diff options
| author | dartraiden <wowemuh@gmail.com> | 2023-09-16 22:53:10 +0300 |
|---|---|---|
| committer | dartraiden <wowemuh@gmail.com> | 2023-09-16 22:53:10 +0300 |
| commit | 47346b568cae68439c3d39f06f8c4ab14911475d (patch) | |
| tree | 617c91959e8c606a315a1aaaf13a38f5b7333e9a /libs/libcurl/docs/CHANGES | |
| parent | cb1787afbb67184321f206f13f836b63cd06740a (diff) | |
libcurl: update to 8.3.0
Diffstat (limited to 'libs/libcurl/docs/CHANGES')
| -rw-r--r-- | libs/libcurl/docs/CHANGES | 5501 |
1 files changed, 2735 insertions, 2766 deletions
diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES index c18d77996a..45791b0d92 100644 --- a/libs/libcurl/docs/CHANGES +++ b/libs/libcurl/docs/CHANGES @@ -6,6 +6,2741 @@ Changelog
+Version 8.3.0 (13 Sep 2023)
+
+Daniel Stenberg (13 Sep 2023)
+
+- RELEASE-NOTES: syn ced
+
+ curl 8.3.0 release
+
+- THANKS: contributors from 8.3.0
+
+Thorsten Klein (12 Sep 2023)
+
+- cmake: set SIZEOF_LONG_LONG in curl_config.h
+
+ in order to support 32bit builds regarding wolfssl CTC_SETTINGS
+
+ Closes #11839
+
+Jay Satiro (12 Sep 2023)
+
+- curl_ngtcp2: fix error message
+
+- http_aws_sigv4: handle no-value user header entries
+
+ - Handle user headers in format 'name:' and 'name;' with no value.
+
+ The former is used when the user wants to remove an internal libcurl
+ header and the latter is used when the user actually wants to send a
+ no-value header in the format 'name:' (note the semi-colon is converted
+ by libcurl to a colon).
+
+ Prior to this change the AWS header import code did not special case
+ either of those and the generated AWS SignedHeaders would be incorrect.
+
+ Reported-by: apparentorder@users.noreply.github.com
+
+ Ref: https://curl.se/docs/manpage.html#-H
+
+ Fixes https://github.com/curl/curl/issues/11664
+ Closes https://github.com/curl/curl/pull/11668
+
+Dan Fandrich (11 Sep 2023)
+
+- CI: run pytest with the -v option
+
+ This lists of the test cases being run so it can be tracked over time.
+
+ Closes #11824
+
+Daniel Stenberg (11 Sep 2023)
+
+- HTTP3: the msquic backend is not functional
+
+ I ask that we do not submit bugs for this backend just yet as we know it
+ does not fully work.
+
+ Closes #11831
+ Closes #11819
+
+- aws_sigv4: the query canon code miscounted URL encoded input
+
+ Added some extra ampersands to test 439 to verify "blank" query parts
+
+ Follow-up to fc76a24c53b08cdf
+
+ Closes #11829
+
+vvb2060 (11 Sep 2023)
+
+- quic: don't set SNI if hostname is an IP address
+
+ We already do this for TLS connections.
+
+ RFC 6066 says: Literal IPv4 and IPv6 addresses are not permitted in
+ "HostName".
+
+ Ref: https://www.rfc-editor.org/rfc/rfc6066#section-3
+
+ Fixes https://github.com/curl/curl/issues/11827
+ Closes https://github.com/curl/curl/pull/11828
+
+Daniel Stenberg (10 Sep 2023)
+
+- RELEASE-NOTES: synced
+
+Benoit Pierre (10 Sep 2023)
+
+- configure: fix `HAVE_TIME_T_UNSIGNED` check
+
+ The syntax was incorrect (need a proper main body), and the test
+ condition was wrong (resulting in a signed `time_t` detected as
+ unsigned).
+
+ Closes #11825
+
+Daniel Stenberg (9 Sep 2023)
+
+- THANKS-filter: pszlazak on github
+
+pszlazak (9 Sep 2023)
+
+- include.d: explain headers not printed with --fail before 7.75.0
+
+ Prior to 7.75.0 response headers were not printed if -f/--fail was used
+ and an error was reported by server. This was fixed in ab525c0
+ (precedes 7.75.0).
+
+ Closes #11822
+
+Daniel Stenberg (8 Sep 2023)
+
+- http_aws_sigv4: skip the op if the query pair is zero bytes
+
+ Follow-up to fc76a24c53b08cdf
+
+ Spotted by OSS-Fuzz
+
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62175
+ Closes #11823
+
+- cmdline-docs: use present tense, not future
+
+ + some smaller cleanups
+
+ Closes #11821
+
+- cmdline-docs: make sure to phrase it as "added in ...."
+
+ References to things that were added or changed in a specific version
+ should be specified as "(added in [version]) for two reasons:
+
+ 1 - consistency
+
+ 2 - to allow gen.pl to strip them out if deemed referring to too old
+ versions
+
+ Closes #11821
+
+Jay Satiro (8 Sep 2023)
+
+- docs: mark --ssl-revoke-best-effort as Schannel specific
+
+ Closes https://github.com/curl/curl/pull/11760
+
+Nathan Moinvaziri (8 Sep 2023)
+
+- schannel: fix ordering of cert chain info
+
+ - Use CERT_CONTEXT's pbCertEncoded to determine chain order.
+
+ CERT_CONTEXT from SECPKG_ATTR_REMOTE_CERT_CONTEXT contains
+ end-entity/server certificate in pbCertEncoded. We can use this pointer
+ to determine the order of certificates when enumerating hCertStore using
+ CertEnumCertificatesInStore.
+
+ This change is to help ensure that the ordering of the certificate chain
+ requested by the user via CURLINFO_CERTINFO has the same ordering on all
+ versions of Windows.
+
+ Prior to this change Schannel certificate order was reversed in 8986df80
+ but that was later reverted in f540a39b when it was discovered that
+ Windows 11 22H2 does the reversal on its own.
+
+ Ref: https://github.com/curl/curl/issues/9706
+
+ Closes https://github.com/curl/curl/pull/11632
+
+Chris Talbot (8 Sep 2023)
+
+- digest: Use hostname to generate spn instead of realm
+
+ In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2
+
+ digest-uri-value should be serv-type "/" host , where host is:
+
+ The DNS host name or IP address for the service requested. The
+ DNS host name must be the fully-qualified canonical name of the
+ host. The DNS host name is the preferred form; see notes on server
+ processing of the digest-uri.
+
+ Realm may not be the host, so we must specify the host explicitly.
+
+ Note this change only affects the non-SSPI digest code. The digest code
+ used by SSPI builds already uses the hostname to generate the spn.
+
+ Ref: https://github.com/curl/curl/issues/11369
+
+ Closes https://github.com/curl/curl/pull/11395
+
+Daniel Stenberg (7 Sep 2023)
+
+- docs: remove use of the word 'very'
+
+ It is mostly superfluous. proselint would complain.
+
+ Closes #11818
+
+- curl_multi_remove_handle.3: clarify what happens with connection
+
+ Closes #11817
+
+- RELEASE-NOTES: synced
+
+- test439: verify query canonization for aws-sigv4
+
+- tool_operate: make aws-sigv4 not require TLS to be used
+
+ Maybe not used too often, but we want it for testing and it should work.
+
+- http_aws_sigv4: canonicalize the query
+
+ Percent encoding needs to be done using uppercase, and most
+ non-alphanumerical must be percent-encoded.
+
+ Fixes #11794
+ Reported-by: John Walker
+ Closes #11806
+
+Wyatt O'Day (7 Sep 2023)
+
+- lib: add ability to disable auths individually
+
+ Both with configure and cmake
+
+ Closes #11490
+
+Stefan Eissing (7 Sep 2023)
+
+- ngtcp2: fix handling of large requests
+
+ - requests >64K are send in parts to the filter
+ - fix parsing of the request to assemble it correctly
+ from several sends
+ - open a QUIC stream only when the complete request has
+ been collected
+
+ Closes #11815
+
+- openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before
+
+ - we delay loading the x509 store to shorten the handshake time.
+ However an application callback installed via CURLOPT_SSL_CTX_FUNCTION
+ may need to have the store loaded and try to manipulate it.
+ - load the x509 store before invoking the app callback
+
+ Fixes #11800
+ Reported-by: guoxinvmware on github
+ Cloes #11805
+
+Daniel Stenberg (7 Sep 2023)
+
+- krb5: fix "implicit conversion loses integer precision" warnings
+
+ conversions to/from enum and unsigned chars
+
+ Closes #11814
+
+Stefan Eissing (7 Sep 2023)
+
+- pytest: improvements
+
+ - set CURL_CI for pytest runs in CI environments
+ - exclude timing sensitive tests from CI runs
+ - for failed results, list only the log and stat of
+ the failed transfer
+
+ - fix type in http.c comment
+
+ Closes #11812
+
+- CI: move on to ngtcp2 v0.19.1
+
+ Closes #11809
+
+Dan Fandrich (5 Sep 2023)
+
+- CI: run Circle macOS builds on x86 for now
+
+ The ARM machines aren't ready for us and requesting them now causes
+ warnings e-mails to be sent to some PR pushers.
+
+ Ref: #11771
+
+Viktor Szakats (5 Sep 2023)
+
+- http3: adjust cast for ngtcp2 v0.19.0
+
+ ngtcp2 v0.19.0 made size of `ecn` member of `ngtcp2_pkt_info`
+ an `uint8_t` (was: `uint32_t`). Adjust our local cast accordingly.
+
+ Fixes:
+ ```
+ ./curl/lib/vquic/curl_ngtcp2.c:1912:12: warning: implicit conversion loses in
+ teger precision: 'uint32_t' (aka 'unsigned int') to 'uint8_t' (aka 'unsigned
+ char') [-Wimplicit-int-conversion]
+ pi.ecn = (uint32_t)ecn;
+ ~ ^~~~~~~~~~~~~
+ ```
+
+ Also bump ngtcp2, nghttp3 and nghttp2 to their latest versions in our
+ docs and CI.
+
+ Ref: https://github.com/ngtcp2/ngtcp2/commit/80447281bbc94af53f8aa7a4cfc19175
+ 782894a3
+ Ref: https://github.com/ngtcp2/ngtcp2/pull/877
+ Closes #11798
+
+Stefan Eissing (5 Sep 2023)
+
+- http: fix sending of large requests
+
+ - refs #11342 where errors with git https interactions
+ were observed
+ - problem was caused by 1st sends of size larger than 64KB
+ which resulted in later retries of 64KB only
+ - limit sending of 1st block to 64KB
+ - adjust h2/h3 filters to cope with parsing the HTTP/1.1
+ formatted request in chunks
+
+ - introducing Curl_nwrite() as companion to Curl_write()
+ for the many cases where the sockindex is already known
+
+ Fixes #11342 (again)
+ Closes #11803
+
+- pytest: fix check for slow_network skips to only apply when intended
+
+ Closes #11801
+
+Daniel Stenberg (5 Sep 2023)
+
+- curl_url_get/set.3: add missing semicolon in SYNOPSIS
+
+- CURLOPT_URL.3: explain curl_url_set() uses the same parser
+
+- CURLOPT_URL.3: add two URL API calls in the see-also section
+
+Dan Fandrich (4 Sep 2023)
+
+- CI: add a 32-bit i686 Linux build
+
+ This is done by cross-compiling under regular x86_64 Linux. Since the
+ kernel offers backwards compatibility, the binaries can be tested as
+ normal.
+
+ Closes #11799
+
+- tests: fix a type warning on 32-bit x86
+
+Viktor Szakats (4 Sep 2023)
+
+- tests: delete stray `.orig` file
+
+ Follow-up to 331b89a319d0067fa1e6441719307cfef9c7960f
+ Closes #11797
+
+Daniel Stenberg (4 Sep 2023)
+
+- RELEASE-NOTES: synced
+
+Viktor Szakats (4 Sep 2023)
+
+- lib: silence compiler warning in inet_ntop6
+
+ ```
+ ./curl/lib/inet_ntop.c:121:21: warning: possible misuse of comma operator her
+ e [-Wcomma]
+ cur.base = i, cur.len = 1;
+ ^
+ ./curl/lib/inet_ntop.c:121:9: note: cast expression to void to silence warnin
+ g
+ cur.base = i, cur.len = 1;
+ ^~~~~~~~~~~~
+ (void)( )
+ ```
+
+ Closes #11790
+
+Daniel Stenberg (4 Sep 2023)
+
+- transfer: also stop the sending on closed connection
+
+ Previously this cleared the receiving bit only but in some cases it is
+ also still sending (like a request-body) when disconnected and neither
+ direction can continue then.
+
+ Fixes #11769
+ Reported-by: Oleg Jukovec
+ Closes #11795
+
+John Bampton (4 Sep 2023)
+
+- docs: change `sub-domain` to `subdomain`
+
+ https://en.wikipedia.org/wiki/Subdomain
+
+ Closes #11793
+
+Stefan Eissing (4 Sep 2023)
+
+- multi: more efficient pollfd count for poll
+
+ - do not use separate pollfds for sockets that have POLLIN+POLLOUT
+
+ Closes #11792
+
+- http2: polish things around POST
+
+ - added test cases for various code paths
+ - fixed handling of blocked write when stream had
+ been closed inbetween attempts
+ - re-enabled DEBUGASSERT on send with smaller data size
+
+ - in debug builds, environment variables can be set to simulate a slow
+ network when sending data. cf-socket.c and vquic.c support
+ * CURL_DBG_SOCK_WBLOCK: percentage of send() calls that should be
+ answered with a EAGAIN. TCP/UNIX sockets.
+ This is chosen randomly.
+ * CURL_DBG_SOCK_WPARTIAL: percentage of data that shall be written
+ to the network. TCP/UNIX sockets.
+ Example: 80 means a send with 1000 bytes would only send 800
+ This is applied to every send.
+ * CURL_DBG_QUIC_WBLOCK: percentage of send() calls that should be
+ answered with EAGAIN. QUIC only.
+ This is chosen randomly.
+
+ Closes #11756
+
+Daniel Stenberg (4 Sep 2023)
+
+- docs: add curl_global_trace to some SEE ALSO sections
+
+ Closes #11791
+
+- os400: fix checksrc nits
+
+ Closes #11789
+
+Nicholas Nethercote (3 Sep 2023)
+
+- hyper: remove `hyptransfer->endtask`
+
+ `Curl_hyper_stream` needs to distinguish between two kinds of
+ `HYPER_TASK_EMPTY` tasks: (a) the `foreach` tasks it creates itself, and
+ (b) background tasks that hyper produces. It does this by recording the
+ address of any `foreach` task in `hyptransfer->endtask` before pushing
+ it into the executor, and then comparing that against the address of
+ tasks later polled out of the executor.
+
+ This works right now, but there is no guarantee from hyper that the
+ addresses are stable. `hyper_executor_push` says "The executor takes
+ ownership of the task, which should not be accessed again unless
+ returned back to the user with `hyper_executor_poll`". That wording is a
+ bit ambiguous but with my Rust programmer's hat on I read it as meaning
+ the task returned with `hyper_executor_poll` may be conceptually the
+ same as a task that was pushed, but that there are no other guarantees
+ and comparing addresses is a bad idea.
+
+ This commit instead uses `hyper_task_set_userdata` to mark the `foreach`
+ task with a `USERDATA_RESP_BODY` value which can then be checked for,
+ removing the need for `hyptransfer->endtask`. This makes the code look
+ more like that hyper C API examples, which use userdata for every task
+ and never look at task addresses.
+
+ Closes #11779
+
+Dave Cottlehuber (3 Sep 2023)
+
+- ws: fix spelling mistakes in examples and tests
+
+ Closes #11784
+
+Daniel Stenberg (3 Sep 2023)
+
+- tool_filetime: make -z work with file dates before 1970
+
+ Fixes #11785
+ Reported-by: Harry Sintonen
+ Closes #11786
+
+Dan Fandrich (1 Sep 2023)
+
+- build: fix portability of mancheck and checksrc targets
+
+ At least FreeBSD preserves cwd across makefile lines, so rules
+ consisting of more than one "cd X; do_something" must be explicitly run
+ in a subshell to avoid this. This problem caused the Cirrus FreeBSD
+ build to fail when parallel make jobs were enabled.
+
+- CI: adjust labeler match patterns for new & obsolete files
+
+- configure: trust pkg-config when it's used for zlib
+
+ The library flags retrieved from pkg-config were later thrown out and
+ harded-coded, which negates the whole reason to use pkg-config.
+ Also, previously, the assumption was made that --libs-only-l and
+ --libs-only-L are the full decomposition of --libs, which is untrue and
+ would not allow linking against a static zlib. The new approach is
+ better in that it uses --libs, although only if --libs-only-l returns
+ nothing.
+
+ Bug: https://curl.se/mail/lib-2023-08/0081.html
+ Reported-by: Randall
+ Closes #11778
+
+Stefan Eissing (1 Sep 2023)
+
+- CI/ngtcp2: clear wolfssl for when cache is ignored
+
+ Closes #11783
+
+Daniel Stenberg (1 Sep 2023)
+
+- RELEASE-NOTES: synced
+
+Nicholas Nethercote (1 Sep 2023)
+
+- hyper: fix a progress upload counter bug
+
+ `Curl_pgrsSetUploadCounter` should be a passed a total count, not an
+ increment.
+
+ This changes the failing diff for test 579 with hyper from this:
+ ```
+ Progress callback called with UL 0 out of 0[LF]
+ -Progress callback called with UL 8 out of 0[LF]
+ -Progress callback called with UL 16 out of 0[LF]
+ -Progress callback called with UL 26 out of 0[LF]
+ -Progress callback called with UL 61 out of 0[LF]
+ -Progress callback called with UL 66 out of 0[LF]
+ +Progress callback called with UL 29 out of 0[LF]
+ ```
+ to this:
+ ```
+ Progress callback called with UL 0 out of 0[LF]
+ -Progress callback called with UL 8 out of 0[LF]
+ -Progress callback called with UL 16 out of 0[LF]
+ -Progress callback called with UL 26 out of 0[LF]
+ -Progress callback called with UL 61 out of 0[LF]
+ -Progress callback called with UL 66 out of 0[LF]
+ +Progress callback called with UL 40 out of 0[LF]
+ ```
+ Presumably a step in the right direction.
+
+ Closes #11780
+
+Daniel Stenberg (1 Sep 2023)
+
+- awssiv4: avoid freeing the date pointer on error
+
+ Since it was not allocated, don't free it even if it was wrong syntax
+
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61908
+
+ Follow-up to b137634ba3adb
+
+ Closes #11782
+
+Stefan Eissing (1 Sep 2023)
+
+- CI: ngtcp2-linux: use separate caches for tls libraries
+
+ allow ever changing master for wolfssl
+
+ Closes #11766
+
+- replace `master` as wolfssl-version with recent commit
+
+- wolfssl, use master again in CI
+
+ - with the shared session update fix landed in master, it
+ is time to use that in our CI again
+
+Nicholas Nethercote (31 Aug 2023)
+
+- tests: fix formatting errors in `FILEFORMAT.md`.
+
+ Without the surrounding backticks, these tags get swallowed when the
+ markdown is rendered.
+
+ Closes #11777
+
+Viktor Szakats (31 Aug 2023)
+
+- cmake: add support for `CURL_DEFAULT_SSL_BACKEND`
+
+ Allow overriding the default TLS backend via a CMake setting.
+
+ E.g.:
+ `cmake [...] -DCURL_DEFAULT_SSL_BACKEND=mbedtls`
+
+ Accepted values: bearssl, gnutls, mbedtls, openssl, rustls,
+ schannel, secure-transport, wolfssl
+
+ The passed string is baked into the curl/libcurl binaries.
+ The value is case-insensitive.
+
+ We added a similar option to autotools in 2017 via
+ c7170e20d0a18ec8a514b4daa53bcdbb4dcb3a05.
+
+ TODO: Convert to lowercase to improve reproducibility.
+
+ Closes #11774
+
+- sectransp: fix compiler warnings
+
+ https://github.com/curl/curl-for-win/actions/runs/6037489221/job/16381860220#
+ step:3:11046
+ ```
+ /Users/runner/work/curl-for-win/curl-for-win/curl/lib/vtls/sectransp.c:2435:1
+ 4: warning: unused variable 'success' [-Wunused-variable]
+ OSStatus success;
+ ^
+ /Users/runner/work/curl-for-win/curl-for-win/curl/lib/vtls/sectransp.c:3300:4
+ 4: warning: unused parameter 'sha256len' [-Wunused-parameter]
+ size_t sha256len)
+ ^
+ ```
+
+ Closes #11773
+
+- tidy-up: mostly whitespace nits
+
+ - delete completed TODO from `./CMakeLists.txt`.
+ - convert a C++ comment to C89 in `./CMake/CurlTests.c`.
