author | dartraiden <wowemuh@gmail.com> | 2019-02-10 02:02:38 +0300 |
---|---|---|
committer | dartraiden <wowemuh@gmail.com> | 2019-02-10 02:06:58 +0300 |
commit | eee2c11f79a8958e65cc485af1e7afcbd394db1e (patch) | |
tree | 9ab4418393997629ef9dc7ae78089cbece595d0c /libs/libcurl/docs/CHANGES | |
parent | 33d2c8e71902aa37d3fc978cb91e0a842a600960 (diff) |
libcurl: update to 7.64
Diffstat (limited to 'libs/libcurl/docs/CHANGES')
-rw-r--r-- | libs/libcurl/docs/CHANGES | 7749 |
1 files changed, 7749 insertions, 0 deletions
diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES new file mode 100644 index 0000000000..b03c666643 --- /dev/null +++ b/libs/libcurl/docs/CHANGES 
@@ -0,0 +1,7749 @@ + _ _ ____ _ + ___| | | | _ \| | + / __| | | | |_) | | + | (__| |_| | _ <| |___ + \___|\___/|_| \_\_____| + + Changelog + +Version 7.64.0 (6 Feb 2019) + +Daniel Stenberg (6 Feb 2019) +- RELEASE-NOTES: 7.64.0 + +- RELEASE-PROCEDURE: update the release calendar + +- THANKS: 7.64.0 status + +Daniel Gustafsson (5 Feb 2019) +- ROADMAP: remove already performed item + + Commit 7a09b52c98ac8d840a8a9907b1a1d9a9e684bcf5 introduced support + for the draft-ietf-httpbis-cookie-alone-01 cookie draft, and while + the entry was removed from the TODO it was mistakenly left here. + Fix by removing and rewording the entry slightly. + + Closes #3530 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- [Etienne Simard brought this change] + + CONTRIBUTE.md: Fix grammatical errors + + Fix grammatical errors making the document read better. Also fixes + a typo. + + Closes #3525 + Reviewed-by: Daniel Gustafsson <daniel@yesql.se> + +Daniel Stenberg (4 Feb 2019) +- [Julian Z brought this change] + + docs: use $(INSTALL_DATA) to install man page + + Fixes #3518 + Closes #3522 + +Jay Satiro (4 Feb 2019) +- [Ladar Levison brought this change] + + runtests.pl: Fix perl call to include srcdir + + - Use explicit include opt for perl calls. + + Prior to this change some scripts couldn't find their dependencies. + + At the top, perl is called using with the "-Isrcdir" option, and it + works: + + https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L183 + + But on line 3868, that option is omitted. This caused problems for me, + as the symbol-scan.pl script in particular couldn't find its + dependencies properly: + + https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L3868 + + This patch fixes that oversight by making calls to perl sub-shells + uniform. 
+ + Closes https://github.com/curl/curl/pull/3496 + +Daniel Stenberg (4 Feb 2019) +- [Daniel Gustafsson brought this change] + + smtp: avoid risk of buffer overflow in strtol + + If the incoming len 5, but the buffer does not have a termination + after 5 bytes, the strtol() call may keep reading through the line + buffer until is exceeds its boundary. Fix by ensuring that we are + using a bounded read with a temporary buffer on the stack. + + Bug: https://curl.haxx.se/docs/CVE-2019-3823.html + Reported-by: Brian Carpenter (Geeknik Labs) + CVE-2019-3823 + +- ntlm: fix *_type3_message size check to avoid buffer overflow + + Bug: https://curl.haxx.se/docs/CVE-2019-3822.html + Reported-by: Wenxiang Qian + CVE-2019-3822 + +- NTLM: fix size check condition for type2 received data + + Bug: https://curl.haxx.se/docs/CVE-2018-16890.html + Reported-by: Wenxiang Qian + CVE-2018-16890 + +Marcel Raad (1 Feb 2019) +- [georgeok brought this change] + + spnego_sspi: add support for channel binding + + Attempt to add support for Secure Channel binding when negotiate + authentication is used. The problem to solve is that by default IIS + accepts channel binding and curl doesn't utilise them. The result was a + 401 response. Scope affects only the Schannel(winssl)-SSPI combination. + + Fixes https://github.com/curl/curl/issues/3503 + Closes https://github.com/curl/curl/pull/3509 + +Daniel Stenberg (1 Feb 2019) +- RELEASE-NOTES: synced + +- schannel: stop calling it "winssl" + + Stick to "Schannel" everywhere. The configure option --with-winssl is + kept to allow existing builds to work but --with-schannel is added as an + alias. + + Closes #3504 + +- multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time + + To make sure Curl_timeleft() also thinks the timeout has been reached + when one of the EXPIRE_*TIMEOUTs expires. 
+ + Bug: https://curl.haxx.se/mail/lib-2019-01/0073.html + Reported-by: Zhao Yisha + Closes #3501 + +- [John Marshall brought this change] + + doc: use meaningless port number in CURLOPT_LOCALPORT example + + Use an ephemeral port number here; previously the example had 8080 + which could be confusing as the common web server port number might + be misinterpreted as suggesting this option affects the remote port. + + URL: https://curl.haxx.se/mail/lib-2019-01/0084.html + Closes #3513 + +GitHub (29 Jan 2019) +- [Gisle Vanem brought this change] + + Escape the '\' + + A backslash should be escaped in Roff / Troff. + +Jay Satiro (29 Jan 2019) +- TODO: WinSSL: 'Add option to disable client cert auto-send' + + By default WinSSL selects and send a client certificate automatically, + but for privacy and consistency we should offer an option to disable the + default auto-send behavior. + + Reported-by: Jeroen Ooms + + Closes https://github.com/curl/curl/issues/2262 + +Daniel Stenberg (28 Jan 2019) +- [Jeremie Rapin brought this change] + + sigpipe: if mbedTLS is used, ignore SIGPIPE + + mbedTLS doesn't have a sigpipe management. If a write/read occurs when + the remote closes the socket, the signal is raised and kills the + application. Use the curl mecanisms fix this behavior. + + 
Signed-off-by: Jeremie Rapin <j.rapin@overkiz.com> + + Closes #3502 + +- unit1653: make it survive torture tests + +Jay Satiro (28 Jan 2019) +- [Michael Kujawa brought this change] + + timeval: Disable MSVC Analyzer GetTickCount warning + + Compiling with msvc /analyze and a recent Windows SDK warns against + using GetTickCount (Suggests to use GetTickCount64 instead.) + + Since GetTickCount is only being used when GetTickCount64 isn't + available, I am disabling that warning. + + Fixes https://github.com/curl/curl/issues/3437 + Closes https://github.com/curl/curl/pull/3440 + +Daniel Stenberg (26 Jan 2019) +- configure: rewrite --enable-code-coverage + + The previously used ax_code_coverage.m4 is not license compatible and + must not be used. + + Reported-by: William A. Rowe Jr + Fixes #3497 + Closes #3499 + +- [Felix Hädicke brought this change] + + setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh + + CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for + libssh as well. So accepting these options only when compiling with + libssh2 is wrong here. + + Fixes #3493 + Closes #3494 + +- [Felix Hädicke brought this change] + + libssh: do not let libssh create socket + + By default, libssh creates a new socket, instead of using the socket + created by curl for SSH connections. + + Pass the socket created by curl to libssh using ssh_options_set() with + SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket + instead of creating a new one. + + This approach is very similar to what is done in the libssh2 code, where + the socket created by curl is passed to libssh2 when + libssh2_session_startup() is called. 
+ + Fixes #3491 + Closes #3495 + +- RELEASE-NOTES: synced + +- [Archangel_SDY brought this change] + + schannel: preserve original certificate path parameter + + Fixes #3480 + Closes #3487 + +- KNOWN_BUGS: tests not compatible with python3 + + Closes #3289 + [skip ci] + +Daniel Gustafsson (20 Jan 2019) +- memcmp: avoid doing single char memcmp + + There is no real gain in performing memcmp() comparisons on single + characters, so change these to array subscript inspections which + saves a call and makes the code clearer. + + Closes #3486 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Jay Satiro <raysatiro@yahoo.com> + +Daniel Stenberg (19 Jan 2019) +- COPYING: it's 2019 + + [skip ci] + +- [hhb brought this change] + + configure: fix recv/send/select detection on Android + + This reverts commit d4f25201fb7da03fc88f90d51101beb3d0026db9. + + The overloadable attribute is removed again starting from + NDK17. Actually they only exist in two NDK versions (15 and 16). With + overloadable, the first condition tried will succeed. Results in wrong + detection result. + + Closes #3484 + +Marcel Raad (19 Jan 2019) +- [georgeok brought this change] + + ntlm_sspi: add support for channel binding + + Windows extended potection (aka ssl channel binding) is required + to login to ntlm IIS endpoint, otherwise the server returns 401 + responses. + + Fixes #3280 + Closes #3321 + +Daniel Stenberg (18 Jan 2019) +- schannel: on connection close there might not be a transfer + + Reported-by: Marcel Raad + Fixes #3412 + Closes #3483 + +- [Joel Depooter brought this change] + + ssh: log the libssh2 error message when ssh session startup fails + + When a ssh session startup fails, it is useful to know why it has + failed. 
