - Spelling is hard - - Closes #9535 - -- [John Bampton brought this change] - - misc: fix spelling in two source files - - Closes #9529 - -Viktor Szakats (18 Sep 2022) -- windows: add .rc support to autotools builds - - After this update autotools builds will compile and link `.rc` resources - to Windows executables. Bringing this feature on par with CMake and - Makefile.m32 builds. And also making it unnecessary to improvise these - steps manually, while monkey patching build files, e.g. [0]. - - You can customize the resource compiler via the `RC` envvar, and its - options via `RCFLAGS`. - - This harmless warning may appear throughout the build, even though the - autotools manual documents [1] `RC` as a valid tag, and it fails when - omitting one: - `libtool: error: ignoring unknown tag RC` - - [0] https://github.com/curl/curl-for-win/blob/535f19060d4b708f72e75dd849409ce50baa1b84/curl-autotools.sh#L376-L382 - [1] https://www.gnu.org/software/libtool/manual/html_node/Tags.html - - Closes #9521 - -Marc Hoersken (18 Sep 2022) -- CI/linkcheck: only run if a Markdown file is changed - - This saves CI resources and therefore a little energy. - - Reviewed-by: Max Dymond - Closes #9531 - -- README.md: add GHA status badges for Linux and macOS builds - - This makes sense now that Linux builds are being consolidated. - - Approved-by: Daniel Stenberg - Closes #9530 - - [skip ci] - -Daniel Stenberg (17 Sep 2022) -- misc: null-terminate - - Make use of this term consistently. - - Closes #9527 - -Marc Hoersken (17 Sep 2022) -- CI/GHA: merge intel CC and more TLS libs into linux workflow - - Continue work on merging all Linux workflows into one file. - - Reviewed-by: Max Dymond - Follow up to #9501 - Closes #9514 - -Daniel Stenberg (17 Sep 2022) -- [Patrick Monnerat brought this change] - - lib1597: make it C89-compliant again - - Automatic variable addresses cannot be used in an initialisation - aggregate. - - Follow-up to 9d51329 - - Reported-by: Daniel Stenberg - Fixes: #9524 - Closes #9525 - -- tool_libinfo: silence "different 'const' qualifiers" in qsort() - - MSVC 15.0.30729.1 warned about it - - Follow-up to dd2a024323dcc - - Closes #9522 - -- [Patrick Monnerat brought this change] - - docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR. - - Disabled protocols are now handled as if they were unknown. - Also update the possible protocol list. - -- [Patrick Monnerat brought this change] - - cli tool: do not use disabled protocols - - As they are now rejected by the library, take care of not passing - disabled protocol names to CURLOPT_PROTOCOLS_STR and - CURLOPT_REDIR_PROTOCOLS_STR. - - Rather than using the CURLPROTO_* constants, dynamically assign protocol - numbers based on the order they are listed by curl_version_info(). - - New type proto_set_t implements prototype bit masks: it should therefore - be large enough to accomodate all library-enabled protocols. If not, - protocol numbers beyond the bit count of proto_set_t are recognized but - "inaccessible": when used, a warning is displayed and the value is - ignored. Should proto_set_t overflows, enabled protocols are reordered to - force those having a public CURLPROTO_* representation to be accessible. - - Code has been added to subordinate RTMP?* protocols to the presence of - RTMP in the enabled protocol list, being returned by curl_version_info() - or not. - -- [Patrick Monnerat brought this change] - - setopt: use the handler table for protocol name to number conversions - - This also returns error CURLE_UNSUPPORTED_PROTOCOL rather than - CURLE_BAD_FUNCTION_ARGUMENT when a listed protocol name is not found. - - A new schemelen parameter is added to Curl_builtin_scheme() to support - this extended use. - - Note that disabled protocols are not recognized anymore. - - Tests adapted accordingly. - - Closes #9472 - -- altsvc: use 'h3' for h3 - - Since the official and real version has been out for a while now and servers - are deployed out there using it, there is no point in sticking to h3-29. - - Reported-by: ウさん - Fixes #9515 - Closes #9516 - -Jay Satiro (16 Sep 2022) -- [chemodax brought this change] - - winbuild: Use NMake batch-rules for compilation - - - Invoke cl compiler once for each group of .c files. - - This is significantly improves compilation time. For example in my - environment: 40 s --> 20 s. - - Prior to this change cl was invoked per .c file. - - Closes https://github.com/curl/curl/pull/9512 - -Daniel Stenberg (16 Sep 2022) -- ws: the infof() flags should be %zu - - Follow-up to e5e9e0c5e49ae0 - - Closes #9518 - -- curl: warn for --ssl use, considered insecure - - Closes #9519 - -- [Sergey Bronnikov brought this change] - - curl_escape.3: fix typo - - lengthf -> length - - Closes #9517 - -- mailmap: merge Philip Heiduck's two addresses into one - -- test1948: verify PUT + POST reusing the same handle - - Reproduced #9507, verifies the fix - -- setopt: when POST is set, reset the 'upload' field - - Reported-by: RobBotic1 on github - Fixes #9507 - Closes #9511 - -Marc Hoersken (15 Sep 2022) -- github: initial CODEOWNERS setup for CI configuration - - Reviewed-by: Daniel Stenberg - Reviewed-by: Marcel Raad - Reviewed-by: Max Dymond - - Closes #9505 - - [skip ci] - -- [Philip Heiduck brought this change] - - CI: optimize some more dependencies install - - Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan> - - Closes #9500 - -- CI/GHA: merge event-based and NSS into new linux workflow - - Continue work on merging all Linux workflows into one file. - - Follow up to #9501 - Closes #9506 - -Daniel Stenberg (15 Sep 2022) -- include/curl/websockets.h: add extern "C" for C++ - - Reported-by: n0name321 on github - Fixes #9509 - Closes #9510 - -- lib1560: extended to verify detect/reject of unknown schemes - - ... when no guessing is allowed. - -- urlapi: detect scheme better when not guessing - - When the parser is not allowed to guess scheme, it should consider the - word ending at the first colon to be the scheme, independently of number - of slashes. - - The parser now checks that the scheme is known before it counts slashes, - to improve the error messge for URLs with unknown schemes and maybe no - slashes. - - When following redirects, no scheme guessing is allowed and therefore - this change effectively prevents redirects to unknown schemes such as - "data". - - Fixes #9503 - -- strerror: improve two URL API error messages - -Marc Hoersken (14 Sep 2022) -- CI/GHA: merge bearssl and hyper into initial linux workflow - - Begin work on merging all Linux workflows into one file. - - Closes #9501 - -Daniel Stenberg (14 Sep 2022) -- RELEASE-NOTES: synced - -- cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h - - Since the config file might also get included by the tool code at times. - This syncs with how other builds do it. - - Closes #9498 - -- tool_hugehelp: make hugehelp a blank macro when disabled - - Closes #9485 - -- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled - - ... to improve the output in this situation. Now it doesn't say "option - unknown" anymore. - - Closes #9485 - -- setopt: fix compiler warning - - Follow-up to cd5ca80f00d2 - - closes #9502 - -- [Philip Heiduck brought this change] - - CI: skip make, do make install at once for dependencies - - Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan> - - Closes #9477 - -- formdata: typecast the va_arg return value - - To avoid "enumerated type mixed with another type" warnings - - Follow-up from 0f52dd5fd5aa3592691a - - Closes #9499 - -- RELEASE-PROCEDURE.md: mention patch releases - - - When to make them and how to argue for them - - Refreshed the release date list - - Closes #9495 - -- urldata: use a curl_prot_t type for storing protocol bits - - This internal-use-only storage type can be bumped to a curl_off_t once - we need to use bit 32 as the previous 'unsigned int' can no longer hold - them all then. - - The websocket protocols take bit 30 and 31 so they are the last ones - that fit within 32 bits - but cannot properly be exported through APIs - since those use *signed* 32 bit types (long) in places. - - Closes #9481 - -- [zhanghu on xiaomi brought this change] - - formdata: fix warning: 'CURLformoption' is promoted to 'int' - - curl/lib/formdata.c: In function 'FormAdd': - curl/lib/formdata.c:249:31: warning: 'CURLformoption' is promoted to 'int' when passed through '...' - 249 | option = va_arg(params, CURLformoption); - | ^ - curl/lib/formdata.c:249:31: note: (so you should pass 'int' not 'CURLformoption' to 'va_arg') - curl/lib/formdata.c:249:31: note: if this code is reached, the program will abort - - Closes #9484 - -- CURLOPT_CONNECT_ONLY.3: for ws(s) as well - - and correct the version number for when that support comes. Even if it - is still experimental for WebSocket. - - Closes #9487 - -- tool_operate: avoid a few #ifdefs for disabled-libcurl builds - - By providing empty macros in the header file instead, the code gets - easier to read and yet is disabled on demand. - - Closes #9486 - -- [a1346054 on github brought this change] - - scripts: use `grep -E` instead of `egrep` - - egrep is deprecated - - Closes #9491 - -- [Hayden Roche brought this change] - - wolfSSL: fix session management bug. - - Prior to this commit, non-persistent pointers were being used to store - sessions. When a WOLFSSL object was then freed, that freed the session - it owned, and thus invalidated the pointer held in curl's cache. This - commit makes it so we get a persistent (deep copied) session pointer - that we then add to the cache. Accordingly, wolfssl_session_free, which - was previously a no-op, now needs to actually call SSL_SESSION_free. - - This bug was discovered by a wolfSSL customer. - - Closes #9492 - -- docs: use "WebSocket" in singular - - This is how the RFC calls the protocol. Also rename the file in docs/ to - WEBSOCKET.md in uppercase to match how we have done it for many other - protocol docs in similar fashion. - - Add the WebSocket docs to the tarball. - - Closes #9496 - -Marcel Raad (12 Sep 2022) -- ws: fix build without `USE_WEBSOCKETS` - - The curl.h include is required unconditionally. - -- ws: add missing curl.h include - - A conflict between commits 664249d0952 and e5839f4ee70 broke the build. - -Daniel Stenberg (12 Sep 2022) -- ws: fix an infof() call to use %uz for size_t output - - Detected by Coverity, CID 1514665. - - Closes #9480 - -Marcel Raad (12 Sep 2022) -- curl_setup: include only system.h instead of curl.h - - As done before commit 9506d01ee50. - - Ref: https://github.com/curl/curl/pull/9375#discussion_r957010158 - Closes https://github.com/curl/curl/pull/9453 - -- lib: add missing limits.h includes - - Closes https://github.com/curl/curl/pull/9453 - -- lib and tests: add missing curl.h includes - - Closes https://github.com/curl/curl/pull/9453 - -- curl_setup: include curl.h after platform setup headers - - The platform setup headers might set definitions required for the - includes in curl.h. - - Ref: https://github.com/curl/curl/pull/9375#discussion_r956998269 - Closes https://github.com/curl/curl/pull/9453 - -Daniel Stenberg (12 Sep 2022) -- [Benjamin Loison brought this change] - - docs: correct missing uppercase in Markdown files - - To detect these typos I used: - - ``` - clear && grep -rn '\. [a-z]' . | uniq | grep -v '\. lib' | grep -v '[0-9]\. [a-z]' | grep -v '\.\. [a-z]' | grep -v '\. curl' | grep -v 'e.g. [a-z]' | grep -v 'eg. [a-z]' | grep -v '\etc. [a-z]' | grep -v 'i.e\. [a-z]' | grep --color=always '\. [a-z]' | grep '\.md' - ``` - - Closes #9474 - -- tool_setopt: use better English in --libcurl source comments - - Like this: - - XYZ was set to an object pointer - ABC was set to a function pointer - - Closes #9475 - -- setopt: make protocol2num use a curl_off_t for the protocol bit - - ... since WSS does not fit within 32 bit. - - Bug: https://github.com/curl/curl/pull/9467#issuecomment-1243014887 - Closes #9476 - -- RELEASE-NOTES: synced - -- configure: polish the grep -E message a bit further - - Suggested-by: Emanuele Torre - Closes #9473 - -- GHA: add a gcc-11 -O3 build using OpenSSL - - Since -O3 might trigger other warnings - - Closes #9454 - -- [Patrick Monnerat brought this change] - - content_encoding: use writer struct subclasses for different encodings - - The variable-sized encoding-specific storage of a struct contenc_writer - currently relies on void * alignment that may be insufficient with - regards to the specific storage fields, although having not caused any - problems yet. - - In addition, gcc 11.3 issues a warning on access to fields of partially - allocated structures that can occur when the specific storage size is 0: - - content_encoding.c: In function ‘Curl_build_unencoding_stack’: - content_encoding.c:980:21: warning: array subscript ‘struct contenc_writer[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Warray-bounds] - 980 | writer->handler = handler; - | ~~~~~~~~~~~~~~~~^~~~~~~~~ - In file included from content_encoding.c:49: - memdebug.h:115:29: note: referencing an object of size 16 allocated by ‘curl_dbg_calloc’ - 115 | #define calloc(nbelem,size) curl_dbg_calloc(nbelem, size, __LINE__, __FILE__) - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - content_encoding.c:977:60: note: in expansion of macro ‘calloc’ - 977 | struct contenc_writer *writer = (struct contenc_writer *)calloc(1, sz); - - To solve both these problems, the current commit replaces the - contenc_writer/params structure pairs by "subclasses" of struct - contenc_writer. These are structures that contain a contenc_writer at - offset 0. Proper field alignment is therefore handled by the compiler and - full structure allocation is performed, silencing the warnings. - - Closes #9455 - -- configure: correct the wording when checking grep -E - - The check first checks that grep -E works, and only as a fallback tries - to find and use egrep. egrep is deprecated. - - This change only corrects the output wording, not the checks themselves. - - Closes #9471 - -Viktor Szakats (10 Sep 2022) -- websockets: sync prototypes in docs with implementation [ci skip] - - Docs for the new send/recv functions synced with the committed versions - of these. - - Closes #9470 - -Daniel Stenberg (10 Sep 2022) -- setopt: make protocols2num() work with websockets - - So that CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR can - specify those as well. - - Reported-by: Patrick Monnerat - Bug: https://curl.se/mail/lib-2022-09/0016.html - Closes #9467 - -- curl/websockets.h: remove leftover bad typedef - - Just a leftover trace of a development thing that did not stay like - that. - - Reported-by: Marc Hörsken - Fixes #9465 - Cloes #9466 - -Marcel Raad (10 Sep 2022) -- [Orgad Shaneh brought this change] - - fix Cygwin/MSYS compilation - - _getpid is Windows API. On Cygwin variants it should remain getpid. - - Fixes #8220 - Closes #9255 - -Marc Hoersken (10 Sep 2022) -- GHA: prepare workflow merge by aligning structure again - - Closes #9413 - -Daniel Stenberg (9 Sep 2022) -- docs: the websockets symbols are added in 7.86.0 - - Nothing else - - Closes #9459 - -- tests/libtest/Makefile.inc: fixup merge conflict mistake - -- EXPERIMENTAL.md: add WebSockets - -- appveyor: enable websockets - -- cirrus: enable websockets in the windows builds - -- GHA: add websockets to macos, openssl3 and hyper builds - -- tests: add websockets tests - - - add websockets support to sws - - 2300: first very basic websockets test - - 2301: first libcurl test for ws (not working yet) - - 2302: use the ws callback - - 2303: test refused upgrade - -- curl_ws_meta: initial implementation - -- curl_ws_meta.3: added docs - -- ws: initial websockets support - - Closes #8995 - -- version: add ws + wss - -- libtest/lib1560: test basic websocket URL parsing - -- configure: add --enable-websockets - -- docs/WebSockets.md: docs - -- test415: verify Content-Length parser with control code + negative value - -- strtoofft: after space, there cannot be a control code - - With the change from ISSPACE() to ISBLANK() this function no longer - deals with (ignores) control codes the same way, which could lead to - this function returning unexpected values like in the case of - "Content-Length: \r-12354". - - Follow-up to 6f9fb7ec2d7cb389a0da5 - - Detected by OSS-fuzz - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51140 - Assisted-by: Max Dymond - Closes #9458 - -- headers: reset the requests counter at transfer start - - If not, reusing an easy handle to do a subsequent transfer would - continue the counter from the previous invoke, which then would make use - of the header API difficult/impossible as the request counter - mismatched. - - Add libtest 1947 to verify. - - Reported-by: Andrew Lambert - Fixes #9424 - Closes #9447 - -Jay Satiro (8 Sep 2022) -- header: define public API functions as extern c - - Prior to this change linker errors would occur if curl_easy_header or - curl_easy_nextheader was called from a C++ unit. - - Bug: https://github.com/curl/curl/issues/9424#issuecomment-1238818007 - Reported-by: Andrew Lambert - - Closes https://github.com/curl/curl/pull/9446 - -Daniel Stenberg (8 Sep 2022) -- http2: make nghttp2 less picky about field whitespace - - In nghttp2 1.49.0 it returns error on leading and trailing whitespace in - header fields according to language in the recently shipped RFC 9113. - - nghttp2 1.50.0 introduces an option to switch off this strict check and - this change enables this option by default which should make curl behave - more similar to how it did with nghttp2 1.48.0 and earlier. - - We might want to consider making this an option in the future. - - Closes #9448 - -- RELEASE-NOTES: synced - - And bump to 7.86.0 for the pending next release - -- [Michael Heimpold brought this change] - - ftp: ignore a 550 response to MDTM - - The 550 is overused as a return code for multiple error case, e.g. - file not found and/or insufficient permissions to access the file. - - So we cannot fail hard in this case. - - Adjust test 511 since we now fail later. - Add new test 3027 which check that when MDTM failed, but the file could - actually be retrieved, that in this case no filetime is provided. - - Reported-by: Michael Heimpold - Fixes #9357 - Closes #9387 - -- urlapi: leaner with fewer allocs - - Slightly faster with more robust code. Uses fewer and smaller mallocs. - - - remove two fields from the URL handle struct - - reduce copies and allocs - - use dynbuf buffers more instead of custom malloc + copies - - uses dynbuf to build the host name in reduces serial alloc+free within - the same function. - - move dedotdotify into urlapi.c and make it static, not strdup the input - and optimize it by checking for . and / before using strncmp - - remove a few strlen() calls - - add Curl_dyn_setlen() that can "trim" an existing dynbuf - - Closes #9408 - -Jay Satiro (7 Sep 2022) -- setup-win32: no longer define UNICODE/_UNICODE implicitly - - - If UNICODE or _UNICODE is defined but the other isn't then error - instead of implicitly defining it. - - As Marcel pointed out it is too late at this point to make such a define - because Windows headers may already be included, so likely it never - worked. We never noticed because build systems that can make Windows - Unicode builds always define both. If one is defined but not the other - then something went wrong during the build configuration. - - Bug: https://github.com/curl/curl/pull/9375#discussion_r956545272 - Reported-by: Marcel Raad - - Closes https://github.com/curl/curl/pull/9384 - -Dan Fandrich (6 Sep 2022) -- tests: fix tag syntax errors in test files - -Marc Hoersken (6 Sep 2022) -- lib: add required Win32 setup definitions in setup-win32.h - - Assisted-by: Jay Satiro - Reviewed-by: Marcel Raad - - Follow up to #9312 - Closes #9375 - -Daniel Stenberg (6 Sep 2022) -- pingpong: extend the response reading error with errno - - To help diagnosing the cause of the problem. - - See #9380 - Closes #9443 - -- curl-compilers.m4: use -O2 as default optimize for clang - - Not -Os - - Closes #9444 - -- tool_operate: fix msnprintfing the error message - - Follow-up to 7be53774c41c59b47075fba - - Coverity CID 1513717 pointed out that we cannot use sizeof() on the - error buffer anymore. - - Closes #9440 - -- [Emanuele Torre brought this change] - - curl_ctype: add space around <= operator in ISSPACE macro - - Follow-up to f65f750 - - Closes #9441 - -- CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies - - The 'protocols' listed were previously wrong. - - Reported-by: ProceduralMan on github - Fixes #9434 - Closes #9435 - -- curl_ctype: convert to macros-only - - This no longer provide functions, only macros. Runs faster and produces - smaller output. - - The biggest precaution this change brings: - - DO NOT use post/pre-increments when passing arguments to the macros. - - Closes #9429 - -- misc: ISSPACE() => ISBLANK() - - Instances of ISSPACE() use that should rather use ISBLANK(). I think - somewhat carelessly used because it sounds as if it checks for space or - whitespace, but also includes %0a to %0d. - - For parsing purposes, we should only accept what we must and not be - overly liberal. It leads to surprises and surprises lead to bad things. - - Closes #9432 - -- ctype: remove all use of <ctype.h>, use our own versions - - Except in the test servers. - - Closes #9433 - -Marc Hoersken (5 Sep 2022) -- cmake: skip superfluous hex2dec conversion using math expr - - CMake seems to be able to compare two hex values just fine. - Also make sure CURL_TARGET_WINDOWS_VERSION is respected. - - Assisted-by: Marcel Raad - Reviewed-by: Viktor Szakats - Reported-by: Keitagit-kun on github - - Follow up to #9312 - Fixes #9406 - Closes #9411 - -Daniel Stenberg (5 Sep 2022) -- curl_easy_pause.3: unpausing is as fast as possible - - Reported-by: ssdbest on github - Fixes #9410 - Closes #9430 - -- CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols - - Except file. - - Reported-by: ProceduralMan on github - Fixes #9427 - Closes #9428 - -- NPN: remove support for and use of - - Next Protocol Negotiation is a TLS extension that was created and used - for agreeing to use the SPDY protocol (the precursor to HTTP/2) for - HTTPS. In the early days of HTTP/2, before the spec was finalized and - shipped, the protocol could be enabled using this extension with some - servers. - - curl supports the NPN extension with some TLS backends since then, with - a command line option `--npn` and in libcurl with - `CURLOPT_SSL_ENABLE_NPN`. - - HTTP/2 proper is made to use the ALPN (Application-Layer Protocol - Negotiation) extension and the NPN extension has no purposes - anymore. The HTTP/2 spec was published in May 2015. - - Today, use of NPN in the wild should be extremely rare and most likely - totally extinct. Chrome removed NPN support in Chrome 51, shipped in - June 2016. Removed in Firefox 53, April 2017. - - Closes #9307 - -- RELEASE-NOTES: synced - - and bump the tentative next release version to 7.85.1 - -- [Samuel Henrique brought this change] - - configure: fail if '--without-ssl' + explicit parameter for an ssl lib - - A side effect of a previous change to configure (576e507c78bdd2ec88) - exposed a non-critical issue that can happen if configure is called with - both '--without-ssl' and some parameter setting the use of a ssl library - (e.g. --with-gnutls). The configure script would end up assuming this is - a MultiSSL build, due to the way the case statement is written. - - I have changed the order of the variables in the string concatenation - for the case statement and also tweaked the options so that - --without-ssl never turns the build into a MultiSSL one and also clearly - stating that there are conflicting parameters if the user sets it like - described above. - - Closes #9414 - -- tests/certs/scripts: insert standard curl source headers - - ... including the SPDX-License-Identifier. - - These omissions were not detected by the RUEUSE CI job nor the copyright.pl - scanners because we have a general wildcard in .reuse/dep5 for - "tests/certs/*". - - Reported-by: Samuel Henrique - Fixes #9417 - Closes #9420 - -- [Samuel Henrique brought this change] - - docs: remove mentions of deprecated '--without-openssl' config parameter - - Closes #9415 - -- [Samuel Henrique brought this change] - - manpages: Fix spelling of "allows to" -> "allows one to" - - References: - https://salsa.debian.org/lintian/lintian/-/blob/master/tags/t/typo-in-manual-page.tag - https://english.stackexchange.com/questions/60271/grammatical-complements-for-allow/60285#60285 - - Closes #9419 - -- [Samuel Henrique brought this change] - - CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes - - Lintian (on Debian) has been complaining about this for a while but - I didn't bother initially as the groff parser that we use is not - affected by this. - - But I have now noticed that the online manpage is affected by it: - https://curl.se/libcurl/c/CURLOPT_WILDCARDMATCH.html - - (I'm using double quotes for quoting-only down below) - - The section that should be parsed as "'\'" ends up being parsed as - "'´". - - This is due to roffit not parsing "'\\'" correctly, which is fine - as the "correct" way of writing "'\'" is "'\e'" instead. - - Note that this fix is not enough to fix the online manpage at - curl's website, as roffit seems to parse it wrongly either way. - - My intent is to at least fix the manpage so that roffit can - be changed to parse "'\e'" correctly (although I suggest making - roffit parse both ways correctly, since that's what groff does). - - More details at: - https://bugs.debian.org/966803 - https://salsa.debian.org/lintian/lintian/-/blob/930b18e4b28b7540253f458ef42a884cca7965c3/tags/a/acute-accent-in-manual-page.tag - - Closes #9418 - -- tool_operate: reduce errorbuffer allocs - - - parallel transfers: only alloc and keep errorbuffers in memory for - actual "live" transfers and not for the ones in the pending queue - - - serial transfers: reuse the same fixed buffer for all transfers, not - allocated at all. - - Closes #9394 - -Viktor Szakats (31 Aug 2022) -- misc: spelling fixes - - Found using codespell 2.2.1. - - Also delete the redundant protocol designator from an archive.org URL. - - Reviewed-by: Daniel Stenberg - Closes #9403 - -Daniel Stenberg (31 Aug 2022) -- tool_progress: remove 'Qd' from the parallel progress bar - - The "queued" value is no longer showing anything useful to the user. It - is an internal number of transfers waiting at that moment. - - Closes #9389 - -- tool_operate: prevent over-queuing in parallel mode - - When doing a huge amount of parallel transfers, we must not add them to - the per_transfer list frivolously since they all use memory after all. - This was previous done without really considering millions or billions - of transfers. Massive parallelism would use a lot of memory for no good - purpose. - - The queue is now limited to twice the paralleism number. - - This makes the 'Qd' value in the parallel progress meter mostly useless - for users, but works for now for us as a debug display. - - Reported-by: justchen1369 on github - Fixes #8933 - Closes #9389 - -Viktor Szakats (31 Aug 2022) -- cmake: fix original MinGW builds - - 1. Re-enable `HAVE_GETADDRINFO` detection on Windows - - Commit d08ee3c83d6bd416aef62ff844c98e47c4682429 (in 2013) added logic - that automatically assumed `getaddrinfo()` to be present for builds - with IPv6 enabled. As it turns out, certain toolchains (e.g. original - MinGW) by default target older Windows versions, and thus do not - support `getaddrinfo()` out of the box. The issue was masked for - a while by CMake builds forcing a newer Windows version, but that - logic got deleted in commit 8ba22ffb2030ed91312fc8634e29516cdf0a9761. - Since then, some CI builds started failing due to IPv6 enabled, - `HAVE_GETADDRINFO` set, but `getaddrinfo()` in fact missing. - - It also turns out that IPv6 works without `getaddrinfo()` since commit - 67a08dca27a6a07b36c7f97252e284ca957ff1a5 (from 2019, via #4662). So, - to resolve all this, we can now revert the initial commit, thus - restoring `getaddrinfo()` detection and support IPv6 regardless of its - outcome. - - Reported-by: Daniel Stenberg - - 2. Omit `bcrypt` with original MinGW - - Original (aka legacy/old) MinGW versions do not support `bcrypt` - (introduced with Vista). We already have logic to handle that in - `lib/rand.c` and autotools builds, where we do not call the - unsupported API and do not link `bcrypt`, respectively, when using - original MinGW. - - This patch ports that logic to CMake, fixing the link error: - `c:/mingw/bin/../lib/gcc/mingw32/9.2.0/../../../../mingw32/bin/ld.exe: cannot find -lbcrypt` - - Ref: https://ci.appveyor.com/project/curlorg/curl/builds/44624888/job/40vle84cn4vle7s0#L508 - Regression since 76172511e7adcf720f4c77bd91f49278300ec97e - - Fixes #9214 - Fixes #9393 - Fixes #9395 - Closes #9396 - -Version 7.85.0 (31 Aug 2022) - -Daniel Stenberg (31 Aug 2022) -- RELEASE-NOTES: synced - - curl 7.85.0 release - -- THANKS: add contributors from the 7.85.0 release - -- getparam: correctly clean args - - Follow-up to bf7e887b2442783ab52 - - The previous fix for #9128 was incomplete and caused #9397. - - Fixes #9397 - Closes #9399 - -- zuul: remove the clang-tidy job - - Turns out we don't see the warnings, but the warnings right now are - plain ridiculous and unhelpful so we can just as well just kill this - job. - - Closes #9390 - -- cmake: set feature PSL if present - - ... make test 1014 pass when libpsl is used. - - Closes #9391 - -- lib530: simplify realloc failure exit path - - To make code analyzers happier - - Closes #9392 - -- [Orgad Shaneh brought this change] - - tests: add tests for netrc login/password combinations - - Covers the following PRs: - - - #9066 - - #9247 - - #9248 - - Closes #9256 - -- [Orgad Shaneh brought this change] - - url: really use the user provided in the url when netrc entry exists - - If the user is specified as part of the URL, and the same user exists - in .netrc, Authorization header was not sent at all. - - The user and password fields were assigned in conn->user and password - but the user was not assigned to data->state.aptr, which is the field - that is used in output_auth_headers and friends. - - Fix by assigning the user also to aptr. - - Amends commit d1237ac906ae7e3cd7a22c3a2d3a135a97edfbf5. - - Fixes #9243 - -- [Orgad Shaneh brought this change] - - netrc: Use the password from lines without login - - If netrc entry has password with empty login, use it for any username. - - Example: - .netrc: - machine example.com password 123456 - - curl -vn http://user@example.com/ - - Fix it by initializing state_our_login to TRUE, and reset it only when - finding an entry with the same host and different login. - - Closes #9248 - -- [Jay Satiro brought this change] - - url: treat missing usernames in netrc as empty - - - If, after parsing netrc, there is a password with no username then - set a blank username. - - This used to be the case prior to 7d600ad (precedes 7.82). Note - parseurlandfillconn already does the same thing for URLs. - - Reported-by: Raivis <standsed@users.noreply.github.com> - Testing-by: Domen Kožar - - Fixes https://github.com/curl/curl/issues/8653 - Closes #9334 - Closes #9066 - -- test8: verify that "ctrl-byte cookies" are ignored - -- cookie: reject cookies with "control bytes" - - Rejects 0x01 - 0x1f (except 0x09) plus 0x7f - - Reported-by: Axel Chong - - Bug: https://curl.se/docs/CVE-2022-35252.html - - CVE-2022-35252 - - Closes #9381 - -- libssh: ignore deprecation warnings - - libssh 0.10.0 marks all SCP functions as "deprecated" which causes - compiler warnings and errors in our CI jobs and elsewhere. Ignore - deprecation warnings if 0.10.0 or later is found in the build. - - If they actually remove the functions at a later point, then someone can - deal with that pain and functionality break then. - - Fixes #9382 - Closes #9383 - -- Revert "schannel: when importing PFX, disable key persistence" - - This reverts commit 70d010d285315e5f1cad6bdb4953e167b069b692. - - Due to further reports in #9300 that indicate this commit might - introduce problems. - -- multi: use larger dns hash table for multi interface - - Have curl_multi_init() use a much larger DNS hash table than used for - the easy interface to scale and perform better when used with _many_ - host names. - - curl_share_init() sets an in-between size. - - Inspired-by: Ivan Tsybulin - See #9340 - Closes #9376 - -Marc Hoersken (28 Aug 2022) -- CI/runtests.pl: add param for dedicated curl to talk to APIs - - This should make it possible to also report test failures - if our freshly build curl binary is not fully functional. - - Reviewed-by: Daniel Stenberg - Closes #9360 - -Daniel Stenberg (27 Aug 2022) -- [Jacob Tolar brought this change] - - openssl: add cert path in error message - - Closes #9349 - -- [Jacob Tolar brought this change] - - cert.d: clarify that escape character works for file paths - - Closes #9349 - -- gha: move over ngtcp2-gnutls CI job from zuul - - Closes #9331 - -Marc Hoersken (26 Aug 2022) -- cmake: add detection of threadsafe feature - - Avoids failing test 1014 by replicating configure checks - for HAVE_ATOMIC and _WIN32_WINNT with custom CMake tests. - - Reviewed-by: Marcel Raad - - Follow up to #8680 - Closes #9312 - -Daniel Stenberg (26 Aug 2022) -- RELEASE-NOTES: synced - -Marc Hoersken (26 Aug 2022) -- CI/azure: align torture shallowness with GHA - - There 25 is used with FTP tests skipped, and 20 for FTP tests. - This should make torture tests stay within the 60min timeout. - - Reviewed-by: Daniel Stenberg - Closes #9371 - -- multi_wait: fix and improve Curl_poll error handling on Windows - - First check for errors and return CURLM_UNRECOVERABLE_POLL - before moving forward and waiting on socket readiness events. - - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad - - Reported-by: Daniel Stenberg - Ref: #9361 - - Follow up to #8961 - Closes #9372 - -- multi_wait: fix skipping to populate revents for extra_fds - - On Windows revents was not populated for extra_fds if - multi_wait had to wait due to the Curl_poll pre-check - not signalling any readiness. This commit fixes that. - - Reviewed-by: Marcel Raad - Reviewed-by: Jay Satiro - - Closes #9361 - -- CI/appveyor: disable TLS in msys2-native autotools builds - - Schannel cannot be used from msys2-native Linux-emulated builds. - - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg - - Follow up to #9367 - Closes #9370 - -Jay Satiro (25 Aug 2022) -- tests: fix http2 tests to use CRLF headers - - Prior to this change some tests that rely on nghttpx proxy did not use - CRLF headers everywhere. A recent change in nghttp2, which updated its - version of llhttp (HTTP parser), requires curl's HTTP/1.1 test server to - use CRLF headers. - - Ref: https://github.com/nghttp2/nghttp2/commit/9d389e8 - - Fixes https://github.com/curl/curl/issues/9364 - Closes https://github.com/curl/curl/pull/9365 - -Daniel Stenberg (25 Aug 2022) -- [rcombs brought this change] - - multi: use a pipe instead of a socketpair on apple platforms - - Sockets may be shut down by the kernel when the app is moved to the - background, but pipes are not. - - Removed from KNOWN_BUGS - - Fixes #6132 - Closes #9368 - -- [Somnath Kundu brought this change] - - libssh2: provide symlink name in SFTP dir listing - - When reading the symbolic link name for a file, we need to add the file - name to base path name. - - Closes #9369 - -- configure: if asked to use TLS, fail if no TLS lib was detected - - Previously the configure script would just warn about this fact and - continue with TLS disabled build which is not always helpful. TLS should - be explicitly disabled if that is what the user wants. - - Closes #9367 - -- [Dustin Howett brought this change] - - schannel: when importing PFX, disable key persistence - - By default, the PFXImportCertStore API persists the key in the user's - key store (as though the certificate was being imported for permanent, - ongoing use.) - - The documentation specifies that keys that are not to be persisted - should be imported with the flag `PKCS12_NO_PERSIST_KEY`. - NOTE: this flag is only supported on versions of Windows newer than XP - and Server 2003. - - Fixes #9300 - Closes #9363 - -- unit1303: four tests should have TRUE for 'connecting' - - To match the comments. - - Reported-by: Wu Zheng - - See #9355 - Closes #9356 - -- CURLOPT_BUFFERSIZE.3: add upload buffersize to see also - - Closes #9354 - -- [Fabian Fischer brought this change] - - HTTP3.md: add missing autoreconf command for building with wolfssl - - Closes #9353 - -- RELEASE-NOTES: synced - -- multi: have curl_multi_remove_handle close CONNECT_ONLY transfer - - Ẃhen it has been used in the multi interface, it is otherwise left in - the connection cache, can't be reused and nothing will close them since - the easy handle loses the association with the multi handle and thus the - connection cache - until the multi handle is closed or it gets pruned - because the cache is full. - - Reported-by: Dominik Thalhammer - Fixes #9335 - Closes #9342 - -- docs/cmdline-opts: remove \& escapes from all .d files - - gen.pl escapes them itself now - -- docs/cmdline-opts/gen.pl: encode leading single and double quotes - - As "(aq" and "(dq" to prevent them from implying a meaning in the nroff - output. This removes the need for using \& escapes in the .d files' - description parts. - - Closes #9352 - -Marc Hoersken (23 Aug 2022) -- tests/server/sockfilt.c: avoid race condition without a mutex - - Avoid loosing any triggered handles by first aborting and joining - the waiting threads before evaluating the individual signal state. - - This removes the race condition and therefore need for a mutex. - - Closes #9023 - -Daniel Stenberg (22 Aug 2022) -- [Emil Engler brought this change] - - url: output the maximum when rejecting a url - - This commit changes the failf message to output the maximum length, when - curl refuses to process a URL because it is too long. - - See: #9317 - Closes: #9327 - -- [Chris Paulson-Ellis brought this change] - - configure: fix broken m4 syntax in TLS options - - Commit b589696f added lines to some shell within AC_ARG_WITH macros, but - inadvertently failed to move the final closing ). - - Quote the script section using braces. - - So, if these problems have been around for a while, how did I find them? - Only because I did a configure including these options: - - $ ./configure --with-openssl --without-rustls - SSL: enabled (OpenSSL) - - Closes #9344 - -- tests/data/CMakeLists: remove making the 'show' makefile target - - It is not used by runtests since 3c0f462 - - Closes #9333 - -- tests/data/Makefile: remove 'filecheck' target - - No practical use anymore since 3c0f4622cdfd6 - - Closes #9332 - -- libssh2: make atime/mtime date overflow return error - - Closes #9328 - -- libssh: make atime/mtime date overflow return error - - Closes #9328 - -- examples/curlx.c: remove - - This example is a bit convoluted to use as an example, combined with the - special license for it makes it unsuitable. - - Closes #9330 - -- [Tobias Nygren brought this change] - - curl.h: include <sys/select.h> on SunOS - - It is needed for fd_set to be visible to downstream consumers that use - <curl/multi.h>. Header is known to exist at least as far back as Solaris - 2.6. - - Closes #9329 - -- DEPRECATE.md: push the NSS deprecation date forward one year to 2023 - - URL: https://curl.se/mail/lib-2022-08/0016.html - -- libssh2: setting atime or mtime >32bit on 4-bytes-long systems - - Since the libssh2 API uses 'long' to store the timestamp, it cannot - transfer >32bit times on Windows and 32bit architecture builds. - - Avoid nasty surprises by instead not setting such time. - - Spotted by Coverity - - Closes #9325 - -- libssh: setting atime or mtime > 32bit is now just skipped - - The libssh API used caps the time to an unsigned 32bit variable. Avoid - nasty surprises by instead not setting such time. - - Spotted by Coverity. - - Closes #9324 - -Jay Satiro (16 Aug 2022) -- KNOWN_BUGS: Windows Unicode builds use homedir in current locale - - Bug: https://github.com/curl/curl/pull/7252 - Reported-by: dEajL3kA@users.noreply.github.com - - Ref: https://github.com/curl/curl/pull/7281 - - Closes https://github.com/curl/curl/pull/9305 - -Daniel Stenberg (16 Aug 2022) -- test399: switch it to use a config file instead - - ... as using a 65535 bytes host name in a URL does not fit on the - command line on some systems - like Windows. - - Reported-by: Marcel Raad - Fixes #9321 - Closes #9322 - -- RELEASE-NOTES: synced - -- asyn-ares: make a single alloc out of hostname + async data - - This saves one alloc per name resolve and simplifies the exit path. - - Closes #9310 - -- Curl_close: call Curl_resolver_cancel to avoid memory-leak - - There might be a pending (c-ares) resolve that isn't free'd up yet. - - Closes #9310 - -- asyn-thread: fix socket leak on OOM - - Closes #9310 - -- GHA: mv CI torture test from Zuul - - Closes #9310 - -- ngtcp2-wolfssl.yml: add GHA to build ngtcp2 + wolfSSL - - Closes #9318 - -- test399: verify check of too long host name - -- url: reject URLs with hostnames longer than 65535 bytes - - It *probably* causes other problems too since DNS can't resolve such - long names, but the SNI field in TLS is limited to 16 bits length. - - Closes #9317 - -- curl_multi_perform.3: minor language fix - - Closes #9316 - -- ngtcp2: fix picky compiler warnings with wolfSSL for QUIC - - Follow-up to 8a13be227eede2 - - Closes #9315 - -- ngtcp2: remove leftover variable - - Mistake leftover from my edit before push. - - Follow-up from 8a13be227eede2601c2b3b - Reported-by: Viktor Szakats - Bug: https://github.com/curl/curl/pull/9290#issuecomment-1214569167 - -Viktor Szakats (15 Aug 2022) -- Makefile.m32: allow -nghttp3/-ngtcp2 without -ssl [ci skip] - - Before this patch `-nghttp3`/`-ngtcp2` had an effect only when `-ssl` - was also enabled. `-ssl` meaning OpenSSL (and its forks). After - 8a13be227eede2601c2b3b1c63e08b3dc9b35dd5 nghttp3/ngtcp2 can also be - used together with wolfSSL. This patch adds the ability to enable - `-nghttp3`/`-ngtcp2` independently from `-ssl` (OpenSSL), allowing to - use it with wolfSSL or other, future TLS backends. - - Before this patch, it was fine to enable `-nghttp3`/`-ngtcp2` - unconditionally. After this patch, this is no longer the case, and now - it's the user's responsibility to enable `-nghttp3`/`-ngtcp2` only - together with a compatible TLS backend. - - When using a TLS backend other than OpenSSL, the TLS-specific ngtcp2 - library must be configured manually, e.g.: - `export CURL_LDFLAG_EXTRAS=-lngtcp2_crypto_wolfssl` - - (or via `NGTCP2_LIBS`) - - Closes #9314 - -Daniel Stenberg (15 Aug 2022) -- [Stefan Eissing brought this change] - - quic: add support via wolfSSL - - - based on ngtcp2 PR https://github.com/ngtcp2/ngtcp2/pull/505 - - configure adapted to build against ngtcp2 wolfssl crypto lib - - quic code added for creation of WOLFSSL* instances - - Closes #9290 - -Marcel Raad (14 Aug 2022) -- [David Carlier brought this change] - - memdebug: add annotation attributes - - memory debug tracking annotates whether the returned pointer does not - `alias`, hints where the size required is, for Windows to be better - debugged via Visual Studio. - - Closes https://github.com/curl/curl/pull/9306 - -Daniel Stenberg (14 Aug 2022) -- GHA: move libressl CI from zuul to GitHub - - Closes #9309 - -- KNOWN_BUGS: FTPS directory listing hangs on Windows with Schannel - - Closes #9161 - -- KNOWN_BUGS: CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel - - Closes #8741 - -- KNOWN_BUGS: libssh blocking and infinite loop problem - - Closes #8632 - -- RELEASE-NOTES: synced - -- msh3: fix the QUIC disconnect function - - And free request related memory better in 'done'. Fixes a memory-leak. - - Reported-by: Gisle Vanem - Fixes #8915 - Closes #9304 - -- connect: close the happy eyeballs loser connection when using QUIC - - Reviewed-by: Nick Banks - - Closes #9303 - -- [Emil Engler brought this change] - - refactor: split resolve_server() into functions - - This commit splits the branch-heavy resolve_server() function into - various sub-functions, in order to reduce the amount of nested - if/else-statements. - - Beside this, it also removes many else-sequences, by returning in the - previous if-statement. - - Closes #9283 - -- schannel: re-indent to use curl style better - - Only white space changes - - Closes #9301 - -- [Emanuele Torre brought this change] - - docs/cmdline-opts: fix example and categories for --form-escape - - The example was missing a "--form" argument - I also replaced "--form" with "-F" to shorten the line a bit since it - was already very long. - - And I also moved --form-escape from the "post" category to the "upload" - category (this is what I originally wanted to fix, before also noticing - the mistake in the example). - - Closes #9298 - -- [Nick Banks brought this change] - - HTTP3.md: update to msh3 v0.4.0 - - Closes #9297 - -- hostip: resolve *.localhost to 127.0.0.1/::1 - - Following the footsteps of other clients like Firefox/Chrome. RFC 6761 - says clients SHOULD do this. - - Add test 389 to verify. - - Reported-by: TheKnarf on github - Fixes #9192 - Closes #9296 - -Jay Satiro (11 Aug 2022) -- KNOWN_BUGS: long paths are not fully supported on Windows - - Bug: https://github.com/curl/curl/issues/8361 - Reported-by: Gisle Vanem - - Closes https://github.com/curl/curl/pull/9288 - -Daniel Stenberg (11 Aug 2022) -- config: remove the check for and use of SIZEOF_SHORT - - shorts are 2 bytes on all platforms curl runs and have ever run on. - - Closes #9291 - -- configure: introduce CURL_SIZEOF - - This is a rewrite of the previously used GPLv3+exception licensed - file. With this change, there is no more reference to GPL so we can - remove that from LICENSES/. - - Ref: #9220 - Closes #9291 - -- [Sean McArthur brought this change] - - hyper: customize test1274 to how hyper unfolds headers - - Closes #9217 - -- [Orgad Shaneh brought this change] - - curl-config: quote directories with potential space - - On Windows (at least with CMake), the default prefix is - C:/Program Files (x86)/CURL. - - Closes #9253 - -- [Oliver Roberts brought this change] - - amigaos: fix threaded resolver on AmigaOS 4.x - - Replace ip4 resolution function on AmigaOS 4.x, as it requires runtime - feature detection and extra code to make it thread safe. - - Closes #9265 - -- [Emil Engler brought this change] - - imap: use ISALNUM() for alphanumeric checks - - This commit replaces a self-made character check for alphanumeric - characters within imap_is_bchar() with the ISALNUM() macro, as it is - reduces the size of the code and makes the performance better, due to - ASCII arithmetic. - - Closes #9289 - -- RELEASE-NOTES: synced - -- [Cering on github brought this change] - - connect: add quic connection information - - Fixes #9286 - Closes #9287 - -- [Philip Heiduck brought this change] - - cirrus/freebsd-ci: bootstrap the pip installer - - Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - - Closes #9213 - -- urldata: move smaller fields down in connectdata struct - - By (almost) sorting the struct fields in connectdata in a decending size - order, having the single char ones last, we reduce the number of holes - in the struct and thus the amount of storage needed. - - Closes #9280 - -- ldap: adapt to conn->port now being an 'int' - - Remove typecasts. Fix printf() formats. - - Follow-up from 764c6bd3bf. - Pointed out by Coverity CID 1507858. - - Closes #9281 - -- KNOWN_BUGS: Negotiate authentication against Hadoop HDFS - - Closes #8264 - -- [Oliver Roberts brought this change] - - file: add handling of native AmigaOS paths - - On AmigaOS 4.x, handle native absolute paths, whilst blocking relative - paths. Also allow unix style paths if feature enabled at link time. - - Inspiration-from: Michael Trebilcock - - Closes #9259 - -- KNOWN_BUGS: cmake build is not thread-safe - - The cmake build does not check for and verify presence of a working - Atomic type, which then makes curl_global_init() to not build - thread-safe on non-Windows platforms. - - Closes https://github.com/curl/curl/issues/8973 - Closes https://github.com/curl/curl/pull/8982 - -- [Oliver Roberts brought this change] - - configure: fixup bsdsocket detection code for AmigaOS 4.x - - The code that detects bsdsocket.library for AmigaOS did not work - for AmigaOS 4.x. This has been fixed and also cleaned up a little - to reduce duplication. Wasn't technically necessary before, but is - required when building with AmiSSL instead of OpenSSL. - - Closes #9268 - -- [Oliver Roberts brought this change] - - tool: reintroduce set file comment code for AmigaOS - - Amiga specific code which put the URL in the file comment was perhaps - accidentally removed in b88940850002a3f1c25bc6488b95ad30eb80d696 having - originally been added in 5c215bdbdfde8b2350cdcbac82aae0c914da5314. - Reworked to fit the code changes and added it back in. - - Reported-by: Michael Trebilcock - Originally-added-by: Chris Young - - Closes #9258 - -- urldata: make 'negnpn' use less storage - - The connectdata struct field 'negnpn' never holds a value larger than - 30, so an unsigned char saves 3 bytes struct space. - - Closes #9279 - -- urldata: make three *_proto struct fields smaller - - Use 'unsigned char' for storage instead of the enum, for three GSSAPI - related fields in the connectdata struct. - - Closes #9278 - -- connect: set socktype/protocol correctly - - So that an address used from the DNS cache that was previously used for - QUIC can be reused for TCP and vice versa. - - To make this possible, set conn->transport to "unix" for unix domain - connections ... and store the transport struct field in an unsigned char - to use less space. - - Reported-by: ウさん - Fixes #9274 - Closes #9276 - -- [Oliver Roberts brought this change] - - amissl: allow AmiSSL to be used with AmigaOS 4.x builds - - Enable AmiSSL to be used instead of static OpenSSL link libraries. - for AmigaOS 4.x, as it already is in the AmigaOS 3.x build. - - Closes #9269 - -- [opensignature on github brought this change] - - openssl: add details to "unable to set client certificate" error - - from: "curl: (58) unable to set client certificate" - - to: curl: (58) unable to set client certificate [error:0A00018F:SSL - routines::ee key too small] - - Closes #9228 - -- [Oliver Roberts brought this change] - - amissl: make AmiSSL v5 a minimum requirement - - AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0. - Support for previous OpenSSL 1.1.x versions has been dropped, so - makes sense to enforce v5 as the minimum requirement. This also - allows all the AmiSSL stub workarounds to be removed as they are - now provided in a link library in the AmiSSL SDK. - - Closes #9267 - -- [Oliver Roberts brought this change] - - configure: -pthread not available on AmigaOS 4.x - - The most recent GCC builds for AmigaOS 4.x do not allow -pthread and - exit with an error. Instead, need to explictly specify -lpthread. - - Closes #9266 - -- digest: pass over leading spaces in qop values - - When parsing the "qop=" parameter of the digest authentication, and the - value is provided within quotes, the list of values can have leading - white space which the parser previously did not handle correctly. - - Add test case 388 to verify. - - Reported-by: vlubart on github - Fixes #9264 - Closes #9270 - -- [Evgeny Grin (Karlson2k) brought this change] - - digest: reject broken header with session protocol but without qop - - Closes #9077 - -- CURLINFO_SPEED_UPLOAD/DOWNLOAD.3: fix examples - - Reported-by: jvvprasad78 on github - Assisted-by: Jay Satiro - Fixes #9239 - Closes #9241 - -- [Fabian Keil brought this change] - - test44[2-4]: add '--resolve' to the keywords - - ... so the tests can be automatically skipped when - using an external proxy like Privoxy. - - Closes #9250 - -- RELEASE-NOTES: synced - -- CURLOPT_CONNECT_ONLY.3: clarify multi API use - - Reported-by: Maxim Ivanov - Fixes #9244 - Closes #9262 - -- [Andrew Lambert brought this change] - - curl_easy_header: Add CURLH_PSEUDO to sanity check - - Fixes #9235 - Closes #9236 - -- [Emil Engler brought this change] - - docs: add dns category to --resolve - - This commit adds the dns category to the --resolve command line option, - because it can be interpreted as both: a low-level connection option and - an option related to the resolving of a hostname. - - It is also not common for dns options to belong to the connection - category and vice versa. --ipv4 and --ipv6 are both good examples. - - Closes #9229 - -Jay Satiro (2 Aug 2022) -- [Wyatt O'Day brought this change] - - schannel: Add TLS 1.3 support - - - Support TLS 1.3 as the default max TLS version for Windows Server 2022 - and Windows 11. - - - Support specifying TLS 1.3 ciphers via existing option - CURLOPT_TLS13_CIPHERS (tool: --tls13-ciphers). - - Closes https://github.com/curl/curl/pull/8419 - -Daniel Stenberg (2 Aug 2022) -- [Emil Engler brought this change] - - cmdline-opts/gen.pl: improve performance - - On some systems, the gen.pl script takes nearly two minutes for the - generation of the main-page, which is a completely unacceptable time. - - The slow performance has two causes: - 1. Use of a regex locale operator - 2. Useless invokations of loops - - The commit addresses the first issue by replacing the "\W" wiht - [^a-zA-Z0-9_], which is, according to regex101.com, functionally - equivalent to the previous operation, except that it is obviously - limited to ASCII only, which is fine, as the curl project is - English-only anyway. - - The second issue is being addressed by only running the loop if the line - contains a "--" in it. The loop may be completeley removed in the - future. - - Co-authored-by: Emanuele Torre <torreemanuele6@gmail.com> - - See #8299 - Fixes #9230 - Closes #9232 - -- docs/cmdline: mark fail and fail-with-body as mutually exclusive - - Reported-by: Andreas Sommer - Fixes #9221 - Closes #9222 - -- [Nao Yonashiro brought this change] - - quiche: fix build failure - - Reviewed-by: Alessandro Ghedini - Closes #9223 - -Viktor Szakats (2 Aug 2022) -- configure.ac: drop references to deleted functions - - follow-up from 4d73854462f30948acab12984b611e9e33ee41e6 - - Reported-by: Oliver Roberts - Fixes #9238 - Closes #9240 - -Daniel Stenberg (28 Jul 2022) -- [Sean McArthur brought this change] - - hyper: enable obs-folded multiline headers - - Closes #9216 - -- connect: revert the use of IP*_RECVERR - - The options were added in #6341 and d13179d, but cause problems: Lots of - POLLIN event occurs but recvfrom read nothing. - - Reported-by: Tatsuhiro Tsujikawa - Fixes #9209 - Closes #9215 - -- [Marco Kamner brought this change] - - docs: remove him/her/he/she from documentation - - Closes #9208 - -- RELEASE-NOTES: synced - -- tool_getparam: make --doh-url "" switch it off - - A possible future addition could be to parse the URL first too to verify - that it is valid before trying to use it. - - Assisted-by: Jay Satiro - Closes #9207 - -- mailmap: add rzrymiak on github - -Jay Satiro (26 Jul 2022) -- ngtcp2: Fix build error due to change in nghttp3 prototypes - - ngtcp2/nghttp3@4a066b2 changed nghttp3_conn_block_stream and - nghttp3_conn_shutdown_stream_write return from int to void. - - Reported-by: jurisuk@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/9204 - Closes https://github.com/curl/curl/pull/9200 - -Daniel Stenberg (26 Jul 2022) -- [rzrymiak on github brought this change] - - BUGS.md: improve language - - Closes #9205 - -- [Philip Heiduck brought this change] - - cirrus.yml: replace py38-pip with py39-pip - - Reported-by: Jay Satiro - Fixes #9201 - Closes #9202 - -- tool_getparam: fix cleanarg() for unicode builds - - Use the correct type, and make cleanarg an empty macro if the cleaning - ability is absent. - - Fixes #9195 - Closes #9196 - - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad - -Marc Hoersken (25 Jul 2022) -- test3026: add support for Windows using native Win32 threads - - Reviewed-by: Viktor Szakats - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg - - Follow up to 7ade9c50b35d95d47a43880c3097bebab7a7e690 - Closes #9012 - -Jay Satiro (25 Jul 2022) -- [Evgeny Grin (Karlson2k) brought this change] - - digest: fix memory leak, fix not quoted 'opaque' - - Fix leak regression introduced by 3a6fe0c. - - Closes https://github.com/curl/curl/pull/9199 - -Daniel Stenberg (23 Jul 2022) -- tests: several enumerated type cleanups - - To please icc - - Closes #9179 - -- tool_paramhlp: fix "enumerated type mixed with another type" - - Warning by icc - - Closes #9179 - -- tool_writeout: fix enumerated type mixed with another type - - Closes #9179 - -- tool_cfgable: make 'synthetic_error' a plain bool - - The specific reason was not used. - - Closes #9179 - -- tool_paramhlp: make check_protocol return ParameterError - - "enumerated type mixed with another type" - - Closes #9179 - -- tool_formparse: fix variable may be used before its value is set - - Warning by icc - - Closes #9179 - -- sendf: skip storing HTTP headers if HTTP disabled - - Closes #9179 - -- url: enumerated type mixed with another type - - Follow-up to 1c58e7ae99ce2030213f28b - - Closes #9179 - -- urldata: change second proxytype field to unsigned char to match - - To avoid "enumerated type mixed with another type" - - Closes #9179 - -- http: typecast the httpreq assignment to avoid icc compiler warning - - error #188: enumerated type mixed with another type - - Closes #9179 - -- urldata: make state.httpreq an unsigned char - - To match set.method used for the same purpose. - - Closes #9179 - -- splay: avoid using -1 in unsigned variable - - To fix icc compiler warning integer conversion resulted in a change of sign - - Closes #9179 - -- sendf: store the header type in an usigned char to avoid icc warnings - - Closes #9179 - -- multi: fix the return code from Curl_pgrsDone() - - It does not return a CURLcode. Detected by the icc compiler warning - "enumerated type mixed with another type" - - Closes #9179 - -- sendf: make Curl_debug a void function - - As virtually no called checked the return code, and those that did - wrongly treated it as a CURLcode. Detected by the icc compiler warning: - enumerated type mixed with another type - - Closes #9179 - -- http_chunks: remove an assign + typecast - - As it caused icc to complain: "pointer cast involving 64-bit pointed-to - type" - - Closes #9179 - -- vtls: make Curl_ssl_backend() return the enum type curl_sslbackend - - To fix the icc warning enumerated type mixed with another type - - Closes #9179 - -- curl-compilers.m4: make icc use -diag* options and disable two warnings - - -wd and -we are deprecated and are now -diag-disable and -diag-error - - Disable warning 1024 and 2259 - - Closes #9179 - -- [Matthew Thompson brought this change] - - GHA: add two Intel compiler CI jobs - - Closes #9179 - -- [Daniel Katz brought this change] - - curl-functions.m4: check whether atomics can link rather than just compile - - Some build toolchains support C11 atomics (i.e., _Atomic types), but - will not link the associated atomics runtime unless a flag is passed. In - such an environment, linking an application with libcurl.a can fail due - to undefined symbols for atomic load/store functions. - - I encountered this behavior when upgrading curl to 7.84.0 and attempting - to build with Solaris Studio 12.6. Solaris provides the flag - -xatomic=[gcc | studio], allowing users to link to one of two atomics - runtime implementations. However, if the user does not provide this - flag, then neither runtime is linked. This led to builds failing in CI. - - Closes #9190 - -- [Rosen Penev brought this change] - - curl-wolfssl.m4: add options header when building test code - - Needed for certain configurations of wolfSSL. Otherwise, missing header - error may occur. - - Tested with OpenWrt. - - Closes #9187 - -- ftp: use a correct expire ID for timer expiry - - This was an accurate error pointed out by the icc warning: enumerated - type mixed with another type - - Ref: #9179 - Closes #9184 - -- sendf: fix paused header writes since after the header API - - Regression since d1e4a67 - - Reported-by: Sergey Ogryzkov - Fixes #9180 - Closes #9182 - -- mprintf: fix *dyn_vprintf() when out-of-memory - - Follow-up to 0e48ac1f99a. Torture-testing 1455 would lead to a memory - leak otherwise. - - Closes #9185 - -- curl-confopts: remove leftover AC_REQUIREs - - configure.ac:3488: warning: CURL_CHECK_FUNC_IOCTL is m4_require'd but not m4_defun'd - configure.ac:3488: warning: CURL_CHECK_FUNC_SETSOCKOPT is m4_require'd but not m4_defun'd - - follow-up from 4d73854462f30 - - Closes #9183 - -- file: fix icc enumerated type mixed with another type warning - - Ref: #9179 - Closes #9181 - -Viktor Szakats (19 Jul 2022) -- tidy-up: delete unused build configuration macros - - Most of them feature guards: - - - `CURL_INCLUDES_SYS_UIO` [1] - - `HAVE_ALLOCA_H` [2] - - `HAVE_CRYPTO_CLEANUP_ALL_EX_DATA` (unused since de71e68000c8624ea13f90b136f8734dd0fb1bdc) - - `HAVE_DLFCN_H` - - `HAVE_DLOPEN` - - `HAVE_DOPRNT` - - `HAVE_FCNTL` - - `HAVE_GETHOSTBYNAME` [3] - - `HAVE_GETOPT_H` - - `HAVE_GETPASS` - - `HAVE_GETPROTOBYNAME` - - `HAVE_GETSERVBYNAME` - - `HAVE_IDN_FREE*` - - `HAVE_INET_ADDR` - - `HAVE_IOCTL` - - `HAVE_KRB4` - - `HAVE_KRB_GET_OUR_IP_FOR_REALM` - - `HAVE_KRB_H` - - `HAVE_LDAPSSL_H` - - `HAVE_LDAP_INIT_FD` - - `HAVE_LIBDL` - - `HAVE_LIBNSL` - - `HAVE_LIBRESOLV*` - - `HAVE_LIBUCB` - - `HAVE_LL` - - `HAVE_LOCALTIME_R` - - `HAVE_MALLOC_H` - - `HAVE_MEMCPY` - - `HAVE_MEMORY_H` - - `HAVE_NETINET_IF_ETHER_H` - - `HAVE_NI_WITHSCOPEID` - - `HAVE_OPENSSL_CRYPTO_H` - - `HAVE_OPENSSL_ERR_H` - - `HAVE_OPENSSL_PEM_H` - - `HAVE_OPENSSL_PKCS12_H` - - `HAVE_OPENSSL_RAND_H` - - `HAVE_OPENSSL_RSA_H` - - `HAVE_OPENSSL_SSL_H` - - `HAVE_OPENSSL_X509_H` - - `HAVE_PEM_H` - - `HAVE_POLL` - - `HAVE_RAND_SCREEN` - - `HAVE_RAND_STATUS` - - `HAVE_RECVFROM` - - `HAVE_SETSOCKOPT` - - `HAVE_SETVBUF` - - `HAVE_SIZEOF_LONG_DOUBLE` - - `HAVE_SOCKIO_H` - - `HAVE_SOCK_OPTS` - - `HAVE_STDIO_H` - - `HAVE_STRCASESTR` - - `HAVE_STRFTIME` - - `HAVE_STRLCAT` - - `HAVE_STRNCMPI` - - `HAVE_STRNICMP` - - `HAVE_STRSTR` - - `HAVE_STRUCT_IN6_ADDR` - - `HAVE_TLD_H` - - `HAVE_TLD_STRERROR` - - `HAVE_UNAME` - - `HAVE_USLEEP` - - `HAVE_WINBER_H` - - `HAVE_WRITEV` - - `HAVE_X509_H` - - `LT_OBJDIR` - - `NEED_BASENAME_PROTO` - - `NOT_NEED_LIBNSL` - - `OPENSSL_NO_KRB5` - - `RECVFROM_TYPE*` - - `SIZEOF_LONG_DOUBLE` - - `STRERROR_R_TYPE_ARG3` - - `USE_YASSLEMUL` - - `_USRDLL` (from CMake) [4] - - [1] Related parts in `m4/curl-functions.m4` and `configure.ac` might - also be deleted. - - [2] Related comment can possibly be deleted in - `packages/vms/generate_config_vms_h_curl.com`. - - [3] There are more instances of this in autotools, but I did not dare to - touch those. Looked like it's used to detect socket support. - - [4] This is necessary for MFC (Microsoft Foundation Class) DLLs to - force linking MFC components statically to the DLL. `libcurl.dll` - does not use MFC, so we can delete this define. - Ref: https://docs.microsoft.com/cpp/build/regular-dlls-statically-linked-to-mfc - - Script that can help finding unused settings like above: - ```shell - - autoheader configure.ac # generate lib/curl_config.h.in - - { - grep -o -E 'set\([A-Z][A-Z0-9_]{3,}' CMake/Platforms/WindowsCache.cmake | sed -E 's|set\(||g' - grep -o -E -h '#define +[A-Z][A-Z0-9_]{3,}' lib/config-*.h | sed -E 's|#define +||g' - grep -o -E '#cmakedefine +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.cmake | sed -E 's|#cmakedefine +||g' - grep -o -E '#undef +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.in | sed -E 's|#undef +||g' - } | sort -u | grep -v -F 'HEADER_CURL_' | while read -r def; do - c="$(git grep -w -F "${def}" | grep -v -E -c '(/libcurl\.tmpl|^lib/config-|^lib/curl_config\.h\.cmake|^CMakeLists\.txt|^CMake/Platforms/WindowsCache\.cmake|^packages/vms/config_h\.com|^m4/curl-functions\.m4|^acinclude\.m4|^configure\.ac)')" - if [ "${c}" = '0' ]; then - echo "${def}" - fi - done - ``` - - Reviewed-by: Daniel Stenberg - Closes #9044 - -Daniel Stenberg (19 Jul 2022) -- RELEASE-NOTES: synced - -- cookie: treat a blank domain in Set-Cookie: as non-existing - - This matches what RFC 6265 section 5.2.3 says. - - Extended test 31 to verify. - - Fixes #9164 - Reported-by: Gwen Shapira - Closes #9177 - -- [Patrick Monnerat brought this change] - - base64: base64url encoding has no padding - - See RFC4648 section 5 and RFC7540 section 3.2.1. - - Suppress generation of '=' padding of base64url encoding. This is - accomplished by considering the string beginning at offset 64 in the - character table as the padding: this is "=" for base64, "" for base64url. - - Also use strchr() to replace character search loops where possible. - - Suppress erroneous comments about empty encoding results. - - Adjust unit test 1302 to unpadded base64url encoding and add tests for - empty results. - - Closes #9139 - -- easyoptions: fix icc warning - - easyoptions.c(360): error #188: enumerated type mixed with another type - - Ref: #9156 - Reported-by: Matthew Thompson - Closes #9176 - -- [lwthiker brought this change] - - h2h3: fix overriding the 'TE: Trailers' header - - A 'TE: Trailers' header is explicitly replaced by 'te: trailers' - (lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or - HTTP/3 headers. However, this is then replaced again by the original - value due to a bug, resulting in the uppercased version being sent. Some - HTTP/2 servers reject the whole HTTP/2 stream when this is the case. - - Closes #9170 - -- lib3026: reduce the number of threads to 100 - - Down from 1000, to make it run and work in more systems. - - Fixes #9172 - Reported-by: Érico Nogueira Rolim - Closes #9173 - -- doh: move doh related struct definitions to doh.h - - and make 'dnstype' in 'struct dnsprobe' use the DNStype to fix the icc compiler warning: - - doh.c(924): error #188: enumerated type mixed with another type - - Reported-by: Matthew Thompson - Ref #9156 - Closes #9174 - -Viktor Szakats (17 Jul 2022) -- Makefile.m32: stop trying to build libcares.a [ci skip] - - Before this patch, `lib/Makefile.m32` had a rule to build `libcares.a` in - `-cares`-enabled builds, via c-ares's own `Makefile.m32`. Committed in - 2007 [1]. The commit message doesn't specifically address this particular - change. This logic comes from the times when c-ares was part of the curl - source tree, hence the special treatment. - - This feature creates problems when building c-ares first, using CMake - and pointing `LIBCARES_PATH` to its install prefix, where `Makefile.m32` - is missing in such case. A sub-build for c-ares is undesired also when - c-ares had already been build via its own `Makefile.m32`. - - To avoid the sub-build, this patch deletes its Makefile rule. After this - patch `libcares.a` needs to be manually built before using it in - `Makefile.m32`. Aligning it with the rest of dependencies. - - [1] 46c92c0b806da041d7a5c6fb64dbcdc474d99b31 - - Reviewed-by: Daniel Stenberg - Closes #9169 - -Daniel Stenberg (17 Jul 2022) -- curl: writeout: fix repeated header outputs - - The function stored a terminating zero into the buffer for convenience, - but when on repeated calls that would cause problems. Starting now, the - passed in buffer is not modified. - - Reported-by: highmtworks on github - Fixes #9150 - Closes #9152 - -- curl_multi_timeout.3: clarify usage - - Fixes #9155 - Closes #9157 - Reported-by: jvvprasad78 on github - -- mprintf: make dprintf_formatf never return negative - - This function no longer returns a negative value if the formatting - string is bad since the return value would sometimes be propagated as a - return code from the mprintf* functions and they are documented to - return the length of the output. Which cannot be negative. - - Fixes #9149 - Closes #9151 - Reported-by: yiyuaner on github - -Viktor Szakats (17 Jul 2022) -- trace: 0x7F character is non-printable - - `0x7F` is `DEL`, a non-printable symbol, so print it as - `UNPRINTABLE_CHAR`. - - Reported-by: MasterInQuestion on github - Fixes #9162 - Closes #9166 - -- doh: use https protocol by default - - The only allowed protocol is https, so it makes sense to use that - by default if not passed explicitly by the user. - - Reported-by: MasterInQuestion on github - Reviewed-by: Jay Satiro - Fixes #9163 - Closes #9165 - -- openssl: fix BoringSSL symbol conflicts with LDAP and Schannel - - Same issue as here [1], but this time when building curl with BoringSSL - for Windows with LDAP(S) or Schannel support enabled. - - Apply the same fix [2] for these source files as well. - - This can also be fixed by moving `#include "urldata.h"` _before_ - including `winldap.h` and `schnlsp.h` respectively. This seems like - a cleaner fix, though I'm not sure why it works and if it has any - downside. - - [1] https://github.com/curl/curl/issues/5669 - [2] https://github.com/curl/curl/commit/fbe07c6829ba8c5793c84c2856526e19e9029ab9 - - Co-authored-by: Jay Satiro - Closes #9110 - -Daniel Stenberg (13 Jul 2022) -- asyn-thread: make getaddrinfo_complete return CURLcode - - ... as the only caller that cares about what it returns assumes that - anyway. This caused icc to warn: - - asyn-thread.c(505): error #188: enumerated type mixed with another type - result = getaddrinfo_complete(data); - - Repoorted-by: Matthew Thompson - Bug: https://github.com/curl/curl/issues/9081#issuecomment-1182143076 - Closes #9146 - -- easy_lock: fix build with icc - - The Intel compiler tries to look like GCC *and* clang *and* it lies in - its __has_builtin() function (returns true when it should return false), - so override it. - - Reported-by: Matthew Thompson - Fixes #9081 - Closes #9144 - -- configure: fix --disable-headers-api - - Reported-by: Michał Antoniak - Fixes #9134 - Closes #9143 - -- test3026: require 'threadsafe' - - Reported-by: Sukanya Hanumanthu - Fixes #9141 - Closes #9142 - -- [Even Rouault brought this change] - - CMake: link curl to its dependencies with PRIVATE - - The current PUBLIC visibility causes issues for downstream users. - Cf https://github.com/OSGeo/PROJ/pull/3172#issuecomment-1157942986 - - Reviewed-by: Jakub Zakrzewski - Closes #9125 - -- [Even Rouault brought this change] - - CMake: remove APPEND in export(TARGETS) - - When running cmake several times, new content was appended to already - existing generated files, which is not appropriate - - Reviewed-by: Jakub Zakrzewski - Closes #9124 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks - - Closes #9135 - -- RELEASE-NOTES: synced - -Viktor Szakats (11 Jul 2022) -- build: improve OS string in CMake and `config-win32.h` - - This patch makes CMake fill the "OS string" with the value of - `CMAKE_C_COMPILER_TARGET`, if passed. This typically contains a triplet, - the same we can pass to `./configure` via `--host=`. - - For non-CMake, non-autotools, Windows builds, this patch adds the ability - to override the default `OS` value in `lib/config-win32.h`. - - With these its possible to get the same OS string across the three build - systems. - - This patch supersedes the earlier, partial, CMake-only solution: - 435f395f3f8c11eebfcc243ca55ebcc11a19b8b8, thus retiring the - `CURL_OS_SUFFIX` CMake option. - - Reviewed-by: Jay Satiro - Closes #9117 - -- Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip] - - They allow to override the hardcoded values for the `windres` and `strip` - tools, complementing the existing set of `CURL_{CC,AR,RANLIB}` variables. - - `CURL_RC` comes handy when using LLVM tools with `CROSSPREFIX=llvm-` and - `CURL_CC=clang` set on current latest debian:unstable or earlier, where - `llvm-windres` is missing, and a `CURL_RC=<triplet>-windres` fixes it. - Hopefully this will be fixed in the llvm package. FWIW `llvm-windres` - does exist in Homebrew llvm, MSYS2 llvm and llvm-mingw. - - Reviewed-by: Daniel Stenberg - Closes #9132 - -Daniel Stenberg (10 Jul 2022) -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix stall or busy loop on STOP_SENDING with upload data - - Fixes #9122 - Closes #9123 - -- [Xiaoke Wang brought this change] - - tool_operate: better cleanup of easy handle in exit path - - Closes #9114 - -- [Xiaoke Wang brought this change] - - getinfo: return better error on NULL as first argument - - Closes #9114 - -- tool_getparam: repair cleanarg - - Regression since 9e5669f. - - Make sure the "cleaning" of command line arguments is done on the - original argv[] pointers. As a bonus, it also exits better on out of - memory error. - - Reported-by: Litter White - Fixes #9128 - Closes #9130 - -Jay Satiro (10 Jul 2022) -- docs: explain curl_easy_escape/unescape curl handle is ignored - - 26101421 (precedes 7.82.0) removed character conversion support used by - very old legacy operating systems and since then the curl handle passed - to curl_easy_escape/unescape is always ignored. - - Bug: https://github.com/curl/curl/discussions/9115 - Reported-by: Ted Lyngmo - - Closes https://github.com/curl/curl/pull/9121 - -Viktor Szakats (8 Jul 2022) -- openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL - - BoringSSL doesn't keep a version number, and doesn't self-identify itself - via any other revision number via its own headers. We can identify - BoringSSL revisions by their commit hash. This hash is typically known by - the builder. This patch adds a way to pass this hash to libcurl, so that - it can display in the curl version string: - - For example: - - `CFLAGS=-DCURL_BORINGSSL_VERSION="c239ffd0"` - - ``` - curl 7.84.0 (x86_64-w64-mingw32) libcurl/7.84.0 BoringSSL/c239ffd0 (Schannel) zlib/1.2.12 [...] - Release-Date: 2022-06-27 - Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 [...] - Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos [...] - ``` - - The setting is optional, and if not passed, BoringSSL will appear without - a version number, like before this patch. - - Closes #9113 - -Jay Satiro (8 Jul 2022) -- escape: remove outdated comment - - Bug: https://github.com/curl/curl/discussions/9115 - Reported-by: Ted Lyngmo - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Fix missing initialization of nghttp3_nv.flags - - Closes https://github.com/curl/curl/pull/9118 - -Daniel Stenberg (6 Jul 2022) -- [Brad Forschinger brought this change] - - netrc.d: remove spurious quote - - Closes #9111 - -Viktor Szakats (6 Jul 2022) -- Makefile.m32: add `NGTCP2_LIBS` option [ci skip] - - Makefile.m32's ngtcp2 has its two libs hardwired for OpenSSL. - Add `NGTCP2_LIBS` envvar to override them with a custom list, - making it possible to use BoringSSL, or any other backend. - - Closes #9109 - -Jay Satiro (6 Jul 2022) -- [Evgeny Grin (Karlson2k) brought this change] - - digest: fix missing increment of 'nc' value for auth-int - - - Increment nc regardless of qop type. - - Prior to this change nc was only incremented for qop type auth even - though libcurl sends nc with any qop. - - Closes https://github.com/curl/curl/pull/9090 - -Daniel Stenberg (5 Jul 2022) -- RELEASE-NOTES: synced - - Bumped to 7.85.0 - -- urldata: reduce size of four ftp related members - - ftp_filemethod, ftpsslauth and ftp_ccc are now uchars - - accepttimeout is now unsigned int - almost 50 days ought to be enough - for this value. - - Closes #9106 - -- urldata: reduce three type-members from int to uchar - - - timecondition - - proxytype - - method - - ... previously used their enum type in the struct, which made them - unnecesarily large. - - Closes #9105 - -- CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name - - Starting now, CURLOPT_FTP_RESPONSE_TIMEOUT is the alias instead of the - other way around. - - Since 7.20.0, CURLOPT_SERVER_RESPONSE_TIMEOUT has existed as an alias - but since the option is for more protocols than FTP the more "correct" - version of the option is the "server" one so now we switch. - - Closes #9104 - -- urldata: make 'ftp_create_missing_dirs' a uchar - - It only ever holds the values 0-2. - - Closes #9103 - -- [Don J Olmstead brought this change] - - cmake: support ngtcp2 boringssl backend - - Update the ngtcp2 find module to detect the boringssl backend. Determine - if the underlying OpenSSL implementation is BoringSSL and if so use that - as the ngtcp2 backend. - - Reviewed-by: Jakub Zakrzewski - Closes #9065 - -- urldata: change 4 timeouts to unsigned int from long - - They're not used for that long times anyway, 32 bit milliseconds is long - enough. - - Closes #9101 - -- urldata: make 'use_netrc' a uchar - - Closes #9102 - -- urldata: make 'buffer_size' an unsigned int - - It is already capped at READBUFFER_MAX which fits easily in 32 bits. - - Closes #9098 - -- urldata: remove the unused 'rtspversion' struct member - - Closes #9100 - -- urldata: make 'use_port' an usigned short - - ... instead of a long. It is already enforced to not attempt to set any - value outside of 16 bits unsigned. - - Closes #9099 - -- urldata: store dns cache timeout in an int - - 68 years ought to be enough for most. - - Closes #9097 - -- curl: proto2num: make sure obuf is inited - - Detected by Coverity. CID 1507052. - - Closes #9096 - -- cookie: use %zu to infof() for size_t values - - Detected by Coverity. CID 1507051 - Closes #9095 - -Viktor Szakats (4 Jul 2022) -- makefile.m32: add support for custom ARCH [ci skip] - - When building curl for target platform other than x64 and x86, it is now - possible to pass `ARCH=custom`, that will omit all hardcoded logic for - setting up CFLAGS/LDFLAGS/RCFLAGS for these platforms, and let these be - customized via `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, and a newly - added one for the resource compiler: `CURL_RCFLAG_EXTRAS`. - - This makes it possible to use `makefile.m32` to build for ARM64 for - example. - - Reviewed-by: Daniel Stenberg - Closes #9092 - -- cmake: do not force Windows target versions - - The goal of this patch is to avoid CMake forcing specific Windows - versions and rely on toolchain defaults or manual selection instead. - This gives back control to the user. This also brings CMake closer to - how autotools and `Makefile.m32` behaves in this regard. - - - CMake had a setting `ENABLE_INET_PTON` defaulting to `ON`, which did - nothing else than fixing the Windows build target to Vista. This also - happened when the toolchain did not have Vista support (e.g. original - MinGW), breaking such builds. - - In other environments it did not make a user-facing difference, - because libcurl has its own pton() implementation, so it works well - with or without Vista's inet_pton(). - - This patch drops this setting. inet_pton() is now used whenever - building for Vista or newer, either when requested manually or by - default with modern toolchains (e.g. mingw-w64). Older envs will fall - back to curl's pton(). - - Ref: https://github.com/curl/curl/pull/9027#issuecomment-1164157604 - Ref: https://github.com/curl/curl/pull/8997#issuecomment-1164344155 - - - When the user did no select a Windows target version manually, stop - explicitly targeting Windows XP, and instead use the toolchain default. - - This may pose an issue with old toolchains defaulting to pre-XP - targets. In such case you must manually target Windows XP via: - `-DCURL_TARGET_WINDOWS_VERSION=0x0501` - or - `-DCMAKE_C_FLAGS=-D_WIN32_WINNT=0x0501` - - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad - Closes #9046 - -- windows: improve random source - - - Use the Windows API to seed the fallback random generator. - - This ensures to always have a random seed, even when libcurl is built - with a vtls backend lacking a random generator API, such as rustls - (experimental), GSKit and certain mbedTLS builds, or, when libcurl is - built without a TLS backend. We reuse the Windows-specific random - function from the Schannel backend. - - - Implement support for `BCryptGenRandom()` [1] on Windows, as a - replacement for the deprecated `CryptGenRandom()` [2] function. - - It is used as the secure random generator for Schannel, and also to - provide entropy for libcurl's fallback random generator. The new - function is supported on Vista and newer via its `bcrypt.dll`. It is - used automatically when building for supported versions. It also works - in UWP apps (the old function did not). - - - Clear entropy buffer before calling the Windows random generator. - - This avoids using arbitrary application memory as entropy (with - `CryptGenRandom()`) and makes sure to return in a predictable state - when an API call fails. - - [1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom - [2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom - - Closes #9027 - -Daniel Stenberg (4 Jul 2022) -- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR - - ... as replacements for deprecated CURLOPT_PROTOCOLS and - CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the - 32 bit limit the old ones are facing. - - CURLINFO_PROTCOOL is now deprecated. - - The curl tool is updated to use the new options. - - Added test 1597 to verify the libcurl protocol parser. - - Closes #8992 - -- digest: simplify a switch() to a simple if - -- digest: provide a special bit for "sess" algos - - Also shortened the names and moved them to the .c file since they are - private for this source file only. Also made them #defines instead of - enum. - - Closes #9079 - -Jay Satiro (4 Jul 2022) -- [Thomas Weißschuh brought this change] - - select: do not return fatal error on EINTR from poll() - - The same was done for select() in 5912da25 but poll() was missed. - - Bug: https://bugs.archlinux.org/task/75201 - Reported-by: Alexandre Bury (gyscos at archlinux) - - Ref: https://github.com/curl/curl/issues/8921 - Ref: https://github.com/curl/curl/pull/8961 - Ref: https://github.com/curl/curl/commit/5912da25#r77584294 - - Closes https://github.com/curl/curl/pull/9091 - -- [Kai Pastor brought this change] - - cmake: fix build for mingw cross compile - - - Change normaliz lib name to all lowercase. - - This is from a standing patch in vcpkg: - Mingw has libnormaliz.a. For case-sensitive file systems (e.g. cross - builds from Linux), the spelling must match exactly. - - Closes https://github.com/curl/curl/pull/9084 - -- easy_lock: fix build for mingw - - - Define SRWLOCK symbols missing in some mingw environments. - - Closes https://github.com/curl/curl/pull/8997 - -Daniel Stenberg (2 Jul 2022) -- tool_progress: avoid division by zero in parallel progress meter - - Reported-by: Brian Carpenter - Fixes #9082 - Closes #9083 - -- http_aws_sigv4.c: remove two unusued includes - - Closes #9080 - -- .mailmap: additional edit - - Follow-up to 861e2a8aca6c7 so that Evgeny appears with the same in git - logs even when using old email. - -- RELEASE-NOTES: synced - - bumped to 7.84.1 - -- [Evgeny Grin (Karlson2k) brought this change] - - .mailmap: updated - -- [Evgeny Grin (Karlson2k) brought this change] - - THANKS: merged two entries for Evgeny Grin - - Also updated THANKS-filter file - - Closes #9076 - -- [Jilayne Lovejoy brought this change] - - lib/curl_path.c: add ISC to license expression - - THe text of the ISC license is in this file, so the SPDX license - expression should be updated - - Closes #9073 - -- [Sean McArthur brought this change] - - hyper: use wakers for curl pause/resume - - Closes #9070 - -Viktor Szakats (30 Jun 2022) -- Makefile.m32: do not set the libcurl.rc debug flag [ci skip] - - Delete `-DDEBUGBUILD=0` windres option. This was likely meant to - disable VS_FF_DEBUG in FILEFLAGS, but any assigned value enabled - it instead. Delete this unnecessary option and thus sync up with - how CMake compiles libcurl.rc by default. - - Reviewed-by: Jay Satiro - Closes #9069 - -Daniel Stenberg (29 Jun 2022) -- curl.h: CURLE_CONV_FAILED is obsoleted - - The last use was removed in 7.82.0. Updated some docs too to reflect the - current error code situation. - - Closes #9067 - -- curl: output warning when a cookie is dropped due to size - - Dropped from the request, that is. - - Closes #9064 - -- curl_mime_data.3: polish the wording - - Closes #9063 - -- configure: check for the stdatomic.h header in configure - - ... and only set HAVE_ATOMIC if that header exists since we use - typedefes set in it. - - Reported-by: Ryan Schmidt - Fixes #9059 - Closes #9060 - -- easy_lock: fix the #ifdef conditional for ia32_pause - - To work better with new and old clang compilers. - - Reported-by: Ryan Schmidt - Assisted-by: Joshua Root - - Fixes #9058 - Closes #9062 - -- easy_lock: switch to using atomic_int instead of bool - - To work with more compilers without requiring separate libs to - link. Like with gcc-12 for RISC-V on Linux. - - Reported-by: Adam Sampson - Fixes #9055 - Closes #9061 - -- [vvb2060 brought this change] - - ngtcp2: fix incompatible function pointer types - - Closes #9056 - -- [vvb2060 brought this change] - - easy_lock.h: use __asm__ instead of asm to fix build - - Closes #9056 - -- [Samuel Henrique brought this change] - - libcurl-security.3: fix typo on macro "SH_" - - During the packaging of the latest curl release for Debian, Lintian - warned me about a typo which causes the section name "Secrets in memory" - to not be rendered in the manpage due to "SH_" not being recognized as a - header. - - Closes #9057 - -- easy_lock.h: include sched.h if available to fix build - - Patched-by: Harry Sintonen - - Closes #9054 - -Version 7.84.0 (27 Jun 2022) - -Daniel Stenberg (27 Jun 2022) -- RELEASE-NOTES: synced - - Version 7.84.0 release - -- THANKS: contributors from 7.84.0 release notes - -- hsts: use Curl_fopen() - -- altsvc: use Curl_fopen() - -- fopen: add Curl_fopen() for better overwriting of files - - Bug: https://curl.se/docs/CVE-2022-32207.html - CVE-2022-32207 - Reported-by: Harry Sintonen - Closes #9050 - -- test444: test many received Set-Cookie: - - The amount of sent cookies in the test is limited to 80 because hyper - has its own strict limits in how many headers it allows to be received - which triggers at some point beyond this number. - -- test442/443: test cookie caps - - 442 - verify that only 150 cookies are sent - 443 - verify that the cookie: header remains less than 8K in size - -- cookie: apply limits - - - Send no more than 150 cookies per request - - Cap the max length used for a cookie: header to 8K - - Cap the max number of received Set-Cookie: headers to 50 - - Bug: https://curl.se/docs/CVE-2022-32205.html - CVE-2022-32205 - Reported-by: Harry Sintonen - Closes #9048 - -- test387: verify rejection of compression chain attack - -- content_encoding: return error on too many compression steps - - The max allowed steps is arbitrarily set to 5. - - Bug: https://curl.se/docs/CVE-2022-32206.html - CVE-2022-32206 - Reported-by: Harry Sintonen - Closes #9049 - -- krb5: return error properly on decode errors - - Bug: https://curl.se/docs/CVE-2022-32208.html - CVE-2022-32208 - Reported-by: Harry Sintonen - Closes #9051 - -- easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro - - clang 14 warns about its use. It is being deprecated by the working - group for the programming language C: "The macro ATOMIC_VAR_INIT is - basically useless for the purpose for which it was designed" - - Ref: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2886.htm - - Reported-by: Tatsuhiro Tsujikawa - Fixes #9041 - Closes #9042 - -- [Stefan Eissing brought this change] - - ngtcp2: avoid supplying 0 length `msg_control` to sendmsg() - - Testing on macOS 12.4, sendmsg() fails with EINVAL when a msg_control - buffer is provided in sengmsg(), even though msg_controllen was set to - 0. - - Initialize msg.msg_controllen just as needed and also perform the size - assertion only when needed. - - Closes #9039 - -- [Tom Eccles brought this change] - - ftp: restore protocol state after http proxy CONNECT - - connect_init() (lib/http_proxy.c) swaps out the protocol state while - working on the proxy connection, this is then restored by - Curl_connect_done() after the connection completes. - - ftp_do_more() extracted the protocol state pointer to a local variable - at the start of the function then calls Curl_proxy_connect(). If the proxy - connection completes, Curl_proxy_connect() will call Curl_connect_done() - (via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp - protocol state instead of the http proxy protocol state, but the local - variable in ftp_do_more still pointed to the old value. - - Ultimately this meant that the state worked on by ftp_do_more() was the - http proxy state not the ftp state initialised by ftp_connect(), but - subsequent calls to any ftp_ function would use the original state. - - For my use-case, the visible consequence was that ftp->downloadsize was - never set and so downloaded data was never returned to the application. - - This commit updates the ftp protocol state pointer in ftp_do_more() after - Curl_proxy_connect() returns, ensuring that the correct state pointer is - used. - - Fixes #8737 - Closes #9043 - -Jay Satiro (23 Jun 2022) -- THANKS: add contributor missing from aea8ac1 - - aea8ac1 fixed #8980 which was reported by Sgharat on github, but that - info was not included in the commit message. - -- curl_setup: include _mingw.h - - Prior to this change _mingw.h needed to be included in each unit before - evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It - is included only in some mingw headers (eg stdio.h) and not others - (eg windows.h) so it's better to explicitly include it once. - - Closes https://github.com/curl/curl/pull/9036 - -Viktor Szakats (22 Jun 2022) -- rand: stop detecting /dev/urandom in cross-builds - - - Prevent CMake to auto-detect /dev/urandom when cross-building. - Before this patch, it would detect it in a cross-build scenario on *nix - hosts with this device present. This was a problem for example with - Windows builds, but it could affect any target system with this device - missing. This also syncs detection behaviour with autotools, which also - skips it for cross-builds. - - Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's - fallback random number generator on Windows. Windows does not have the - concept of reading a random stream from a filename, nor any guaranteed - non-world-writable path on disk. With this, a manual misconfiguration or - an overeager auto-detection can no longer result in a user-controllable - seed source. - - Reviewed-by: Daniel Stenberg - Closes #9038 - -Daniel Stenberg (22 Jun 2022) -- [Emanuele Torre brought this change] - - ci: avoid `cmake -Hpath` - - This is an undocumented option similar to the `-Spath' option introduced - in cmake 3.13. - Replace all instances of `-Hpath' with `-Spath' in macos workflow. - Replace `-H. -Bpath' with `mkdir path; cd ./path; cmake ..' in zuul - scripts since it runs an older version of cmake. - - Fixes #9008 - Closes #9014 - -- INTERNALS: bring back the "Library symbols" section - - Most contents was moved, but this text should remain here. - - Follow-up to: d324ac8 - Reported-by: Viktor Szakats - Bug: https://github.com/curl/curl/pull/9027#discussion_r903382326 - Closes #9037 - -Viktor Szakats (22 Jun 2022) -- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip] - - Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows - XP when the `-ipv6` option is selected. Maybe this was added to support - pre-XP Windows versions (?). These days libcurl builds fine for both XP - and post-XP versions with IPv6 support enabled. The relevance of pre-XP - version is also low by now. Other build methods also do not impose such - limitation for a similar configuration. So, drop this hard-wired - `_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default - Windows version set by the compiler. This is Vista for recent MinGW - versions. - - Old behaviour can be restored by setting this envvar: - export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501 - - [1] 98a61d8e2e8982786aaf3916cbbcac96838316e7 - - Closes #9035 - -Daniel Stenberg (21 Jun 2022) -- CONTRIBUTE: mention how we maintain REUSE compliance - - for copyright and license information of all files stored in git - - Closes #9032 - -- CURLOPT_ALTSVC.3: document the file format - - Closes #9033 - -Jay Satiro (21 Jun 2022) -- runtests: add "threadsafe" to detected features - - Follow-up to recent commits which added thread-safety support. - - Bug: https://github.com/curl/curl/pull/9012#discussion_r902018782 - Reported-by: Marc Hörsken - - Closes https://github.com/curl/curl/pull/9030 - -Daniel Stenberg (20 Jun 2022) -- easy: remove dead code - - Follow-up from 5912da253b64d - - Detected by Coverity (CID 1506519) - - Closes #9029 - -- [Glenn Strauss brought this change] - - transfer: upload performance; avoid tiny send - - Append to the upload buffer when only small amount remains in buffer - rather than performing a separate tiny send to empty buffer. - - Avoid degenerative upload behavior which might cause curl to send mostly - 1-byte DATA frames after exhausing the h2 send window size - - Related discussion: https://github.com/nghttp2/nghttp2/issues/1722 - - Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> - Closes #8965 - -- [Steve Holme brought this change] - - projects: fix third-party SSL library build paths for Visual Studio - - The paths used by the build batch files were inconsistent with those in - the Visual Studio project files. - - Closes #8991 - -- [Pierrick Charron brought this change] - - urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts - - As per the documentation : - - > Setting a part to a NULL pointer will effectively remove that - > part's contents from the CURLU handle. - - But currently clearing CURLUPART_URL does nothing and returns - CURLUE_OK. This change will clear all parts of the URL at once. - - Closes #9028 - -- [Philip Heiduck brought this change] - - CI: bump FreeBSD 13.0 to 13.1 - - Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - Closes #8815 - -- RELEASE-NOTES: synced - - and updated release date in RELEASE-PROCEDURE.md - -- [divinity76 brought this change] - - CURLOPT_HTTPHEADER.3: improve comment in example - - Closes #9025 - -Marc Hoersken (16 Jun 2022) -- CI/azure: reduce flakiness by retrying install/prepare steps - - Closes #9010 - -- CI/cirrus: align Windows timeout with Azure CI at 120 minutes - - Closes #9009 - -Jay Satiro (16 Jun 2022) -- vtls: make curl_global_sslset thread-safe - - .. and update some docs to explain curl_global_* is now thread-safe. - - Follow-up to 23af112 which made curl_global_init/cleanup thread-safe. - - Closes https://github.com/curl/curl/pull/9016 - -- curl_easy_pause.3: remove explanation of progress function - - - Remove misleading text that says progress function "gets called at - least once per second, even if the connection is paused." - - The progress function behavior is more nuanced and the user is better - served reading the progress function doc rather than attempt to explain - it in the curl_easy_pause doc. - - The progress function can only be called at least once per second if an - appropriate multi transfer function is called (eg curl_multi_perform) in - that time. For a paused transfer there may not be such a call. Rather - than explain this in detail in the curl_easy_pause doc, rely on the user - reading the CURLOPT_PROGRESSFUNCTION doc. - - Ref: https://github.com/curl/curl/issues/8983 - - Closes https://github.com/curl/curl/pull/9015 - -Daniel Stenberg (15 Jun 2022) -- libssh: skip the fake-close when libssh does the right thing - - Starting in libssh 0.10.0 ssh_disconnect() will no longer close our - socket. Instead it will be kept alive as we want it, and it is our - responsibility to close it later. - - Ref: #8718 - Ref: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/240 - Closes #9021 - -- configure: warn about rustls being experimental - - Right now a dozen test cases are disabled because they don't work with - rustls. - - Closes #9019 - -- runtests: skip starting the ssh server if user name is lacking - - Because the ssh server startup script *requires* a user name there's no - point in invoking it if no name was found. - - Reported-by: Ricardo M. Correia - Ref: #9007 - Closes #9013 - -- copyright.pl: parse and use .reuse/dep5 for skips - - Also scan skipped files to be able to find superfluous ignores, shown with -v. - - Closes #9006 - -- reuse/dep5: adjusted to parse better - - ... adjusted a few files to contain copyright and license info. - - Closes #9006 - -- buildconf.bat: update copyright year range - - Closes #9006 - -- README.md: use the common "Copyright" style formatting - - Closes #9006 - -- reuse: move license info from .mailmap.license to .reuse/dep5 - - Closes #9006 - -- README.md: add a REUSE badge - - Closes #9004 - -- .reuse/dep5: remove recursive docs ignore, only skip markdown files - - ... and some additional non-markdown individual files in docs/ - - Closes #9005 - -- docs/cmdline-opts: add copyright and license identifier to each file - - gen.pl now insists on C: and SPDX-License-Identifier: fields to be - present in all files. - - Closes #9002 - -- copyright: info for/ignore .github/ISSUE_TEMPLATE/bug_report.md - - Follow-up from 448f7ef9ab2afb7. The adding of the copyright text in that - file broke site functionality. - - Closes #9001 - -- bug_report.md: revert the REUSE template to see if it works again - -Viktor Szakats (13 Jun 2022) -- version: rename threadsafe-init to threadsafe - - Referring to Daniel's article [1], making the init function thread-safe - was the last bit to make libcurl thread-safe as a whole. So the name of - the feature may as well be the more concise 'threadsafe', also telling - the story that libcurl is now fully thread-safe, not just its init - function. Chances are high that libcurl wants to remain so in the - future, so there is little likelihood of ever needing any other distinct - `threadsafe-<name>` feature flags. - - For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to - `CURL_VERSION_THREADSAFE`, update its description and reference libcurl's - thread safety documentation. - - [1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-safe/ - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - Closes #8989 - -Daniel Stenberg (13 Jun 2022) -- test3026: disable on win32 - - ... as it's not likely to have working pthreads - - Closes #8996 - -- GHA: shorten the reuse CI job name - - "REUSE compliance / check" should be good enough - - Closes #9000 - -- misc: add missing SPDX-License-Identifier info - - For some reason the REUSE CI job did not find these. - - Closes #8999 - -- copyright: verify SPDX-License-Identifier presence as well - -- easy_lock: add SPDX license identifier - - Closes #8998 - -- mailmap: Max Mehl - -- [Max Mehl brought this change] - - git: ignore large commit making the curl REUSE compliant - -- [Max Mehl brought this change] - - copyright: make repository REUSE compliant - - Add licensing and copyright information for all files in this repository. This - either happens in the file itself as a comment header or in the file - `.reuse/dep5`. - - This commit also adds a Github workflow to check pull requests and adapts - copyright.pl to the changes. - - Closes #8869 - -- curl_url_set.3: clarify by default using known schemes only - - Closes #8994 - -- scripts/copyright.pl: ignore leading spaces - -Viktor Szakats (10 Jun 2022) -- ngtcp2: fix typo in preprocessor condition - - Ref: 927ede7edcb7b05b8e8bbf9ced6aed523ae594a7 - - Bug: https://github.com/curl/curl/pull/8981#discussion_r894312185 - Reported-by: Emil Engler - Closes #8987 - -Daniel Stenberg (10 Jun 2022) -- RELEASE-NOTES: synced - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: build without sendmsg - - Closes #8981 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: use handshake helper funcs to simplify TLS handshake integration - - Closes #8968 - -- test390: verify --parallel - - Closes #8985 - -- test1543: verify CURLINFO_EFFECTIVE_URL with CURLOPT_CURLU set - - Triggered by a bug report from Adam Light: - https://curl.se/mail/lib-2022-06/0013.html - which ended up being mostly - a misunderstanding of how CURLINFO_EFFECTIVE_URL works. - - Closes #8971 - -- url: URL encode the path when extracted, if spaces were set - -- urlapi: support CURLU_URLENCODE for curl_url_get() - -- server/sws: support spaces in the HTTP request path - -- tests/getpart: fix getpartattr to work with "data" and "data2" - -- select: return error from "lethal" poll/select errors - - Adds two new error codes: CURLE_UNRECOVERABLE_POLL and - CURLM_UNRECOVERABLE_POLL one each for the easy and the multi interfaces. - - Reported-by: Harry Sintonen - Fixes #8921 - Closes #8961 - -- test3026: add missing control file - - Follow-up from 2ed101256414ea5 - - Makes the test run, makes 'make dist' work - - This single test takes 24-25 seconds on my machine (with valgrind). For - this reason I tag it with a "slow" keyword. - - Closes #8976 - -- runtests: fix skipping tests not done event-based - - ... and call timestampskippedevents() to avoid the flood of - uninitialized variable warnings. - - Closes #8977 - -- transfer: maintain --path-as-is after redirects - - Reported-by: Marcus T - Fixes #8974 - Closes #8975 - -- test391: verify --path-as-is with redirect - -Jay Satiro (8 Jun 2022) -- curl_global_init.3: Separate the Windows loader lock warning - - This is a slight correction of the parent commit which implied the - loader lock warning only applied if not thread-safe. In fact the loader - lock warning applies either way. - - Ref: https://github.com/curl/curl/pull/8972#discussion_r891987030 - -Daniel Stenberg (8 Jun 2022) -- curl_global_init.3: this is now (usually) thread-safe - - Follow-up to 23af112f5556 - - Closes #8972 - -Jay Satiro (8 Jun 2022) -- [Haxatron brought this change] - - libcurl-security.3: Document CRLF header injection - - - Document that user input to header options is not sanitized, which - could result in CRLF used to modify the request in a way other than - what was intended. - - Ref: https://hackerone.com/reports/1589877 - Ref: https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0d7cfe545 - - Closes https://github.com/curl/curl/pull/8964 - -- CURLOPT_RANGE.3: remove ranged upload advice - - The e-mail link in the advice contains instructions that are prone to - error. We need an example that works and can demonstrate how to properly - perform a ranged upload, and then we can refer to that example instead. - - Bug: https://github.com/curl/curl/issues/8969 - Reported-by: Simon Berger - - Closes https://github.com/curl/curl/pull/8970 - -Daniel Stenberg (7 Jun 2022) -- [Thomas Guillem brought this change] - - curl_version_info: add CURL_VERSION_THREADSAFE_INIT - - This flag can be used to make sure that curl_global_init() is - thread-safe. - - This can be useful for libraries that can't control what other - dependencies are doing with Curl. - - Closes #8680 - -- [Thomas Guillem brought this change] - - lib: make curl_global_init() threadsafe when possible - - Use a posix pthread or a Windows SRWLOCK to lock curl_global_init*() and - curl_global_cleanup(). - - Closes #8680 - -- RELEASE-NOTES: synced - -- [Fabian Keil brought this change] - - test414: add the '--resolve' keyword - - ... so the test can be automatically skipped when - using an external proxy like Privoxy. - - Closes #8959 - -- [Fabian Keil brought this change] - - test{440,441,493,977}: add "HTTP proxy" keywords - - ... so the tests can be automatically skipped when - using an external proxy like Privoxy. - - Closes #8959 - -- [Fabian Keil brought this change] - - runtests.pl: add the --repeat parameter to the --help output - - Closes #8959 - -- [Fabian Keil brought this change] - - test 2081: add a valid reply for the second request - - ... so the test works when using a HTTP proxy like - Privoxy that sends an error message if the server - doesn't send data. - - Closes #8959 - -- [Fabian Keil brought this change] - - test 675: add missing CR so the test passes when run through Privoxy - - Closes #8959 - -- ftp: when failing to do a secure GSSAPI login, fail hard - - ... instead of switching to cleartext. For the sake of security. - - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1590102 - Closes #8963 - -- http2: reject overly many push-promise headers - - Getting more than a thousand of them is rather a sign of some kind of - attack. - - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1589847 - Closes #8962 - -- [Fabian Keil brought this change] - - misc: spelling improvements - - Closes #8956 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix assertion failure on EMSGSIZE - - Closes #8958 - -- easy/transfer: fix cookie-disabled build - - Follow-up from 45de940cebf6a - Reported-by: Marcel Raad - Fixes #8953 - Closes #8954 - -- examples/crawler.c: use the curl license - - With permission from Jeroen Ooms - - URL: https://github.com/curl/curl/pull/8869#issuecomment-1144742731 - Closes #8950 - -- speed-limit/time.d: mention these affect transfers in either direction - - Reported-by: Ladar Levison - Fixes #8948 - Closes #8951 - -- scripts/copyright.pl: fix the exclusion to not ignore man pages - - Ref: #8869 - Closes #8952 - -- examples: remove fopen.c and rtsp.c - - To simplify the license situation, as they were the only files in the - source tree using these specific BSD-3 clause licenses. - - For an fopen style API, we recommend instead going - https://github.com/curl/fcurl - - Ref: #8869 - Closes #8949 - -- [Wolf Vollprecht brought this change] - - netrc: check %USERPROFILE% as well on Windows - - Closes #8855 - -- CURLOPT_SSH_HOSTKEYDATA/FUNCTION.3: minor polish - -- [michael musset brought this change] - - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION - - The callback set by CURLOPT_SSH_HOSTKEYFUNCTION is called to check - wether or not the connection should continue. - - The host key is passed in argument with a custom handle for the - application. - - It overrides CURLOPT_SSH_KNOWNHOSTS - - Closes #7959 - -- docs/CONTRIBUTE.md: document the 'needs-votes' concept - - A pull request sent to the project might get labeled `needs-votes` by a - project maintainer. This label means that in addition to meeting all - other checks and qualifications this pull request must also receive - proven support/thumbs-ups from more community members to be considered - for merging. - - Closes #8910 - -- [Evgeny Grin (Karlson2k) brought this change] - - digest: tolerate missing "realm" - - Server headers may not define "realm", avoid NULL pointer dereference - in such cases. - - Closes #8912 - -- [Evgeny Grin (Karlson2k) brought this change] - - digest: added detection of more syntax error in server headers - - Invalid headers should not be processed otherwise they may create - a security risk. - - Closes #8912 - -- [Evgeny Grin (Karlson2k) brought this change] - - digest: unquote realm and nonce before processing - - RFC 7616 (and 2617) requires values to be "unquoted" before used for - digest calculations. The only place where unquoting can be done - correctly is header parsing function (realm="DOMAIN\\host" and - realm=DOMAN\\host are different realms). - - This commit adds unquoting (de-escaping) of all values during header - parsing and quoting of the values during header forming. This approach - should be most straightforward and easy to read/maintain as all values - are processed in the same way as required by RFC. - - Closes #8912 - -- headers: handle unfold of space-cleansed headers - - Detected by OSS-fuzz - - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47767 - - Updated test 1274 - - Closes #8947 - -- lib: make more protocol specific struct fields #ifdefed - - ... so that they don't take up space if the protocols are disabled in - the build. - - Closes #8944 - -- DISABLED: disable 1021 for hyper again - - due to flakiness in the CI builds - -- urldata: store tcp_keepidle and tcp_keepintvl as ints - - They can't be set larger than INT_MAX in the setsocket API calls. - - Also document the max values in their respective man pages. - - Closes #8940 - -- urldata: reduce size of a few struct fields - - When the values are never larger than 32 bit, ints are better than longs. - - Closes #8940 - -- urldata: remove three unused booleans from struct UserDefined - - - is_fwrite_set - - free_referer - - strip_path_slash - - Closes #8940 - -- remote-name.d: mention --output-dir - - plus add two see-alsos - - Closes #8945 - -Jay Satiro (1 Jun 2022) -- configure: skip libidn2 detection when winidn is used - - Prior to this change --with-winidn could be overridden by libidn2 - detection. - - Closes https://github.com/curl/curl/pull/8934 - -Daniel Stenberg (31 May 2022) -- CURLOPT_FILETIME.3: fix the protocols this works with - -- test681: verify --no-remote-name - - Follow-up to 83ee5c428d960 (from #8931) - - Closes #8942 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: enable Linux GSO - - Enable Linux GSO in ngtcp2 QUIC. In order to recover from the - EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write, - packet buffer is now held by struct quicsocket. GSO write might fail in - runtime depending on NIC. Disable GSO if sendmsg returns EIO. - - Closes #8909 - -- CURLOPT_PORT.3: We discourage using this option - - Closes #8941 - -- RELEASE-NOTES: synced - -- headers_push: error out if a folded header has no previous header - - As that would indicate an illegal header. The fuzzer reached the assert - in unfold_value() proving that this case can happen. - - Follow-up to c9b60f005358a364 - - Closes #8939 - -- [Boris Verkhovskiy brought this change] - - curl: re-enable --no-remote-name - - Closes #8931 - -- test680: require 'http' since it uses such a URL - - Follow-up to d1b376c03524 - -- CURLOPT_NETRC.3: document the .netrc file format - -- test680: verify rejection of malformatted .netrc quoted password - -- test679: verify netrc quoted string - -- netrc: support quoted strings - - The .netrc parser now accepts strings within double-quotes in order to - deal with for example passwords containing white space - which - previously was not possible. - - A password that starts with a double-quote also ends with one, and - double-quotes themselves are escaped with backslashes, like \". It also - supports \n, \r and \t for newline, carriage return and tabs - respectively. - - If the password does not start with a double quote, it will end at first - white space and no escaping is performed. - - WARNING: this change is not entirely backwards compatible. If anyone - previously used a double-quote as the first letter of their password, - the parser will now get it differently compared to before. This is - highly unfortunate but hard to avoid. - - Reported-by: ImpatientHippo on GitHub - Fixes #8908 - Closes #8937 - -- curl_getdate.3: document that some illegal dates pass through - - Closes #8938 - -- CI: remove configure --enable-headers-api flags - -- headers api: remove EXPERIMENTAL tag - - Closes #8900 - -Daniel Gustafsson (30 May 2022) -- cookies: fix documentation comment - - Commit 4073cd83b2 added the noexpire parameter to Curl_cookie_add but - missed updating the documentation comment at the head of the file. - -Daniel Stenberg (30 May 2022) -- [Marc Hoersken brought this change] - - tests/data/test1940: use binary mode for expected stdout - - The generated stdout data is written in binary mode with [LF] - line endings, therefore we also need to do a binary comparison. - - Assisted-by: Jay Satiro - Assisted-by: Daniel Stenberg - - Follow up to c9b60f005358a364cbcddbebd8d12593acffdd84 - Fixes #8920 - Closes #8936 - -- CURLINFO_CAINFO/PATH.3: clarify the multiple TLS situation - - Spell out the multi-TLS situation. - - Reported-by: Dan Fandrich - Fixes #8926 - Closes #8932 - -Jay Satiro (28 May 2022) -- [JustAnotherArchivist brought this change] - - tool_getparam: fix --parallel-max maximum value constraint - - - Clamp --parallel-max to MAX_PARALLEL (300) instead of resetting to - default value. - - Previously, --parallel-max 300 would use 300 concurrent transfers, but - --parallel-max 301 would unexpectedly use only 50. This change clamps - higher values to the maximum (ie --parallel-max 301 would use 300). - - Closes https://github.com/curl/curl/pull/8930 - -Daniel Stenberg (27 May 2022) -- curl.1: add a few see also --tls-max - - Closes #8929 - -Viktor Szakats (26 May 2022) -- cmake: do not add libcurl.rc to the static libcurl library - - Fixes: https://github.com/curl/curl/pull/8918#issuecomment-1138263855 - - Reviewed-By: Karlson2k@users.noreply.github.com - Closes #8923 - -- cmake: support adding a suffix to the OS value - - CMake automatically uses the `CMAKE_SYSTEM_NAME` value to fill the OS - string appearing in the --version output after the curl version number, - for example: - - 'curl 7.83.1 (Windows)' - - This patchs adds the ability to pass a suffix that is appended to this - value. It's useful to add CPU info or other platform details, - for example: - - 'curl 7.83.1 (Windows-x64)' - - Closes #8919 - -- cmake: enable curl.rc for all Windows targets - - Before this patch, it was only enabled for MSVC. This syncs this - configuration with libcurl.rc, which was already included with - every Windows compiler. - - Closes #8918 - -- cmake: fix detecting libidn2 - - Without this patch, libidn2 detection doesn't even seem to be - attempted. With this patch, cmake can be configured to pick it - up and enable it. Necessary configuration remains manual and - differs from most other dependencies. - - If you are aware of a better fix, we're glad hearing about it - in a new Issue. - - Closes #8917 - -- version: allow stricmp() for sorting the feature list - - In CMakeLists.txt there is an attempt to detect `stricmp()`, and in - certain cases, this attempt is the only successful one to detect a - case-insensitive comparison function. `HAVE_STRICMP` is defined as - a result, but this macro wasn't used anywhere in the source. This - patch makes use of it as an alternative when alpha-sorting the - `--version` feature list. - - Reviewed-by: Daniel Stenberg - Closes #8916 - -Daniel Stenberg (25 May 2022) -- DISABLED: add six tests that fail with hyper - - 1117 1274 1940 1941 1942 1943 - -- c-hyper: mark status line as status for Curl_client_write() - - To make sure the headers API can filter it out as not a regular header. - - Reported-by: Gisle Vanem - Fixes #8894 - Closes #8914 - -Marc Hoersken (25 May 2022) -- tests/data/test1501: kill ftp server after slow LIST response - - This test is contributing to flakiness on the Windows CI runs. - Killing the ftp server after the test run like other slowness - tests already do may help resolve or reduce the flakiness. - - Closes #8907 - -Daniel Stenberg (25 May 2022) -- headers: fix the unfold realloc to use proper new size - - Previously it didn't take the old name length into acount - - Follow-up to: c9b60f005358a364 - Closes #8913 - -Marc Hoersken (25 May 2022) -- GHA: align all install, configure and build steps again - - First step towards more unified build steps on GitHub Actions. - - Closes #8873 - -- CI/azure: remove obsolete strategy for single builds - - This shortens these CI job names on GitHub even more. - Follow up to #8906 which also increased their timeout. - - Closes #8911 - -- CI/azure: shorten names of Windows CI jobs - - Suggested-by: Daniel Stenberg - Closes #8906 - -Daniel Stenberg (24 May 2022) -- http: restore header folding behavior - - Folded header lines will now get passed through like before. The headers - API is adapted and will provide the content unfolded. - - Added test 1274 and extended test 1940 to verify. - - Reported-by: Petr Pisar - Fixes #8844 - Closes #8899 - -Viktor Szakats (24 May 2022) -- Makefile.m32: delete obsolete options, improve -On [ci skip] - - - `-D_AMD64_` has not been necessary for mingw-w64 builds for a long time now. - - `-fno-strict-aliasing` is mentioned for Intel C compiler in autotools, and - I used this with VxWorks in another project, but otherwise this isn't - necessary anymore as a default. If a target still needs it, it can be - added with `CURL_CFLAG_EXTRAS=-fno-strict-aliasing` - - bump up default optimization level to `-O3` (from `-O2`), and also rearrange - option order so the default can now be overridden via - `CURL_CFLAG_EXTRAS`. - - delete `-g` (generate debug info) from `CFLAGS` and `-s` from `LDFLAGS` - (strip debug info). They were working against each other. Now, if someone - needs debug info, it can be enabled via `CURL_CFLAG_EXTRAS=-g` - - Closes #8904 - -Daniel Gustafsson (24 May 2022) -- ntlm: fix one more hostname test fallout - - This fixup was missed in commit 5a41abef6dca19. - - Closes: #8901 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- doh: remove UNITTEST macro definition - - The UNITTEST macro is defined by curl_setup.h so there is no use in - carry a local copy of the logic. - - Closes: #8902 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (24 May 2022) -- cookie: fix false positive "potentially uninitialized local variable" - - Reviewed-by: Daniel Gustafsson - Closes #8903 - -- curl: add --rate to set max request rate per time unit - - --rate "12/m" - for 12 per minute or - --rate "5/h" - for 5 per hour - - Removed from TODO - - Closes #8671 - -- [Jay Satiro brought this change] - - max-time.d: clarify max-time sets max transfer time - - Prior to this change the doc said --max-time set the maximum time of the - 'whole operation' which is not accurate. The option maps to - CURLOPT_TIMEOUT_MS which sets maximum transfer time. - - For example, the maximum time on a transfer is reset if the transfer is - retried (--retry). - - Reported-by: Nuru@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/8877 - Closes #8879 - -- GHA/hyper: enable debug in the build - -- hyper: use 'alt-used' - - Makes test 412+413 work - - Closes #8898 - -- RELEASE-NOTES: synced - -- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl - - Closes #8888 - -- links: update dead links - - The wiki pages are gone, remove and link to more long-living docs. - - Closes #8897 - -- ntlm: (void) typecast msnprintf() where we ignore return code - - Follow-up to 5a41abef6, to please Coverity - -Daniel Gustafsson (22 May 2022) -- ntlm: copy NTLM_HOSTNAME to host buffer - - Commit 709ae2454f43 added a fake hostname to avoid leaking the local - hostname, but omitted copying it to the host buffer. Fix by copying - and adjust the test fallout. - - Closes: #8895 - Fixes: #8893 - Reported-by: Patrick Monnerat <patrick@monnerat.net> - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- configure: use the SED value to invoke sed - - Rather than assuming sed in PATH, use the resolved $SED variable - like in all other invocations of sed in configure. - - Closes: #8891 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> - -Daniel Stenberg (20 May 2022) -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Allow curl to send larger UDP datagrams - - Allow curl to send larger UDP datagram if Path MTU Discovery finds the - availability of larger path MTU. To make it work and not to send - fragmented packet, we need to set DF bit. That makes send(2) fail with - EMSGSIZE if UDP datagram is too large. In that case, just let it be - lost. This patch enables DF bit for Linux only. - - Closes #8883 - -- libcurl-security.3: add "Secrets in memory" - - Closes #8881 - -- tests: update NTLM tests to use new host name - - Also drop the debug requirement, remove the setenv sections, remove - prechecks and add NTLM to the top keywords. - - Closes #8889 - -- ntlm: provide a fixed fake host name - - The NTLM protocol includes providing the local host name, but apparently - other implementations already provide a fixed fake name instead to avoid - leaking the real local name. - - The exact name used is 'WORKSTATION', because Firefox uses that. - - The change is written to allow someone to "back-pedal" fairly easy in - case of need. - - Reported-by: Carlo Alberto - Fixes #8859 - Closes #8889 - -Daniel Gustafsson (20 May 2022) -- KNOWN_BUGS: fix typo in problem description - - s/TSL/TLS/ - -- FEATURES: remove yassl as TLS library for NTLM - - yassl was added in commit 9d904ee41b880b but is no longer available - and is thus not a library to use for NTLM. This aligns the FEATURES - doc with the FAQ. - - Closes: #8886 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- FEATURES: reorder footnotes - - The empty left-behind footnote confused the website rendering into - creating a nested emoty list, making the resulting page look quite - odd. Remove and re-order the remaining ones to avoid a gap in the - sequence. - - Closes: #8886 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- FAQ: remove opinionated sentence on NTLM - - curl is a tool that support many different things, and it doesn't - really seem like our job to tell other what to use (as they might - not have much say in the matter even). Also tidy up wording. - - Closes: #8886 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Viktor Szakats (20 May 2022) -- log2changes: do not indent empty lines [ci skip] - - This will omit two spaces of indentation from lines with no content, - thus avoiding 'spaces @ EOL'. - - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - Closes #8887 - -Daniel Stenberg (19 May 2022) -- wolfssl: correct the failf() message when a handle can't be made - - Closes #8885 - -Viktor Szakats (19 May 2022) -- Makefile.m32: delete two obsolete OpenSSL options [ci skip] - - - -DOPENSSL_NO_KRB5: No longer used by OpenSSL 1.1.x, 3.x, or - LibreSSL 