+ - delete duplicate EOLs from EOF.
+ - add missing EOL at EOF.
+ - delete whitespace at EOL (except from expected test results).
+ - convert tabs to spaces.
+ - convert CRLF EOLs to LF in GHA yaml.
+ - text casing fixes in `./CMakeLists.txt`.
+ - fix a codespell typo in `packages/OS400/initscript.sh`.
+
+ Closes #11772
+
+Dan Fandrich (31 Aug 2023)
+
+- CI: remove Windows builds from Cirrus, without replacement
+
+ If we don't do this, all coverage on Cirrus will cease in a few days. By
+ removing the Windows builds, the FreeBSD one should still continue
+ as before. The Windows builds will need be moved to another service to
+ maintain test coverage.
+
+ Closes #11771
+
+- CI: switch macOS ARM build from Cirrus to Circle CI
+
+ Cirrus is drastically reducing their free tier on Sept. 1, so they will
+ no longer perform all these builds for us. All but one build has been
+ moved, with the LibreSSL one being dropped because of linking problems
+ on Circle.
+
+ One important note about this change is that Circle CI is currently
+ directing all these builds to x86_64 hardware, despite them requesting
+ ARM. This is because ARM nodes are scheduled to be available on the
+ free tier only in December. This reduces our architectural diversity
+ until then but it should automatically come back once those machines are
+ enabled.
+
+- CI: use the right variable for BSD make
+
+ BSD uses MAKEFLAGS instead of MAKE_FLAGS so it wasn't doing parallel
+ builds before.
+
+- CI: drop the FreeBSD 12.X build
+
+ Cirrus' new free tier won't let us have many builds, so drop the
+ nonessential ones. The FreeBSD 13.X build will still give us the most
+ relevant FreeBSD coverage.
+
+- CI: move the Alpine build from Cirrus to GHA
+
+ Cirrus is reducing their free tier to next to nothing, so we must move
+ builds elsewhere.
+
+Stefan Eissing (30 Aug 2023)
+
+- test_07_upload.py: fix test_07_34 curl args
+
+ - Pass correct filename to --data-binary.
+
+ Prior to this change --data-binary was passed an incorrect filename due
+ to a missing separator in the arguments list. Since aacbeae7 curl will
+ error on incorrect filenames for POST.
+
+ Fixes https://github.com/curl/curl/issues/11761
+ Closes https://github.com/curl/curl/pull/11763
+
+Nicholas Nethercote (30 Aug 2023)
+
+- tests: document which tests fail due to hyper's lack of trailer support.
+
+ Closes #11762
+
+- docs: removing "pausing transfers" from HYPER.md.
+
+ It's a reference to #8600, which was fixed by #9070.
+
+ Closes #11764
+
+Patrick Monnerat (30 Aug 2023)
+
+- os400: handle CURL_TEMP_PRINTF() while building bind source
+
+ Closes #11547
+
+- os400: build test servers
+
+ Also fix a non-compliant main prototype in disabled.c.
+
+ Closes #11547
+
+- tests: fix compilation error for os400
+
+ OS400 uses BSD 4.3 setsockopt() prototype by default: this does not
+ define parameter as const, resulting in an error if actual parameter is
+ const. Remove the const keyword from the actual parameter cast: this
+ works in all conditions, even if the formal parameter uses it.
+
+ Closes #11547
+
+- os400: make programs and command name configurable
+
+ Closes #11547
+
+- os400: move build configuration parameters to a separate script
+
+ They can then easily be overriden in a script named "config400.override"
+ that is not part of the distribution.
+
+ Closes #11547
+
+- os400: implement CLI tool
+
+ This is provided as a QADRT (ascii) program, a link to it in the IFS and
+ a minimal CL command.
+
+ Closes #11547
+
+Matthias Gatto (30 Aug 2023)
+
+- lib: fix aws-sigv4 having date header twice in some cases
+
+ When the user was providing the header X-XXX-Date, the header was
+ re-added during signature computation, and we had it twice in the
+ request.
+
+ Reported-by: apparentorder@users.noreply.github.com
+
+ Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
+
+ Fixes: https://github.com/curl/curl/issues/11738
+ Closes: https://github.com/curl/curl/pull/11754
+
+Jay Satiro (30 Aug 2023)
+
+- multi: remove 'processing: <url>' debug message
+
+ - Remove debug message added by e024d566.
+
+ Closes https://github.com/curl/curl/pull/11759
+
+- ftp: fix temp write of ipv6 address
+
+ - During the check to differentiate between a port and IPv6 address
+ without brackets, write the binary IPv6 address to an in6_addr.
+
+ Prior to this change the binary IPv6 address was erroneously written to
+ a sockaddr_in6 'sa6' when it should have been written to its in6_addr
+ member 'sin6_addr'. There's no fallout because no members of 'sa6' are
+ accessed before it is later overwritten.
+
+ Closes https://github.com/curl/curl/pull/11747
+
+- tool: change some fopen failures from warnings to errors
+
+ - Error on missing input file for --data, --data-binary,
+ --data-urlencode, --header, --variable, --write-out.
+
+ Prior to this change if a user of the curl tool specified an input file
+ for one of the above options and that file could not be opened then it
+ would be treated as zero length data instead of an error. For example, a
+ POST using `--data @filenametypo` would cause a zero length POST which
+ is probably not what the user intended.
+
+ Closes https://github.com/curl/curl/pull/11677
+
+- hostip: fix typo
+
+Davide Masserut (29 Aug 2023)
+
+- tool: avoid including leading spaces in the Location hyperlink
+
+ Co-authored-by: Dan Fandrich <dan@coneharvesters.com>
+
+ Closes #11735
+
+Daniel Stenberg (29 Aug 2023)
+
+- SECURITY-PROCESS.md: not a sec issue: Tricking user to run a cmdline
+
+ Closes #11757
+
+- connect: stop halving the remaining timeout when less than 600 ms left
+
+ When curl wants to connect to a host, it always has a TIMEOUT. The
+ maximum time it is allowed to spend until a connect is confirmed.
+
+ curl will try to connect to each of the IP adresses returned for the
+ host. Two loops, one for each IP family.
+
+ During the connect loop, while curl has more than one IP address left to
+ try within a single address family, curl has traditionally allowed (time
+ left/2) for *this* connect attempt. This, to not get stuck on the
+ initial addresses in case the timeout but still allow later addresses to
+ get attempted.
+
+ This has the downside that when users set a very short timeout and the
+ host has a large number of IP addresses, the effective result might be
+ that every attempt gets a little too short time.
+
+ This change stop doing the divided-by-two if the total time left is
+ below a threshold. This threshold is 600 milliseconds.
+
+ Closes #11693
+
+- asyn-ares: reduce timeout to 2000ms
+
+ When UDP packets get lost this makes for slightly faster retries. This
+ lower timeout is used by @c-ares itself by default starting next
+ release.
+
+ Closes #11753
+
+John Bampton (29 Aug 2023)
+
+- misc: remove duplicate words
+
+ Closes #11740
+
+Daniel Stenberg (29 Aug 2023)
+
+- RELEASE-NOTES: synced
+
+- wolfSSL: avoid the OpenSSL compat API when not needed
+
+ ... and instead call wolfSSL functions directly.
+
+ Closes #11752
+
+Viktor Szakats (28 Aug 2023)
+
+- lib: fix null ptr derefs and uninitialized vars (h2/h3)
+
+ Fixing compiler warnings with gcc 13.2.0 in unity builds.
+
+ Assisted-by: Jay Satiro
+ Assisted-by: Stefan Eissing
+ Closes #11739
+
+Jay Satiro (28 Aug 2023)
+
+- secureserver.pl: fix stunnel version parsing
+
+ - Allow the stunnel minor-version version part to be zero.
+
+ Prior to this change with the stunnel version scheme of <major>.<minor>
+ if either part was 0 then version parsing would fail, causing
+ secureserver.pl to fail with error "No stunnel", causing tests that use
+ the SSL protocol to be skipped. As a practical matter this bug can only
+ be caused by a minor-version part of 0, since the major-version part is
+ always greater than 0.
+
+ Closes https://github.com/curl/curl/pull/11722
+
+- secureserver.pl: fix stunnel path quoting
+
+ - Store the stunnel path in the private variable $stunnel unquoted and
+ instead quote it in the command strings.
+
+ Prior to this change the quoted stunnel path was passed to perl's file
+ operators which cannot handle quoted paths. For example:
+
+ $stunnel = "\"/C/Program Files (x86)/stunnel/bin/tstunnel\"";
+ if(-x $stunnel or -x "$stunnel")
+ # false even if path exists and is executable
+
+ Our other test scripts written in perl, unlike this one, use servers.pm
+ which has a global $stunnel variable with the path stored unquoted and
+ therefore those scripts don't have this problem.
+
+ Closes https://github.com/curl/curl/pull/11721
+
+Daniel Stenberg (28 Aug 2023)
+
+- altsvc: accept and parse IPv6 addresses in response headers
+
+ Store numerical IPv6 addresses in the alt-svc file with the brackets
+ present.
+
+ Verify with test 437 and 438
+
+ Fixes #11737
+ Reported-by: oliverpool on github
+ Closes #11743
+
+- libtest: use curl_free() to free libcurl allocated data
+
+ In several test programs. These mistakes are not detected or a problem
+ as long as memdebug.h is included, as that provides the debug wrappers
+ for all memory functions in the same style libcurl internals do it,
+ which makes curl_free and free effectively the same call.
+
+ Reported-by: Nicholas Nethercote
+ Closes #11746
+
+Jay Satiro (28 Aug 2023)
+
+- disable.d: explain --disable not implemented prior to 7.50.0
+
+ Option -q/--disable was added in 5.0 but only -q was actually
+ implemented. Later --disable was implemented in e200034 (precedes
+ 7.49.0), but incorrectly, and fixed in 6dbc23c (precedes 7.50.0).
+
+ Reported-by: pszlazak@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/11710
+ Closes #11712
+
+Nicholas Nethercote (28 Aug 2023)
+
+- hyper: fix ownership problems
+
+ Some of these changes come from comparing `Curl_http` and
+ `start_CONNECT`, which are similar, and adding things to them that are
+ present in one and missing in another.
+
+ The most important changes:
+ - In `start_CONNECT`, add a missing `hyper_clientconn_free` call on the
+ happy path.
+ - In `start_CONNECT`, add a missing `hyper_request_free` on the error
+ path.
+ - In `bodysend`, add a missing `hyper_body_free` on an early-exit path.
+ - In `bodysend`, remove an unnecessary `hyper_body_free` on a different
+ error path that would cause a double-free.
+ https://docs.rs/hyper/latest/hyper/ffi/fn.hyper_request_set_body.html
+ says of `hyper_request_set_body`: "This takes ownership of the
+ hyper_body *, you must not use it or free it after setting it on the
+ request." This is true even if `hyper_request_set_body` returns an
+ error; I confirmed this by looking at the hyper source code.
+
+ Other changes are minor but make things slightly nicer.
+
+ Closes #11745
+
+Daniel Stenberg (28 Aug 2023)
+
+- multi.h: the 'revents' field of curl_waitfd is supported
+
+ Since 6d30f8ebed34e7276
+
+ Reported-by: Nicolás Ojeda Bär
+ Ref: #11748
+ Closes #11749
+
+Gerome Fournier (27 Aug 2023)
+
+- tool_paramhlp: improve str2num(): avoid unnecessary call to strlen()
+
+ Closes #11742
+
+Daniel Stenberg (27 Aug 2023)
+
+- docs: mention critical files in same directories as curl saves
+
+ ... cannot be fully protected. Don't do it.
+
+ Co-authored-by: Jay Satiro
+ Reported-by: Harry Sintonen
+ Fixes #11530
+ Closes #11701
+
+John Hawthorn (26 Aug 2023)
+
+- OpenSSL: clear error queue after SSL_shutdown
+
+ We've seen errors left in the OpenSSL error queue (specifically,
+ "shutdown while in init") by adding some logging it revealed that the
+ source was this file.
+
+ Since we call SSL_read and SSL_shutdown here, but don't check the return
+ code for an error, we should clear the OpenSSL error queue in case one
+ was raised.
+
+ This didn't affect curl because we call ERR_clear_error before every
+ write operation (a0dd9df9ab35528eb9eb669e741a5df4b1fb833c), but when
+ libcurl is used in a process with other OpenSSL users, they may detect
+ an OpenSSL error pushed by libcurl's SSL_shutdown as if it was their
+ own.
+
+ Co-authored-by: Satana de Sant'Ana <satana@skylittlesystem.org>
+
+ Closes #11736
+
+Alexander Kanavin (25 Aug 2023)
+
+- tests: update cookie expiry dates to far in the future
+
+ This allows testing Y2038 with system time set to after that, so that
+ actual Y2038 issues can be exposed, and not masked by expiry errors.
+
+ Fixes #11576
+ Closes #11610
+
+John Bampton (25 Aug 2023)
+
+- misc: fix spelling
+
+ Closes #11733
+
+Daniel Stenberg (25 Aug 2023)
+
+- cmdline-opts/page-header: clarify stronger that !opt == URL
+
+ Everything provided on the command line that is not an option (or an
+ argument to an option) is treated as a URL.
+
+ Closes #11734
+
+- tests/runner: fix %else handling
+
+ Getting the show state proper for %else and %endif did not properly work
+ in nested cases.
+
+ Follow-up to 3d089c41ea9
+
+ Closes #11731
+
+Nicholas Nethercote (25 Aug 2023)
+
+- docs: Remove mention of #10803 from `KNOWN_BUGS`.
+
+ Because the leaks have been fixed.
+
+- c-hyper: fix another memory leak in `Curl_http`.
+
+ There is a `hyper_clientconn_free` call on the happy path, but not one
+ on the error path. This commit adds one.
+
+ Fixes the second memory leak reported by Valgrind in #10803.
+
+ Fixes #10803
+ Closes #11729
+
+- c-hyper: fix a memory leak in `Curl_http`.
+
+ A request created with `hyper_request_new` must be consumed by either
+ `hyper_clientconn_send` or `hyper_request_free`.
+
+ This is not terrifically clear from the hyper docs --
+ `hyper_request_free` is documented only with "Free an HTTP request if
+ not going to send it on a client" -- but a perusal of the hyper code
+ confirms it.
+
+ This commit adds a `hyper_request_free` to the `error:` path in
+ `Curl_http` so that the request is consumed when an error occurs after
+ the request is created but before it is sent.
+
+ Fixes the first memory leak reported by Valgrind in #10803.
+
+ Closes #11729
+
+Daniel Stenberg (25 Aug 2023)
+
+- RELEASE-NOTES: synced
+
+John Bampton (25 Aug 2023)
+
+- misc: spellfixes
+
+ Closes #11730
+
+Daniel Stenberg (25 Aug 2023)
+
+- tests: add support for nested %if conditions
+
+ Provides more flexiblity to test cases.
+
+ Also warn and bail out if there is an '%else' or %endif' without a
+ preceeding '%if'.
+
+ Ref: #11610
+ Closes #11728
+
+- time-cond.d: mention what happens on a missing file
+
+ Closes #11727
+
+Christian Hesse (24 Aug 2023)
+
+- docs/cmdline-opts: match the current output
+
+ The release date has been added in output, reflect that in documentation.
+
+ Closes #11723
+
+Daniel Stenberg (24 Aug 2023)
+
+- lib: minor comment corrections
+
+- docs: rewrite to present tense
+
+ ... instead of using future tense.
+
+ + numerous cleanups and improvements
+ + stick to "reuse" not "re-use"
+ + fewer contractions
+
+ Closes #11713
+
+- urlapi: setting a blank URL ("") is not an ok URL
+
+ Test it in 1560
+ Fixes #11714
+ Reported-by: ad0p on github
+ Closes #11715
+
+- spelling: use 'reuse' not 're-use' in code and elsewhere
+
+ Unify the spelling as both versions were previously used intermittently
+
+ Closes #11717
+
+Michael Osipov (23 Aug 2023)
+
+- system.h: add CURL_OFF_T definitions on HP-UX with HP aCC
+
+ HP-UX on IA64 provides two modes: 32 and 64 bit while 32 bit being the
+ default one. Use "long long" in 32 bit mode and just "long" in 64 bit
+ mode.
+
+ Closes #11718
+
+Dan Fandrich (22 Aug 2023)
+
+- tests: don't call HTTP errors OK in test cases
+
+ Some HTTP errors codes were accompanied by the text OK, which causes
+ some cognitive dissonance when reading them.
+
+- http: close the connection after a late 417 is received
+
+ In this situation, only part of the data has been sent before aborting
+ so the connection is no longer usable.
+
+ Assisted-by: Jay Satiro
+ Fixes #11678
+ Closes #11679
+
+- runtests: slightly increase the longest log file displayed
+
+ The new limit provides enough space for a 64 KiB data block to be logged
+ in a trace file, plus a few lines at the start and end for context. This
+ happens to be the amount of data sent at a time in a PUT request.
+
+- tests: add delay command to the HTTP server
+
+ This adds a delay after client connect.
+
+Daniel Stenberg (22 Aug 2023)
+
+- cirrus: install everthing with pkg, avoid pip
+
+ Assisted-by: Sevan Janiyan
+
+ Closes #11711
+
+- curl_url*.3: update function descriptions
+
+ - expand and clarify several descriptions
+ - avoid using future tense all over
+
+ Closes #11708
+
+- RELEASE-NOTES: synced
+
+Stefan Eissing (21 Aug 2023)
+
+- CI/cirrus: disable python install on FreeBSD
+
+ - python cryptography package does not build build FreeBSD
+ - install just mentions "error"
+ - this gets the build and the main test suite going again
+
+ Closes #11705
+
+- test2600: fix flakiness on low cpu
+
+ - refs #11355 where failures to to low cpu resources in CI
+ are reported
+ - vastly extend CURLOPT_CONNECTTIMEOUT_MS and max durations
+ to test cases
+ - trigger Curl_expire() in test filter to allow re-checks before
+ the usual 1second interval
+
+ Closes #11690
+
+Maksim Sciepanienka (20 Aug 2023)
+
+- tool_urlglob: use the correct format specifier for curl_off_t in msnprintf
+
+ Closes #11698
+
+Daniel Stenberg (20 Aug 2023)
+
+- test687/688: two more basic --xattr tests
+
+ Closes #11697
+
+- cmdline-opts/docs: mentioned the negative option part
+
+ ... for --no-alpn and --no-buffer in the same style done for other --no-
+ options:
+
+ "Note that this is the negated option name documented."
+
+ Closes #11695
+
+Emanuele Torre (19 Aug 2023)
+
+- tool/var: also error when expansion result starts with NUL
+
+ Expansions whose output starts with NUL were being expanded to the empty
+ string, and not being recognised as values that contain a NUL byte, and
+ should error.
+
+ Closes #11694
+
+Daniel Stenberg (19 Aug 2023)
+
+- tests: add 'large-time' as a testable feature
+
+ This allows test cases to require this feature to run and to be used in
+ %if conditions.
+
+ Large here means larger than 32 bits. Ie does not suffer from y2038.
+
+ Closes #11696
+
+- tests/Makefile: add check-translatable-options.pl to tarball
+
+ Used in test 1544
+
+ Follow-up to ae806395abc8c
+
+- gen.pl: fix a long version generation mistake
+
+ Too excessive escaping made the parsing not find the correct long names
+ later and instead add "wrong" links.
+
+ Follow-up to 439ff2052e219
+
+ Reported-by: Lukas Tribus
+ Fixes #11688
+ Closes #11689
+
+- lib: move mimepost data from ->req.p.http to ->state
+
+ When the legacy CURLOPT_HTTPPOST option is used, it gets converted into
+ the modem mimpost struct at first use. This data is (now) kept for the
+ entire transfer and not only per single HTTP request. This re-enables
+ rewind in the beginning of the second request instead of in end of the
+ first, as brought by 1b39731.
+
+ The request struct is per-request data only.
+
+ Extend test 650 to verify.
+
+ Fixes #11680
+ Reported-by: yushicheng7788 on github
+ Closes #11682
+
+Patrick Monnerat (17 Aug 2023)
+
+- os400: do not check translatable options at build time
+
+ Now that there is a test for this, the build time check is not needed
+ anymore.
+
+ Closes #11650
+
+- test1554: check translatable string options in OS400 wrapper
+
+ This test runs a perl script that checks all string options are properly
+ translated by the OS400 character code conversion wrapper. It also
+ verifies these options are listed in alphanumeric order in the wrapper
+ switch statement.
+
+ Closes #11650
+
+Daniel Stenberg (17 Aug 2023)
+
+- unit3200: skip testing if function is not present
+
+ Fake a successful run since we have no easy mechanism to skip this test
+ for this advanced condition.