This commit changes the message from: + "Failure establishing ssh session" + to something like this, for example: + "Failure establishing ssh session: -5, Unable to exchange encryption keys" + + Closes #3481 + +Alessandro Ghedini (16 Jan 2019) +- Fix typo in manpage + +Daniel Stenberg (16 Jan 2019) +- RELEASE-NOTES: synced + +Sergei Nikulov (16 Jan 2019) +- cmake: updated check for HAVE_POLL_FINE to match autotools + +Daniel Stenberg (16 Jan 2019) +- curl-compilers.m4: check for __ibmxl__ to detect xlclang + + Follow-up to 2fa0d57e2e3. The __xlc__ symbol is only defined there if a + particular flag is used for legacy macros. + + Fixes #3474 + Closes #3479 + +- openssl: fix the SSL_get_tlsext_status_ocsp_resp call + + .... to not pass in a const in the second argument as that's not how it + is supposed to be used and might cause compiler warnings. + + Reported-by: Pavel Pavlov + Fixes #3477 + Closes #3478 + +- curl-compilers.m4: detect xlclang + + Since it isn't totally clang compatible, we detect this IBM clang + front-end and if detected, avoids some clang specific magic. + + Reported-by: Kees Dekker + Fixes #3474 + Closes #3476 + +- README: add codacy code quality badge + + [skip ci] + +- extract_if_dead: follow-up to 54b201b48c90a + + extract_if_dead() dead is called from two functions, and only one of + them should get conn->data updated and now neither call path clears it. + + scan-build found a case where conn->data would be NULL dereferenced in + ConnectionExists() otherwise. + + Closes #3473 + +- multi: remove "Dead assignment" + + Found by scan-build. Follow-up to 4c35574bb785ce. + + Closes #3471 + +- tests: move objnames-* from lib into tests + + Since they're used purely for testing purposes, I think they should + rather be stored there. 
+ + Closes #3470 + +Sergei Nikulov (15 Jan 2019) +- travis: added cmake build for osx + +Daniel Stenberg (14 Jan 2019) +- [Frank Gevaerts brought this change] + + cookie: fix comment typo (url_path_len -> uri_path_len) + + Closes #3469 + +Marcel Raad (14 Jan 2019) +- winbuild: conditionally use /DZLIB_WINAPI + + zlibwapi.lib (dynamic library) and zlibstat.lib (static library) have + the ZLIB_WINAPI define set by default. Using them requires that define + too. + + Ref: https://zlib.net/DLL_FAQ.txt + + Fixes https://github.com/curl/curl/issues/3133 + Closes https://github.com/curl/curl/pull/3460 + +Daniel Stenberg (14 Jan 2019) +- src/Makefile: make 'tidy' target work for metalink builds + +- extract_if_dead: use a known working transfer when checking connections + + Make sure that this function sets a proper "live" transfer for the + connection before calling the protocol-specific connection check + function, and then clear it again afterward as a non-used connection has + no current transfer. + + Reported-by: Jeroen Ooms + Reviewed-by: Marcel Raad + Reviewed-by: Daniel Gustafsson + Fixes #3463 + Closes #3464 + +- openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated + + OpenSSL_version() replaces OpenSSL_version_num() + + Closes #3462 + +Sergei Nikulov (11 Jan 2019) +- cmake: added checks for HAVE_VARIADIC_MACROS_C99 and HAVE_VARIADIC_MACROS_GCC + +Daniel Stenberg (11 Jan 2019) +- urldata: rename easy_conn to just conn + + We use "conn" everywhere to be a pointer to the connection. + + Introduces two functions that "attaches" and "detaches" the connection + to and from the transfer. + + Going forward, we should favour using "data->conn" (since a transfer + always only has a single connection or none at all) to "conn->data" + (since a connection can have none, one or many transfers associated with + it and updating conn->data to be correct is error prone and a frequent + reason for internal issues). 
+ + Closes #3442 + +- tool_cb_prg: avoid integer overflow + + When calculating the progress bar width. + + Reported-by: Peng Li + Fixes #3456 + Closes #3458 + +Daniel Gustafsson (11 Jan 2019) +- travis: turn off copyright year checks in checksrc + + Invoking the maintainer intended COPYRIGHTYEAR check for everyone + in the PR pipeline is too invasive, especially at the turn of the + year when many files get affected. Remove and leave it as a tool + for maintainers to verify patches before commits. + + This reverts f7bdf4b2e1d81b2652b81b9b3029927589273b41. + + After discussion with: Daniel Stenberg + +Daniel Stenberg (10 Jan 2019) +- KNOWN_BUGS: cmake makes unusable tool_hugehelp.c with MinGW + + Closes #3125 + +- KNOWN_BUGS: Improve --data-urlencode space encoding + + Closes #3229 + +Patrick Monnerat (10 Jan 2019) +- os400: add a missing closing bracket + + See https://github.com/curl/curl/issues/3453#issuecomment-453054458 + + Reported-by: jonrumsey on github + +- os400: fix extra parameter syntax error. + + Reported-by: jonrumsey on github + Closes #3453 + +Daniel Stenberg (10 Jan 2019) +- test1558: verify CURLINFO_PROTOCOL on file:// transfer + + Attempt to reproduce issue #3444. + + Closes #3447 + +- RELEASE-NOTES: synced + +- xattr: strip credentials from any URL that is stored + + Both user and password are cleared uncondtitionally. + + Added unit test 1621 to verify. + + Fixes #3423 + Closes #3433 + +- cookies: allow secure override when done over HTTPS + + Added test 1562 to verify. + + Reported-by: Jeroen Ooms + Fixes #3445 + Closes #3450 + +- multi: multiplexing improvements + + Fixes #3436 + Closes #3448 + + Problem 1 + + After LOTS of scratching my head, I eventually realized that even when doing + 10 uploads in parallel, sometimes the socket callback to the application that + tells it what to wait for on the socket, looked like it would reflect the + status of just the single transfer that just changed state. 
+ + Digging into the code revealed that this was indeed the truth. When multiple + transfers are using the same connection, the application did not correctly get + the *combined* flags for all transfers which then could make it switch to READ + (only) when in fact most transfers wanted to get told when the socket was + WRITEABLE. + + Problem 1b + + A separate but related regression had also been introduced by me when I + cleared connection/transfer association better a while ago, as now the logic + couldn't find the connection and see if that was marked as used by more + transfers and then it would also prematurely remove the socket from the socket + hash table even in times other transfers were still using it! + + Fix 1 + + Make sure that each socket stored in the socket hash has a "combined" action + field of what to ask the application to wait for, that is potentially the ORed + action of multiple parallel transfers. And remove that socket hash entry only + if there are no transfers left using it. + + Problem 2 + + The socket hash entry stored an association to a single transfer using that + socket - and when curl_multi_socket_action() was called to tell libcurl about + activities on that specific socket only that transfer was "handled". + + This was WRONG, as a single socket/connection can be used by numerous parallel + transfers and not necessarily a single one. + + Fix 2 + + We now store a list of handles in the socket hashtable entry and when libcurl + is told there's traffic for a particular socket, it now iterates over all + known transfers using that single socket. + +- test1561: improve test name + + [skip ci] + +- [Katsuhiko YOSHIDA brought this change] + + cookies: skip custom cookies when redirecting cross-site + + Closes #3417 + +- THANKS: fixups and a dedupe + + [skip ci] + +- timediff: fix math for unsigned time_t + + Bug: https://curl.haxx.se/mail/lib-2018-12/0088.html + + Closes #3449 + +- [Bernhard M. 
Wiedemann brought this change] + + tests: allow tests to pass by 2037-02-12 + + similar to commit f508d29f3902104018 + + Closes #3443 + +- RELEASE-NOTES: synced + +- [Brad Spencer brought this change] + + curl_multi_remove_handle() don't block terminating c-ares requests + + Added Curl_resolver_kill() for all three resolver modes, which only + blocks when necessary, along with test 1592 to confirm + curl_multi_remove_handle() doesn't block unless it must. + + Closes #3428 + Fixes #3371 + +- Revert "http_negotiate: do not close connection until negotiation is completed" + + This reverts commit 07ebaf837843124ee670e5b8c218b80b92e06e47. + + This also reopens PR #3275 which brought the change now reverted. + + Fixes #3384 + Closes #3439 + +- curl/urlapi.h: include "curl.h" first + + This allows programs to include curl/urlapi.h directly. + + Reviewed-by: Daniel Gustafsson + Reported-by: Ben Kohler + Fixes #3438 + Closes #3441 + +Marcel Raad (6 Jan 2019) +- VS projects: fix build warning + + Starting with Visual Studio 2017 Update 9, Visual Studio doesn't like + the MinimalRebuild option anymore and warns: + + cl : Command line warning D9035: option 'Gm' has been deprecated and + will be removed in a future release + + The option can be safely removed so that the default is used. + + Closes https://github.com/curl/curl/pull/3425 + +- schannel: fix compiler warning + + When building with Unicode on MSVC, the compiler warns about freeing a + pointer to const in Curl_unicodefree. Fix this by declaring it as + non-const and casting the argument to Curl_convert_UTF8_to_tchar to + non-const too, like we do in all other places. + + Closes https://github.com/curl/curl/pull/3435 + +Daniel Stenberg (4 Jan 2019) +- [Rikard Falkeborn brought this change] + + printf: introduce CURL_FORMAT_TIMEDIFF_T + +- [Rikard Falkeborn brought this change] + + printf: fix format specifiers + + Closes #3426 + +- libtest/stub_gssapi: use "real" snprintf + + ... since it doesn't link with libcurl. 
+ + Reverts the commit dcd6f81025 changes from this file. + + Bug: https://curl.haxx.se/mail/lib-2019-01/0000.html + Reported-by: Shlomi Fish + Reviewed-by: Daniel Gustafsson + Reviewed-by: Kamil Dudka + + Closes #3434 + +- INTERNALS: correct some outdated function names + + Closes #3431 + +- docs/version.d: mention MultiSSL + + Reviewed-by: Daniel Gustafsson + Closes #3432 + +Daniel Gustafsson (2 Jan 2019) +- [Rikard Falkeborn brought this change] + + examples: Update .gitignore + + Add a few missing examples to make `make examples` not leave the + workspace in a dirty state. + + Closes #3427 + Reviewed-by: Daniel Gustafsson <daniel@yesql.se> + +- THANKS: add more missing names + + Add Adrian Burcea who made the artwork for the curl://up 2018 event + which was held in Stockholm, Sweden. + +- docs: mention potential leak in curl_slist_append + + When a non-empty list is appended to, and used as the returnvalue, + the list pointer can leak in case of an allocation failure in the + curl_slist_append() call. This is correctly handled in curl code + usage but we weren't explicitly pointing it out in the API call + documentation. Fix by extending the RETURNVALUE manpage section + and example code. + + Closes #3424 + Reported-by: dnivras on github + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Marcel Raad (1 Jan 2019) +- tvnow: silence conversion warnings + + MinGW-w64 defaults to targeting Windows 7 now, so GetTickCount64 is + used and the milliseconds are represented as unsigned long long, + leading to a compiler warning when implicitly converting them to long. + +Daniel Stenberg (1 Jan 2019) +- THANKS: dedupe more names + + Researched-by: Tae Wong + +Marcel Raad (1 Jan 2019) +- [Markus Moeller brought this change] + + ntlm: update selection of type 3 response + + NTLM2 did not work i.e. no NTLMv2 response was created. Changing the + check seems to work. 