3.5.x, yet it collides with the latter, which defines - it unconditionally, resulting in this warning: - ../../libressl/include/openssl/opensslfeatures.h:14:9: warning: 'OPENSSL_NO_KRB5' macro redefined [-Wmacro-redefined] - It was originally added to curl in 2004. - - - -DHAVE_OPENSSL_PKCS12_H: No longer used by OpenSSL 1.1.x, 3.x, or - LibreSSL back to at least 2.5.5. Originally added in the same - commit as the above, in 2004. - - Closes #8884 - -Daniel Stenberg (19 May 2022) -- RELEASE-NOTES: synced - - bump to 7.84.0 - -- [Christian Weisgerber via curl-library brought this change] - - Makefile.am: fix portability issues - - Commit a04f0b961333e1a19848d073d8c7db9c20b2a371 made me notice that - there is a portability issue in curl's top-level Makefile.am. - - $< can only be used in rules that deal with .SUFFIXES. Its use - for general prerequisites is a GNU make extension. - - $< could be replaced by $?, but I think in an autotools context, - something like this is better: - - Bug: https://curl.se/mail/lib-2022-05/0024.html - Closes #8861 - -- [Balakrishnan Balasubramanian brought this change] - - socks: support unix sockets for socks proxy - - Usage: - curl -x "socks5h://localhost/run/tor/socks" "https://example.com" - - Updated runtests.pl to run a socksd server listening on unix socket - - Added tests test1467 test1468 - - Added documentation for proxy command line option and socks proxy - options - - Closes #8668 - -- [Vincent Torri brought this change] - - cmake: add libpsl support - - Fixes #8865 - Closes #8867 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: extend QUIC transport parameters buffer - - Extend QUIC transport parameters buffer because 64 bytes are too - short for the ever increasing parameters. - - Closes #8872 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: handle error from ngtcp2_conn_submit_crypto_data - - Closes #8871 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: send appropriate connection close error code - - Closes #8870 - -- test1561: adjusted for the cookie fix - -- test414: verify secure cookie domain overlay - -- [Harry Sintonen brought this change] - - cookie: address secure domain overlay - - Bug: https://hackerone.com/reports/1560324 - Co-authored-by: Daniel Stenberg - Closes #8840 - -- [Frank Gevaerts brought this change] - - strcase: some optimisations - - Lookup tables for toupper() and tolower() make Curl_strcasecompare() - about 1.5 times faster. Reorganising Curl_strcasecompare() to fully exit - early then also allows simplifying the check at the end, for another - 15%. In total, the changes make Curl_strcasecompare() around 1.6 to 1.7 - times faster. - - Note that these optimisation assume ASCII. The original - Curl_raw_toupper() and raw_tolower() look like they already made that - assumption. - - Closes #8875 - -- BUG-BOUNTY.md: mention the audit exception - - Dedicated - paid for - security audits that are performed in - collaboration with curl developers are not eligible for bounties. - - (plus I changed the sub-titles to use ## instead of # in the markdown) - - Closes #8880 - -- lib/vssh/wolfssh.h: removed - - Unused header file - - Reported-by: Illarion Taev - Fixes #8863 - Closes #8866 - -- [Elms brought this change] - - wolfSSL: explicitly use compatibility layer - - This change removes adding an include `$prefix/wolfssl` or similar to - allow for openssl include aliasing. Include paths of `wolfssl/openssl/` - are used to explicitly use wolfSSL includes. This fixes cmake builds as - well as avoiding potentially using openSSL headers since include path - order is not guaranteed. - - Closes #8864 - -- curl: deprecate --random-file and --egd-file - - As libcurl no longer has any functionality for them, the tool now does - nothing with them. - - Closes #8670 - -- opts: deprecate RANDOM_FILE and EGDSOCKET - - These two options were only ever used for the OpenSSL backend for - versions before 1.1.0. They were never used for other backends and they - are not used with recent OpenSSL versions. They were never used much by - applications. - - The defines RANDOM_FILE and EGD_SOCKET can still be set at build-time - for ancient EOL OpenSSL versions. - - Closes #8670 - -- [Harry Sintonen brought this change] - - bindlocal: don't use a random port if port number would wrap - - Earlier if CURLOPT_LOCALPORT + CURLOPT_LOCALPORTRANGE would go past port - 65535 the code would fall back to random port rather than giving up. - - Closes #8862 - -Daniel Gustafsson (16 May 2022) -- transfer: Fix potential NULL pointer dereference - - Commit 0ef54abf5208 accidentally used the conn variable before the - assertion for it being NULL. Fix by moving the assignment which use - conn to after the assertion. - - Closes: #8857 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- docs: clarify data replacement policy for MIME API - - The API documentation for the MIME functions specify that the parts - can be set twice, with the last call winning. While true, the user - can set the parts n times for n > 2, reword to specify multiple API - calls instead. - - Closes: #8860 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (16 May 2022) -- [vvb2060 on github brought this change] - - ngtcp2: support boringssl crypto backend - - Closes #8789 - -- [Tatsuhiro Tsujikawa brought this change] - - quic: add Curl_quic_idle - - Add Curl_quic_idle which is called when no HTTP level read or write is - performed. It is a good place to handle timer expiry for QUIC transport - (.e.g, retransmission). - - Closes #8698 - -- [Gregor Jasny brought this change] - - mprintf: ignore clang non-literal format string - - Closes #8740 - -- [Nick Zitzmann brought this change] - - sectransp: check for a function defined when __BLOCKS__ is undefined - - SecTrustEvaluateAsync() is defined in the macOS 10.7 SDK, but it - requires Grand Central Dispatch to be supported by the compiler, and - some third-party macOS compilers do not support Grand Central Dispatch. - SecTrustCopyPublicKey() is not present in macOS 10.6, so this shouldn't - adversely affect anything. - - Fixes #8846 - Reported-by: Egor Pugin - Closes #8854 - -Daniel Gustafsson (16 May 2022) -- test412/413: Use version macro for User-Agent - - Commit 46d45ea3a incorrectly hardcoded the User-Agent in the test - output file which breaks when curlver is updated. Shift to using - the %VERSION macro instead. - - Closes: #8856 - -- macos9: remove partial support - - The support for compiling on Mac OS 9 hasn't been modified since 2001 - and has no active maintainer or packager, so it's time to remove it as - it's incredibly unlikely to work. If a maintainer re-emerges it can be - resurrected from Git history. - - Closes: #8836 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (16 May 2022) -- test1635: verify --fail-with-body with --retry - - Almost a dupe of 1634 - - Closes #8847 - -- tool_operate: make sure --fail-with-body works with --retry - - ... in the same way --fail already does. - - Reported-by: Jakub Bochenski - Fixes #8845 - Closes #8847 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Correct use of ngtcp2 and nghttp3 signed integer types - - Closes #8851 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Fix alert_read_func return value - - Closes #8852 - -- [Harry Sintonen brought this change] - - Curl_parsenetrc: don't access local pwbuf outside of scope - - Accessing local variables outside of the scope is forbidden and - depending on the compiler can result in the value being - overwritten. Fixed by moving the pwbuf to be in scope. - - Closes #8850 - -- RELEASE-NOTES: synced - - and bump curlver to 7.83.2 for now (but likely to become 7.84.0 soon) - -- [Frazer Smith brought this change] - - ci: update github actions - - - bump actions/checkout from 2 to 3 - - bump actions/upload-artifact from 1 to 3 - - bump github/codeql-actions from 1 to 2 - - use version tag for actions/checkout - - Closes #8843 - -- test1919: verify CURLOPT_XOAUTH2_BEARER leak fix - -- url: free old conn better on reuse - - Make use of conn_free() better and avoid duplicate code. - - Reported-by: Andrea Pappacoda - Fixes #8841 - Closes #8842 - -Jay Satiro (14 May 2022) -- FAQ: Clarify Windows double quote usage - - - Windows command prompt doesn't use literal quoting via single quotes. - - - Windows command prompt inner double quotes are escaped with a - backslash. - - - Windows powershell does use single quotes but curl is not a powershell - script so the arguments may not be passed on correctly. - - - Windows powershell inner double quotes seems can be passed to curl if - the outer quotes are double quotes and an escape of backslash-backtick - is used. - - Command prompt example: - - ~~~ - getargs -v -d "\"a\"" - - argv[0]: getargs - argv[1]: -v - argv[2]: -d - argv[3]: "a" - ~~~ - - Ref: https://github.com/curl/curl/issues/8818 - Ref: https://gist.github.com/jay/19aba48653bd591cf4b90eb9249a302c - - Reported-by: KotlinIsland@users.noreply.github.com - - Closes https://github.com/curl/curl/pull/8823 - -Daniel Stenberg (12 May 2022) -- github/workflows/nss: apt update first - - Fix "libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb 404 Not Found" - - Closes #8837 - -- page-footer: mention exit code zero too - - Success (zero) is also an "exit code" worth mentioning. - - Closes #8833 - -Daniel Gustafsson (12 May 2022) -- gssapi: initialize gss_buffer_desc strings - - Explicitly initialize gss_buffer_desc strings such that a call to - freeing resources will succeed even if no data has been allocated - to it. - - Reported-by: Jay Satiro <raysatiro@yahoo.com> - -- gssapi: improve handling of errors from gss_display_status - - In case gss_display_status() returns an error, avoid trying to add - it to the buffer as the message may well be a NULL pointer. - - Originally this fix comes from a discussion in issue #8816. - - Closes: #8832 - Reviewed-by: Jay Satiro <raysatiro@yahoo.com> - -Jay Satiro (12 May 2022) -- [steini2000 brought this change] - - http2: always debug print stream id in decimal with %u - - Prior to this change the stream id shown could be hex or decimal which - was inconsistent and confusing. - - Closes https://github.com/curl/curl/pull/8808 - -Kamil Dudka (11 May 2022) -- url: remove redundant #ifdefs in allocate_conn() - - No change in behavior intended by this commit. - -Daniel Stenberg (11 May 2022) -- [Fabian Keil brought this change] - - tests 266, 116 and 1540: add a small write delay - - This makes it more likely that the trailer is received - seperately from the last-chunk. - - curl doesn't seem to care about this but it makes the tests - more useful when testing external proxies like Privoxy. - -- [Fabian Keil brought this change] - - tests 1117,1238,1523: adjust writedelay servercmds - - ... so the delays are the same now that the unit - is in milliseconds. - -- [Fabian Keil brought this change] - - tests/server/sws.c: change the HTTP writedelay unit to milliseconds - - This allows to use write delays for large responses without - resulting in the test taking an unreasonable amount of time. - - In many cases delaying writes by a whole second or more isn't - necessary for the desired effect. - - Closes #8827 - -Daniel Gustafsson (11 May 2022) -- aws-sigv4: fix potentional NULL pointer arithmetic - - We need to check if the strchr() call returns NULL (due to missing - char) before we use the returned value in arithmetic. There is no - live bug here, but fixing it before it can become for hygiene. - - Closes: #8814 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (11 May 2022) -- quiche: support ca-fallback - - Follow-up to b01f3e679f4c1ea3 which added this for ngtcp2/openssl - - Removed from KNOWN_BUGS - - Fixes #8696 - Closes #8830 - -Daniel Gustafsson (11 May 2022) -- x509asn1: mark msnprintf return as unchecked - - We have lots of unchecked msnprintf calls, and this particular msnprintf - call isn't more interesting than the others, but this one yields a Coverity - warning so let's implicitly silence it. Going over the other invocations - is probably a worthwhile project, but for now let's keep the static - analyzers happy. - - Closes: #8831 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Version 7.83.1 (11 May 2022) - -Daniel Stenberg (11 May 2022) -- RELEASE-NOTES: synced - - curl 7.83.1 release - -- THANKS: added contributors from 7.83.1 - -- zuul: fix the ngtcp2-gnutls build - - Add packages and tweak the configure options. - - Use the GnuTLS 3.7.4 branch (not main). - - Closes #8829 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: add ca-fallback support for OpenSSL backend - - Closes #8828 - -- url: check SSH config match on connection reuse - - CVE-2022-27782 - - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27782.html - Closes #8825 - -- tls: check more TLS details for connection reuse - - CVE-2022-27782 - - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27782.html - Closes #8825 - -- cookies: make bad_domain() not consider a trailing dot fine - - The check for a dot in the domain must not consider a single trailing - dot to be fine, as then TLD + trailing dot is fine and curl will accept - setting cookies for it. - - CVE-2022-27779 - - Reported-by: Axel Chong - Bug: https://curl.se/docs/CVE-2022-27779.html - Closes #8820 - -- test977: reproduce ability to set cookie on TLD - - When PSL is not enabled - -- scripts/contributors.sh: correct the copyright range - -- docs/RELEASE-PROCEDURE.md: refreshed and adjsuted the release dates - -- test379: verify --remove-on-error with --no-clobber - -- post_per_transfer: remove the updated file name - - When --remove-on-error is used with --no-clobber, it might have an - updated file name to remove. - - Bug: https://curl.se/docs/CVE-2022-27778.html - - CVE-2022-27778 - - Reported-by: Harry Sintonen - - Closes #8824 - -- hsts: ignore trailing dots when comparing hosts names - - CVE-2022-30115 - - Reported-by: Axel Chong - Bug: https://curl.se/docs/CVE-2022-30115.html - Closes #8821 - -- test440/441: verify HSTS with trailing dots - -- libtest/lib1560: verify the host name percent decode fix - -- urlapi: reject percent-decoding host name into separator bytes - - CVE-2022-27780 - - Reported-by: Axel Chong - Bug: https://curl.se/docs/CVE-2022-27780.html - Closes #8826 - -- nss: return error if seemingly stuck in a cert loop - - CVE-2022-27781 - - Reported-by: Florian Kohnhäuser - Bug: https://curl.se/docs/CVE-2022-27781.html - Closes #8822 - -- test412/413: verify alt-svc with trailing dots - -- altsvc: fix host name matching for trailing dots - - Closes #8819 - -- [Garrett Squire brought this change] - - hyper: fix test 357 - - This change fixes the hyper API such that PUT requests that receive a - 417 response can retry without the Expect header. - - Closes #8811 - -- [Harry Sintonen brought this change] - - sectransp: bail out if SSLSetPeerDomainName fails - - Before the code would just warn about SSLSetPeerDomainName() errors. - - Closes #8798 - -- http_proxy/hyper: handle closed connections - - Enable test 1021 for hyper builds. - - Patched-by: Prithvi MK - Fixes #8700 - Closes #8806 - -- KNOWN_BUGS: timeout when reusing a http3 connection - - Closes #8764 - -- KNOWN_BUGS: configure --with-ca-fallback is not supported by h3 - - Closes #8696 - -- [Ryan Schmidt brought this change] - - Makefile: fix "make ca-firefox" - - Closes #8804 - -Daniel Gustafsson (5 May 2022) -- tests: fix markdown formatting in README - - The asterisk in the abbreviation *NIX (for UNIX/Linux) needs to be - escaped to not mean start of italic formatting. This is consistent - with docs/RELEASE-PROCEDURE.md. - - Closes: #8802 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (5 May 2022) -- TODO: expand on "Expose tried IP addresses that failed" - - Ref: #8794 - -Daniel Gustafsson (5 May 2022) -- [Fabian Keil brought this change] - - tests/server: declare variable 'reqlogfile' static - - Silences the warning: - - CC socksd-socksd.o - socksd.c:143:13: warning: no previous extern declaration for - non-static variable 'reqlogfile' [-Wmissing-variable-declarations] - const char *reqlogfile = DEFAULT_REQFILE; - ^ - socksd.c:143:7: note: declare 'static' if the variable is not - intended to be used outside of this translation unit - const char *reqlogfile = DEFAULT_REQFILE; - ^ - 1 warning generated. - - ... when compiling with clang 13. - - Closes: #8799 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -- HTTP-COOKIES: add missing CURLOPT_COOKIESESSION - - Commit 980a47b42 added support for ignoring session cookies, but it - was never added to the documentation. - - Closes: #8795 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (5 May 2022) -- docs/THANKS: remove name duplicate - -- [Philip Heiduck brought this change] - - .mailmap: update - - Closes #8800 - -Jay Satiro (5 May 2022) -- mbedtls: fix some error messages - - Prior to this change some of the error messages misidentified the - function that failed. - -Daniel Stenberg (5 May 2022) -- RELEASE-NOTES: synced - -- [Sergey Markelov brought this change] - - x509asn1: make do_pubkey handle EC public keys - - Closes #8757 - -- [Harry Sintonen brought this change] - - mbedtls: bail out if rng init fails - - There was a failf() call but no actual error return. - - Closes #8796 - -- [Sergey Markelov brought this change] - - urlapi: address (harmless) UndefinedBehavior sanitizer warning - - `while(i--)` causes runtime error: unsigned integer overflow: 0 - 1 - cannot be represented in type 'size_t' (aka 'unsigned long') - - Closes #8797 - -- [Fabian Keil brought this change] - - test{898,974,976}: add 'HTTP proxy' keywords - - ... so the tests can be automatically skipped when - testing external HTTP proxies like Privoxy. - - Closes #8791 - -- [Harry Sintonen brought this change] - - gskit_connect_step1: fixed bogus setsockopt calls - - setsockopt takes a reference to value, not value. With the current - code this just leads to -1 return value with errno EFAULT. - - Closes #8793 - -- CURLOPT_SSH_AUTH_TYPES.3: fix the default - - The default is all possible methods. - - Closes #8792 - -- CURLOPT_DOH_URL.3: mention the known bug - - It is mostly duplicating info from KNOWN_BUGS but make it easier to find - for users of this option. - - Closes #8790 - -- CURLOPT_HSTS*FUNCTION.3: document the involved structs as well - - Reviewed-By: Daniel Gustafsson - Closes #8788 - -- docs/SECURITY-PROCESS.md: "Visible command line arguments" - -- SECURITY-PROCESS: mention "URL inconsistencies" - - ... as common problems that are *not* vulns. - -Daniel Gustafsson (2 May 2022) -- contributors: strip off final comma - - The final row of contributors should not end with a comma as it's the - end of the list. - - Closes: #8785 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (2 May 2022) -- [Philip Heiduck brought this change] - - misc: use "autoreconf -fi" instead buildconf - - Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - Closes #8777 - -Daniel Gustafsson (2 May 2022) -- [Philip Heiduck brought this change] - - cirrus: Use pip for Python packages on FreeBSD - - Using pip instead of easy_install is more in line with how other - CI images are being maintained. - - Closes: #8783 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -- [Philip Heiduck brought this change] - - cirrus: Update to FreeBSD 12.3 - - Closes: #8783 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -- tool_getparam: simplify conditional statement - - param_place cannot be NULL here since we immediately efter this block - perform arithmetic on it (and use it in order to get here) so there is - little reason to check. - - Closes: #8786 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- RELEASE-NOTES: synced - -- gskit: remove unused function set_callback - - This function has been unused since the initial commit of the GSKit - backend in 0eba02fd4. The motivation for the code was getting the - whole certificate chain: the only place where the latter is available - is as a callback parameter. Unfortunately it is not possible to pass - a user pointer to this callback, which precludes the possibility to - associate the cert chain with a data/conn structure. - - For further information, search for pgsk_cert_validation_callback on: - https://www.ibm.com/docs/api/v1/content/ssw_ibm_i_71/apis/gsk_attribute_set_callback.htm - - As the upstream library never added a parameter like that to the API, - we give up the wait and remove the dead code. - - Closes: #8782 - Reviewed-by: Patrick Monnerat <patrick@monnerat.net> - -- curl: free resource in error path - - If the new filename cannot be generated due to memory pressure, free - the allocated aname on the way out to avoid a small leak. - - Closes: #8770 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- curl: guard against size_t wraparound in no-clobber code - - When generating the new filename, make sure we aren't overflowing the - size_t limit when calculating the new length. This is mostly academic - but good code hygeine nonetheless. - - Closes: #8771 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (30 Apr 2022) -- gha: build msh3 - - Closes #8779 - -- scripts/cijobs.pl: try "current branch" first then "master" - -- [Yusuke Nakamura brought this change] - - msh3: get msh3 version from MsH3Version - - Closes #8762 - -- [Yusuke Nakamura brought this change] - - msh3: psss remote_port to MsH3ConnectionOpen - - MsH3 supported additional "Port" parameter to connect not hosted on - 443 port QUIC website. - - * https://github.com/nibanks/msh3/releases/tag/v0.3.0 - * https://github.com/nibanks/msh3/pull/37 - - Closes #8762 - -- [Christian Weisgerber brought this change] - - openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl - - SSL_CTX_set1_curves_list() has been available since LibreSSL 2.5.3, - released five years ago. - - Bug: https://curl.se/mail/lib-2022-04/0059.html - Closes #8773 - -- http: move Curl_allow_auth_to_host() - - It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef - - Reported-by: Michael Olbrich - Fixes #8772 - Closes #8775 - -Daniel Gustafsson (29 Apr 2022) -- msh3: print boolean value as text representation - - Print the boolean value as its string representation instead of with - %hhu which isn't a format we typically use. - - Closes: #8763 - Reviewed-by: Nick Banks <nibanks@microsoft.com> - -Daniel Stenberg (29 Apr 2022) -- data/test376: set a proper name - -- GHA/mbedtls: enabled nghttp2 in the build - - Closes #8767 - -- mbedtls: fix compile when h2-enabled - - Fixes #8766 - Reported-by: LigH-de on github - Closes #8768 - -- RELEASE-NOTES: synced - - bumped curlver to 7.83.1-dev - -- SECURITY-PROCESS: extended - - Also clarify BUG-BOUNTY.md with IBB details. - - Closes #8754 - -- [Adam Rosenfield brought this change] - - conn: fix typo 'connnection' -> 'connection' in two function names - - Closes #8759 - -Version 7.83.0 (27 Apr 2022) - -Daniel Stenberg (27 Apr 2022) -- RELEASE-NOTES: synced - - The 7.83.0 release - -- docs/THANKS: contributors from 7.83.0 - -- test 898/974/976: require proxy to run - - Fixes #8755 - Reported-by: Marc Hörsken - Closes #8756 - -- gnutls: don't leak the SRP credentials in redirects - - Follow-up to 620ea21410030 and 139a54ed0a172a - - Reported-by: Harry Sintonen - Closes #8752 - -- CURLOPT*TLSAUTH: they only work with OpenSSL or GnuTLS - - Closes #8753 - -- openssl: don't leak the SRP credentials in redirects either - - Follow-up to 620ea21410030 - - Reported-by: Harry Sintonen - Closes #8751 - -- [Liam Warfield brought this change] - - hyper: fix tests 580 and 581 for hyper - - Hyper now has the ability to preserve header order. This commit adds a - few lines setting the connection options for this feature. - - Related to issue #8617 - Closes #8707 - -- conncache: remove name arg from Curl_conncache_find_bundle - - To simplify, and also since the returned name is not the full actual - name used for the check. The port number and zone id is also involved, - so just showing the name is misleading. - - Closes #8750 - -- tests: verify the fix for CVE-2022-27774 - - - Test 973 redirects from HTTP to FTP, clear auth - - Test 974 redirects from HTTP to HTTP different port, clear auth - - Test 975 redirects from HTTP to FTP, permitted to keep auth - - Test 976 redirects from HTTP to HTTP different port, permitted to keep - auth - -- transfer: redirects to other protocols or ports clear auth - - ... unless explicitly permitted. - - Bug: https://curl.se/docs/CVE-2022-27774.html - Reported-by: Harry Sintonen - Closes #8748 - -- connect: store "conn_remote_port" in the info struct - - To make it available after the connection ended. - -- cookie.d: clarify when cookies are always sent - -- test898: verify the fix for CVE-2022-27776 - - Do not pass on Authorization headers on redirects to another port - -- http: avoid auth/cookie on redirects same host diff port - - CVE-2022-27776 - - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27776.html - Closes #8749 - -- libssh2: make the md5 comparison fail if wrong length - - Making it just skip the check unless exactly 32 is too brittle. Even if - the docs says it needs to be exactly 32, it is be safer to make the - comparison fail here instead. - - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1549461 - Closes #8745 - -- conncache: include the zone id in the "bundle" hashkey - - Make connections to two separate IPv6 zone ids create separate - connections. - - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27775.html - Closes #8747 - -- [Patrick Monnerat brought this change] - - url: check sasl additional parameters for connection reuse. - - Also move static function safecmp() as non-static Curl_safecmp() since - its purpose is needed at several places. - - Bug: https://curl.se/docs/CVE-2022-22576.html - - CVE-2022-22576 - - Closes #8746 - -- libssh2: compare sha256 strings case sensitively - - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1549435 - Closes #8744 - -- tool_getparam: error out on missing -K file - - Add test 411 to verify. - - Reported-by: Median Median Stride - Bug: https://hackerone.com/reports/1542881 - Closes #8731 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: deal with sub-millisecond timeout - - Closes #8738 - -- misc: update copyright year ranges - -- c_escape: escape '?' in generated --libcurl code - - In order to avoid the risk of it being used in an accidental trigraph in - the generated code. - - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1548535 - Closes #8742 - -- [Philip Heiduck brought this change] - - mlc: curl.zuul.vexxhost.dev is reachable again - - remove it from ignorelist for linkcheck - - Closes #8736 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: avoid busy loop in low CWND situation - - Closes #8739 - -- TODO: telnet - exit immediately upon connection if stdin is /dev/null - - Suggested-by: Robin A. Meade - URL: https://curl.se/mail/archive-2022-04/0027.html - -- [Kushal Das brought this change] - - docs: updates spellings with full words - - Closes #8730 - -- tests/FILEFORMAT.md: spellfix - -Daniel Gustafsson (21 Apr 2022) -- misc: fix typos - - Fix a few random typos is comments and workflow names. - -- macos: fix .plist installation into framework - - The copy command introduced in e498a9b1f had leftover '>' from the - previous sed command it replaced, which broke its syntax. Fix by - removing. - - Reported-by: Emanuele Torre <torreemanuele6@gmail.com> - -Daniel Stenberg (21 Apr 2022) -- [Christopher Degawa brought this change] - - Makefile: fix ca-bundle due to mk-ca-bundle.pl being moved - - The script was moved in 8e22fc68e7dda43e9f but the lines that called it - was not changed to reflect it's new position - - Signed-off-by: Christopher Degawa <ccom@randomderp.com> - - Closes #8728 - -Daniel Gustafsson (20 Apr 2022) -- macos: set .plist version in autoconf - - Set the libcurl version in libcurl.plist like how libcurl.vers is - created. - - Closes: #8692 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - Reviewed-by: Nick Zitzmann <nickzman@gmail.com> - -- cookies: Improve errorhandling for reading cookiefile - - The existing programming had some issues with errorhandling for reading - the cookie file. If the file failed to open, we would silently ignore it - and continue as if there was no file (or stdin) passed. In this case, we - would also call fclose() on the NULL FILE pointer, which is undefined - behavior. Fix by ensuring that the FILE pointer is set before calling - fclose on it, and issue a warning in case the file cannot be opened. - Erroring out on nonexisting file would break backwards compatibility of - very old behavior so we can't really go there. - - Closes: #8699 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - Reviewed-by: Jay Satiro <raysatiro@yahoo.com> - -Daniel Stenberg (20 Apr 2022) -- libcurl-tutorial.3: spellfix and minor polish - -- CURLINFO_PRIMARY_PORT.3: spellfix - - Reported-by: Patrick Monnerat - -- [Jay Dommaschk brought this change] - - libssh: fix double close - - libssh closes the socket in ssh_diconnect() so make sure that libcurl - does not also close it. - - Fixes #8708 - Closes #8718 - -Jay Satiro (20 Apr 2022) -- [Gisle Vanem brought this change] - - unit1620: call global_init before calling Curl_open - - Curl_open calls the resolver init and on Windows if the resolver backend - is c-ares then the Windows sockets library (winsock) must already have - been initialized (via global init). - - Ref: https://github.com/curl/curl/pull/8540#issuecomment-1059771800 - - Closes https://github.com/curl/curl/pull/8719 - -Daniel Stenberg (19 Apr 2022) -- CURLINFO_PRIMARY_PORT.3: clarify which port this is - - As it was not entirely clear previously. - - Closes #8725 - -- CURLOPT_UNRESTRICTED_AUTH.3: extended explanation - - Include details about Authentication headers. - - Reported-by: Brad Spencer - Fixes #8724 - Closes #8726 - -- .github/workflows/macos.yml: add a libssh job with c-ares - - ... to enable the memdebug system - - Closes #8720 - -- RELEASE-NOTES: synced - -Jay Satiro (17 Apr 2022) -- [Gisle Vanem brought this change] - - docs/HTTP3.md: fix typo - - also fix msh3 section formatting - - Ref: https://github.com/curl/curl/commit/37492ebb#r70980087 - -Marc Hoersken (17 Apr 2022) -- timediff.[ch]: add curlx helper functions for timeval conversions - - Also move timediff_t definitions from timeval.h to timediff.h and - then make timeval.h include the new standalone-capable timediff.h. - - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg - - Supersedes #5888 - Closes #8595 - -Daniel Stenberg (17 Apr 2022) -- [Balakrishnan Balasubramanian brought this change] - - tests: refactor server/socksd.c to support --unix-socket - - Closes #8687 - -- [Emanuele Torre brought this change] - - tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3) - - This loop was using the number of bytes read from the file as condition - to keep reading. - - From Linux's fread(3) man page: - > On success, fread() and fwrite() return the number of items read or - > written. This number equals the number of bytes transferred only when - > size is 1. If an error occurs, or the end of the file is reached, the - > return value is a short item count (or zero). - > - > The file position indicator for the stream is advanced by the number - > of bytes successfully read or written. - > - > fread() does not distinguish between end-of-file and error, and - > callers must use feof(3) and ferror(3) to determine which occurred. - - This means that nread!=0 doesn't make much sense as an end condition for - the loop: nread==0 doesn't necessarily mean that EOF has been reached or - an error has occured (but that is usually the case) and nread!=0 doesn't - necessarily mean that EOF has not been reached or that no read errors - have occured. feof(3) and ferror(3) should be uses when using fread(3). - - Currently curl has to performs an extra fread(3) call to get a return - value equal to 0 to stop looping. - - This usually "works" (even though nread==0 shouldn't be interpreted as - EOF) if stdin is a pipe because EOF usually marks the "real" end of the - stream, so the extra fread(3) call will return immediately and the extra - read syscall won't be noticeable: - - bash-5.1$ strace -e read curl -s -F file=@- 0x0.st <<< a 2>&1 | - > tail -n 5 - read(0, "a\n", 4096) = 2 - read(0, "", 4096) = 0 - read(0, "", 4096) = 0 - http://0x0.st/oRs.txt - +++ exited with 0 +++ - bash-5.1$ - - But this doesn't work if curl is reading from stdin, stdin is a - terminal, and the EOF is being emulated using a shell with ^D. Two - consecutive ^D will be required in this case to actually make curl stop - reading: - - bash-5.1$ curl -F file=@- 0x0.st - a - ^D^D - http://0x0.st/oRs.txt - bash-5.1$ - - A possible workaround to this issue is to use a program that handles EOF - correctly to indirectly send data to curl's stdin: - - bash-5.1$ cat - | curl -F file=@- 0x0.st - a - ^D - http://0x0.st/oRs.txt - bash-5.1$ - - This patch makes curl handle EOF properly when using fread(3) in - file2memory() so that the workaround is not necessary. - - Since curl was previously ignoring read errors caused by this fread(3), - ferror(3) is also used in the condition of the loop: read errors and EOF - will have the same meaning; this is done to somewhat preserve the old - behaviour instead of making the command fail when a read error occurs. - - Closes #8701 - -- gen.pl: change wording for mutexed options - - Instead of saying "This option overrides NNN", now say "This option is - mutually exclusive to NNN" in the generated man page ouput, as the - option does not in all cases actually override the others but they are - always mutually exclusive. - - Ref: #8704 - Closes #8716 - -- curl: error out if -T and -d are used for the same URL - - As one implies PUT and the other POST, both cannot be used - simultaneously. - - Add test 378 to verify. - - Reported-by: Boris Verkhovskiy - Fixes #8704 - Closes #8715 - -- lib: remove exclamation marks - - ... from infof() and failf() calls. Make them less attention seeking. - - Closes #8713 - -- fail.d: tweak the description - - Reviewed-by: Daniel Gustafsson - Suggested-by: Robert Charles Muir - Ref: https://twitter.com/rcmuir/status/1514915401574010887 - - Closes #8714 - -Daniel Gustafsson (15 Apr 2022) -- docs: Fix missing semicolon in example code - - Multiple share examples were missing a semicolon on the line defining - the CURLSHcode variable. - - Closes: #8697 - Reported-by: Michael Kaufmann <mail@michael-kaufmann.ch> - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- infof: consistent capitalization of warning messages - - Ensure that all infof calls with a warning message are capitalized - in the same way. At some point we should probably set up a style- - guide for infof but until then let's aim for a little consistenncy - where we can. - - Closes: #8711 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- RELEASE-NOTES: synced - -- [Matteo Baccan brought this change] - - perl: removed a double semicolon at end of line - - Remove double semicolons at end of line in Perl code. - - Closes: #8709 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -- curl_easy_header: fix typos in documentation - - Closes: #8694 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Marcel Raad (11 Apr 2022) -- appveyor: add Cygwin build - - Closes https://github.com/curl/curl/pull/8693 - -- appveyor: only add MSYS2 to PATH where required - - Closes https://github.com/curl/curl/pull/8693 - -Daniel Stenberg (10 Apr 2022) -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix memory leak - - Closes #8691 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: remove remote_addr which is not used in a meaningful way - - Closes #8689 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: enlarge H3_SEND_SIZE - - Make h3_SEND_SIZE larger because current value (20KiB) is too small - for the high latency environment. - - Closes #8690 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix HTTP/3 upload stall and avoid busy loop - - This commit fixes HTTP/3 upload stall if upload data is larger than - H3_SEND_SIZE. Only check writability of socket if a stream is - writable to avoid busy loop when QUIC flow control window is filled - up, or upload buffer is full. - - Closes #8688 - -- [Nick Banks brought this change] - - msh3: add support for QUIC and HTTP/3 using msh3 - - Considered experimental, as the other HTTP/3 backends. - - Closes #8517 - -- TODO: "SFTP with SCP://" - -- GHA: move bearssl jobs over from zuul - - Closes #8684 - -- data/DISABLED: disable test 313 on bearssl builds - - Closes #8684 - -- runtests: add 'bearssl' as testable feature - - Closes #8684 - -- GHA: add openssl3 jobs moved over from zuul - - Closes #8683 - -- schannel: remove dead code that will never run - - As the condition can't ever evaluate true - - Reported-by: Andrey Alifanov - Ref: #8675 - Closes #8677 - -- connecache: remove duplicate connc->closure_handle check - - The superfluous extra check could cause analyzer false positives - and doesn't serve any purpose. - - Closes #8676 - -- [Michał Antoniak brought this change] - - mbedtls: remove server_fd from backend - - Closes #8682 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: use token when detecting :status header field - - Closes #8679 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: make curl 1ms faster - - Pass 0 for an already expired timer. - - Closes #8678 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix QUIC_IDLE_TIMEOUT - - QUIC_IDLE_TIMEOUT should be of type ngtcp2_duration which is - nanoseconds resolution. - - Closes #8678 - -- English: use American spelling consistently - - Authorization, Initialization, Organization etc. - - Closes #8673 - -Daniel Gustafsson (5 Apr 2022) -- [Sascha Zengler brought this change] - - BUGS: Fix incorrect punctuation - - Closes #8672 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -Daniel Stenberg (4 Apr 2022) -- tool_listhelp.c: uppercase URL - -- RELEASE-NOTES: synced - -- http: streamclose "already downloaded" - - Instead of connclose()ing, since when HTTP/2 is used it doesn't need to - close the connection as stopping the current transfer is enough. - - Reported-by: Evangelos Foutras - Closes #8665 - -Jay Satiro (1 Apr 2022) -- ftp: fix error message for partial file upload - - - Show the count of bytes written on partial file upload. - - Prior to this change the error message mistakenly showed the count of - bytes read, not written. - - Bug: https://github.com/curl/curl/discussions/8637 - Reported-by: Taras Kushnir - - Closes https://github.com/curl/curl/pull/8649 - -Daniel Stenberg (1 Apr 2022) -- http: correct the header error message to say colon - - Not semicolon - - Reported-by: Gisle Vanem - Ref: #8666 - Closes #8667 - -- lib: #ifdef on USE_HTTP2 better - - ... as nghttp2 might not be the library that provides HTTP/2 support. - - Closes #8661 - -- [Michał Antoniak brought this change] - - mbedtls: remove 'protocols' array from backend when ALPN is not used - - Closes #8663 - -- http2: RST the stream if we stop it on our own will - - For the "simulated 304" case the done-call isn't considered "premature" - but since the server didn't close the stream it needs to be reset to - stop delivering data. - - Closes #8664 - -- http: close the stream (not connection) on time condition abort - - Closes #8664 - -- http2: handle DONE called for the paused stream - - As it could otherwise stall all streams on the connection - - Reported-by: Evangelos Foutras - Fixes #8626 - Closes #8664 - -- tls: make mbedtls and NSS check for h2, not nghttp2 - - This makes them able to also negotiate HTTP/2 even when built to use - hyper for h2. - - Closes #8656 - -- tests/libtest/lib670.c: fixup the copyright year range - - follow-up to b54e18640ea4b7 - -- [Leandro Coutinho brought this change] - - lib670: avoid double check result - - Closes #8660 - -- vtls: use a generic "ALPN, server accepted" message - - Closes #8657 - -- vtls: use a backend standard message for "ALPN: offers %s" - - I call it VTLS_INFOF_ALPN_OFFER_1STR, the '1str' meaning that the - infof() call also needs a string argument: the ALPN ID. - - Closes #8657 - -- [Christian Schmitz brought this change] - - strcase.h: add comment about the return code - - Tool often we run into expecting this to work like strcmp, but it - returns 1 instead of 0 for match. - - Closes #8658 - -- vtls: provide a unified APLN-disagree string for all backends - - Also rephrase to make it sound less dangerous: - - "ALPN: server did not agree on a protocol. Uses default." - - Reported-by: Nick Coghlan - Fixes #8643 - Closes #8651 - -- projects/README: converted to markdown - - Closes #8652 - -- misc: spelling fixes - - Mostly in comments but also in the -w documentation for headers_json. - - Closes #8647 - -- KNOW_BUGS: HTTP3/Transfer closed with n bytes remaining to read - - "HTTP/3 does not support client certs" considered fixed, at least with - the ngtcp2 backend. - - Closes #8523 - -- CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs - - Also add to quote.d. Add to TODO as something to add in a future. - - Reported-by: anon00000000 on github - Closes #8602 - Closes #8648 - -- RELEASE-NOTES: synced - -- pop3/smtp: return *WEIRD_SERVER_REPLY when not understood - - This leaves the CURLE_RECV_ERROR error code for explicit failure to - receive network data and allows users to better separate the problems. - - Ref #8356 - Reported-by: Rianov Viacheslav - Closes #8506 - -- docs: lots of minor language polish - - Mostly based on recent language decisions from "everything curl": - - - remove contractions (isn't => is not) - - *an* HTTP (consistency) - - runtime (no hyphen) - - backend (no hyphen) - - URL is uppercase - - Closes #8646 - -Jay Satiro (29 Mar 2022) -- projects: Update VC version names for VS2017, VS2022 - - - Rename VC15 -> VC14.10, VC17 -> VC14.30. - - The projects directory that holds the pre-generated Visual Studio - project files uses VC<ver> to indicate the MSVC version. At some point - support for Visual Studio 2017 (Visual Studio version 15 which uses MSVC - 14.10) was added as VC15. Visual Studio 2022 (Visual Studio version 17 - which uses MSVC 14.30) project files were recently added and followed - that same format using VC17. - - There is no such MSVC version (yet) as VC15 or VC17. - - For VS 2017 for example, the name we use is correct as either VS17, - VS2017, VC14.10. I opted for the latter since we use VC for earlier - versions (eg VC10, VC12, etc). - - Ref: https://github.com/curl/curl/pull/8438#issuecomment-1037070192 - - Closes https://github.com/curl/curl/pull/8447 - -Daniel Stenberg (29 Mar 2022) -- mqtt: better handling of TCP disconnect mid-message - - Reported-by: Jenny Heino - Bug: https://hackerone.com/reports/1521610 - Closes #8644 - -- CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL - -- [Ian Blanes brought this change] - - docs/DYNBUF: clarify documentation for Curl_dyn_ptr and Curl_dyn_uptr - - Closes #8606 - -- [Ian Blanes brought this change] - - curl: fix segmentation fault for empty output file names. - - Function glob_match_url set *result to NULL when called with filename = - "", producing an indirect NULL pointer dereference. - - Closes #8606 - -- TODO: Read keys from ~/.ssh/id_ecdsa, id_ed25519 - - It would be nice to expand the list of key locations curl uses for the - newer key types supported by libssh2. - - Closes #8586 - -- ngtcp2: update to work after recent ngtcp2 updates - - Assisted-by: Tatsuhiro Tsujikawa - Reported-by: jurisuk on github - Fixes #8638 - Closes #8639 - -- [Farzin brought this change] - - CURLOPT_PROGRESSFUNCTION.3: fix typo in example - - Closes #8636 - -- curl/header_json: output the header names in lowercase - - To better allow json[“header”]. - - Reported-by: Peter Korsgaard - Bug: https://daniel.haxx.se/blog/2022/03/24/easier-header-picking-with-curl/comment-page-1/#comment-25878 - Closes #8633 - -- RELEASE-NOTES: synced - -- headers.h: make Curl_headers_push() be CURLE_OK when not built - - ... to avoid errors when the function isn't there. - - Reported-by: Marcel Raad - Fixes #8627 - Closes #8628 - -- scripts: move three scripts from lib/ to scripts/ - - Move checksrc.pl, firefox-db2pem.sh and mk-ca-bundle.pl since they don't - particularly belong in lib/ - - Also created an EXTRA_DIST= in scripts/Makefile.am instead of specifying - those files in the root Makefile.am - - Closes #8625 - -Marc Hoersken (23 Mar 2022) -- lib/warnless.[ch]: only check for WIN32 and ignore _WIN32 - - curl_setup.h automatically defines WIN32 if just _WIN32 is defined. - - Therefore make sure curl_setup.h is included through warnless.h. - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - - Closes #8594 - -- tests/server/util.h: align WIN32 condition with util.c - - There is no need to test for both _WIN32 and WIN32 as curl_setup.h - automatically defines the later if the first one is defined. - - Also tests/server/util.c is only checking for WIN32 arouund the - implementation of win32_perror, so just defining _WIN32 - would not be sufficient for a successful compilation. - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - - Closes #8594 - -Daniel Stenberg (22 Mar 2022) -- [Philip Heiduck brought this change] - - firefox-db2pem.sh: make the shell script safer - - Reported by lift - - Closes #8616 - -Jay Satiro (22 Mar 2022) -- gtls: fix build for disabled TLS-SRP - - Prior to this change if, at build time, the GnuTLS backend was found to - have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl - via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur. - - Bug: https://curl.se/mail/lib-2022-03/0046.html - Reported-by: Robert Brose - - Closes https://github.com/curl/curl/pull/8604 - -- winbuild: Add a Visual Studio example to the README - - - Add an example that explains in detail how the user can add libcurl to - their Visual Studio project. - - Ref: https://github.com/curl/curl/issues/8591 - - Closes https://github.com/curl/curl/pull/8592 - -- docs/opts: Mention Schannel client cert type is P12 - - Schannel backend code behaves same as Secure Transport, it expects a P12 - certificate file or the name of a certificate already in the user's OS - key store. Also, both backends ignore CURLOPT_SSLKEY (tool: --key) - because they expect the private key to already be available from the - keystore or P12 certificate. - - Ref: https://github.com/curl/curl/discussions/8581#discussioncomment-2337260 - - Closes https://github.com/curl/curl/pull/8587 - -Daniel Stenberg (22 Mar 2022) -- lib1945: fix compiler warning 4706 on MSVC - - Follow-up from d1e4a677340c - - Closes #8623 - -- [Philip Heiduck brought this change] - - ci/event-based.yml: improve impacket install - - skip python3-pip - install impacket with library module - - Closes #8621 - -- test1459: disable for oldlibssh - - This test with libssh 0.9.3 works fine on github but fails on circleci. - Might as well disable this test for oldlibssh installations. - - Closes #8622 - -- test1135: sync with recent API updates - - This test verifies that the order of functions in public headers remain - the same but hasn't been updated to care for recently added header - files. The order is important for some few platforms - or VERSIONINFO - needs to updated. - - This fix also updates VERSIONINFO to be sure. - - Closes #8620 - -- curl_easy_nextheader.3: fix two typos - - Reported-by: Timothe Litt - Bug: https://curl.se/mail/lib-2022-03/0060.html - -- options: remove mistaken space before paren in prototype - -- cirrus: add --enable-headers-api for some windows builds - -- GHA: --enable-headers-api in all workflows - -- lib: make the headers API depend on --enable-headers-api - -- configure: add --enable-headers-api to enable the headers API - - Defaults to disabled while labeled EXPERIMENTAL. - - Make all the headers API tests require 'headers-api' to run. - -- test1671: verify -w '%{header_json} - -- test1670: verify -w %header{} - -- curl: add %{header_json} support in -w handling - - Outputs all response headers as a JSON object. - -- curl: add %header{name} support in -w handling - - Outputs the response header 'name' - -- header api: add curl_easy_header and curl_easy_nextheader - - Add test 1940 to 1946 to verify. - - Closes #8593 - -- test1459: remove the different exit code for oldlibssh - - When using libssh/0.9.3/openssl/zlib, we seem to be getting the "right" - error code. - - Closes #8490 - -- libssh: unstick SFTP transfers when done event-based - - Test 604 and 606 (at least). - - Closes #8490 - -- gha: move the event-based test over from Zuul - - Switched libssh2 to libssh - - Closes #8490 - -- RELEASE-NOTES: synced - -- http: return error on colon-less HTTP headers - - It's a protocol violation and accepting them leads to no good. - - Add test case 398 to verify - - Closes #8610 - -- test718: edited slightly to return better HTTP - - Since hyper is picky and won't play ball otherwise. - - Bug: https://github.com/hyperium/hyper/issues/2783 - Reported-by: Daniel Valenzuela - Closes #8614 - -- hyper: no h2c support - - Make tests require h2c feature present to run, and only set h2c if - nghttp2 is used in the build. Hyper does not support it. - - Remove those tests from DISABLED - - Fixes #8605 - Closes #8613 - -- configure: bump the copyright year range int the generated output - -- [Andreas Falkenhahn brought this change] - - BINDINGS.md: add Hollywood binding - - Closes #8609 - -- HISTORY: add some 2022 data - -- scripts/copyright.pl: ignore the new mlc_config.json file - -- [Philip Heiduck brought this change] - - mlc_config.json: add file to ignore known troublesome URLs - - This is the config file for the CI markdown link checker and lets us - filter URLs that are known to cause problems. Like - https://curl.zuul.vexxhost.dev/ for now. - - Closes #8597 - -- [Philip Heiduck brought this change] - - winbuild/README.md: fixup dead link - - Closes #8597 - -Jay Satiro (18 Mar 2022) -- rtsp: don't let CSeq error override earlier errors - - - When done, if an error has already occurred then don't check the - sequence numbers for mismatch. - - A sequence number may not have been received if an error occurred. - - Prior to this change a sequence mismatch error would override earlier - errors. For example, a server that returns nothing would cause error - CURLE_GOT_NOTHING in Curl_http_done which was then overridden by - CURLE_RTSP_CSEQ_ERROR in rtsp_done. - - Closes https://github.com/curl/curl/pull/8525 - -- lib: fix some misuse of curlx_convert_wchar_to_UTF8 - - curlx_convert_wchar_to_UTF8 must be freed by curlx_unicodefree, but - prior to this change some uses mistakenly called free. - - I've reviewed all other uses of curlx_convert_wchar_to_UTF8 and - curlx_convert_UTF8_to_wchar. - - Ref: https://github.com/curl/curl/commit/1d5d0ae - - Closes https://github.com/curl/curl/pull/8521 - -- mk-ca-bundle.pl: Use stricter logic to process the certificates - - .. and bump version to 1.29. - - This change makes the script properly ignore unknown blocks and - otherwise fail when Mozilla changes the certdata format in ways we - don't expect. Though this is less flexible behavior it makes it far less - likely that an invalid certificate can slip through. - - Prior to this change the state machine did not always properly reset, - and it was possible that a certificate marked as invalid could then - later be marked as valid when there was conflicting trust info or - an unknown block was erroneously processed as part of the certificate. - - Ref: https://github.com/curl/curl/pull/7801#pullrequestreview-768384569 - - Closes https://github.com/curl/curl/pull/8411 - -Marcel Raad (17 Mar 2022) -- test375: fix line endings on Windows - - Closes https://github.com/curl/curl/pull/8599 - -Daniel Stenberg (17 Mar 2022) -- http: reject header contents with nul bytes - - They are not allowed by the protocol and allowing them risk that curl - misbehaves somewhere where C functions are used but won't work on the - full contents. Further, they are not supported by hyper and they cause - problems for the new coming headers API work. - - Updated test 262 to verify and enabled it for hyper as well - - Closes #8601 - -- [Philip Heiduck brought this change] - - CI: Do not use buildconf. Instead, just use: autoreconf -fi - - Closes #8596 - -- RELEASE-NOTES: synced - -Jay Satiro (14 Mar 2022) -- libssh: Improve fix for missing SSH_S_ stat macros - - - If building libcurl against an old libssh version missing SSH_S_IFMT - and SSH_S_IFLNK then use the values from a supported version. - - Prior to this change if libssh did not define SSH_S_IFMT and SSH_S_IFLNK - then S_IFMT and S_IFLNK, respectively, were used instead. The problem - with that is the user's S_ stat macros don't have the same values across - platforms. For example Windows has values different from Linux. - - Follow-up to 7b0fd39. - - Ref: https://github.com/curl/curl/pull/8511#discussion_r815292391 - Ref: https://github.com/curl/curl/pull/8574 - - Closes https://github.com/curl/curl/pull/8588 - -Marc Hoersken (13 Mar 2022) -- tool and tests: force flush of all buffers at end of program - - On Windows data can be lost in buffers in case of abnormal program - termination, especially in process chains as seen due to flaky tests. - Therefore flushing all buffers manually should avoid this data loss. - - In the curl tool we play the safe game by only flushing write buffers, - but in the testsuite where we manage all buffers, we flush everything. - - This should drastically reduce Windows CI and testsuite flakiness. - - Reviewed-by: Daniel Stenberg - - Supersedes #7833 and #6064 - Closes #8516 - -Daniel Stenberg (12 Mar 2022) -- [Jan Venekamp brought this change] - - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support - - Closes #8478 - -- [Jan Venekamp brought this change] - - BearSSL: add CURLOPT_SSL_CIPHER_LIST support - - Closes #8477 - -Dan Fandrich (11 Mar 2022) -- tool_cb_hdr: Turn the Location: into a terminal hyperlink - - This turns even relative URLs into clickable hyperlinks in a supported - terminal when --styled-output is enabled. Many terminals already turn - URLs into clickable links but there is not enough information in a - relative URL to do this automatically otherwise. - -- keepalive-time.d: It takes many probes to detect brokenness - -Daniel Stenberg (11 Mar 2022) -- [HexTheDragon brought this change] - - curl: add --no-clobber - - Does not overwrite output files if they already exist - - Closes #7708 - Co-authored-by: Daniel Stenberg - -- RELEASE-NOTES: synced - - also bump next pending version to become 7.83.0 - -- [Jean-Philippe Menil brought this change] - - openssl: check SSL_get_peer_cert_chain return value - - Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com> - Closes #8579 - -- [Jay Satiro brought this change] - - mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl - - mk-ca-bundle.vbs is a Windows-specific script for Mozilla certificate - extraction, similar to mk-ca-bundle.pl which runs on any platform. The - vbs version has not been maintained while the perl version has been - maintained with improvements and security fixes. I don't think it's - worth the work to maintain both versions. Windows users should be able - to use mk-ca-bundle.pl without any problems, as long as they have perl. - - Closes #8412 - -- CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype - - Copy and paste error - - Reported-by: Francisco Olarte - Fixes #8573 - Closes #8577 - -- remove-on-error.d: typo - - Reported-by: Colin Leroy - Bug: https://github.com/curl/curl/pull/8503#pullrequestreview-906520081 - -- curl: add --remove-on-error - - If a transfer returns an error, using this option makes curl remove the - leftover downloded (partial) local file before exiting. - - Added test 376 to verify - - Closes #8503 - -- libssh: fix build with old libssh versions - - ... that don't have the SSH_S_* defines. Spotted on a machine using - libssh 0.7.3 - - Closes #8574 - -- hyper: fix status_line() return code - - Detected while working on #7708 that happened to trigger an error here - with a new test case. - - Closes #8572 - -- [Alejandro R. Sedeño brought this change] - - configure.ac: move -pthread CFLAGS setting back where it used to be - - The fix for #8276 proposed in #8374 set `CFLAGS="$CFLAGS -pthead"` - earlier than it used to be set, applying it in cases where it should not - have been applied. - - This moves the AIX XLC check to a new `case $host in` block inside of - the `if test "$USE_THREADS_POSIX" != "1"` block, where `CFLAGS="$CFLAGS - -pthead"` used to happen. - - Fixes #8541 - Closes #8542 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: add client certificate authentication for OpenSSL - - Closes #8522 - -- tool_operate: fix a scan-build warning - - ... and avoid the temp storing of the return code in a diff variable. - - Closes #8565 - -- test375: verify that --proxy errors out if proxy is disabled in the build - - Closes #8565 - -- curl: error out when options need features not present in libcurl - - Trying to use a proxy when libcurl was built with proxy support disabled - should make curl error out properly. - - Remove knowledge of disabled features from the tool code and instead - make it properly respond to what libcurl returns. Update all tests to - properly require the necessary features to be present/absent so that the - test suite can still be run even with libcurl builds with disabled - features. - - Ref: https://curl.se/mail/archive-2022-03/0013.html - Closes #8565 - -- ngtcp2: disconnect the QUIC connection proper - - Reported-by: mehatzri on github - Reviewed-by: Tatsuhiro Tsujikawa - Fixes #8534 - closes #8569 - -Dan Fandrich (9 Mar 2022) -- test386: Fix an incorrect test markup tag - -Daniel Stenberg (9 Mar 2022) -- [Don J Olmstead brought this change] - - nonblock: restore setsockopt method to curlx_nonblock - - The implementation using setsockopt was removed when BeOS support was - purged. However this functionality wasn't BeOS specific, it is still - used by for example Orbis OS (Playstation 4/5 OS). - - Closes #8562 - -- openssl: fix CN check error code - - Due to a missing 'else' this returns error too easily. - - Regressed in: d15692ebb - - Reported-by: Kristoffer Gleditsch - Fixes #8559 - Closes #8560 - -- [Frank Meier brought this change] - - connect: make Curl_getconnectinfo work with conn cache from share handle - - Closes #8524 + _ _ ____ _
+ ___| | | | _ \| |
+ / __| | | | |_) | |
+ | (__| |_| | _ <| |___
+ \___|\___/|_| \_\_____|
+
+ Changelog
+
+Version 7.87.0 (21 Dec 2022)
+
+Daniel Stenberg (21 Dec 2022)
+
+- RELEASE-NOTES: synced
+
+ The curl 7.87.0 release
+
+- THANKS: 40 new contributors from 7.87.0
+
+- http: fix the ::1 comparison for IPv6 localhost for cookies
+
+ When checking if there is a "secure context", which it is if the
+ connection is to localhost even if the protocol is HTTP, the comparison
+ for ::1 was done incorrectly and included brackets.
+
+ Reported-by: BratSinot on github
+
+ Fixes #10120
+ Closes #10121
+
+Philip Heiduck (19 Dec 2022)
+
+- CI/spell: actions/checkout@v2 > actions/checkout@v3
+
+Daniel Stenberg (19 Dec 2022)
+
+- smb/telnet: do not free the protocol struct in *_done()
+
+ It is managed by the generic layer.
+
+ Reported-by: Trail of Bits
+
+ Closes #10112
+
+- http: use the IDN decoded name in HSTS checks
+
+ Otherwise it stores the info HSTS into the persistent cache for the IDN
+ name which will not match when the HSTS status is later checked for
+ using the decoded name.
+
+ Reported-by: Hiroki Kurosawa
+
+ Closes #10111
+
+- CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw"
+
+ Closes #10106
+
+Xì Gà (16 Dec 2022)
+
+- socks: fix username max size is 255 (0xFF)
+
+ Closes #10105
+
+ Reviewed-by: Daniel Gustafsson
+
+Daniel Stenberg (16 Dec 2022)
+
+- limit-rate.d: see also --rate
+
+- lib1560: add some basic IDN host name tests
+
+ Closes #10094
+
+- idn: rename the files to idn.[ch] and hold all IDN functions
+
+ Closes #10094
+
+- idn: remove Curl_win32_ascii_to_idn
+
+ It was not used. Introduce a new IDN header for the prototype(s).
+
+ Closes #10094
+
+- RELEASE-NOTES: synced
+
+- curl_url_get.3: remove spurious backtick
+
+ Put there by mistake.
+
+ Follow-up from 9a8564a92
+
+ Closes #10101
+
+- socks: fix infof() flag for outputing a char
+
+ It used to be a 'long', %lu is no longer correct.
+
+ Follow-up to 57d2d9b6bed33d
+ Detected by Coverity CID 1517663
+
+ Closes #10100
+
+- ssl-reqd.d: clarify that this is for upgrading connections only
+
+ Closes #10093
+
+- curl_url_set.3: document CURLU_DISALLOW_USER
+
+ Closes #10099
+
+- cmake: set the soname on the shared library
+
+ Set SONAME and VERSION for platforms we think this works on. Remove
+ issue from KNOWN_BUGS.