+
+- unit2600: fix build warning if built without verbose messages
+
+- test1608: make it build and get skipped without shuffle DNS support
+
+- lib: --disable-bindlocal builds curl without local binding support
+
+- test1304: build and skip without netrc support
+
+- lib: build fixups when built with most things disabled
+
+ Closes #11687
+
+- workflows/macos.yml: disable zstd and alt-svc in the http-only build
+
+ Closes #11683
+
+Stefan Eissing (17 Aug 2023)
+
+- bearssl: handshake fix, provide proper get_select_socks() implementation
+
+ - bring bearssl handshake times down from +200ms down to other TLS backends
+ - vtls: improve generic get_select_socks() implementation
+ - tests: provide Apache with a suitable ssl session cache
+
+ Closes #11675
+
+- tests: TLS session sharing test
+
+ - test TLS session sharing with special test client
+ - expect failure with wolfSSL
+ - disable flaky wolfSSL test_02_07b
+
+ Closes #11675
+
+Daniel Stenberg (17 Aug 2023)
+
+- CURLOPT_*TIMEOUT*: extend and clarify
+
+ Closes #11686
+
+- urlapi: return CURLUE_BAD_HOSTNAME if puny2idn encoding fails
+
+ And document it. Only return out of memory when it actually is a memory
+ problem.
+
+ Pointed-out-by: Jacob Mealey
+ Closes #11674
+
+Mathew Benson (17 Aug 2023)
+
+- cmake: add GnuTLS option
+
+ - Option to use GNUTLS was missing. Hence was not able to use GNUTLS
+ with ngtcp2 for http3.
+
+ Closes #11685
+
+Daniel Stenberg (16 Aug 2023)
+
+- RELEASE-NOTES: synced
+
+- http: remove the p_pragma struct field
+
+ unused since 40e8b4e52 (2008)
+
+ Closes #11681
+
+Jay Satiro (16 Aug 2023)
+
+- CURLINFO_CERTINFO.3: better explain curl_certinfo struct
+
+ Closes https://github.com/curl/curl/pull/11666
+
+- CURLINFO_TLS_SSL_PTR.3: clarify a recommendation
+
+ - Remove the out-of-date SSL backend list supported by
+ CURLOPT_SSL_CTX_FUNCTION.
+
+ It makes more sense to just refer to that document instead of having
+ a separate list that has to be kept in sync.
+
+ Closes https://github.com/curl/curl/pull/11665
+
+- write-out.d: clarify %{time_starttransfer}
+
+ sync it up with CURLINFO_STARTTRANSFER_TIME_T
+
+Daniel Stenberg (15 Aug 2023)
+
+- transfer: don't set TIMER_STARTTRANSFER on first send
+
+ The time stamp is for measuring the first *received* byte
+
+ Fixes #11669
+ Reported-by: JazJas on github
+ Closes #11670
+
+trrui-huawei (15 Aug 2023)
+
+- quiche: enable quiche to handle timeout events
+
+ In parallel with ngtcp2, quiche also offers the `quiche_conn_on_timeout`
+ interface for the application to invoke upon timer
+ expiration. Therefore, invoking the `on_timeout` function of the
+ Connection is crucial to ensure seamless functionality of quiche with
+ timeout events.
+
+ Closes #11654
+
+- quiche: adjust quiche `QUIC_IDLE_TIMEOUT` to 60s
+
+ Set the `QUIC_IDLE_TIMEOUT` parameter to match ngtcp2 for consistency.
+
+Daniel Stenberg (15 Aug 2023)
+
+- KNOWN_BUGS: LDAPS requests to ActiveDirectory server hang
+
+ Closes #9580
+
+- imap: add a check for failing strdup()
+
+- imap: remove the only sscanf() call in the IMAP code
+
+ Avoids the use of a stack buffer.
+
+ Closes #11673
+
+- imap: use a dynbuf in imap_atom
+
+ Avoid a calculation + malloc. Build the output in a dynbuf.
+
+ Closes #11672
+
+Marin Hannache (14 Aug 2023)
+
+- http: do not require a user name when using CURLAUTH_NEGOTIATE
+
+ In order to get Negotiate (SPNEGO) authentication to work in HTTP you
+ used to be required to provide a (fake) user name (this concerned both
+ curl and the lib) because the code wrongly only considered
+ authentication if there was a user name provided, as in:
+
+ curl -u : --negotiate https://example.com/
+
+ This commit leverages the `struct auth` want member to figure out if the
+ user enabled CURLAUTH_NEGOTIATE, effectively removing the requirement of
+ setting a user name both in curl and the lib.
+
+ Signed-off-by: Marin Hannache <git@mareo.fr>
+ Reported-by: Enrico Scholz
+ Fixes https://sourceforge.net/p/curl/bugs/440/
+ Fixes #1161
+ Closes #9047
+
+Viktor Szakats (13 Aug 2023)
+
+- build: streamline non-UWP wincrypt detections
+
+ - with CMake, use the variable `WINDOWS_STORE` to detect an UWP build
+ and disable our non-UWP-compatible use the Windows crypto API. This
+ allows to drop two dynamic feature checks.
+
+ `WINDOWS_STORE` is true when invoking CMake with
+ `CMAKE_SYSTEM_NAME` == `WindowsStore`. Introduced in CMake v3.1.
+
+ Ref: https://cmake.org/cmake/help/latest/variable/WINDOWS_STORE.html
+
+ - with autotools, drop the separate feature check for `wincrypt.h`. On
+ one hand this header has been present for long (even Borland C 5.5 had
+ it from year 2000), on the other we used the check result solely to
+ enable another check for certain crypto functions. This fails anyway
+ with the header not present. We save one dynamic feature check at the
+ configure stage.
+
+ Reviewed-by: Marcel Raad
+ Closes #11657
+
+Nicholas Nethercote (13 Aug 2023)
+
+- docs/HYPER.md: update hyper build instructions
+
+ Nightly Rust and `-Z unstable-options` are not needed.
+
+ The instructions here now match the hyper docs exactly:
+ https://github.com/hyperium/hyper/commit/bd7928f3dd6a8461f0f0fdf7ee0fd95c2f15
+ 6f88
+
+ Closes #11662
+
+Daniel Stenberg (13 Aug 2023)
+
+- RELEASE-NOTES: synced
+
+- urlapi: CURLU_PUNY2IDN - convert from punycode to IDN name
+
+ Asssisted-by: Jay Satiro
+ Closes #11655
+
+- spellcheck: adapt to backslashed minuses
+
+ As the curl.1 has more backslashed minus, the cleanup sed lines xneed to
+ adapt.
+
+ Adjusted some docs slighly.
+
+ Follow-up to 439ff2052e
+
+ Closes #11663
+
+- gen: escape more minus
+
+ Detected since it was still hard to search for option names using dashes
+ in the middle in the man page.
+
+ Closes #11660
+
+- cookie-jar.d: enphasize that this option is ONLY writing cookies
+
+ Reported-by: Dan Jacobson
+ Tweaked-by: Jay Satiro
+ Ref: #11642
+ Closes #11661
+
+Nicholas Nethercote (11 Aug 2023)
+
+- docs/HYPER.md: document a workaround for a link error
+
+ Closes #11653
+
+Jay Satiro (11 Aug 2023)
+
+- schannel: verify hostname independent of verify cert
+
+ Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off
+ and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the
+ hostname in schannel code.
+
+ This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and
+ verify hostname". We discussed a fix several years ago in #3285 but it
+ went stale.
+
+ Assisted-by: Daniel Stenberg
+
+ Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html
+ Reported-by: Martin Galvan
+
+ Ref: https://github.com/curl/curl/pull/3285
+
+ Fixes https://github.com/curl/curl/issues/3284
+ Closes https://github.com/curl/curl/pull/10056
+
+Daniel Stenberg (11 Aug 2023)
+
+- curl_quiche: remove superfluous NULL check
+
+ 'stream' is always non-NULL at this point
+
+ Pointed out by Coverity
+
+ Closes #11656
+
+- curl/urlapi.h: tiny typo
+
+- github/labeler: make HYPER.md set Hyper and not TLS
+
+- docs/cmdline-opts/gen.pl: hide "added in" before 7.50.0
+
+ 7.50.0 shipped on Jul 21 2016, over seven years ago. We no longer need
+ to specify version changes for earlier releases in the generated output.
+
+ This ups the limit from the previous 7.30.0 (Apr 12 2013)
+
+ This hides roughly 35 "added in" mentions.
+
+ Closes #11651
+
+Jay Satiro (10 Aug 2023)
+
+- bug_report: require reporters to specify curl and os versions
+
+ - Change curl version and os sections from single-line input to
+ multi-line textarea.
+
+ - Require curl version and os sections to be filled out before report
+ can be submitted.
+
+ Closes https://github.com/curl/curl/pull/11636
+
+Daniel Stenberg (9 Aug 2023)
+
+- gen.pl: replace all single quotes with aq
+
+ - this prevents man from using a unicode sequence for them
+ - which then allows search to work properly
+
+ Closes #11645
+
+Viktor Szakats (9 Aug 2023)
+
+- cmake: fix to use variable for the curl namespace
+
+ Replace (wrong) literal with a variable to specify the curl
+ namespace.
+
+ Follow-up to 1199308dbc902c52be67fc805c72dd2582520d30 #11505
+
+ Reported-by: balikalina on Github
+ Fixes https://github.com/curl/curl/commit/1199308dbc902c52be67fc805c72dd25825
+ 20d30#r123923098
+ Closes #11629
+
+- cmake: allow `SHARE_LIB_OBJECT=ON` on all platforms
+
+ 2ebc74c36a19a1700af394c16855ce144d9878e3 #11546 introduced sharing
+ libcurl objects for shared and static targets.
+
+ The above automatically enabled for Windows builds, with an option to
+ disable with `SHARE_LIB_OBJECT=OFF`.
+
+ This patch extend this feature to all platforms as a manual option.
+ You can enable it by setting `SHARE_LIB_OBJECT=ON`. Then shared objects
+ are built in PIC mode, meaning the static lib will also have PIC code.
+
+ [EXPERIMENTAL]
+
+ Closes #11627
+
+- cmake: assume `wldap32` availability on Windows
+
+ This system library first shipped with Windows ME, available as an extra
+ install for some older releases (according to [1]). The import library
+ was present already in old MinGW 3.4.2 (year 2007).
+
+ Drop the feature check and its associated `HAVE_WLDAP32` variable.
+
+ To manually disable `wldap32`, you can use the `USE_WIN32_LDAP=OFF`
+ CMake option, like before.
+
+ [1]: https://dlcdn.apache.org/httpd/binaries/win32/LEGACY.html
+
+ Reviewed-by: Jay Satiro
+ Closes #11624
+
+Daniel Stenberg (9 Aug 2023)
+
+- page-header: move up a URL paragraph from GLOBBING to URL
+
+- variable.d: output the function names table style
+
+ Also correct the url function name in the header
+
+ Closes #11641
+
+- haproxy-clientip.d: remove backticks
+
+ This is not markdown
+
+ Follow-up to 0a75964d0d94a4
+
+ Closes #11639
+
+- RELEASE-NOTES: synced
+
+- gen.pl: escape all dashes (ascii minus) to avoid unicode hyphens
+
+ Reported-by: FC Stegerman
+ Fixes #11635
+ Closes #11637
+
+- cmdline-opts/page-header: reorder, clean up
+
+ - removed some unnecessary blurb to focus
+ - moved up the more important URL details
+ - put "globbing" into its own subtitle and moved down a little
+ - mention the online man page in the version section
+
+ Closes #11638
+
+- c-hyper: adjust the hyper to curlcode conversion
+
+ Closes #11621
+
+- test2306: make it use a persistent connection
+
+ + enable verbose already from the start
+
+ Closes #11621
+
+eppesuig (8 Aug 2023)
+
+- list-only.d: mention SFTP as supported protocol
+
+ Closes #11628
+
+Daniel Stenberg (8 Aug 2023)
+
+- request.d: use .TP for protocol "labels"
+
+ To render the section nicer in man page.
+
+ Closes #11630
+
+- cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the *source* IP
+
+ ... as documented.
+
+ Update test 3201 and 3202 accordingly.
+
+ Reported-by: Markus Sommer
+ Fixes #11619
+ Closes #11626
+
+- page-footer: QLOGDIR works with ngtcp2 and quiche
+
+ It previously said "both" backends which is confusing as we currently
+ have three...
+
+ Closes #11631
+
+Stefan Eissing (8 Aug 2023)
+
+- http3: quiche, handshake optimization, trace cleanup
+
+ - load x509 store after clienthello
+ - cleanup of tracing
+
+ Closes #11618
+
+Daniel Stenberg (8 Aug 2023)
+
+- ngtcp2: remove dead code
+
+ 'result' is always zero (CURLE_OK) at this point
+
+ Detected by Coverity
+
+ Closes #11622
+
+Viktor Szakats (8 Aug 2023)
+
+- openssl: auto-detect `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED`
+
+ OpenSSL 1.1.1 defines this macro, but no ealier version, or any of the
+ popular forks (yet). Use the macro itself to detect its presence,
+ replacing the hard-wired fork-specific conditions.
+
+ This way the feature will enable automatically when forks implement it,
+ while also shorter and possibly requiring less future maintenance.
+
+ Follow-up to 94241a9e78397a2aaf89a213e6ada61e7de7ee02 #6721
+
+ Reviewed-by: Jay Satiro
+ Closes #11617
+
+- openssl: use `SSL_CTX_set_ciphersuites` with LibreSSL 3.4.1
+
+ LibreSSL 3.4.1 (2021-10-14) added support for
+ `SSL_CTX_set_ciphersuites`.
+
+ Ref: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.1-relnotes.txt
+
+ Reviewed-by: Jay Satiro
+ Closes #11616
+
+- openssl: use `SSL_CTX_set_keylog_callback` with LibreSSL 3.5.0
+
+ LibreSSL 3.5.0 (2022-02-24) added support for
+ `SSL_CTX_set_keylog_callback`.
+
+ Ref: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.0-relnotes.txt
+
+ Reviewed-by: Jay Satiro
+ Closes #11615
+
+- cmake: drop `HAVE_LIBWINMM` and `HAVE_LIBWS2_32` feature checks
+
+ - `HAVE_LIBWINMM` was detected but unused. The `winmm` system library is
+ also not used by curl, but it is by its optional dependency `librtmp`.
+ Change the logic to always add `winmm` when `USE_LIBRTMP` is set. This
+ library has been available since the early days of Windows.
+
+ - `HAVE_LIBWS2_32` detected `ws2_32` lib on Windows. This lib is present
+ since Windows 95 OSR2 (AFAIR). Winsock1 already wasn't supported and
+ other existing logic already assumed this lib being present, so delete
+ the check and replace the detection variable with `WIN32` and always
+ add `ws2_32` on Windows.
+
+ Closes #11612
+
+Daniel Gustafsson (8 Aug 2023)
+
+- crypto: ensure crypto initialization works
+
+ Make sure that context initialization during hash setup works to avoid
+ going forward with the risk of a null pointer dereference.
+
+ Reported-by: Philippe Antoine on HackerOne
+ Assisted-by: Jay Satiro
+ Assisted-by: Daniel Stenberg
+
+ Closes #11614
+
+Viktor Szakats (7 Aug 2023)
+
+- openssl: switch to modern init for LibreSSL 2.7.0+
+
+ LibreSSL 2.7.0 (2018-03-21) introduced automatic initialization,
+ `OPENSSL_init_ssl()` function and deprecated the old, manual init
+ method, as seen in OpenSSL 1.1.0. Switch to the modern method when
+ available.
+
+ Ref: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.7.0-relnotes.txt
+
+ Reviewed-by: Daniel Stenberg
+ Closes #11611
+
+Daniel Stenberg (7 Aug 2023)
+
+- gskit: remove
+
+ We remove support for building curl with gskit.
+
+ - This is a niche TLS library, only running on some IBM systems
+ - no regular curl contributors use this backend
+ - no CI builds use or verify this backend
+ - gskit, or the curl adaption for it, lacks many modern TLS features
+ making it an inferior solution
+ - build breakages in this code take weeks or more to get detected
+ - fixing gskit code is mostly done "flying blind"
+
+ This removal has been advertized in DEPRECATED in Jan 2, 2023 and it has
+ been mentioned on the curl-library mailing list.
+
+ It could be brought back, this is not a ban. Given proper effort and
+ will, gskit support is welcome back into the curl TLS backend family.
+
+ Closes #11460
+
+- RELEASE-NOTES: synced
+
+Dan Fandrich (7 Aug 2023)
+
+- THANKS-filter: add a name typo
+
+Stefan Eissing (7 Aug 2023)
+
+- http3/ngtcp2: shorten handshake, trace cleanup
+
+ - shorten handshake timing by delayed x509 store load (OpenSSL)
+ as we do for HTTP/2
+ - cleanup of trace output, align with HTTP/2 output
+
+ Closes #11609
+
+Daniel Stenberg (7 Aug 2023)
+
+- headers: accept leading whitespaces on first response header
+
+ This is a bad header fold but since the popular browsers accept this
+ violation, so does curl now. Unless built with hyper.
+
+ Add test 1473 to verify and adjust test 2306.
+
+ Reported-by: junsik on github
+ Fixes #11605
+ Closes #11607
+
+- include/curl/mprintf.h: add __attribute__ for the prototypes
+
+ - if gcc or clang is used
+ - if __STDC_VERSION__ >= 199901L, which means greater than C90
+ - if not using mingw
+ - if CURL_NO_FMT_CHECKS is not defined
+
+ Closes #11589
+
+- tests: fix bad printf format flags in test code
+
+- tests: fix header scan tools for attribute edits in mprintf.h
+
+- cf-socket: log successful interface bind
+
+ When the setsockopt SO_BINDTODEVICE operation succeeds, output that in
+ the verbose output.
+
+ Ref: #11599
+ Closes #11608
+
+- CURLOPT_SSL_VERIFYPEER.3: mention it does not load CA certs when disabled
+
+ Ref: #11457
+ Closes #11606
+
+- CURLOPT_SSL_VERIFYPEER.3: add two more see also options
+
+ CURLINFO_CAINFO and CURLINFO_CAPATH
+
+ Closes #11603
+
+- KNOWN_BUGS: aws-sigv4 does not behave well with AWS VPC Lattice
+
+ Closes #11007
+
+Graham Campbell (6 Aug 2023)
+
+- CI: use openssl 3.0.10+quic, nghttp3 0.14.0, ngtcp2 0.18.0
+
+ Closes #11585
+
+Daniel Stenberg (6 Aug 2023)
+
+- TODO: add *5* entries for aws-sigv4
+
+ Closes #7559
+ Closes #8107
+ Closes #8810
+ Closes #9717
+ Closes #10129
+
+- TODO: LDAP Certificate-Based Authentication
+
+ Closes #9641
+
+Stefan Eissing (6 Aug 2023)
+
+- http2: cleanup trace messages
+
+ - more compact format with bracketed stream id
+ - all frames traced in and out
+
+ Closes #11592
+
+Daniel Stenberg (6 Aug 2023)
+
+- tests/tftpd+mqttd: make variables static to silence picky warnings
+
+ Closes #11594
+
+- docs/cmdline: remove repeated working for negotiate + ntlm
+
+ The extra wording is added automatically by the gen.pl tool
+
+ Closes #11597
+
+- docs/cmdline: add small "warning" to verbose options
+
+ "Note that verbose output of curl activities and network traffic might
+ contain sensitive data, including user names, credentials or secret data
+ content. Be aware and be careful when sharing trace logs with others."
+
+ Closes #11596
+
+- RELEASE-NOTES: synced
+
+- pingpong: don't use *bump_headersize
+
+ We use that for HTTP(S) only.
+
+ Follow-up to 3ee79c1674fd6
+
+ Closes #11590
+
+- urldata: remove spurious parenthesis to unbreak no-proxy build
+
+ Follow-up to e12b39e13382
+
+ Closes #11591
+
+- easy: don't call Curl_trc_opt() in disabled-verbose builds
+
+ Follow-up to e12b39e133822c6a0
+
+ Closes #11588
+
+- http: use %u for printfing int
+
+ Follow-up to 3ee79c1674fd6f99e8efca5
+
+ Closes #11587
+
+Goro FUJI (3 Aug 2023)
+
+- vquic: show stringified messages for errno
+
+ Closes #11584
+
+Stefan Eissing (3 Aug 2023)
+
+- trace: make tracing available in non-debug builds
+
+ Add --trace-config to curl
+
+ Add curl_global_trace() to libcurl
+
+ Closes #11421
+
+Daniel Stenberg (3 Aug 2023)
+
+- TODO: remove "Support intermediate & root pinning for PINNEDPUBLICKEY"
+
+ See also https://github.com/curl/curl/pull/7507
+
+- TODO: add "WebSocket read callback"
+
+ remove "Upgrade to websockets" as we already have this
+
+ Closes #11402
+
+- test497: verify rejecting too large incoming headers
+
+- http: return error when receiving too large header set
+
+ To avoid abuse. The limit is set to 300 KB for the accumulated size of
+ all received HTTP headers for a single response. Incomplete research
+ suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to
+ 1MB.