+ + Ref: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP].pdf + + Fixes https://github.com/curl/curl/issues/3286 + Closes https://github.com/curl/curl/pull/3287 + Closes https://github.com/curl/curl/pull/3415 + +Daniel Stenberg (31 Dec 2018) +- THANKS: added missing names from year <= 2000 + + Due to a report of a missing name in THANKS I manually went through an + old CHANGES.0 file and added many previously missing names here. + +Daniel Gustafsson (30 Dec 2018) +- urlapi: fix parsing ipv6 with zone index + + The previous fix for parsing IPv6 URLs with a zone index was a paddle + short for URLs without an explicit port. This patch fixes that case + and adds a unit test case. + + This bug was highlighted by issue #3408, and while it's not the full + fix for the problem there it is an isolated bug that should be fixed + regardless. + + Closes #3411 + Reported-by: GitYuanQu on github + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (30 Dec 2018) +- THANKS: dedupe Guenter Knauf + + Reported-by: Tae Wong + +- THANKS: missing name from the 6.3.1 release! + +Daniel Gustafsson (27 Dec 2018) +- RELEASE-NOTES: synced + +- [Claes Jakobsson brought this change] + + hostip: support wildcard hosts + + This adds support for wildcard hosts in CURLOPT_RESOLVE. These are + try-last so any non-wildcard entry is resolved first. If specified, + any host not matched by another CURLOPT_RESOLVE config will use this + as fallback. + + Example send a.com to 10.0.0.1 and everything else to 10.0.0.2: + curl --resolve *:443:10.0.0.2 --resolve a.com:443:10.0.0.1 \ + https://a.com https://b.com + + This is probably quite similar to using: + --connect-to a.com:443:10.0.0.1:443 --connect-to :443:10.0.0.2:443 + + Closes #3406 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- url: fix incorrect indentation + +Patrick Monnerat (26 Dec 2018) +- os400: upgrade ILE/RPG binding. + + - Trailer function support. + - http 0.9 option. 
+ - curl_easy_upkeep. + +Daniel Gustafsson (25 Dec 2018) +- FAQ: remove mention of sourceforge for github + + The project bug tracker is no longer hosted at sourceforge but is now + hosted on the curl Github page. Update the FAQ to reflect. + + Closes #3410 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- openvms: fix typos in documentation + +- openvms: fix OpenSSL discovery on VAX + + The DCL code had a typo in one of the commands which would make the + OpenSSL discovery on VAX fail. The correct syntax is F$ENVIRONMENT. + + Closes #3407 + Reviewed-by: Viktor Szakats <commit@vszakats.net> + +Daniel Stenberg (24 Dec 2018) +- [Ruslan Baratov brought this change] + + cmake: use lowercase for function name like the rest of the code + + Reviewed-by: Sergei Nikulov + + closes #3196 + +- Revert "libssh: no data pointer == nothing to do" + + This reverts commit c98ee5f67f497195c9 since commit f3ce38739fa fixed the + problem in a more generic way. + +- disconnect: set conn->data for protocol disconnect + + Follow-up to fb445a1e18d: Set conn->data explicitly to point out the + current transfer when invoking the protocol-specific disconnect function + so that it can work correctly. + + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12173 + +Jay Satiro (23 Dec 2018) +- [Pavel Pavlov brought this change] + + timeval: Use high resolution timestamps on Windows + + - Use QueryPerformanceCounter on Windows Vista+ + + There is confusing info floating around that QueryPerformanceCounter + can leap etc, which might have been true long time ago, but no longer + the case nowadays (perhaps starting from WinXP?). Also, boost and + std::chrono::steady_clock use QueryPerformanceCounter in a similar way. + + Prior to this change GetTickCount or GetTickCount64 was used, which has + lower resolution. That is still the case for <= XP. 
+ + Fixes https://github.com/curl/curl/issues/3309 + Closes https://github.com/curl/curl/pull/3318 + +Daniel Stenberg (22 Dec 2018) +- libssh: no data pointer == nothing to do + +- conncache_unlock: avoid indirection by changing input argument type + +- disconnect: separate connections and easy handles better + + Do not assume/store assocation between a given easy handle and the + connection if it can be avoided. + + Long-term, the 'conn->data' pointer should probably be removed as it is a + little too error-prone. Still used very widely though. + + Reported-by: masbug on github + Fixes #3391 + Closes #3400 + +- libssh: free sftp_canonicalize_path() data correctly + + Assisted-by: Harry Sintonen + + Fixes #3402 + Closes #3403 + +- RELEASE-NOTES: synced + +- http: added options for allowing HTTP/0.9 responses + + Added CURLOPT_HTTP09_ALLOWED and --http0.9 for this purpose. + + For now, both the tool and library allow HTTP/0.9 by default. + docs/DEPRECATE.md lays out the plan for when to reverse that default: 6 + months after the 7.64.0 release. The options are added already now so + that applications/scripts can start using them already now. + + Fixes #2873 + Closes #3383 + +- if2ip: remove unused function Curl_if_is_interface_name + + Closes #3401 + +- http2: clear pause stream id if it gets closed + + Reported-by: Florian Pritz + + Fixes #3392 + Closes #3399 + +Daniel Gustafsson (20 Dec 2018) +- [David Garske brought this change] + + wolfssl: Perform cleanup + + This adds a cleanup callback for cyassl. Resolves possible memory leak + when using ECC fixed point cache. 
+ + Closes #3395 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Daniel Gustafsson <daniel@yesql.se> + +Daniel Stenberg (20 Dec 2018) +- mbedtls: follow-up VERIFYHOST fix from f097669248 + + Fix-by: Eric Rosenquist + + Fixes #3376 + Closes #3390 + +- curlver: bump to 7.64.0 for next release + +Daniel Gustafsson (19 Dec 2018) +- cookies: extend domain checks to non psl builds + + Ensure to perform the checks we have to enforce a sane domain in + the cookie request. The check for non-PSL enabled builds is quite + basic but it's better than nothing. + + Closes #2964 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (19 Dec 2018) +- [Matus Uzak brought this change] + + smb: fix incorrect path in request if connection reused + + Follow-up to 09e401e01bf9. If connection gets reused, then data member + will be copied, but not the proto member. As a result, in smb_do(), + path has been set from the original proto.share data. + + Closes #3388 + +- curl -J: do not append to the destination file + + Reported-by: Kamil Dudka + Fixes #3380 + Closes #3381 + +- mbedtls: use VERIFYHOST + + Previously, VERIFYPEER would enable/disable all checks. + + Reported-by: Eric Rosenquist + Fixes #3376 + Closes #3380 + +- pingpong: change default response timeout to 120 seconds + + Previously it was 30 minutes + +- pingpong: ignore regular timeout in disconnect phase + + The timeout set with CURLOPT_TIMEOUT is no longer used when + disconnecting from one of the pingpong protocols (FTP, IMAP, SMTP, + POP3). 
+ + Reported-by: jasal82 on github + + Fixes #3264 + Closes #3374 + +- TODO: Windows: set attribute 'archive' for completed downloads + + Closes #3354 + +- RELEASE-NOTES: synced + +- http: minor whitespace cleanup from f464535b + +- [Ayoub Boudhar brought this change] + + http: Implement trailing headers for chunked transfers + + This adds the CURLOPT_TRAILERDATA and CURLOPT_TRAILERFUNCTION + options that allow a callback based approach to sending trailing headers + with chunked transfers. + + The test server (sws) was updated to take into account the detection of the + end of transfer in the case of trailing headers presence. + + Test 1591 checks that trailing headers can be sent using libcurl. + + Closes #3350 + +- darwinssl: accept setting max-tls with default min-tls + + Reported-by: Andrei Neculau + Fixes #3367 + Closes #3373 + +- gopher: fix memory leak from 9026083ddb2a9 + +- [Leonardo Taccari brought this change] + + test1201: Add a trailing `?' to the selector + + This verify that the `?' in the selector is kept as is. + + Verifies the fix in #3370 + +- [Leonardo Taccari brought this change] + + gopher: always include the entire gopher-path in request + + After the migration to URL API all octets in the selector after the + first `?' were interpreted as query and accidentally discarded and not + passed to the server. + + Add a gopherpath to always concatenate possible path and query URL + pieces. + + Fixes #3369 + Closes #3370 + +- [Leonardo Taccari brought this change] + + urlapi: distinguish possibly empty query + + If just a `?' to indicate the query is passed always store a zero length + query instead of having a NULL query. + + This permits to distinguish URL with trailing `?'. 