+
+ Assisted-by: Jakub Zakrzewski
+
+ Closes #10023
+
+- tool_paramhlp: free the proto strings on exit
+
+ And also make sure that repeated use of the options free the previous
+ string before it stores a new.
+
+ Follow-up from e6f8445edef8e7996d
+
+ Closes #10098
+
+- tool_cfgable: free the ssl_ec_curves on exit
+
+ Follow-up to ede125b7b
+
+ Closes #10097
+
+- urlapi: reject more bad letters from the host name: &+()
+
+ Follow-up from eb0167ff7d31d3a5
+
+ Extend test 1560 to verify
+
+ Closes #10096
+
+- altsvc: fix rejection of negative port numbers
+
+ Follow-up to ac612dfeee95
+
+ strtoul() accepts a leading minus so better make sure there is none
+
+ Extended test 356 somewhat to use a huge negative 64 bit number that
+ otherwise becomes a low positive number.
+
+ Closes #10095
+
+- lib: use size_t or int etc instead of longs
+
+ Since long is not using a consistent data size in curl builds, making it
+ often "waste" 32 bits.
+
+ Closes #10088
+
+- azure: use "unversioned" clang and clang-tools for scanbuild job
+
+ To make it less fragile
+
+ Closes #10092
+
+Daniel Gustafsson (14 Dec 2022)
+
+- x509asn1: avoid freeing unallocated pointers
+
+ When utf8asn1str fails there is no allocation returned, so freeing
+ the return pointer in **to is at best a no-op and at worst a double-
+ free bug waiting to happen. The current coding isn't hiding any such
+ bugs but to future proof, avoid freeing the return value pointer iff
+ the function failed.
+
+ Closes: #10087
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Emil Engler (13 Dec 2022)
+
+- curl_url_set.3: fix typo
+
+ Closes: #10089
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+Daniel Stenberg (13 Dec 2022)
+
+- test2304: verify websocket handling when connection is closed
+
+- server/sws: if asked to close connection, skip the websocket handling
+
+- ws: if no connection is around, return error
+
+ - curl_ws_send returns CURLE_SEND_ERROR if data->conn is gone
+
+ - curl_ws_recv returns CURLE_GOT_NOTHING on connection close
+
+ - curl_ws_recv.3: mention new return code for connection close + example
+ embryo
+
+ Closes #10084
+
+Emil Engler (13 Dec 2022)
+
+- docs: extend the dump-header documentation
+
+ This commit extends the documentation of the --dump-header command-line
+ option to reflect the behavior introduced in 8b1e5df7.
+
+ See #10079
+ Closes #10085
+
+Daniel Stenberg (12 Dec 2022)
+
+- RELEASE-NOTES: synced
+
+- styled-output.d: this option does not work on Windows
+
+ Reported-by: u20221022 on github
+
+ Fixes #10082
+ Closes #10083
+
+Emil Engler (12 Dec 2022)
+
+- tool: determine the correct fopen option for -D
+
+ This commit fixes a bug in the dump-header feature regarding the
+ determination of the second fopen(3) option.
+
+ Reported-by: u20221022 on github
+
+ See #4753
+ See #4762
+ Fixes #10074
+ Closes #10079
+
+Christian Schmitz (11 Dec 2022)
+
+- docs/curl_ws_send: Fixed typo in websocket docs
+
+ Replace as with is in relevant sentences.
+
+ Closes: #10081
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+Prithvi MK (11 Dec 2022)
+
+- c-hyper: fix multi-request mechanism
+
+ It makes test 565 run fine.
+
+ Fixes #8896
+ Closes #10080
+ Assisted-by: Daniel Stenberg
+
+Andy Alt (11 Dec 2022)
+
+- page-header: grammar improvement (display transfer rate)
+
+ Closes #10068
+
+- docs/DEPRECATE.md: grammar improvement and sp correction
+
+ The main thing I wanted to do was fix the spelling of "spent", but I
+ think this rewording improves the flow of the paragraph.
+
+ Closes #10067
+
+Boris Verkhovskiy (11 Dec 2022)
+
+- tool_cfgable: make socks5_gssapi_nec a boolean
+
+ Closes #10078
+
+Frank Gevaerts (9 Dec 2022)
+
+- contributors.sh: actually use $CURLWWW instead of just setting it.
+
+ The script was all set up for flexibility where curl-www is elsewhere in
+ the filesystem, but then hard-coded ../curl-www anyway...
+
+ Closes #10064
+
+Daniel Stenberg (9 Dec 2022)
+
+- KNOWN_BUGS: remove items not considered bugs any more
+
+ - CURL_GLOBAL_SSL
+
+ This option was changed in libcurl 7.57.0 and clearly it has not caused
+ too many issues and a lot of time has passed.
+
+ - Store TLS context per transfer instead of per connection
+
+ This is a possible future optimization. One that is much less important
+ and interesting since the added support for CA caching.
+
+ - Microsoft telnet server
+
+ This bug was filed in May 2007 against curl 7.16.1 and we have not
+ received further reports.
+
+ - active FTP over a SOCKS
+
+ Actually, proxies in general is not working with active FTP mode. This
+ is now added in proxy documentation.
+
+ - DICT responses show the underlying protocol
+
+ curl still does this, but since this is now an established behavior
+ since forever we cannot change it easily and adding an option for it
+ seems crazy as this protocol is not so little its not worth it. Let's
+ just live with it.
+
+ - Secure Transport disabling hostname validation also disables SNI
+
+ This is an already documented restriction in Secure Transport.
+
+ - CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
+
+ The curl_formadd() function is marked and documented as deprecated. No
+ point in collecting bugs for it. It should not be used further.
+
+ - STARTTRANSFER time is wrong for HTTP POSTs
+
+ After close source code inspection I cannot see how this is true or that
+ there is any special treatment for different HTTP methods. We also have
+ not received many further reports on this, making me strongly suspect
+ that this is no (longer an) issue.
+
+ - multipart formposts file name encoding
+
+ The once proposed RFC 5987-encoding is since RFC 7578 documented as MUST
+ NOT be used. The since then implemented MIME API allows the user to set
+ the name on their own and can thus provide it encoded as it wants.
+
+ - DoH is not used for all name resolves when enabled
+
+ It is questionable if users actually want to use DoH for interface and
+ FTP port name resolving. This restriction is now documented and we
+ advice users against using name resolving at all for these functions.
+
+ Closes #10043
+
+- CURLOPT_COOKIEFILE.3: advice => advise
+
+ Closes #10063
+
+ Reviewed-by: Daniel Gustafsson
+
+Daniel Gustafsson (9 Dec 2022)
+
+- curl.h: reword comment to not use deprecated option
+
+ CURLOPT_INFILE was replaced by CURLOPT_READDATA in 7.9.7, reword the
+ comment mentioning it to make code grepping easier as well as improve
+ the documentation.
+
+ Closes: #10062
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Ryan Schmidt (9 Dec 2022)
+
+- system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
+
+ Change "__MWERKS__" to "macintosh". When this block was originally added
+ in 3ac6929 it was probably intended to handle classic Mac OS since the
+ previous classic Mac OS build procedure for curl (which was removed in
+ bf327a9) used Metrowerks CodeWarrior.
+
+ But there are other classic Mac OS compilers, such as the MPW compilers,
+ that were not handled by this case. For classic Mac OS,
+ CURL_TYPEOF_CURL_SOCKLEN_T needs to match what's provided by the
+ third-party GUSI library, which does not vary by compiler.
+
+ Meanwhile CodeWarrior works on platforms other than classic Mac OS, and
+ they may need different definitions. Separate blocks could be added
+ later for any of those platforms that curl doesn't already support.
+
+ Closes #10049
+
+- vms: remove SIZEOF_SHORT
+
+ The rest of SIZEOF_SHORT was removed in d48dd15.
+
+ See #9291
+ Closes #10061
+
+Daniel Gustafsson (8 Dec 2022)
+
+- tool_formparse: avoid clobbering on function params
+
+ While perfectly legal to do, clobbering function parameters and using
+ them as local variables is confusing at best and rarely improves code
+ readability. Fix by using a local variable instead, no functionality
+ is changed.
+
+ This also renames the parameter from data to mime_data since the term
+ data is (soft) reserved for the easy handle struct.
+
+ Closes: #10046
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- noproxy: guard against empty hostnames in noproxy check
+
+ When checking for a noproxy setting we need to ensure that we get
+ a hostname passed in. If there is no hostname then there cannot be
+ a matching noproxy rule for it by definition.
+
+ Closes: #10057
+ Reported-by: Geeknik Labs
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (8 Dec 2022)
+
+- c-hyper: CONNECT respones are not server responses
+
+ Together with d31915a8dbbd it makes test 265 run fine.
+
+ Fixes #8853
+ Assisted-by: Prithvi MK
+ Assisted-by: Sean McArthur
+ Closes #10060
+
+- test265: Use "connection: keep-alive" response header
+
+ When it answers as HTTP/1.0, so that clients (hyper) knows properly that
+ the connection remains intact.
+
+- RELEASE-NOTES: synced
+
+Stefan Eissing (8 Dec 2022)
+
+- cfilter: improve SSL connection checks
+
+ - fixes `Curl_ssl_cf_get_ssl()` to detect also the first filter instance
+ as ssl (refs #10053)
+
+ - replaces `Curl_ssl_use()` with the correct `Curl_conn_is_ssl()`
+
+ Closes #10054
+ Fixes #10053
+
+ Reported-by: Patrick Monnerat
+
+Daniel Stenberg (8 Dec 2022)
+
+- runtests: silence nghttpx errors
+
+ Also, move the output of the nghttpx_h3 info to the general "Env:" line
+ in the test output header.
+
+ Reported-by: Marcel Raad
+ Ref: https://github.com/curl/curl/commit/ca15b7512e8d1199e55fbaa206ef01e64b8f
+ 147d#commitcomment-92015094
+ Closes #10044
+
+Ryan Schmidt (7 Dec 2022)
+
+- config-mac: define HAVE_SYS_IOCTL_H
+
+ This is needed to compile nonblock.c on classic Mac OS with Grand
+ Unified Socket Interface (GUSI) because nonblock.c uses FIONBIO which is
+ defined in <sys/filio.h> which is included by <sys/ioctl.h>.
+
+ Ref: https://sourceforge.net/projects/gusi/
+
+ Closes https://github.com/curl/curl/pull/10042
+
+Philip Heiduck (7 Dec 2022)
+
+- CI: Change FreeBSD image from 12.3 to 12.4
+
+ Ref: https://www.phoronix.com/news/FreeBSD-12.4-Released
+
+ Closes https://github.com/curl/curl/pull/10051
+
+Ryan Schmidt (7 Dec 2022)
+
+- test1421: fix typo
+
+ Closes https://github.com/curl/curl/pull/10055
+
+Jay Satiro (7 Dec 2022)
+
+- build: assume errno.h is always available
+
+ - Remove errno.h detection from all build configurations.
+
+ errno.h is a standard header according to C89.
+
+ Closes https://github.com/curl/curl/pull/9986
+
+- build: assume assert.h is always available
+
+ - Remove assert.h detection from all build configurations.
+
+ assert.h is a standard header according to C89.
+
+ I had proposed this several years ago as part of a larger change that
+ was abandoned.
+
+ Ref: https://github.com/curl/curl/issues/1237#issuecomment-277500720
+
+ Closes https://github.com/curl/curl/pull/9985
+
+Philip Heiduck (7 Dec 2022)
+
+- CI: LGTM.com will be shut down in December 2022
+
+ Closes #10052
+
+Daniel Stenberg (6 Dec 2022)
+
+- mailmap: Andy Alt
+
+Andy Alt (6 Dec 2022)
+
+- misc: Fix incorrect spelling
+
+ Fix various uses of connnect by replacing them with connect.
+
+ Closes: #10045
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+Stefan Eissing (6 Dec 2022)
+
+- wolfssl: remove special BIO return code handling
+
+ - rely solely on the retry flag in BIO, similar to OpenSSL vtls
+ implementation.
+
+ Ref: https://github.com/curl/curl/pull/10021#issuecomment-1336147053
+
+ Closes #10033
+
+Daniel Stenberg (6 Dec 2022)
+
+- openssl: return -1 on error in the BIO callbacks
+
+ BIO_read and BIO_write return negative numbers on error, including
+ retryable ones. A regression from 55807e6. Both branches should be
+ returning -1.
+
+ The APIs are patterned after POSIX read and write which, similarly,
+ return -1 on errors, not zero, with EAGAIN treated as an error.
+
+ Bug: https://github.com/curl/curl/issues/10013#issuecomment-1335308146
+ Reported-by: David Benjamin
+ Closes #10021
+
+Ryan Schmidt (6 Dec 2022)
+
+- config-mac: remove HAVE_SYS_SELECT_H
+
+ When compiling for classic Mac OS with GUSI, there is no sys/select.h.
+ GUSI provides the "select" function prototype in sys/time.h.
+
+ Closes #10039
+
+- setup: do not require __MRC__ defined for Mac OS 9 builds
+
+ Partially reverts "somewhat protect Mac OS X users from using Mac OS 9
+ config file", commit 62519bfe059251af2914199f284c736553ff0489.
+
+ Do things that are specific to classic Mac OS (i.e. include config-mac.h
+ in curl_setup.h and rename "main" to "curl_main" in tool_setup.h) when
+ only "macintosh" is defined. Remove the additional condition that
+ "__MRC__" should be defined since that would only be true with the MPW
+ MrC compiler which prevents the use of other reasonable compilers like
+ the MPW SC compiler and especially the Metrowerks CodeWarrior compilers.
+ "macintosh" is only defined by classic Mac OS compilers so this change
+ should not affect users of Mac OS X / OS X / macOS / any other OS.
+
+ Closes #10037
+
+- curl.h: name all public function parameters
+
+ Most public function parameters already have names; this adds those
+ that were missing.
+
+ Closes #10036
+
+Andy Alt (6 Dec 2022)
+
+- docs/examples: spell correction ('Retrieve')
+
+ Closes #10040
+
+Daniel Stenberg (6 Dec 2022)
+
+- unit1302: slightly extended
+
+ To test more base64 decoding
+
+- base64: faster base64 decoding
+
+ - by using a lookup table instead of strchr()
+ - by doing full quantums first, then padding
+
+ Closes #10032
+
+Michael Musset (6 Dec 2022)
+
+- libssh2: return error when ssh_hostkeyfunc returns error
+
+ return CURLE_PEER_FAILED_VERIFICATION if verification with the callback
+ return a result different than CURLKHMATCH_OK
+
+ Closes #10034
+
+Viktor Szakats (5 Dec 2022)
+
+- Makefile.mk: improve a GNU Make hack [ci skip]
+
+ Replace the hack of using `$() ` to represent a single space. The new
+ method silences the `--warn-undefined-variables` debug warning and it's
+ also a better-known form of solving this problem.
+
+ Reviewed-by: Jay Satiro
+ Closes #10031
+
+Daniel Stenberg (5 Dec 2022)
+
+- tests/unit/.gitignore: ignore all unit + 4 digits files
+
+- base64: encode without using snprintf
+
+ For speed. In some tests, this approch is 29 times faster!
+
+ Closes #10026
+
+- base64: better alloc size
+
+ The previous algorithm allocated more bytes than necessary.
+
+ Suggested-by: xtonik on github
+ Fixes #10024
+ Closes #10025
+
+Ryan Schmidt (5 Dec 2022)
+
+- config-mac: fix typo: size_T -> size_t
+
+ Both MPW and CodeWarrior compilers complained about this.
+
+ Closes #10029
+
+Daniel Stenberg (3 Dec 2022)
+
+- RELEASE-NOTES: synced
+
+Jakub Zakrzewski (2 Dec 2022)
+
+- CMake: fix build with `CURL_USE_GSSAPI`
+
+ CMAKE_*_LINKER_FLAGS must be a string but GSS_LINKER_FLAGS is a list, so
+ we need to replace semicolons with spaces when setting those.
+
+ Fixes #9017
+ Closes #1022
+
+Max Dymond (2 Dec 2022)
+
+- ci: Reuse fuzzing snippet from curl-fuzzer project
+
+Diogo Teles Sant'Anna (2 Dec 2022)
+
+- GHA: clarify workflows permissions, set least possible privilege
+
+ Set top-level permissions to None on all workflows, setting per-job
+ permissions. This avoids that new jobs inherit unwanted permissions.
+
+ Discussion: https://curl.se/mail/lib-2022-11/0028.html
+
+ Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
+
+ Closes #9928
+
+Viktor Szakats (2 Dec 2022)
+
+- Makefile.mk: address minor issues
+
+ - Fix `NROFF` auto-detection with certain shell/make-build combinations:
+
+ When a non-MSYS2 GNU Make runs inside an MSYS2 shell, Make executes
+ the detection command as-is via `CreateProcess()`. It fails because
+ `command` is an `sh` built-in. Ensure to explicitly invoke the shell.
+
+ - Initialize user-customizable variables:
+
+ Silences a list of warnings when running GNU Make with the option
+ `--warn-undefined-variables`. Another benefit is that it's now easy
+ to look up all user-customizable `Makefile.mk` variables by grepping
+ for ` ?=` in the curl source tree.
+
+ Suggested-by: Gisle Vanem
+ Ref: https://github.com/curl/curl/pull/9764#issuecomment-1330674433
+
+ - Fix `MKDIR` invocation:
+
+ Avoid a warning and potential issue in envs without forward-slash
+ support.
+
+ Closes #10000
+
+Rob de Wit (2 Dec 2022)
+
+- curl_get_line: allow last line without newline char
+
+ improve backwards compatibility
+
+ Test 3200 verifies
+
+ Closes #9973
+
+Daniel Stenberg (2 Dec 2022)
+
+- cookie: open cookie jar as a binary file
+
+ On Windows there is a difference and for text files, ^Z means end of
+ file which is not desirable.
+
+ Ref: #9973
+ Closes #10017
+
+- runtests: only do CRLF replacements for hyper if it is HTTP
+
+ Closes #10016
+
+Stefan Eissing (1 Dec 2022)
+
+- openssl: fix for BoringSSL BIO result interpretation mixups
+
+ Reported-by: Robin Marx
+ Fixes #10013
+ Closes #10015
+
+Max Dymond (1 Dec 2022)
+
+- ci: Remove zuul fuzzing job as it's superseded by CIFuzz
+
+Daniel Stenberg (1 Dec 2022)
+
+- runtests: do CRLF replacements per section only
+
+ The `crlf="yes"` attribute and "hyper mode" are now only applied on a
+ subset of dedicated sections: data, datacheck, stdout and protocol.
+
+ Updated test 2500 accordingly.
+
+ Also made test1 use crlf="yes" for <protocol>, mostly because it is
+ often used as a template test case. Going forward, using this attribute
+ we should be able to write test cases using linefeeds only and avoid
+ mixed line ending encodings.
+
+ Follow-up to ca15b7512e8d11
+
+ Fixes #10009
+ Closes #10010
+
+Stefan Eissing (1 Dec 2022)
+
+- gnutls: use common gnutls init and verify code for ngtcp2
+
+ Closes #10007
+
+Baitinq on github (1 Dec 2022)
+
+- aws_sigv4: fix typos in aws_sigv4.c
+
+ Closes #10008
+
+Kenneth Myhra (30 Nov 2022)
+
+- curl.h: include <sys/select.h> on SerenityOS
+
+ Closes #10006
+
+Daniel Stenberg (30 Nov 2022)
+
+- openssl: prefix errors with '[lib]/[version]: '
+
+ To help users understand where this (cryptic) error message comes from.
+
+ Suggested-by: Philip Sanetra
+ Ref: #10002
+ Closes #10004
+
+Stefan Eissing (30 Nov 2022)
+
+- tests: add HTTP/3 test case, custom location for proper nghttpx
+
+ - adding support for HTTP/3 test cases via a nghttpx server that is
+ build with ngtcp2 and nghttp3.
+ - test2500 is the first test case, performing a simple GET.
+ - nghttpx is checked for support and the 'feature' nghttpx-h3
+ is set accordingly. test2500 will only run, when supported.
+ - a specific nghttpx location can be given in the environment
+ variable NGHTTPX or via the configure option
+ --with-test-nghttpx=<path>
+
+ Extend NGHTTPX config to H2 tests as well
+
+ * use $ENV{NGHTTPX} and the configured default also in http2 server starts
+ * always provide the empty test/nghttpx.conf to nghttpx. as it defaults to
+ reading /etc/nghttpx/nghttpx.conf otherwise.
+
+ Added nghttpx to CI ngtcp2 jobs to run h3 tests.
+
+ Closes #9031
+
+Daniel Stenberg (30 Nov 2022)
+
+- RELEASE-NOTES: synced
+
+ Removed duplicate after contributors.sh fix: 9967c10b6daa1
+
+- scripts/contributors.sh: strip one OR MORE leading spaces
+
+ From names found credited in commit logs
+
+- RELEASE-NOTES: synced
+
+- openssl/mbedtls: use %d for outputing port with failf (int)
+
+ Coverity CID 1517100
+
+ Also, remove some int typecasts in vtls.c for the port number
+
+ Closes #10001
+
+- KNOWN_BUGS: remove "Multi perform hangs waiting for threaded resolver"
+
+ We now offer a way to avoid that hang, using CURLOPT_QUICK_EXIT.
+
+ Follow-up to 49798cac832ab1 fixed via #9147
+
+ Closes #9999
+
+- KNOWN_BUGS: remove "--interface for ipv6 binds to unusable IP address"
+
+ Since years back the "if2ip" function verifies that it binds to a local IPv6
+ address that uses the same scope as the remote address.
+
+ This is not a bug.
+
+ Fixes #686
+ Closes #9998
+
+- test1276: verify lib/optiontable.pl
+
+ Checks that it generates an output identical to the file.
+
+- lib/optiontable.pl: adapt to CURLOPTDEPRECATED()
+
+ Follow-up from 6967571bf20624bc
+
+ Reported-by: Gisle Vanem
+
+ Fixes #9992
+ Closes #9993
+
+- docs/INSTALL.md: list OSes and CPUs quoted
+
+ to make them skip spellcheck. Also added a new CPU.
+
+ Follow-up to 4506cbf7f24a2a
+
+ Closes #9997
+
+Ikko Ashimine (28 Nov 2022)
+
+- vtls: fix typo in vtls_int.h
+
+ paramter -> parameter
+
+ Closes: #9996
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+Daniel Stenberg (28 Nov 2022)
+
+- curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
+
+ As OpenSSL's include files are all included using <openssl/*.h> in curl
+ source code, we just risk that existing openssl files will "shadow"
+ include files without path if that path is provided.
+
+ Fixes #9989
+ Closes #9988
+
+- INSTALL: update operating systems and CPU archs
+
+ Update after recent runs on Twitter/Mastodon and my blog
+
+ Closes #9994
+
+Stefan Eissing (28 Nov 2022)
+
+- tls: backends use connection filters for IO, enabling HTTPS-proxy
+
+ - OpenSSL (and compatible)
+ - BearSSL
+ - gnutls
+ - mbedtls
+ - rustls
+ - schannel
+ - secure-transport
+ - wolfSSL (v5.0.0 and newer)
+
+ This leaves only the following without HTTPS-proxy support:
+ - gskit
+ - nss
+ - wolfSSL (versions earlier than v5.0.0)
+
+ Closes #9962
+
+Daniel Stenberg (28 Nov 2022)
+
+- include/curl/curl.h: bump the deprecated requirements to gcc 6.1
+
+ Reported-by: Michael Kaufmann
+ Fixes #9917
+ Closes #9987
+
+Patrick Monnerat (28 Nov 2022)
+
+- mime: relax easy/mime structures binding
+
+ Deprecation and removal of codeset conversion support from the library
+ have released the strict need for an early binding of mime structures to
+ an easy handle (https://github.com/curl/curl/commit/2610142).
+
+ This constraint currently forces to create the handle before the mime
+ structure and the latter cannot be attached to another handle once
+ created (see https://curl.se/mail/lib-2022-08/0027.html).
+
+ This commit removes the handle pointers from the mime structures
+ allowing more flexibility on their use.
+
+ When an easy handle is duplicated, bound mime structures must however
+ still be duplicated too as their components hold send-time dynamic
+ information.
+
+ Closes #9927
+
+fractal-access (26 Nov 2022)
+
+- test416: verify growing FTP file support
+
+ Added setting: RETRSIZE [size] in the <servercmd> section. When set this
+ will cause the test FTP server to return the size set (rather than the
+ actual size) in the acknowledgement from a RETR request.
+
+ Closes #9772
+
+- ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
+
+ When using the option CURLOPT_IGNORE_CONTENT_LENGTH (set.ignorecl in
+ code) to support growing files in FTP, the code should ignore the
+ initial size it gets from the server as this will not be the final size
+ of the file. This is done in ftp_state_quote() to prevent a size request
+ being issued in the initial sequence. However, in a later call to
+ ftp_state_get_resp() the code attempts to get the size of the content
+ again if it doesn't already have it, by parsing the response from the
+ RETR request. This fix prevents this parsing of the response to get the
+ size when the set.ignorecl option is set. This should maintain the size
+ value as -1, unknown, in this situation.
+
+ Closes #9772
+
+Stefan Eissing (26 Nov 2022)
+
+- cfilter: re-add `conn` as parameter to cfilter setup methods
+
+ - `Curl_ssl_get_config()` now returns the first config if no SSL proxy
+ filter is active
+
+ - socket filter starts connection only on first invocation of its
+ connect method
+
+ Fixes #9982
+ Closes #9983
+
+Daniel Stenberg (26 Nov 2022)
+
+- KNOWN_BUGS: remove five FTP related issues
+
+ - "FTP with CONNECT and slow server"
+
+ I believe this is not a problem these days.
+
+ - "FTP with NULs in URL parts"
+
+ The FTP protocol does not support them properly anyway.
+
+ - remove "FTP and empty path parts in the URL"
+
+ I don't think this has ever been reported as a real problem but was only
+ a hypothetical one.
+
+ - "Premature transfer end but healthy control channel"
+
+ This is not a bug, this is an optimization that *could* be performed but is
+ not an actual problem.
+
+ - "FTP without or slow 220 response"
+
+ Instead add to the documentation of the connect timeout that the
+ connection is considered complete at TCP/TLS/QUIC layer.
+
+ Closes #9979
+
+Stefan Eissing (26 Nov 2022)
+
+- tests: add authorityInfoAccess to generated certs
+
+ Generate stunnel.pem as well
+
+ Closes #9980
+
+Daniel Stenberg (25 Nov 2022)
+
+- runtests: --no-debuginfod now disables DEBUGINFOD_URLS
+
+ Prior to this change, DEBUGINFOD_URLS was always disabled by runtests
+ due to a report of it slowing down tests. However, some setups need it
+ to fetch debug symbols, and if it is disabled on those systems then curl
+ tests with valgrind will fail.
+
+ Reported-by: Mark Gaiser
+
+ Ref: #8805
+ Closes #9950
+
+Casey Bodley (25 Nov 2022)
+
+- test/aws_sigv4: test cases for content-sha256
+
+ 1956 adds the sha256 value corresponding to an empty buffer
+ 1957 adds an arbitrary value and confirms that the signature differs from 195
+ 6
+ 1958 adds whitespace to 1957 and confirms that the signature matches 1957
+ 1959 adds a value longer than 'char sha_hex[65]' in Curl_output_aws_sigv4()
+
+ Signed-off-by: Casey Bodley <cbodley@redhat.com>
+
+ Closes #9804
+
+- aws_sigv4: consult x-%s-content-sha256 for payload hash
+
+ `Curl_output_aws_sigv4()` doesn't always have the whole payload in
+ memory to generate a real payload hash. this commit allows the user to
+ pass in a header like `x-amz-content-sha256` to provide their desired
+ payload hash
+
+ some services like s3 require this header, and may support other values
+ like s3's `UNSIGNED-PAYLOAD` and `STREAMING-AWS4-HMAC-SHA256-PAYLOAD`
+ with special semantics. servers use this header's value as the payload
+ hash during signature validation, so it must match what the client uses
+ to generate the signature
+
+ CURLOPT_AWS_SIGV4.3 now describes the content-sha256 interaction
+
+ Signed-off-by: Casey Bodley <cbodley@redhat.com>
+
+ Closes #9804
+
+Philip Heiduck (25 Nov 2022)
+
+- GHA: NSS use clang instead of clang-9
+
+ Closes #9978
+
+Daniel Stenberg (25 Nov 2022)
+
+- RELEASE-NOTES: synced
+
+- tool_operate: override the numeric locale and set "C" by force
+
+ Makes curl always use dot as decimal separator for options,
+ independently of what the locale says. Makes scripts and command lines
+ portable.
+
+ Updated docs accordingly.
+
+ Reported-by: Daniel Faust
+
+ Fixes #9969
+ Closes #9972
+
+- test1662: verify formpost, 301 redirect, no rewind possible
+
+ Reproduces #9735 and verifies the subsequent fix. The original issue
+ uses a pipe that cannot be rewound, but this test case instead sets a
+ callback without rewind ability to get roughly the same properties but
+ being a much more portable test.
+
+- lib: rewind BEFORE request instead of AFTER previous
+
+ This makes a big difference for cases when the rewind is not actually
+ necessary to perofm (for example HTTP response code 301 converts to GET)
+ and therefore the rewind can be avoided. In particular for situations
+ when that rewind fails, for example when reading from a pipe or similar.
+
+ Reported-by: Ali Utku Selen
+
+ Fixes #9735
+ Closes #9958
+
+- vtls: repair build with disabled proxy
+
+ Closes #9974
+
+Daniel Gustafsson (23 Nov 2022)
+
+- packaging: remove traces of deleted files
+
+ Commit a8861b6cc removed packages/DOS but left a few traces of it
+ which broke the distcheck CI. Remove all traces.
+
+ Closes: #9971
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- openssl: silence compiler warning when not using IPv6
+
+ In non-IPv6 builds the conn parameter is unused, and compilers which
+ run with "-Werror=unused-parameter" (or similar) warnings turned on
+ fails to build. Below is an excerpt from a CI job:
+
+ vtls/openssl.c: In function ‘Curl_ossl_verifyhost’:
+ vtls/openssl.c:2016:75: error: unused parameter ‘conn’ [-Werror=unused-
+ parameter]
+ 2016 | CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connec
+ tdata *conn,
+ | ~~~~~~~~~~~~~
+ ~~~~~~~^~~~
+
+ Closes: #9970
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- netware: remove leftover traces
+
+ Commit 3b16575ae938dec2a29454631a12aa52b6ab9c67 removed support for
+ building on Novell Netware, but a few leftover traces remained. This
+ removes the last bits.
+
+ Closes: #9966
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Ryan Schmidt (23 Nov 2022)
+
+- curl_endian: remove Curl_write64_le from header
+
+ The actual function was already removed in 4331c6dc.
+
+ See #7280
+ Closes #9968
+
+Daniel Stenberg (22 Nov 2022)
+
+- docs: add more "SEE ALSO" links to CA related pages
+
+ Closes #9959
+
+- examples: update descriptions
+
+ Make them not say "this is an example showing..." and instead just say
+ what the example shows.
+
+ Closes #9960
+
+Stefan Eissing (22 Nov 2022)
+
+- vtls: localization of state data in filters
+
+ - almost all backend calls pass the Curl_cfilter intance instead of
+ connectdata+sockindex
+ - ssl_connect_data is remove from struct connectdata and made internal
+ to vtls
+ - ssl_connect_data is allocated in the added filter, kept at cf->ctx
+
+ - added function to let a ssl filter access its ssl_primary_config and
+ ssl_config_data this selects the propert subfields in conn and data,
+ for filters added as plain or proxy
+ - adjusted all backends to use the changed api
+ - adjusted all backends to access config data via the exposed
+ functions, no longer using conn or data directly
+
+ cfilter renames for clear purpose:
+
+ - methods `Curl_conn_*(data, conn, sockindex)` work on the complete
+ filter chain at `sockindex` and connection `conn`.
+ - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter
+ instance.
+ - methods `Curl_conn_cf()` work on/with filter instances at a
+ connection.
+ - rebased and resolved some naming conflicts
+ - hostname validation (und session lookup) on SECONDARY use the same
+ name as on FIRST (again).
+
+ new debug macros and removing connectdata from function signatures where not
+ needed.
+
+ adapting schannel for new Curl_read_plain paramter.
+
+ Closes #9919
+
+Daniel Stenberg (22 Nov 2022)
+
+- examples/10-at-a-time: fix possible skipped final transfers
+
+ Prior to this change if curl_multi_perform returned 0 running handles
+ and then all remaining transfers were added, then the perform loop would
+ end immediately without performing those transfers.
+
+ Reported-by: Mikhail Kuznetsov
+
+ Fixes https://github.com/curl/curl/issues/9953
+ Closes https://github.com/curl/curl/pull/9954
+
+Viktor Szakats (22 Nov 2022)
+
+- Makefile.mk: portable Makefile.m32
+
+ Update bare GNU Make `Makefile.m32` to:
+
+ - Move objects into a subdirectory.
+ - Add support for MS-DOS. Tested with DJGPP.
+ - Add support for Watt-32 (on MS-DOS).
+ - Add support for AmigaOS.
+ - Rename `Makefile.m32` to `Makefile.mk`
+ - Replace `ARCH` with `TRIPLET`.
+ - Build `tool_hugehelp.c` proper (when tools are available).
+ - Drop MS-DOS compatibility macro `USE_ZLIB` (replaced by `HAVE_LIBZ`)
+ - Add support for `ZLIB_LIBS` to override `-lz`.
+ - Omit object files when building examples.
+ - Default `CC` to `gcc` once again, for convenience. (Caveat: compiler
+ name `cc` cannot be set now.)
+ - Set `-DCURL_NO_OLDIES` for examples, like autotools does.
+ - Delete `makefile.dj` files. Notice the configuration details and
+ defaults are not retained with the new method.
+ - Delete `makefile.amiga` files. A successful build needs a few custom
+ options. We're also not retaining all build details from the existing
+ Amiga make files.
+ - Rename `Makefile.m32` to `Makefile.mk` to reflect that they are not
+ Windows/MinGW32-specific anymore.
+ - Add support for new `CFG` options: `-map`, `-debug`, `-trackmem`
+ - Set `-DNDEBUG` by default.
+ - Allow using `-DOS=...` in all `lib/config-*.h` headers, syncing this
+ with `config-win32.h`.
+ - Look for zlib parts in `ZLIB_PATH/include` and `ZLIB_PATH/lib`
+ instead of bare `ZLIB_PATH`.
+
+ Note that existing build configurations for MS-DOS and AmigaOS likely
+ become incompatible with this change.
+
+ Example AmigaOS configuration:
+ ```
+ export CROSSPREFIX=/opt/amiga/bin/m68k-amigaos-
+ export CC=gcc
+ export CPPFLAGS='-DHAVE_PROTO_BSDSOCKET_H'
+ export CFLAGS='-mcrt=clib2'
+ export LDFLAGS="${CFLAGS}"
+ export LIBS='-lnet -lm'
+ make -C lib -f Makefile.mk
+ make -C src -f Makefile.mk
+ ```
+
+ Example MS-DOS configuration:
+ ```
+ export CROSSPREFIX=/opt/djgpp/bin/i586-pc-msdosdjgpp-
+ export WATT_PATH=/opt/djgpp/net/watt
+ export ZLIB_PATH=/opt/djgpp
+ export OPENSSL_PATH=/opt/djgpp
+ export OPENSSL_LIBS='-lssl -lcrypt'
+ export CFG=-zlib-ssl
+ make -C lib -f Makefile.mk
+ make -C src -f Makefile.mk
+ ```
+
+ Closes #9764
+
+Stefan Eissing (22 Nov 2022)
+
+- cfiler: filter types have flags indicating what they do
+
+ - Adding Curl_conn_is_ip_connected() to check if network connectivity
+ has been reached
+
+ - having ftp wait for network connectivity before proceeding with
+ transfers.
+
+ Fixes test failures 1631 and 1632 with hyper.
+
+ Closes #9952
+
+Daniel Stenberg (21 Nov 2022)
+
+- RELEASE-NOTES: synced
+
+Jay Satiro (20 Nov 2022)
+
+- sendf: change Curl_read_plain to wrap Curl_recv_plain (take 2)
+
+ Prior to this change Curl_read_plain would attempt to read the
+ socket directly. On Windows that's a problem because recv data may be
+ cached by libcurl and that data is only drained using Curl_recv_plain.
+
+ Rather than rewrite Curl_read_plain to handle cached recv data, I
+ changed it to wrap Curl_recv_plain, in much the same way that
+ Curl_write_plain already wraps Curl_send_plain.
+
+ Curl_read_plain -> Curl_recv_plain
+ Curl_write_plain -> Curl_send_plain
+
+ This fixes a bug in the schannel backend where decryption of arbitrary
+ TLS records fails because cached recv data is never drained. We send
+ data (TLS records formed by Schannel) using Curl_write_plain, which
+ calls Curl_send_plain, and that may do a recv-before-send
+ ("pre-receive") to cache received data. The code calls Curl_read_plain
+ to read data (TLS records from the server), which prior to this change
+ did not call Curl_recv_plain and therefore cached recv data wasn't
+ retrieved, resulting in malformed TLS records and decryption failure
+ (SEC_E_DECRYPT_FAILURE).
+
+ The bug has only been observed during Schannel TLS 1.3 handshakes. Refer
+ to the issue and PR for more information.
+
+ --
+
+ This is take 2 of the original fix. It preserves the original behavior
+ of Curl_read_plain to write 0 to the bytes read parameter on error,
+ since apparently some callers expect that (SOCKS tests were hanging).
+ The original fix which landed in 12e1def5 and was later reverted in
+ 18383fbf failed to work properly because it did not do that.
+
+ Also, it changes Curl_write_plain the same way to complement
+ Curl_read_plain, and it changes Curl_send_plain to return -1 instead of
+ 0 on CURLE_AGAIN to complement Curl_recv_plain.
+
+ Behavior on error with these changes:
+
+ Curl_recv_plain returns -1 and *code receives error code.
+ Curl_send_plain returns -1 and *code receives error code.
+ Curl_read_plain returns error code and *n (bytes read) receives 0.
+ Curl_write_plain returns error code and *written receives 0.
+
+ --
+
+ Ref: https://github.com/curl/curl/issues/9431#issuecomment-1312420361
+
+ Assisted-by: Joel Depooter
+ Reported-by: Egor Pugin
+
+ Fixes https://github.com/curl/curl/issues/9431
+ Closes https://github.com/curl/curl/pull/9949
+
+Sean McArthur (19 Nov 2022)
+
+- hyper: classify headers as CONNECT and 1XX
+
+ Closes #9947
+
+Stefan Eissing (19 Nov 2022)
+
+- ftp: fix "AUTH TLS" on primary conn and for SSL in PASV second conn
+
+ Follow-up to dafdb20a26d0c89
+
+ Reported-by: Anthony Hu
+ Closes #9948
+
+Jay Satiro (19 Nov 2022)
+
+- CURLOPT_POST.3: Explain setting to 0 changes request type
+
+ Bug: https://github.com/curl/curl/issues/9849
+ Reported-by: MonkeybreadSoftware@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/9942
+
+Daniel Stenberg (19 Nov 2022)
+
+- docs/INSTALL.md: expand on static builds
+
+ Remove from KNOWN_BUGS
+
+ Closes #9944
+
+Stefan Eissing (19 Nov 2022)
+
+- http: restore h3 to working condition after connection filter introduction
+
+ Follow-up to dafdb20a26d0c
+
+ HTTP/3 needs a special filter chain, since it does the TLS handling
+ itself. This PR adds special setup handling in the HTTP protocol handler
+ that takes are of it.
+
+ When a handler, in its setup method, installs filters, the default
+ behaviour for managing the filter chain is overridden.
+
+ Reported-by: Karthikdasari0423 on github
+
+ Fixes #9931
+ Closes #9945
+
+Daniel Stenberg (18 Nov 2022)
+
+- urldata: change port num storage to int and unsigned short
+
+ Instead of long.
+
+ Closes #9946
+
+- Revert "sendf: change Curl_read_plain to wrap Curl_recv_plain"
+
+ This reverts commit 12e1def51a75392df62e65490416007d7e68dab9.
+
+ It introduced SOCKS proxy fails, like test 700 never ending.
+
+ Reopens #9431
+
+- HTTP-COOKIES.md: update the 6265bis link to draft-11
+
+ Closes #9940
+
+- docs/WEBSOCKET.md: explain the URL use
+
+ Fixes #9936
+ Closes #9941
+
+Jay Satiro (18 Nov 2022)
+
+- sendf: change Curl_read_plain to wrap Curl_recv_plain
+
+ Prior to this change Curl_read_plain would attempt to read the
+ socket directly. On Windows that's a problem because recv data may be
+ cached by libcurl and that data is only drained using Curl_recv_plain.
+
+ Rather than rewrite Curl_read_plain to handle cached recv data, I
+ changed it to wrap Curl_recv_plain, in much the same way that
+ Curl_write_plain already wraps Curl_send_plain.
+
+ Curl_read_plain -> Curl_recv_plain
+ Curl_write_plain -> Curl_send_plain
+
+ This fixes a bug in the schannel backend where decryption of arbitrary
+ TLS records fails because cached recv data is never drained. We send
+ data (TLS records formed by Schannel) using Curl_write_plain, which
+ calls Curl_send_plain, and that may do a recv-before-send
+ ("pre-receive") to cache received data. The code calls Curl_read_plain
+ to read data (TLS records from the server), which prior to this change
+ did not call Curl_recv_plain and therefore cached recv data wasn't
+ retrieved, resulting in malformed TLS records and decryption failure
+ (SEC_E_DECRYPT_FAILURE).
+
+ The bug has only been observed during Schannel TLS 1.3 handshakes. Refer
+ to the issue and PR for more information.
+
+ Ref: https://github.com/curl/curl/issues/9431#issuecomment-1312420361
+
+ Assisted-by: Joel Depooter
+ Reported-by: Egor Pugin
+
+ Fixes https://github.com/curl/curl/issues/9431
+ Closes https://github.com/curl/curl/pull/9904
+
+- test3026: reduce runtime in legacy mingw builds
+
+ - Load Windows system libraries secur32 and iphlpapi beforehand, so
+ that libcurl's repeated global init/cleanup only increases/decreases
+ the library's refcount rather than causing it to load/unload.
+
+ Assisted-by: Marc Hoersken
+
+ Closes https://github.com/curl/curl/pull/9412
+
+Daniel Stenberg (18 Nov 2022)
+
+- url: move back the IDN conversion of proxy names
+
+ Regression: in commit 53bcf55 we moved the IDN conversion calls to
+ happen before the HSTS checks. But the HSTS checks are only done on the
+ server host name, not the proxy names. By moving the proxy name IDN
+ conversions, we accidentally broke the verbose output showing the proxy
+ name.
+
+ This change moves back the IDN conversions for the proxy names to the
+ place in the code path they were before 53bcf55.
+
+ Reported-by: Andy Stamp
+ Fixes #9937
+ Closes #9939
+
+Alexandre Ferrieux (18 Nov 2022)
+
+- CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
+
+ Fixes #2975
+ Closes #9147
+
+Daniel Stenberg (17 Nov 2022)
+
+- HTTP-COOKIES.md: mention that http://localhost is a secure context
+
+ Reported-by: Trail of Bits
+
+ Closes #9938
+
+- lib: parse numbers with fixed known base 10
+
+ ... instead of using 0 argument that allows decimal, hex or octal when
+ the number is documented and assumed to use base 10.
+
+ Closes #9933
+
+- RELEASE-NOTES: synced
+
+- scripts/delta: adapt to curl.h changes for the opt counter
+
+- cookie: expire cookies at once when max-age is negative
+
+ Update test 329 to verify
+
+ Reported-by: godmar on github
+ Fixes #9930
+ Closes #9932
+
+Stefan Eissing (17 Nov 2022)
+
+- proxy: haproxy filter is only available when PROXY and HTTP are
+
+ Closes #9935
+
+Daniel Stenberg (16 Nov 2022)
+
+- OtherTests.cmake: check for cross-compile, not for toolchain
+
+ Build systems like vcpkg alway sets `CMAKE_TOOLCHAIN_FILE` so it should
+ not be used as a sign that this is a cross-compile.
+
+ Also indented the function correctly.
+
+ Reported-by: Philip Chan
+ Fixes #9921
+ Closes #9923
+
+- ntlm: improve comment for encrypt_des
+
+ Reported-by: Andrei Rybak
+ Fixes #9903
+ Closes #9925
+
+- include/curl/curl.h: bump the deprecated requirements to gcc 5.3
+
+ Reported-by: Stephan Guilloux
+ Fixes #9917
+ Closes #9918
+
+Stefan Eissing (15 Nov 2022)
+
+- proxy: refactor haproxy protocol handling as connection filter
+
+ Closes #9893
+
+Patrick Monnerat (15 Nov 2022)
+
+- lib: feature deprecation warnings in gcc >= 4.3
+
+ Add a deprecated attribute to functions and enum values that should not
+ be used anymore.
+ This uses a gcc 4.3 dialect, thus is only available for this version of
+ gcc and newer. Note that the _Pragma() keyword is introduced by C99, but
+ is available as part of the gcc dialect even when compiling in C89 mode.
+
+ It is still possible to disable deprecation at a calling module compile
+ time by defining CURL_DISABLE_DEPRECATION.
+
+ Gcc type checking macros are made aware of possible deprecations.
+
+ Some testing support Perl programs are adapted to the extended
+ declaration syntax.
+
+ Several test and unit test C programs intentionally use deprecated
+ functions/options and are annotated to not generate a warning.
+
+ New test 1222 checks the deprecation status in doc and header files.
+
+ Closes #9667
+
+Daniel Stenberg (15 Nov 2022)
+
+- log2changes.pl: wrap long lines at 80 columns
+
+ Also, only use author names in the output.
+
+ Fixes #9896
+ Reported-by: John Sherrill
+ Closes #9897
+
+- cfilters: use %zu for outputting size_t
+
+ Detected by Coverity CID 1516894
+
+ Closes #9907
+
+- Curl_closesocket: avoid using 'conn' if NULL
+
+ ... in debug-only code.
+
+ Reported by Coverity CID 1516896
+
+ Closes #9907
+
+- url: only acknowledge fresh_reuse for non-followed transfers
+
+ ... to make sure NTLM auth sticks to the connection it needs, as
+ verified by 2032.
+
+ Follow-up to fa0b9227616e
+
+ Assisted-by: Stefan Eissing
+ Closes #9905
+
+- netrc.d: provide mutext info
+
+ Reported-by: xianghongai on github
+ Fixes #9899
+ Closes #9901
+
+- cmdline-opts/page-footer: remove long option nroff formatting
+
+ As gen.pl adds them
+
+- nroff-scan.pl: detect double highlights
+
+- cmdline-opts/gen.pl: fix the linkifier
+
+ Improved logic for finding existing --options in text and replacing with
+ the full version with nroff syntax. This also makes the web version link
+ options better.
+
+ Reported-by: xianghongai on github
+ Fixes #9899
+ Closes #9902
+
+Patrick Monnerat (14 Nov 2022)
+
+- tool: use feature names instead of bit mask, when possible
+
+ If the run-time libcurl is too old to support feature names, the name
+ array is created locally from the bit masks. This is the only sequence
+ left that uses feature bit masks.
+
+ Closes #9583
+
+- docs: curl_version_info is not thread-safe before libcurl initialization
+
+ Closes #9583
+
+- version: add a feature names array to curl_version_info_data
+
+ Field feature_names contains a null-terminated sorted array of feature
+ names. Bitmask field features is deprecated.
+
+ Documentation is updated. Test 1177 and tests/version-scan.pl updated to
+ match new documentation format and extended to check feature names too.
+
+ Closes #9583
+
+Stefan Eissing (14 Nov 2022)
+
+- negtelnetserver.py: have it call its close() method
+
+ Closes #9894
+
+Nathan Moinvaziri (13 Nov 2022)
+
+- ntlm: silence ubsan warning about copying from null target_info pointer.
+
+ runtime error: null pointer passed as argument 2, which is declared to
+ never be null
+
+ Closes #9898
+
+Daniel Stenberg (12 Nov 2022)
+
+- RELEASE-NOTES: synced
+
+Stefan Eissing (12 Nov 2022)
+
+- Websocket: fixes for partial frames and buffer updates.
+
+ - buffers updated correctly when handling partial frames
+ - callbacks no longer invoked for incomplete payload data of 0 length
+ - curl_ws_recv no longer returns with 0 length partial payload
+
+ Closes #9890
+
+Daniel Stenberg (12 Nov 2022)
+
+- tool_operate: provide better errmsg for -G with bad URL
+
+ If the URL that -G would try to add a query to could not be parsed, it would
+ display
+
+ curl: (27) Out of memory
+
+ It now instead shows:
+
+ curl: (2) Could not parse the URL, failed to set query
+
+ Reported-by: Alex Xu
+ Fixes #9889
+ Closes #9892
+
+- vtls: fix build without proxy support
+
+ Follow-up to dafdb20a26d0c890
+
+ Closes #9895
+
+- tool_getparam: make --no-get work as the opposite of --get
+
+ ... as documented.
+
+ Closes #9891
+
+- http: mark it 'this_is_a_follow' in the Location: logic
+
+ To make regular auth "reloads" to not count as redirects.
+
+ Verified by test 3101
+
+ Fixes #9885
+ Closes #9887
+
+Viktor Szakats (11 Nov 2022)
+
+- config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
+
+ The previously set default value of 8 (64-bit) is only correct for
+ mingw-w64 and only when we set `_FILE_OFFSET_BITS` to 64 (the default
+ when building curl). For MSVC, old MinGW and other Windows compilers,
+ the correct value is 4 (32-bit). Adjust condition accordingly. Also
+ drop the manual override option.
+
+ Regression in 7.86.0 (from 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6)
+
+ Bug: https://github.com/curl/curl/pull/9712#issuecomment-1307330551
+
+ Reported-by: Peter Piekarski
+ Reviewed-by: Jay Satiro
+
+ Closes #9872
+
+Daniel Stenberg (11 Nov 2022)
+
+- lib: remove bad set.opt_no_body assignments
+
+ This struct field MUST remain what the application set it to, so that
+ handle reuse and handle duplication work.
+
+ Instead, the request state bit 'no_body' is introduced for code flows
+ that need to change this in run-time.
+
+ Closes #9888
+
+Stefan Eissing (11 Nov 2022)
+
+- lib: connection filters (cfilter) addition to curl:
+
+ - general construct/destroy in connectdata
+ - default implementations of callback functions
+ - connect: cfilters for connect and accept
+ - socks: cfilter for socks proxying
+ - http_proxy: cfilter for http proxy tunneling
+ - vtls: cfilters for primary and proxy ssl
+ - change in general handling of data/conn
+ - Curl_cfilter_setup() sets up filter chain based on data settings,
+ if none are installed by the protocol handler setup
+ - Curl_cfilter_connect() boot straps filters into `connected` status,
+ used by handlers and multi to reach further stages
+ - Curl_cfilter_is_connected() to check if a conn is connected,
+ e.g. all filters have done their work
+ - Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE
+ indicators for multi select to work
+ - Curl_cfilter_data_pending() asks filters if the have incoming
+ data pending for recv
+ - Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks
+ installed in conn->recv/conn->send for io handling
+ - Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters
+ and addition/removal of a `data` from their connection
+ - adding vtl functions to prevent use of Curl_ssl globals directly
+ in other parts of the code.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9855
+
+- curl-rustls.m4: on macOS, rustls also needs the Security framework
+
+ Closes #9883
+
+Daniel Stenberg (10 Nov 2022)
+
+- rtsp: only store first_host once
+
+ Suggested-by: Erik Janssen
+ URL: https://github.com/curl/curl/pull/9870#issuecomment-1309499744
+ Closes #9882
+
+Fata Nugraha (10 Nov 2022)
+
+- test3028: verify PROXY
+
+- http: do not send PROXY more than once
+
+ Unlike `CONNECT`, currently we don't keep track whether `PROXY` is
+ already sent or not. This causes `PROXY` header to be sent twice during
+ `MSTATE_TUNNELING` and `MSTATE_PROTOCONNECT`.
+
+ Closes #9878
+ Fixes #9442
+
+Jay Satiro (10 Nov 2022)
+
+- lib: add CURL_WRITEFUNC_ERROR to signal write callback error
+
+ Prior to this change if the user wanted to signal an error from their
+ write callbacks they would have to use logic to return a value different
+ from the number of bytes (nmemb) passed to the callback. Also, the
+ inclination of some users has been to just return 0 to signal error,
+ which is incorrect as that may be the number of bytes passed to the
+ callback.
+
+ To remedy this the user can now return CURL_WRITEFUNC_ERROR instead.
+
+ Ref: https://github.com/curl/curl/issues/9873
+
+ Closes https://github.com/curl/curl/pull/9874
+
+Daniel Stenberg (9 Nov 2022)
+
+- Revert "GHA: add scorecard.yml"
+
+ This reverts commit ca76c79b34f9d90105674a2151bf228ff7b13bef.
+
+- GHA: add scorecard.yml
+
+ add a "scorecard" scanner job
+
+Lorenzo Miniero (9 Nov 2022)
+
+- test3100: RTSP Basic authentication
+
+ Closes #9449
+
+Daniel Stenberg (9 Nov 2022)
+
+- rtsp: fix RTSP auth
+
+ Verified with test 3100
+
+ Fixes #4750
+ Closes #9870
+
+- KNOWN_BUGS: remove eight entries
+
+ - 1.2 Multiple methods in a single WWW-Authenticate: header
+
+ This is not considered a bug anymore but a restriction and one that we
+ keep because we have NEVER gotten this reported by users in the wild and
+ because of this I consider this a fringe edge case we don't need to
+ support.
+
+ - 1.6 Unnecessary close when 401 received waiting for 100
+
+ This is not a bug, but possibly an optimization that *can* be done.
+
+ - 1.7 Deflate error after all content was received
+
+ This is not a curl bug. This happens due to broken servers.
+
+ - 2.1 CURLINFO_SSL_VERIFYRESULT has limited support
+
+ This is not a bug. This is just the nature of the implementation.
+
+ - 2.2 DER in keychain
+
+ This is not a bug.
+
+ - 5.7 Visual Studio project gaps
+
+ This is not a bug.
+
+ - 15.14 cmake build is not thread-safe
+
+ Fixed in 109e9730ee5e2b
+
+ - 11.3 Disconnects do not do verbose
+
+ This is not a bug.
+
+ Closes #9871
+
+Hirotaka Tagawa (9 Nov 2022)
+
+- headers: add endif comments
+
+ Closes #9853
+
+Daniel Stenberg (8 Nov 2022)
+
+- test1221: verify --url-query
+
+- curl: add --url-query
+
+ This option adds a piece of data, usually a name + value pair, to the
+ end of the URL query part. The syntax is identical to that used for
+ --data-urlencode with one extension:
+
+ If the argument starts with a '+' (plus), the rest of the string is
+ provided as-is unencoded.
+
+ This allows users to "build" query parts with options and URL encoding
+ even when not doing GET requests, which the already provided option -G
+ (--get) is limited to.
+
+ This idea was born in a Twitter thread.
+
+ Closes #9691
+
+- maketgz: set the right version in lib/libcurl.plist
+
+ Follow-up to e498a9b1fe5964a18eb2a3a99dc52
+
+ Make sure the tarball gets a version of the libcurl.plist file that is
+ updated with the new version string.
+
+ Reported-by: jvreelanda on github
+ Fixes #9866
+ Closes #9867
+
+- RELEASE-NOTES: synced
+
+ Bumped version to 7.87.0
+
+Michael Drake (8 Nov 2022)
+
+- curl.h: add CURLOPT_CA_CACHE_TIMEOUT option
+
+ Adds a new option to control the maximum time that a cached
+ certificate store may be retained for.
+
+ Currently only the OpenSSL backend implements support for
+ caching certificate stores.
+
+ Closes #9620
+
+- openssl: reduce CA certificate bundle reparsing by caching
+
+ Closes #9620
+
+Rose (8 Nov 2022)
+
+- lib: fix some type mismatches and remove unneeded typecasts
+
+ Many of these castings are unneeded if we change the variables to work
+ better with each other.
+
+ Ref: https://github.com/curl/curl/pull/9823
+
+ Closes https://github.com/curl/curl/pull/9835
+
+Daniel Stenberg (8 Nov 2022)
+
+- cookie: compare cookie prefixes case insensitively
+
+ Adapted to language in rfc6265bis draft-11.
+
+ Closes #9863
+
+ Reviewed-by: Daniel Gustafsson
+
+- tool_operate: when aborting, make sure there is a non-NULL error buffer
+
+ To store custom errors in. Or SIGSEGVs will follow.
+
+ Reported-by: Trail of Bits
+ Closes #9865
+
+- WEBSOCKET.md: fix broken link
+
+ Reported-by: Felipe Gasper
+ Bug: https://curl.se/mail/lib-2022-10/0097.html
+ Closes #9864
+
+- CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
+
+ Reported-by: Oskar Sigvardsson
+
+ Bug: https://curl.se/mail/lib-2022-11/0016.html
+
+ Closes #9862
+
+Stefan Eissing (7 Nov 2022)
+
+- websockets: fix handling of partial frames
+
+ buffer used and send length calculations are fixed when a partial
+ websocket frame has been received.
+
+ Closes #9861
+
+Daniel Stenberg (7 Nov 2022)
+
+- mailmap: unify Stefan Eissing
+
+Stefan Eissing (7 Nov 2022)
+
+- hyper: fix handling of hyper_task's when reusing the same address
+
+ Fixes #9840
+ Closes #9860
+
+Jay Satiro (7 Nov 2022)
+
+- ws: return CURLE_NOT_BUILT_IN when websockets not built in
+
+ - Change curl_ws_recv & curl_ws_send to return CURLE_NOT_BUILT_IN when
+ websockets support is not built in.
+
+ Prior to this change they returned CURLE_OK.
+
+ Closes #9851
+
+Daniel Stenberg (7 Nov 2022)
+
+- noproxy: tailmatch like in 7.85.0 and earlier
+
+ A regfression in 7.86.0 (via 1e9a538e05c010) made the tailmatch work
+ differently than before. This restores the logic to how it used to work:
+
+ All names listed in NO_PROXY are tailmatched against the used domain
+ name, if the lengths are identical it needs a full match.
+
+ Update the docs, update test 1614.
+
+ Reported-by: Stuart Henderson
+ Fixes #9842
+ Closes #9858
+
+- configure: require fork for NTLM-WB
+
+ Reported-by: ウさん
+
+ Fixes #9847
+ Closes #9856
+
+- docs/EARLY-RELEASE.md: how to determine an early release
+
+ URL: https://curl.se/mail/lib-2022-10/0079.html
+
+ Closes #9820
+
+- RELEASE-NOTES: synced
+
+Zespre Schmidt (3 Nov 2022)
+
+- docs: add missing parameters for --retry flag
+
+ Closes #9848
+
+Adam Averay (3 Nov 2022)
+
+- libcurl-errors.3: remove duplicate word
+
+ Closes #9846
+
+Eric Vigeant (3 Nov 2022)
+
+- cur_path: do not add '/' if homedir ends with one
+
+ When using SFTP and a path relative to the user home, do not add a
+ trailing '/' to the user home dir if it already ends with one.