+
+ Closes #11582
+
+Stefan Eissing (3 Aug 2023)
+
+- http2: upgrade tests and add fix for non-existing stream
+
+ - check in h2 filter recv that stream actually exists
+ and return error if not
+ - add test for parallel, extreme h2 upgrades that fail if
+ connections get reused before fully switched
+ - add h2 upgrade upload test just for completeness
+
+ Closes #11563
+
+Viktor Szakats (3 Aug 2023)
+
+- tests: ensure `libcurl.def` contains all exports
+
+ Add `test1279` to verify that `libcurl.def` lists all exported API
+ functions found in libcurl headers.
+
+ Also:
+
+ - extend test suite XML `stdout` tag with the `loadfile` attribute.
+
+ - fix `tests/extern-scan.pl` and `test1135` to include websocket API.
+
+ - use all headers (sorted) in `test1135` instead of a manual list.
+
+ - add options `--sort`, `--heading=` to `tests/extern-scan.pl`.
+
+ - add `libcurl.def` to the auto-labeler GHA task.
+
+ Follow-up to 2ebc74c36a19a1700af394c16855ce144d9878e3
+
+ Closes #11570
+
+Daniel Stenberg (2 Aug 2023)
+
+- url: change default value for CURLOPT_MAXREDIRS to 30
+
+ It was previously unlimited by default, but that's not a sensible
+ default. While changing this has a remote risk of breaking an existing
+ use case, I figure it is more likely to actually save users from loops.
+
+ Closes #11581
+
+- lib: fix a few *printf() flag mistakes
+
+ Reported-by: Gisle Vanem
+ Ref: #11574
+ Closes #11579
+
+Samuel Chiang (2 Aug 2023)
+
+- openssl: make aws-lc version support OCSP
+
+ And bump version in CI
+
+ Closes #11568
+
+Daniel Stenberg (2 Aug 2023)
+
+- tool: make the length argument an int for printf()-.* flags
+
+ Closes #11578
+
+- tool_operate: fix memory leak when SSL_CERT_DIR is used
+
+ Detected by Coverity
+
+ Follow-up to 29bce9857a12b6cfa726a5
+
+ Closes #11577
+
+- tool/var: free memory on OOM
+
+ Coverity detected this memory leak in OOM situation
+
+ Follow-up to 2e160c9c652504e
+
+ Closes #11575
+
+Viktor Szakats (2 Aug 2023)
+
+- gha: bump libressl and mbedtls versions
+
+ Closes #11573
+
+Jay Satiro (2 Aug 2023)
+
+- schannel: fix user-set legacy algorithms in Windows 10 & 11
+
+ - If the user set a legacy algorithm list (CURLOPT_SSL_CIPHER_LIST) then
+ use the SCHANNEL_CRED legacy structure to pass the list to Schannel.
+
+ - If the user set both a legacy algorithm list and a TLS 1.3 cipher list
+ then abort.
+
+ Although MS doesn't document it, Schannel will not negotiate TLS 1.3
+ when SCHANNEL_CRED is used. That means setting a legacy algorithm list
+ limits the user to earlier versions of TLS.
+
+ Prior to this change, since 8beff435 (precedes 7.85.0), libcurl would
+ ignore legacy algorithms in Windows 10 1809 and later.
+
+ Reported-by: zhihaoy@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/pull/10741
+ Closes https://github.com/curl/curl/pull/10746
+
+Daniel Stenberg (2 Aug 2023)
+
+- variable.d: setting a variable again overwrites it
+
+ Reported-by: Niall McGee
+ Bug: https://twitter.com/niallmcgee/status/1686523075423322113
+ Closes #11571
+
+Jay Satiro (2 Aug 2023)
+
+- CURLOPT_PROXY_SSL_OPTIONS.3: sync formatting
+
+ - Re-wrap CURLSSLOPT_ALLOW_BEAST description.
+
+Daniel Stenberg (2 Aug 2023)
+
+- RELEASE-NOTES: synced
+
+- resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set
+
+ Previously it would always do PF_UNSPEC if CURL_IPRESOLVE_V4 is not
+ used, thus unnecessarily asking for addresses that will not be used.
+
+ Reported-by: Joseph Tharayil
+ Fixes #11564
+ Closes #11565
+
+- docs: link to the website versions instead of markdowns
+
+ ... to make the links work when the markdown is converted to webpages on
+ https://curl.se
+
+ Reported-by: Maurício Meneghini Fauth
+ Fixes https://github.com/curl/curl-www/issues/272
+ Closes #11569
+
+Viktor Szakats (1 Aug 2023)
+
+- cmake: cache more config and delete unused ones
+
+ - cache more Windows config results for faster initialization.
+
+ - delete unused config macros `HAVE_SYS_UTSNAME_H`, `HAVE_SSL_H`.
+
+ - delete dead references to `sys/utsname.h`.
+
+ Closes #11551
+
+- egd: delete feature detection and related source code
+
+ EGD is Entropy Gathering Daemon, a socket-based entropy source supported
+ by pre-OpenSSL v1.1 versions and now deprecated. curl also deprecated it
+ a while ago.
+
+ Its detection in CMake was broken all along because OpenSSL libs were
+ not linked at the point of feature check.
+
+ Delete detection from both cmake and autotools, along with the related
+ source snippet, and the `--with-egd-socket=` `./configure` option.
+
+ Closes #11556
+
+Stefan Eissing (1 Aug 2023)
+
+- tests: fix h3 server check and parallel instances
+
+ - fix check for availability of nghttpx server
+ - add `tcp` frontend config for same port as quic, as
+ without this, port 3000 is bound which clashes for parallel
+ testing
+
+ Closes #11553
+
+Daniel Stenberg (1 Aug 2023)
+
+- docs/cmdline-opts: spellfixes, typos and polish
+
+ To make them accepted by the spell checker
+
+ Closes #11562
+
+- CI/spellcheck: build curl.1 and spellcheck it
+
+ Added acceptable words
+
+ Closes #11562
+
+Alexander Jaeger (1 Aug 2023)
+
+- misc: fix various typos
+
+ Closes #11561
+
+Daniel Stenberg (1 Aug 2023)
+
+- http2: avoid too early connection re-use/multiplexing
+
+ HTTP/1 connections that are upgraded to HTTP/2 should not be picked up
+ for reuse and multiplexing by other handles until the 101 switching
+ process is completed.
+
+ Lots-of-debgging-by: Stefan Eissing
+ Reported-by: Richard W.M. Jones
+ Bug: https://curl.se/mail/lib-2023-07/0045.html
+ Closes #11557
+
+- Revert "KNOWN_BUGS: build for iOS simulator on macOS 13.2 with Xcode 14"
+
+ This reverts commit 2e8a3d7cb73c85a9aa151e263315f8a496dbb9d4.
+
+ It's a user error for supplying incomplete information to the build system.
+
+ Reported-by: Ryan Schmidt
+ Ref: https://github.com/curl/curl/issues/11215#issuecomment-1658729367
+
+Viktor Szakats (1 Aug 2023)
+
+- cmake: add support for single libcurl compilation pass
+
+ Before this patch CMake builds used two separate compilation passes to
+ build the shared and static libcurl respectively. This patch allows to
+ reduce that to a single pass if the target platform and build settings
+ allow it.
+
+ This reduces CMake build times when building both static and shared
+ libcurl at the same time, making these dual builds an almost zero-cost
+ option.
+
+ Enable this feature for Windows builds, where the difference between the
+ two passes was the use of `__declspec(dllexport)` attribute for exported
+ API functions for the shared builds. This patch replaces this method
+ with the use of `libcurl.def` at DLL link time.
+
+ Also update `Makefile.mk` to use `libcurl.def` to export libcurl API
+ symbols on Windows. This simplifies (or fixes) this build method (e.g.
+ in curl-for-win, which generated a `libcurl.def` from `.h` files using
+ an elaborate set of transformations).
+
+ `libcurl.def` has the maintenance cost of keeping the list of public
+ libcurl API symbols up-to-date. This list seldom changes, so the cost
+ is low.
+
+ Closes #11546
+
+- cmake: detect `SSL_set0_wbio` in OpenSSL
+
+ Present in OpenSSL 1.1.0 and BoringSSL.
+ Missing from LibreSSL 3.8.0.
+
+ Follow-up to f39472ea9f4f4e12cfbc0500c4580a8d52ce4a59
+
+ While here, also fix `RAND_egd()` detection which was broken, likely all
+ along. This feature is probably broken with CMake builds and also
+ requires a sufficiently obsolete OpenSSL version, so this part of the
+ update was not tested.
+
+ Closes #11555
+
+- cmake: fixup H2 duplicate symbols for unity builds
+
+ Closes #11550
+
+Pablo Busse (1 Aug 2023)
+
+- openssl: Support async cert verify callback
+
+ - Update the OpenSSL connect state machine to handle
+ SSL_ERROR_WANT_RETRY_VERIFY.
+
+ This allows libcurl users that are using custom certificate validation
+ to suspend processing while waiting for external I/O during certificate
+ validation.
+
+ Closes https://github.com/curl/curl/pull/11499
+
+Jay Satiro (1 Aug 2023)
+
+- tool_cb_wrt: fix invalid unicode for windows console
+
+ - Suppress an incomplete UTF-8 sequence at the end of the buffer.
+
+ - Attempt to reconstruct incomplete UTF-8 sequence from prior call(s)
+ in current call.
+
+ Prior to this change, in Windows console UTF-8 sequences split between
+ two or more calls to the write callback would cause invalid "replacement
+ characters" U+FFFD to be printed instead of the actual Unicode
+ character. This is because in Windows only UTF-16 encoded characters are
+ printed to the console, therefore we convert the UTF-8 contents to
+ UTF-16, which cannot be done with partial UTF-8 sequences.
+
+ Reported-by: Maksim Arhipov
+
+ Fixes https://github.com/curl/curl/issues/9841
+ Closes https://github.com/curl/curl/pull/10890
+
+Daniel Stenberg (1 Aug 2023)
+
+- sectransp: prevent CFRelease() of NULL
+
+ When SecCertificateCopyCommonName() returns NULL, the common_name
+ pointer remains set to NULL which apparently when calling CFRelease() on
+ (sometimes?) crashes.
+
+ Reported-by: Guillaume Algis
+ Fixes #9194
+ Closes #11554
+
+Jay Satiro (1 Aug 2023)
+
+- vtls: clarify "ALPN: offers" message
+
+ Before:
+ * ALPN: offers h2,http/1.1
+
+ After:
+ * ALPN: curl offers h2,http/1.1
+
+ Bug: https://curl.se/mail/lib-2023-07/0041.html
+ Reported-by: Richard W.M. Jones
+ Closes #11544
+
+Daniel Stenberg (1 Aug 2023)
+
+- urlapi: make sure zoneid is also duplicated in curl_url_dup
+
+ Add several curl_url_dup() tests to the general lib1560 test.
+
+ Reported-by: Rutger Broekhoff
+ Bug: https://curl.se/mail/lib-2023-07/0047.html
+ Closes #11549
+
+Sergey (1 Aug 2023)
+
+- urlapi: fix heap buffer overflow
+
+ `u->path = Curl_memdup(path, pathlen + 1);` accesses bytes after the null-ter
+ minator.
+
+ ```
+ ==2676==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x04d48c75 a
+ t pc 0x0112708a bp 0x006fb7e0 sp 0x006fb3c4
+ READ of size 78 at 0x04d48c75 thread T0
+ #0 0x1127089 in __asan_wrap_memcpy D:\a\_work\1\s\src\vctools\asan\llvm\c
+ ompiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:840
+ #1 0x1891a0e in Curl_memdup C:\actions-runner\_work\client\client\third_p
+ arty\curl\lib\strdup.c:97
+ #2 0x18db4b0 in parseurl C:\actions-runner\_work\client\client\third_part
+ y\curl\lib\urlapi.c:1297
+ #3 0x18db819 in parseurl_and_replace C:\actions-runner\_work\client\clien
+ t\third_party\curl\lib\urlapi.c:1342
+ #4 0x18d6e39 in curl_url_set C:\actions-runner\_work\client\client\third_
+ party\curl\lib\urlapi.c:1790
+ #5 0x1877d3e in parseurlandfillconn C:\actions-runner\_work\client\client
+ \third_party\curl\lib\url.c:1768
+ #6 0x1871acf in create_conn C:\actions-runner\_work\client\client\third_p
+ arty\curl\lib\url.c:3403
+ #7 0x186d8dc in Curl_connect C:\actions-runner\_work\client\client\third_
+ party\curl\lib\url.c:3888
+ #8 0x1856b78 in multi_runsingle C:\actions-runner\_work\client\client\thi
+ rd_party\curl\lib\multi.c:1982
+ #9 0x18531e3 in curl_multi_perform C:\actions-runner\_work\client\client\
+ third_party\curl\lib\multi.c:2756
+ ```
+
+ Closes #11560
+
+Daniel Stenberg (31 Jul 2023)
+
+- curl: make %output{} in -w specify a file to write to
+
+ It can be used multiple times. Use %output{>>name} to append.
+
+ Add docs. Test 990 and 991 verify.
+
+ Idea: #11400
+ Suggested-by: ed0d2b2ce19451f2
+ Closes #11416
+
+- RELEASE-NOTES: synced
+
+- tool: add "variable" support
+
+ Add support for command line variables. Set variables with --variable
+ name=content or --variable name@file (where "file" can be stdin if set
+ to a single dash (-)).
+
+ Variable content is expanded in option parameters using "{{name}}"
+ (without the quotes) if the option name is prefixed with
+ "--expand-". This gets the contents of the variable "name" inserted, or
+ a blank if the name does not exist as a variable. Insert "{{" verbatim
+ in the string by prefixing it with a backslash, like "\\{{".
+
+ Import an environment variable with --variable %name. It makes curl exit
+ with an error if the environment variable is not set. It can also rather
+ get a default value if the variable does not exist, using =content or
+ @file like shown above.
+
+ Example: get the USER environment variable into the URL:
+
+ --variable %USER
+ --expand-url = "https://example.com/api/{{USER}}/method"
+
+ When expanding variables, curl supports a set of functions that can make
+ the variable contents more convenient to use. It can trim leading and
+ trailing white space with "trim", output the contents as a JSON quoted
+ string with "json", URL encode it with "url" and base 64 encode it with
+ "b64". To apply functions to a variable expansion, add them colon
+ separated to the right side of the variable. They are then performed in
+ a left to right order.
+
+ Example: get the contents of a file called $HOME/.secret into a variable
+ called "fix". Make sure that the content is trimmed and percent-encoded
+ sent as POST data:
+
+ --variable %HOME=/home/default
+ --expand-variable fix@{{HOME}}/.secret
+ --expand-data "{{fix:trim:url}}"
+ https://example.com/
+
+ Documented. Many new test cases.
+
+ Co-brainstormed-by: Emanuele Torre
+ Assisted-by: Jat Satiro
+ Closes #11346
+
+- KNOWN_BUGS: cygwin: make install installs curl-config.1 twice
+
+ Closes #8839
+
+- KNOWN_BUGS: build for iOS simulator on macOS 13.2 with Xcode 14
+
+ Closes #11215
+
+- KNOWN_BUGS: cmake outputs: no version information available
+
+ Closes #11158
+
+- KNOWN_BUGS: APOP authentication fails on POP3
+
+ Closes #10073
+
+- KNOWN_BUGS: hyper is slow
+
+ Closes #11203
+
+Patrick Monnerat (31 Jul 2023)
+
+- configure, cmake, lib: more form api deprecation
+
+ Introduce a --enable-form-api configure option to control its inclusion
+ in builds. The condition name defined for it is CURL_DISABLE_FORM_API.
+
+ Form api code is dependent of MIME: configure and CMake handle this
+ dependency automatically: CMake by making it a dependent option
+ explicitly, configure by inheriting the MIME value by default and
+ rejecting explicit incompatible values.
+
+ "form-api" is now a new hidden test feature.
+
+ Update libcurl modules to respect this option and adjust tests
+ accordingly.
+
+ Closes #9621
+
+Daniel Stenberg (31 Jul 2023)
+
+- mailmap: add Derzsi Dániel
+
+Derzsi Dániel (31 Jul 2023)
+
+- wolfssl: support loading system CA certificates
+
+ Closes #11452
+
+Viktor Szakats (30 Jul 2023)
+
+- nss: delete more NSS references
+
+ Fix the distcheck CI failure and delete more NSS references.
+
+ Follow-up to 7c8bae0d9c9b2dfeeb008b9a316117d7b9675175
+
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Daniel Stenberg
+ Closes #11548
+
+Daniel Stenberg (29 Jul 2023)
+
+- nss: remove support for this TLS library
+
+ Closes #11459
+
+Ryan Schmidt (29 Jul 2023)
+
+- macOS: fix target detection more
+
+ Now SCDynamicStoreCopyProxies is called (and the required frameworks are
+ linked in) on all versions of macOS and only on macOS. Fixes crash due
+ to undefined symbol when built with the macOS 10.11 SDK or earlier.
+
+ CURL_OSX_CALL_COPYPROXIES is renamed to CURL_MACOS_CALL_COPYPROXIES and
+ is now only defined when SCDynamicStoreCopyProxies will actually be
+ called. Previously, it was defined when ENABLE_IPV6 was not defined but
+ SCDynamicStoreCopyProxies is not called in that case.
+
+ TARGET_OS_OSX is only defined in the macOS 10.12 SDK and later and only
+ when dynamic targets are enabled. TARGET_OS_MAC is always defined but
+ means any Mac OS or derivative including macOS, iOS, tvOS, and watchOS.
+ TARGET_OS_IPHONE means any Darwin OS other than macOS.
+
+ Follow-up to c73b2f82
+
+ Fixes #11502
+ Closes #11516
+
+Daniel Stenberg (29 Jul 2023)
+
+- tool_operate: allow SSL_CERT_FILE and SSL_CERT_DIR
+
+ ... used at once.
+
+ Reported-by: Gabriel Corona
+ Fixes #11325
+ Closes #11531
+
+Thomas M. DuBuisson (29 Jul 2023)
+
+- CI: remove Lift's configuration
+
+ The Lift tool is being retired. Their site reads:
+
+ "Sonatype Lift will be retiring on Sep 12, 2023, with its analysis
+ stopping on Aug 12, 2023."
+
+ Closes #11541
+
+Nathan Moinvaziri (29 Jul 2023)
+
+- Revert "schannel: reverse the order of certinfo insertions"
+
+ This reverts commit 8986df802db9b5338d9d50a54232ebae4dbcf6dd.
+
+ Windows does not guarantee a particular certificate ordering, even
+ though TLS may have its own ordering/relationship guarantees. Recent
+ versions of Windows 11 reversed the ordering of ceritifcates returned by
+ CertEnumCertificatesInStore, therefore this commit no longer works as
+ initially intended. libcurl makes no guarantees about certificate
+ ordering if the operating system can't.
+
+ Ref: https://github.com/curl/curl/issues/9706
+
+ Closes https://github.com/curl/curl/pull/11536
+
+wangzhikun (29 Jul 2023)
+
+- winbuild: improve check for static zlib
+
+ - Check for zlib static library name zlibstatic.lib.
+
+ zlib's static library has a different name depending on how it was
+ built. zlibstatic.lib is output by cmake. zlibstat.lib is output by
+ their pre-generated Visual Studio project files (in the contrib
+ directory) and defines ZLIB_WINAPI (ie it's meant to use stdcall
+ instead of cdecl if you end up exporting the zlib functions).
+
+ Prior to this change the makefile only checked for the latter.
+
+ Closes https://github.com/curl/curl/pull/11521
+
+Daniel Stenberg (29 Jul 2023)
+
+- configure: use the pkg-config --libs-only-l flag for libssh2
+
+ ... instead of --libs, as that one also returns -L flags.
+
+ Reported-by: Wilhelm von Thiele
+ Fixes #11538
+ Closes #11539
+
+Viktor Szakats (29 Jul 2023)
+
+- cmake: support building static and shared libcurl in one go
+
+ This patch adds the ability to build a static and shared libcurl library
+ in a single build session. It also adds an option to select which one to
+ use when building the curl executable.
+
+ New build options:
+ - `BUILD_STATIC_LIBS`. Default: `OFF`.
+ Enabled automatically if `BUILD_SHARED_LIBS` is `OFF`.
+ - `BUILD_STATIC_CURL`. Default: `OFF`.
+ Requires `BUILD_STATIC_LIBS` enabled.
+ Enabled automatically if building static libcurl only.
+ - `STATIC_LIB_SUFFIX`. Default: empty.
+ - `IMPORT_LIB_SUFFIX`. Default: `_imp` if implib filename would collide
+ with static lib name (typically with MSVC) in Windows builds.
+ Otherwise empty.