+ + Fixes #3369 + Closes #3370 + +Daniel Gustafsson (13 Dec 2018) +- OS400: handle memory error in list conversion + + Curl_slist_append_nodup() returns NULL when it fails to create a new + item for the specified list, and since the coding here reassigned the + new list on top of the old list it would result in a dangling pointer + and lost memory. Also, in case we hit an allocation failure at some + point during the conversion, with allocation succeeding again on the + subsequent call(s) we will return a truncated list around the malloc + failure point. Fix by assigning to a temporary list pointer, which can + be checked (which is the common pattern for slist appending), and free + all the resources on allocation failure. + + Closes #3372 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- cookies: leave secure cookies alone + + Only allow secure origins to be able to write cookies with the + 'secure' flag set. This reduces the risk of non-secure origins + to influence the state of secure origins. This implements IETF + Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates + RFC6265. + + Closes #2956 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (13 Dec 2018) +- docs: fix the --tls-max description + + Reported-by: Tobias Lindgren + Pointed out in #3367 + + Closes #3368 + +Daniel Gustafsson (12 Dec 2018) +- urlapi: Fix port parsing of eol colon + + A URL with a single colon without a portnumber should use the default + port, discarding the colon. Fix, add a testcase and also do little bit + of comment wordsmithing. + + Closes #3365 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Version 7.63.0 (12 Dec 2018) + +Daniel Stenberg (12 Dec 2018) +- RELEASE-NOTES: 7.63.0 + +- THANKS: from the curl 7.62.0 cycle + +- test1519: use lib1518 and test CURLINFO_REDIRECT_URL more + +- Curl_follow: extract the Location: header field unvalidated + + ... when not actually following the redirect. 
Otherwise we return error + for this and an application can't extract the value. + + Test 1518 added to verify. + + Reported-by: Pavel Pavlov + Fixes #3340 + Closes #3364 + +- multi: convert two timeout variables to timediff_t + + The time_t type is unsigned on some systems and these variables are used + to hold return values from functions that return timediff_t + already. timediff_t is always a signed type. + + Closes #3363 + +- delta: use --diff-filter on the git diff-tree invokes + + Suggested-by: Dave Reisner + +Patrick Monnerat (11 Dec 2018) +- documentation: curl_formadd field and file names are now escaped + + Prior to 7.56.0, fieldnames and filenames were set in Content-Disposition + header without special processing: this may lead to invalid RFC 822 + quoted-strings. + 7.56.0 introduces escaping of backslashes and double quotes in these names: + mention it in the documentation. + + Reported-by: daboul on github + Closes #3361 + +Daniel Stenberg (11 Dec 2018) +- scripts/delta: show repo delta info from last release + + ... where "last release" should be the git tag in the repo. + +Daniel Gustafsson (11 Dec 2018) +- tests: add urlapi unittest + + This adds a new unittest intended to cover the internal functions in + the urlapi code, starting with parse_port(). In order to avoid name + collisions in debug builds, parse_port() is renamed Curl_parse_port() + since it will be exported. + + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + +- urlapi: fix portnumber parsing for ipv6 zone index + + An IPv6 URL which contains a zone index includes a '%%25<zode id>' + string before the ending ']' bracket. The parsing logic wasn't set + up to cope with the zone index however, resulting in a malformed url + error being returned. Fix by breaking the parsing into two stages + to correctly handle the zone index. 
+ + Closes #3355 + Closes #3319 + Reported-by: tonystz on Github + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + +Daniel Stenberg (11 Dec 2018) +- [Jay Satiro brought this change] + + http: fix HTTP auth to include query in URI + + - Include query in the path passed to generate HTTP auth. + + Recent changes to use the URL API internally (46e1640, 7.62.0) + inadvertently broke authentication URIs by omitting the query. + + Fixes https://github.com/curl/curl/issues/3353 + Closes #3356 + +- [Michael Kaufmann brought this change] + + http: don't set CURLINFO_CONDITION_UNMET for http status code 204 + + The http status code 204 (No Content) should not change the "condition + unmet" flag. Only the http status code 304 (Not Modified) should do + this. + + Closes #359 + +- [Samuel Surtees brought this change] + + ldap: fix LDAP URL parsing regressions + + - Match URL scheme with LDAP and LDAPS + - Retrieve attributes, scope and filter from URL query instead + + Regression brought in 46e164069d1a5230 (7.62.0) + + Closes #3362 + +- RELEASE-NOTES: synced + +- [Stefan Kanthak brought this change] + + (lib)curl.rc: fixup for minor bugs + + All resources defined in lib/libcurl.rc and curl.rc are language + neutral. + + winbuild/MakefileBuild.vc ALWAYS defines the macro DEBUGBUILD, so the + ifdef's in line 33 of lib/libcurl.rc and src/curl.rc are wrong. + + Replace the hard-coded constants in both *.rc files with #define'd + values. 
+ + Thumbs-uped-by: Rod Widdowson, Johannes Schindelin + URL: https://curl.haxx.se/mail/lib-2018-11/0000.html + Closes #3348 + +- test329: verify cookie max-age=0 immediate expiry + +- cookies: expire "Max-Age=0" immediately + + Reported-by: Jeroen Ooms + Fixes #3351 + Closes #3352 + +- [Johannes Schindelin brought this change] + + Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1 + + This is a companion patch to cbea2fd2c (NTLM: force the connection to + HTTP/1.1, 2018-12-06): with NTLM, we can switch to HTTP/1.1 + preemptively. However, with other (Negotiate) authentication it is not + clear to this developer whether there is a way to make it work with + HTTP/2, so let's try HTTP/2 first and fall back in case we encounter the + error HTTP_1_1_REQUIRED. + + Note: we will still keep the NTLM workaround, as it avoids an extra + round trip. + + Daniel Stenberg helped a lot with this patch, in particular by + suggesting to introduce the Curl_h2_http_1_1_error() function. + + Closes #3349 + + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + +- [Ben Greear brought this change] + + openssl: fix unused variable compiler warning with old openssl + + URL: https://curl.haxx.se/mail/lib-2018-11/0055.html + + Closes #3347 + +- [Johannes Schindelin brought this change] + + NTLM: force the connection to HTTP/1.1 + + Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces + the capability. However, NTLM authentication only works with HTTP/1.1, + and will likely remain in that boat (for details, see + https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported). + + When we just found out that we want to use NTLM, and when the current + connection runs in HTTP/2 mode, let's force the connection to be closed + and to be re-opened using HTTP/1.1. + + Fixes https://github.com/curl/curl/issues/3341. + Closes #3345 + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + +- [Johannes Schindelin brought this change] + + curl_global_sslset(): id == -1 is not necessarily an error + + It is allowed to call that function with id set to -1, specifying the + backend by the name instead. We should imitate what is done further down + in that function to allow for that. + + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + + Closes #3346 + +Johannes Schindelin (6 Dec 2018) +- .gitattributes: make tabs in indentation a visible error + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + +Daniel Stenberg (6 Dec 2018) +- RELEASE-NOTES: synced + +- doh: fix memory leak in OOM situation + + Reviewed-by: Daniel Gustafsson + Closes #3342 + +- doh: make it work for h2-disabled builds too + + Reported-by: dtmsecurity at github + Fixes #3325 + Closes #3336 + +- packages: remove old leftover files and dirs + + This subdir has mostly become an attic of never-used cruft from the + past. + + Closes #3331 + +- [Gergely Nagy brought this change] + + openssl: do not use file BIOs if not requested + + Moves the file handling BIO calls to the branch of the code where they + are actually used. + + Closes #3339 + +- [Paul Howarth brought this change] + + nss: Fix compatibility with nss versions 3.14 to 3.15 + +- [Paul Howarth brought this change] + + nss: Improve info message when falling back SSL protocol + + Use descriptive text strings rather than decimal numbers. + +- [Paul Howarth brought this change] + + nss: Fall back to latest supported SSL version + + NSS may be built without support for the latest SSL/TLS versions, + leading to "SSL version range is not valid" errors when the library + code supports a recent version (e.g. TLS v1.3) but it has explicitly + been disabled. + + This change adjusts the maximum SSL version requested by libcurl to + be the maximum supported version at runtime, as long as that version + is at least as high as the minimum version required by libcurl. + + Fixes #3261 + +Daniel Gustafsson (3 Dec 2018) +- travis: enable COPYRIGHTYEAR extended warning + + The extended warning for checking incorrect COPYRIGHTYEAR is quite + expensive to run, so rather than expecting every developer to do it + we ensure it's turned on locally for Travis. 
+ +- checksrc: add COPYRIGHTYEAR check + + Forgetting to bump the year in the copyright clause when hacking has + been quite common among curl developers, but a traditional checksrc + check isn't a good fit as it would penalize anyone hacking on January + 1st (among other things). This adds a more selective COPYRIGHTYEAR + check which intends to only cover the currently hacked on changeset. + + The check for updated copyright year is currently not enforced on all + files but only on files edited and/or committed locally. This is due to + the amount of files which aren't updated with their correct copyright + year at the time of their respective commit. + + To further avoid running this expensive check for every developer, it + adds a new local override mode for checksrc where a .checksrc file can + be used to turn on extended warnings locally. + + Closes #3303 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (3 Dec 2018) +- CHECKSRC.md: document more warnings + + Closes #3335 + [ci skip] + +- RELEASE-NOTES: synced + +- SECURITY-PROCESS: bountygraph shuts down + + This backpedals back the documents to the state before bountygraph. + + Closes #3311 + +- curl: fix memory leak reading --writeout from file + + If another string had been set first, the writout function for reading + the syntax from file would leak the previously allocated memory. + + Reported-by: Brian Carpenter + Fixes #3322 + Closes #3330 + +- tool_main: rename function to make it unique and better + + ... there's already another function in the curl tool named + free_config_fields! + +Daniel Gustafsson (29 Nov 2018) +- TODO: remove CURLOPT_DNS_USE_GLOBAL_CACHE entry + + Commit 7c5837e79280e6abb3ae143dfc49bca5e74cdd11 deprecated the option + making it a manual code-edit operation to turn it back on. 