+
+ Closes #9844
+
+Viktor Szakats (1 Nov 2022)
+
+- windows: fail early with a missing windres in autotools
+
+ `windres` is not always auto-detected by autotools when building for
+ Windows. When this happened, the build failed with a confusing error due
+ to the empty `RC` command:
+
+ ```
+ /bin/bash ../libtool --tag=RC --mode=compile -I../include -DCURL_EMBED_MANIF
+ EST -i curl.rc -o curl.o
+ [...]
+ Usage: /sandbox/curl/libtool [OPTION]... [MODE-ARG]...
+ Try 'libtool --help' for more information.
+ libtool: error: unrecognised option: '-I../include'
+ ```
+
+ Improve this by verifying if `RC` is set, and fail with a clear error
+ otherwise.
+
+ Follow-up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057
+
+ Ref: https://curl.se/mail/lib-2022-10/0049.html
+ Reported-by: Thomas Glanzmann
+ Closes #9781
+
+- lib: sync guard for Curl_getaddrinfo_ex() definition and use
+
+ `Curl_getaddrinfo_ex()` gets _defined_ with `HAVE_GETADDRINFO` set. But,
+ `hostip4.c` _used_ it with `HAVE_GETADDRINFO_THREADSAFE` set alone. It
+ meant a build with the latter, but without the former flag could result
+ in calling this function but not defining it, and failing to link.
+
+ Patch this by adding an extra check for `HAVE_GETATTRINFO` around the
+ call.
+
+ Before this patch, build systems prevented this condition. Now they
+ don't need to.
+
+ While here, simplify the related CMake logic on Windows by setting
+ `HAVE_GETADDRINFO_THREADSAFE` to the detection result of
+ `HAVE_GETADDRINFO`. This expresses the following intent clearer than
+ the previous patch and keeps the logic in a single block of code:
+ When we have `getaddrinfo()` on Windows, it's always threadsafe.
+
+ Follow-up to 67d88626d44ec04b9e11dca4cfbf62cd29fe9781
+
+ Reviewed-by: Jay Satiro
+ Closes #9734
+
+- tidy-up: process.h detection and use
+
+ This patch aims to cleanup the use of `process.h` header and the macro
+ `HAVE_PROCESS_H` associated with it.
+
+ - `process.h` is always available on Windows. In curl, it is required
+ only for `_beginthreadex()` in `lib/curl_threads.c`.
+
+ - `process.h` is also available in MS-DOS. In curl, its only use was in
+ `lib/smb.c` for `getpid()`. But `getpid()` is in fact declared by
+ `unistd.h`, which is always enabled via `lib/config-dos.h`. So the
+ header is not necessary.
+
+ - `HAVE_PROCESS_H` was detected by CMake, forced to 1 on Windows and
+ left to real detection for other platforms.
+ It was also set to always-on in `lib/config-win32.h` and
+ `lib/config-dos.h`.
+ In autotools builds, there was no detection and the macro was never
+ set.
+
+ Based on these observations, in this patch we:
+
+ - Rework Windows `getpid` logic in `lib/smb.c` to always use the
+ equivalent direct Win32 API function `GetCurrentProcessId()`, as we
+ already did for Windows UWP apps. This makes `process.h` unnecessary
+ here on Windows.
+
+ - Stop #including `process.h` into files where it was not necessary.
+ This is everywhere, except `lib/curl_threads.c`.
+
+ > Strangely enough, `lib/curl_threads.c` compiled fine with autotools
+ > because `process.h` is also indirecty included via `unistd.h`. This
+ > might have been broken in autotools MSVC builds, where the latter
+ > header is missing.
+
+ - Delete all remaining `HAVE_PROCESS_H` feature guards, for they were
+ unnecessary.
+
+ - Delete `HAVE_PROCESS_H` detection from CMake and predefined values
+ from `lib/config-*.h` headers.
+
+ Reviewed-by: Jay Satiro
+ Closes #9703
+
+Daniel Stenberg (1 Nov 2022)
+
+- lib1301: unit103 turned into a libtest
+
+ It is not a unit test so moved over to libtests.
+
+- strcase: use curl_str(n)equal for case insensitive matches
+
+ No point in having two entry points for the same functions.
+
+ Also merged the *safe* function treatment into these so that they can
+ also be used when one or both pointers are NULL.
+
+ Closes #9837
+
+- README.md: remove badges and xmas-tree garnish
+
+ URL: https://curl.se/mail/lib-2022-10/0050.html
+
+ Closes #9833
+
+Patrick Monnerat (1 Nov 2022)
+
+- gen.pl: do not generate CURLHELP bitmask lines > 79 characters
+
+ If a command line option is in many help categories, there is a risk
+ that CURLHELP bitmask source lines generated for listhelp are longer
+ than 79 characters.
+
+ This change takes care of folding such long lines.
+
+ Cloes #9834
+
+Marc Hoersken (30 Oct 2022)
+
+- CI/cirrus: remove superfluous double-quotes and sudo
+
+ Follow up to #9565 and #9677
+ Closes #9738
+
+- tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
+
+ Ref: #9738
+
+Daniel Stenberg (30 Oct 2022)
+
+- style: use space after comment start and before comment end
+
+ /* like this */
+
+ /*not this*/
+
+ checksrc is updated accordingly
+
+ Closes #9828
+
+Patrick Schlangen (30 Oct 2022)
+
+- docs: remove performance note in CURLOPT_SSL_VERIFYPEER
+
+ This note became obsolete since PR #7892 (see also discussion in the PR
+ comments).
+
+ Closes #9832
+
+Daniel Stenberg (30 Oct 2022)
+
+- tests/server: make use of strcasecompare from lib/
+
+ ... instead of having a second private implementation.
+
+ Idea triggered by #9830
+
+ Closes #9831
+
+- curl: timeout in the read callback
+
+ The read callback can timeout if there's nothing to read within the
+ given maximum period. Example use case is when doing "curl -m 3
+ telnet://example.com" or anything else that expects input on stdin or
+ similar that otherwise would "hang" until something happens and then not
+ respect the timeout.
+
+ This fixes KNOWN_BUG 8.1, first filed in July 2009.
+
+ Bug: https://sourceforge.net/p/curl/bugs/846/
+
+ Closes #9815
+
+- noproxy: fix tail-matching
+
+ Also ignore trailing dots in both host name and comparison pattern.
+
+ Regression in 7.86.0 (from 1e9a538e05c0)
+
+ Extended test 1614 to verify better.
+
+ Reported-by: Henning Schild
+ Fixes #9821
+ Closes #9822
+
+- docs: explain the noproxy CIDR notation support
+
+ Follow-up to 1e9a538e05c0107c
+
+ Closes #9818
+
+Jon Rumsey (27 Oct 2022)
+
+- os400: use platform socklen_t in Curl_getnameinfo_a
+
+ Curl_getnameinfo_a() is prototyped before including curl.h as an
+ ASCII'fied wrapper for getnameinfo(), which itself is prototyped with
+ socklen_t arguments, so this should use the platform socklen_t and not
+ curl_socklen_t too.
+
+ Update setup-os400.h
+
+ Fixes #9811
+ Closes #9812
+
+Daniel Stenberg (27 Oct 2022)
+
+- noproxy: also match with adjacent comma
+
+ If the host name is an IP address and the noproxy string contained that
+ IP address with a following comma, it would erroneously not match.
+
+ Extended test 1614 to verify this combo as well.
+
+ Reported-by: Henning Schild
+
+ Fixes #9813
+ Closes #9814
+
+Randall S. Becker (27 Oct 2022)
+
+- build: fix for NonStop
+
+ - Include arpa/inet.h in all units where htonl is called.
+
+ Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
+
+ Closes https://github.com/curl/curl/pull/9816
+
+- system.h: support 64-bit curl_off_t for NonStop 32-bit
+
+ - Correctly define curl_off_t on NonStop (ie __TANDEM) ia64 and x86 for
+ 32-bit builds.
+
+ Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
+
+ Closes https://github.com/curl/curl/pull/9817
+
+Daniel Stenberg (27 Oct 2022)
+
+- spellcheck.words: remove 'github' as an accepted word
+
+ Prefer the properly cased version: GitHub
+
+ Use markdown for links and GitHub in text.
+
+ Closes #9810
+
+Ayesh Karunaratne (27 Oct 2022)
+
+- misc: typo and grammar fixes
+
+ - Replace `Github` with `GitHub`.
+ - Replace `windows` with `Windows`
+ - Replace `advice` with `advise` where a verb is used.
+ - A few fixes on removing repeated words.
+ - Replace `a HTTP` with `an HTTP`
+
+ Closes #9802
+
+Viktor Szakats (27 Oct 2022)
+
+- windows: fix linking .rc to shared curl with autotools
+
+ `./configure --enable-shared --disable-static` fails when trying to link
+ a shared `curl.exe`, due to `libtool` magically changing the output
+ filename of `windres` to one that it doesn't find when linking:
+
+ ```
+ /bin/sh ../libtool --tag=RC --mode=compile windres -I../../curl/include -DCUR
+ L_EMBED_MANIFEST -i ../../curl/src/curl.rc -o curl.o
+ libtool: compile: windres -I../../curl/include -DCURL_EMBED_MANIFEST -i ../.
+ ./curl/src/curl.rc -o .libs/curl.o
+ [...]
+ CCLD curl.exe
+ clang: error: no such file or directory: 'curl.o'
+ ```
+
+ Let's resolve this by skipping `libtool` and calling `windres` directly
+ when building `src` (aka `curl.exe`). Leave `lib` unchanged, as it does
+ need the `libtool` magic. This solution is compatible with building
+ a static `curl.exe`.
+
+ This build scenario is not CI-tested.
+
+ While here, delete an obsolete comment about a permanent `libtool`
+ warning that we've resolved earlier.
+
+ Regression from 6de7322c03d5b4d91576a7d9fc893e03cc9d1057
+
+ Reported-by: Christoph Reiter
+ Fixes #9803
+ Closes #9805
+
+- cmake: really enable warnings with clang
+
+ Even though `PICKY_COMPILER=ON` is the default, warnings were not
+ enabled when using llvm/clang, because `CMAKE_COMPILER_IS_CLANG` was
+ always false (in my tests at least).
+
+ This is the single use of this variable in curl, and in a different
+ place we already use `CMAKE_C_COMPILER_ID MATCHES "Clang"`, which works
+ as expected, so change the condition to use that instead.
+
+ Also fix the warnings uncovered by the above:
+
+ - lib: add casts to silence clang warnings
+
+ - schannel: add casts to silence clang warnings in ALPN code
+
+ Assuming the code is correct, solve the warnings with a cast.
+ This particular build case isn't CI tested.
+
+ There is a chance the warning is relevant for some platforms, perhaps
+ Windows 32-bit ARM7.
+
+ Closes #9783
+
+Joel Depooter (26 Oct 2022)
+
+- sendf: remove unnecessary if condition
+
+ At this point, the psnd->buffer will always exist. We have already
+ allocated a new buffer if one did not previously exist, and returned
+ from the function if the allocation failed.
+
+ Closes #9801
+
+Viktor Szakats (26 Oct 2022)
+
+- winidn: drop WANT_IDN_PROTOTYPES
+
+ `WANT_IDN_PROTOTYPES` was necessary to avoid using a header that came
+ via an optional package. MS stopped distributing this package some
+ years ago and the winidn definitions are part of standard headers (via
+ `windows.h`) since Vista.
+
+ Auto-detect Vista inside `lib/idn_win32.c` and enable the manual
+ definitions if building for an older Windows.
+
+ This allows to delete this manual knob from all build-systems.
+
+ Also drop the `_SAL_VERSION` sub-case:
+
+ Our manual definitions are now only enabled with old systems. We assume
+ that code analysis is not run on such systems, allowing us to delete the
+ SAL-friendly flavour of these.
+
+ Reviewed-by: Jay Satiro
+ Closes #9793
+
+Daniel Stenberg (26 Oct 2022)
+
+- misc: remove duplicated include files
+
+ Closes #9796
+
+- scripts/checksrc.pl: detect duplicated include files
+
+ After an idea by Dan Fandrich in #9794
+
+ Closes #9796
+
+- RELEASE-NOTES: synced
+
+ And bumped version to 7.86.1 for now
+
+- CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE
+
+ The removal is brief or long, don't assume.
+
+ Reported-by: Luca Niccoli
+
+ Fixes #9799
+ Closes #9800
+
+Version 7.86.0 (26 Oct 2022)
+
+Daniel Stenberg (26 Oct 2022)
+
+- RELEASE: synced
+
+ The 7.86.0 release
+
+- THANKS: added from the 7.86.0 release
+
+Viktor Szakats (25 Oct 2022)
+
+- noproxy: include netinet/in.h for htonl()
+
+ Solve the Amiga build warning by including `netinet/in.h`.
+
+ `krb5.c` and `socketpair.c` are using `htonl()` too. This header is
+ already included in those sources.
+
+ Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9787
+
+Marc Hoersken (24 Oct 2022)
+
+- CI: fix AppVeyor status failing for starting jobs
+
+Daniel Stenberg (24 Oct 2022)
+
+- test445: verifies the protocols-over-http-proxy flaw and fix
+
+- http_proxy: restore the protocol pointer on error
+
+ Reported-by: Trail of Bits
+
+ Closes #9790
+
+- multi: remove duplicate include of connect.h
+
+ Reported-by: Martin Strunz
+ Fixes #9794
+ Closes #9795
+
+Daniel Gustafsson (24 Oct 2022)
+
+- idn: fix typo in test description
+
+ s/enabked/enabled/i
+
+Daniel Stenberg (24 Oct 2022)
+
+- url: use IDN decoded names for HSTS checks
+
+ Reported-by: Hiroki Kurosawa
+
+ Closes #9791
+
+- unit1614: fix disabled-proxy build
+
+ Follow-up to 1e9a538e05c01
+
+ Closes #9792
+
+Daniel Gustafsson (24 Oct 2022)
+
+- cookies: optimize control character check
+
+ When checking for invalid octets the strcspn() call will return the
+ position of the first found invalid char or the first NULL byte.
+ This means that we can check the indicated position in the search-
+ string saving a strlen() call.
+
+ Closes: #9736
+ Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
+
+Daniel Stenberg (24 Oct 2022)
+
+- netrc: replace fgets with Curl_get_line
+
+ Make the parser only accept complete lines and avoid problems with
+ overly long lines.
+
+ Reported-by: Hiroki Kurosawa
+
+ Closes #9789
+
+- RELEASE-NOTES: add "Planned upcoming removals include"
+
+ URL: https://curl.se/mail/archive-2022-10/0001.html
+
+ Suggested-by: Dan Fandrich
+
+Viktor Szakats (23 Oct 2022)
+
+- ci: bump to gcc-11 for macos
+
+ Ref: https://github.blog/changelog/2022-10-03-github-actions-jobs-running-on-
+ macos-latest-are-now-running-on-macos-12/
+ Ref: https://github.com/actions/runner-images/blob/main/images/macos/macos-12
+ -Readme.md
+
+ Reviewed-by: Max Dymond
+ Closes #9785
+
+- Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [ci skip]
+
+ - Reintroduce `CROSSPREFIX`:
+
+ If set, we add it to the `CC` and `AR` values, and to the _default_
+ value of `RC`, which is `windres`. This allows to control each of
+ these individidually, while also allowing to simplify configuration
+ via `CROSSPREFIX`.
+
+ This variable worked differently earlier. Hopefully this new solution
+ hits a better compromise in usefulness/complexity/flexibility.
+
+ Follow-up to: aa970c4c08775afcd0c2853be89b0a6f02582d50
+
+ - Enable warnings again:
+
+ This time with an option to override it via `CFLAGS`. Warnings are
+ also enabled by default in CMake, `makefile.dj` and `makefile.amiga`
+ builds (not in autotools though).
+
+ Follow-up to 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3
+
+ Closes #9784
+
+- noproxy: silence unused variable warnings with no ipv6
+
+ Follow-up to 36474f1050c7f4117e3c8de6cc9217cfebfc717d
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9782
+
+Daniel Stenberg (22 Oct 2022)
+
+- test644: verify --xattr (with redirect)
+
+- tool_xattr: save the original URL, not the final redirected one
+
+ Adjusted test 1621 accordingly.
+
+ Reported-by: Viktor Szakats
+ Fixes #9766
+ Closes #9768
+
+- docs: make sure libcurl opts examples pass in long arguments
+
+ Reported-by: Sergey
+ Fixes #9779
+ Closes #9780
+
+Marc Hoersken (21 Oct 2022)
+
+- CI: fix AppVeyor job links only working for most recent build
+
+ Ref: https://github.com/curl/curl/pull/9768#issuecomment-1286675916
+ Reported-by: Daniel Stenberg
+
+ Follow up to #9769
+
+Viktor Szakats (21 Oct 2022)
+
+- noproxy: fix builds without AF_INET6
+
+ Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9778
+
+Daniel Stenberg (21 Oct 2022)
+
+- noproxy: support proxies specified using cidr notation
+
+ For both IPv4 and IPv6 addresses. Now also checks IPv6 addresses "correctly"
+ and not with string comparisons.
+
+ Split out the noproxy checks and functionality into noproxy.c
+
+ Added unit test 1614 to verify checking functions.
+
+ Reported-by: Mathieu Carbonneaux
+
+ Fixes #9773
+ Fixes #5745
+ Closes #9775
+
+- urlapi: remove two variable assigns
+
+ To please scan-build:
+
+ urlapi.c:1163:9: warning: Value stored to 'qlen' is never read
+ qlen = Curl_dyn_len(&enc);
+ ^ ~~~~~~~~~~~~~~~~~~
+ urlapi.c:1164:9: warning: Value stored to 'query' is never read
+ query = u->query = Curl_dyn_ptr(&enc);
+ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ Follow-up to 7d6cf06f571d57
+
+ Closes #9777
+
+Jeremy Maitin-Shepard (21 Oct 2022)
+
+- cmake: improve usability of CMake build as a sub-project
+
+ - Renames `uninstall` -> `curl_uninstall`
+ - Ensures all export rules are guarded by CURL_ENABLE_EXPORT_TARGET
+
+ Closes #9638
+
+Don J Olmstead (21 Oct 2022)
+
+- easy_lock: check for HAVE_STDATOMIC_H as well
+
+ The check for `HAVE_STDATOMIC_H` looks to see if the `stdatomic.h`
+ header is present.
+
+ Closes #9755
+
+Daniel Stenberg (21 Oct 2022)
+
+- RELEASE-NOTES: synced
+
+Brad Harder (20 Oct 2022)
+
+- CURLMOPT_PIPELINING.3: dedup manpage xref
+
+ Closes #9776
+
+Marc Hoersken (20 Oct 2022)
+
+- CI: report AppVeyor build status for each job
+
+ Also give each job on AppVeyor CI a human-readable name.
+
+ This aims to make job and therefore build failures more visible.
+
+ Reviewed-by: Marcel Raad
+ Closes #9769
+
+Viktor Szakats (20 Oct 2022)
+
+- amiga: set SIZEOF_CURL_OFF_T=8 by default [ci skip]
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9771
+
+- connect: fix builds without AF_INET6
+
+ Regression from 2b309560c1e5d6ed5c0e542e6fdffa968b0521c9
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Jay Satiro
+
+ Closes #9770
+
+Daniel Stenberg (20 Oct 2022)
+
+- test1105: adjust <data> to work with a hyper build
+
+ Closes #9767
+
+- urlapi: fix parsing URL without slash with CURLU_URLENCODE
+
+ When CURLU_URLENCODE is set, the parser would mistreat the path
+ component if the URL was specified without a slash like in
+ http://local.test:80?-123
+
+ Extended test 1560 to reproduce and verify the fix.
+
+ Reported-by: Trail of Bits
+
+ Closes #9763
+
+Marc Hoersken (19 Oct 2022)
+
+- tests: avoid CreateThread if _beginthreadex is available
+
+ CreateThread is not threadsafe if mixed with CRT calls.
+ _beginthreadex on the other hand can be mixed with CRT.
+
+ Reviewed-by: Marcel Raad
+ Closes #9705
+
+Joel Depooter (19 Oct 2022)
+
+- schannel: Don't reset recv/send function pointers on renegotiation
+
+ These function pointers will have been set when the initial TLS
+ handshake was completed. If they are unchanged, there is no need to set
+ them again. If they have been changed, as is the case with HTTP/2, we
+ don't want to override that change. That would result in the
+ http22_recv/send functions being completely bypassed.
+
+ Prior to this change a connection that uses Schannel with HTTP/2 would
+ fail on renegotiation with error "Received HTTP/0.9 when not allowed".
+
+ Fixes https://github.com/curl/curl/issues/9451
+ Closes https://github.com/curl/curl/pull/9756
+
+Viktor Szakats (18 Oct 2022)
+
+- hostip: guard PF_INET6 use
+
+ Some platforms (e.g. Amiga OS) do not have `PF_INET6`. Adjust the code
+ for these.
+
+ ```
+ hostip.c: In function 'fetch_addr':
+ hostip.c:308:12: error: 'PF_INET6' undeclared (first use in this function)
+ pf = PF_INET6;
+ ^~~~~~~~
+ ```
+
+ Regression from 1902e8fc511078fb5e26fc2b907b4cce77e1240d
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9760
+
+- amiga: do not hardcode openssl/zlib into the os config [ci skip]
+
+ Enable them in `lib/makefile.amiga` and `src/makefile.amiga` instead.
+
+ This allows builds without openssl and/or zlib. E.g. with the
+ <https://github.com/bebbo/amiga-gcc> cross-compiler.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9762
+
+- amigaos: add missing curl header [ci skip]
+
+ Without it, `CURLcode` and `CURLE_*` are undefined. `lib/hostip.h` and
+ conditional local code need them.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9761
+
+Daniel Stenberg (18 Oct 2022)
+
+- cmdline/docs: add a required 'multi' keyword for each option
+
+ The keyword specifies how option works when specified multiple times:
+
+ - single: the last provided value replaces the earlier ones
+ - append: it supports being provided multiple times
+ - boolean: on/off values
+ - mutex: flag-like option that disable anoter flag
+
+ The 'gen.pl' script then outputs the proper and unified language for
+ each option's multi-use behavior in the generated man page.
+
+ The multi: header is requires in each .d file and will cause build error
+ if missing or set to an unknown value.
+
+ Closes #9759
+
+- CURLOPT_AUTOREFERER.3: highlight the privacy leak risk
+
+ Closes #9757
+
+- mprintf: reject two kinds of precision for the same argument
+
+ An input like "%.*1$.9999d" would first use the precision taken as an
+ argument *and* then the precision specified in the string, which is
+ confusing and wrong. pass1 will now instead return error on this double
+ use.
+
+ Adjusted unit test 1398 to verify
+
+ Reported-by: Peter Goodman
+
+ Closes #9754
+
+- ftp: remove redundant if
+
+ Reported-by: Trail of Bits
+
+ Closes #9753
+
+- tool_operate: more transfer cleanup after parallel transfer fail
+
+ In some circumstances when doing parallel transfers, the
+ single_transfer_cleanup() would not be called and then 'inglob' could
+ leak.
+
+ Test 496 verifies
+
+ Reported-by: Trail of Bits
+ Closes #9749
+
+- mqtt: spell out CONNECT in comments
+
+ Instead of calling it 'CONN' in several comments, use the full and
+ correct protocol packet name.
+
+ Suggested by Trail of Bits
+
+ Closes #9751
+
+- CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST
+
+ Not the deprecated CURLOPT_HTTPPOST option.
+
+ Also added two see-alsos.
+
+ Reported-by: Trail of Bits
+ Closes #9752
+
+- RELEASE-NOTES: synced
+
+Jay Satiro (17 Oct 2022)
+
+- ngtcp2: Fix build errors due to changes in ngtcp2 library
+
+ ngtcp2/ngtcp2@b0d86f60 changed:
+
+ - ngtcp2_conn_get_max_udp_payload_size =>
+ ngtcp2_conn_get_max_tx_udp_payload_size
+
+ - ngtcp2_conn_get_path_max_udp_payload_size =>
+ ngtcp2_conn_get_path_max_tx_udp_payload_size
+
+ ngtcp2/ngtcp2@ec59b873 changed:
+
+ - 'early_data_rejected' member added to ng_callbacks.
+
+ Assisted-by: Daniel Stenberg
+ Reported-by: jurisuk@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/9747
+ Closes https://github.com/curl/curl/pull/9748
+
+Daniel Stenberg (16 Oct 2022)
+
+- curl_path: return error if given a NULL homedir
+
+ Closes #9740
+
+- libssh: if sftp_init fails, don't get the sftp error code
+
+ This flow extracted the wrong code (sftp code instead of ssh code), and
+ the code is sometimes (erroneously) returned as zero anyway, so skip
+ getting it and set a generic error.
+
+ Reported-by: David McLaughlin
+ Fixes #9737
+ Closes #9740
+
+- mqtt: return error for too long topic
+
+ Closes #9744
+
+Rickard Hallerbäck (16 Oct 2022)
+
+- tool_paramhlp: make the max argument a 'double'
+
+ To fix compiler warnings "Implicit conversion from 'long' to 'double'
+ may lose precision"
+
+ Closes #9700
+
+Philip Heiduck (15 Oct 2022)
+
+- cirrus-ci: add more macOS builds with m1 based on x86_64 builds
+
+ Also refactor macOS builds to use task matrix.
+
+ Assisted-by: Marc Hörsken
+ Closes #9565
+
+Viktor Szakats (14 Oct 2022)
+
+- cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows
+
+ `lib/config-win32.h` enables this configuration option unconditionally.
+ Make it apply to CMake builds as well.
+
+ While here, delete a broken check for
+ `HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID` from `CMakeLists.txt`. This came with
+ the initial commit [1], but did not include the actual verification code
+ inside `CMake/CurlTests.c`, so it always failed. A later commit [2]
+ added a second test, for non-Windows platforms.
+
+ Enabling this flag causes test 1056 to fail with CMake builds, as they
+ do with autotools builds. Let's apply the same solution and ignore the
+ results here as well.
+
+ [1] 4c5307b45655ba75ab066564afdc0c111a8b9291
+ [2] aec7c5a87c8482b6ddffa352d7d220698652262e
+
+ Reviewed-by: Daniel Stenberg
+ Assisted-by: Marcel Raad
+
+ Closes #9726
+
+- cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows
+
+ autotools enables this configuration option unconditionally for Windows
+ [^1]. Do the same in CMake.
+
+ The above will make this work for all reasonably recent environments.
+ The logic present in `lib/config-win32.h` [^2] has the following
+ exceptions which we did not cover in this CMake update:
+
+ - Builds targeting Windows 2000 and earlier
+ - MS Visual C++ 5.0 (1997) and earlier
+
+ Also make sure to disable this feature when `HAVE_GETADDRINFO` isn't
+ set, to avoid a broken build. We might want to handle that in the C
+ sources in a future commit.
+
+ [^1]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a5
+ 1f6/m4/curl-functions.m4#L2067-L2070
+
+ [^2]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a5
+ 1f6/lib/config-win32.h#L511-L528
+
+ Closes #9727
+
+- cmake: sync HAVE_SIGNAL detection with autotools
+
+ `HAVE_SIGNAL` means the availability of the `signal()` function in
+ autotools, while in CMake it meant the availability of that function
+ _and_ the symbol `SIGALRM`.
+
+ The latter is not available on Windows, but the function is, which means
+ on Windows, autotools did define `HAVE_SIGNAL`, but CMake did not,
+ introducing a slight difference into the binaries.
+
+ This patch syncs CMake behaviour with autotools to look for the function
+ only.
+
+ The logic came with the initial commit adding CMake support to curl, so
+ the commit history doesn't reveal the reason behind it. In any case,
+ it's best to check the existence of `SIGALRM` directly in the source
+ before use. For now, curl builds fine with `HAVE_SIGNAL` enabled and
+ `SIGALRM` missing.
+
+ Follow-up to 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6
+
+ Closes #9725
+
+- cmake: delete duplicate HAVE_GETADDRINFO test
+
+ A custom `HAVE_GETADDRINFO` check came with the initial CMake commit
+ [1]. A later commit [2] added a standard check for it as well. The
+ standard check run before the custom one, so CMake ignored the latter.
+
+ The custom check was also non-portable, so this patch deletes it in
+ favor of the standard check.
+
+ [1] 4c5307b45655ba75ab066564afdc0c111a8b9291
+ [2] aec7c5a87c8482b6ddffa352d7d220698652262e
+
+ Closes #9731
+
+Daniel Stenberg (14 Oct 2022)
+
+- tool_formparse: unroll the NULL_CHECK and CONST_FREE macros
+
+ To make the code read more obvious
+
+ Assisted-by: Jay Satiro
+
+ Closes #9710
+
+Christopher Sauer (14 Oct 2022)
+
+- docs/INSTALL: update Android Instructions for newer NDKs
+
+ Closes #9732
+
+Daniel Stenberg (14 Oct 2022)
+
+- markdown-uppercase: ignore quoted sections
+
+ Sections within the markdown ~~~ or ``` are now ignored.
+
+ Closes #9733
+
+- RELEASE-NOTES: synced
+
+- test8: update as cookies no longer can have "embedded" TABs in content
+
+- test1105: extend to verify TAB in name/content discarding cookies
+
+- cookie: reject cookie names or content with TAB characters
+
+ TABs in name and content seem allowed by RFC 6265: "the algorithm strips
+ leading and trailing whitespace from the cookie name and value (but
+ maintains internal whitespace)"
+
+ Cookies with TABs in the names are rejected by Firefox and Chrome.
+
+ TABs in content are stripped out by Firefox, while Chrome discards the
+ whole cookie.
+
+ TABs in cookies also cause issues in saved netscape cookie files.
+
+ Reported-by: Trail of Bits
+
+ URL: https://curl.se/mail/lib-2022-10/0032.html
+ URL: https://github.com/httpwg/http-extensions/issues/2262
+
+ Closes #9659
+
+- curl/add_parallel_transfers: better error handling
+
+ 1 - consider the transfer handled at once when in the function, to avoid
+ the same list entry to get added more than once in rare error
+ situations
+
+ 2 - set the ERRORBUFFER for the handle first after it has been added
+ successfully
+
+ Reported-by: Trail of Bits
+
+ Closes #9729
+
+- netrc: remove the two 'changed' arguments
+
+ As no user of these functions used the returned content.
+
+- test495: verify URL encoded user name + netrc-optional
+
+ Reproduced issue #9709
+
+- netrc: use the URL-decoded user
+
+ When the user name is provided in the URL it is URL encoded there, but
+ when used for authentication the encoded version should be used.
+
+ Regression introduced after 7.83.0
+
+ Reported-by: Jonas Haag
+ Fixes #9709
+ Closes #9715
+
+Shaun Mirani (13 Oct 2022)
+
+- url: allow non-HTTPS HSTS-matching for debug builds
+
+ Closes #9728
+
+Daniel Stenberg (13 Oct 2022)
+
+- test1275: remove the check of stderr
+
+ To avoid the mysterious test failures on Windows, instead rely on the
+ error code returned on failure.
+
+ Fixes #9716
+ Closes #9723
+
+Viktor Szakats (13 Oct 2022)
+
+- lib: set more flags in config-win32.h
+
+ The goal is to add any flag that affect the created binary, to get in
+ sync with the ones built with CMake and autotools.
+
+ I took these flags from curl-for-win [0], where they've been tested with
+ mingw-w64 and proven to work well.
+
+ This patch brings them to curl as follows:
+
+ - Enable unconditionally those force-enabled via
+ `CMake/WindowsCache.cmake`:
+
+ - `HAVE_SETJMP_H`
+ - `HAVE_STRING_H`
+ - `HAVE_SIGNAL` (CMake equivalent is `HAVE_SIGNAL_FUNC`)
+
+ - Expand existing guards with mingw-w64:
+
+ - `HAVE_STDBOOL_H`
+ - `HAVE_BOOL_T`
+
+ - Enable Win32 API functions for Windows Vista and later:
+
+ - `HAVE_INET_NTOP`
+ - `HAVE_INET_PTON`
+
+ - Set sizes, if not already set:
+
+ - `SIZEOF_OFF_T = 8`
+ - `_FILE_OFFSET_BITS = 64` when `USE_WIN32_LARGE_FILES` is set,
+ and using mingw-w64.
+
+ - Add the remaining for mingw-w64 only. Feel free to expand as desired:
+
+ - `HAVE_LIBGEN_H`
+ - `HAVE_FTRUNCATE`
+ - `HAVE_BASENAME`
+ - `HAVE_STRTOK_R`
+
+ Future TODO:
+
+ - `HAVE_SIGNAL` has a different meaning in CMake. It's enabled when both
+ the `signal()` function and the `SIGALRM` macro are found. In
+ autotools and this header, it means the function only. For the
+ function alone, CMake uses `HAVE_SIGNAL_FUNC`.
+
+ [0] https://github.com/curl/curl-for-win/blob/c9b9a5f273c94c73d2b565ee892c4df
+ f0ca97a8c/curl-m32.sh#L53-L58
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9712
+
+Daniel Stenberg (13 Oct 2022)
+
+- tests: add tests/markdown-uppercase.pl to dist tarball
+
+ Follow-up to aafb06c5928183d
+
+ Closes #9722
+
+- tool_paramhelp: asserts verify maximum sizes for string loading
+
+ The two defines MAX_FILE2MEMORY and MAX_FILE2STRING define the largest
+ strings accepted when loading files into memory, but as the size is
+ later used as input to functions that take the size as 'int' as
+ argument, the sizes must not be larger than INT_MAX.
+
+ These two new assert()s make the code error out if someone would bump
+ the sizes without this consideration.
+
+ Reported-by Trail of Bits
+
+ Closes #9719
+
+- http: try parsing Retry-After: as a number first
+
+ Since the date parser allows YYYYMMDD as a date format (due to it being
+ a bit too generic for parsing this particular header), a large integer
+ number could wrongly match that pattern and cause the parser to generate
+ a wrong value.
+
+ No date format accepted for this header starts with a decimal number, so
+ by reversing the check and trying a number first we can deduct that if
+ that works, it was not a date.
+
+ Reported-by Trail of Bits
+
+ Closes #9718
+
+Patrick Monnerat (13 Oct 2022)
+
+- doc: fix deprecation versions inconsistencies
+
+ Ref: https://curl.se/mail/lib-2022-10/0026.html
+
+ Closes #9711
+
+Daniel Stenberg (13 Oct 2022)
+
+- http_aws_sigv4: fix strlen() check
+
+ The check was off-by-one leading to buffer overflow.
+
+ Follow-up to 29c4aa00a16872
+
+ Detected by OSS-Fuzz
+
+ Closes #9714
+
+- curl/main_checkfds: check the fcntl return code better
+
+ fcntl() can (in theory) return a non-zero number for success, so a
+ better test for error is checking for -1 explicitly.
+
+ Follow-up to 41e1b30ea1b77e9ff
+
+ Mentioned-by: Dominik Klemba
+
+ Closes #9708
+
+Viktor Szakats (12 Oct 2022)
+
+- tidy-up: delete unused HAVE_STRUCT_POLLFD
+
+ It was only defined in `lib/config-win32.h`, when building for Vista.
+
+ It was only used in `select.h`, in a condition that also included a
+ check for `POLLIN` which is a superior choice for this detection and
+ which was already used by cmake and autotools builds.
+
+ Delete both instances of this macro.
+
+ Closes #9707
+
+Daniel Stenberg (12 Oct 2022)
+
+- test1275: verify upercase after period in markdown
+
+ Script based on the #9474 pull-request logic, but implemented in perl.
+
+ Updated docs/URL-SYNTAX.md accordingly.
+
+ Suggested-by: Dan Fandrich
+
+ Closes #9697
+
+12932 (12 Oct 2022)
+
+- misc: nitpick grammar in comments/docs
+
+ because the 'u' in URL is actually a consonant *sound* it is only
+ correct to write "a URL"
+
+ sorry this is a bit nitpicky :P
+
+ https://english.stackexchange.com/questions/152/when-should-i-use-a-vs-an
+ https://www.techtarget.com/whatis/feature/Which-is-correct-a-URL-or-an-URL
+
+ Closes #9699
+
+Viktor Szakats (11 Oct 2022)
+
+- Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [ci skip]
+
+ This patch aimed to fix a regression [0], where `CC` initialization
+ moved beyond its first use. But, on closer inspection it turned out that
+ the `CC` initialization does not work as expected due to GNU Make
+ filling it with `cc` by default. So unless implicit values were
+ explicitly disabled via a GNU Make option, the default value of
+ `$CROSSPREFIX` + `gcc` was never used. At the same time the implicit
+ value `cc` maps to `gcc` in (most/all?) MinGW envs.
+
+ `AR` has the same issue, with a default value of `ar`.
+
+ We could reintroduce a separate variable to fix this without ill
+ effects, but for simplicity and flexibility, it seems better to drop
+ support for `CROSSPREFIX`, along with our own `CC`/`AR` init logic, and
+ require the caller to initialize `CC`, `AR` and `RC` to the full
+ (prefixed if necessary) names of these tools, as desired.
+
+ We keep `RC ?= windres` because `RC` is empty by default.
+
+ Also fix grammar in a comment.
+
+ [0] 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3
+
+ Closes #9698
+
+- smb: replace CURL_WIN32 with WIN32
+
+ PR #9255 aimed to fix a Cygwin/MSYS issue (#8220). It used the
+ `CURL_WIN32` macro, but that one is not defined here, while compiling
+ curl itself. This patch changes this to `WIN32`, assuming this was the
+ original intent.
+
+ Regression from 1c52e8a3795ccdf8ec9c308f4f8f19cf10ea1f1a
+
+ Reviewed-by: Marcel Raad
+
+ Closes #9701
+
+Matthias Gatto (11 Oct 2022)
+
+- aws_sigv4: fix header computation
+
+ Handle canonical headers and signed headers creation as explained here:
+ https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.
+ html
+
+ The algo tells that signed and canonical must contain at last host and
+ x-amz-date.
+
+ So we check whatever thoses are present in the curl http headers list.
+ If they are, we use the one enter by curl user, otherwise we generate
+ them. then we to lower, and remove space from each http headers plus
+ host and x-amz-date, then sort them all by alphabetical order.
+
+ This patch also fix a bug with host header, which was ignoring the port.
+
+ Closes #7966
+
+Aftab Alam (11 Oct 2022)
+
+- README.md: link the curl logo to the website
+
+ - Link the curl:// image to https://curl.se/
+
+ Closes https://github.com/curl/curl/pull/9675
+
+Dustin Howett (11 Oct 2022)
+
+- schannel: when importing PFX, disable key persistence
+
+ By default, the PFXImportCertStore API persists the key in the user's
+ key store (as though the certificate was being imported for permanent,
+ ongoing use.)
+
+ The documentation specifies that keys that are not to be persisted
+ should be imported with the flag PKCS12_NO_PERSIST_KEY.
+ NOTE: this flag is only supported on versions of Windows newer than XP
+ and Server 2003.
+
+ --
+
+ This is take 2 of the original fix. It extends the lifetime of the
+ client certificate store to that of the credential handle. The original
+ fix which landed in 70d010d and was later reverted in aec8d30 failed to
+ work properly because it did not do that.
+
+ Minor changes were made to the schannel credential context to support
+ closing the client certificate store handle at the end of an SSL session.
+
+ --
+
+ Reported-by: ShadowZzj@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/9300
+ Supersedes https://github.com/curl/curl/pull/9363
+ Closes https://github.com/curl/curl/pull/9460
+
+Viktor Szakats (11 Oct 2022)
+
+- Makefile.m32: support more options [ci skip]
+
+ - Add support for these options:
+ `-wolfssl`, `-wolfssh`, `-mbedtls`, `-libssh`, `-psl`
+
+ Caveats:
+ - `-wolfssh` requires `-wolfssl`.
+ - `-wolfssl` cannot be used with OpenSSL backends in parallel.
+ - `-libssh` has build issues with BoringSSL and LibreSSL, and also
+ what looks like a world-writable-config vulnerability on Windows.
+ Consider it experimental.
+ - `-psl` requires `-idn2` and extra libs passed via
+ `LIBS=-liconv -lunistring`.
+
+ - Detect BoringSSL/wolfSSL and set ngtcp2 crypto lib accordingly.
+ - Generalize MultiSSL detection.
+ - Use else-if syntax. Requires GNU Make 3.81 (2006-04-01).
+ - Document more customization options.
+
+ This brings over some configuration logic from `curl-for-win`.
+
+ Closes #9680
+
+- cmake: enable more detection on Windows
+
+ Enable `HAVE_UNISTD_H`, `HAVE_STRTOK_R` and `HAVE_STRCASECMP` detection
+ on Windows, instead of having predefined values.
+
+ With these features detected correctly, CMake Windows builds get closer
+ to the autotools and `config-win32.h` ones.
+
+ This also fixes detecting `HAVE_FTRUNCATE` correctly, which required
+ `unistd.h`.
+
+ Fixing `ftruncate()` in turn causes a build warning/error with legacy
+ MinGW/MSYS1 due to an offset type size mismatch. This env misses to
+ detect `HAVE_FILE_OFFSET_BITS`, which may be a reason. This patch
+ force-disables `HAVE_FTRUNCATE` for this platform.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9687
+
+- autotools: allow unix sockets on Windows
+
+ Fixes: https://github.com/curl/curl-for-win/blob/73a070d96fd906fdee929e2f1f00
+ a9149fb39239/curl-autotools.sh#L44-L47
+
+ On Windows this feature is present, but not the header used in the
+ detection logic. It also requires an elaborate enabler logic
+ (as seen in `lib/curl_setup.h`). Let's always allow it and let the
+ lib code deal with the details.
+
+ Closes #9688
+
+- cmake: add missing inet_ntop check
+
+ This adds the missing half of the check, next to the other half
+ already present in `lib/curl_config.h.cmake`.
+
+ Force disable `HAVE_INET_NTOP` for old MSVC where it caused compiler
+ warnings.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9689
+
+Daniel Stenberg (11 Oct 2022)
+
+- RELEASE-NOTES: synced
+
+bsergean on github (11 Oct 2022)
+
+- asyn-ares: set hint flags when calling ares_getaddrinfo
+
+ The hint flag is ARES_AI_NUMERICSERV, and it will save a call to
+ getservbyname or getservbyname_r to set it.
+
+ Closes #9694
+
+Daniel Stenberg (11 Oct 2022)
+
+- header.d: add category smtp and imap
+
+ They were previously (erroneously) added manually to tool_listhelp.c
+ which would make them get removed again when the file is updated next
+ time, unless added correctly here in header.d
+
+ Follow-up to 2437fac01
+
+ Closes #9690
+
+- curl/get_url_file_name: use libcurl URL parser
+
+ To avoid URL tricks, use the URL parser for this.
+
+ This update changes curl's behavior slightly in that it will ignore the
+ possible query part from the URL and only use the file name from the
+ actual path from the URL. I consider it a bugfix.
+
+ "curl -O localhost/name?giveme-giveme" will now save the output in the
+ local file named 'name'
+
+ Updated test 1210 to verify
+
+ Assisted-by: Jay Satiro
+
+ Closes #9684
+
+Martin Ågren (11 Oct 2022)
+
+- docs: fix grammar around needing pass phrase
+
+ "You never needed a pass phrase" reads like it's about to be followed by
+ something like "until version so-and-so", but that is not what is
+ intended. Change to "You never need a pass phrase". There are two
+ instances of this text, so make sure to update both.
+
+Xiang Xiao (10 Oct 2022)
+
+- cmake: add the check of HAVE_SOCKETPAIR
+
+ which is used by Curl_socketpair
+
+ Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
+
+ Closes #9686
+
+Daniel Stenberg (10 Oct 2022)
+
+- curl/add_file_name_to_url: use the libcurl URL parser
+
+ instead of the custom error-prone parser, to extract and update the path
+ of the given URL
+
+ Closes #9683
+
+- single_transfer: use the libcurl URL parser when appending query parts
+
+ Instead of doing "manual" error-prone parsing in another place.
+
+ Used when --data contents is added to the URL query when -G is provided.
+
+ Closes #9681
+
+- ws: fix buffer pointer use in the callback loop
+
+ Closes #9678
+
+Petr Štetiar (10 Oct 2022)
+
+- curl-wolfssl.m4: error out if wolfSSL is not usable
+
+ When I explicitly declare, that I would like to have curl built with
+ wolfSSL support using `--with-wolfssl` configure option, then I would
+ expect, that either I endup with curl having that support, for example
+ in form of https support or it wouldn't be available at all.
+
+ Downstream projects like for example OpenWrt build curl wolfSSL variant
+ with `--with-wolfssl` already, but in certain corner cases it does fail:
+
+ configure:25299: checking for wolfSSL_Init in -lwolfssl
+ configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip]
+ In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.
+ h:33,
+ from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_
+ public.h:35,
+ from target-x86_64_musl/usr/include/wolfssl/ssl.h:35,
+ from conftest.c:47:
+ target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal err
+ or: wolfssl/wolfcrypt/sp_int.h: No such file or directory
+ #include <wolfssl/wolfcrypt/sp_int.h>
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ compilation terminated.
+
+ and in the end thus produces curl without https support:
+
+ curl: (1) Protocol "https" not supported or disabled in libcurl
+
+ So fix it, by making the working wolfSSL mandatory and error out in
+ configure step when that's not the case:
+
+ checking for wolfSSL_Init in -lwolfssl... no
+ configure: error: --with-wolfssl but wolfSSL was not found or doesn't work
+
+ References: https://github.com/openwrt/packages/issues/19005
+ References: https://github.com/openwrt/packages/issues/19547
+ Signed-off-by: Petr Štetiar <ynezz@true.cz>
+
+ Closes #9682
+
+Daniel Stenberg (10 Oct 2022)
+
+- tool_getparam: pass in the snprintf("%.*s") string length as 'int'
+
+ Reported by Coverity CID 1515928
+
+ Closes #9679
+
+Paul Seligman (9 Oct 2022)
+
+- ws: minor fixes for web sockets without the CONNECT_ONLY flag
+
+ - Fixed an issue where is_in_callback was getting cleared when using web
+ sockets with debug logging enabled
+ - Ensure the handle is is_in_callback when calling out to fwrite_func
+ - Change the write vs. send_data decision to whether or not the handle
+ is in CONNECT_ONLY mode.
+ - Account for buflen not including the header length in curl_ws_send
+
+ Closes #9665
+
+Marc Hoersken (8 Oct 2022)
+
+- CI/cirrus: merge existing macOS jobs into a job matrix
+
+ Ref: #9627
+ Reviewed-by: Philip H.
+
+ Closes #9672
+
+Daniel Stenberg (8 Oct 2022)
+
+- strcase: add and use Curl_timestrcmp
+
+ This is a strcmp() alternative function for comparing "secrets",
+ designed to take the same time no matter the content to not leak
+ match/non-match info to observers based on how fast it is.
+
+ The time this function takes is only a function of the shortest input
+ string.
+
+ Reported-by: Trail of Bits
+
+ Closes #9658
+
+- tool_getparam: split out data_urlencode() into its own function
+
+ Closes #9673
+
+- connect: fix Curl_updateconninfo for TRNSPRT_UNIX
+
+ Reported-by: Vasiliy Ulyanov
+ Fixes #9664
+ Closes #9670
+
+- ws: fix Coverity complaints
+
+ Coverity pointed out several flaws where variables remained
+ uninitialized after forks.
+
+ Follow-up to e3f335148adc6742728f
+
+ Closes #9666
+
+Marc Hoersken (7 Oct 2022)
+
+- CI/GHA: merge msh3 and openssl3 builds into linux workflow
+
+ Continue work on merging all Linux workflows into one file.
+
+ Follow up to #9501
+ Closes #9646
+
+Daniel Stenberg (7 Oct 2022)
+
+- curl_ws_send.3: call the argument 'fragsize'
+
+ Since WebSocket works with "fragments" not "frames"
+
+ Closes #9668
+
+- easy: avoid Intel error #2312: pointer cast involving 64-bit pointed-to type
+
+ Follow-up to e3f335148adc6742728ff8
+
+ Closes #9669
+
+- tool_main: exit at once if out of file descriptors
+
+ If the main_checkfds function cannot create new file descriptors in an
+ attempt to detect of stdin, stdout or stderr are closed.
+
+ Also changed the check to use fcntl() to check if the descriptors are
+ open, which avoids superfluously calling pipe() if they all already are.
+
+ Follow-up to facfa19cdd4d0094
+
+ Reported-by: Trail of Bits
+
+ Closes #9663
+
+- websockets: remodeled API to support 63 bit frame sizes
+
+ curl_ws_recv() now receives data to fill up the provided buffer, but can
+ return a partial fragment. The function now also get a pointer to a
+ curl_ws_frame struct with metadata that also mentions the offset and
+ total size of the fragment (of which you might be receiving a smaller
+ piece). This way, large incoming fragments will be "streamed" to the
+ application. When the curl_ws_frame struct field 'bytesleft' is 0, the
+ final fragment piece has been delivered.
+
+ curl_ws_recv() was also adjusted to work with a buffer size smaller than
+ the fragment size. (Possibly needless to say as the fragment size can
+ now be 63 bit large).
+
+ curl_ws_send() now supports sending a piece of a fragment, in a
+ streaming manner, in addition to sending the entire fragment in a single
+ call if it is small enough. To send a huge fragment, curl_ws_send() can
+ be used to send it in many small calls by first telling libcurl about
+ the total expected fragment size, and then send the payload in N number
+ of separate invokes and libcurl will stream those over the wire.
+
+ The struct curl_ws_meta() returns is now called 'curl_ws_frame' and it
+ has been extended with two new fields: *offset* and *bytesleft*. To help
+ describe the passed on data chunk when a fragment is delivered in many
+ smaller pieces.
+
+ The documentation has been updated accordingly.
+
+ Closes #9636
+
+Patrick Monnerat (7 Oct 2022)
+
+- docs/examples: avoid deprecated options in examples where possible
+
+ Example programs targeting a deprecated feature/option are commented with
+ a warning about it.
+ Other examples are adapted to not use deprecated options.
+
+ Closes #9661
+
+Viktor Szakats (6 Oct 2022)
+
+- cmake: fix enabling websocket support
+
+ Follow-up from 664249d095275ec532f55dd1752d80c8c1093a77
+
+ Closes #9660
+
+- tidy-up: delete parallel/unused feature flags
+
+ Detecting headers and lib separately makes sense when headers come in
+ variations or with extra ones, but this wasn't the case here. These were
+ duplicate/parallel macros that we had to keep in sync with each other
+ for a working build. This patch leaves a single macro for each of these
+ dependencies:
+
+ - Rely on `HAVE_LIBZ`, delete parallel `HAVE_ZLIB_H`.
+
+ Also delete CMake logic making sure these two were in sync, along with
+ a toggle to turn off that logic, called `CURL_SPECIAL_LIBZ`.
+
+ Also delete stray `HAVE_ZLIB` defines.
+
+ There is also a `USE_ZLIB` variant in `lib/config-dos.h`. This patch
+ retains it for compatibility and deprecates it.
+
+ - Rely on `USE_LIBSSH2`, delete parallel `HAVE_LIBSSH2_H`.
+
+ Also delete `LIBSSH2_WIN32`, `LIBSSH2_LIBRARY` from
+ `winbuild/MakefileBuild.vc`, these have a role when building libssh2
+ itself. And `CURL_USE_LIBSSH`, which had no use at all.
+
+ Also delete stray `HAVE_LIBSSH2` defines.
+
+ - Rely on `USE_LIBSSH`, delete parallel `HAVE_LIBSSH_LIBSSH_H`.
+
+ Also delete `LIBSSH_WIN32`, `LIBSSH_LIBRARY` and `HAVE_LIBSSH` from
+ `winbuild/MakefileBuild.vc`, these were the result of copy-pasting the
+ libssh2 line, and were not having any use.
+
+ - Delete unused `HAVE_LIBPSL_H` and `HAVE_LIBPSL`.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9652
+
+Daniel Stenberg (6 Oct 2022)
+
+- netrc: compare user name case sensitively
+
+ User name comparisions in netrc need to match the case.
+
+ Closes #9657
+
+- CURLOPT_COOKIEFILE: insist on "" for enable-without-file
+
+ The former way that also suggested using a non-existing file to just
+ enable the cookie engine could lead to developers maybe a bit carelessly
+ guessing a file name that will not exist, and then in a future due to
+ circumstances, such a file could be made to exist and then accidentally
+ libcurl would read cookies not actually meant to.
+
+ Reported-by: Trail of bits
+
+ Closes #9654
+
+- tests/Makefile: remove run time stats from ci-test
+
+ The ci-test is the normal makefile target invoked in CI jobs. This has
+ been using the -r option to runtests.pl since a long time, but I find
+ that it mostly just adds many lines to the test output report without
+ anyone caring much about those stats.
+
+ Remove it.
+
+ Closes #9656
+
+Patrick Monnerat (6 Oct 2022)
+
+- tool: reorganize function c_escape around a dynbuf
+
+ This is a bit shorter and a lot safer.
+
+ Substrings of unescaped characters are added by a single call to reduce
+ overhead.
+
+ Extend test 1465 to handle more kind of escapes.
+
+ Closes #9653
+
+Jay Satiro (5 Oct 2022)
+
+- CURLOPT_HTTPPOST.3: bolden the deprecation notice
+
+ Ref: https://github.com/curl/curl/pull/9621
+
+ Closes https://github.com/curl/curl/pull/9637
+
+John Bampton (5 Oct 2022)
+
+- misc: fix spelling in docs and comments
+
+ also: remove outdated sentence
+
+ Closes #9644
+
+Patrick Monnerat (5 Oct 2022)
+
+- tool: avoid generating ambiguous escaped characters in --libcurl
+
+ C string hexadecimal-escaped characters may have more than 2 digits.
+ This results in a wrong C compiler interpretation of a 2-digit escaped
+ character when followed by an hex digit character.
+
+ The solution retained here is to represent such characters as 3-digit
+ octal escapes.
+
+ Adjust and extend test 1465 for this case.
+
+ Closes #9643
+
+Daniel Stenberg (5 Oct 2022)
+
+- configure: the ngtcp2 option should default to 'no'
+
+ While still experimental.
+
+ Bug: https://curl.se/mail/lib-2022-10/0007.html
+ Reported-by: Daniel Hallberg
+
+ Closes #9650
+
+- CURLOPT_MIMEPOST.3: add an (inline) example
+
+ Reported-by: Jay Satiro
+ Bug: https://github.com/curl/curl/pull/9637#issuecomment-1268070723
+
+ Closes #9649
+
+Viktor Szakats (5 Oct 2022)
+
+- Makefile.m32: exclude libs & libpaths for shared mode exes [ci skip]
+
+ Exclude linker flags specifying depedency libs and libpaths, when
+ building against `libcurl.dll`. In such case these options are not
+ necessary (but may cause errors if not/wrongly configured.)
+
+ Also move and reword a comment on `CPPFLAGS` to not apply to
+ `UNICODE` options. These are necessary for all build targets.
+
+ Closes #9651
+
+Jay Satiro (5 Oct 2022)
+
+- runtests: fix uninitialized value on ignored tests
+
+ - Don't show TESTFAIL message (ie tests failed which aren't ignored) if
+ only ignored tests failed.
+
+ Before:
+ IGNORED: failed tests: 571 612 1056
+ TESTDONE: 1214 tests out of 1217 reported OK: 99%
+ Use of uninitialized value $failed in concatenation (.) or string at
+ ./runtests.pl line 6290.
+ TESTFAIL: These test cases failed:
+
+ After:
+ IGNORED: failed tests: 571 612 1056
+ TESTDONE: 1214 tests out of 1217 reported OK: 99%
+
+ Closes https://github.com/curl/curl/pull/9648
+
+- cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS
+
+ - Correct the use of -all-static for static Windows CI builds.
+
+ curl_LDFLAGS was removed from the makefile when metalink support was
+ removed. LDFLAGS=-all-static is passed to make only, because it is not a
+ valid option for configure compilation tests.
+
+ Closes https://github.com/curl/curl/pull/9633
+
+Viktor Szakats (4 Oct 2022)
+
+- Makefile.m32: fix regression with tool_hugehelp [ci skip]
+
+ In a recent commit I mistakenly deleted this logic, after seeing a
+ reference to a filename ending with `.cvs` and thinking it must have
+ been long gone. Turns out this is an existing file. Restore the rule
+ and the necessary `COPY` definitions with it.
+
+ The restored logic is required for a successful build on a bare source
+ tree (as opposed to a source release tarball).
+
+ Also shorten an existing condition similar to the one added in this
+ patch.
+
+ Regression since 07a0047882dd3f1fbf73486c5dd9c15370877ad6
+
+ Closes #9645
+
+- Makefile.m32: deduplicate build rules [ci skip]
+
+ After this patch, we reduce the three copies of most `Makefile.m32`
+ logic to one. This now resides in `lib/Makefile.m32`. It makes future
+ updates easier, the code shorter, with a small amount of added
+ complexity.
+
+ `Makefile.m32` reduction:
+
+ | | bytes | LOC total | blank | comment | code |
+ |-------------------|-------:|----------:|-------:|---------:|------:|
+ | 7.85.0 | 34772 | 1337 | 79 | 192 | 1066 |
+ | before this patch | 17601 | 625 | 62 | 106 | 457 |
+ | after this patch | 11680 | 392 | 52 | 104 | 236 |
+
+ Details:
+
+ - Change rules to create objects for the `v*` subdirs in the `lib` dir.
+ This allows to use a shared compile rule and assumes that filenames
+ are not (and will not be) colliding across these directories.
+ `Makefile.m32` now also stores a list of these subdirs. They are
+ changing rarely though.
+
+ - Sync as much as possible between the three `Makefile.m32` scripts'
+ rules and their source/target sections.
+
+ - After this patch `CPPFLAGS` are all applied to the `src` sources once
+ again. This matches the behaviour of cmake/autotools. Only zlib ones
+ are actually required there.
+
+ - Use `.rc` names from `Makefile.inc` instead of keeping a duplicate.
+
+ - Change examples to link `libcurl.dll` by default. This makes building
+ trivial, even as a cross-build:
+ `CC=x86_64-w64-mingw32-gcc make -f Makefile.m32`
+ To run them, you need to move/copy or add-to-path `libcurl.dll`.
+ You can select static mode via `CFG=-static`.
+
+ - List more of the `Makefile.m32` config variables.
+
+ - Drop `.rc` support from examples. It made it fragile without much
+ benefit.