+
+ Also:
+
+ - Stop setting the `CURL_STATICLIB` macro via `curl_config.h`, and pass
+ it directly to the compiler. This also allows to delete a condition
+ from `tests/server/CMakeLists.txt`.
+
+ - Complete a TODO by following the logic used in autotools (also for
+ `LIBCURL_NO_SHARED`), and set `-DCURL_STATICLIB` in `Cflags:` of
+ `libcurl.pc` for _static-only_ curl builds.
+
+ - Convert an existing CI test to build both shared and static libcurl.
+
+ Closes #11505
+
+Stefan Eissing (28 Jul 2023)
+
+- CI/awslc: add cache for build awslc library
+
+ Closes #11535
+
+- GHA/linux.yml: add caching
+
+ Closes #11532
+
+Daniel Stenberg (27 Jul 2023)
+
+- RELEASE-NOTES: synced
+
+ Bump working version to 8.3.0
+
+- url: remove infof() output for "still name resolving"
+
+ The message does not help and might get spewed a lot during times.
+
+ Reported-by: yushicheng7788 on github
+ Fixes #11394
+ Closes #11529
+
+- KNOWN_BUGS: cygwin: "WARNING: UNPROTECTED PRIVATE KEY FILE!"
+
+ Closes #11244
+
+Stefan Eissing (27 Jul 2023)
+
+- CI: quiche updates
+
+ - remove quiche from standard `linux` workflow
+ - add mod_h2 caching to quiche workflow
+ - rename quiche to quiche-linux
+ - move version definitions into env section
+
+ Closes #11528
+
+- http2: disable asssertion blocking OSSFuzz testing
+
+ - not clear how this triggers and it blocks OSSFuzz testing other
+ things. Since we handle the case with an error return, disabling the
+ assertion for now seems the best way forward.
+
+ Fixes #11500
+ Closes #11519
+
+- http2: fix in h2 proxy tunnel: progress in ingress on sending
+
+ - depending on what is tunneled, the proxy may never get invoked for
+ receiving data explicitly. Not progressing ingress may lead to stalls
+ due to missed WINDOW_UPDATEs.
+
+ CI:
+ - add a chache for building mod_h2
+
+ Closes #11527
+
+- CI ngtcp2+quictls: use nghttpx cache as in quiche build
+
+Jay Satiro (27 Jul 2023)
+
+- bearssl: don't load CA certs when peer verification is disabled
+
+ We already do this for other SSL backends.
+
+ Bug: https://github.com/curl/curl/pull/11457#issuecomment-1644587473
+ Reported-by: kyled-dell@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/11497
+
+Daniel Stenberg (26 Jul 2023)
+
+- easy: remove #ifdefs to make code easier on the eye
+
+ Closes #11525
+
+Stefan Eissing (26 Jul 2023)
+
+- GHA: adding quiche workflow
+
+ - adding separate quiche workflow to also build nghttpx server for testing
+
+ Closes #11517
+
Version 8.2.1 (26 Jul 2023)
Daniel Stenberg (26 Jul 2023)
@@ -6246,2769 +8981,3 @@ Grisha Levit (6 Mar 2023) See #10079
Closes #10675
-
-Jay Satiro (6 Mar 2023)
-
-- tests: fix gnutls-serv check
-
- - If gnutls-serv doesn't exist then don't try to execute it.
-
- Follow-up to 2fdc1d81.
-
- Closes https://github.com/curl/curl/pull/10688
-
-Daniel Stenberg (6 Mar 2023)
-
-- lib1560: fix enumerated type mixed with another type
-
- Follow-up to c84c0f9aa3bb006
-
- Closes #10684
-
-Viktor Szakats (5 Mar 2023)
-
-- cmake: fix enabling LDAPS on Windows
-
- Before this patch, enabling LDAPS required a manual C flag:
- https://github.com/curl/curl-for-win/blob/c1cfc31cfc04f24f7a4f946564d6f0e1b4d
- 7dd36/curl-cmake.sh#L105
-
- Fix this and enable LDAPS automatically when using `wldap32` (and
- when not explicitly disabled). This matches autotools and `Makefile.mk`
- behavior. Also remove issue from KNOWN_BUGS.
-
- Add workaround for MSVS 2010 warning triggered by LDAPS now enabled
- in more CI tests:
- `ldap.c(360): warning C4306: 'type cast' : conversion from 'int' to 'void *'
- of greater size`
- Ref: https://ci.appveyor.com/project/curlorg/curl/builds/46408284/job/v8mwl9y
- fbmoeqwlr#L312
-
- Reported-by: JackBoosY on github
- Reviewed-by: Jay Satiro
- Reviewed-by: Marcel Raad
- Fixes #6284
- Closes #10674
-
-- Makefile.mk: delete redundant `HAVE_LDAP_SSL` macro [ci skip]
-
- Since abebb2b8939c6b3e0f951eb2d9ec3729b569aa2c, we set this macro for
- all Windows `wldap32` builds using `Makefile.mk`.
-
- For OpenLDAP builds this macro is not enough to enable LDAPS, and
- OpenLDAP is not an option in `Makefile.mk`. For Novell LDAP it might
- have helped, but it's also not an option anymore in `Makefile.mk`.
-
- The future for LDAPS is that we should enable it by default without
- extra build knobs.
-
- Reviewed-by: Marcel Raad
- Closes #10681
-
-- cmake: skip CA-path/bundle auto-detection in cross-builds
-
- Also remove issue from KNOWN_BUGS.
-
- Reported-by: Cristian Morales Vega
- Reviewed-by: Marcel Raad
- Fixes #6178
- Closes #10676
-
-Daniel Stenberg (3 Mar 2023)
-
-- schannel: loop over the algos to pick the selected one
-
- Avoid using the funny macro and the extra buffer copy.
-
- Closes #10647
-
-- wildcard: remove files and move functions into ftplistparser.c
-
-- ftp: allocate the wildcard struct on demand
-
- The feature is rarely used so this frees up data for the vast majority
- of easy handles that don't use it.
-
- Rename "protdata" to "ftpwc" since it is always an FTP wildcard struct
- pointer. Made the state struct field an unsigned char to save space.
-
- Closes #10639
-
-- lib1560: test parsing URLs with ridiculously large fields
-
- In the order of 120K.
-
- Closes #10665
-
-Brad Spencer (3 Mar 2023)
-
-- urlapi: parse IPv6 literals without ENABLE_IPV6
-
- This makes the URL parser API stable and working the same way
- independently of libcurl supporting IPv6 transfers or not.
-
- Closes #10660
-
-Jan Engelhardt (3 Mar 2023)
-
-- build: drop the use of XC_AMEND_DISTCLEAN
-
- Because automake used to delete depdirs at once (.deps) and there was an issu
- e
- with portability, curl's XC_AMEND_DISTCLEAN greps the Makefiles in an attempt
- to build a list of all depfiles and delete them individually instead.
-
- Since commit 08849db866b44510f6b8fd49e313c91a43a3dfd3, automake switched from
- deleting directories to individual files. curl's custom logic now finds a lot
- more results with the grep (the filtering of these results isn't great), whic
- h
- causes a massive bloating of the Makefile in the order of O(n^2).
-
- Also remove now-unused XC_AMEND_DISTCLEAN macro group
-
- References: https://github.com/curl/curl/issues/9843
- References: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=59288
-
- Reported-by: Ilmari Lauhakangas
- Fixes #9843
- Closes #10661
-
-Balakrishnan Balasubramanian (3 Mar 2023)
-
-- test1470: test socks proxy using unix sockets and connect to https
-
- Similar to test1468 except using https instead of http
-
- Closes #10662
-
-Daniel Stenberg (3 Mar 2023)
-
-- test1960: verify CURL_SOCKOPT_ALREADY_CONNECTED
-
- When returned from the CURLOPT_SOCKOPTFUNCTION, like when we have a
- custom socket connected in the app, passed in to libcurl.
-
- Verifies the fix in #10648
-
- Closes #10651
-
-Stefan Eissing (2 Mar 2023)
-
-- tests: rename tests/tests-httpd to tests/http
-
- - httpd is only one server we test with
- - the suite coveres the HTTP protocol in general where
- the default test cases need a more beefy environment
-
- Closes #10654
-
-- socket: detect "dead" connections better, e.g. not fit for reuse
-
- - refs #10646 where reuse was attempted on closed connections in the
- cache, leading to an exhaustion of retries on a transfer
- - the mistake was that poll events like POLLHUP, POLLERR, etc
- were regarded as "not dead".
- - change cf-socket filter check to regard such events as inidication
- of corpsiness.
- - vtls filter checks: fixed interpretation of backend check result
- when inconclusive to interrogate status further down the filter
- chain.
-
- Reported-by: SendSonS on github
- Fixes #10646
- Closes #10652
-
-- lib: give source files cf-http.* better fitting names
-
- Closes #10656
-
-- http2: fix code indent
-
- Closes https://github.com/curl/curl/pull/10655
-
-Shankar Jadhavar (1 Mar 2023)
-
-- cf-socket: if socket is already connected, return CURLE_OK
-
- In 7.87.0, if callback method for CURLOPT_SOCKOPTFUNCTION returns
- CURL_SOCKOPT_ALREADY_CONNECTED then curl library used to return
- CURLE_OK. n 7.88.0, now even if callback returns
- CURL_SOCKOPT_ALREADY_CONNECTED, curl library still tries to connect to
- socket by invoking method do_connect().
-
- This is regression caused by commit
- https://github.com/curl/curl/commit/71b7e0161032927cdfb
-
- Fix: Check if we are already connected and return CURLE_OK.
-
- Fixes #10626
- Closes #10648
-
-Jay Satiro (1 Mar 2023)
-
-- DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
-
- This is the existing behavior and it has been widely assumed in the
- codebase.
-
- Closes https://github.com/curl/curl/pull/10645
-
-Stefan Eissing (1 Mar 2023)
-
-- http2: fix upload busy loop
-
- - Set KEEP_SEND_PAUSE when exhausting remote HTTP/2 window size of a
- stream.
-
- - Clear KEEP_SEND_PAUSE when receiving HTTP/2 window updates on a paused
- stream.
-
- - Also fix http2 send compiler warnings reported in #10449.
-
- Prior to this change, starting in 71b7e016 which precedes 7.88.0,
- libcurl may eat CPU during HTTP/2 upload.
-
- Reported-by: Jay Satiro
-
- Fixes https://github.com/curl/curl/issues/10449
- Fixes https://github.com/curl/curl/issues/10618
- Closes https://github.com/curl/curl/pull/10627
-
-Daniel Stenberg (1 Mar 2023)
-
-- sectransp: make read_cert() use a dynbuf when loading
-
- Closes #10632
-
-Jay Satiro (1 Mar 2023)
-
-- transfer: limit Windows SO_SNDBUF updates to once a second
-
- - Change readwrite_upload() to call win_update_buffer_size() no more
- than once a second to update SO_SNDBUF (send buffer limit).
-
- Prior to this change during an upload readwrite_upload() could call
- win_update_buffer_size() anywhere from hundreds of times per second to
- an extreme test case of 100k per second (which is likely due to a bug,
- see #10618). In the latter case WPA profiler showed
- win_update_buffer_size was the highest capture count in
- readwrite_upload. In any case the calls were excessive and unnecessary.
-
- Ref: https://github.com/curl/curl/pull/2762
-
- Closes https://github.com/curl/curl/pull/10611
-
-Daniel Stenberg (28 Feb 2023)
-
-- RELEASE-NOTES: synced
-
-Stefan Eissing (28 Feb 2023)
-
-- http2: fix for http2-prior-knowledge when reusing connections
-
- - refs #10634 where errors in the HTTP/2 framing layer are observed.
- - the bug was that on connection reuse, the code attempted to switch
- in yet another layer of HTTP/2 handling instead of detecting that
- this was already in place.
- - added pytest testcase reproducing the issue.
-
- Reported-by: rwmjones on github
- Fixes #10634
- Closes #10643
-
-- cf-socket: fix handling of remote addr for accepted tcp sockets
-
- - do not try to determine the remote address of a listen socket. There
- is none.
- - Update remote address of an accepted socket by getpeername() if
- available.
-
- Reported-by: Harry Sintonen
- Fixes #10622
- Closes #10642
-
-- http: fix unix domain socket use in https connects
-
- - when h2/h3 eyeballing was involved, unix domain socket
- configurations were not honoured
- - configuring --unix-socket will disable HTTP/3 as candidate for eyeballing
- - combinatino of --unix-socket and --http3-only will fail during initialisati
- on
- - adding pytest test_11 to reproduce
-
- Reported-by: Jelle van der Waa
- Fixes #10633
- Closes #10641
-
-Daniel Stenberg (28 Feb 2023)
-
-- setopt: move the CURLOPT_CHUNK_DATA pointer to the set struct
-
- To make duphandle work etc
-
- Closes #10635
-
-Viktor Szakats (28 Feb 2023)
-
-- quic/schannel: fix compiler warnings
-
- Fixes #10603
- Closes #10616
-
-Daniel Stenberg (28 Feb 2023)
-
-- page-footer: add explanation for three missing exit codes
-
- Added in 7.73.0, 7.77.0 and 7.84.0
-
- Closes #10630
-
-積丹尼 Dan Jacobson (28 Feb 2023)
-
-- rate.c: single URLs make no sense in --rate example
-
- Here somehow you need to put more than one URL in these examples, else
- they will make no sense, as --rate only affects the second and beyond
- URLs. The first URL will always finish the same time no matter what
- --rate is given.
-
- Closes #10638
-
-Daniel Stenberg (28 Feb 2023)
-
-- libcurl-errors.3: add the CURLHcode errors from curl_easy_header.3
-
- Closes #10629
-
-- mqtt: on send error, return error
-
- Reported-by: Maciej Domanski
-
- Closes #10623
-
-- ws: keep the socket non-blocking
-
- Reported-by: marski on github
- Fixes #10615
- Closes #10625
-
-- hostip: avoid sscanf and extra buffer copies
-
- Also made create_hostcache_id() return the id length.
-
- Closes #10601
-
-- PARALLEL-TRANSFERS.md: not "early days" for this anymore
-
- Refresh the language as the support is now over three years old
-
- Closes #10624
-
-- easy: remove infof() debug leftover from curl_easy_recv
-
- It said "reached [path]/easy.c:1231"
-
- Closes #10628
-
-- idn: return error if the conversion ends up with a blank host
-
- Some IDN sequences are converted into "" (nothing), which can make this
- function end up with a zero length host name and we cannot consider that
- a valid host to continue with.
-
- Reported-by: Maciej Domanski
- Closes #10617
-
-- examples/http3.c: use CURL_HTTP_VERSION_3
-
- and update the comment
-
- Closes #10619
-
-- x509asn1.c: use correct format specifier for infof() call
-
- Detected by Coverity
-
- Closes #10614
-
-- Revert "GHA: add Microsoft C++ Code Analysis"
-
- This reverts commit e0db842b2a082dffad4a9fbe31321e9a75c74041.
-
- This tool seems very restricted in how often it might be used by a
- project and thus very quickly start to report fails simply because it
- refuses to run when "there are more runs than allowed".
-
- Closes #10613
-
-Patrick Monnerat (25 Feb 2023)
-
-- tests: test secure mail protocols with explicit SSL requests
-
- New tests 987, 988 and 989, disabled for rustls (hanging).
-
- Closes #10077
-
-- tests: support for imaps/pop3s/smtps protocols
-
- Closes #10077
-
-- runtests: use a hash table for server port numbers
-
- Closes #10077
-
-Andy Alt (25 Feb 2023)
-
-- INTERNALS.md: grammar
-
- Closes #10607
-
-Daniel Stenberg (25 Feb 2023)
-
-- RELEASE-NOTES: synced
-
-Philip Heiduck (25 Feb 2023)
-
-- .cirrus.yml: Bump to FreeBSD 13.2
-
- Closes #10270
-
-- ngtcp2-gnutls.yml: bump to gnutls 3.8.0
-
- Closes #10507
-
-- CI: update ngtcp2 and nghttp2 for pytest
-
- Follow-up: https://github.com/curl/curl/commit/5c9ee8cef4b351a085b440f8178500
- 124647f8e6
-
- Closes #10508
-
-Andy Alt (25 Feb 2023)
-
-- GHA: use same flags for Slackbuild as Slack package
-
- Closes #10526
-
-Daniel Stenberg (24 Feb 2023)
-
-- rtsp: avoid sscanf for parsing
-
- Closes #10605
-
-- http_proxy: parse the status line without sscanf
-
- Closes #10602
-
-- telnet: error correctly for WS set to "x[num]"
-
- Follow-up to e4f93be9d587
- Reported-by: Harry Sintonen
- Closes #10606
-
-- krb5: avoid sscanf for parsing
-
- Closes #10599
-
-- misc: remove support for curl_off_t < 8 bytes
-
- Closes #10597
-
-- telnet: parse NEW_ENVIRON without sscanf
-
- Closes #10596
-
-- telnet: parse the WS= argument without sscanf
-
- Closes #10596
-
-- telnet: parse telnet options without sscanf
-
- Closes #10596
-
-- ftp: replace sscanf for MDTM 213 response parsing
-
- Closes #10590
-
-- ftp: replace sscanf for PASV parsing
-
- Closes #10590
-
-- ftp: make the EPSV response parser not use sscanf
-
- Closes #10590
-
-Stefan Eissing (24 Feb 2023)
-
-- ngtcp2: fix unwanted close of file descriptor 0
-
- ... causing macOS to hand out 0 as next socket handle and failing on
- further operations.
-
- Reported-by: Sergey Fionov
- Fixes #10593
- Closes #10595
-
-Daniel Stenberg (23 Feb 2023)
-
-- select: stop treating POLLRDBAND as an error
-
- POLLRDBAND does not seem to be an general error and on Windows the value
- for POLLIN is 768 and the value for POLLRDBAND is 512.
-
- Fixes #10501
- Reported-by: opensslonzos-github on github
- Closes #10592
-
-- test978: mark file as text mode
-
- Follow-up to 4ea5702980cb
-
- To fix test failures on Windows
-
- Closes #10594
-
-- http: rewrite the status line parser without sscanf
-
- Closes #10585
-
-- test978: verify that --stderr works for -w's stderr as well
-
-Jay Satiro (23 Feb 2023)
-
-- curl: make -w's %{stderr} use the file set with --stderr
-
- Reported-by: u20221022 on github
- Fixes #10491
- Closes #10569
-
-- winbuild: fix makefile clean
-
- - Fix and move 'clean' code that removes the output and obj directories
- trees from MakefileBuild.vc to Makefile.vc.
-
- Prior to this change the 'clean' code did not work right because the
- variables containing the directory names were not fully initialized and
- the rmdir syntax was sometimes incorrect (typos). DIRDIST for example
- was set to ..\builds\ and not ..\builds\$(CONFIG_NAME_LIB)\ so it would
- remove the former and not the latter. If WITH_PREFIX was set then that
- directory was removed instead.
-
- Also, DIRDIST (the output directory) even if initialized should not be
- removed by MakefileBuild.vc because by that time it could be set to a
- user directory that may contain other files if WITH_PREFIX is set (eg we
- don't want rmdir /s /q C:\usr\local). Therefore we remove from
- Makefile.vc before any of that happens. I added a comment in both
- makefiles explaining this.
-
- Closes https://github.com/curl/curl/pull/10576
-
-- sectransp: fix compiler warning c89 mixed code/declaration
-
- Since cbf57176 the Cirrus CI 'macOS arm64 SecureTransport http2' has
- been failing due to c89 warnings mixed code/declaration. That commit is
- not the cause so I assume something has changed in the CI outside of our
- configuration. Anyway, we don't mix code/declaration so this is the fix
- for that.
-
- Closes https://github.com/curl/curl/pull/10574
-
-Philipp Engel (22 Feb 2023)
-
-- BINDINGS: add Fortran binding
-
- Closes #10589
-
-Stefan Eissing (22 Feb 2023)
-
-- test2600: detect when ALARM_TIMEOUT is in use and adjust
-
- - use higher timeout values > 1s
- - skip duration checks
-
- Assisted-by: Marcel Raad
- Closes #10513
-
-Daniel Stenberg (22 Feb 2023)
-
-- RELEASE-NOTES: synced
-
-- test686: verify return code for no URL after --next
-
-- tool_operate: propagate error codes for missing URL after --next
-
- Fixes #10558
- Reported-by: u20221022 on github
- Closes #10580
-
-- test1278: verify that an extra --no-remote-name cause no warning
-
-- tool_getparam: don't add a new node for just --no-remote-name
-
- Unless --remote-name-all is used.
-
- Fixes #10564
- Reported-by: u20221022 on github
- Closes #10582
-
-- gen.pl: add '%GLOBALS' as a variable for mainpage
-
- And use it in page-header to list all global command line options.