The removal + process has thus started and is now documented in docs/DEPRECATE.md so + remove from the TODO to avoid anyone looking for something to pick up + spend cycles on an already in-progress entry. + + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Jay Satiro (29 Nov 2018) +- [Sevan Janiyan brought this change] + + connect: fix building for recent versions of Minix + + EBADIOCTL doesn't exist on more recent Minix. + There have also been substantial changes to the network stack. + Fixes build on Minix 3.4rc + + Closes https://github.com/curl/curl/pull/3323 + +- [Konstantin Kushnir brought this change] + + CMake: fix MIT/Heimdal Kerberos detection + + - fix syntax error in FindGSS.cmake + - correct krb5 include directory. FindGSS exports + "GSS_INCLUDE_DIR" variable. + + Closes https://github.com/curl/curl/pull/3316 + +Daniel Stenberg (28 Nov 2018) +- test328: verify Content-Encoding: none + + Because of issue #3315 + + Closes #3317 + +- [James Knight brought this change] + + configure: include all libraries in ssl-libs fetch + + When compiling a collection of SSL libraries to link against (SSL_LIBS), + ensure all libraries are included. The call `--libs-only-l` can produce + only a subset of found in a `--libs` call (e.x. pthread may be excluded). + Adding `--libs-only-other` ensures other libraries are also included in + the list. This corrects select build environments compiling against a + static version of OpenSSL. Before the change, the following could be + observed: + + checking for openssl options with pkg-config... found + configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -lcrypto -lz -ldl " + configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib " + configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include " + checking for HMAC_Update in -lcrypto... no + checking for HMAC_Init_ex in -lcrypto... no + checking OpenSSL linking with -ldl... 
no + checking OpenSSL linking with -ldl and -lpthread... no + configure: WARNING: SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more. + configure: WARNING: Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls, --with-winssl, or --with-darwinssl to address this. + ... + SSL support: no (--with-{ssl,gnutls,nss,polarssl,mbedtls,cyassl,axtls,winssl,darwinssl} ) + ... + + And include the other libraries when compiling SSL_LIBS succeeds with: + + checking for openssl options with pkg-config... found + configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -pthread -lcrypto -lz -ldl -pthread " + configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib " + configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include " + checking for HMAC_Update in -lcrypto... yes + checking for SSL_connect in -lssl... yes + ... + SSL support: enabled (OpenSSL) + ... + + 
Signed-off-by: James Knight <james.d.knight@live.com> + Closes #3193 + +Daniel Gustafsson (26 Nov 2018) +- doh: fix typo in infof call + + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- cmdline-opts/gen.pl: define the correct varname + + The variable definition had a small typo making it declare another + variable then the intended. + + Closes #3304 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (25 Nov 2018) +- RELEASE-NOTES: synced + +- curl_easy_perform: fix timeout handling + + curl_multi_wait() was erroneously used from within + curl_easy_perform(). It could lead to it believing there was no socket + to wait for and then instead sleep for a while instead of monitoring the + socket and then miss acting on that activity as swiftly as it should + (causing an up to 1000 ms delay). + + Reported-by: Antoni Villalonga + Fixes #3305 + Closes #3306 + Closes #3308 + +- CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times + +- cookies: create the cookiejar even if no cookies to save + + Important for when the file is going to be read again and thus must not + contain old contents! + + Adds test 327 to verify. + + Reported-by: daboul on github + Fixes #3299 + Closes #3300 + +- checksrc: ban snprintf use, add command line flag to override warns + +- snprintf: renamed and we now only use msnprintf() + + The function does not return the same value as snprintf() normally does, + so readers may be mislead into thinking the code works differently than + it actually does. A different function name makes this easier to detect. + + Reported-by: Tomas Hoger + Assisted-by: Daniel Gustafsson + Fixes #3296 + Closes #3297 + +- [Tobias Hintze brought this change] + + test: update test20/1322 for eglibc bug workaround + + The tests 20 and 1322 are using getaddrinfo of libc for resolving. In + eglibc-2.19 there is a memory leakage and invalid free bug which + surfaces in some special circumstances (PF_UNSPEC hint with invalid or + non-existent names). 
The valgrind runs in testing fail in these + situations. + + As the tests 20/1322 are not specific on either protocol (IPv4/IPv6) + this commit changes the hints to IPv4 protocol by passing `--ipv4` flag + on the tests' command line. This prevents the valgrind failures. + +- [Tobias Hintze brought this change] + + host names: allow trailing dot in name resolve, then strip it + + Delays stripping of trailing dots to after resolving the hostname. + + Fixes #3022 + Closes #3222 + +- [UnknownShadow200 brought this change] + + CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis and description + + Closes #3295 + +Daniel Gustafsson (21 Nov 2018) +- configure: Fix typo in comment + +Michael Kaufmann (21 Nov 2018) +- openssl: support session resume with TLS 1.3 + + Session resumption information is not available immediately after a TLS 1.3 + handshake. The client must wait until the server has sent a session ticket. + + Use OpenSSL's "new session" callback to get the session information and put it + into curl's session cache. For TLS 1.3 sessions, this callback will be invoked + after the server has sent a session ticket. + + The "new session" callback is invoked only if OpenSSL's session cache is + enabled, so enable it and use the "external storage" mode which lets curl manage + the contents of the session cache. + + A pointer to the connection data and the sockindex are now saved as "SSL extra + data" to make them available to the callback. + + This approach also works for old SSL/TLS versions and old OpenSSL versions. + + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + + Fixes #3202 + Closes #3271 + +- ssl: fix compilation with OpenSSL 0.9.7 + + - ENGINE_cleanup() was used without including "openssl/engine.h" + - enable engine support for OpenSSL 0.9.7 + + Closes #3266 + +Daniel Stenberg (21 Nov 2018) +- openssl: disable TLS renegotiation with BoringSSL + + Since we're close to feature freeze, this change disables this feature + with an #ifdef. 
Define ALLOW_RENEG at build-time to enable. + + This could be converted to a bit for CURLOPT_SSL_OPTIONS to let + applications opt-in this. + + Concern-raised-by: David Benjamin + Fixes #3283 + Closes #3293 + +- [Romain Fliedel brought this change] + + ares: remove fd from multi fd set when ares is about to close the fd + + When using c-ares for asyn dns, the dns socket fd was silently closed + by c-ares without curl being aware. curl would then 'realize' the fd + has been removed at next call of Curl_resolver_getsock, and only then + notify the CURLMOPT_SOCKETFUNCTION to remove fd from its poll set with + CURL_POLL_REMOVE. At this point the fd is already closed. + + By using ares socket state callback (ARES_OPT_SOCK_STATE_CB), this + patch allows curl to be notified that the fd is not longer needed + for neither for write nor read. At this point by calling + Curl_multi_closed we are able to notify multi with CURL_POLL_REMOVE + before the fd is actually closed by ares. + + In asyn-ares.c Curl_resolver_duphandle we can't use ares_dup anymore + since it does not allow passing a different sock_state_cb_data + + Closes #3238 + +- [Romain Fliedel brought this change] + + examples/ephiperfifo: report error when epoll_ctl fails + +Daniel Gustafsson (20 Nov 2018) +- [pkubaj brought this change] + + ntlm: Remove redundant ifdef USE_OPENSSL + + lib/curl_ntlm.c had code that read as follows: + + #ifdef USE_OPENSSL + # ifdef USE_OPENSSL + # else + # .. + # endif + #endif + + Remove the redundant USE_OPENSSL along with #else (it's not possible to + reach it anyway). The removed construction is a leftover from when the + SSLeay support was removed. 
+ + Closes #3269 + Reviewed-by: Daniel Gustafsson <daniel@yesql.se> + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (20 Nov 2018) +- [Han Han brought this change] + + ssl: replace all internal uses of CURLE_SSL_CACERT + + Closes #3291 + +Han Han (19 Nov 2018) +- docs: add more description to unified ssl error codes + +- curle: move deprecated error code to ifndef block + +Patrick Monnerat (19 Nov 2018) +- os400: add CURLOPT_CURLU to ILE/RPG binding. + +- os400: Add curl_easy_conn_upkeep() to ILE/RPG binding. + +- os400: fix return type of curl_easy_pause() in ILE/RPG binding. + +Daniel Stenberg (19 Nov 2018) +- RELEASE-NOTES: synced + +- impacket: add LICENSE + + The license for the impacket package was not in our tree. + + Imported now from upstream's + https://github.com/SecureAuthCorp/impacket/blob/master/LICENSE + + Reported-by: infinnovation-dev on github + Fixes #3276 + Closes #3277 + +Daniel Gustafsson (18 Nov 2018) +- tool_doswin: Fix uninitialized field warning + + The partial struct initialization in 397664a065abffb7c3445ca9 caused + a warning on uninitialized MODULEENTRY32 struct members: + + /src/tool_doswin.c:681:3: warning: missing initializer for field + 'th32ModuleID' of 'MODULEENTRY32 {aka struct tagMODULEENTRY32}' + [-Wmissing-field-initializers] + + This is sort of a bogus warning as the remaining members will be set + to zero by the compiler, as all omitted members are. Nevertheless, + remove the warning by omitting all members and setting the dwSize + members explicitly. + + Closes #3254 + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + Reviewed-by: Jay Satiro <raysatiro@yahoo.com> + +- openssl: Remove SSLEAY leftovers + + Commit 709cf76f6bb7dbac deprecated USE_SSLEAY, as curl since long isn't + compatible with the SSLeay library. This removes the few leftovers that + were omitted in the less frequently used platform targets. 
+ + Closes #3270 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (16 Nov 2018) +- [Elia Tufarolo brought this change] + + http_negotiate: do not close connection until negotiation is completed + + Fix HTTP POST using CURLAUTH_NEGOTIATE. + + Closes #3275 + +- pop3: only do APOP with a valid timestamp + + Brought-by: bobmitchell1956 on github + Fixes #3278 + Closes #3279 + +Jay Satiro (16 Nov 2018) +- [Peter Wu brought this change] + + openssl: do not log excess "TLS app data" lines for TLS 1.3 + + The SSL_CTX_set_msg_callback callback is not just called for the + Handshake or Alert protocols, but also for the raw record header + (SSL3_RT_HEADER) and the decrypted inner record type + (SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid + excess debug spam when using `curl -v` against a TLSv1.3-enabled server: + + * TLSv1.3 (IN), TLS app data, [no content] (0): + + (Following this message, another callback for the decrypted + handshake/alert messages will be be present anyway.) + + Closes https://github.com/curl/curl/pull/3281 + +Marc Hoersken (15 Nov 2018) +- tests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows + + SO_EXCLUSIVEADDRUSE is on by default on Vista or newer, + but does not work together with SO_REUSEADDR being on. + + The default changes were made with stunnel 5.34 and 5.35. + +Daniel Stenberg (13 Nov 2018) +- [Kamil Dudka brought this change] + + nss: remove version selecting dead code + + Closes #3262 + +- nss: set default max-tls to 1.3/1.2 + + Fixes #3261 + +Daniel Gustafsson (13 Nov 2018) +- tool_cb_wrt: Silence function cast compiler warning + + Commit 5bfaa86ceb3c2a9ac474a928e748c4a86a703b33 introduced a new + compiler warning on Windows cross compilation with GCC. 