+
+ - Include a necessary system lib for the `externalsocket.c` example.
+
+ - Exclude unnecessary systems libs when building in `-dyn` mode.
+
+ Closes #9642
+
+Daniel Stenberg (4 Oct 2022)
+
+- RELEASE-NOTES: synced
+
+- CURLOPT_COOKIELIST.3: fix formatting mistake
+
+ Also, updated manpage-syntax.pl to make it detect this error in test
+ 1173.
+
+ Reported-by: ProceduralMan on github
+ Fixes #9639
+ Closes #9640
+
+Jay Satiro (4 Oct 2022)
+
+- connect: change verbose IPv6 address:port to [address]:port
+
+ - Use brackets for the IPv6 address shown in verbose message when the
+ format is address:port so that it is less confusing.
+
+ Before: Trying 2606:4700:4700::1111:443...
+ After: Trying [2606:4700:4700::1111]:443...
+
+ Bug: https://curl.se/mail/archive-2022-02/0041.html
+ Reported-by: David Hu
+
+ Closes #9635
+
+Viktor Szakats (3 Oct 2022)
+
+- Makefile.m32: major rework [ci skip]
+
+ This patch overhauls `Makefile.m32` scripts, fixing a list of quirks,
+ making its behaviour and customization envvars align better with other
+ build systems, aiming for less code, that is easier to read, use and
+ maintain.
+
+ Details:
+ - Rename customization envvars:
+ `CURL_CC` -> `CC`
+ `CURL_RC` -> `RC`
+ `CURL_AR` -> `AR`
+ `CURL_LDFLAG_EXTRAS_DLL` -> `CURL_LDFLAGS_LIB`
+ `CURL_LDFLAG_EXTRAS_EXE` -> `CURL_LDFLAGS_BIN`
+ - Drop `CURL_STRIP` and `CURL_RANLIB`. These tools are no longer used.
+ - Accept `CFLAGS`, `CPPFLAGS`, `RCFLAGS`, `LDFLAGS` and `LIBS` envvars.
+ - Drop `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, `CURL_RCFLAG_EXTRAS` in
+ favor of the above.
+ - Do not automatically enable `zlib` with `libssh2`. `zlib` is optional
+ with `libssh2`.
+ - Omit unnecessary `CPPFLAGS` options when building `curl.exe` and
+ examples.
+ - Drop support for deprecated `-winssl` `CFG` option. Use `-schannel`
+ instead.
+ - Avoid late evaluation where not necessary (`=` -> `:=`).
+ - Drop support for `CURL_DLL_A_SUFFIX` to override the implib suffix.
+ Instead, use the standard naming scheme by default: `libcurl.dll.a`.
+ The toolchain recognizes the name, and selects it automatically when
+ asking for a `-shared` vs. `-static` build.
+ - Stop applying `strip` to `libcurl.a`. Follow-up from
+ 16a58e9f93c7e89e1f87720199388bcfcfa148a4. There was no debug info to
+ strip since then.
+ - Stop setting `-O3`, `-W`, `-Wall` options. You can add these to
+ `CFLAGS` as desired.
+ - Always enable `-DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` with OpenSSL,
+ to avoid that vulnerability on Windows.
+ - Add `-lbrotlicommon` to `LIBS` when using `brotli`.
+ - Do not enable `-nghttp3` without `-ngtcp2`.
+ - `-ssh2` and `-rtmp` options no longer try to auto-select a TLS-backend.
+ You need to set the backend explicitly. This scales better and avoids
+ issues with certain combinations (e.g. `libssh2` + `wolfssl` with no
+ `schannel`).
+ - Default to OpenSSL TLS-backend with `ngtcp2`. Possible to override via
+ `NGTCP2_LIBS`.
+ - Old, alternate method of enabling components (e.g. `SSH2=1`) no longer
+ supported.
+ - Delete `SPNEGO` references. They were no-ops.
+ - Drop support for Win9x environments.
+ - Allow setting `OPENSSL_LIBS` independently from `OPENSSL_LIBPATH`.
+ - Support autotools/CMake `libssh2` builds by default.
+ - Respect `CURL_DLL_SUFFIX` in `-dyn` mode when building `curl.exe` and
+ examples.
+ - Assume standard directory layout with `LIBCARES_PATH`. (Instead of the
+ long gone embedded one.)
+ - Stop static linking with c-ares by default. Add
+ `CPPFLAGS=-DCARES_STATICLIB` to enable it.
+ - Reorganize internal layout to avoid redundancy and emit clean diffs
+ between src/lib and example make files.
+ - Delete unused variables.
+ - Code cleanups/rework.
+ - Comment and indentation fixes.
+
+ Closes #9632
+
+- scripts/release-notes.pl: strip ci skip tag [ci skip]
+
+ Ref: https://github.com/curl/curl/commit/e604a82cae922bf86403a94f5803ac5e4303
+ ae97#commitcomment-85637701
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9634
+
+- Makefile.m32: delete legacy component bits [ci skip]
+
+ - Drop auto-detection of OpenSSL 1.0.2 and earlier. Now always defaulting
+ to OpenSSL 1.1.0 and later, LibreSSL and BoringSSL.
+
+ - Drop `Invalid path to OpenSSL package` detection. OpenSSL has been
+ using a standard file layout since 1.1.0, so this seems unnecessary
+ now.
+
+ - Drop special logic to enable Novell LDAP SDK support.
+
+ - Drop special logic to enable OpenLDAP LDAP SDK support. This seems
+ to be distinct from native OpenLDAP, with support implemented inside
+ `lib/ldap.c` (vs. `lib/openldap.c`) back when the latter did not exist
+ yet in curl.
+
+ - Add `-lwldap32` only if there is no other LDAP library (either native
+ OpenLDAP, or SDKs above) present.
+
+ - Update `doc/INSTALL.md` accordingly.
+
+ After this patch, it's necessary to make configration changes when using
+ OpenSSL 1.0.2 or earlier, or the two LDAP SDKs.
+
+ OpenSSL 1.0.2 and earlier:
+ ```
+ export OPENSSL_INCLUDE = <path-to-openssl>/outinc
+ export OPENSSL_LIBPATH = <path-to-openssl>/out
+ export OPENSSL_LIBS = -lssl32 -leay32 -lgdi32
+ ```
+
+ Novell LDAP SDK, previously enabled via `USE_LDAP_NOVELL=1`:
+ ```
+ export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/inc -DCURL_HAS_NOVELL_LDAPSDK
+ export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib/mscvc -lldapsdk -lldapssl -ll
+ dapx
+ ```
+
+ OpenLDAP LDAP SDK, previously enabled via `USE_LDAP_OPENLDAP=1`:
+ ```
+ export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/include -DCURL_HAS_OPENLDAP_LDAPSD
+ K
+ export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib -lldap -llber
+ ```
+
+ I haven't tested these scenarios, and in general we recommend using
+ a recent OpenSSL release. Also, WinLDAP (the Windows default) and
+ OpenLDAP (via `-DUSE_OPENLDAP`) are the LDAP options actively worked on
+ in curl.
+
+ Closes #9631
+
+Daniel Stenberg (2 Oct 2022)
+
+- vauth/ntlm.h: make line shorter than 80 columns
+
+ Follow-up from 265fbd937
+
+Viktor Szakats (1 Oct 2022)
+
+- docs: update sourceforge project links [ci skip]
+
+ SourceForge projects can now choose between two hostnames, with .io and
+ .net ending. Both support HTTPS by default now. Opening the other variant
+ will perm-redirected to the one chosen by the project.
+
+ The .io -> .net redirection is done insecurely.
+
+ Let's update the URLs to point to the current canonical endpoints to
+ avoid any redirects.
+
+ Closes #9630
+
+Daniel Stenberg (1 Oct 2022)
+
+- curl_url_set.3: document CURLU_APPENDQUERY proper
+
+ Listed among the other supported flags.
+
+ Reported-by: Robby Simpson
+ Fixes #9628
+ Closes #9629
+
+Viktor Szakats (1 Oct 2022)
+
+- Makefile.m32: cleanups and fixes [ci skip]
+
+ - Add `-lcrypt32` once, and add it always for simplicity.
+ - Delete broken link and reference to the pre-Vista WinIDN add-on.
+ MS no longer distribute it.
+ - Delete related `WINIDN_PATH` option. IDN is a system lib since Vista.
+ - Sync `LIBCARES_PATH` default with the rest of dependencies.
+ - Delete version numbers from dependency path defaults.
+ - `libgsasl` package is now called `gsasl`.
+ - Delete `libexpat` and `libxml2` references. No longer used by curl.
+ - Delete `Edit the path below...` comments. We recommend to predefine
+ those envvars instead.
+ - `libcares.a` is not an internal dependency anymore. Stop using it as
+ such.
+ - `windres` `--include-dir` -> `-I`, `-F` -> `--target=` for readability.
+ - Delete `STRIP`, `CURL_STRIP`, `AR` references from `src/Makefile.m32`.
+ They were never used.
+ - Stop to `clean` some objects twice in `src/Makefile.m32`.
+ - Delete cvs-specific leftovers.
+ - Finish resource support in examples make file.
+ - Delete `-I<root>/lib` from examples make file.
+ - Fix copyright start year in examples make file.
+ - Delete duplicate `ftpuploadresume` input in examples make file.
+ - Sync OpenSSL lib order, `SYNC` support, `PROOT` use, dependency path
+ defaults, variables names and other internal bits between the three
+ make files.
+ - `lib/Makefile.m32` accepted custom options via `DLL_LIBS` envvar. This
+ was lib-specific and possibly accidental. Use `CURL_LDFLAG_EXTRAS_DLL`
+ envvar for the same effect.
+ - Fix linking `curl.exe` and examples to wrong static libs with
+ auto-detected OpenSSL 1.0.2 or earlier.
+ - Add `-lgdi32` for OpenSSL 1.0.2 and earlier only.
+ - Add link to Novell LDAP SDK and use a relative default path. Latest
+ version is from 2016, linked to an outdated OpenSSL 1.0.1.
+ - Whitespace and comment cleanups.
+
+ TODO in a next commit:
+
+ Delete built-in detection/logic for OpenSSL 1.0.2 and earlier, the Novell
+ LDAP SDK and the other LDAP SDK (which is _not_ OpenLDAP). Write up the
+ necessary custom envvars to configure them.
+
+ Closes #9616
+
+Daniel Stenberg (30 Sep 2022)
+
+- RELEASE-NOTES: synced
+
+Matt Holt (30 Sep 2022)
+
+- HTTP3.md: update Caddy example
+
+ Closes #9623
+
+Daniel Stenberg (30 Sep 2022)
+
+- easy: fix the altsvc init for curl_easy_duphandle
+
+ It was using the old #ifdef which nothing sets anymore
+
+ Closes #9624
+
+- GHA: build tests in a separate step from the running of them
+
+ ... to make the output smaller for when you want to look at test
+ failures.
+
+ Removed the examples build from msh3
+
+ Closes #9619
+
+Viktor Szakats (29 Sep 2022)
+
+- ldap: delete stray CURL_HAS_MOZILLA_LDAP reference
+
+ Added in 68b215157fdf69612edebdb220b3804822277822, while adding openldap
+ support. This is also the single mention of this constant in the source
+ tree and also in that commit. Based on these, it seems like an accident.
+
+ Delete this reference.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9625
+
+- docs: spelling nits
+
+ - MingW -> MinGW (Minimalist GNU for Windows)
+ - f.e. -> e.g.
+ - some whitespace and punctuation.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9622
+
+Philip Heiduck (29 Sep 2022)
+
+- cirrus-ci: add macOS build with m1
+
+ Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
+
+ Closes #9565
+
+Patrick Monnerat (29 Sep 2022)
+
+- lib: sanitize conditional exclusion around MIME
+
+ The introduction of CURL_DISABLE_MIME came with some additional bugs:
+ - Disabled MIME is compiled-in anyway if SMTP and/or IMAP is enabled.
+ - CURLOPT_MIMEPOST, CURLOPT_MIME_OPTIONS and CURLOPT_HTTPHEADER are
+ conditioned on HTTP, although also needed for SMTP and IMAP MIME mail
+ uploads.
+
+ In addition, the CURLOPT_HTTPHEADER and --header documentation does not
+ mention their use for MIME mail.
+
+ This commit fixes the problems above.
+
+ Closes #9610
+
+Thiago Suchorski (29 Sep 2022)
+
+- docs: minor grammar fixes
+
+ Closes #9609
+
+Daniel Stenberg (28 Sep 2022)
+
+- CURLSHOPT_UNLOCKFUNC.3: the callback as no 'access' argument
+
+ Probably a copy and paste error from the lock function man page.
+
+ Reported-by: Robby Simpson
+ Fixes #9612
+ Closes #9613
+
+- CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five
+
+ ... instead just list the supported encodings.
+
+ Reported-by: ProceduralMan on github
+ Fixes #9614
+ Closes #9615
+
+Dan Fandrich (28 Sep 2022)
+
+- tests: Remove a duplicated keyword
+
+- docs: document more server names for test files
+
+Daniel Stenberg (28 Sep 2022)
+
+- altsvc: reject bad port numbers
+
+ The existing code tried but did not properly reject alternative services
+ using negative or too large port numbers.
+
+ With this fix, the logic now also flushes the old entries immediately
+ before adding a new one, making a following header with an illegal entry
+ not flush the already stored entry.
+
+ Report from the ongoing source code audit by Trail of Bits.
+
+ Adjusted test 356 to verify.
+
+ Closes #9607
+
+- functypes: provide the recv and send arg and return types
+
+ This header is for providing the argument types for recv() and send()
+ when built to not use a dedicated config-[platfor].h file.
+
+ Remove the slow brute-force checks from configure and cmake.
+
+ This change also removes the use of the types for select, as they were
+ not used in code.
+
+ Closes #9592
+
+- urlapi: reject more bad characters from the host name field
+
+ Extended test 1560 to verify
+
+ Report from the ongoing source code audit by Trail of Bits.
+
+ Closes #9608
+
+- configure: deprecate builds with small curl_off_t
+
+ If curl_off_t turns out to be smaller than 8 bytes,
+ --with-n64-deprecated needs to be used to allow the build to
+ continue. This is to highlight the fact that support for such builds is
+ going away next year.
+
+ Also mentioned in DEPRECATED.md
+
+ Closes #9605
+
+Patrick Monnerat (27 Sep 2022)
+
+- http, vauth: always provide Curl_allow_auth_to_host() functionality
+
+ This function is currently located in the lib/http.c module and is
+ therefore disabled by the CURL_DISABLE_HTTP conditional token.
+
+ As it may be called by TLS backends, disabling HTTP results in an
+ undefined reference error at link time.
+
+ Move this function to vauth/vauth.c to always provide it and rename it
+ as Curl_auth_allowed_to_host() to respect the vauth module naming
+ convention.
+
+ Closes #9600
+
+Daniel Stenberg (27 Sep 2022)
+
+- ngtcp2: fix C89 compliance nit
+
+- openssl: make certinfo available for QUIC
+
+ Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that
+ can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC
+ connections as well.
+
+ The *certchain function was moved to the top of the file for this reason.
+
+ Reported-by: Eloy Degen
+ Fixes #9584
+ Closes #9597
+
+- RELEASE-NOTES: synced
+
+- DEPRECATE.md: Support for systems without 64 bit data types
+
+ Closes #9604
+
+Patrick Monnerat (27 Sep 2022)
+
+- tests: skip mime/form tests when mime is not built-in
+
+ Closes #9596
+
+Daniel Stenberg (27 Sep 2022)
+
+- url: rename function due to name-clash in Watt-32
+
+ Follow-up to 2481dbe5f4f58 and applies the change the way it was
+ intended.
+
+Viktor Szakats (26 Sep 2022)
+
+- windows: adjust name of two internal public functions
+
+ According to `docs/INTERNALS.md`, internal function names spanning source
+ files start with uppercase `Curl_`. Bring these two functions in
+ alignment with this.
+
+ This also stops exporting them from `libcurl.dll` in autotools builds.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9598
+
+Gisle Vanem (26 Sep 2022)
+
+- url: rename function due to name-clash in Watt-32
+
+ Since the commit 764c958c52edb427f39, there was a new function called
+ resolve_ip(). This clashes with an internal function in Watt-32.
+
+ Closes #9585
+
+Jay Satiro (26 Sep 2022)
+
+- schannel: ban server ALPN change during recv renegotiation
+
+ By the time schannel_recv is renegotiating the connection, libcurl has
+ already decided on a protocol and it is too late for the server to
+ select a protocol via ALPN except for the originally selected protocol.
+
+ Ref: https://github.com/curl/curl/issues/9451
+
+ Closes https://github.com/curl/curl/pull/9463
+
+Daniel Stenberg (26 Sep 2022)
+
+- url: a zero-length userinfo part in the URL is still a (blank) user
+
+ Adjusted test 1560 to verify
+
+ Reported-by: Jay Satiro
+
+ Fixes #9088
+ Closes #9590
+
+Viktor Szakats (25 Sep 2022)
+
+- autotools: allow --enable-symbol-hiding with windows
+
+ This local autotools logic was put in place in
+ 9e24b9c7afbcb81120af4cf3f6cdee49a06d8224 (in 2012) which disabled it for
+ Windows unconditionally. Testing reveals that it actually works with
+ tested toolchains (mingw-w64 and CI ones), so let's allow this build
+ feature on that platform. Bringing this in sync with CMake, which already
+ supported this.
+
+ Reviewed-by: Jay Satiro
+
+ Closes #9586
+
+- autotools: reduce brute-force when detecting recv/send arg list
+
+ autotools uses brute-force to detect `recv`/`send`/`select` argument
+ lists, by interating through _all_ argument type combinations on each
+ `./configure` run. This logic exists since
+ 01fa02d0b545e1433dced2430561f8c0c72b74a9 (from 2006) and was a bit later
+ extended with Windows support.
+
+ This results in a worst-case number of compile + link cycles as below:
+ - `recv`: 96
+ - `send`: 192
+ - `select`: 60
+ Total: 348 (the number of curl C source files is 195, for comparison)
+
+ Notice that e.g. curl-for-win autotools builds require two `./configure`
+ invocations, doubling these numbers.
+
+ `recv` on Windows was especially unlucky because `SOCKET` (the correct
+ choice there) was listed _last_ in one of the outer trial loops. This
+ resulted in lengthy waits while autotools was trying all invalid
+ combinations first, wasting cycles, disk writes and slowing down
+ iteration.
+
+ This patch reduces the amount of idle work by reordering the tests in
+ a way to succeed first on a well-known platform such as Windows, and
+ also on non-Windows by testing for POSIX prototypes first, on the
+ assumption that these are the most likely candidates these days. (We do
+ not touch `select`, where the order was already optimal for these
+ platforms.)
+
+ For non-Windows, this means to try a return value of `ssize_t` first,
+ then `int`, reordering the buffer argument type to try `void *` first,
+ then `byte *`, and prefer the `const` flavor with `send`. If we are
+ here, also stop testing for `SOCKET` type in non-Windows builds.
+
+ After the patch, detection on Windows is instantaneous. It should also be
+ faster on popular platforms such as Linux and BSD-based ones.
+
+ If there are known-good variations for other platforms, they can also be
+ fast-tracked like above, given a way to check for that platform inside
+ the autotools logic.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9591
+
+Daniel Stenberg (23 Sep 2022)
+
+- TODO: Provide the error body from a CONNECT response
+
+ Spellchecked-by: Jay Satiro
+
+ Closes #9513
+ Closes #9581
+
+Viktor Szakats (23 Sep 2022)
+
+- windows: autotools .rc warnings fixup
+
+ Move `LT_LANG([Windows Resource])` after `XC_LIBTOOL`, fixing:
+
+ - Warnings when running `autoreconf -fi`.
+
+ - Warning when compiling .rc files:
+ libtool: compile: unable to infer tagged configuration
+ libtool: error: specify a tag with '--tag'
+
+ Follow up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057
+ Ref: https://github.com/curl/curl/pull/9521#issuecomment-1256291156
+
+ Suggested-by: Patrick Monnerat
+ Closes #9582
+
+Randall S. Becker (23 Sep 2022)
+
+- curl_setup: disable use of FLOSS for 64-bit NonStop builds
+
+ Older 32-bit builds currently need FLOSS. This dependency may be removed
+ in future OS releases.
+
+ Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
+
+ Closes #9575
+
+Patrick Monnerat (23 Sep 2022)
+
+- tool: remove dead code
+
+ Add a debug assertion to verify protocols included/excluded in a set
+ are always tokenized.
+
+ Follow-up to commit 677266c.
+
+ Closes #9576
+
+- lib: prepare the incoming of additional protocols
+
+ Move the curl_prot_t to its own conditional block. Introduce symbol
+ PROTO_TYPE_SMALL to control it.
+
+ Fix a cast in a curl_prot_t assignment.
+ Remove an outdated comment.
+
+ Follow-up to cd5ca80.
+
+ Closes #9534
+
+Daniel Stenberg (23 Sep 2022)
+
+- msh3: change the static_assert to make the code C89
+
+- bearssl: make it proper C89 compliant
+
+- curl-compilers.m4: for gcc + want warnings, set gnu89 standard
+
+ To better verify that the code is C89
+
+ Closes #9542
+
+Patrick Monnerat (22 Sep 2022)
+
+- lib517: fix C89 constant signedness
+
+ In C89, positive integer literals that overflow an int but not an
+ unsigned int may be understood as a negative int.
+
+ lib517.c:129:3: warning: this decimal constant is unsigned only in ISO C90
+ {"Sun, 06 Nov 2044 08:49:37 GMT", 2362034977 },
+ ^
+
+ Closes #9572
+
+Daniel Stenberg (22 Sep 2022)
+
+- mprintf: use snprintf if available
+
+ This is the single place in libcurl code where it uses the "native"
+ s(n)printf() function. Used for writing floats. The use has been
+ reviewed and vetted and uses a HUGE target buffer, but switching to
+ snprintf() still makes this safer and removes build-time warnings.
+
+ Reported-by: Philip Heiduck
+
+ Fixes #9569
+ Closes #9570
+
+- docs: tag curl options better in man pages
+
+ As it makes them links in the HTML versions.
+
+ Verified by the extended test 1176
+
+- symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6
+
+- manpage-syntax.pl: all libcurl option symbols should be \fI-tagged
+
+ ... as that makes them links to their corresponding man page.
+
+ This script is used for test 1173.
+
+ Closes #9574
+
+- RELEASE-NOTES: synced
+
+Patrick Monnerat (22 Sep 2022)
+
+- tool: remove protocol count limitation
+
+ Replace bit mask protocol sets by null-terminated arrays of protocol
+ tokens. These are the addresses of the protocol names returned by
+ curl_version_info().
+
+ Protocol names are sorted case-insensitively before output to satisfy CI
+ tests matches consistency.
+
+ The protocol list returned by curl_version_info() is augmented with all
+ RTMP protocol variants.
+
+ Test 1401 adjusted for new alpha ordered output.
+
+ Closes #9546
+
+Daniel Stenberg (22 Sep 2022)
+
+- test972: verify the output without using external tool
+
+ It seems too restrictive to assume and use an external tool to verify
+ the JSON. This now verifies the outut byte per byte. We could consider
+ building a local "JSON verifyer" in a future.
+
+ Remove 'jsonlint' from the CI job.
+
+ Reported-by: Marcel Raad
+ Fixes #9563
+ Closes #9564
+
+- hostip: lazily wait to figure out if IPv6 works until needed
+
+ The check may take many milliseconds, so now it is performed once the
+ value is first needed. Also, this change makes sure that the value is
+ not used if the resolve is set to be IPv4-only.
+
+ Closes #9553
+
+- curl.h: fix mention of wrong error code in comment
+
+ The same error and comment were also used and is now corrected in
+ CURLOPT_SSH_KEYFUNCTION.3
+
+- symbol-scan.pl: scan and verify .3 man pages
+
+ This script now also finds all .3 man pages in docs/include and
+ docs/include/opts, extracts all uses of CURL* symbols and verifies that all
+ symbols mentioned in docs are defined in public headers.
+
+ A "global symbol" is one of those matching a known prefix and the script make
+ s
+ an attempt to check all/most of them. Just using *all* symbols that match
+ CURL* proved matching a little too many other references as well and turned
+ difficult turning into something useful.
+
+ Closes #9544
+
+- symbols-in-versions: add missing LIBCURL* symbols
+
+- symbol-scan.pl: also check for LIBCURL* symbols
+
+ Closes #9544
+
+- docs/libcurl/symbols-in-versions: add several missing symbols
+
+- test1119: scan all public headers
+
+ Previously this test only scanned a subset of the headers, which made us
+ accidentally miss symbols that were provided in the others. Now, the script
+ iterates over all headers present in include/curl.
+
+ Closes #9544
+
+Patrick Monnerat (21 Sep 2022)
+
+- examples/chkspeed: improve portability
+
+ The example program chkspeed uses strncasecmp() which is not portable
+ across systems. Replace calls to this function by tests on characters.
+
+ Closes #9562
+
+Daniel Stenberg (21 Sep 2022)
+
+- easy: fix the #include order
+
+ The mentioned "last 3 includes" order should be respected. easy_lock.h should
+ be included before those three.
+
+ Reported-by: Yuriy Chernyshov
+ Fixes #9560
+ Closes #9561
+
+- docs: spellfixes
+
+ Pointed by the new CI job
+
+- GHA: spellcheck
+
+ This spellchecker checks markdown files. For this reason this job
+ converts all man pages in the repository to markdown with pandoc before
+ the check runs.
+
+ The perl script 'cleanspell' filters out details from the man page in
+ the process, to avoid the spellchecker trying to spellcheck things it
+ can't. Like curl specific symbols and the SYNOPSIS and EXAMPLE sections
+ of libcurl man pages.
+
+ The spell checker does not check words in sections that are within pre,
+ strong and em tags.
+
+ 'spellcheck.words' is a custom word list with additional accepted words.
+
+ Closes #9523
+
+- connect: fix the wrong error message on connect failures
+
+ The "Failed to connect to" message after a connection failure would
+ include the strerror message based on the presumed previous socket
+ error, but in times it seems that error number is not set when reaching
+ this code and therefore it would include the wrong error message.
+
+ The strerror message is now removed from here and the curl_easy_strerror
+ error is used instead.
+
+ Reported-by: Edoardo Lolletti
+ Fixes #9549
+ Closes #9554
+
+- httpput-postfields.c: shorten string for C89 compliance
+
+ httpput-postfields.c:41:3: error: string length ‘522’ is greater than the
+ length ‘509’ ISO C90 compilers are required to support [-Woverlength-str
+ ings]
+ 41 | "this chapter.";
+ | ^~~~~~~~~~~~~~~
+
+ Closes #9555
+
+- ws: fix a C89 compliance nit
+
+ Closes #9541
+
+Patrick Monnerat (21 Sep 2022)
+
+- unit test 1655: make it C89-compliant
+
+ Initializations performed in unit test 1655 use automatic variables in
+ aggregates and thus can only be computed at run-time. Using gcc in C89
+ dialect mode produces warning messages like:
+
+ unit1655.c:96:7: warning: initializer element is not computable at load time
+ [-Wpedantic]
+ 96 | { toolong, DOH_DNS_NAME_TOO_LONG }, /* expect early failure */
+ | ^~~~~~~
+
+ Fix the problem by converting these automatic pointer variables to
+ static arrays.
+
+ Closes #9551
+
+Tobias Schaefer (20 Sep 2022)
+
+- curl_strequal.3: fix typo
+
+ Closes #9548
+
+Dmitry Karpov (20 Sep 2022)
+
+- resolve: make forced IPv4 resolve only use A queries
+
+ This protects IPv4-only transfers from undesired bad IPv6-related side
+ effects and make IPv4 transfers in dual-stack libcurl behave the same
+ way as in IPv4 single-stack libcurl.
+
+ Closes #9540
+
+Daniel Stenberg (20 Sep 2022)
+
+- RELEASE-NOTES: synced
+
+- winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths
+
+ Patched-by: Mark Itzcovitz
+ Bug: https://curl.se/mail/lib-2022-09/0038.html
+
+ Closes #9536
+
+- TODO: Reduce CA certificate bundle reparsing
+
+ By adding some sort of cache.
+
+ Reported-by: Michael Drake
+ Closes #9379
+ Closes #9538
+
+Marc Hoersken (19 Sep 2022)
+
+- CI/GHA: cancel outdated CI runs on new PR changes
+
+ Avoid letting outdated CI runs continue if a PR receives
+ new changes. Outside a PR we let them continue running
+ by tying the concurrency to the commit hash instead.
+
+ Also only let one CodeQL or Hacktoberfest job run at a time.
+
+ Other CI platforms we use have this build in, but GitHub
+ unfortunately neither by default nor with a simple option.
+
+ This saves CI resources and therefore a little energy.
+
+ Approved-by: Daniel Stenberg
+ Approved-by: Max Dymond
+ Closes #9533
+
+Daniel Stenberg (19 Sep 2022)
+
+- docs: fix proselint complaints
+
+- GHA: run proselint on markdown files
+
+ Co-authored-by: Marc Hörsken
+
+ Closes #9520
+
+- lib: the number four in a sequence is the "fourth"
+
+ Spelling is hard
+
+ Closes #9535
+
+John Bampton (19 Sep 2022)
+
+- misc: fix spelling in two source files
+
+ Closes #9529
+
+Viktor Szakats (18 Sep 2022)
+
+- windows: add .rc support to autotools builds
+
+ After this update autotools builds will compile and link `.rc` resources
+ to Windows executables. Bringing this feature on par with CMake and
+ Makefile.m32 builds. And also making it unnecessary to improvise these
+ steps manually, while monkey patching build files, e.g. [0].
+
+ You can customize the resource compiler via the `RC` envvar, and its
+ options via `RCFLAGS`.
+
+ This harmless warning may appear throughout the build, even though the
+ autotools manual documents [1] `RC` as a valid tag, and it fails when
+ omitting one:
+ `libtool: error: ignoring unknown tag RC`
+
+ [0] https://github.com/curl/curl-for-win/blob/535f19060d4b708f72e75dd849409ce
+ 50baa1b84/curl-autotools.sh#L376-L382
+ [1] https://www.gnu.org/software/libtool/manual/html_node/Tags.html
+
+ Closes #9521
+
+Marc Hoersken (18 Sep 2022)
+
+- CI/linkcheck: only run if a Markdown file is changed
+
+ This saves CI resources and therefore a little energy.
+
+ Reviewed-by: Max Dymond
+ Closes #9531
+
+- README.md: add GHA status badges for Linux and macOS builds
+
+ This makes sense now that Linux builds are being consolidated.
+
+ Approved-by: Daniel Stenberg
+ Closes #9530
+
+ [skip ci]
+
+Daniel Stenberg (17 Sep 2022)
+
+- misc: null-terminate
+
+ Make use of this term consistently.
+
+ Closes #9527
+
+Marc Hoersken (17 Sep 2022)
+
+- CI/GHA: merge intel CC and more TLS libs into linux workflow
+
+ Continue work on merging all Linux workflows into one file.
+
+ Reviewed-by: Max Dymond
+ Follow up to #9501
+ Closes #9514
+
+Patrick Monnerat (17 Sep 2022)
+
+- lib1597: make it C89-compliant again
+
+ Automatic variable addresses cannot be used in an initialisation
+ aggregate.
+
+ Follow-up to 9d51329
+
+ Reported-by: Daniel Stenberg
+ Fixes: #9524
+ Closes #9525
+
+Daniel Stenberg (17 Sep 2022)
+
+- tool_libinfo: silence "different 'const' qualifiers" in qsort()
+
+ MSVC 15.0.30729.1 warned about it
+
+ Follow-up to dd2a024323dcc
+
+ Closes #9522
+
+Patrick Monnerat (16 Sep 2022)
+
+- docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR.
+
+ Disabled protocols are now handled as if they were unknown.
+ Also update the possible protocol list.
+
+- cli tool: do not use disabled protocols
+
+ As they are now rejected by the library, take care of not passing
+ disabled protocol names to CURLOPT_PROTOCOLS_STR and
+ CURLOPT_REDIR_PROTOCOLS_STR.
+
+ Rather than using the CURLPROTO_* constants, dynamically assign protocol
+ numbers based on the order they are listed by curl_version_info().
+
+ New type proto_set_t implements prototype bit masks: it should therefore
+ be large enough to accomodate all library-enabled protocols. If not,
+ protocol numbers beyond the bit count of proto_set_t are recognized but
+ "inaccessible": when used, a warning is displayed and the value is
+ ignored. Should proto_set_t overflows, enabled protocols are reordered to
+ force those having a public CURLPROTO_* representation to be accessible.
+
+ Code has been added to subordinate RTMP?* protocols to the presence of
+ RTMP in the enabled protocol list, being returned by curl_version_info()
+ or not.
+
+- setopt: use the handler table for protocol name to number conversions
+
+ This also returns error CURLE_UNSUPPORTED_PROTOCOL rather than
+ CURLE_BAD_FUNCTION_ARGUMENT when a listed protocol name is not found.
+
+ A new schemelen parameter is added to Curl_builtin_scheme() to support
+ this extended use.
+
+ Note that disabled protocols are not recognized anymore.
+
+ Tests adapted accordingly.
+
+ Closes #9472
+
+Daniel Stenberg (16 Sep 2022)
+
+- altsvc: use 'h3' for h3
+
+ Since the official and real version has been out for a while now and servers
+ are deployed out there using it, there is no point in sticking to h3-29.
+
+ Reported-by: ウさん
+ Fixes #9515
+ Closes #9516
+
+chemodax (16 Sep 2022)
+
+- winbuild: Use NMake batch-rules for compilation
+
+ - Invoke cl compiler once for each group of .c files.
+
+ This is significantly improves compilation time. For example in my
+ environment: 40 s --> 20 s.
+
+ Prior to this change cl was invoked per .c file.
+
+ Closes https://github.com/curl/curl/pull/9512
+
+Daniel Stenberg (16 Sep 2022)
+
+- ws: the infof() flags should be %zu
+
+ Follow-up to e5e9e0c5e49ae0
+
+ Closes #9518
+
+- curl: warn for --ssl use, considered insecure
+
+ Closes #9519
+
+Sergey Bronnikov (16 Sep 2022)
+
+- curl_escape.3: fix typo
+
+ lengthf -> length
+
+ Closes #9517
+
+Daniel Stenberg (16 Sep 2022)
+
+- mailmap: merge Philip Heiduck's two addresses into one
+
+- test1948: verify PUT + POST reusing the same handle
+
+ Reproduced #9507, verifies the fix
+
+- setopt: when POST is set, reset the 'upload' field
+
+ Reported-by: RobBotic1 on github
+ Fixes #9507
+ Closes #9511
+
+Marc Hoersken (15 Sep 2022)
+
+- github: initial CODEOWNERS setup for CI configuration
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Max Dymond
+
+ Closes #9505
+
+ [skip ci]
+
+Philip Heiduck (15 Sep 2022)
+
+- CI: optimize some more dependencies install
+
+ Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan>
+
+ Closes #9500
+
+Marc Hoersken (15 Sep 2022)
+
+- CI/GHA: merge event-based and NSS into new linux workflow
+
+ Continue work on merging all Linux workflows into one file.
+
+ Follow up to #9501
+ Closes #9506
+
+Daniel Stenberg (15 Sep 2022)
+
+- include/curl/websockets.h: add extern "C" for C++
+
+ Reported-by: n0name321 on github
+ Fixes #9509
+ Closes #9510
+
+- lib1560: extended to verify detect/reject of unknown schemes
+
+ ... when no guessing is allowed.
+
+- urlapi: detect scheme better when not guessing
+
+ When the parser is not allowed to guess scheme, it should consider the
+ word ending at the first colon to be the scheme, independently of number
+ of slashes.
+
+ The parser now checks that the scheme is known before it counts slashes,
+ to improve the error messge for URLs with unknown schemes and maybe no
+ slashes.
+
+ When following redirects, no scheme guessing is allowed and therefore
+ this change effectively prevents redirects to unknown schemes such as
+ "data".
+
+ Fixes #9503
+
+- strerror: improve two URL API error messages
+
+Marc Hoersken (14 Sep 2022)
+
+- CI/GHA: merge bearssl and hyper into initial linux workflow
+
+ Begin work on merging all Linux workflows into one file.
+
+ Closes #9501
+
+Daniel Stenberg (14 Sep 2022)
+
+- RELEASE-NOTES: synced
+
+- cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h
+
+ Since the config file might also get included by the tool code at times.
+ This syncs with how other builds do it.
+
+ Closes #9498
+
+- tool_hugehelp: make hugehelp a blank macro when disabled
+
+ Closes #9485
+
+- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
+
+ ... to improve the output in this situation. Now it doesn't say "option
+ unknown" anymore.
+
+ Closes #9485
+
+- setopt: fix compiler warning
+
+ Follow-up to cd5ca80f00d2
+
+ closes #9502
+
+Philip Heiduck (13 Sep 2022)
+
+- CI: skip make, do make install at once for dependencies
+
+ Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan>
+
+ Closes #9477
+
+Daniel Stenberg (13 Sep 2022)
+
+- formdata: typecast the va_arg return value
+
+ To avoid "enumerated type mixed with another type" warnings
+
+ Follow-up from 0f52dd5fd5aa3592691a
+
+ Closes #9499
+
+- RELEASE-PROCEDURE.md: mention patch releases
+
+ - When to make them and how to argue for them
+ - Refreshed the release date list
+
+ Closes #9495
+
+- urldata: use a curl_prot_t type for storing protocol bits
+
+ This internal-use-only storage type can be bumped to a curl_off_t once
+ we need to use bit 32 as the previous 'unsigned int' can no longer hold
+ them all then.
+
+ The websocket protocols take bit 30 and 31 so they are the last ones
+ that fit within 32 bits - but cannot properly be exported through APIs
+ since those use *signed* 32 bit types (long) in places.
+
+ Closes #9481
+
+zhanghu on xiaomi (13 Sep 2022)
+
+- formdata: fix warning: 'CURLformoption' is promoted to 'int'
+
+ curl/lib/formdata.c: In function 'FormAdd':
+ curl/lib/formdata.c:249:31: warning: 'CURLformoption' is promoted to 'int' wh
+ en passed through '...'
+ 249 | option = va_arg(params, CURLformoption);
+ | ^
+ curl/lib/formdata.c:249:31: note: (so you should pass 'int' not 'CURLformopti
+ on' to 'va_arg')
+ curl/lib/formdata.c:249:31: note: if this code is reached, the program will a
+ bort
+
+ Closes #9484
+
+Daniel Stenberg (13 Sep 2022)
+
+- CURLOPT_CONNECT_ONLY.3: for ws(s) as well
+
+ and correct the version number for when that support comes. Even if it
+ is still experimental for WebSocket.
+
+ Closes #9487
+
+- tool_operate: avoid a few #ifdefs for disabled-libcurl builds
+
+ By providing empty macros in the header file instead, the code gets
+ easier to read and yet is disabled on demand.
+
+ Closes #9486
+
+a1346054 on github (13 Sep 2022)
+
+- scripts: use `grep -E` instead of `egrep`
+
+ egrep is deprecated
+
+ Closes #9491
+
+Hayden Roche (13 Sep 2022)
+
+- wolfSSL: fix session management bug.
+
+ Prior to this commit, non-persistent pointers were being used to store
+ sessions. When a WOLFSSL object was then freed, that freed the session
+ it owned, and thus invalidated the pointer held in curl's cache. This
+ commit makes it so we get a persistent (deep copied) session pointer
+ that we then add to the cache. Accordingly, wolfssl_session_free, which
+ was previously a no-op, now needs to actually call SSL_SESSION_free.
+
+ This bug was discovered by a wolfSSL customer.
+
+ Closes #9492
+
+Daniel Stenberg (13 Sep 2022)
+
+- docs: use "WebSocket" in singular
+
+ This is how the RFC calls the protocol. Also rename the file in docs/ to
+ WEBSOCKET.md in uppercase to match how we have done it for many other
+ protocol docs in similar fashion.
+
+ Add the WebSocket docs to the tarball.
+
+ Closes #9496
+
+Marcel Raad (12 Sep 2022)
+
+- ws: fix build without `USE_WEBSOCKETS`
+
+ The curl.h include is required unconditionally.
+
+- ws: add missing curl.h include
+
+ A conflict between commits 664249d0952 and e5839f4ee70 broke the build.
+
+Daniel Stenberg (12 Sep 2022)
+
+- ws: fix an infof() call to use %uz for size_t output
+
+ Detected by Coverity, CID 1514665.
+
+ Closes #9480
+
+Marcel Raad (12 Sep 2022)
+
+- curl_setup: include only system.h instead of curl.h
+
+ As done before commit 9506d01ee50.
+
+ Ref: https://github.com/curl/curl/pull/9375#discussion_r957010158
+ Closes https://github.com/curl/curl/pull/9453
+
+- lib: add missing limits.h includes
+
+ Closes https://github.com/curl/curl/pull/9453
+
+- lib and tests: add missing curl.h includes
+
+ Closes https://github.com/curl/curl/pull/9453
+
+- curl_setup: include curl.h after platform setup headers
+
+ The platform setup headers might set definitions required for the
+ includes in curl.h.
+
+ Ref: https://github.com/curl/curl/pull/9375#discussion_r956998269
+ Closes https://github.com/curl/curl/pull/9453
+
+Benjamin Loison (12 Sep 2022)
+
+- docs: correct missing uppercase in Markdown files
+
+ To detect these typos I used:
+
+ ```
+ clear && grep -rn '\. [a-z]' . | uniq | grep -v '\. lib' | grep -v '[0-9]\. [
+ a-z]' | grep -v '\.\. [a-z]' | grep -v '\. curl' | grep -v 'e.g. [a-z]' | gre
+ p -v 'eg. [a-z]' | grep -v '\etc. [a-z]' | grep -v 'i.e\. [a-z]' | grep --col
+ or=always '\. [a-z]' | grep '\.md'
+ ```
+
+ Closes #9474
+
+Daniel Stenberg (12 Sep 2022)
+
+- tool_setopt: use better English in --libcurl source comments
+
+ Like this:
+
+ XYZ was set to an object pointer
+ ABC was set to a function pointer
+
+ Closes #9475
+
+- setopt: make protocol2num use a curl_off_t for the protocol bit
+
+ ... since WSS does not fit within 32 bit.
+
+ Bug: https://github.com/curl/curl/pull/9467#issuecomment-1243014887
+ Closes #9476
+
+- RELEASE-NOTES: synced
+
+- configure: polish the grep -E message a bit further
+
+ Suggested-by: Emanuele Torre
+ Closes #9473
+
+- GHA: add a gcc-11 -O3 build using OpenSSL
+
+ Since -O3 might trigger other warnings
+
+ Closes #9454
+
+Patrick Monnerat (11 Sep 2022)
+
+- content_encoding: use writer struct subclasses for different encodings
+
+ The variable-sized encoding-specific storage of a struct contenc_writer
+ currently relies on void * alignment that may be insufficient with
+ regards to the specific storage fields, although having not caused any
+ problems yet.
+
+ In addition, gcc 11.3 issues a warning on access to fields of partially
+ allocated structures that can occur when the specific storage size is 0:
+
+ content_encoding.c: In function ‘Curl_build_unencoding_stack’:
+ content_encoding.c:980:21: warning: array subscript ‘struct contenc_write
+ r[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Warray-bo
+ unds]
+ 980 | writer->handler = handler;
+ | ~~~~~~~~~~~~~~~~^~~~~~~~~
+ In file included from content_encoding.c:49:
+ memdebug.h:115:29: note: referencing an object of size 16 allocated by ‘c
+ url_dbg_calloc’
+ 115 | #define calloc(nbelem,size) curl_dbg_calloc(nbelem, size, __LINE__,
+ __FILE__)
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~~~~~~~~~~
+ content_encoding.c:977:60: note: in expansion of macro ‘calloc’
+ 977 | struct contenc_writer *writer = (struct contenc_writer *)calloc(1
+ , sz);
+
+ To solve both these problems, the current commit replaces the
+ contenc_writer/params structure pairs by "subclasses" of struct
+ contenc_writer. These are structures that contain a contenc_writer at
+ offset 0. Proper field alignment is therefore handled by the compiler and
+ full structure allocation is performed, silencing the warnings.
+
+ Closes #9455
+
+Daniel Stenberg (11 Sep 2022)
+
+- configure: correct the wording when checking grep -E
+
+ The check first checks that grep -E works, and only as a fallback tries
+ to find and use egrep. egrep is deprecated.
+
+ This change only corrects the output wording, not the checks themselves.
+
+ Closes #9471
+
+Viktor Szakats (10 Sep 2022)
+
+- websockets: sync prototypes in docs with implementation [ci skip]
+
+ Docs for the new send/recv functions synced with the committed versions
+ of these.
+
+ Closes #9470
+
+Daniel Stenberg (10 Sep 2022)
+
+- setopt: make protocols2num() work with websockets
+
+ So that CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR can
+ specify those as well.
+
+ Reported-by: Patrick Monnerat
+ Bug: https://curl.se/mail/lib-2022-09/0016.html
+ Closes #9467
+
+- curl/websockets.h: remove leftover bad typedef
+
+ Just a leftover trace of a development thing that did not stay like
+ that.
+
+ Reported-by: Marc Hörsken
+ Fixes #9465
+ Cloes #9466
+
+Orgad Shaneh (10 Sep 2022)
+
+- fix Cygwin/MSYS compilation
+
+ _getpid is Windows API. On Cygwin variants it should remain getpid.
+
+ Fixes #8220
+ Closes #9255
+
+Marc Hoersken (10 Sep 2022)
+
+- GHA: prepare workflow merge by aligning structure again
+
+ Closes #9413
+
+Daniel Stenberg (9 Sep 2022)
+
+- docs: the websockets symbols are added in 7.86.0
+
+ Nothing else
+
+ Closes #9459
+
+- tests/libtest/Makefile.inc: fixup merge conflict mistake
+
+- EXPERIMENTAL.md: add WebSockets
+
+- appveyor: enable websockets
+
+- cirrus: enable websockets in the windows builds
+
+- GHA: add websockets to macos, openssl3 and hyper builds
+
+- tests: add websockets tests
+
+ - add websockets support to sws
+ - 2300: first very basic websockets test
+ - 2301: first libcurl test for ws (not working yet)
+ - 2302: use the ws callback
+ - 2303: test refused upgrade
+
+- curl_ws_meta: initial implementation
+
+- curl_ws_meta.3: added docs
+
+- ws: initial websockets support
+
+ Closes #8995
+
+- version: add ws + wss
+
+- libtest/lib1560: test basic websocket URL parsing
+
+- configure: add --enable-websockets
+
+- docs/WebSockets.md: docs
+
+- test415: verify Content-Length parser with control code + negative value
+
+- strtoofft: after space, there cannot be a control code
+
+ With the change from ISSPACE() to ISBLANK() this function no longer
+ deals with (ignores) control codes the same way, which could lead to
+ this function returning unexpected values like in the case of
+ "Content-Length: \r-12354".
+
+ Follow-up to 6f9fb7ec2d7cb389a0da5
+
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51140
+ Assisted-by: Max Dymond
+ Closes #9458
+
+- headers: reset the requests counter at transfer start
+
+ If not, reusing an easy handle to do a subsequent transfer would
+ continue the counter from the previous invoke, which then would make use
+ of the header API difficult/impossible as the request counter
+ mismatched.
+
+ Add libtest 1947 to verify.
+
+ Reported-by: Andrew Lambert
+ Fixes #9424
+ Closes #9447
+
+Jay Satiro (8 Sep 2022)
+
+- header: define public API functions as extern c
+
+ Prior to this change linker errors would occur if curl_easy_header or
+ curl_easy_nextheader was called from a C++ unit.
+
+ Bug: https://github.com/curl/curl/issues/9424#issuecomment-1238818007
+ Reported-by: Andrew Lambert
+
+ Closes https://github.com/curl/curl/pull/9446
+
+Daniel Stenberg (8 Sep 2022)
+
+- http2: make nghttp2 less picky about field whitespace
+
+ In nghttp2 1.49.0 it returns error on leading and trailing whitespace in
+ header fields according to language in the recently shipped RFC 9113.
+
+ nghttp2 1.50.0 introduces an option to switch off this strict check and
+ this change enables this option by default which should make curl behave
+ more similar to how it did with nghttp2 1.48.0 and earlier.
+
+ We might want to consider making this an option in the future.
+
+ Closes #9448
+
+- RELEASE-NOTES: synced
+
+ And bump to 7.86.0 for the pending next release
+
+Michael Heimpold (7 Sep 2022)
+
+- ftp: ignore a 550 response to MDTM
+
+ The 550 is overused as a return code for multiple error case, e.g.
+ file not found and/or insufficient permissions to access the file.
+
+ So we cannot fail hard in this case.
+
+ Adjust test 511 since we now fail later.
+ Add new test 3027 which check that when MDTM failed, but the file could
+ actually be retrieved, that in this case no filetime is provided.
+
+ Reported-by: Michael Heimpold
+ Fixes #9357
+ Closes #9387
+
+Daniel Stenberg (7 Sep 2022)
+
+- urlapi: leaner with fewer allocs
+
+ Slightly faster with more robust code. Uses fewer and smaller mallocs.
+
+ - remove two fields from the URL handle struct
+ - reduce copies and allocs
+ - use dynbuf buffers more instead of custom malloc + copies
+ - uses dynbuf to build the host name in reduces serial alloc+free within
+ the same function.
+ - move dedotdotify into urlapi.c and make it static, not strdup the input
+ and optimize it by checking for . and / before using strncmp
+ - remove a few strlen() calls
+ - add Curl_dyn_setlen() that can "trim" an existing dynbuf
+
+ Closes #9408
+
+Jay Satiro (7 Sep 2022)
+
+- setup-win32: no longer define UNICODE/_UNICODE implicitly
+
+ - If UNICODE or _UNICODE is defined but the other isn't then error
+ instead of implicitly defining it.
+
+ As Marcel pointed out it is too late at this point to make such a define
+ because Windows headers may already be included, so likely it never
+ worked. We never noticed because build systems that can make Windows
+ Unicode builds always define both. If one is defined but not the other
+ then something went wrong during the build configuration.
+
+ Bug: https://github.com/curl/curl/pull/9375#discussion_r956545272
+ Reported-by: Marcel Raad
+
+ Closes https://github.com/curl/curl/pull/9384
+
+Dan Fandrich (6 Sep 2022)
+
+- tests: fix tag syntax errors in test files
+
+Marc Hoersken (6 Sep 2022)
+
+- lib: add required Win32 setup definitions in setup-win32.h
+
+ Assisted-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+
+ Follow up to #9312
+ Closes #9375
+
+Daniel Stenberg (6 Sep 2022)
+
+- pingpong: extend the response reading error with errno
+
+ To help diagnosing the cause of the problem.
+
+ See #9380
+ Closes #9443
+
+- curl-compilers.m4: use -O2 as default optimize for clang
+
+ Not -Os
+
+ Closes #9444
+
+- tool_operate: fix msnprintfing the error message
+
+ Follow-up to 7be53774c41c59b47075fba
+
+ Coverity CID 1513717 pointed out that we cannot use sizeof() on the
+ error buffer anymore.
+
+ Closes #9440
+
+Emanuele Torre (6 Sep 2022)
+
+- curl_ctype: add space around <= operator in ISSPACE macro
+
+ Follow-up to f65f750
+
+ Closes #9441
+
+Daniel Stenberg (6 Sep 2022)
+
+- CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies
+
+ The 'protocols' listed were previously wrong.
+
+ Reported-by: ProceduralMan on github
+ Fixes #9434
+ Closes #9435
+
+- curl_ctype: convert to macros-only
+
+ This no longer provide functions, only macros. Runs faster and produces
+ smaller output.
+
+ The biggest precaution this change brings:
+
+ DO NOT use post/pre-increments when passing arguments to the macros.
+
+ Closes #9429
+
+- misc: ISSPACE() => ISBLANK()
+
+ Instances of ISSPACE() use that should rather use ISBLANK(). I think
+ somewhat carelessly used because it sounds as if it checks for space or
+ whitespace, but also includes %0a to %0d.
+
+ For parsing purposes, we should only accept what we must and not be
+ overly liberal. It leads to surprises and surprises lead to bad things.
+
+ Closes #9432
+
+- ctype: remove all use of <ctype.h>, use our own versions
+
+ Except in the test servers.
+
+ Closes #9433
+
+Marc Hoersken (5 Sep 2022)
+
+- cmake: skip superfluous hex2dec conversion using math expr
+
+ CMake seems to be able to compare two hex values just fine.
+ Also make sure CURL_TARGET_WINDOWS_VERSION is respected.
+
+ Assisted-by: Marcel Raad
+ Reviewed-by: Viktor Szakats
+ Reported-by: Keitagit-kun on github
+
+ Follow up to #9312
+ Fixes #9406
+ Closes #9411
+
+Daniel Stenberg (5 Sep 2022)
+
+- curl_easy_pause.3: unpausing is as fast as possible
+
+ Reported-by: ssdbest on github
+ Fixes #9410
+ Closes #9430
+
+- CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols
+
+ Except file.
+
+ Reported-by: ProceduralMan on github
+ Fixes #9427
+ Closes #9428
+
+- NPN: remove support for and use of
+
+ Next Protocol Negotiation is a TLS extension that was created and used
+ for agreeing to use the SPDY protocol (the precursor to HTTP/2) for
+ HTTPS. In the early days of HTTP/2, before the spec was finalized and
+ shipped, the protocol could be enabled using this extension with some
+ servers.
+
+ curl supports the NPN extension with some TLS backends since then, with
+ a command line option `--npn` and in libcurl with
+ `CURLOPT_SSL_ENABLE_NPN`.
+
+ HTTP/2 proper is made to use the ALPN (Application-Layer Protocol
+ Negotiation) extension and the NPN extension has no purposes
+ anymore. The HTTP/2 spec was published in May 2015.
+
+ Today, use of NPN in the wild should be extremely rare and most likely
+ totally extinct. Chrome removed NPN support in Chrome 51, shipped in
+ June 2016. Removed in Firefox 53, April 2017.
+
+ Closes #9307
+
+- RELEASE-NOTES: synced
+
+ and bump the tentative next release version to 7.85.1
+
+Samuel Henrique (4 Sep 2022)
+
+- configure: fail if '--without-ssl' + explicit parameter for an ssl lib
+
+ A side effect of a previous change to configure (576e507c78bdd2ec88)
+ exposed a non-critical issue that can happen if configure is called with
+ both '--without-ssl' and some parameter setting the use of a ssl library
+ (e.g. --with-gnutls). The configure script would end up assuming this is
+ a MultiSSL build, due to the way the case statement is written.
+
+ I have changed the order of the variables in the string concatenation
+ for the case statement and also tweaked the options so that
+ --without-ssl never turns the build into a MultiSSL one and also clearly
+ stating that there are conflicting parameters if the user sets it like
+ described above.
+
+ Closes #9414
+
+Daniel Stenberg (4 Sep 2022)
+
+- tests/certs/scripts: insert standard curl source headers
+
+ ... including the SPDX-License-Identifier.
+
+ These omissions were not detected by the RUEUSE CI job nor the copyright.pl
+ scanners because we have a general wildcard in .reuse/dep5 for
+ "tests/certs/*".
+
+ Reported-by: Samuel Henrique
+ Fixes #9417
+ Closes #9420
+
+Samuel Henrique (2 Sep 2022)
+
+- docs: remove mentions of deprecated '--without-openssl' config parameter
+
+ Closes #9415
+
+- manpages: Fix spelling of "allows to" -> "allows one to"
+
+ References:
+ https://salsa.debian.org/lintian/lintian/-/blob/master/tags/t/typo-in-manual
+ -page.tag
+ https://english.stackexchange.com/questions/60271/grammatical-complements-fo
+ r-allow/60285#60285
+
+ Closes #9419
+
+- CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes
+
+ Lintian (on Debian) has been complaining about this for a while but
+ I didn't bother initially as the groff parser that we use is not
+ affected by this.
+
+ But I have now noticed that the online manpage is affected by it:
+ https://curl.se/libcurl/c/CURLOPT_WILDCARDMATCH.html
+
+ (I'm using double quotes for quoting-only down below)
+
+ The section that should be parsed as "'\'" ends up being parsed as
+ "'´".
+
+ This is due to roffit not parsing "'\\'" correctly, which is fine
+ as the "correct" way of writing "'\'" is "'\e'" instead.
+
+ Note that this fix is not enough to fix the online manpage at
+ curl's website, as roffit seems to parse it wrongly either way.
+
+ My intent is to at least fix the manpage so that roffit can
+ be changed to parse "'\e'" correctly (although I suggest making
+ roffit parse both ways correctly, since that's what groff does).
+
+ More details at:
+ https://bugs.debian.org/966803
+ https://salsa.debian.org/lintian/lintian/-/blob/930b18e4b28b7540253f458ef42a
+ 884cca7965c3/tags/a/acute-accent-in-manual-page.tag
+
+ Closes #9418
+
+Daniel Stenberg (1 Sep 2022)
+
+- tool_operate: reduce errorbuffer allocs
+
+ - parallel transfers: only alloc and keep errorbuffers in memory for
+ actual "live" transfers and not for the ones in the pending queue
+
+ - serial transfers: reuse the same fixed buffer for all transfers, not
+ allocated at all.
+
+ Closes #9394
+
+Viktor Szakats (31 Aug 2022)
+
+- misc: spelling fixes
+
+ Found using codespell 2.2.1.
+
+ Also delete the redundant protocol designator from an archive.org URL.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9403
+
+Daniel Stenberg (31 Aug 2022)
+
+- tool_progress: remove 'Qd' from the parallel progress bar
+
+ The "queued" value is no longer showing anything useful to the user. It
+ is an internal number of transfers waiting at that moment.
+
+ Closes #9389
+
+- tool_operate: prevent over-queuing in parallel mode
+
+ When doing a huge amount of parallel transfers, we must not add them to
+ the per_transfer list frivolously since they all use memory after all.
+ This was previous done without really considering millions or billions
+ of transfers. Massive parallelism would use a lot of memory for no good
+ purpose.
+
+ The queue is now limited to twice the paralleism number.
+
+ This makes the 'Qd' value in the parallel progress meter mostly useless
+ for users, but works for now for us as a debug display.
+
+ Reported-by: justchen1369 on github
+ Fixes #8933
+ Closes #9389
+
+Viktor Szakats (31 Aug 2022)
+
+- cmake: fix original MinGW builds
+
+ 1. Re-enable `HAVE_GETADDRINFO` detection on Windows
+
+ Commit d08ee3c83d6bd416aef62ff844c98e47c4682429 (in 2013) added logic
+ that automatically assumed `getaddrinfo()` to be present for builds
+ with IPv6 enabled. As it turns out, certain toolchains (e.g. original
+ MinGW) by default target older Windows versions, and thus do not
+ support `getaddrinfo()` out of the box. The issue was masked for
+ a while by CMake builds forcing a newer Windows version, but that
+ logic got deleted in commit 8ba22ffb2030ed91312fc8634e29516cdf0a9761.