-
-- docs/cmdline-opts: mark all global options
-
- gen.pl now outputs a generic explanations for them for each option
-
- Fixes #10566
- Reported-by: u20221022 on github
- Closes #10584
-
-- GHA: add Microsoft C++ Code Analysis
-
- Closes #10583
-
-- tool_progress: shut off progress meter for --silent in parallel
-
- Reported-by: finkjsc on github
- Fixes #10573
- Closes #10579
-
-- lib1560: add a test using %25 in the userinfo in a URL
-
- Closes #10578
-
-Stefan Eissing (21 Feb 2023)
-
-- CURLOPT_PIPEWAIT: allow waited reuse also for subsequent connections
-
- As tested in test_02_07, when firing off 200 urls with --parallel, 199
- wait for the first connection to be established. if that is multiuse,
- urls are added up to its capacity.
-
- The first url over capacity opens another connection. But subsequent
- urls found the same situation and open a connection too. They should
- have waited for the second connection to actually connect and make its
- capacity known.
-
- This change fixes that by
-
- - setting `connkeep()` early in the HTTP setup handler. as otherwise
- a new connection is marked as closeit by default and not considered
- for multiuse at all
- - checking the "connected" status for a candidate always and continuing
- to PIPEWAIT if no alternative is found.
-
- pytest:
- - removed "skip" from test_02_07
- - added test_02_07b to check that http/1.1 continues to work as before
-
- Closes #10456
-
-Daniel Stenberg (21 Feb 2023)
-
-- test419: verify --dump-header to file that cannot be created
-
- Closes #10571
-
-- tool_operate: avoid fclose(NULL) on bad header dump file
-
- Fixes #10570
- Reported-by: Jérémy Rabasco
- Closes #10571
-
-- RELEASE-NOTES: synced
-
- Starting the journey towards 8.0.0
-
-- cookie: parse without sscanf()
-
- Saves us from using 2*4096 bytes buffers on stack, the extra copies and
- more.
-
- Closes #10550
-
-- lib517: verify time stamps without leading zeroes plus some more
-
-- parsedate: replace sscanf( for time stamp parsing
-
- Closes #10547
-
-- parsedate: parse strings without using sscanf()
-
- - sscanf is slow and complex, avoid it
- - give up already if the string is 12 bytes or longer as no valid string
- can be that long
- - this can now be done without copy
-
- Closes #10547
-
-Matt Jolly (20 Feb 2023)
-
-- tests: HTTP server fixups
-
- - httpserver.pl -> http-server.pl for consistency
- - add http3-server.pl to EXTRA_DIST; alphabetise for maintainability
- - nghttpx proxy invocation scripts should not use getcwd
-
- Closes #10568
-
-Version 7.88.1 (20 Feb 2023)
-
-Daniel Stenberg (20 Feb 2023)
-
-- RELEASE-NOTES: synced
-
- 7.88.1 release
-
-- THANKS: add contributors from 7.88.1
-
-- socketpair: allow EWOULDBLOCK when reading the pair check bytes
-
- Reported-by: Gunamoi Software
- Co-authored-by: Jay Satiro
- Fixes #10561
- Closes #10562
-
-Jay Satiro (18 Feb 2023)
-
-- tool_operate: fix scanbuild compiler warning
-
- Prior to this change Azure CI scanbuild warned of a potential NULL
- pointer string passed to strtol when CURLDEBUG enabled, even though the
- way the code was written it wouldn't have happened.
-
- Bug: https://github.com/curl/curl/commit/5479d991#r101159711
- Reported-by: Marcel Raad
-
- Closes https://github.com/curl/curl/pull/10559
-
-- curl_setup: Suppress OpenSSL 3 deprecation warnings
-
- - Define OPENSSL_SUPPRESS_DEPRECATED.
-
- OpenSSL 3 has deprecated some of the functions libcurl uses such as
- those with DES, MD5 and ENGINE prefix. We don't have replacements for
- those functions so the warnings were disabled in autotools and cmake
- builds, but still showed in other builds.
-
- Closes https://github.com/curl/curl/pull/10543
-
-- build-openssl.bat: keep OpenSSL 3 engine binaries
-
- Prior to this change copying the OpenSSL 3 engine binaries failed
- because 'engines-1_1' (OpenSSL 1.1.x folder name) was erroneously used
- instead of 'engines-3'. The OpenSSL 3 builds would complete successfully
- but without the engine binaries.
-
- Closes https://github.com/curl/curl/pull/10542
-
-ALittleDruid (18 Feb 2023)
-
-- cmake: fix Windows check for CryptAcquireContext
-
- Check for CryptAcquireContext in windows.h and wincrypt.h only, since
- otherwise this check may fail due to third party headers not found.
-
- Closes https://github.com/curl/curl/pull/10353
-
-Daniel Stenberg (19 Feb 2023)
-
-- remote-header-name.d: mention that filename* is not supported
-
- and that you can use --clobber to allow overwriting.
-
- Ref: #10533
- Closes #10555
-
- Co-authored-by: Jay Satiro <raysatiro@yahoo.com>
-
-Pierrick Charron (18 Feb 2023)
-
-- CURLOPT_WS_OPTIONS.3: fix the availability version
-
- Closes #10557
-
-Jacob Hoffman-Andrews (18 Feb 2023)
-
-- GHA: update rustls dependency to 0.9.2
-
- This allows re-enabling test 312 for the rustls backend.
-
- Closes #10553
-
-Philip Heiduck (18 Feb 2023)
-
-- HTTP3.md: update git branches
-
- Closes #10554
-
-Stefan Eissing (17 Feb 2023)
-
-- urldata: remove `now` from struct SingleRequest - not needed
-
- Closes #10549
-
-Daniel Stenberg (17 Feb 2023)
-
-- lib1560: add IPv6 canonicalization tests
-
- Closes #10552
-
-- RELEASE-NOTES: synced
-
-- urlapi: do the port number extraction without using sscanf()
-
- - sscanf() is rather complex and slow, strchr() much simpler
-
- - the port number function does not need to fully verify the IPv6 address
- anyway as it is done later in the hostname_check() function and doing
- it twice is unnecessary.
-
- Closes #10541
-
-Stefan Eissing (17 Feb 2023)
-
-- setopt: allow HTTP3 when HTTP2 is not defined
-
- Reported-by: Karthikdasari0423 on github
- Fixes #10538
- Closes #10544
-
-Jon Rumsey (17 Feb 2023)
-
-- os400: correct Curl_os400_sendto()
-
- Add const qualifier to 5th argument of Curl_os400_sendto()
-
- Make OS400 wrapper for sendto match the normal prototype of sendto()
- with a const qualifier.
-
- Fixes #10539
- Closes #10548
-
-Stefan Eissing (17 Feb 2023)
-
-- tests-httpd: add proxy tests
-
- for direct and tunneling checks on http: and https:
-
- Closes #10519
-
-Daniel Stenberg (17 Feb 2023)
-
-- curl: make --silent work stand-alone
-
- - renamed the struct field to 'silent' to match the cmdline option
- - make --show-error toggle independently of --silent
- - make --silent independent of ->noprogress as well
-
- By doing this, the three options --silent, --no-progress-meter and
- --show-error should work independently of each other and also work with
- and without '--no-' prefix as documented.
-
- Reported-by: u20221022 on github
- Fixes #10535
- Closes #10536
-
-- socks: allow using DoH to resolve host names
-
- For SOCKS modes where a local host resolve is done.
-
- It was previously disabled in 12d655d4561, but a few local tests seem to
- indicate that it works fine. Works now because of the SOCKS refactor of
- 4a4b63daaa01ef59 that made it non-blocking.
-
- Reported-by: roughtex on github
- Fixes #10537
- Closes #10540
-
-Stefan Eissing (17 Feb 2023)
-
-- test: add test for HTTP/2 corruption as reported in #10525
-
- - adding test_02_20 for reproducing the situation
- - using recently released mod_h2 Apache module
- - skipping test if an older version is installed
- - adding installation of current mod_h2 to github pytest workflow
-
- This reproduces the error reliable (for me) on the lib/http2.c version
- of curl 7.88.0. And passes with the recent curl master.
-
- Closes #10534
-
-Daniel Stenberg (16 Feb 2023)
-
-- tool_operate: allow debug builds to set buffersize
-
- Using the CURL_BUFFERSIZE environment variable.
-
- Closes #10532
-
-Stefan Eissing (16 Feb 2023)
-
-- connnect: fix timeout handling to use full duration
-
- - connect timeout was used at half the configured value, if the
- destination had 1 ip version 4 and other version 6 addresses
- (or the other way around)
- - extended test2600 to reproduce these cases
-
- Reported-by: Michael Kaufmann
- Fixes #10514
- Closes #10517
-
-Daniel Stenberg (16 Feb 2023)
-
-- tool_getparam: make --get a true boolean
-
- To match how it is documented in the man page.
-
- Fixes #10527
- Reported-by: u20221022 on github
- Closes #10531
-
-Harry Sintonen (16 Feb 2023)
-
-- http:: include stdint.h more readily
-
- Closes #10516
-
-Stefan Eissing (16 Feb 2023)
-
-- tests: make the telnet server shut down a socket gracefully
-
- - test 1452 failed occasionally with ECONNRESET errnos in curl when the
- server closed the connection in an unclean state.
-
- Closes #10509
-
-Harry Sintonen (16 Feb 2023)
-
-- http2: set drain on stream end
-
- Ensure that on_frame_recv() stream end will trigger a read if there is
- pending data. Without this it could happen that the pending data is
- never consumed.
-
- This combined with https://github.com/curl/curl/pull/10529 should fix
- https://github.com/curl/curl/issues/10525
-
- Ref: https://github.com/curl/curl/issues/10525
- Closes #10530
-
-Stefan Eissing (16 Feb 2023)
-
-- http2: buffer/pausedata and output flush fix.
-
- * do not process pending input data when copying pausedata to the
- caller
- * return CURLE_AGAIN if the output buffer could not be completely
- written out.
-
- Ref: #10525
- Closes #10529
-
-Marcel Raad (16 Feb 2023)
-
-- krb5: silence cast-align warning
-
- Add an intermediate cast to `void *`, as done everywhere else when
- casting from `sockaddr *` to `sockaddr_in *`.
-
- Closes https://github.com/curl/curl/pull/10528
-
-Daniel Stenberg (15 Feb 2023)
-
-- RELEASE-NOTES: synced
-
- bumped to 7.88.1
-
-- tests: make sure gnuserv-tls has SRP support before using it
-
- Reported-by: fundawang on github
- Fixes #10522
- Closes #10524
-
-- runtests: fix "uninitialized value $port"
-
- by using a more appropriate variable
-
- Reported-by: fundawang on github
- Fixes #10518
- Closes #10520
-
-Version 7.88.0 (15 Feb 2023)
-
-Daniel Stenberg (15 Feb 2023)
-
-- RELEASE-NOTES: synced
-
- 7.88.0 release
-
-- THANKS: added contributors from 7.88.0
-
-- openssl: rename 'errcode_t' to 'sslerr_t'
-
- Turns out "/usr/include/et/com_err.h" typedefs this type (without proper
- variable scoping).
-
- comerr is the "common error description library" that apparently might be use
- d
- by krb5 code, which then makes this header get used in a curl build.
-
- Reported-by: Bruno Henrique Batista Cruz da Silva
- Fixed #10502
- Closes #10500
-
-Dan Fandrich (13 Feb 2023)
-
-- CONTRIBUTE: More formally specify the commit description
-
- This codifies what people have actually used in git commits over the
- past 6 years. I've left off some lesser-used headers that appear to
- duplicate others and tried to describe a consistent use for several
- others that were used more arbitrarily.
-
- This makes it easier for new committers to find out the kinds of things
- we want to acknowledge, makes it easier to perform statistical analysis
- on commits, and opens the possibility of performing lint checks on
- descriptions before submission.
-
- Reviewed-by: Daniel Stenberg
- Reviewed-by: Jay Satiro
-
- Closes #10478
-
-Stefan Eissing (13 Feb 2023)
-
-- openssl: test and fix for forward proxy handling (non-tunneling).
-
- - adding pytest test_10 cases for proxy httpd setup tests
- - fixing openssl bug in https: proxy hostname verification that
- used the hostname of the request and not the proxy name.
-
- Closes #10498
-
-Daniel Stenberg (13 Feb 2023)
-
-- cmdline-opts/Makefile: on error, do not leave a partial
-
- And support 'make V=1' to show the full command line
-
- Closes #10497
-
-- curl.1: make help, version and manual sections "custom"
-
- Instead of using "multi: boolean", as these are slightly special as in
- they do are not enable/disable ones.
-
- Fixes #10490
- Reported-by: u20221022 on github
- Closes #10497
-
-Stefan Eissing (13 Feb 2023)
-
-- tests: add tests for HTTP/2 and HTTP/3 to verify the header API
-
- Test 2403 and 2503 check "header_json" output and therefore use of
- header-api
-
- Closes #10495
-
-Philip Heiduck (13 Feb 2023)
-
-- CI: update wolfssl / wolfssh to 5.5.4 / 1.4.12
-
- Closes #10493
-
-Daniel Stenberg (13 Feb 2023)
-
-- KNOW_BUGS: cleanups with some changed to TODOs
-
- - remove "Excessive HTTP/2 packets with TCP_NODELAY"
-
- This is not a bug. Rather room for improvement.
-
- I believe these have been fixed:
-
- - 17.4 Connection failures with parallel HTTP/2
- - 17.5 HTTP/2 connections through HTTPS proxy frequently stall
-
- - remove "FTPS needs session reuse"
-
- That is still true, but curl should also do session reuse now.
-
- - remove "ASCII FTP"
-
- It is documented behavior, and not single user has asked for extended
- functionality here the last decade or so.
-
- - remove "Passive transfer tries only one IP address"
-
- add as a TODO
-
- - remove "DoH leaks memory after followlocation"
-
- With a recipe on how to reproduce, this is pointless to keep around
-
- - remove "DoH does not inherit all transfer options"
-
- add it as a TODO
-
- Closes #10487
-
-Tatsuhiro Tsujikawa (13 Feb 2023)
-
-- GHA: bump ngtcp2 workflow dependencies
-
- Closes #10494
-
-Patrick Monnerat (13 Feb 2023)
-
-- content_encoding: do not reset stage counter for each header
-
- Test 418 verifies
-
- Closes #10492
-
-Daniel Stenberg (13 Feb 2023)
-
-- RELEASE-NOTES: synced
-
-Jay Satiro (13 Feb 2023)
-
-- multi: stop sending empty HTTP/3 UDP datagrams on Windows
-
- - Limit the 0-sized send procedure that is used to reset a SOCKET's
- FD_WRITE to TCP sockets only.
-
- Prior to this change the reset was used on UDP sockets as well, but
- unlike TCP sockets a 0-sized send actually sends out a datagram.
-
- Assisted-by: Marc Hörsken
-
- Ref: https://github.com/curl/curl/pull/9203
-
- Fixes https://github.com/curl/curl/issues/9086
- Closes https://github.com/curl/curl/pull/10430
-
-Viktor Szakats (12 Feb 2023)
-
-- h3: silence compiler warnings
-
- Reviewed-by: Daniel Stenberg
- Fixes #10485
- Closes #10486
-
-Daniel Stenberg (12 Feb 2023)
-
-- smb: return error on upload without size
-
- The protocol needs to know the size ahead of time, this is now a known
- restriction and not a bug.
-
- Also output a clearer error if the URL path does not contain proper
- share.
-
- Ref: #7896
- Closes #10484
-
-Viktor Szakats (12 Feb 2023)
-
-- windows: always use curl's basename() implementation
-
- The `basename()` [1][2] implementation provided by mingw-w64 [3] makes
- assumptions about input encoding and may break with non-ASCII strings.
-
- `basename()` was auto-detected with CMake, autotools and since
- 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6 (2022-10-13), also in
- `Makefile.mk` after syncing its behaviour with the mainline build
- methods. A similar patch for curl-for-win broke official Windows
- builds earlier, in release 7.83.1_4 (2022-06-15).
-
- This patch forces all Windows builds to use curl's internal
- `basename()` implementation to avoid such problems.
-
- [1]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/basename.html
- [2]: https://www.man7.org/linux/man-pages/man3/basename.3.html
- [3]: https://sourceforge.net/p/mingw-w64/mingw-w64/ci/master/tree/mingw-w64-c
- rt/misc/basename.c
-
- Reported-by: UnicornZhang on Github
- Assisted-by: Cherish98 on Github
- Reviewed-by: Daniel Stenberg
-
- Fixes #10261
- Closes #10475
-
-Philip Heiduck (12 Feb 2023)
-
-- Linux CI: Bump rustls-ffi to v0.9.1
-
- Closes #10476
-
-Daniel Stenberg (12 Feb 2023)
-
-- libtest: build lib2305 with multibyte as well
-
- Fixes a build regression.
-
- Follow-up to 5a9a04d5567
- Reported-by: Viktor Szakats
- Ref: https://github.com/curl/curl/pull/10475#issuecomment-1426831800
-
- Closes #10477
-
-Dmitry Atamanov (12 Feb 2023)
-
-- cmake: fix dev warning due to mismatched arg
-
- The package name passed to find_package_handle_standard_args (BROTLI)
- does not match the name of the calling package (Brotli). This can lead
- to problems in calling code that expects find_package result variables
- (e.g., _FOUND) to follow a certain pattern.
-
- Closes https://github.com/curl/curl/pull/10471
-
-James Keast (11 Feb 2023)
-
-- setopt: Address undefined behaviour by checking for null
-
- This addresses undefined behaviour found using clang's UBsan:
-
- curl/lib/setopt.c:177:14: runtime error: applying non-zero offset 1 to null p
- ointer
- SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior curl/lib/setopt.c:177
- :14 in
-
- Closes #10472
-
-Jacob Hoffman-Andrews (11 Feb 2023)
-
-- rustls: improve error messages
-
- Changes numeric error codes into verbose error codes in two places.
- Adds a prefix indicating that the error came from rustls, and in some
- places which function it came from.
-
- Adds special handling for RUSTLS_RESULT_UNEXPECTED_EOF, since the
- default message of "Unexpected EOF" is insufficiently explanatory.
-
- Closes #10463
-
-Daniel Stenberg (11 Feb 2023)
-
-- openssl: remove dead code
-
- Follow-up to e8b00fcd6a
-
- Due to the new 'if(!nonblocking)' check on the block a level above,
- there is no need to check for it again within the same conditional.
-
- Detected by Coverity
-
- Closes #10473
-
-- ngtcp2: replace removed define and stop using removed function
-
- They were removed upstream.
-
- Reported-by: Karthikdasari0423 on github
- Fixes #10469
- Closes #10474
-
-- scripts/delta: show percent of number of files changed since last tag
-
-- RELEASE-NOTES: synced
-
-Stefan Eissing (10 Feb 2023)
-
-- pytest: add a test case for PUSH related things.
-
- - checking that "103 Early Hints" are visible in curl's header dump file
-
- Closes #10452
-
-Gregory Panakkal (10 Feb 2023)
-
-- WEBSOCKET.md: typo
-
- Fixing missing slash for ws protocol scheme
-
- Closes #10464
-
-Stefan Eissing (10 Feb 2023)
-
-- vquic: stabilization and improvements
-
- vquic stabilization
- - udp send code shared between ngtcp2 and quiche
- - quiche handling of data and events improved
-
- ngtcp2 and pytest improvements
- - fixes handling of "drain" situations, discovered in scorecard
- tests with the Caddy server.
- - improvements in handling transfers that have already data or
- are already closed to make an early return on recv
-
- pytest
- - adding caddy tests when available
-
- scorecard improvemnts.
- - using correct caddy port
- - allowing tests for only httpd or caddy
-
- Closes #10451
-
-Philip Heiduck (10 Feb 2023)
-
-- Linux CI: update some dependecies to latest tag
-
- Closes #10458
-
-Daniel Stenberg (10 Feb 2023)
-
-- test2305: send 3 frames, 4097 bytes each, as one message
-
- Receive them using a 256 bytes buffer in a loop.
-
-- ws: fix recv of larger frames
-
- + remove 'oleft' from the struct
- + deal with "overflow data" in a separate dynbuf
-
- Reported-by: Mike Duglas
- Fixes #10438
- Closes #10447
-
-- curl/websockets.h: extend the websocket frame struct
-
-- sws: fix typo, indentation add more ws logging
-
-- test2304: remove stdout verification
-
- This cripples the test somewhat but the check was bad since depending on
- timing it could exit before the output was done, making the test flaky.
-
-Dan Fandrich (9 Feb 2023)
-
-- CI: Add more labeler match patterns
-
-- CI: Retry failed downloads to reduce spurious failures
-
- A temporary error with a remote server shouldn't cause a CI run to fail.
- Also, put a cap on the time to download to fail faster on a misbehaving
- server or connection and use HTTP compression where possible to reduce
- download times.