See below + for an example of the warning from the autobuild logs (whitespace + edited to fit): + + /src/tool_cb_wrt.c:175:9: warning: cast from function call of type + 'intptr_t {aka long long int}' to non-matching type 'void *' + [-Wbad-function-cast] + (HANDLE) _get_osfhandle(fileno(outs->stream)), + ^ + + Store the return value from _get_osfhandle() in an intermediate + variable and cast the variable in WriteConsoleW() rather than the + function call directly to avoid a compiler warning. + + In passing, also add inspection of the MultiByteToWideChar() return + value and return failure in case an error is reported. + + Closes #3263 + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + Reviewed-by: Viktor Szakats <commit@vszakats.net> + +Daniel Stenberg (12 Nov 2018) +- nss: fix fallthrough comment to fix picky compiler warning + +- docs: expanded on some CURLU details + +- [Tim Rühsen brought this change] + + ftp: avoid two unsigned int overflows in FTP listing parser + + Curl_ftp_parselist: avoid unsigned integer overflows + + The overflow has no real world impact, just avoid it for "best + practice". + + Closes #3225 + +- curl: --local-port range was not "including" + + The end port number in a given range was not included in the range used, + as it is documented to be. + + Reported-by: infinnovation-dev on github + Fixes #3251 + Closes #3255 + +- [Jérémy Rocher brought this change] + + openssl: support BoringSSL TLS renegotiation + + As per BoringSSL porting documentation [1], BoringSSL rejects peer + renegotiations by default. + + curl fails when trying to authenticate to server through client + certificate if it is requested by server after the initial TLS + handshake. + + Enable renegotiation by default with BoringSSL to get same behavior as + with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2] + which was introduced in commit 1d5ef3bb1eb9 [3]. 
+ + 1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation + 2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482 + 3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86 + + 
Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com> + Fixes #3258 + Closes #3259 + +- HISTORY: add some milestones + + Added a few of the more notable milestones in curl history that were + missing. Primarily more recent ones but I also noted some older that + could be worth mentioning. + + [ci skip] + Closes #3257 + +Daniel Gustafsson (9 Nov 2018) +- KNOWN_BUGS: add --proxy-any connection issue + + Add the identified issue with --proxy-any and proxy servers which + advertise authentication schemes other than the supported one. + + Closes #876 + Closes #3250 + Reported-by: NTMan on Github + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (9 Nov 2018) +- [Jim Fuller brought this change] + + setopt: add CURLOPT_CURLU + + Allows an application to pass in a pre-parsed URL via a URL handle. + + Closes #3227 + +- [Gisle Vanem brought this change] + + docs: ESCape "\n" codes + + Groff / Troff will display a: + printaf("Errno: %ld\n", error); + as: + printf("Errno: %ld0, error); + + when a "\n" is not escaped. Use "\\n" instead. + + Closes #3246 + +- curl: --local-port fix followup + + Regression by 52db54869e6. + + Reported-by: infinnovation-dev on github + Fixes #3248 + Closes #3249 + +GitHub (7 Nov 2018) +- [Gisle Vanem brought this change] + + More "\n" ESCaping + +Daniel Stenberg (7 Nov 2018) +- RELEASE-NOTES: synced + +- curl: fix --local-port integer overflow + + The tool's local port command line range parser didn't check for integer + overflows and could pass "weird" data to libcurl for this option. + libcurl however, has a strict range check for the values so it rejects + anything outside of the accepted range. + + Reported-by: Brian Carpenter + Closes #3242 + +- curl: correct the switch() logic in ourWriteOut + + Follow-up to e431daf013, as I did the wrong correction for a compiler + warning. It should be a break and not a fall-through. 
+ + Pointed-out-by: Frank Gevaerts + +- [Frank Gevaerts brought this change] + + curl: add %{stderr} and %{stdout} for --write-out + + Closes #3115 + +Daniel Gustafsson (7 Nov 2018) +- winssl: be consistent in Schannel capitalization + + The productname from Microsoft is "Schannel", but in infof/failf + reporting we use "schannel". This removes different versions. + + Closes #3243 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (7 Nov 2018) +- TODO: Have the URL API offer IDN decoding + + Similar to how URL decoding/encoding is done, we could have URL + functions to convert IDN host names to punycode. + + Suggested-by: Alexey Melnichuk + Closes #3232 + +- urlapi: only skip encoding the first '=' with APPENDQUERY set + + APPENDQUERY + URLENCODE would skip all equals signs but now it only skip + encoding the first to better allow "name=content" for any content. + + Reported-by: Alexey Melnichuk + Fixes #3231 + Closes #3231 + +- url: a short host name + port is not a scheme + + The function identifying a leading "scheme" part of the URL considered a + few letters ending with a colon to be a scheme, making something like + "short:80" to become an unknown scheme instead of a short host name and + a port number. + + Extended test 1560 to verify. + + Also fixed test203 to use file_pwd to make it get the correct path on + windows. Removed test 2070 since it was a duplicate of 203. + + Assisted-by: Marcel Raad + Reported-by: Hagai Auro + Fixes #3220 + Fixes #3233 + Closes #3223 + Closes #3235 + +- [Sangamkar brought this change] + + libcurl: stop reading from paused transfers + + In the transfer loop it would previously not acknwledge the pause bit + and continue until drained or loop ended. 
+ + Closes #3240 + +Jay Satiro (6 Nov 2018) +- tool: add undocumented option --dump-module-paths for win32 + + - Add an undocumented diagnostic option for Windows to show the full + paths of all loaded modules regardless of whether or not libcurl + initialization succeeds. + + This is needed so that in the CI we can get a list of all DLL + dependencies after initialization (when they're most likely to have + finished loading) and then package them as artifacts so that a + functioning build can be downloaded. Also I imagine it may have some use + as a diagnostic for help requests. + + Ref: https://github.com/curl/curl/pull/3103 + + Closes https://github.com/curl/curl/pull/3208 + +- curl_multibyte: fix a malloc overcalculation + + Prior to this change twice as many bytes as necessary were malloc'd when + converting wchar to UTF8. To allay confusion in the future I also + changed the variable name for the amount of bytes from len to bytes. + + Closes https://github.com/curl/curl/pull/3209 + +Michael Kaufmann (5 Nov 2018) +- netrc: don't ignore the login name specified with "--user" + + - for "--netrc", don't ignore the login/password specified with "--user", + only ignore the login/password in the URL. + This restores the netrc behaviour of curl 7.61.1 and earlier. 
+ - fix the documentation of CURL_NETRC_REQUIRED + - improve the detection of login/password changes when reading .netrc + - don't read .netrc if both login and password are already set + + Fixes #3213 + Closes #3224 + +Patrick Monnerat (5 Nov 2018) +- OS400: add URL API ccsid wrappers and sync ILE/RPG bindings + +Daniel Stenberg (5 Nov 2018) +- [Yasuhiro Matsumoto brought this change] + + curl: fixed UTF-8 in current console code page (Windows) + + Fixes #3211 + Fixes #3175 + Closes #3212 + +- TODO: 2.6 multi upkeep + + Closes #3199 + +Daniel Gustafsson (5 Nov 2018) +- unittest: make 1652 stable across collations + + The previous coding used a format string whose output depended on the + current locale of the environment running the test. Since the gist of + the test is to have a format string, with the actual formatting being + less important, switch to a more stable formatstring with decimals. + + Reported-by: Marcel Raad + Closes #3234 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + +Daniel Stenberg (5 Nov 2018) +- Revert "url: a short host name + port is not a scheme" + + This reverts commit 226cfa8264cd979eff3fd52c0f3585ef095e7cf2. + + This commit caused test failures on appveyor/windows. Work on fixing them is + in #3235. + +- symbols-in-versions: add missing CURLU_ symbols + + ...and fix symbol-scan.pl to also scan urlapi.h + + Reported-by: Alexey Melnichuk + Fixes #3226 + Closes #3230 + +Daniel Gustafsson (3 Nov 2018) +- infof: clearly indicate truncation + + The internal buffer in infof() is limited to 2048 bytes of payload plus + an additional byte for NULL termination. Servers with very long error + messages can however cause truncation of the string, which currently + isn't very clear, and leads to badly formatted output. + + This appends a "...\n" (or just "..." in case the format didn't with a + newline char) marker to the end of the string to clearly show + that it has been truncated. 