+ Since then, some CI builds started failing due to IPv6 enabled,
+ `HAVE_GETADDRINFO` set, but `getaddrinfo()` in fact missing.
+
+ It also turns out that IPv6 works without `getaddrinfo()` since commit
+ 67a08dca27a6a07b36c7f97252e284ca957ff1a5 (from 2019, via #4662). So,
+ to resolve all this, we can now revert the initial commit, thus
+ restoring `getaddrinfo()` detection and support IPv6 regardless of its
+ outcome.
+
+ Reported-by: Daniel Stenberg
+
+ 2. Omit `bcrypt` with original MinGW
+
+ Original (aka legacy/old) MinGW versions do not support `bcrypt`
+ (introduced with Vista). We already have logic to handle that in
+ `lib/rand.c` and autotools builds, where we do not call the
+ unsupported API and do not link `bcrypt`, respectively, when using
+ original MinGW.
+
+ This patch ports that logic to CMake, fixing the link error:
+ `c:/mingw/bin/../lib/gcc/mingw32/9.2.0/../../../../mingw32/bin/ld.exe: can
+ not find -lbcrypt`
+
+ Ref: https://ci.appveyor.com/project/curlorg/curl/builds/44624888/job/40vl
+ e84cn4vle7s0#L508
+ Regression since 76172511e7adcf720f4c77bd91f49278300ec97e
+
+ Fixes #9214
+ Fixes #9393
+ Fixes #9395
+ Closes #9396
+
+Version 7.85.0 (31 Aug 2022)
+
+Daniel Stenberg (31 Aug 2022)
+
+- RELEASE-NOTES: synced
+
+ curl 7.85.0 release
+
+- THANKS: add contributors from the 7.85.0 release
+
+- getparam: correctly clean args
+
+ Follow-up to bf7e887b2442783ab52
+
+ The previous fix for #9128 was incomplete and caused #9397.
+
+ Fixes #9397
+ Closes #9399
+
+- zuul: remove the clang-tidy job
+
+ Turns out we don't see the warnings, but the warnings right now are
+ plain ridiculous and unhelpful so we can just as well just kill this
+ job.
+
+ Closes #9390
+
+- cmake: set feature PSL if present
+
+ ... make test 1014 pass when libpsl is used.
+
+ Closes #9391
+
+- lib530: simplify realloc failure exit path
+
+ To make code analyzers happier
+
+ Closes #9392
+
+Orgad Shaneh (29 Aug 2022)
+
+- tests: add tests for netrc login/password combinations
+
+ Covers the following PRs:
+
+ - #9066
+ - #9247
+ - #9248
+
+ Closes #9256
+
+- url: really use the user provided in the url when netrc entry exists
+
+ If the user is specified as part of the URL, and the same user exists
+ in .netrc, Authorization header was not sent at all.
+
+ The user and password fields were assigned in conn->user and password
+ but the user was not assigned to data->state.aptr, which is the field
+ that is used in output_auth_headers and friends.
+
+ Fix by assigning the user also to aptr.
+
+ Amends commit d1237ac906ae7e3cd7a22c3a2d3a135a97edfbf5.
+
+ Fixes #9243
+
+- netrc: Use the password from lines without login
+
+ If netrc entry has password with empty login, use it for any username.
+
+ Example:
+ .netrc:
+ machine example.com password 123456
+
+ curl -vn http://user@example.com/
+
+ Fix it by initializing state_our_login to TRUE, and reset it only when
+ finding an entry with the same host and different login.
+
+ Closes #9248
+
+Jay Satiro (29 Aug 2022)
+
+- url: treat missing usernames in netrc as empty
+
+ - If, after parsing netrc, there is a password with no username then
+ set a blank username.
+
+ This used to be the case prior to 7d600ad (precedes 7.82). Note
+ parseurlandfillconn already does the same thing for URLs.
+
+ Reported-by: Raivis <standsed@users.noreply.github.com>
+ Testing-by: Domen Kožar
+
+ Fixes https://github.com/curl/curl/issues/8653
+ Closes #9334
+ Closes #9066
+
+Daniel Stenberg (29 Aug 2022)
+
+- test8: verify that "ctrl-byte cookies" are ignored
+
+- cookie: reject cookies with "control bytes"
+
+ Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+ Reported-by: Axel Chong
+
+ Bug: https://curl.se/docs/CVE-2022-35252.html
+
+ CVE-2022-35252
+
+ Closes #9381
+
+- libssh: ignore deprecation warnings
+
+ libssh 0.10.0 marks all SCP functions as "deprecated" which causes
+ compiler warnings and errors in our CI jobs and elsewhere. Ignore
+ deprecation warnings if 0.10.0 or later is found in the build.
+
+ If they actually remove the functions at a later point, then someone can
+ deal with that pain and functionality break then.
+
+ Fixes #9382
+ Closes #9383
+
+- Revert "schannel: when importing PFX, disable key persistence"
+
+ This reverts commit 70d010d285315e5f1cad6bdb4953e167b069b692.
+
+ Due to further reports in #9300 that indicate this commit might
+ introduce problems.
+
+- multi: use larger dns hash table for multi interface
+
+ Have curl_multi_init() use a much larger DNS hash table than used for
+ the easy interface to scale and perform better when used with _many_
+ host names.
+
+ curl_share_init() sets an in-between size.
+
+ Inspired-by: Ivan Tsybulin
+ See #9340
+ Closes #9376
+
+Marc Hoersken (28 Aug 2022)
+
+- CI/runtests.pl: add param for dedicated curl to talk to APIs
+
+ This should make it possible to also report test failures
+ if our freshly build curl binary is not fully functional.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9360
+
+Jacob Tolar (27 Aug 2022)
+
+- openssl: add cert path in error message
+
+ Closes #9349
+
+- cert.d: clarify that escape character works for file paths
+
+ Closes #9349
+
+Daniel Stenberg (27 Aug 2022)
+
+- gha: move over ngtcp2-gnutls CI job from zuul
+
+ Closes #9331
+
+Marc Hoersken (26 Aug 2022)
+
+- cmake: add detection of threadsafe feature
+
+ Avoids failing test 1014 by replicating configure checks
+ for HAVE_ATOMIC and _WIN32_WINNT with custom CMake tests.
+
+ Reviewed-by: Marcel Raad
+
+ Follow up to #8680
+ Closes #9312
+
+Daniel Stenberg (26 Aug 2022)
+
+- RELEASE-NOTES: synced
+
+Marc Hoersken (26 Aug 2022)
+
+- CI/azure: align torture shallowness with GHA
+
+ There 25 is used with FTP tests skipped, and 20 for FTP tests.
+ This should make torture tests stay within the 60min timeout.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9371
+
+- multi_wait: fix and improve Curl_poll error handling on Windows
+
+ First check for errors and return CURLM_UNRECOVERABLE_POLL
+ before moving forward and waiting on socket readiness events.
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+
+ Reported-by: Daniel Stenberg
+ Ref: #9361
+
+ Follow up to #8961
+ Closes #9372
+
+- multi_wait: fix skipping to populate revents for extra_fds
+
+ On Windows revents was not populated for extra_fds if
+ multi_wait had to wait due to the Curl_poll pre-check
+ not signalling any readiness. This commit fixes that.
+
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Jay Satiro
+
+ Closes #9361
+
+- CI/appveyor: disable TLS in msys2-native autotools builds
+
+ Schannel cannot be used from msys2-native Linux-emulated builds.
+
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Daniel Stenberg
+
+ Follow up to #9367
+ Closes #9370
+
+Jay Satiro (25 Aug 2022)
+
+- tests: fix http2 tests to use CRLF headers
+
+ Prior to this change some tests that rely on nghttpx proxy did not use
+ CRLF headers everywhere. A recent change in nghttp2, which updated its
+ version of llhttp (HTTP parser), requires curl's HTTP/1.1 test server to
+ use CRLF headers.
+
+ Ref: https://github.com/nghttp2/nghttp2/commit/9d389e8
+
+ Fixes https://github.com/curl/curl/issues/9364
+ Closes https://github.com/curl/curl/pull/9365
+
+rcombs (25 Aug 2022)
+
+- multi: use a pipe instead of a socketpair on apple platforms
+
+ Sockets may be shut down by the kernel when the app is moved to the
+ background, but pipes are not.
+
+ Removed from KNOWN_BUGS
+
+ Fixes #6132
+ Closes #9368
+
+Somnath Kundu (25 Aug 2022)
+
+- libssh2: provide symlink name in SFTP dir listing
+
+ When reading the symbolic link name for a file, we need to add the file
+ name to base path name.
+
+ Closes #9369
+
+Daniel Stenberg (25 Aug 2022)
+
+- configure: if asked to use TLS, fail if no TLS lib was detected
+
+ Previously the configure script would just warn about this fact and
+ continue with TLS disabled build which is not always helpful. TLS should
+ be explicitly disabled if that is what the user wants.
+
+ Closes #9367
+
+Dustin Howett (25 Aug 2022)
+
+- schannel: when importing PFX, disable key persistence
+
+ By default, the PFXImportCertStore API persists the key in the user's
+ key store (as though the certificate was being imported for permanent,
+ ongoing use.)
+
+ The documentation specifies that keys that are not to be persisted
+ should be imported with the flag `PKCS12_NO_PERSIST_KEY`.
+ NOTE: this flag is only supported on versions of Windows newer than XP
+ and Server 2003.
+
+ Fixes #9300
+ Closes #9363
+
+Daniel Stenberg (23 Aug 2022)
+
+- unit1303: four tests should have TRUE for 'connecting'
+
+ To match the comments.
+
+ Reported-by: Wu Zheng
+
+ See #9355
+ Closes #9356
+
+- CURLOPT_BUFFERSIZE.3: add upload buffersize to see also
+
+ Closes #9354
+
+Fabian Fischer (23 Aug 2022)
+
+- HTTP3.md: add missing autoreconf command for building with wolfssl
+
+ Closes #9353
+
+Daniel Stenberg (23 Aug 2022)
+
+- RELEASE-NOTES: synced
+
+- multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
+
+ Ẃhen it has been used in the multi interface, it is otherwise left in
+ the connection cache, can't be reused and nothing will close them since
+ the easy handle loses the association with the multi handle and thus the
+ connection cache - until the multi handle is closed or it gets pruned
+ because the cache is full.
+
+ Reported-by: Dominik Thalhammer
+ Fixes #9335
+ Closes #9342
+
+- docs/cmdline-opts: remove \& escapes from all .d files
+
+ gen.pl escapes them itself now
+
+- docs/cmdline-opts/gen.pl: encode leading single and double quotes
+
+ As "(aq" and "(dq" to prevent them from implying a meaning in the nroff
+ output. This removes the need for using \& escapes in the .d files'
+ description parts.
+
+ Closes #9352
+
+Marc Hoersken (23 Aug 2022)
+
+- tests/server/sockfilt.c: avoid race condition without a mutex
+
+ Avoid loosing any triggered handles by first aborting and joining
+ the waiting threads before evaluating the individual signal state.
+
+ This removes the race condition and therefore need for a mutex.
+
+ Closes #9023
+
+Emil Engler (22 Aug 2022)
+
+- url: output the maximum when rejecting a url
+
+ This commit changes the failf message to output the maximum length, when
+ curl refuses to process a URL because it is too long.
+
+ See: #9317
+ Closes: #9327
+
+Chris Paulson-Ellis (22 Aug 2022)
+
+- configure: fix broken m4 syntax in TLS options
+
+ Commit b589696f added lines to some shell within AC_ARG_WITH macros, but
+ inadvertently failed to move the final closing ).
+
+ Quote the script section using braces.
+
+ So, if these problems have been around for a while, how did I find them?
+ Only because I did a configure including these options:
+
+ $ ./configure --with-openssl --without-rustls
+ SSL: enabled (OpenSSL)
+
+ Closes #9344
+
+Daniel Stenberg (18 Aug 2022)
+
+- tests/data/CMakeLists: remove making the 'show' makefile target
+
+ It is not used by runtests since 3c0f462
+
+ Closes #9333
+
+- tests/data/Makefile: remove 'filecheck' target
+
+ No practical use anymore since 3c0f4622cdfd6
+
+ Closes #9332
+
+- libssh2: make atime/mtime date overflow return error
+
+ Closes #9328
+
+- libssh: make atime/mtime date overflow return error
+
+ Closes #9328
+
+- examples/curlx.c: remove
+
+ This example is a bit convoluted to use as an example, combined with the
+ special license for it makes it unsuitable.
+
+ Closes #9330
+
+Tobias Nygren (17 Aug 2022)
+
+- curl.h: include <sys/select.h> on SunOS
+
+ It is needed for fd_set to be visible to downstream consumers that use
+ <curl/multi.h>. Header is known to exist at least as far back as Solaris
+ 2.6.
+
+ Closes #9329
+
+Daniel Stenberg (17 Aug 2022)
+
+- DEPRECATE.md: push the NSS deprecation date forward one year to 2023
+
+ URL: https://curl.se/mail/lib-2022-08/0016.html
+
+- libssh2: setting atime or mtime >32bit on 4-bytes-long systems
+
+ Since the libssh2 API uses 'long' to store the timestamp, it cannot
+ transfer >32bit times on Windows and 32bit architecture builds.
+
+ Avoid nasty surprises by instead not setting such time.
+
+ Spotted by Coverity
+
+ Closes #9325
+
+- libssh: setting atime or mtime > 32bit is now just skipped
+
+ The libssh API used caps the time to an unsigned 32bit variable. Avoid
+ nasty surprises by instead not setting such time.
+
+ Spotted by Coverity.
+
+ Closes #9324
+
+Jay Satiro (16 Aug 2022)
+
+- KNOWN_BUGS: Windows Unicode builds use homedir in current locale
+
+ Bug: https://github.com/curl/curl/pull/7252
+ Reported-by: dEajL3kA@users.noreply.github.com
+
+ Ref: https://github.com/curl/curl/pull/7281
+
+ Closes https://github.com/curl/curl/pull/9305
+
+Daniel Stenberg (16 Aug 2022)
+
+- test399: switch it to use a config file instead
+
+ ... as using a 65535 bytes host name in a URL does not fit on the
+ command line on some systems - like Windows.
+
+ Reported-by: Marcel Raad
+ Fixes #9321
+ Closes #9322
+
+- RELEASE-NOTES: synced
+
+- asyn-ares: make a single alloc out of hostname + async data
+
+ This saves one alloc per name resolve and simplifies the exit path.
+
+ Closes #9310
+
+- Curl_close: call Curl_resolver_cancel to avoid memory-leak
+
+ There might be a pending (c-ares) resolve that isn't free'd up yet.
+
+ Closes #9310
+
+- asyn-thread: fix socket leak on OOM
+
+ Closes #9310
+
+- GHA: mv CI torture test from Zuul
+
+ Closes #9310
+
+- ngtcp2-wolfssl.yml: add GHA to build ngtcp2 + wolfSSL
+
+ Closes #9318
+
+- test399: verify check of too long host name
+
+- url: reject URLs with hostnames longer than 65535 bytes
+
+ It *probably* causes other problems too since DNS can't resolve such
+ long names, but the SNI field in TLS is limited to 16 bits length.
+
+ Closes #9317
+
+- curl_multi_perform.3: minor language fix
+
+ Closes #9316
+
+- ngtcp2: fix picky compiler warnings with wolfSSL for QUIC
+
+ Follow-up to 8a13be227eede2
+
+ Closes #9315
+
+- ngtcp2: remove leftover variable
+
+ Mistake leftover from my edit before push.
+
+ Follow-up from 8a13be227eede2601c2b3b
+ Reported-by: Viktor Szakats
+ Bug: https://github.com/curl/curl/pull/9290#issuecomment-1214569167
+
+Viktor Szakats (15 Aug 2022)
+
+- Makefile.m32: allow -nghttp3/-ngtcp2 without -ssl [ci skip]
+
+ Before this patch `-nghttp3`/`-ngtcp2` had an effect only when `-ssl`
+ was also enabled. `-ssl` meaning OpenSSL (and its forks). After
+ 8a13be227eede2601c2b3b1c63e08b3dc9b35dd5 nghttp3/ngtcp2 can also be
+ used together with wolfSSL. This patch adds the ability to enable
+ `-nghttp3`/`-ngtcp2` independently from `-ssl` (OpenSSL), allowing to
+ use it with wolfSSL or other, future TLS backends.
+
+ Before this patch, it was fine to enable `-nghttp3`/`-ngtcp2`
+ unconditionally. After this patch, this is no longer the case, and now
+ it's the user's responsibility to enable `-nghttp3`/`-ngtcp2` only
+ together with a compatible TLS backend.
+
+ When using a TLS backend other than OpenSSL, the TLS-specific ngtcp2
+ library must be configured manually, e.g.:
+ `export CURL_LDFLAG_EXTRAS=-lngtcp2_crypto_wolfssl`
+
+ (or via `NGTCP2_LIBS`)
+
+ Closes #9314
+
+Stefan Eissing (15 Aug 2022)
+
+- quic: add support via wolfSSL
+
+ - based on ngtcp2 PR https://github.com/ngtcp2/ngtcp2/pull/505
+ - configure adapted to build against ngtcp2 wolfssl crypto lib
+ - quic code added for creation of WOLFSSL* instances
+
+ Closes #9290
+
+David Carlier (14 Aug 2022)
+
+- memdebug: add annotation attributes
+
+ memory debug tracking annotates whether the returned pointer does not
+ `alias`, hints where the size required is, for Windows to be better
+ debugged via Visual Studio.
+
+ Closes https://github.com/curl/curl/pull/9306
+
+Daniel Stenberg (14 Aug 2022)
+
+- GHA: move libressl CI from zuul to GitHub
+
+ Closes #9309
+
+- KNOWN_BUGS: FTPS directory listing hangs on Windows with Schannel
+
+ Closes #9161
+
+- KNOWN_BUGS: CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel
+
+ Closes #8741
+
+- KNOWN_BUGS: libssh blocking and infinite loop problem
+
+ Closes #8632
+
+- RELEASE-NOTES: synced
+
+- msh3: fix the QUIC disconnect function
+
+ And free request related memory better in 'done'. Fixes a memory-leak.
+
+ Reported-by: Gisle Vanem
+ Fixes #8915
+ Closes #9304
+
+- connect: close the happy eyeballs loser connection when using QUIC
+
+ Reviewed-by: Nick Banks
+
+ Closes #9303
+
+Emil Engler (12 Aug 2022)
+
+- refactor: split resolve_server() into functions
+
+ This commit splits the branch-heavy resolve_server() function into
+ various sub-functions, in order to reduce the amount of nested
+ if/else-statements.
+
+ Beside this, it also removes many else-sequences, by returning in the
+ previous if-statement.
+
+ Closes #9283
+
+Daniel Stenberg (12 Aug 2022)
+
+- schannel: re-indent to use curl style better
+
+ Only white space changes
+
+ Closes #9301
+
+Emanuele Torre (12 Aug 2022)
+
+- docs/cmdline-opts: fix example and categories for --form-escape
+
+ The example was missing a "--form" argument
+ I also replaced "--form" with "-F" to shorten the line a bit since it
+ was already very long.
+
+ And I also moved --form-escape from the "post" category to the "upload"
+ category (this is what I originally wanted to fix, before also noticing
+ the mistake in the example).
+
+ Closes #9298
+
+Nick Banks (11 Aug 2022)
+
+- HTTP3.md: update to msh3 v0.4.0
+
+ Closes #9297
+
+Daniel Stenberg (11 Aug 2022)
+
+- hostip: resolve *.localhost to 127.0.0.1/::1
+
+ Following the footsteps of other clients like Firefox/Chrome. RFC 6761
+ says clients SHOULD do this.
+
+ Add test 389 to verify.
+
+ Reported-by: TheKnarf on github
+ Fixes #9192
+ Closes #9296
+
+Jay Satiro (11 Aug 2022)
+
+- KNOWN_BUGS: long paths are not fully supported on Windows
+
+ Bug: https://github.com/curl/curl/issues/8361
+ Reported-by: Gisle Vanem
+
+ Closes https://github.com/curl/curl/pull/9288
+
+Daniel Stenberg (11 Aug 2022)
+
+- config: remove the check for and use of SIZEOF_SHORT
+
+ shorts are 2 bytes on all platforms curl runs and have ever run on.
+
+ Closes #9291
+
+- configure: introduce CURL_SIZEOF
+
+ This is a rewrite of the previously used GPLv3+exception licensed
+ file. With this change, there is no more reference to GPL so we can
+ remove that from LICENSES/.
+
+ Ref: #9220
+ Closes #9291
+
+Sean McArthur (10 Aug 2022)
+
+- hyper: customize test1274 to how hyper unfolds headers
+
+ Closes #9217
+
+Orgad Shaneh (10 Aug 2022)
+
+- curl-config: quote directories with potential space
+
+ On Windows (at least with CMake), the default prefix is
+ C:/Program Files (x86)/CURL.
+
+ Closes #9253
+
+Oliver Roberts (10 Aug 2022)
+
+- amigaos: fix threaded resolver on AmigaOS 4.x
+
+ Replace ip4 resolution function on AmigaOS 4.x, as it requires runtime
+ feature detection and extra code to make it thread safe.
+
+ Closes #9265
+
+Emil Engler (10 Aug 2022)
+
+- imap: use ISALNUM() for alphanumeric checks
+
+ This commit replaces a self-made character check for alphanumeric
+ characters within imap_is_bchar() with the ISALNUM() macro, as it is
+ reduces the size of the code and makes the performance better, due to
+ ASCII arithmetic.
+
+ Closes #9289
+
+Daniel Stenberg (10 Aug 2022)
+
+- RELEASE-NOTES: synced
+
+Cering on github (10 Aug 2022)
+
+- connect: add quic connection information
+
+ Fixes #9286
+ Closes #9287
+
+Philip Heiduck (8 Aug 2022)
+
+- cirrus/freebsd-ci: bootstrap the pip installer
+
+ Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
+
+ Closes #9213
+
+Daniel Stenberg (8 Aug 2022)
+
+- urldata: move smaller fields down in connectdata struct
+
+ By (almost) sorting the struct fields in connectdata in a decending size
+ order, having the single char ones last, we reduce the number of holes
+ in the struct and thus the amount of storage needed.
+
+ Closes #9280
+
+- ldap: adapt to conn->port now being an 'int'
+
+ Remove typecasts. Fix printf() formats.
+
+ Follow-up from 764c6bd3bf.
+ Pointed out by Coverity CID 1507858.
+
+ Closes #9281
+
+- KNOWN_BUGS: Negotiate authentication against Hadoop HDFS
+
+ Closes #8264
+
+Oliver Roberts (8 Aug 2022)
+
+- file: add handling of native AmigaOS paths
+
+ On AmigaOS 4.x, handle native absolute paths, whilst blocking relative
+ paths. Also allow unix style paths if feature enabled at link time.
+
+ Inspiration-from: Michael Trebilcock
+
+ Closes #9259
+
+Daniel Stenberg (8 Aug 2022)
+
+- KNOWN_BUGS: cmake build is not thread-safe
+
+ The cmake build does not check for and verify presence of a working
+ Atomic type, which then makes curl_global_init() to not build
+ thread-safe on non-Windows platforms.
+
+ Closes https://github.com/curl/curl/issues/8973
+ Closes https://github.com/curl/curl/pull/8982
+
+Oliver Roberts (8 Aug 2022)
+
+- configure: fixup bsdsocket detection code for AmigaOS 4.x
+
+ The code that detects bsdsocket.library for AmigaOS did not work
+ for AmigaOS 4.x. This has been fixed and also cleaned up a little
+ to reduce duplication. Wasn't technically necessary before, but is
+ required when building with AmiSSL instead of OpenSSL.
+
+ Closes #9268
+
+- tool: reintroduce set file comment code for AmigaOS
+
+ Amiga specific code which put the URL in the file comment was perhaps
+ accidentally removed in b88940850002a3f1c25bc6488b95ad30eb80d696 having
+ originally been added in 5c215bdbdfde8b2350cdcbac82aae0c914da5314.
+ Reworked to fit the code changes and added it back in.
+
+ Reported-by: Michael Trebilcock
+ Originally-added-by: Chris Young
+
+ Closes #9258
+
+Daniel Stenberg (8 Aug 2022)
+
+- urldata: make 'negnpn' use less storage
+
+ The connectdata struct field 'negnpn' never holds a value larger than
+ 30, so an unsigned char saves 3 bytes struct space.
+
+ Closes #9279
+
+- urldata: make three *_proto struct fields smaller
+
+ Use 'unsigned char' for storage instead of the enum, for three GSSAPI
+ related fields in the connectdata struct.
+
+ Closes #9278
+
+- connect: set socktype/protocol correctly
+
+ So that an address used from the DNS cache that was previously used for
+ QUIC can be reused for TCP and vice versa.
+
+ To make this possible, set conn->transport to "unix" for unix domain
+ connections ... and store the transport struct field in an unsigned char
+ to use less space.
+
+ Reported-by: ウさん
+ Fixes #9274
+ Closes #9276
+
+Oliver Roberts (8 Aug 2022)
+
+- amissl: allow AmiSSL to be used with AmigaOS 4.x builds
+
+ Enable AmiSSL to be used instead of static OpenSSL link libraries.
+ for AmigaOS 4.x, as it already is in the AmigaOS 3.x build.
+
+ Closes #9269
+
+opensignature on github (8 Aug 2022)
+
+- openssl: add details to "unable to set client certificate" error
+
+ from: "curl: (58) unable to set client certificate"
+
+ to: curl: (58) unable to set client certificate [error:0A00018F:SSL
+ routines::ee key too small]
+
+ Closes #9228
+
+Oliver Roberts (8 Aug 2022)
+
+- amissl: make AmiSSL v5 a minimum requirement
+
+ AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0.
+ Support for previous OpenSSL 1.1.x versions has been dropped, so
+ makes sense to enforce v5 as the minimum requirement. This also
+ allows all the AmiSSL stub workarounds to be removed as they are
+ now provided in a link library in the AmiSSL SDK.
+
+ Closes #9267
+
+- configure: -pthread not available on AmigaOS 4.x
+
+ The most recent GCC builds for AmigaOS 4.x do not allow -pthread and
+ exit with an error. Instead, need to explictly specify -lpthread.
+
+ Closes #9266
+
+Daniel Stenberg (8 Aug 2022)
+
+- digest: pass over leading spaces in qop values
+
+ When parsing the "qop=" parameter of the digest authentication, and the
+ value is provided within quotes, the list of values can have leading
+ white space which the parser previously did not handle correctly.
+
+ Add test case 388 to verify.
+
+ Reported-by: vlubart on github
+ Fixes #9264
+ Closes #9270
+
+Evgeny Grin (Karlson2k) (7 Aug 2022)
+
+- digest: reject broken header with session protocol but without qop
+
+ Closes #9077
+
+Daniel Stenberg (7 Aug 2022)
+
+- CURLINFO_SPEED_UPLOAD/DOWNLOAD.3: fix examples
+
+ Reported-by: jvvprasad78 on github
+ Assisted-by: Jay Satiro
+ Fixes #9239
+ Closes #9241
+
+Fabian Keil (7 Aug 2022)
+
+- test44[2-4]: add '--resolve' to the keywords
+
+ ... so the tests can be automatically skipped when
+ using an external proxy like Privoxy.
+
+ Closes #9250
+
+Daniel Stenberg (7 Aug 2022)
+
+- RELEASE-NOTES: synced
+
+- CURLOPT_CONNECT_ONLY.3: clarify multi API use
+
+ Reported-by: Maxim Ivanov
+ Fixes #9244
+ Closes #9262
+
+Andrew Lambert (6 Aug 2022)
+
+- curl_easy_header: Add CURLH_PSEUDO to sanity check
+
+ Fixes #9235
+ Closes #9236
+
+Emil Engler (6 Aug 2022)
+
+- docs: add dns category to --resolve
+
+ This commit adds the dns category to the --resolve command line option,
+ because it can be interpreted as both: a low-level connection option and
+ an option related to the resolving of a hostname.
+
+ It is also not common for dns options to belong to the connection
+ category and vice versa. --ipv4 and --ipv6 are both good examples.
+
+ Closes #9229
+
+Wyatt O'Day (2 Aug 2022)
+
+- schannel: Add TLS 1.3 support
+
+ - Support TLS 1.3 as the default max TLS version for Windows Server 2022
+ and Windows 11.
+
+ - Support specifying TLS 1.3 ciphers via existing option
+ CURLOPT_TLS13_CIPHERS (tool: --tls13-ciphers).
+
+ Closes https://github.com/curl/curl/pull/8419
+
+Emil Engler (2 Aug 2022)
+
+- cmdline-opts/gen.pl: improve performance
+
+ On some systems, the gen.pl script takes nearly two minutes for the
+ generation of the main-page, which is a completely unacceptable time.
+
+ The slow performance has two causes:
+ 1. Use of a regex locale operator
+ 2. Useless invokations of loops
+
+ The commit addresses the first issue by replacing the "\W" wiht
+ [^a-zA-Z0-9_], which is, according to regex101.com, functionally
+ equivalent to the previous operation, except that it is obviously
+ limited to ASCII only, which is fine, as the curl project is
+ English-only anyway.
+
+ The second issue is being addressed by only running the loop if the line
+ contains a "--" in it. The loop may be completeley removed in the
+ future.
+
+ Co-authored-by: Emanuele Torre <torreemanuele6@gmail.com>
+
+ See #8299
+ Fixes #9230
+ Closes #9232
+
+Daniel Stenberg (2 Aug 2022)
+
+- docs/cmdline: mark fail and fail-with-body as mutually exclusive
+
+ Reported-by: Andreas Sommer
+ Fixes #9221
+ Closes #9222
+
+Nao Yonashiro (2 Aug 2022)
+
+- quiche: fix build failure
+
+ Reviewed-by: Alessandro Ghedini
+ Closes #9223
+
+Viktor Szakats (2 Aug 2022)
+
+- configure.ac: drop references to deleted functions
+
+ follow-up from 4d73854462f30948acab12984b611e9e33ee41e6
+
+ Reported-by: Oliver Roberts
+ Fixes #9238
+ Closes #9240
+
+Sean McArthur (28 Jul 2022)
+
+- hyper: enable obs-folded multiline headers
+
+ Closes #9216
+
+Daniel Stenberg (28 Jul 2022)
+
+- connect: revert the use of IP*_RECVERR
+
+ The options were added in #6341 and d13179d, but cause problems: Lots of
+ POLLIN event occurs but recvfrom read nothing.
+
+ Reported-by: Tatsuhiro Tsujikawa
+ Fixes #9209
+ Closes #9215
+
+Marco Kamner (27 Jul 2022)
+
+- docs: remove him/her/he/she from documentation
+
+ Closes #9208
+
+Daniel Stenberg (27 Jul 2022)
+
+- RELEASE-NOTES: synced
+
+- tool_getparam: make --doh-url "" switch it off
+
+ A possible future addition could be to parse the URL first too to verify
+ that it is valid before trying to use it.
+
+ Assisted-by: Jay Satiro
+ Closes #9207
+
+- mailmap: add rzrymiak on github
+
+Jay Satiro (26 Jul 2022)
+
+- ngtcp2: Fix build error due to change in nghttp3 prototypes
+
+ ngtcp2/nghttp3@4a066b2 changed nghttp3_conn_block_stream and
+ nghttp3_conn_shutdown_stream_write return from int to void.
+
+ Reported-by: jurisuk@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/9204
+ Closes https://github.com/curl/curl/pull/9200
+
+rzrymiak on github (26 Jul 2022)
+
+- BUGS.md: improve language
+
+ Closes #9205
+
+Philip Heiduck (26 Jul 2022)
+
+- cirrus.yml: replace py38-pip with py39-pip
+
+ Reported-by: Jay Satiro
+ Fixes #9201
+ Closes #9202
+
+Daniel Stenberg (25 Jul 2022)
+
+- tool_getparam: fix cleanarg() for unicode builds
+
+ Use the correct type, and make cleanarg an empty macro if the cleaning
+ ability is absent.
+
+ Fixes #9195
+ Closes #9196
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+
+Marc Hoersken (25 Jul 2022)
+
+- test3026: add support for Windows using native Win32 threads
+
+ Reviewed-by: Viktor Szakats
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+
+ Follow up to 7ade9c50b35d95d47a43880c3097bebab7a7e690
+ Closes #9012
+
+Evgeny Grin (Karlson2k) (25 Jul 2022)
+
+- digest: fix memory leak, fix not quoted 'opaque'
+
+ Fix leak regression introduced by 3a6fe0c.
+
+ Closes https://github.com/curl/curl/pull/9199
+
+Daniel Stenberg (23 Jul 2022)
+
+- tests: several enumerated type cleanups
+
+ To please icc
+
+ Closes #9179
+
+- tool_paramhlp: fix "enumerated type mixed with another type"
+
+ Warning by icc
+
+ Closes #9179
+
+- tool_writeout: fix enumerated type mixed with another type
+
+ Closes #9179
+
+- tool_cfgable: make 'synthetic_error' a plain bool
+
+ The specific reason was not used.
+
+ Closes #9179
+
+- tool_paramhlp: make check_protocol return ParameterError
+
+ "enumerated type mixed with another type"
+
+ Closes #9179
+
+- tool_formparse: fix variable may be used before its value is set
+
+ Warning by icc
+
+ Closes #9179
+
+- sendf: skip storing HTTP headers if HTTP disabled
+
+ Closes #9179
+
+- url: enumerated type mixed with another type
+
+ Follow-up to 1c58e7ae99ce2030213f28b
+
+ Closes #9179
+
+- urldata: change second proxytype field to unsigned char to match
+
+ To avoid "enumerated type mixed with another type"
+
+ Closes #9179
+
+- http: typecast the httpreq assignment to avoid icc compiler warning
+
+ error #188: enumerated type mixed with another type
+
+ Closes #9179
+
+- urldata: make state.httpreq an unsigned char
+
+ To match set.method used for the same purpose.
+
+ Closes #9179
+
+- splay: avoid using -1 in unsigned variable
+
+ To fix icc compiler warning integer conversion resulted in a change of sign
+
+ Closes #9179
+
+- sendf: store the header type in an usigned char to avoid icc warnings
+
+ Closes #9179
+
+- multi: fix the return code from Curl_pgrsDone()
+
+ It does not return a CURLcode. Detected by the icc compiler warning
+ "enumerated type mixed with another type"
+
+ Closes #9179
+
+- sendf: make Curl_debug a void function
+
+ As virtually no called checked the return code, and those that did
+ wrongly treated it as a CURLcode. Detected by the icc compiler warning:
+ enumerated type mixed with another type
+
+ Closes #9179
+
+- http_chunks: remove an assign + typecast
+
+ As it caused icc to complain: "pointer cast involving 64-bit pointed-to
+ type"
+
+ Closes #9179
+
+- vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
+
+ To fix the icc warning enumerated type mixed with another type
+
+ Closes #9179
+
+- curl-compilers.m4: make icc use -diag* options and disable two warnings
+
+ -wd and -we are deprecated and are now -diag-disable and -diag-error
+
+ Disable warning 1024 and 2259
+
+ Closes #9179
+
+Matthew Thompson (23 Jul 2022)
+
+- GHA: add two Intel compiler CI jobs
+
+ Closes #9179
+
+Daniel Katz (21 Jul 2022)
+
+- curl-functions.m4: check whether atomics can link rather than just compile
+
+ Some build toolchains support C11 atomics (i.e., _Atomic types), but
+ will not link the associated atomics runtime unless a flag is passed. In
+ such an environment, linking an application with libcurl.a can fail due
+ to undefined symbols for atomic load/store functions.
+
+ I encountered this behavior when upgrading curl to 7.84.0 and attempting
+ to build with Solaris Studio 12.6. Solaris provides the flag
+ -xatomic=[gcc | studio], allowing users to link to one of two atomics
+ runtime implementations. However, if the user does not provide this
+ flag, then neither runtime is linked. This led to builds failing in CI.
+
+ Closes #9190
+
+Rosen Penev (20 Jul 2022)
+
+- curl-wolfssl.m4: add options header when building test code
+
+ Needed for certain configurations of wolfSSL. Otherwise, missing header
+ error may occur.
+
+ Tested with OpenWrt.
+
+ Closes #9187
+
+Daniel Stenberg (20 Jul 2022)
+
+- ftp: use a correct expire ID for timer expiry
+
+ This was an accurate error pointed out by the icc warning: enumerated
+ type mixed with another type
+
+ Ref: #9179
+ Closes #9184
+
+- sendf: fix paused header writes since after the header API
+
+ Regression since d1e4a67
+
+ Reported-by: Sergey Ogryzkov
+ Fixes #9180
+ Closes #9182
+
+- mprintf: fix *dyn_vprintf() when out-of-memory
+
+ Follow-up to 0e48ac1f99a. Torture-testing 1455 would lead to a memory
+ leak otherwise.
+
+ Closes #9185
+
+- curl-confopts: remove leftover AC_REQUIREs
+
+ configure.ac:3488: warning: CURL_CHECK_FUNC_IOCTL is m4_require'd but not m4_
+ defun'd
+ configure.ac:3488: warning: CURL_CHECK_FUNC_SETSOCKOPT is m4_require'd but no
+ t m4_defun'd
+
+ follow-up from 4d73854462f30
+
+ Closes #9183
+
+- file: fix icc enumerated type mixed with another type warning
+
+ Ref: #9179
+ Closes #9181
+
+Viktor Szakats (19 Jul 2022)
+
+- tidy-up: delete unused build configuration macros
+
+ Most of them feature guards:
+
+ - `CURL_INCLUDES_SYS_UIO` [1]
+ - `HAVE_ALLOCA_H` [2]
+ - `HAVE_CRYPTO_CLEANUP_ALL_EX_DATA` (unused since de71e68000c8624ea13f90b136f
+ 8734dd0fb1bdc)
+ - `HAVE_DLFCN_H`
+ - `HAVE_DLOPEN`
+ - `HAVE_DOPRNT`
+ - `HAVE_FCNTL`
+ - `HAVE_GETHOSTBYNAME` [3]
+ - `HAVE_GETOPT_H`
+ - `HAVE_GETPASS`
+ - `HAVE_GETPROTOBYNAME`
+ - `HAVE_GETSERVBYNAME`
+ - `HAVE_IDN_FREE*`
+ - `HAVE_INET_ADDR`
+ - `HAVE_IOCTL`
+ - `HAVE_KRB4`
+ - `HAVE_KRB_GET_OUR_IP_FOR_REALM`
+ - `HAVE_KRB_H`
+ - `HAVE_LDAPSSL_H`
+ - `HAVE_LDAP_INIT_FD`
+ - `HAVE_LIBDL`
+ - `HAVE_LIBNSL`
+ - `HAVE_LIBRESOLV*`
+ - `HAVE_LIBUCB`
+ - `HAVE_LL`
+ - `HAVE_LOCALTIME_R`
+ - `HAVE_MALLOC_H`
+ - `HAVE_MEMCPY`
+ - `HAVE_MEMORY_H`
+ - `HAVE_NETINET_IF_ETHER_H`
+ - `HAVE_NI_WITHSCOPEID`
+ - `HAVE_OPENSSL_CRYPTO_H`
+ - `HAVE_OPENSSL_ERR_H`
+ - `HAVE_OPENSSL_PEM_H`
+ - `HAVE_OPENSSL_PKCS12_H`
+ - `HAVE_OPENSSL_RAND_H`
+ - `HAVE_OPENSSL_RSA_H`
+ - `HAVE_OPENSSL_SSL_H`
+ - `HAVE_OPENSSL_X509_H`
+ - `HAVE_PEM_H`
+ - `HAVE_POLL`
+ - `HAVE_RAND_SCREEN`
+ - `HAVE_RAND_STATUS`
+ - `HAVE_RECVFROM`
+ - `HAVE_SETSOCKOPT`
+ - `HAVE_SETVBUF`
+ - `HAVE_SIZEOF_LONG_DOUBLE`
+ - `HAVE_SOCKIO_H`
+ - `HAVE_SOCK_OPTS`
+ - `HAVE_STDIO_H`
+ - `HAVE_STRCASESTR`
+ - `HAVE_STRFTIME`
+ - `HAVE_STRLCAT`
+ - `HAVE_STRNCMPI`
+ - `HAVE_STRNICMP`
+ - `HAVE_STRSTR`
+ - `HAVE_STRUCT_IN6_ADDR`
+ - `HAVE_TLD_H`
+ - `HAVE_TLD_STRERROR`
+ - `HAVE_UNAME`
+ - `HAVE_USLEEP`
+ - `HAVE_WINBER_H`
+ - `HAVE_WRITEV`
+ - `HAVE_X509_H`
+ - `LT_OBJDIR`
+ - `NEED_BASENAME_PROTO`
+ - `NOT_NEED_LIBNSL`
+ - `OPENSSL_NO_KRB5`
+ - `RECVFROM_TYPE*`
+ - `SIZEOF_LONG_DOUBLE`
+ - `STRERROR_R_TYPE_ARG3`
+ - `USE_YASSLEMUL`
+ - `_USRDLL` (from CMake) [4]
+
+ [1] Related parts in `m4/curl-functions.m4` and `configure.ac` might
+ also be deleted.
+
+ [2] Related comment can possibly be deleted in
+ `packages/vms/generate_config_vms_h_curl.com`.
+
+ [3] There are more instances of this in autotools, but I did not dare to
+ touch those. Looked like it's used to detect socket support.
+
+ [4] This is necessary for MFC (Microsoft Foundation Class) DLLs to
+ force linking MFC components statically to the DLL. `libcurl.dll`
+ does not use MFC, so we can delete this define.
+ Ref: https://docs.microsoft.com/cpp/build/regular-dlls-statically-linked-
+ to-mfc
+
+ Script that can help finding unused settings like above:
+ ```shell
+
+ autoheader configure.ac # generate lib/curl_config.h.in
+
+ {
+ grep -o -E 'set\([A-Z][A-Z0-9_]{3,}' CMake/Platforms/WindowsCac
+ he.cmake | sed -E 's|set\(||g'
+ grep -o -E -h '#define +[A-Z][A-Z0-9_]{3,}' lib/config-*.h
+ | sed -E 's|#define +||g'
+ grep -o -E '#cmakedefine +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.cmake
+ | sed -E 's|#cmakedefine +||g'
+ grep -o -E '#undef +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.in
+ | sed -E 's|#undef +||g'
+ } | sort -u | grep -v -F 'HEADER_CURL_' | while read -r def; do
+ c="$(git grep -w -F "${def}" | grep -v -E -c '(/libcurl\.tmpl|^lib/config-|
+ ^lib/curl_config\.h\.cmake|^CMakeLists\.txt|^CMake/Platforms/WindowsCache\.cm
+ ake|^packages/vms/config_h\.com|^m4/curl-functions\.m4|^acinclude\.m4|^config
+ ure\.ac)')"
+ if [ "${c}" = '0' ]; then
+ echo "${def}"
+ fi
+ done
+ ```
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9044
+
+Daniel Stenberg (19 Jul 2022)
+
+- RELEASE-NOTES: synced
+
+- cookie: treat a blank domain in Set-Cookie: as non-existing
+
+ This matches what RFC 6265 section 5.2.3 says.
+
+ Extended test 31 to verify.
+
+ Fixes #9164
+ Reported-by: Gwen Shapira
+ Closes #9177
+
+Patrick Monnerat (19 Jul 2022)
+
+- base64: base64url encoding has no padding
+
+ See RFC4648 section 5 and RFC7540 section 3.2.1.
+
+ Suppress generation of '=' padding of base64url encoding. This is
+ accomplished by considering the string beginning at offset 64 in the
+ character table as the padding: this is "=" for base64, "" for base64url.
+
+ Also use strchr() to replace character search loops where possible.
+
+ Suppress erroneous comments about empty encoding results.
+
+ Adjust unit test 1302 to unpadded base64url encoding and add tests for
+ empty results.
+
+ Closes #9139
+
+Daniel Stenberg (19 Jul 2022)
+
+- easyoptions: fix icc warning
+
+ easyoptions.c(360): error #188: enumerated type mixed with another type
+
+ Ref: #9156
+ Reported-by: Matthew Thompson
+ Closes #9176
+
+lwthiker (19 Jul 2022)
+
+- h2h3: fix overriding the 'TE: Trailers' header
+
+ A 'TE: Trailers' header is explicitly replaced by 'te: trailers'
+ (lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or
+ HTTP/3 headers. However, this is then replaced again by the original
+ value due to a bug, resulting in the uppercased version being sent. Some
+ HTTP/2 servers reject the whole HTTP/2 stream when this is the case.
+
+ Closes #9170
+
+Daniel Stenberg (18 Jul 2022)
+
+- lib3026: reduce the number of threads to 100
+
+ Down from 1000, to make it run and work in more systems.
+
+ Fixes #9172
+ Reported-by: Érico Nogueira Rolim
+ Closes #9173
+
+- doh: move doh related struct definitions to doh.h
+
+ and make 'dnstype' in 'struct dnsprobe' use the DNStype to fix the icc compil
+ er warning:
+
+ doh.c(924): error #188: enumerated type mixed with another type
+
+ Reported-by: Matthew Thompson
+ Ref #9156
+ Closes #9174
+
+Viktor Szakats (17 Jul 2022)
+
+- Makefile.m32: stop trying to build libcares.a [ci skip]
+
+ Before this patch, `lib/Makefile.m32` had a rule to build `libcares.a` in
+ `-cares`-enabled builds, via c-ares's own `Makefile.m32`. Committed in
+ 2007 [1]. The commit message doesn't specifically address this particular
+ change. This logic comes from the times when c-ares was part of the curl
+ source tree, hence the special treatment.
+
+ This feature creates problems when building c-ares first, using CMake
+ and pointing `LIBCARES_PATH` to its install prefix, where `Makefile.m32`
+ is missing in such case. A sub-build for c-ares is undesired also when
+ c-ares had already been build via its own `Makefile.m32`.
+
+ To avoid the sub-build, this patch deletes its Makefile rule. After this
+ patch `libcares.a` needs to be manually built before using it in
+ `Makefile.m32`. Aligning it with the rest of dependencies.
+
+ [1] 46c92c0b806da041d7a5c6fb64dbcdc474d99b31
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9169
+
+Daniel Stenberg (17 Jul 2022)
+
+- curl: writeout: fix repeated header outputs
+
+ The function stored a terminating zero into the buffer for convenience,
+ but when on repeated calls that would cause problems. Starting now, the
+ passed in buffer is not modified.
+
+ Reported-by: highmtworks on github
+ Fixes #9150
+ Closes #9152
+
+- curl_multi_timeout.3: clarify usage
+
+ Fixes #9155
+ Closes #9157
+ Reported-by: jvvprasad78 on github
+
+- mprintf: make dprintf_formatf never return negative
+
+ This function no longer returns a negative value if the formatting
+ string is bad since the return value would sometimes be propagated as a
+ return code from the mprintf* functions and they are documented to
+ return the length of the output. Which cannot be negative.
+
+ Fixes #9149
+ Closes #9151
+ Reported-by: yiyuaner on github
+
+Viktor Szakats (17 Jul 2022)
+
+- trace: 0x7F character is non-printable
+
+ `0x7F` is `DEL`, a non-printable symbol, so print it as
+ `UNPRINTABLE_CHAR`.
+
+ Reported-by: MasterInQuestion on github
+ Fixes #9162
+ Closes #9166
+
+- doh: use https protocol by default
+
+ The only allowed protocol is https, so it makes sense to use that
+ by default if not passed explicitly by the user.
+
+ Reported-by: MasterInQuestion on github
+ Reviewed-by: Jay Satiro
+ Fixes #9163
+ Closes #9165
+
+- openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
+
+ Same issue as here [1], but this time when building curl with BoringSSL
+ for Windows with LDAP(S) or Schannel support enabled.
+
+ Apply the same fix [2] for these source files as well.
+
+ This can also be fixed by moving `#include "urldata.h"` _before_
+ including `winldap.h` and `schnlsp.h` respectively. This seems like
+ a cleaner fix, though I'm not sure why it works and if it has any
+ downside.
+
+ [1] https://github.com/curl/curl/issues/5669
+ [2] https://github.com/curl/curl/commit/fbe07c6829ba8c5793c84c2856526e19e9029
+ ab9
+
+ Co-authored-by: Jay Satiro
+ Closes #9110
+
+Daniel Stenberg (13 Jul 2022)
+
+- asyn-thread: make getaddrinfo_complete return CURLcode
+
+ ... as the only caller that cares about what it returns assumes that
+ anyway. This caused icc to warn:
+
+ asyn-thread.c(505): error #188: enumerated type mixed with another type
+ result = getaddrinfo_complete(data);
+
+ Repoorted-by: Matthew Thompson
+ Bug: https://github.com/curl/curl/issues/9081#issuecomment-1182143076
+ Closes #9146
+
+- easy_lock: fix build with icc
+
+ The Intel compiler tries to look like GCC *and* clang *and* it lies in
+ its __has_builtin() function (returns true when it should return false),
+ so override it.
+
+ Reported-by: Matthew Thompson
+ Fixes #9081
+ Closes #9144
+
+- configure: fix --disable-headers-api
+
+ Reported-by: Michał Antoniak
+ Fixes #9134
+ Closes #9143
+
+- test3026: require 'threadsafe'
+
+ Reported-by: Sukanya Hanumanthu
+ Fixes #9141
+ Closes #9142
+
+Even Rouault (12 Jul 2022)
+
+- CMake: link curl to its dependencies with PRIVATE
+
+ The current PUBLIC visibility causes issues for downstream users.
+ Cf https://github.com/OSGeo/PROJ/pull/3172#issuecomment-1157942986
+
+ Reviewed-by: Jakub Zakrzewski
+ Closes #9125
+
+- CMake: remove APPEND in export(TARGETS)
+
+ When running cmake several times, new content was appended to already
+ existing generated files, which is not appropriate
+
+ Reviewed-by: Jakub Zakrzewski
+ Closes #9124
+
+Tatsuhiro Tsujikawa (12 Jul 2022)
+
+- ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
+
+ Closes #9135
+
+Daniel Stenberg (11 Jul 2022)
+
+- RELEASE-NOTES: synced
+
+Viktor Szakats (11 Jul 2022)
+
+- build: improve OS string in CMake and `config-win32.h`
+
+ This patch makes CMake fill the "OS string" with the value of
+ `CMAKE_C_COMPILER_TARGET`, if passed. This typically contains a triplet,
+ the same we can pass to `./configure` via `--host=`.
+
+ For non-CMake, non-autotools, Windows builds, this patch adds the ability
+ to override the default `OS` value in `lib/config-win32.h`.
+
+ With these its possible to get the same OS string across the three build
+ systems.
+
+ This patch supersedes the earlier, partial, CMake-only solution:
+ 435f395f3f8c11eebfcc243ca55ebcc11a19b8b8, thus retiring the
+ `CURL_OS_SUFFIX` CMake option.
+
+ Reviewed-by: Jay Satiro
+ Closes #9117
+
+- Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip]
+
+ They allow to override the hardcoded values for the `windres` and `strip`
+ tools, complementing the existing set of `CURL_{CC,AR,RANLIB}` variables.
+
+ `CURL_RC` comes handy when using LLVM tools with `CROSSPREFIX=llvm-` and
+ `CURL_CC=clang` set on current latest debian:unstable or earlier, where
+ `llvm-windres` is missing, and a `CURL_RC=<triplet>-windres` fixes it.
+ Hopefully this will be fixed in the llvm package. FWIW `llvm-windres`
+ does exist in Homebrew llvm, MSYS2 llvm and llvm-mingw.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9132
+
+Tatsuhiro Tsujikawa (10 Jul 2022)
+
+- ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
+
+ Fixes #9122
+ Closes #9123
+
+Xiaoke Wang (10 Jul 2022)
+
+- tool_operate: better cleanup of easy handle in exit path
+
+ Closes #9114
+
+- getinfo: return better error on NULL as first argument
+
+ Closes #9114
+
+Daniel Stenberg (10 Jul 2022)
+
+- tool_getparam: repair cleanarg
+
+ Regression since 9e5669f.
+
+ Make sure the "cleaning" of command line arguments is done on the
+ original argv[] pointers. As a bonus, it also exits better on out of
+ memory error.
+
+ Reported-by: Litter White
+ Fixes #9128
+ Closes #9130
+
+Jay Satiro (10 Jul 2022)
+
+- docs: explain curl_easy_escape/unescape curl handle is ignored
+
+ 26101421 (precedes 7.82.0) removed character conversion support used by
+ very old legacy operating systems and since then the curl handle passed
+ to curl_easy_escape/unescape is always ignored.
+
+ Bug: https://github.com/curl/curl/discussions/9115
+ Reported-by: Ted Lyngmo
+
+ Closes https://github.com/curl/curl/pull/9121
+
+Viktor Szakats (8 Jul 2022)
+
+- openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL
+
+ BoringSSL doesn't keep a version number, and doesn't self-identify itself
+ via any other revision number via its own headers. We can identify
+ BoringSSL revisions by their commit hash. This hash is typically known by
+ the builder. This patch adds a way to pass this hash to libcurl, so that
+ it can display in the curl version string:
+
+ For example:
+
+ `CFLAGS=-DCURL_BORINGSSL_VERSION="c239ffd0"`
+
+ ```
+ curl 7.84.0 (x86_64-w64-mingw32) libcurl/7.84.0 BoringSSL/c239ffd0 (Schannel)
+ zlib/1.2.12 [...]
+ Release-Date: 2022-06-27
+ Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps
+ mqtt pop3 [...]
+ Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv
+ 6 Kerberos [...]
+ ```
+
+ The setting is optional, and if not passed, BoringSSL will appear without
+ a version number, like before this patch.
+
+ Closes #9113
+
+Jay Satiro (8 Jul 2022)
+
+- escape: remove outdated comment
+
+ Bug: https://github.com/curl/curl/discussions/9115
+ Reported-by: Ted Lyngmo
+
+Tatsuhiro Tsujikawa (8 Jul 2022)
+
+- ngtcp2: Fix missing initialization of nghttp3_nv.flags
+
+ Closes https://github.com/curl/curl/pull/9118
+
+Brad Forschinger (6 Jul 2022)
+
+- netrc.d: remove spurious quote
+
+ Closes #9111
+
+Viktor Szakats (6 Jul 2022)
+
+- Makefile.m32: add `NGTCP2_LIBS` option [ci skip]
+
+ Makefile.m32's ngtcp2 has its two libs hardwired for OpenSSL.
+ Add `NGTCP2_LIBS` envvar to override them with a custom list,
+ making it possible to use BoringSSL, or any other backend.
+
+ Closes #9109
+
+Evgeny Grin (Karlson2k) (6 Jul 2022)
+
+- digest: fix missing increment of 'nc' value for auth-int
+
+ - Increment nc regardless of qop type.
+
+ Prior to this change nc was only incremented for qop type auth even
+ though libcurl sends nc with any qop.
+
+ Closes https://github.com/curl/curl/pull/9090
+
+Daniel Stenberg (5 Jul 2022)
+
+- RELEASE-NOTES: synced
+
+ Bumped to 7.85.0
+
+- urldata: reduce size of four ftp related members
+
+ ftp_filemethod, ftpsslauth and ftp_ccc are now uchars
+
+ accepttimeout is now unsigned int - almost 50 days ought to be enough
+ for this value.
+
+ Closes #9106
+
+- urldata: reduce three type-members from int to uchar
+
+ - timecondition
+ - proxytype
+ - method
+
+ ... previously used their enum type in the struct, which made them
+ unnecesarily large.
+
+ Closes #9105
+
+- CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name
+
+ Starting now, CURLOPT_FTP_RESPONSE_TIMEOUT is the alias instead of the
+ other way around.
+
+ Since 7.20.0, CURLOPT_SERVER_RESPONSE_TIMEOUT has existed as an alias
+ but since the option is for more protocols than FTP the more "correct"
+ version of the option is the "server" one so now we switch.
+
+ Closes #9104
+
+- urldata: make 'ftp_create_missing_dirs' a uchar
+
+ It only ever holds the values 0-2.
+
+ Closes #9103
+
+Don J Olmstead (5 Jul 2022)
+
+- cmake: support ngtcp2 boringssl backend
+
+ Update the ngtcp2 find module to detect the boringssl backend. Determine
+ if the underlying OpenSSL implementation is BoringSSL and if so use that
+ as the ngtcp2 backend.
+
+ Reviewed-by: Jakub Zakrzewski
+ Closes #9065
+
+Daniel Stenberg (5 Jul 2022)
+
+- urldata: change 4 timeouts to unsigned int from long
+
+ They're not used for that long times anyway, 32 bit milliseconds is long
+ enough.
+
+ Closes #9101
+
+- urldata: make 'use_netrc' a uchar
+
+ Closes #9102
+
+- urldata: make 'buffer_size' an unsigned int
+
+ It is already capped at READBUFFER_MAX which fits easily in 32 bits.
+
+ Closes #9098
+
+- urldata: remove the unused 'rtspversion' struct member
+
+ Closes #9100
+
+- urldata: make 'use_port' an usigned short
+
+ ... instead of a long. It is already enforced to not attempt to set any
+ value outside of 16 bits unsigned.
+
+ Closes #9099
+
+- urldata: store dns cache timeout in an int
+
+ 68 years ought to be enough for most.
+
+ Closes #9097
+
+- curl: proto2num: make sure obuf is inited
+
+ Detected by Coverity. CID 1507052.
+
+ Closes #9096
+
+- cookie: use %zu to infof() for size_t values
+
+ Detected by Coverity. CID 1507051
+ Closes #9095
+
+Viktor Szakats (4 Jul 2022)
+
+- makefile.m32: add support for custom ARCH [ci skip]
+
+ When building curl for target platform other than x64 and x86, it is now
+ possible to pass `ARCH=custom`, that will omit all hardcoded logic for
+ setting up CFLAGS/LDFLAGS/RCFLAGS for these platforms, and let these be
+ customized via `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, and a newly
+ added one for the resource compiler: `CURL_RCFLAG_EXTRAS`.
+
+ This makes it possible to use `makefile.m32` to build for ARM64 for
+ example.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9092
+
+- cmake: do not force Windows target versions
+
+ The goal of this patch is to avoid CMake forcing specific Windows
+ versions and rely on toolchain defaults or manual selection instead.
+ This gives back control to the user. This also brings CMake closer to
+ how autotools and `Makefile.m32` behaves in this regard.
+
+ - CMake had a setting `ENABLE_INET_PTON` defaulting to `ON`, which did
+ nothing else than fixing the Windows build target to Vista. This also
+ happened when the toolchain did not have Vista support (e.g. original
+ MinGW), breaking such builds.