-
-Daniel Stenberg (9 Feb 2023)
-
-- no-clobber.d: only use long form options in man page text
-
- ... since they are expanded and the short-form gets mentioned
- automatically so if the short form is mentioned as well, it gets
- repeated.
-
- Fixes #10461
- Closes #10462
- Reported-by: Dan Fandrich
-
-- GHA: enable websockets in the torture job
-
- Closes #10448
-
-- header.d: add a header file example
-
- Closes #10455
-
-Stefan Eissing (9 Feb 2023)
-
-- HTTP/[23]: continue upload when state.drain is set
-
- - as reported in #10433, HTTP/2 uploads may stall when a response is
- received before the upload is done. This happens when the
- data->state.drain is set for such a transfer, as the special handling
- in transfer.c from then on only cared about downloads.
- - add continuation of uploads, if applicable, in this case.
- - add pytest case test_07_12_upload_seq_large to reproduce this scenario
- (although, current nghttp2 implementation is using drain less often)
-
- Reported-by: Lucas Pardue
-
- Fixes #10433
- Closes #10443
-
-- http2: minor buffer and error path fixes
-
- - use memory buffer in full available size
- - fail receive of reset/errored streams early
-
- pytest:
- - make test_05 error cases more reliable
-
- Closes #10444
-
-Federico Pellegrin (9 Feb 2023)
-
-- openldap: fix missing sasl symbols at build in specific configs
-
- If curl is built with openldap support (USE_OPENLDAP=1) but does not
- have also some other protocol (IMAP/SMTP/POP3) enabled that brings
- in Curl_sasl_* functions, then the build will fail with undefined
- references to various symbols:
-
- ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_decode_mech'
- ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_parse_url_auth
- _option'
- ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_cleanup'
- ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_can_authentica
- te'
- ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_continue'
- ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_start'
- ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_init'
-
- This was tracked down to these functions bein used in openldap.c but
- defined in curl_sasl.c and then forward in two vauth/ files to have
- a guard against a set of #define configurations that was now extended
- to cover also this case.
-
- Example configuration targeted that could reproduce the problem:
-
- curl 7.87.1-DEV () libcurl/7.87.1-DEV .... OpenLDAP/2.6.3
- Protocols: file ftp ftps http https ldap ldaps
-
- Closes #10445
-
-Daniel Stenberg (9 Feb 2023)
-
-- ws: use %Ou for outputting curl_off_t with info()
-
- Reported-by: Mike Duglas
- Fixes #10439
- Closes #10441
-
-Jay Satiro (9 Feb 2023)
-
-- curl_setup: Disable by default recv-before-send in Windows
-
- Prior to this change a workaround for Windows to recv before every send
- was enabled by default. The way it works is a recv is called before
- every send and saves the received data, in case send fails because in
- Windows apparently that can wipe out the socket's internal received
- data buffer.
-
- This feature has led to several bugs because the way libcurl operates
- it waits on a socket to read or to write, and may not at all times
- check for buffered receive data.
-
- Two recent significant bugs this workaround caused:
- - Broken Schannel TLS 1.3 connections (#9431)
- - HTTP/2 arbitrary hangs (#10253)
-
- The actual code remains though it is disabled by default. Though future
- changes to connection filter buffering could improve the situation IMO
- it's just not tenable to manage this workaround.
-
- Ref: https://github.com/curl/curl/issues/657
- Ref: https://github.com/curl/curl/pull/668
- Ref: https://github.com/curl/curl/pull/720
-
- Ref: https://github.com/curl/curl/issues/9431
- Ref: https://github.com/curl/curl/issues/10253
-
- Closes https://github.com/curl/curl/pull/10409
-
-Stefan Eissing (8 Feb 2023)
-
-- http2: aggregate small SETTINGS/PRIO/WIN_UPDATE frames
-
- add a small buffer to nghttp2 session sending in order to aggregate
- small SETTINGS/PRIO/WIN_UPDATE frames that nghttp2 "writes" to the
- callback individually.
-
- Ref: #10389
- Closes #10432
-
-- openssl: store the CA after first send (ClientHello)
-
- move Curl_ssl_setup_x509_store() call after the first send (ClientHello)
- this gives time to parse CA anchors while waiting on the server reply
-
- Ref: #10389
- Closes #10432
-
-Daniel Stenberg (8 Feb 2023)
-
-- RELEASE-NOTES: synced
-
-Anthony Hu (8 Feb 2023)
-
-- wolfssl: remove deprecated post-quantum algorithms
-
- Closes #10440
-
-John Bampton (8 Feb 2023)
-
-- misc: fix spelling
-
- Closes #10437
-
-Daniel Stenberg (7 Feb 2023)
-
-- man pages: call the custom user pointer 'clientp' consistently
-
- The variable had a few different names. Now try to use 'clientp'
- consistently for all man pages using a custom pointer set by the
- application.
-
- Reported-by: Gerrit Renker
-
- Fixes #10434
- Closes #10435
-
-- vtls: infof using %.*s needs to provide the length as int
-
- Fixes a Coverity warning.
-
- Closes #10436
-
-Stefan Eissing (7 Feb 2023)
-
-- vrls: addressing issues reported by coverity
-
- I believe the code was secure before this, but limiting the accepted
- name length to what is used in the structures should help Coverity's
- analysis.
-
- Closes #10431
-
-Daniel Stenberg (7 Feb 2023)
-
-- tool_operate: move the 'updated' variable
-
- This was already done by Dan Fandrich in the previous PR but somehow I
- lost that fixup.
-
- Follow-up to 349c5391f2121e
-
-Dan Fandrich (7 Feb 2023)
-
-- tool_operate: Fix error codes during DOS filename sanitize
-
- It would return CURLE_URL_MALFORMAT in an OOM condition.
-
- Closes #10414
-
-- tool_operate: Fix error codes on bad URL & OOM
-
- curl would erroneously report CURLE_OUT_OF_MEMORY in some cases instead
- of CURLE_URL_MALFORMAT. In other cases, it would erroneously return
- CURLE_URL_MALFORMAT instead of CURLE_OUT_OF_MEMORY. Add a test case to
- test the former condition.
-
- Fixes #10130
- Closes #10414
-
-Daniel Stenberg (6 Feb 2023)
-
-- setopt: use >, not >=, when checking if uarg is larger than uint-max
-
- Closes #10421
-
-- vtls: fix failf() format argument type for %.*s handling
-
- Reported by Coverity
-
- Closes #10422
-
-- openssl: fix "Improper use of negative value"
-
- By getting the socket first and returning error in case of bad socket.
-
- Detected by Coverity.
-
- Closes #10423
-
-Dan Fandrich (6 Feb 2023)
-
-- packages: Remove Android.mk from makefile
-
- This was missed in commit #44141512
-
- Ref: #10418
-
-Daniel Stenberg (6 Feb 2023)
-
-- curl_ws_send.3: clarify how to send multi-frame messages
-
-Mike Duglas (6 Feb 2023)
-
-- ws: fix multiframe send handling
-
- Fixes #10413
- Closes #10420
-
-Daniel Stenberg (6 Feb 2023)
-
-- unit2600: make sure numerical curl_easy_setopt sets long
-
- Follow-up to 671158242db3203
-
- Reported-by: Marcel Raad
- Fixes #10410
- Closes #10419
-
-Andy Alt (6 Feb 2023)
-
-- GHA: move Slackware test into matrix
-
- Closes #10412
-
-Pronyushkin Petr (6 Feb 2023)
-
-- urlapi: fix part of conditional expression is always true: qlen
-
- Closes #10408
-
-- url: fix part of conditional expression is always true
-
- Closes #10407
-
-Daniel Stenberg (6 Feb 2023)
-
-- RELEASE-NOTES: synced
-
-Philip Heiduck (6 Feb 2023)
-
-- GHA/macos.yml: bump to gcc-12
-
- Closes #10415
-
-Daniel Stenberg (6 Feb 2023)
-
-- packages: remove Android, update README
-
- - Nobody builds curl for Android using this anymore
- - Refreshed the README and converted to markdown
-
- Reported-by: John Porter
- Fixes #10416
- Closes #10418
-
-Kvarec Lezki (5 Feb 2023)
-
-- fopen: remove unnecessary assignment
-
- [CWE-1164] V1048: The '* tempname' variable was assigned the same value.
-
- Ref: https://pvs-studio.com/en/docs/warnings/v1048/
-
- Closes https://github.com/curl/curl/pull/10398
-
-Gisle Vanem (5 Feb 2023)
-
-- libtest: add a sleep macro for Windows
-
- .. because sleep() is used in some libtests.
-
- Closes https://github.com/curl/curl/pull/10295
-
-Kvarec Lezki (3 Feb 2023)
-
-- http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
-
- V220: Suspicious sequence of types castings: memsize -> 32-bit integer -> mem
- size.
-
- https://pvs-studio.com/en/docs/warnings/v220/
-
- Closes #10400
-
-Daniel Stenberg (3 Feb 2023)
-
-- mailmap: Thomas1664 on github
-
-Thomas1664 on github (3 Feb 2023)
-
-- CURLOPT_WRITEFUNCTION.3: fix memory leak in example
-
- Closes #10390
-
-Kvarec Lezki (3 Feb 2023)
-
-- doh: ifdef IPv6 code
-
- For disabled IPv6 a condition (conn->ip_version != CURL_IPRESOLVE_V4) is
- always false. https://pvs-studio.com/en/docs/warnings/v560/
-
- Closes #10397
-
-Daniel Stenberg (3 Feb 2023)
-
-- urlapi: remove pathlen assignment
-
- "Value stored to 'pathlen' is never read"
-
- Follow-up to 804d5293f89
-
- Reported-by: Kvarec Lezki
-
- Closes #10405
-
-Kvarec Lezki (3 Feb 2023)
-
-- http: fix "part of conditional expression is always false"
-
- [CWE-570] V560: A part of conditional expression is always false: conn->bits.
- authneg.
- [CWE-570] V560: A part of conditional expression is always false: conn->handl
- er->protocol & (0 | 0).
-
- https://pvs-studio.com/en/docs/warnings/v560/
-
- Closes #10399
-
-Daniel Stenberg (2 Feb 2023)
-
-- urlapi: skip the extra dedotdot alloc if no dot in path
-
- Saves an allocation for many/most URLs.
-
- Updates test 1395 accordingly
-
- Closes #10403
-
-Stefan Eissing (2 Feb 2023)
-
-- connections: introduce http/3 happy eyeballs
-
- New cfilter HTTP-CONNECT for h3/h2/http1.1 eyeballing.
- - filter is installed when `--http3` in the tool is used (or
- the equivalent CURLOPT_ done in the library)
- - starts a QUIC/HTTP/3 connect right away. Should that not
- succeed after 100ms (subject to change), a parallel attempt
- is started for HTTP/2 and HTTP/1.1 via TCP
- - both attempts are subject to IPv6/IPv4 eyeballing, same
- as happens for other connections
- - tie timeout to the ip-version HAPPY_EYEBALLS_TIMEOUT
- - use a `soft` timeout at half the value. When the soft timeout
- expires, the HTTPS-CONNECT filter checks if the QUIC filter
- has received any data from the server. If not, it will start
- the HTTP/2 attempt.
-
- HTTP/3(ngtcp2) improvements.
- - setting call_data in all cfilter calls similar to http/2 and vtls filters
- for use in callback where no stream data is available.
- - returning CURLE_PARTIAL_FILE for prematurely terminated transfers
- - enabling pytest test_05 for h3
- - shifting functionality to "connect" UDP sockets from ngtcp2
- implementation into the udp socket cfilter. Because unconnected
- UDP sockets are weird. For example they error when adding to a
- pollset.
-
- HTTP/3(quiche) improvements.
- - fixed upload bug in quiche implementation, now passes 251 and pytest
- - error codes on stream RESET
- - improved debug logs
- - handling of DRAIN during connect
- - limiting pending event queue
-
- HTTP/2 cfilter improvements.
- - use LOG_CF macros for dynamic logging in debug build
- - fix CURLcode on RST streams to be CURLE_PARTIAL_FILE
- - enable pytest test_05 for h2
- - fix upload pytests and improve parallel transfer performance.
-
- GOAWAY handling for ngtcp2/quiche
- - during connect, when the remote server refuses to accept new connections
- and closes immediately (so the local conn goes into DRAIN phase), the
- connection is torn down and a another attempt is made after a short grace
- period.
- This is the behaviour observed with nghttpx when we tell it to shut
- down gracefully. Tested in pytest test_03_02.
-
- TLS improvements
- - ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, repl
- aces
- copy of logic in all tls backends.
- - standardized the infof logging of offered ALPNs
- - ALPN negotiated: have common function for all backends that sets alpn propr
- ty
- and connection related things based on the negotiated protocol (or lack the
- reof).
-
- - new tests/tests-httpd/scorecard.py for testing h3/h2 protocol implementatio
- n.
- Invoke:
- python3 tests/tests-httpd/scorecard.py --help
- for usage.
-
- Improvements on gathering connect statistics and socket access.
- - new CF_CTRL_CONN_REPORT_STATS cfilter control for having cfilters
- report connection statistics. This is triggered when the connection
- has completely connected.
- - new void Curl_pgrsTimeWas(..) method to report a timer update with
- a timestamp of when it happend. This allows for updating timers
- "later", e.g. a connect statistic after full connectivity has been
- reached.
- - in case of HTTP eyeballing, the previous changes will update
- statistics only from the filter chain that "won" the eyeballing.
- - new cfilter query CF_QUERY_SOCKET for retrieving the socket used
- by a filter chain.
- Added methods Curl_conn_cf_get_socket() and Curl_conn_get_socket()
- for convenient use of this query.
- - Change VTLS backend to query their sub-filters for the socket when
- checks during the handshake are made.
-
- HTTP/3 documentation on how https eyeballing works.
-
- TLS improvements
- - ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, repl
- aces
- copy of logic in all tls backends.
- - standardized the infof logging of offered ALPNs
- - ALPN negotiated: have common function for all backends that sets alpn propr
- ty
- and connection related things based on the negotiated protocol (or lack the
- reof).
-
- Scorecard with Caddy.
- - configure can be run with `--with-test-caddy=path` to specify which caddy t
- o use for testing
- - tests/tests-httpd/scorecard.py now measures download speeds with caddy
-
- pytest improvements
- - adding Makfile to clean gen dir
- - adding nghttpx rundir creation on start
- - checking httpd version 2.4.55 for test_05 cases where it is needed. Skippin
- g with message if too old.
- - catch exception when checking for caddy existance on system.
-
- Closes #10349
-
-Daniel Stenberg (2 Feb 2023)
-
-- CODEOWNERS: remove the peeps mentioned as CI owners
-
- These owners do not have the bandwidth/energy to do the reviews which
- makes PRs stall and this ownership claim flawed. We can bring people
- back when the situation is different.
-
- Follow-up to c04c78ac87c4d46737934345a
-
- Closes #10386
-
-Martin D'Aloia (2 Feb 2023)
-
-- write-out.d: add 'since version' to %{header_json} documentation
-
- The documentation of `%{header_json}` missed to mention since which
- version this variable for `--write-out` is present.
-
- Based on commit https://github.com/curl/curl/commit/4133a69f2daa476bb
- we can determine from the tags were this commit is present that the
- first version to include it was `7.83.0`.
- This could be also checked with:
- `git tag --contains 4133a69f2daa476bb6d902687f1dd6660ea9c3c5`
-
- Closes #10395
-
-Daniel Stenberg (1 Feb 2023)
-
-- urlapi: avoid Curl_dyn_addf() for hex outputs
-
- Inspired by the recent fixes to escape.c, we should avoid calling
- Curl_dyn_addf() in loops, perhaps in particular when adding something so
- simple as %HH codes - for performance reasons. This change makes the
- same thing for the URL parser's two URL-encoding loops.
-
- Closes #10384
-
-- urlapi: skip path checks if path is just "/"
-
- As a miniscule optimization, treat a path of the length 1 as the same as
- non-existing, as it can only be a single leading slash, and that's what
- we do for no paths as well.
-
- Closes #10385
-
-Philip Heiduck (1 Feb 2023)
-
-- GHA/macos: use Xcode_14.0.1 for cmake builds
-
- Fixes #10356
- Closes #10381
-
-Viktor Szakats (1 Feb 2023)
-
-- tls: fixes for wolfssl + openssl combo builds
-
- 1. Add `USE_WOLFSSL` to the TLS backend priority list in
- `lib/curl_ntlm_core.c`.
-
- 2. Fix `lib/curl_ntlm_core.h` to respect TLS backend priority, bringing
- it in sync with the above list and `lib/curl_ntlm_core.c` itself.
-
- Reported-by: Mark Roszko
- Ref: https://github.com/curl/curl/issues/10321
-
- 3. Allow enabling both wolfSSL and OpenSSL at the same time in
- `lib/Makefile.mk` bringing this in line with cmake/autotools builds.
- Update logic to select the crypto-specific lib for `ngtcp2`, which
- supports a single TLS backend at the same time.
-
- Closes #10322
-
-Daniel Stenberg (1 Feb 2023)
-
-- RELEASE-NOTES: synced
-
-- docs/INSTALL: document how to use multiple TLS backends
-
- And document how OpenSSL forks and wolfSSL cannot be used at the same
- time.
-
- Reported-by: Mark Roszko
- Fixes #10321
- Closes #10382
-
-Kvarec Lezki (1 Feb 2023)
-
-- cookies: fp is always not NULL
-
- Closes #10383
-
-Daniel Stenberg (31 Jan 2023)
-
-- escape: use table lookup when adding %-codes to output
-
- On my dev host, this code runs 7.8 times faster.
-
- Closes #10377
-
-- unit2600: avoid error: ‘TEST_CASES’ defined but not used
-
- Follow-up to d55de24dce9d51
-
- Closes #10379
-
-- escape: hex decode with a lookup-table
-
- Makes the decoding 2.8 times faster in my tests.
-
- Closes #10376
-
-- cf-socket: fix build error wo TCP_FASTOPEN_CONNECT
-
- Follow-up to 5651a36d1a
-
- Closes #10378
-
- Reviewed-by: Stefan Eissing
-
-Stefan Eissing (31 Jan 2023)
-
-- CI: add pytest github workflow to CI test/tests-httpd on a HTTP/3 setup
-
- Closes #10317
-
-- connect: fix strategy testing for attempts, timeouts and happy-eyeball
-
- - add test2600 as a unit test that triggers various connect conditions
- and monitors behaviour, available in a debug build only.
-
- - this exposed edge cases in connect.c that have been fixed
-
- Closes #10312
-
-- cf-socket: improvements in socket I/O handling
-
- - Curl_write_plain/Curl_read_plain have been eliminated. Last code use
- now uses Curl_conn_send/recv so that requests use conn->send/revc
- callbacks which defaults to cfilters use.
- - Curl_recv_plain/Curl_send_plain have been internalized in cf-socket.c.
- - USE_RECV_BEFORE_SEND_WORKAROUND (active on Windows) has been moved
- into cf-socket.c. The pre_recv buffer is held at the socket filter
- context. `postponed_data` structures have been removed from
- `connectdata`.
- - the hanger in HTTP/2 request handling was a result of read buffering
- on all sends and the multi handling is not prepared for this. The
- following happens:
-
- - multi preforms on a HTTP/2 easy handle
- - h2 reads and processes data
- - this leads to a send of h2 data
- - which receives and buffers before the send
- - h2 returns
- - multi selects on the socket, but no data arrives (its in the buffer alre
- ady)
- the workaround now receives data in a loop as long as there is something i
- n
- the buffer. The real fix would be for multi to change, so that `data_pendi
- ng`
- is evaluated before deciding to wait on the socket.
-
- io_buffer, optional, in cf-socket.c, http/2 sets state.drain if lower
- filter have pending data.
-
- This io_buffer is only available/used when the
- -DUSE_RECV_BEFORE_SEND_WORKAROUND is active, e.g. on Windows
- configurations. It also maintains the original checks on protocol
- handler being HTTP and conn->send/recv not being replaced.
-
- The HTTP/2 (nghttp2) cfilter now sets data->state.drain when it finds
- out that the "lower" filter chain has still pending data at the end of
- its IO operation. This prevents the processing from becoming stalled.
-
- Closes #10280
-
-Daniel Stenberg (31 Jan 2023)
-
-- openssl: only use CA_BLOB if verifying peer
-
- Reported-by: Paul Groke
- Bug: https://curl.se/mail/lib-2023-01/0070.html
- Fixes #10351
- Closes #10359
-
-Thomas1664 on github (31 Jan 2023)
-
-- curl_free.3: fix return type of `curl_free`
-
- Fixes #10373
- Closes #10374
-
-Daniel Stenberg (30 Jan 2023)
-
-- zuul: stop using this CI service
-
- The important jobs have already transitioned. The remaining ones we can
- skip for now.
-
- Closes #10368
-
-- copyright: remove "m4/ax_compile_check_sizeof.m4" from skips
-
- and report if skipped files do not exist.