+ + Also include a unittest covering infof() to try and catch any bugs + introduced in this quite important function. + + Closes #3216 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + +Michael Kaufmann (3 Nov 2018) +- tool_getparam: fix some comments + +Daniel Stenberg (3 Nov 2018) +- url: a short host name + port is not a scheme + + The function identifying a leading "scheme" part of the URL considered a few + letters ending with a colon to be a scheme, making something like "short:80" + to become an unknown scheme instead of a short host name and a port number. + + Extended test 1560 to verify. + + Reported-by: Hagai Auro + Fixes #3220 + Closes #3223 + +- URL: fix IPv6 numeral address parser + + Regression from 46e164069d1a52. Extended test 1560 to verify. + + Reported-by: tpaukrt on github + Fixes #3218 + Closes #3219 + +- travis: remove curl before a normal build + + on Linux. To make sure the test suite runs with its newly build tool and + doesn't require an external one present. + + Bug: #3198 + Closes #3200 + +- [Tim Rühsen brought this change] + + mprintf: avoid unsigned integer overflow warning + + The overflow has no real world impact. + Just avoid it for "best practice". + + Code change suggested by "The Infinnovation Team" and Daniel Stenberg. + Closes #3184 + +- Curl_follow: accept non-supported schemes for "fake" redirects + + When not actually following the redirect and the target URL is only + stored for later retrieval, curl always accepted "non-supported" + schemes. This was a regression from 46e164069d1a5230. + + Reported-by: Brad King + Fixes #3210 + Closes #3215 + +Daniel Gustafsson (2 Nov 2018) +- openvms: fix example name + + Commit efc696a2e09225bfeab4 renamed persistant.c to persistent.c to + fix the typo in the name, but missed to update the OpenVMS package + files which still looked for the old name. 
+ + Closes #3217 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Viktor Szakats <commit@vszakats.net> + +Daniel Stenberg (1 Nov 2018) +- configure: show CFLAGS, LDFLAGS etc in summary + + To make it easier to understand other people's and remote builds etc. + + Closes #3207 + +- version: bump for next cycle + +- axtls: removed + + As has been outlined in the DEPRECATE.md document, the axTLS code has + been disabled for 6 months and is hereby removed. + + Use a better supported TLS library! + + Assisted-by: Daniel Gustafsson + Closes #3194 + +- [marcosdiazr brought this change] + + schannel: make CURLOPT_CERTINFO support using Issuer chain + + Closes #3197 + +- travis: build with sanitize=address,undefined,signed-integer-overflow + + ... using clang + + Closes #3190 + +- schannel: use Curl_ prefix for global private symbols + + Curl_verify_certificate() must use the Curl_ prefix since it is globally + available in the lib and otherwise steps outside of our namespace! + + Closes #3201 + +Kamil Dudka (1 Nov 2018) +- tests: drop http_pipe.py script no longer used + + It is unused since commit f7208df7d9d5cd5e15e2d89237e828f32b63f135. + + Closes #3204 + +Daniel Stenberg (31 Oct 2018) +- runtests: use the local curl for verifying + + ... revert the mistaken change brought in commit 8440616f53. + + Reported-by: Alessandro Ghedini + Bug: https://curl.haxx.se/mail/lib-2018-10/0118.html + + Closes #3198 + +Version 7.62.0 (30 Oct 2018) + +Daniel Stenberg (30 Oct 2018) +- RELEASE-NOTES: 7.62.0 + +- THANKS: 7.62.0 status + +Daniel Gustafsson (30 Oct 2018) +- vtls: add MesaLink to curl_sslbackend enum + + MesaLink support was added in commit 57348eb97d1b8fc3742e02c but the + backend was never added to the curl_sslbackend enum in curl/curl.h. + This adds the new backend to the enum and updates the relevant docs. 
+ + Closes #3195 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (30 Oct 2018) +- [Ruslan Baratov brought this change] + + cmake: Remove unused CURL_CONFIG_HAS_BEEN_RUN_BEFORE variable + + Closes #3191 + +- test2080: verify the fix for CVE-2018-16842 + +- voutf: fix bad arethmetic when outputting warnings to stderr + + CVE-2018-16842 + Reported-by: Brian Carpenter + Bug: https://curl.haxx.se/docs/CVE-2018-16842.html + +- [Tuomo Rinne brought this change] + + cmake: uniform ZLIB to use USE_ variable and clean curl-config.cmake.in + + Closes #3123 + +- [Tuomo Rinne brought this change] + + cmake: add find_dependency call for ZLIB to CMake config file + +- [Tuomo Rinne brought this change] + + cmake: add support for transitive ZLIB target + +- unit1650: fix "null pointer passed as argument 1 to memcmp" + + Detected by UndefinedBehaviorSanitizer + + Closes #3187 + +- travis: add a "make tidy" build that runs clang-tidy + + Closes #3182 + +- unit1300: fix stack-use-after-scope AddressSanitizer warning + + Closes #3186 + +- Curl_auth_create_plain_message: fix too-large-input-check + + CVE-2018-16839 + Reported-by: Harry Sintonen + Bug: https://curl.haxx.se/docs/CVE-2018-16839.html + +- Curl_close: clear data->multi_easy on free to avoid use-after-free + + Regression from b46cfbc068 (7.59.0) + CVE-2018-16840 + Reported-by: Brian Carpenter (Geeknik Labs) + + Bug: https://curl.haxx.se/docs/CVE-2018-16840.html + +- [randomswdev brought this change] + + system.h: use proper setting with Sun C++ as well + + system.h selects the proper Sun settings when __SUNPRO_C is defined. The + Sun compiler does not define it when compiling C++ files. I'm adding a + check also on __SUNPRO_CC to allow curl to work properly also when used + in a C++ project on Sun Solaris. + + Closes #3181 + +- rand: add comment to skip a clang-tidy false positive + +- test1651: unit test Curl_extract_certinfo() + + The version used for Gskit, NSS, GnuTLS, WolfSSL and schannel. 
+ +- x509asn1: always check return code from getASN1Element() + +- Makefile: add 'tidy' target that runs clang-tidy + + Available in the root, src and lib dirs. + + Closes #3163 + +- RELEASE-PROCEDURE: adjust the release dates + + See: https://curl.haxx.se/mail/lib-2018-10/0107.html + +Patrick Monnerat (27 Oct 2018) +- x509asn1: suppress left shift on signed value + + Use an unsigned variable: as the signed operation behavior is undefined, + this change silents clang-tidy about it. + + Ref: https://github.com/curl/curl/pull/3163 + Reported-By: Daniel Stenberg + +Michael Kaufmann (27 Oct 2018) +- multi: Fix error handling in the SENDPROTOCONNECT state + + If Curl_protocol_connect() returns an error code, + handle the error instead of switching to the next state. + + Closes #3170 + +Daniel Stenberg (27 Oct 2018) +- RELEASE-NOTES: synced + +- openssl: output the correct cipher list on TLS 1.3 error + + When failing to set the 1.3 cipher suite, the wrong string pointer would + be used in the error message. Most often saying "(nil)". + + Reported-by: Ricky-Tigg on github + Fixes #3178 + Closes #3180 + +- docs/CIPHERS: fix the TLS 1.3 cipher names + + ... picked straight from the OpenSSL man page: + https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html + + Reported-by: Ricky-Tigg on github + Bug: #3178 + +Marcel Raad (27 Oct 2018) +- travis: install gnutls-bin package + + This is required for gnutls-serv, which enables a few more tests. + + Closes https://github.com/curl/curl/pull/2958 + +Daniel Gustafsson (26 Oct 2018) +- ssh: free the session on init failures + + Ensure to clear the session object in case the libssh2 initialization + fails. + + It could be argued that the libssh2 error function should be called to + get a proper error message in this case. But since the only error path + in libssh2_knownhost_init() is memory a allocation failure it's safest + to avoid since the libssh2 error handling allocates memory. 
+ + Closes #3179 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (26 Oct 2018) +- docs/RELEASE-PROCEDURE: remove old entries, modify the Dec 2018 date + + ... I'm moving it up one week due to travels. The rest stays. + +- [Daniel Gustafsson brought this change] + + openssl: make 'done' a proper boolean + + Closes #3176 + +- gtls: Values stored to but never read + + Detected by clang-tidy + + Closes #3176 + +- [Alexey Eremikhin brought this change] + + curl.1: --ipv6 mutexes ipv4 (fixed typo) + + Fixes #3171 + Closes #3172 + +- tool_main: make TerminalSettings static + + Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/becfe1233ff2b6b0c3e1b6a10048b55b68c2539f#commitcomment-31008819 + Closes #3161 + +- curl-config.in: remove dependency on bc + + Reported-by: Dima Pasechnik + Fixes #3143 + Closes #3174 + +- [Gisle Vanem brought this change] + + rtmp: fix for compiling with lwIP + + Compiling on _WIN32 and with USE_LWIPSOCK, causes this error: + curl_rtmp.c(223,3): error: use of undeclared identifier 'setsockopt' + setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO, + ^ + curl_rtmp.c(41,32): note: expanded from macro 'setsockopt' + #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e) + ^ + Closes #3155 + +- configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T + + Follow-up to #3166 which did the cmake part of this. This type/define is + not used. + + Closes #3168 + +- [Ruslan Baratov brought this change] + + cmake: remove unused variables + + Remove variables: + * HAVE_SOCKLEN_T + * CURL_SIZEOF_CURL_SOCKLEN_T + * CURL_TYPEOF_CURL_SOCKLEN_T + + Closes #3166 + +Michael Kaufmann (25 Oct 2018) +- urldata: Fix comment in header + + The "connecting" function is used by multiple protocols, not only FTP + +- netrc: free temporary strings if memory allocation fails + + - Change the inout parameters after all needed memory has been + allocated. Do not change them if something goes wrong. 