+
+ In other environments it did not make a user-facing difference,
+ because libcurl has its own pton() implementation, so it works well
+ with or without Vista's inet_pton().
+
+ This patch drops this setting. inet_pton() is now used whenever
+ building for Vista or newer, either when requested manually or by
+ default with modern toolchains (e.g. mingw-w64). Older envs will fall
+ back to curl's pton().
+
+ Ref: https://github.com/curl/curl/pull/9027#issuecomment-1164157604
+ Ref: https://github.com/curl/curl/pull/8997#issuecomment-1164344155
+
+ - When the user did no select a Windows target version manually, stop
+ explicitly targeting Windows XP, and instead use the toolchain default.
+
+ This may pose an issue with old toolchains defaulting to pre-XP
+ targets. In such case you must manually target Windows XP via:
+ `-DCURL_TARGET_WINDOWS_VERSION=0x0501`
+ or
+ `-DCMAKE_C_FLAGS=-D_WIN32_WINNT=0x0501`
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+ Closes #9046
+
+- windows: improve random source
+
+ - Use the Windows API to seed the fallback random generator.
+
+ This ensures to always have a random seed, even when libcurl is built
+ with a vtls backend lacking a random generator API, such as rustls
+ (experimental), GSKit and certain mbedTLS builds, or, when libcurl is
+ built without a TLS backend. We reuse the Windows-specific random
+ function from the Schannel backend.
+
+ - Implement support for `BCryptGenRandom()` [1] on Windows, as a
+ replacement for the deprecated `CryptGenRandom()` [2] function.
+
+ It is used as the secure random generator for Schannel, and also to
+ provide entropy for libcurl's fallback random generator. The new
+ function is supported on Vista and newer via its `bcrypt.dll`. It is
+ used automatically when building for supported versions. It also works
+ in UWP apps (the old function did not).
+
+ - Clear entropy buffer before calling the Windows random generator.
+
+ This avoids using arbitrary application memory as entropy (with
+ `CryptGenRandom()`) and makes sure to return in a predictable state
+ when an API call fails.
+
+ [1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenra
+ ndom
+ [2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptge
+ nrandom
+
+ Closes #9027
+
+Daniel Stenberg (4 Jul 2022)
+
+- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
+
+ ... as replacements for deprecated CURLOPT_PROTOCOLS and
+ CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the
+ 32 bit limit the old ones are facing.
+
+ CURLINFO_PROTCOOL is now deprecated.
+
+ The curl tool is updated to use the new options.
+
+ Added test 1597 to verify the libcurl protocol parser.
+
+ Closes #8992
+
+- digest: simplify a switch() to a simple if
+
+- digest: provide a special bit for "sess" algos
+
+ Also shortened the names and moved them to the .c file since they are
+ private for this source file only. Also made them #defines instead of
+ enum.
+
+ Closes #9079
+
+Thomas Weißschuh (4 Jul 2022)
+
+- select: do not return fatal error on EINTR from poll()
+
+ The same was done for select() in 5912da25 but poll() was missed.
+
+ Bug: https://bugs.archlinux.org/task/75201
+ Reported-by: Alexandre Bury (gyscos at archlinux)
+
+ Ref: https://github.com/curl/curl/issues/8921
+ Ref: https://github.com/curl/curl/pull/8961
+ Ref: https://github.com/curl/curl/commit/5912da25#r77584294
+
+ Closes https://github.com/curl/curl/pull/9091
+
+Kai Pastor (3 Jul 2022)
+
+- cmake: fix build for mingw cross compile
+
+ - Change normaliz lib name to all lowercase.
+
+ This is from a standing patch in vcpkg:
+ Mingw has libnormaliz.a. For case-sensitive file systems (e.g. cross
+ builds from Linux), the spelling must match exactly.
+
+ Closes https://github.com/curl/curl/pull/9084
+
+Jay Satiro (2 Jul 2022)
+
+- easy_lock: fix build for mingw
+
+ - Define SRWLOCK symbols missing in some mingw environments.
+
+ Closes https://github.com/curl/curl/pull/8997
+
+Daniel Stenberg (2 Jul 2022)
+
+- tool_progress: avoid division by zero in parallel progress meter
+
+ Reported-by: Brian Carpenter
+ Fixes #9082
+ Closes #9083
+
+- http_aws_sigv4.c: remove two unusued includes
+
+ Closes #9080
+
+- .mailmap: additional edit
+
+ Follow-up to 861e2a8aca6c7 so that Evgeny appears with the same in git
+ logs even when using old email.
+
+- RELEASE-NOTES: synced
+
+ bumped to 7.84.1
+
+Evgeny Grin (Karlson2k) (1 Jul 2022)
+
+- .mailmap: updated
+
+- THANKS: merged two entries for Evgeny Grin
+
+ Also updated THANKS-filter file
+
+ Closes #9076
+
+Jilayne Lovejoy (1 Jul 2022)
+
+- lib/curl_path.c: add ISC to license expression
+
+ THe text of the ISC license is in this file, so the SPDX license
+ expression should be updated
+
+ Closes #9073
+
+Sean McArthur (30 Jun 2022)
+
+- hyper: use wakers for curl pause/resume
+
+ Closes #9070
+
+Viktor Szakats (30 Jun 2022)
+
+- Makefile.m32: do not set the libcurl.rc debug flag [ci skip]
+
+ Delete `-DDEBUGBUILD=0` windres option. This was likely meant to
+ disable VS_FF_DEBUG in FILEFLAGS, but any assigned value enabled
+ it instead. Delete this unnecessary option and thus sync up with
+ how CMake compiles libcurl.rc by default.
+
+ Reviewed-by: Jay Satiro
+ Closes #9069
+
+Daniel Stenberg (29 Jun 2022)
+
+- curl.h: CURLE_CONV_FAILED is obsoleted
+
+ The last use was removed in 7.82.0. Updated some docs too to reflect the
+ current error code situation.
+
+ Closes #9067
+
+- curl: output warning when a cookie is dropped due to size
+
+ Dropped from the request, that is.
+
+ Closes #9064
+
+- curl_mime_data.3: polish the wording
+
+ Closes #9063
+
+- configure: check for the stdatomic.h header in configure
+
+ ... and only set HAVE_ATOMIC if that header exists since we use
+ typedefes set in it.
+
+ Reported-by: Ryan Schmidt
+ Fixes #9059
+ Closes #9060
+
+- easy_lock: fix the #ifdef conditional for ia32_pause
+
+ To work better with new and old clang compilers.
+
+ Reported-by: Ryan Schmidt
+ Assisted-by: Joshua Root
+
+ Fixes #9058
+ Closes #9062
+
+- easy_lock: switch to using atomic_int instead of bool
+
+ To work with more compilers without requiring separate libs to
+ link. Like with gcc-12 for RISC-V on Linux.
+
+ Reported-by: Adam Sampson
+ Fixes #9055
+ Closes #9061
+
+vvb2060 (28 Jun 2022)
+
+- ngtcp2: fix incompatible function pointer types
+
+ Closes #9056
+
+- easy_lock.h: use __asm__ instead of asm to fix build
+
+ Closes #9056
+
+Samuel Henrique (27 Jun 2022)
+
+- libcurl-security.3: fix typo on macro "SH_"
+
+ During the packaging of the latest curl release for Debian, Lintian
+ warned me about a typo which causes the section name "Secrets in memory"
+ to not be rendered in the manpage due to "SH_" not being recognized as a
+ header.
+
+ Closes #9057
+
+Daniel Stenberg (27 Jun 2022)
+
+- easy_lock.h: include sched.h if available to fix build
+
+ Patched-by: Harry Sintonen
+
+ Closes #9054
+
+Version 7.84.0 (27 Jun 2022)
+
+Daniel Stenberg (27 Jun 2022)
+
+- RELEASE-NOTES: synced
+
+ Version 7.84.0 release
+
+- THANKS: contributors from 7.84.0 release notes
+
+- hsts: use Curl_fopen()
+
+- altsvc: use Curl_fopen()
+
+- fopen: add Curl_fopen() for better overwriting of files
+
+ Bug: https://curl.se/docs/CVE-2022-32207.html
+ CVE-2022-32207
+ Reported-by: Harry Sintonen
+ Closes #9050
+
+- test444: test many received Set-Cookie:
+
+ The amount of sent cookies in the test is limited to 80 because hyper
+ has its own strict limits in how many headers it allows to be received
+ which triggers at some point beyond this number.
+
+- test442/443: test cookie caps
+
+ 442 - verify that only 150 cookies are sent
+ 443 - verify that the cookie: header remains less than 8K in size
+
+- cookie: apply limits
+
+ - Send no more than 150 cookies per request
+ - Cap the max length used for a cookie: header to 8K
+ - Cap the max number of received Set-Cookie: headers to 50
+
+ Bug: https://curl.se/docs/CVE-2022-32205.html
+ CVE-2022-32205
+ Reported-by: Harry Sintonen
+ Closes #9048
+
+- test387: verify rejection of compression chain attack
+
+- content_encoding: return error on too many compression steps
+
+ The max allowed steps is arbitrarily set to 5.
+
+ Bug: https://curl.se/docs/CVE-2022-32206.html
+ CVE-2022-32206
+ Reported-by: Harry Sintonen
+ Closes #9049
+
+- krb5: return error properly on decode errors
+
+ Bug: https://curl.se/docs/CVE-2022-32208.html
+ CVE-2022-32208
+ Reported-by: Harry Sintonen
+ Closes #9051
+
+- easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro
+
+ clang 14 warns about its use. It is being deprecated by the working
+ group for the programming language C: "The macro ATOMIC_VAR_INIT is
+ basically useless for the purpose for which it was designed"
+
+ Ref: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2886.htm
+
+ Reported-by: Tatsuhiro Tsujikawa
+ Fixes #9041
+ Closes #9042
+
+Stefan Eissing (23 Jun 2022)
+
+- ngtcp2: avoid supplying 0 length `msg_control` to sendmsg()
+
+ Testing on macOS 12.4, sendmsg() fails with EINVAL when a msg_control
+ buffer is provided in sengmsg(), even though msg_controllen was set to
+ 0.
+
+ Initialize msg.msg_controllen just as needed and also perform the size
+ assertion only when needed.
+
+ Closes #9039
+
+Tom Eccles (23 Jun 2022)
+
+- ftp: restore protocol state after http proxy CONNECT
+
+ connect_init() (lib/http_proxy.c) swaps out the protocol state while
+ working on the proxy connection, this is then restored by
+ Curl_connect_done() after the connection completes.
+
+ ftp_do_more() extracted the protocol state pointer to a local variable
+ at the start of the function then calls Curl_proxy_connect(). If the proxy
+ connection completes, Curl_proxy_connect() will call Curl_connect_done()
+ (via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp
+ protocol state instead of the http proxy protocol state, but the local
+ variable in ftp_do_more still pointed to the old value.
+
+ Ultimately this meant that the state worked on by ftp_do_more() was the
+ http proxy state not the ftp state initialised by ftp_connect(), but
+ subsequent calls to any ftp_ function would use the original state.
+
+ For my use-case, the visible consequence was that ftp->downloadsize was
+ never set and so downloaded data was never returned to the application.
+
+ This commit updates the ftp protocol state pointer in ftp_do_more() after
+ Curl_proxy_connect() returns, ensuring that the correct state pointer is
+ used.
+
+ Fixes #8737
+ Closes #9043
+
+Jay Satiro (23 Jun 2022)
+
+- THANKS: add contributor missing from aea8ac1
+
+ aea8ac1 fixed #8980 which was reported by Sgharat on github, but that
+ info was not included in the commit message.
+
+- curl_setup: include _mingw.h
+
+ Prior to this change _mingw.h needed to be included in each unit before
+ evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It
+ is included only in some mingw headers (eg stdio.h) and not others
+ (eg windows.h) so it's better to explicitly include it once.
+
+ Closes https://github.com/curl/curl/pull/9036
+
+Viktor Szakats (22 Jun 2022)
+
+- rand: stop detecting /dev/urandom in cross-builds
+
+ - Prevent CMake to auto-detect /dev/urandom when cross-building.
+ Before this patch, it would detect it in a cross-build scenario on *nix
+ hosts with this device present. This was a problem for example with
+ Windows builds, but it could affect any target system with this device
+ missing. This also syncs detection behaviour with autotools, which also
+ skips it for cross-builds.
+ - Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's
+ fallback random number generator on Windows. Windows does not have the
+ concept of reading a random stream from a filename, nor any guaranteed
+ non-world-writable path on disk. With this, a manual misconfiguration or
+ an overeager auto-detection can no longer result in a user-controllable
+ seed source.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9038
+
+Emanuele Torre (22 Jun 2022)
+
+- ci: avoid `cmake -Hpath`
+
+ This is an undocumented option similar to the `-Spath' option introduced
+ in cmake 3.13.
+ Replace all instances of `-Hpath' with `-Spath' in macos workflow.
+ Replace `-H. -Bpath' with `mkdir path; cd ./path; cmake ..' in zuul
+ scripts since it runs an older version of cmake.
+
+ Fixes #9008
+ Closes #9014
+
+Daniel Stenberg (22 Jun 2022)
+
+- INTERNALS: bring back the "Library symbols" section
+
+ Most contents was moved, but this text should remain here.
+
+ Follow-up to: d324ac8
+ Reported-by: Viktor Szakats
+ Bug: https://github.com/curl/curl/pull/9027#discussion_r903382326
+ Closes #9037
+
+Viktor Szakats (22 Jun 2022)
+
+- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
+
+ Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows
+ XP when the `-ipv6` option is selected. Maybe this was added to support
+ pre-XP Windows versions (?). These days libcurl builds fine for both XP
+ and post-XP versions with IPv6 support enabled. The relevance of pre-XP
+ version is also low by now. Other build methods also do not impose such
+ limitation for a similar configuration. So, drop this hard-wired
+ `_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default
+ Windows version set by the compiler. This is Vista for recent MinGW
+ versions.
+
+ Old behaviour can be restored by setting this envvar:
+ export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501
+
+ [1] 98a61d8e2e8982786aaf3916cbbcac96838316e7
+
+ Closes #9035
+
+Daniel Stenberg (21 Jun 2022)
+
+- CONTRIBUTE: mention how we maintain REUSE compliance
+
+ for copyright and license information of all files stored in git
+
+ Closes #9032
+
+- CURLOPT_ALTSVC.3: document the file format
+
+ Closes #9033
+
+Jay Satiro (21 Jun 2022)
+
+- runtests: add "threadsafe" to detected features
+
+ Follow-up to recent commits which added thread-safety support.
+
+ Bug: https://github.com/curl/curl/pull/9012#discussion_r902018782
+ Reported-by: Marc Hörsken
+
+ Closes https://github.com/curl/curl/pull/9030
+
+Daniel Stenberg (20 Jun 2022)
+
+- easy: remove dead code
+
+ Follow-up from 5912da253b64d
+
+ Detected by Coverity (CID 1506519)
+
+ Closes #9029
+
+Glenn Strauss (20 Jun 2022)
+
+- transfer: upload performance; avoid tiny send
+
+ Append to the upload buffer when only small amount remains in buffer
+ rather than performing a separate tiny send to empty buffer.
+
+ Avoid degenerative upload behavior which might cause curl to send mostly
+ 1-byte DATA frames after exhausing the h2 send window size
+
+ Related discussion: https://github.com/nghttp2/nghttp2/issues/1722
+
+ Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+ Closes #8965
+
+Steve Holme (20 Jun 2022)
+
+- projects: fix third-party SSL library build paths for Visual Studio
+
+ The paths used by the build batch files were inconsistent with those in
+ the Visual Studio project files.
+
+ Closes #8991
+
+Pierrick Charron (20 Jun 2022)
+
+- urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
+
+ As per the documentation :
+
+ > Setting a part to a NULL pointer will effectively remove that
+ > part's contents from the CURLU handle.
+
+ But currently clearing CURLUPART_URL does nothing and returns
+ CURLUE_OK. This change will clear all parts of the URL at once.
+
+ Closes #9028
+
+Philip Heiduck (18 Jun 2022)
+
+- CI: bump FreeBSD 13.0 to 13.1
+
+ Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
+ Closes #8815
+
+Daniel Stenberg (18 Jun 2022)
+
+- RELEASE-NOTES: synced
+
+ and updated release date in RELEASE-PROCEDURE.md
+
+divinity76 (17 Jun 2022)
+
+- CURLOPT_HTTPHEADER.3: improve comment in example
+
+ Closes #9025
+
+Marc Hoersken (16 Jun 2022)
+
+- CI/azure: reduce flakiness by retrying install/prepare steps
+
+ Closes #9010
+
+- CI/cirrus: align Windows timeout with Azure CI at 120 minutes
+
+ Closes #9009
+
+Jay Satiro (16 Jun 2022)
+
+- vtls: make curl_global_sslset thread-safe
+
+ .. and update some docs to explain curl_global_* is now thread-safe.
+
+ Follow-up to 23af112 which made curl_global_init/cleanup thread-safe.
+
+ Closes https://github.com/curl/curl/pull/9016
+
+- curl_easy_pause.3: remove explanation of progress function
+
+ - Remove misleading text that says progress function "gets called at
+ least once per second, even if the connection is paused."
+
+ The progress function behavior is more nuanced and the user is better
+ served reading the progress function doc rather than attempt to explain
+ it in the curl_easy_pause doc.
+
+ The progress function can only be called at least once per second if an
+ appropriate multi transfer function is called (eg curl_multi_perform) in
+ that time. For a paused transfer there may not be such a call. Rather
+ than explain this in detail in the curl_easy_pause doc, rely on the user
+ reading the CURLOPT_PROGRESSFUNCTION doc.
+
+ Ref: https://github.com/curl/curl/issues/8983
+
+ Closes https://github.com/curl/curl/pull/9015
+
+Daniel Stenberg (15 Jun 2022)
+
+- libssh: skip the fake-close when libssh does the right thing
+
+ Starting in libssh 0.10.0 ssh_disconnect() will no longer close our
+ socket. Instead it will be kept alive as we want it, and it is our
+ responsibility to close it later.
+
+ Ref: #8718
+ Ref: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/240
+ Closes #9021
+
+- configure: warn about rustls being experimental
+
+ Right now a dozen test cases are disabled because they don't work with
+ rustls.
+
+ Closes #9019
+
+- runtests: skip starting the ssh server if user name is lacking
+
+ Because the ssh server startup script *requires* a user name there's no
+ point in invoking it if no name was found.
+
+ Reported-by: Ricardo M. Correia
+ Ref: #9007
+ Closes #9013
+
+- copyright.pl: parse and use .reuse/dep5 for skips
+
+ Also scan skipped files to be able to find superfluous ignores, shown with -v
+ .
+
+ Closes #9006
+
+- reuse/dep5: adjusted to parse better
+
+ ... adjusted a few files to contain copyright and license info.
+
+ Closes #9006
+
+- buildconf.bat: update copyright year range
+
+ Closes #9006
+
+- README.md: use the common "Copyright" style formatting
+
+ Closes #9006
+
+- reuse: move license info from .mailmap.license to .reuse/dep5
+
+ Closes #9006
+
+- README.md: add a REUSE badge
+
+ Closes #9004
+
+- .reuse/dep5: remove recursive docs ignore, only skip markdown files
+
+ ... and some additional non-markdown individual files in docs/
+
+ Closes #9005
+
+- docs/cmdline-opts: add copyright and license identifier to each file
+
+ gen.pl now insists on C: and SPDX-License-Identifier: fields to be
+ present in all files.
+
+ Closes #9002
+
+- copyright: info for/ignore .github/ISSUE_TEMPLATE/bug_report.md
+
+ Follow-up from 448f7ef9ab2afb7. The adding of the copyright text in that
+ file broke site functionality.
+
+ Closes #9001
+
+- bug_report.md: revert the REUSE template to see if it works again
+
+Viktor Szakats (13 Jun 2022)
+
+- version: rename threadsafe-init to threadsafe
+
+ Referring to Daniel's article [1], making the init function thread-safe
+ was the last bit to make libcurl thread-safe as a whole. So the name of
+ the feature may as well be the more concise 'threadsafe', also telling
+ the story that libcurl is now fully thread-safe, not just its init
+ function. Chances are high that libcurl wants to remain so in the
+ future, so there is little likelihood of ever needing any other distinct
+ `threadsafe-<name>` feature flags.
+
+ For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to
+ `CURL_VERSION_THREADSAFE`, update its description and reference libcurl's
+ thread safety documentation.
+
+ [1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-s
+ afe/
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Jay Satiro
+ Closes #8989
+
+Daniel Stenberg (13 Jun 2022)
+
+- test3026: disable on win32
+
+ ... as it's not likely to have working pthreads
+
+ Closes #8996
+
+- GHA: shorten the reuse CI job name
+
+ "REUSE compliance / check" should be good enough
+
+ Closes #9000
+
+- misc: add missing SPDX-License-Identifier info
+
+ For some reason the REUSE CI job did not find these.
+
+ Closes #8999
+
+- copyright: verify SPDX-License-Identifier presence as well
+
+- easy_lock: add SPDX license identifier
+
+ Closes #8998
+
+- mailmap: Max Mehl
+
+Max Mehl (13 Jun 2022)
+
+- git: ignore large commit making the curl REUSE compliant
+
+- copyright: make repository REUSE compliant
+
+ Add licensing and copyright information for all files in this repository. Thi
+ s
+ either happens in the file itself as a comment header or in the file
+ `.reuse/dep5`.
+
+ This commit also adds a Github workflow to check pull requests and adapts
+ copyright.pl to the changes.
+
+ Closes #8869
+
+Daniel Stenberg (12 Jun 2022)
+
+- curl_url_set.3: clarify by default using known schemes only
+
+ Closes #8994
+
+- scripts/copyright.pl: ignore leading spaces
+
+Viktor Szakats (10 Jun 2022)
+
+- ngtcp2: fix typo in preprocessor condition
+
+ Ref: 927ede7edcb7b05b8e8bbf9ced6aed523ae594a7
+
+ Bug: https://github.com/curl/curl/pull/8981#discussion_r894312185
+ Reported-by: Emil Engler
+ Closes #8987
+
+Daniel Stenberg (10 Jun 2022)
+
+- RELEASE-NOTES: synced
+
+Tatsuhiro Tsujikawa (10 Jun 2022)
+
+- ngtcp2: build without sendmsg
+
+ Closes #8981
+
+- ngtcp2: use handshake helper funcs to simplify TLS handshake integration
+
+ Closes #8968
+
+Daniel Stenberg (10 Jun 2022)
+
+- test390: verify --parallel
+
+ Closes #8985
+
+- test1543: verify CURLINFO_EFFECTIVE_URL with CURLOPT_CURLU set
+
+ Triggered by a bug report from Adam Light:
+ https://curl.se/mail/lib-2022-06/0013.html - which ended up being mostly
+ a misunderstanding of how CURLINFO_EFFECTIVE_URL works.
+
+ Closes #8971
+
+- url: URL encode the path when extracted, if spaces were set
+
+- urlapi: support CURLU_URLENCODE for curl_url_get()
+
+- server/sws: support spaces in the HTTP request path
+
+- tests/getpart: fix getpartattr to work with "data" and "data2"
+
+- select: return error from "lethal" poll/select errors
+
+ Adds two new error codes: CURLE_UNRECOVERABLE_POLL and
+ CURLM_UNRECOVERABLE_POLL one each for the easy and the multi interfaces.
+
+ Reported-by: Harry Sintonen
+ Fixes #8921
+ Closes #8961
+
+- test3026: add missing control file
+
+ Follow-up from 2ed101256414ea5
+
+ Makes the test run, makes 'make dist' work
+
+ This single test takes 24-25 seconds on my machine (with valgrind). For
+ this reason I tag it with a "slow" keyword.
+
+ Closes #8976
+
+- runtests: fix skipping tests not done event-based
+
+ ... and call timestampskippedevents() to avoid the flood of
+ uninitialized variable warnings.
+
+ Closes #8977
+
+- transfer: maintain --path-as-is after redirects
+
+ Reported-by: Marcus T
+ Fixes #8974
+ Closes #8975
+
+- test391: verify --path-as-is with redirect
+
+Jay Satiro (8 Jun 2022)
+
+- curl_global_init.3: Separate the Windows loader lock warning
+
+ This is a slight correction of the parent commit which implied the
+ loader lock warning only applied if not thread-safe. In fact the loader
+ lock warning applies either way.
+
+ Ref: https://github.com/curl/curl/pull/8972#discussion_r891987030
+
+Daniel Stenberg (8 Jun 2022)
+
+- curl_global_init.3: this is now (usually) thread-safe
+
+ Follow-up to 23af112f5556
+
+ Closes #8972
+
+Haxatron (8 Jun 2022)
+
+- libcurl-security.3: Document CRLF header injection
+
+ - Document that user input to header options is not sanitized, which
+ could result in CRLF used to modify the request in a way other than
+ what was intended.
+
+ Ref: https://hackerone.com/reports/1589877
+ Ref: https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0
+ d7cfe545
+
+ Closes https://github.com/curl/curl/pull/8964
+
+Jay Satiro (8 Jun 2022)
+
+- CURLOPT_RANGE.3: remove ranged upload advice
+
+ The e-mail link in the advice contains instructions that are prone to
+ error. We need an example that works and can demonstrate how to properly
+ perform a ranged upload, and then we can refer to that example instead.
+
+ Bug: https://github.com/curl/curl/issues/8969
+ Reported-by: Simon Berger
+
+ Closes https://github.com/curl/curl/pull/8970
+
+Thomas Guillem (7 Jun 2022)
+
+- curl_version_info: add CURL_VERSION_THREADSAFE_INIT
+
+ This flag can be used to make sure that curl_global_init() is
+ thread-safe.
+
+ This can be useful for libraries that can't control what other
+ dependencies are doing with Curl.
+
+ Closes #8680
+
+- lib: make curl_global_init() threadsafe when possible
+
+ Use a posix pthread or a Windows SRWLOCK to lock curl_global_init*() and
+ curl_global_cleanup().
+
+ Closes #8680
+
+Daniel Stenberg (6 Jun 2022)
+
+- RELEASE-NOTES: synced
+
+Fabian Keil (6 Jun 2022)
+
+- test414: add the '--resolve' keyword
+
+ ... so the test can be automatically skipped when
+ using an external proxy like Privoxy.
+
+ Closes #8959
+
+- test{440,441,493,977}: add "HTTP proxy" keywords
+
+ ... so the tests can be automatically skipped when
+ using an external proxy like Privoxy.
+
+ Closes #8959
+
+- runtests.pl: add the --repeat parameter to the --help output
+
+ Closes #8959
+
+- test 2081: add a valid reply for the second request
+
+ ... so the test works when using a HTTP proxy like
+ Privoxy that sends an error message if the server
+ doesn't send data.
+
+ Closes #8959
+
+- test 675: add missing CR so the test passes when run through Privoxy
+
+ Closes #8959
+
+Daniel Stenberg (6 Jun 2022)
+
+- ftp: when failing to do a secure GSSAPI login, fail hard
+
+ ... instead of switching to cleartext. For the sake of security.
+
+ Reported-by: Harry Sintonen
+ Bug: https://hackerone.com/reports/1590102
+ Closes #8963
+
+- http2: reject overly many push-promise headers
+
+ Getting more than a thousand of them is rather a sign of some kind of
+ attack.
+
+ Reported-by: Harry Sintonen
+ Bug: https://hackerone.com/reports/1589847
+ Closes #8962
+
+Fabian Keil (5 Jun 2022)
+
+- misc: spelling improvements
+
+ Closes #8956
+
+Tatsuhiro Tsujikawa (5 Jun 2022)
+
+- ngtcp2: fix assertion failure on EMSGSIZE
+
+ Closes #8958
+
+Daniel Stenberg (2 Jun 2022)
+
+- easy/transfer: fix cookie-disabled build
+
+ Follow-up from 45de940cebf6a
+ Reported-by: Marcel Raad
+ Fixes #8953
+ Closes #8954
+
+- examples/crawler.c: use the curl license
+
+ With permission from Jeroen Ooms
+
+ URL: https://github.com/curl/curl/pull/8869#issuecomment-1144742731
+ Closes #8950
+
+- speed-limit/time.d: mention these affect transfers in either direction
+
+ Reported-by: Ladar Levison
+ Fixes #8948
+ Closes #8951
+
+- scripts/copyright.pl: fix the exclusion to not ignore man pages
+
+ Ref: #8869
+ Closes #8952
+
+- examples: remove fopen.c and rtsp.c
+
+ To simplify the license situation, as they were the only files in the
+ source tree using these specific BSD-3 clause licenses.
+
+ For an fopen style API, we recommend instead going
+ https://github.com/curl/fcurl
+
+ Ref: #8869
+ Closes #8949
+
+Wolf Vollprecht (2 Jun 2022)
+
+- netrc: check %USERPROFILE% as well on Windows
+
+ Closes #8855
+
+Daniel Stenberg (2 Jun 2022)
+
+- CURLOPT_SSH_HOSTKEYDATA/FUNCTION.3: minor polish
+
+Michael Musset (2 Jun 2022)
+
+- libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
+
+ The callback set by CURLOPT_SSH_HOSTKEYFUNCTION is called to check
+ wether or not the connection should continue.
+
+ The host key is passed in argument with a custom handle for the
+ application.
+
+ It overrides CURLOPT_SSH_KNOWNHOSTS
+
+ Closes #7959
+
+Daniel Stenberg (2 Jun 2022)
+
+- docs/CONTRIBUTE.md: document the 'needs-votes' concept
+
+ A pull request sent to the project might get labeled `needs-votes` by a
+ project maintainer. This label means that in addition to meeting all
+ other checks and qualifications this pull request must also receive
+ proven support/thumbs-ups from more community members to be considered
+ for merging.
+
+ Closes #8910
+
+Evgeny Grin (Karlson2k) (2 Jun 2022)
+
+- digest: tolerate missing "realm"
+
+ Server headers may not define "realm", avoid NULL pointer dereference
+ in such cases.
+
+ Closes #8912
+
+- digest: added detection of more syntax error in server headers
+
+ Invalid headers should not be processed otherwise they may create
+ a security risk.
+
+ Closes #8912
+
+- digest: unquote realm and nonce before processing
+
+ RFC 7616 (and 2617) requires values to be "unquoted" before used for
+ digest calculations. The only place where unquoting can be done
+ correctly is header parsing function (realm="DOMAIN\\host" and
+ realm=DOMAN\\host are different realms).
+
+ This commit adds unquoting (de-escaping) of all values during header
+ parsing and quoting of the values during header forming. This approach
+ should be most straightforward and easy to read/maintain as all values
+ are processed in the same way as required by RFC.
+
+ Closes #8912
+
+Daniel Stenberg (1 Jun 2022)
+
+- headers: handle unfold of space-cleansed headers
+
+ Detected by OSS-fuzz
+
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47767
+
+ Updated test 1274
+
+ Closes #8947
+
+- lib: make more protocol specific struct fields #ifdefed
+
+ ... so that they don't take up space if the protocols are disabled in
+ the build.
+
+ Closes #8944
+
+- DISABLED: disable 1021 for hyper again
+
+ due to flakiness in the CI builds
+
+- urldata: store tcp_keepidle and tcp_keepintvl as ints
+
+ They can't be set larger than INT_MAX in the setsocket API calls.
+
+ Also document the max values in their respective man pages.
+
+ Closes #8940
+
+- urldata: reduce size of a few struct fields
+
+ When the values are never larger than 32 bit, ints are better than longs.
+
+ Closes #8940
+
+- urldata: remove three unused booleans from struct UserDefined
+
+ - is_fwrite_set
+ - free_referer
+ - strip_path_slash
+
+ Closes #8940
+
+- remote-name.d: mention --output-dir
+
+ plus add two see-alsos
+
+ Closes #8945
+
+Jay Satiro (1 Jun 2022)
+
+- configure: skip libidn2 detection when winidn is used
+
+ Prior to this change --with-winidn could be overridden by libidn2
+ detection.
+
+ Closes https://github.com/curl/curl/pull/8934
+
+Daniel Stenberg (31 May 2022)
+
+- CURLOPT_FILETIME.3: fix the protocols this works with
+
+- test681: verify --no-remote-name
+
+ Follow-up to 83ee5c428d960 (from #8931)
+
+ Closes #8942
+
+Tatsuhiro Tsujikawa (31 May 2022)
+
+- ngtcp2: enable Linux GSO
+
+ Enable Linux GSO in ngtcp2 QUIC. In order to recover from the
+ EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write,
+ packet buffer is now held by struct quicsocket. GSO write might fail in
+ runtime depending on NIC. Disable GSO if sendmsg returns EIO.
+
+ Closes #8909
+
+Daniel Stenberg (31 May 2022)
+
+- CURLOPT_PORT.3: We discourage using this option
+
+ Closes #8941
+
+- RELEASE-NOTES: synced
+
+- headers_push: error out if a folded header has no previous header
+
+ As that would indicate an illegal header. The fuzzer reached the assert
+ in unfold_value() proving that this case can happen.
+
+ Follow-up to c9b60f005358a364
+
+ Closes #8939
+
+Boris Verkhovskiy (31 May 2022)
+
+- curl: re-enable --no-remote-name
+
+ Closes #8931
+
+Daniel Stenberg (31 May 2022)
+
+- test680: require 'http' since it uses such a URL
+
+ Follow-up to d1b376c03524
+
+- CURLOPT_NETRC.3: document the .netrc file format
+
+- test680: verify rejection of malformatted .netrc quoted password
+
+- test679: verify netrc quoted string
+
+- netrc: support quoted strings
+
+ The .netrc parser now accepts strings within double-quotes in order to
+ deal with for example passwords containing white space - which
+ previously was not possible.
+
+ A password that starts with a double-quote also ends with one, and
+ double-quotes themselves are escaped with backslashes, like \". It also
+ supports \n, \r and \t for newline, carriage return and tabs
+ respectively.
+
+ If the password does not start with a double quote, it will end at first
+ white space and no escaping is performed.
+
+ WARNING: this change is not entirely backwards compatible. If anyone
+ previously used a double-quote as the first letter of their password,
+ the parser will now get it differently compared to before. This is
+ highly unfortunate but hard to avoid.
+
+ Reported-by: ImpatientHippo on GitHub
+ Fixes #8908
+ Closes #8937
+
+- curl_getdate.3: document that some illegal dates pass through
+
+ Closes #8938
+
+- CI: remove configure --enable-headers-api flags
+
+- headers api: remove EXPERIMENTAL tag
+
+ Closes #8900
+
+Daniel Gustafsson (30 May 2022)
+
+- cookies: fix documentation comment
+
+ Commit 4073cd83b2 added the noexpire parameter to Curl_cookie_add but
+ missed updating the documentation comment at the head of the file.
+
+Marc Hoersken (30 May 2022)
+
+- tests/data/test1940: use binary mode for expected stdout
+
+ The generated stdout data is written in binary mode with [LF]
+ line endings, therefore we also need to do a binary comparison.
+
+ Assisted-by: Jay Satiro
+ Assisted-by: Daniel Stenberg
+
+ Follow up to c9b60f005358a364cbcddbebd8d12593acffdd84
+ Fixes #8920
+ Closes #8936
+
+Daniel Stenberg (29 May 2022)
+
+- CURLINFO_CAINFO/PATH.3: clarify the multiple TLS situation
+
+ Spell out the multi-TLS situation.
+
+ Reported-by: Dan Fandrich
+ Fixes #8926
+ Closes #8932
+
+JustAnotherArchivist (28 May 2022)
+
+- tool_getparam: fix --parallel-max maximum value constraint
+
+ - Clamp --parallel-max to MAX_PARALLEL (300) instead of resetting to
+ default value.
+
+ Previously, --parallel-max 300 would use 300 concurrent transfers, but
+ --parallel-max 301 would unexpectedly use only 50. This change clamps
+ higher values to the maximum (ie --parallel-max 301 would use 300).
+
+ Closes https://github.com/curl/curl/pull/8930
+
+Daniel Stenberg (27 May 2022)
+
+- curl.1: add a few see also --tls-max
+
+ Closes #8929
+
+Viktor Szakats (26 May 2022)
+
+- cmake: do not add libcurl.rc to the static libcurl library
+
+ Fixes: https://github.com/curl/curl/pull/8918#issuecomment-1138263855
+
+ Reviewed-By: Karlson2k@users.noreply.github.com
+ Closes #8923
+
+- cmake: support adding a suffix to the OS value
+
+ CMake automatically uses the `CMAKE_SYSTEM_NAME` value to fill the OS
+ string appearing in the --version output after the curl version number,
+ for example:
+
+ 'curl 7.83.1 (Windows)'
+
+ This patchs adds the ability to pass a suffix that is appended to this
+ value. It's useful to add CPU info or other platform details,
+ for example:
+
+ 'curl 7.83.1 (Windows-x64)'
+
+ Closes #8919
+
+- cmake: enable curl.rc for all Windows targets
+
+ Before this patch, it was only enabled for MSVC. This syncs this
+ configuration with libcurl.rc, which was already included with
+ every Windows compiler.
+
+ Closes #8918
+
+- cmake: fix detecting libidn2
+
+ Without this patch, libidn2 detection doesn't even seem to be
+ attempted. With this patch, cmake can be configured to pick it
+ up and enable it. Necessary configuration remains manual and
+ differs from most other dependencies.
+
+ If you are aware of a better fix, we're glad hearing about it
+ in a new Issue.
+
+ Closes #8917
+
+- version: allow stricmp() for sorting the feature list
+
+ In CMakeLists.txt there is an attempt to detect `stricmp()`, and in
+ certain cases, this attempt is the only successful one to detect a
+ case-insensitive comparison function. `HAVE_STRICMP` is defined as
+ a result, but this macro wasn't used anywhere in the source. This
+ patch makes use of it as an alternative when alpha-sorting the
+ `--version` feature list.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #8916
+
+Daniel Stenberg (25 May 2022)
+
+- DISABLED: add six tests that fail with hyper
+
+ 1117 1274 1940 1941 1942 1943
+
+- c-hyper: mark status line as status for Curl_client_write()
+
+ To make sure the headers API can filter it out as not a regular header.
+
+ Reported-by: Gisle Vanem
+ Fixes #8894
+ Closes #8914
+
+Marc Hoersken (25 May 2022)
+
+- tests/data/test1501: kill ftp server after slow LIST response
+
+ This test is contributing to flakiness on the Windows CI runs.
+ Killing the ftp server after the test run like other slowness
+ tests already do may help resolve or reduce the flakiness.
+
+ Closes #8907
+
+Daniel Stenberg (25 May 2022)
+
+- headers: fix the unfold realloc to use proper new size
+
+ Previously it didn't take the old name length into acount
+
+ Follow-up to: c9b60f005358a364
+ Closes #8913
+
+Marc Hoersken (25 May 2022)
+
+- GHA: align all install, configure and build steps again
+
+ First step towards more unified build steps on GitHub Actions.
+
+ Closes #8873
+
+- CI/azure: remove obsolete strategy for single builds
+
+ This shortens these CI job names on GitHub even more.
+ Follow up to #8906 which also increased their timeout.
+
+ Closes #8911
+
+- CI/azure: shorten names of Windows CI jobs
+
+ Suggested-by: Daniel Stenberg
+ Closes #8906
+
+Daniel Stenberg (24 May 2022)
+
+- http: restore header folding behavior
+
+ Folded header lines will now get passed through like before. The headers
+ API is adapted and will provide the content unfolded.
+
+ Added test 1274 and extended test 1940 to verify.
+
+ Reported-by: Petr Pisar
+ Fixes #8844
+ Closes #8899
+
+Viktor Szakats (24 May 2022)
+
+- Makefile.m32: delete obsolete options, improve -On [ci skip]
+
+ - `-D_AMD64_` has not been necessary for mingw-w64 builds for a long time now
+ .
+ - `-fno-strict-aliasing` is mentioned for Intel C compiler in autotools, and
+ I used this with VxWorks in another project, but otherwise this isn't
+ necessary anymore as a default. If a target still needs it, it can be
+ added with `CURL_CFLAG_EXTRAS=-fno-strict-aliasing`
+ - bump up default optimization level to `-O3` (from `-O2`), and also rearrang
+ e
+ option order so the default can now be overridden via
+ `CURL_CFLAG_EXTRAS`.
+ - delete `-g` (generate debug info) from `CFLAGS` and `-s` from `LDFLAGS`
+ (strip debug info). They were working against each other. Now, if someone
+ needs debug info, it can be enabled via `CURL_CFLAG_EXTRAS=-g`
+
+ Closes #8904
+
+Daniel Gustafsson (24 May 2022)
+
+- ntlm: fix one more hostname test fallout
+
+ This fixup was missed in commit 5a41abef6dca19.
+
+ Closes: #8901
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- doh: remove UNITTEST macro definition
+
+ The UNITTEST macro is defined by curl_setup.h so there is no use in
+ carry a local copy of the logic.
+
+ Closes: #8902
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (24 May 2022)
+
+- cookie: fix false positive "potentially uninitialized local variable"
+
+ Reviewed-by: Daniel Gustafsson
+ Closes #8903
+
+- curl: add --rate to set max request rate per time unit
+
+ --rate "12/m" - for 12 per minute or
+ --rate "5/h" - for 5 per hour
+
+ Removed from TODO
+
+ Closes #8671
+
+Jay Satiro (23 May 2022)
+
+- max-time.d: clarify max-time sets max transfer time
+
+ Prior to this change the doc said --max-time set the maximum time of the
+ 'whole operation' which is not accurate. The option maps to
+ CURLOPT_TIMEOUT_MS which sets maximum transfer time.
+
+ For example, the maximum time on a transfer is reset if the transfer is
+ retried (--retry).
+
+ Reported-by: Nuru@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/8877
+ Closes #8879
+
+Daniel Stenberg (23 May 2022)
+
+- GHA/hyper: enable debug in the build
+
+- hyper: use 'alt-used'
+
+ Makes test 412+413 work
+
+ Closes #8898
+
+- RELEASE-NOTES: synced
+
+- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
+
+ Closes #8888
+
+- links: update dead links
+
+ The wiki pages are gone, remove and link to more long-living docs.
+
+ Closes #8897
+
+- ntlm: (void) typecast msnprintf() where we ignore return code
+
+ Follow-up to 5a41abef6, to please Coverity
+
+Daniel Gustafsson (22 May 2022)
+
+- ntlm: copy NTLM_HOSTNAME to host buffer
+
+ Commit 709ae2454f43 added a fake hostname to avoid leaking the local
+ hostname, but omitted copying it to the host buffer. Fix by copying
+ and adjust the test fallout.
+
+ Closes: #8895
+ Fixes: #8893
+ Reported-by: Patrick Monnerat <patrick@monnerat.net>
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- configure: use the SED value to invoke sed
+
+ Rather than assuming sed in PATH, use the resolved $SED variable
+ like in all other invocations of sed in configure.
+
+ Closes: #8891
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
+
+Tatsuhiro Tsujikawa (20 May 2022)
+
+- ngtcp2: Allow curl to send larger UDP datagrams
+
+ Allow curl to send larger UDP datagram if Path MTU Discovery finds the
+ availability of larger path MTU. To make it work and not to send
+ fragmented packet, we need to set DF bit. That makes send(2) fail with
+ EMSGSIZE if UDP datagram is too large. In that case, just let it be
+ lost. This patch enables DF bit for Linux only.
+
+ Closes #8883
+
+Daniel Stenberg (20 May 2022)
+
+- libcurl-security.3: add "Secrets in memory"
+
+ Closes #8881
+
+- tests: update NTLM tests to use new host name
+
+ Also drop the debug requirement, remove the setenv sections, remove
+ prechecks and add NTLM to the top keywords.
+
+ Closes #8889
+
+- ntlm: provide a fixed fake host name
+
+ The NTLM protocol includes providing the local host name, but apparently
+ other implementations already provide a fixed fake name instead to avoid
+ leaking the real local name.
+
+ The exact name used is 'WORKSTATION', because Firefox uses that.
+
+ The change is written to allow someone to "back-pedal" fairly easy in
+ case of need.
+
+ Reported-by: Carlo Alberto
+ Fixes #8859
+ Closes #8889
+
+Daniel Gustafsson (20 May 2022)
+
+- KNOWN_BUGS: fix typo in problem description
+
+ s/TSL/TLS/
+
+- FEATURES: remove yassl as TLS library for NTLM
+
+ yassl was added in commit 9d904ee41b880b but is no longer available
+ and is thus not a library to use for NTLM. This aligns the FEATURES
+ doc with the FAQ.
+
+ Closes: #8886
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- FEATURES: reorder footnotes
+
+ The empty left-behind footnote confused the website rendering into
+ creating a nested emoty list, making the resulting page look quite
+ odd. Remove and re-order the remaining ones to avoid a gap in the
+ sequence.
+
+ Closes: #8886
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- FAQ: remove opinionated sentence on NTLM
+
+ curl is a tool that support many different things, and it doesn't
+ really seem like our job to tell other what to use (as they might
+ not have much say in the matter even). Also tidy up wording.
+
+ Closes: #8886
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Viktor Szakats (20 May 2022)
+
+- log2changes: do not indent empty lines [ci skip]
+
+ This will omit two spaces of indentation from lines with no content,
+ thus avoiding 'spaces @ EOL'.
+
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Closes #8887
+
+Daniel Stenberg (19 May 2022)
+
+- wolfssl: correct the failf() message when a handle can't be made
+
+ Closes #8885
+
+Viktor Szakats (19 May 2022)
+
+- Makefile.m32: delete two obsolete OpenSSL options [ci skip]
+
+ - -DOPENSSL_NO_KRB5: No longer used by OpenSSL 1.1.x, 3.x, or
+ LibreSSL 3.5.x, yet it collides with the latter, which defines
+ it unconditionally, resulting in this warning:
+ ../../libressl/include/openssl/opensslfeatures.h:14:9: warning: 'OPENSSL_
+ NO_KRB5' macro redefined [-Wmacro-redefined]
+ It was originally added to curl in 2004.
+
+ - -DHAVE_OPENSSL_PKCS12_H: No longer used by OpenSSL 1.1.x, 3.x, or
+ LibreSSL back to at least 2.5.5. Originally added in the same
+ commit as the above, in 2004.
+
+ Closes #8884
+
+Daniel Stenberg (19 May 2022)
+
+- RELEASE-NOTES: synced
+
+ bump to 7.84.0
+
+Christian Weisgerber via curl-library (19 May 2022)
+
+- Makefile.am: fix portability issues
+
+ Commit a04f0b961333e1a19848d073d8c7db9c20b2a371 made me notice that
+ there is a portability issue in curl's top-level Makefile.am.
+
+ $< can only be used in rules that deal with .SUFFIXES. Its use
+ for general prerequisites is a GNU make extension.
+
+ $< could be replaced by $?, but I think in an autotools context,
+ something like this is better:
+
+ Bug: https://curl.se/mail/lib-2022-05/0024.html
+ Closes #8861
+
+Balakrishnan Balasubramanian (19 May 2022)
+
+- socks: support unix sockets for socks proxy
+
+ Usage:
+ curl -x "socks5h://localhost/run/tor/socks" "https://example.com"
+
+ Updated runtests.pl to run a socksd server listening on unix socket
+
+ Added tests test1467 test1468
+
+ Added documentation for proxy command line option and socks proxy
+ options
+
+ Closes #8668
+
+Vincent Torri (19 May 2022)
+
+- cmake: add libpsl support
+
+ Fixes #8865
+ Closes #8867
+
+Tatsuhiro Tsujikawa (19 May 2022)
+
+- ngtcp2: extend QUIC transport parameters buffer
+
+ Extend QUIC transport parameters buffer because 64 bytes are too
+ short for the ever increasing parameters.
+
+ Closes #8872
+
+- ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
+
+ Closes #8871
+
+- ngtcp2: send appropriate connection close error code
+
+ Closes #8870
+
+Daniel Stenberg (19 May 2022)
+
+- test1561: adjusted for the cookie fix
+
+- test414: verify secure cookie domain overlay
+
+Harry Sintonen (19 May 2022)
+
+- cookie: address secure domain overlay
+
+ Bug: https://hackerone.com/reports/1560324
+ Co-authored-by: Daniel Stenberg
+ Closes #8840
+
+Frank Gevaerts (19 May 2022)
+
+- strcase: some optimisations
+
+ Lookup tables for toupper() and tolower() make Curl_strcasecompare()
+ about 1.5 times faster. Reorganising Curl_strcasecompare() to fully exit
+ early then also allows simplifying the check at the end, for another
+ 15%. In total, the changes make Curl_strcasecompare() around 1.6 to 1.7
+ times faster.
+
+ Note that these optimisation assume ASCII. The original
+ Curl_raw_toupper() and raw_tolower() look like they already made that
+ assumption.
+
+ Closes #8875
+
+Daniel Stenberg (19 May 2022)
+
+- BUG-BOUNTY.md: mention the audit exception
+
+ Dedicated - paid for - security audits that are performed in
+ collaboration with curl developers are not eligible for bounties.
+
+ (plus I changed the sub-titles to use ## instead of # in the markdown)
+
+ Closes #8880
+
+- lib/vssh/wolfssh.h: removed
+
+ Unused header file
+
+ Reported-by: Illarion Taev
+ Fixes #8863
+ Closes #8866
+
+Elms (17 May 2022)
+
+- wolfSSL: explicitly use compatibility layer
+
+ This change removes adding an include `$prefix/wolfssl` or similar to
+ allow for openssl include aliasing. Include paths of `wolfssl/openssl/`
+ are used to explicitly use wolfSSL includes. This fixes cmake builds as
+ well as avoiding potentially using openSSL headers since include path
+ order is not guaranteed.
+
+ Closes #8864
+
+Daniel Stenberg (17 May 2022)
+
+- curl: deprecate --random-file and --egd-file
+
+ As libcurl no longer has any functionality for them, the tool now does
+ nothing with them.
+
+ Closes #8670
+
+- opts: deprecate RANDOM_FILE and EGDSOCKET
+
+ These two options were only ever used for the OpenSSL backend for
+ versions before 1.1.0. They were never used for other backends and they
+ are not used with recent OpenSSL versions. They were never used much by
+ applications.
+
+ The defines RANDOM_FILE and EGD_SOCKET can still be set at build-time
+ for ancient EOL OpenSSL versions.
+
+ Closes #8670
+
+Harry Sintonen (17 May 2022)
+
+- bindlocal: don't use a random port if port number would wrap
+
+ Earlier if CURLOPT_LOCALPORT + CURLOPT_LOCALPORTRANGE would go past port
+ 65535 the code would fall back to random port rather than giving up.
+
+ Closes #8862
+
+Daniel Gustafsson (16 May 2022)
+
+- transfer: Fix potential NULL pointer dereference
+
+ Commit 0ef54abf5208 accidentally used the conn variable before the
+ assertion for it being NULL. Fix by moving the assignment which use
+ conn to after the assertion.
+
+ Closes: #8857
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- docs: clarify data replacement policy for MIME API
+
+ The API documentation for the MIME functions specify that the parts
+ can be set twice, with the last call winning. While true, the user
+ can set the parts n times for n > 2, reword to specify multiple API
+ calls instead.
+
+ Closes: #8860
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+vvb2060 on github (16 May 2022)
+
+- ngtcp2: support boringssl crypto backend
+
+ Closes #8789
+
+Tatsuhiro Tsujikawa (16 May 2022)
+
+- quic: add Curl_quic_idle
+
+ Add Curl_quic_idle which is called when no HTTP level read or write is
+ performed. It is a good place to handle timer expiry for QUIC transport
+ (.e.g, retransmission).
+
+ Closes #8698
+
+Gregor Jasny (16 May 2022)
+
+- mprintf: ignore clang non-literal format string
+
+ Closes #8740
+
+Nick Zitzmann (16 May 2022)
+
+- sectransp: check for a function defined when __BLOCKS__ is undefined
+
+ SecTrustEvaluateAsync() is defined in the macOS 10.7 SDK, but it
+ requires Grand Central Dispatch to be supported by the compiler, and
+ some third-party macOS compilers do not support Grand Central Dispatch.
+ SecTrustCopyPublicKey() is not present in macOS 10.6, so this shouldn't
+ adversely affect anything.
+
+ Fixes #8846
+ Reported-by: Egor Pugin
+ Closes #8854
+
+Daniel Gustafsson (16 May 2022)
+
+- test412/413: Use version macro for User-Agent
+
+ Commit 46d45ea3a incorrectly hardcoded the User-Agent in the test
+ output file which breaks when curlver is updated. Shift to using
+ the %VERSION macro instead.
+
+ Closes: #8856
+
+- macos9: remove partial support
+
+ The support for compiling on Mac OS 9 hasn't been modified since 2001
+ and has no active maintainer or packager, so it's time to remove it as
+ it's incredibly unlikely to work. If a maintainer re-emerges it can be
+ resurrected from Git history.
+
+ Closes: #8836
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (16 May 2022)
+
+- test1635: verify --fail-with-body with --retry
+
+ Almost a dupe of 1634
+
+ Closes #8847
+
+- tool_operate: make sure --fail-with-body works with --retry
+
+ ... in the same way --fail already does.
+
+ Reported-by: Jakub Bochenski
+ Fixes #8845
+ Closes #8847
+
+Tatsuhiro Tsujikawa (16 May 2022)
+
+- ngtcp2: Correct use of ngtcp2 and nghttp3 signed integer types
+
+ Closes #8851
+
+- ngtcp2: Fix alert_read_func return value
+
+ Closes #8852
+
+Harry Sintonen (16 May 2022)
+
+- Curl_parsenetrc: don't access local pwbuf outside of scope
+
+ Accessing local variables outside of the scope is forbidden and
+ depending on the compiler can result in the value being
+ overwritten. Fixed by moving the pwbuf to be in scope.
+
+ Closes #8850
+
+Daniel Stenberg (16 May 2022)
+
+- RELEASE-NOTES: synced
+
+ and bump curlver to 7.83.2 for now (but likely to become 7.84.0 soon)
+
+Frazer Smith (14 May 2022)
+
+- ci: update github actions
+
+ - bump actions/checkout from 2 to 3
+ - bump actions/upload-artifact from 1 to 3
+ - bump github/codeql-actions from 1 to 2
+ - use version tag for actions/checkout
+
+ Closes #8843
+
+Daniel Stenberg (14 May 2022)
+
+- test1919: verify CURLOPT_XOAUTH2_BEARER leak fix
+
+- url: free old conn better on reuse
+
+ Make use of conn_free() better and avoid duplicate code.
+
+ Reported-by: Andrea Pappacoda
+ Fixes #8841
+ Closes #8842
+
+Jay Satiro (14 May 2022)
+
+- FAQ: Clarify Windows double quote usage
+
+ - Windows command prompt doesn't use literal quoting via single quotes.
+
+ - Windows command prompt inner double quotes are escaped with a
+ backslash.
+
+ - Windows powershell does use single quotes but curl is not a powershell
+ script so the arguments may not be passed on correctly.
+
+ - Windows powershell inner double quotes seems can be passed to curl if
+ the outer quotes are double quotes and an escape of backslash-backtick
+ is used.
+
+ Command prompt example:
+
+ ~~~
+ getargs -v -d "\"a\""
+
+ argv[0]: getargs
+ argv[1]: -v
+ argv[2]: -d
+ argv[3]: "a"
+ ~~~
+
+ Ref: https://github.com/curl/curl/issues/8818
+ Ref: https://gist.github.com/jay/19aba48653bd591cf4b90eb9249a302c
+
+ Reported-by: KotlinIsland@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/8823
+
+Daniel Stenberg (12 May 2022)
+
+- github/workflows/nss: apt update first
+
+ Fix "libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb 404 Not Found"
+
+ Closes #8837
+
+- page-footer: mention exit code zero too
+
+ Success (zero) is also an "exit code" worth mentioning.
+
+ Closes #8833
+
+Daniel Gustafsson (12 May 2022)
+
+- gssapi: initialize gss_buffer_desc strings
+
+ Explicitly initialize gss_buffer_desc strings such that a call to
+ freeing resources will succeed even if no data has been allocated
+ to it.
+
+ Reported-by: Jay Satiro <raysatiro@yahoo.com>
+
+- gssapi: improve handling of errors from gss_display_status
+
+ In case gss_display_status() returns an error, avoid trying to add
+ it to the buffer as the message may well be a NULL pointer.
+
+ Originally this fix comes from a discussion in issue #8816.
+
+ Closes: #8832
+ Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
+
+steini2000 (12 May 2022)
+
+- http2: always debug print stream id in decimal with %u
+
+ Prior to this change the stream id shown could be hex or decimal which
+ was inconsistent and confusing.
+
+ Closes https://github.com/curl/curl/pull/8808
+
+Kamil Dudka (11 May 2022)
+
+- url: remove redundant #ifdefs in allocate_conn()
+
+ No change in behavior intended by this commit.
+
+Fabian Keil (11 May 2022)
+
+- tests 266, 116 and 1540: add a small write delay
+
+ This makes it more likely that the trailer is received
+ seperately from the last-chunk.
+
+ curl doesn't seem to care about this but it makes the tests
+ more useful when testing external proxies like Privoxy.
+
+- tests 1117,1238,1523: adjust writedelay servercmds
+
+ ... so the delays are the same now that the unit
+ is in milliseconds.
+
+- tests/server/sws.c: change the HTTP writedelay unit to milliseconds
+
+ This allows to use write delays for large responses without
+ resulting in the test taking an unreasonable amount of time.
+
+ In many cases delaying writes by a whole second or more isn't
+ necessary for the desired effect.
+
+ Closes #8827
+
+Daniel Gustafsson (11 May 2022)
+
+- aws-sigv4: fix potentional NULL pointer arithmetic
+
+ We need to check if the strchr() call returns NULL (due to missing
+ char) before we use the returned value in arithmetic. There is no
+ live bug here, but fixing it before it can become for hygiene.
+
+ Closes: #8814
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (11 May 2022)
+
+- quiche: support ca-fallback
+
+ Follow-up to b01f3e679f4c1ea3 which added this for ngtcp2/openssl
+
+ Removed from KNOWN_BUGS
+
+ Fixes #8696
+ Closes #8830
+
+Daniel Gustafsson (11 May 2022)
+
+- x509asn1: mark msnprintf return as unchecked
+
+ We have lots of unchecked msnprintf calls, and this particular msnprintf
+ call isn't more interesting than the others, but this one yields a Coverity
+ warning so let's implicitly silence it. Going over the other invocations
+ is probably a worthwhile project, but for now let's keep the static
+ analyzers happy.
+
+ Closes: #8831
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Version 7.83.1 (11 May 2022)
+
+Daniel Stenberg (11 May 2022)
+
+- RELEASE-NOTES: synced
+
+ curl 7.83.1 release
+
+- THANKS: added contributors from 7.83.1
|