-
- Follow-up to 9e11c2791fb960758 which removed the file.
-
- Closes #10369
-
-- ws: unstick connect-only shutdown
-
- As this mode uses blocking sockets, it must set them back to
- non-blocking in disconnect to avoid the risk of getting stuck.
-
- Closes #10366
-
-- ws: remove bad assert
-
- Reported-by: Stanley Wucw
- Fixes #10347
- Closes #10366
-
-- openssl: adapt to boringssl's error code type
-
- BoringSSL uses uint32_t, OpenSSL uses 'unsigned 'long'
-
- Closes #10360
-
-- tool_operate: repair --rate
-
- Regression from a55256cfb242 (7.87.0)
- Reported-by: highmtworks on github
- Fixes #10357
- Closes #10358
-
-- dict: URL decode the entire path always
-
- Reported-by: dekerser on github
- Fixes #10298
- Closes #10354
-
-Stefan Eissing (29 Jan 2023)
-
-- vtls: do not null-check when we already assume cf-ctx exists
-
- Fixes #10361
- Closes #10362
-
-Daniel Stenberg (29 Jan 2023)
-
-- RELEASE-NOTES: synced
-
-- CURLOPT_READFUNCTION.3: the callback 'size' arg is always 1
-
- Reported-by: Brian Green
- Fixes #10328
- Closes #10355
-
-- copyright.pl: cease doing year verifications
-
- As we have (mostly) removed the copyright year ranges.
-
- Reported-by: Ryan Schmidt
- Fixes #10345
- Closes #10352
-
-Dan Fandrich (28 Jan 2023)
-
-- CI: Work around a labeler bug that removes labels
-
-Jay Satiro (26 Jan 2023)
-
-- write-out.d: clarify Windows % symbol escaping
-
- - Clarify that in Windows batch files the % must be escaped as %%, and
- at the command prompt it cannot be escaped which could lead to
- incorrect expansion.
-
- Prior to this change the doc implied % must be escaped as %% in win32
- always.
-
- ---
-
- Examples showing how a write-out argument is received by curl:
-
- If curl --write-out "%{http_code}" is executed in a batch file:
- {http_code}
-
- If curl --write-out "%%{http_code}" is executed in a batch file:
- %{http_code}
-
- If curl --write-out "%{http_code}" is executed from the command prompt:
- %{http_code}
-
- If curl --write-out "%%{http_code}" is executed from the command prompt:
- %%{http_code}
-
- At the command prompt something like "%{speed_download}%{http_code}"
- would first be parsed by the command interpreter as %{speed_download}%
- and would be expanded as environment variable {speed_download} if it
- existed, though that's highly unlikely since Windows environment names
- don't use braces.
-
- ---
-
- Reported-by: Muhammad Hussein Ammari
-
- Ref: https://github.com/bagder/everything-curl/pull/279
-
- Fixes https://github.com/curl/curl/issues/10323
- Closes https://github.com/curl/curl/pull/10337
-
-Ryan Schmidt (26 Jan 2023)
-
-- connect: Fix build when not ENABLE_IPV6
-
- Check for ENABLE_IPV6 before accessing AF_INET6. Fixes build failure
- introduced in 1c5d8ac.
-
- Closes https://github.com/curl/curl/pull/10344
-
-- cf-socket: Fix build when not HAVE_GETPEERNAME
-
- Remove remaining references to conn and sockfd, which were removed from
- the function signature when conninfo_remote was renamed to
- conn_set_primary_ip in 6a8d7ef.
-
- Closes https://github.com/curl/curl/pull/10343
-
-Stefan Eissing (26 Jan 2023)
-
-- vtls: Manage current easy handle in nested cfilter calls
-
- The previous implementation cleared `data` so the outer invocation lost
- its data, which could lead to a crash.
-
- Bug: https://github.com/curl/curl/issues/10336
- Reported-by: Fujii Hironori
-
- Closes https://github.com/curl/curl/pull/10340
-
-Dan Fandrich (25 Jan 2023)
-
-- CI: Add even more paths to the labeler config (#10326)
-
-- scripts: Fix Appveyor job detection in cijobs.pl
-
- The reorganization in #9769 broke the script. This should probably be
- rewritten to use a YAML parser for better upward compatibility.
-
-- CI: Add a few more paths to the labeler config (#10326)
-
-- CI: Switch the labeler event to pull_request_target
-
- Otherwise, the action won't work on PRs from forked repositories
- (#10326).
-
-Viktor Szakats (25 Jan 2023)
-
-- cmake: delete redundant macro definition `SECURITY_WIN32`
-
- Stop explicitly defining `SECURITY_WIN32` in CMake builds.
-
- No other build systems define this macro, because it's unconditionally
- defined in `lib/curl_sspi.h` already. This is the only curl source using
- the `sspi.h` and `security.h` Win32 headers, and no other Win32 headers
- need this macro.
-
- Reviewed-by: Jay Satiro
- Closes #10341
-
-Fredrik (24 Jan 2023)
-
-- winbuild: document that arm64 is supported
-
- Building an arm64 version works flawlessly with the VS arm64 toolset.
-
- Closes https://github.com/curl/curl/pull/10332
-
-Cherish98 (24 Jan 2023)
-
-- openssl: don't log raw record headers
-
- - Skip content type SSL3_RT_HEADER in verbose TLS output.
-
- This commit prevents bogus and misleading verbose TLS header messages as
- discussed in #10299.
-
- Assisted-by: Peter Wu
-
- Closes https://github.com/curl/curl/pull/10299
-
-Marc Aldorasi (24 Jan 2023)
-
-- cmake: use list APPEND syntax for CMAKE_REQUIRED_DEFINITIONS
-
- - Use list() instead of set() for CMAKE_REQUIRED_DEFINITIONS list since
- the former is clearer.
-
- Closes https://github.com/curl/curl/pull/10272
-
-Dan Fandrich (23 Jan 2023)
-
-- CI: Add a workflow to automatically label pull requests
-
- The labeler language is quite restrictive right now so labels are added
- quite conservatively, meaning that many PRs won't get labels when it's
- "obvious" they should. It will still save some manual work on those
- that it can label.
-
-Jay Satiro (21 Jan 2023)
-
-- system.h: assume OS400 is always built with ILEC compiler
-
- Prior to this change the OS400 types were only defined when __ILEC400__.
- That symbol is only defined by IBM's C compiler and not their C++
- compiler, which led to missing types when users on OS400 would compile a
- C++ application that included curl.
-
- The IBM C and C++ compilers are the only native compilers on the
- platform.
-
- Assisted-by: Jon Rumsey
- Reported-by: John Sherrill
-
- Fixes https://github.com/curl/curl/issues/10305
- Closes https://github.com/curl/curl/pull/10329
-
-xgladius (20 Jan 2023)
-
-- cmake: Remove deprecated symbols check
-
- curl stopped use of CMAKE_USE_ as a prefix for its own build symbols in
- 2021 and added a check, meant to last 1 year, to fatally error on those
- symbols. This commit removes that check.
-
- Closes https://github.com/curl/curl/pull/10314
-
-Dan Fandrich (20 Jan 2023)
-
-- docs: POSTFIELDSIZE must be set to -1 with read function
-
- Reported-by: RanBarLavie on github
-
- Closes #10313
-
-Stefan Eissing (20 Jan 2023)
-
-- vtls: fix hostname handling in filters
-
- - Copy the hostname and dispname to ssl_connect_data.
-
- Use a copy instead of referencing the `connectdata` instance since this
- may get free'ed on connection reuse.
-
- Reported-by: Stefan Talpalaru
- Reported-by: sergio-nsk@users.noreply.github.com
-
- Fixes https://github.com/curl/curl/issues/10273
- Fixes https://github.com/curl/curl/issues/10309
-
- Closes https://github.com/curl/curl/pull/10310
-
-Sergey Bronnikov (17 Jan 2023)
-
-- lib: fix typos
-
- Closes https://github.com/curl/curl/pull/10307
-
-- curl_version_info.3: fix typo
-
- Closes https://github.com/curl/curl/pull/10306
-
-Jay Satiro (17 Jan 2023)
-
-- openssl: Don't ignore CA paths when using Windows CA store (redux)
-
- .. and remove 'experimental' designation from CURLSSLOPT_NATIVE_CA.
-
- This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it
- does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded
- default locations. Instead the native Windows CA store can be used at
- the same time.
-
- ---
-
- This behavior was originally added over two years ago in abbc5d60
- (#5585) but then 83393b1a (#7892) broke it over a year ago, I assume
- inadvertently.
-
- The CURLSSLOPT_NATIVE_CA feature was marked experimental and likely
- rarely used.
-
- Ref: https://github.com/curl/curl/pull/5585
- Ref: https://github.com/curl/curl/pull/7892
- Ref: https://curl.se/mail/lib-2023-01/0019.html
-
- Closes https://github.com/curl/curl/pull/10244
-
-Daniel Stenberg (13 Jan 2023)
-
-- RELEASE-NOTES: synced
-
-- ws: fix autoping handling
-
- Reported-by: Alexey Savchuk
- Fixes #10289
- Closes #10294
-
-- curl_log: avoid printf() format checking with mingw
-
- Since it does not seem to like %zu and more
-
- Follow-up to db91dbbf2
-
- Fixes #10291
- Closes #10292
-
-- tool_getparam: fix compiler warning when !HAVE_WRITABLE_ARGV
-
- Follow-up to 2ed0e1f70ee176edf3d2
-
- Closes #10286
-
-Stefan Eissing (12 Jan 2023)
-
-- openssl: make the BIO_METHOD a local variable in the connection filter
-
- This avoids UAF issues when `curl_global_cleanup()` is called before all
- transfers have been completely handled. Unfortunately this seems to be a
- more common pattern than we like.
-
- Closes #10285
-
-Daniel Stenberg (12 Jan 2023)
-
-- curl: output warning at --verbose output for debug-enabled version
-
- + a libcurl warning in the debug output
-
- Assisted-by: Jay Satiro
-
- Ref: https://curl.se/mail/lib-2023-01/0039.html
- Closes #10278
-
-- src: add --http3-only
-
- Warning: --http3 and --http3-only are subject to change again (or be
- removed) before HTTP/3 support goes non-experimental.
-
- Closes #10264
-
-- curl.h: add CURL_HTTP_VERSION_3ONLY
-
- As the previous CURL_HTTP_VERSION_3 option gets a slightly altered meaning.
-
- Closes #10264
-
-- connect: fix access of pointer before NULL check
-
- Detected by Coverity CID 1518992
-
- Closes #10284
-
-Daniel Gustafsson (12 Jan 2023)
-
-- easyoptions: Fix header printing in generation script
-
- The optiontable.pl script prints the header comment when generating
- easyoptions.c, but it wasn't escaping all characters which jumbled the
- curl ascii logo. Fix by escaping.
-
- Cloes #10275
-
-Harry Sintonen (12 Jan 2023)
-
-- tool_getparam: fix hiding of command line secrets
-
- Closes #10276
-
-Stefan Eissing (12 Jan 2023)
-
-- tests: document the cfilter debug logging options
-
- Closes #10283
-
-- curl_log: for failf/infof and debug logging implementations
-
- - new functions and macros for cfilter debugging
- - set CURL_DEBUG with names of cfilters where debug logging should be
- enabled
- - use GNUC __attribute__ to enable printf format checks during compile
-
- Closes #10271
-
-Daniel Stenberg (10 Jan 2023)
-
-- RELEASE-NOTES: synced
-
-Nick Banks (10 Jan 2023)
-
-- msh3: update to v0.6
-
- Closes #10192
-
-Stefan Eissing (10 Jan 2023)
-
-- ngtcp2: add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl
-
- Using common method for SSL_CTX initialization of verfiy peer and CA
- settings. This also provides X509_STORE sharing to become available for
- ngtcp2+openssl HTTP/3.
-
- Reported-by: violetlige on github
-
- Fixes #10222
- Closes #10239
-
-Daniel Stenberg (10 Jan 2023)
-
-- cf-socket: make infof() call use %zu for size_t output
-
- Detected by Coverity CID 1518986 and CID 1518984
-
- Closes #10268
-
-Jon Rumsey (10 Jan 2023)
-
-- os400: fixes to make-lib.sh and initscript.sh
-
- Adjust how exports list is generated from header files to account for
- declarations across multiple lines and CURL_DEPRECATED(...) tags.
-
- Update initscript.sh
-
- Specify qadrt_use_inline to prevent unistd.h in ASCII runtime defining
- close(a) -> close_a(a)
-
- Fixes #10266
- Closes #10267
-
-Stefan Eissing (9 Jan 2023)
-
-- tests-httpd: basic infra to run curl against an apache httpd plus nghttpx for
- h3
-
- - adding '--with-test-httpd=<path>' to configure non-standard apache2
- install
- - python env and base classes for running httpd
- - basic tests for connectivity with h1/h2/h3
- - adding test cases for truncated responses in http versions.
- - adding goaway test for HTTP/3.
- - adding "stuttering" tests with parallel downloads in chunks with
- varying delays between chunks.
-
- - adding a curltest module to the httpd server, adding GOAWAY test.
- - mod_curltest now installs 2 handlers
- - 'echo': writing as response body what came as request body
- - 'tweak': with query parameters to tweak response behaviour
- - marked known fails as skip for now
-
- Closes #10175
-
-- quic: improve connect error message, debugging info, fix false connect report
-
- - ECONNECTREFUSED has not its own fail message in quic filters
- - Debug logging in connect eyballing improved
- - Fix bug in ngtcp2/quiche that could lead to false success reporting.
-
- Reported-by: Divy Le Ray
-
- Fixes #10245
- Closes #10248
-
-- quiche: fix build without any HTTP/2 implementation
-
- Fixes #10260
- Closes #10263
-
-Daniel Stenberg (9 Jan 2023)
-
-- .github/workflows/linux.yml: add a quiche CI job
-
- Move over from zuul
-
- Closes #10241
-
-- curl.h: allow up to 10M buffer size
-
- Bump the limit from 512K. There might be reasons for applications using
- h3 to set larger buffers and there is no strong reason for curl to have
- a very small maximum.
-
- Ref: https://curl.se/mail/lib-2023-01/0026.html
-
- Closes #10256
-
-Tatsuhiro Tsujikawa (8 Jan 2023)
-
-- GHA: use designated ngtcp2 and its dependencies versions
-
- Designate ngtcp2 and its dependency versions so that the CI build does
- not fail without our control.
-
- Closes #10257
-
-Daniel Stenberg (8 Jan 2023)
-
-- docs/cmdline-opts/hsts.d: explain hsts more
-
- Closes #10258
-
-Stefan Eissing (8 Jan 2023)
-
-- msh3: run again in its cfilter
-
- - test 2500, single GET works
- - test 2501, single POST stalls
- - test 2502, multiple, sequential GETs each use a new connection since
- MsH3ConnectionGetState(qconn) no longer reports CONNECTED after one
- GET.
-
- Closes #10204
-
-Jay Satiro (8 Jan 2023)
-
-- sendf: fix build for Linux TCP fastopen
-
- - Fix the remote addr struct dereference.
-
- - Include cf-socket.h in urldata.h.
-
- Follow-up to 6a8d7ef9 which changed conn->ipaddr (Curl_addrinfo* )
- member to conn->remote_addr (Curl_sockaddr_ex *) several days ago.
-
- Reported-by: Stephan Guilloux
-
- Fixes https://github.com/curl/curl/issues/10249
- Closes https://github.com/curl/curl/pull/10250
-
-Daniel Stenberg (7 Jan 2023)
-
-- RELEASE-NOTES: synced
-
-- setopt: move the SHA256 opt within #ifdef libssh2
-
- Because only the libssh2 backend not supports it and thus this should
- return error if this option is used other backends.
-
- Reported-by: Harry Sintonen
-
- Closes #10255
-
-Patrick Monnerat (7 Jan 2023)
-
-- nss: implement data_pending method
-
- NSS currently uses the default Curl_none_data_pending() method which
- always returns false, causing TLS buffered input data to be missed.
-
- The current commit implements the nss_data_pending() method that properly
- monitors the presence of available TLS data.
-
- Ref:#10077
-
- Closes #10225
-
-Jay Satiro (6 Jan 2023)
-
-- CURLOPT_HEADERDATA.3: warn DLL users must set write function
-
- - Warn that in Windows if libcurl is running from a DLL and if
- CURLOPT_HEADERDATA is set then CURLOPT_WRITEFUNCTION or
- CURLOPT_HEADERFUNCTION must be set as well, otherwise the user may
- experience crashes.
-
- We already have a similar warning in CURLOPT_WRITEDATA. Basically, in
- Windows libcurl could crash writing a FILE pointer that was created by
- a different C runtime. In Windows each DLL that is part of a program may
- or may not have its own C runtime.
-
- Ref: https://github.com/curl/curl/issues/10231
-
- Closes https://github.com/curl/curl/pull/10233
-
-Jon Rumsey (5 Jan 2023)
-
-- x509asn1: fix compile errors and warnings
-
- Various small issues when built for GSKit
-
- Closes #10238
-
-Patrick Monnerat (5 Jan 2023)
-
-- runtests: fix detection of TLS backends
-
- Built-in TLS backends are detected at test time by scanning for their
- names in the version string line returned by the cli tool: as this line
- may also list the libssh configuration that mentions its own backend,
- the curl backend may be wrongly determined.
-
- In example, if the version line contains "libssh/0.10.4/openssl/zlib",
- OpenSSL is detected as a curl-configured backend even if not.
-
- This fix requires the backend names to appear as full words preceded by
- spacing in the version line to be recognized as curl TLS backends.
-
- Closes #10236
-
-Andy Alt (5 Jan 2023)
-
-- GHA: add job on Slackware 15.0
-
- Closes #10230
-
-Daniel Stenberg (5 Jan 2023)
-
-- test363: make even smaller writes to loop more
-
-- http_proxy: do not assign data->req.p.http use local copy
-
- Avoid the tricky reusing of the data->req.p.http pointer for http proxy
- tunneling.
-
- Fixes #10194
- Closes #10234
-
-Stefan Eissing (5 Jan 2023)
-
-- quic: rename vquic implementations, fix for quiche build.
-
- - quiche in debug mode did not build, fixed.
- - moved all vquic implementation files to prefix curl_* to avoid
- the potential mixups between provided .h files and our own.
- - quich passes test 2500 and 2502. 2501, the POST, fail with
- the body being rejected. Quich bug?
-
- Closes #10242
-
-- sectransp: fix for incomplete read/writes
-
- SecureTransport expects result code errSSLWouldBlock when the requested
- length could not be sent/recieved in full. The previous code returned
- noErr, which let SecureTransport to believe that the IO had terminated
- prematurely.
-
- Fixes #10227
- Closes #10235
-
-Andy Alt (5 Jan 2023)
-
-- GHA: Hacktoberfest CI: Update deprecated 'set-output' command
-
- Closes #10221
-
-Jay Satiro (5 Jan 2023)
-
-- scripts: set file mode +x on all perl and shell scripts
-
- - Set all scripts +x, ie 644 => 755.
-
- Prior to this change some scripts were not executable and therefore
- could not be called directly.
-
- ~~~
- git ls-files -s \*.{sh,pl,py} | grep -v 100755
- ~~~
-
- Closes https://github.com/curl/curl/pull/10219
-
-Stefan Eissing (4 Jan 2023)
-
-- tool_operate: fix headerfile writing
-
- Do not rely on the first transfer started to be the first to get a
- response (remember -Z). All transfers now write the headefile (-D) in
- append mode, making sure that the order of transfer responses does not
- lead to overwrites of previous data.
-
- Closes #10224
-
-Daniel Stenberg (4 Jan 2023)
-
-- misc: reduce struct and struct field sizes
-
- - by using BIT() instead of bool
- - imap: shrink struct
- - ftp: make state 'unsigned char'
- - ftp: sort ftp_conn struct entries on size
- - urldata: use smaller fields for SSL version info storage
- - pop3: reduce the pop3_conn struct size
- - smtp: reduce the size of the smtp structs
-
- Closes #10186
-
-- noproxy: support for space-separated names is deprecated
-
- To be removed in July 2024.
-
- Assisted-by: Michael Osipov
- Fixes #10209
- Closes #10215
-
-Andrei Rybak (4 Jan 2023)
-
-- lib: fix typos in comments which repeat a word
-
- Remove erroneously duplicated words in code comments of files
- `lib.connect.c` and `lib/url.c`.
-
- Closes #10220
-
-Radek Brich (3 Jan 2023)
-
-- cmake: set SOVERSION also for macOS
-
- Closes #10214
-
-Jay Satiro (3 Jan 2023)
-
-- http2: fix compiler warning due to uninitialized variable
-
- Prior to this change http2_cfilter_add could return an uninitialized
- cfilter pointer in an OOM condition. In this case though, the pointer
- is discarded and not dereferenced so there was no risk of a crash.
|