+ - Free the allocated temporary strings if strdup() fails. + + Closes #3122 + +Daniel Stenberg (24 Oct 2018) +- [Ruslan Baratov brought this change] + + config: Remove unused SIZEOF_VOIDP + + Closes #3162 + +- RELEASE-NOTES: synced + +GitHub (23 Oct 2018) +- [Gisle Vanem brought this change] + + Fix for compiling with lwIP (3) + + lwIP on Windows does not have a WSAIoctl() function. + But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing. + +Daniel Stenberg (23 Oct 2018) +- Curl_follow: return better errors on URL problems + + ... by making the converter function global and accessible. + + Closes #3153 + +- Curl_follow: remove remaining free(newurl) + + Follow-up to 05564e750e8f0c. This function no longer frees the passed-in + URL. + + Reported-by: Michael Kaufmann + Bug: https://github.com/curl/curl/commit/05564e750e8f0c79016c680f301ce251e6e86155#commitcomm + ent-30985666 + +Daniel Gustafsson (23 Oct 2018) +- headers: end all headers with guard comment + + Most headerfiles end with a /* <headerguard> */ comment, but it was + missing from some. The comment isn't the most important part of our + code documentation but consistency has an intrinsic value in itself. + This adds header guard comments to the files that were lacking it. + + Closes #3158 + Reviewed-by: Jay Satiro <raysatiro@yahoo.com> + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Jay Satiro (23 Oct 2018) +- CIPHERS.md: Mention the options used to set TLS 1.3 ciphers + + Closes https://github.com/curl/curl/pull/3159 + +Daniel Stenberg (20 Oct 2018) +- docs/BUG-BOUNTY: the sponsors actually decide the amount + + Retract the previous approach as the sponsors will be the ones to set the + final amounts. + + Closes #3152 + [ci skip] + +- multi: avoid double-free + + Curl_follow() no longer frees the string. Make sure it happens in the + caller function, like we normally handle allocations. 
+ + This bug was introduced with the use of the URL API internally, it has + never been in a release version + + Reported-by: Dario Weißer + Closes #3149 + +- multi: make the closure handle "inherit" CURLOPT_NOSIGNAL + + Otherwise, closing that handle can still cause surprises! + + Reported-by: Martin Ankerl + Fixes #3138 + Closes #3147 + +Marcel Raad (19 Oct 2018) +- VS projects: add USE_IPV6 + + The Visual Studio builds didn't use IPv6. Add it to all projects since + Visual Studio 2008, which is verified to build via AppVeyor. + + Closes https://github.com/curl/curl/pull/3137 + +- config_win32: enable LDAPS + + As done in the autotools and CMake builds by default. + + Closes https://github.com/curl/curl/pull/3137 + +Daniel Stenberg (18 Oct 2018) +- travis: add build for "configure --disable-verbose" + + Closes #3144 + +Kamil Dudka (17 Oct 2018) +- tool_cb_hdr: handle failure of rename() + + Detected by Coverity. + + Closes #3140 + Reviewed-by: Jay Satiro + +Daniel Stenberg (17 Oct 2018) +- RELEASE-NOTES: synced + +- docs/SECURITY-PROCESS: the hackerone IBB program drops curl + + ... now there's only BountyGraph. + +Jay Satiro (16 Oct 2018) +- [Matthew Whitehead brought this change] + + x509asn1: Fix SAN IP address verification + + For IP addresses in the subject alternative name field, the length + of the IP address (and hence the number of bytes to perform a + memcmp on) is incorrectly calculated to be zero. The code previously + subtracted q from name.end. where in a successful case q = name.end + and therefore addrlen equalled 0. The change modifies the code to + subtract name.beg from name.end to calculate the length correctly. + + The issue only affects libcurl with GSKit SSL, not other SSL backends. + The issue is not a security issue as IP verification would always fail. 
+ + Fixes #3102 + Closes #3141 + +Daniel Gustafsson (15 Oct 2018) +- INSTALL: mention mesalink in TLS section + + Commit 57348eb97d1b8fc3742e02c6587d2d02ff592da5 added support for the + MesaLink vtls backend, but missed updating the TLS section containing + supported backends in the docs. + + Closes #3134 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Marcel Raad (14 Oct 2018) +- nonblock: fix unused parameter warning + + If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not + used. + +Michael Kaufmann (13 Oct 2018) +- Curl_follow: Always free the passed new URL + + Closes #3124 + +Viktor Szakats (12 Oct 2018) +- replace rawgit links [ci skip] + + Ref: https://rawgit.com/ "RawGit has reached the end of its useful life" + Ref: https://news.ycombinator.com/item?id=18202481 + Closes https://github.com/curl/curl/pull/3131 + +Daniel Stenberg (12 Oct 2018) +- docs/BUG-BOUNTY.md: for vulns published since Aug 1st 2018 + + [ci skip] + +- travis: make distcheck scan for BOM markers + + and remove BOM from projects/wolfssl_override.props + + Closes #3126 + +Marcel Raad (11 Oct 2018) +- CMake: remove BOM + + Accidentally aded in commit 1bb86057ff07083deeb0b00f8ad35879ec4d03ea. + + Reported-by: Viktor Szakats + Ref: https://github.com/curl/curl/pull/3120#issuecomment-428673136 + +Daniel Gustafsson (10 Oct 2018) +- transfer: fix typo in comment + +Michael Kaufmann (10 Oct 2018) +- docs: add "see also" links for SSL options + + - link TLS 1.2 and TLS 1.3 options + - link proxy and non-proxy options + + Closes #3121 + +Marcel Raad (10 Oct 2018) +- AppVeyor: remove BDIR variable that sneaked in again + + Removed in ae762e1abebe3a5fe75658583c85059a0957ef6e, accidentally added + again in 9f3be5672dc4dda30ab43e0152e13d714a84d762. + +- CMake: disable -Wpedantic-ms-format + + As done in the autotools build. This is required for MinGW, which + supports only %I64 for printing 64-bit values, but warns about it. 
+ + Closes https://github.com/curl/curl/pull/3120 + +Viktor Szakats (9 Oct 2018) +- ldap: show precise LDAP call in error message on Windows + + Also add a unique but common text ('bind via') to make it + easy to grep this specific failure regardless of platform. + + Ref: https://github.com/curl/curl/pull/878/files#diff-7a636f08047c4edb53a240f540b4ecf6R468 + Closes https://github.com/curl/curl/pull/3118 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + +Daniel Stenberg (9 Oct 2018) +- docs/DEPRECATE: minor reformat to render nicer on web + +Daniel Gustafsson (9 Oct 2018) +- CURLOPT_SSL_VERIFYSTATUS: Fix typo + + Changes s/OSCP/OCSP/ and bumps the copyright year due to the change. + +Marcel Raad (9 Oct 2018) +- curl_setup: define NOGDI on Windows + + This avoids an ERROR macro clash between <wingdi.h> and <arpa/tftp.h> + on MinGW. + + Closes https://github.com/curl/curl/pull/3113 + +- Windows: fixes for MinGW targeting Windows Vista + + Classic MinGW has neither InitializeCriticalSectionEx nor + GetTickCount64, independent of the target Windows version. + + Closes https://github.com/curl/curl/pull/3113 + +Daniel Stenberg (8 Oct 2018) +- TODO: fixed 'API for URL parsing/splitting' + +Daniel Gustafsson (8 Oct 2018) +- KNOWN_BUGS: Fix various typos + + Closes #3112 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Viktor Szakats (8 Oct 2018) +- spelling fixes [ci skip] + + as detected by codespell 1.14.0 + + Closes https://github.com/curl/curl/pull/3114 + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + +Daniel Stenberg (8 Oct 2018) +- RELEASE-NOTES: synced + +- curl_ntlm_wb: check aprintf() return codes + + ... when they return NULL we're out of memory and MUST return failure. + + closes #3111 + +- docs/BUG-BOUNTY: proposed additional docs + + Bug bounty explainer. 
See https://bountygraph.com/programs/curl + + Closes #3067 + +- [Rick Deist brought this change] + + hostip: fix check on Curl_shuffle_addr return value + + Closes #3110 + +- FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output + + Now FILE transfers send headers to the header callback like HTTP and + other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...) + work for FILE in the callbacks. + + Makes "curl -i file://.." and "curl -I file://.." work like before + again. Applied the bold header logic to them too. + + Regression from c1c2762 (7.61.0) + + Reported-by: Shaun Jackman + Fixes #3083 + Closes #3101 + +Daniel Gustafsson (7 Oct 2018) +- gskit: make sure to terminate version string + + In case a very small buffer was passed to the version function, it could + result in the buffer not being NULL-terminated since strncpy() doesn't + guarantee a terminator on an overflowed buffer. Rather than adding code + to terminate (and handle zero-sized buffers), move to using snprintf() + instead like all the other vtls backends. + + Closes #3105 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Viktor Szakats <commit@vszakats.net> + +- TODO: add LD_PRELOAD support on macOS + + Add DYLD_INSERT_LIBRARIES support to the TODO list. Reported in #2394. + +- runtests: skip ld_preload tests on macOS + + The LD_PRELOAD functionality doesn't exist on macOS, so skip any tests + requiring it. + + Fixes #2394 + Closes #3106 + Reported-by: Github user @jakirkham + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Marcel Raad (7 Oct 2018) +- AppVeyor: use Debug builds to run tests + + This enables more tests. + + Closes https://github.com/curl/curl/pull/3104 + +- AppVeyor: add HTTP_ONLY build + + Closes https://github.com/curl/curl/pull/3104 + +- AppVeyor: add WinSSL builds + + Use the oldest and latest Windows SDKs for them. + Also, remove all but one OpenSSL build. 
+ + Closes https://github.com/curl/curl/pull/3104 + +- AppVeyor: add remaining Visual Studio versions + + This adds Visual Studio 9 and 10 builds. + There's no 64-bit VC9 compiler on AppVeyor, so use it as the Win32 + build. Also, VC9 cannot be used for running the test suite. + + Closes https://github.com/curl/curl/pull/3104 + +- AppVeyor: break long line + + Closes https://github.com/curl/curl/pull/3104 + +- AppVeyor: remove unused BDIR variable + + Closes https://github.com/curl/curl/pull/3104 + +Daniel Stenberg (6 Oct 2018) +- test2100: test DoH using IPv4-only + + To make it only send one DoH request and avoid the race condition that + could lead to the requests getting sent in reversed order and thus + making it hard to compare in the test case. + + Fixes #3107 + Closes #3108 + +- tests/FILEFORMAT: mention how to use <fileN> and <stripfileN> too + + [ci skip] + +- RELEASE-NOTES: synced + +- [Dmitry Kostjuchenko brought this change] + + timeval: fix use of weak symbol clock_gettime() on Apple platforms + + Closes #3048 + +- doh: keep the IPv4 address in (original) network byte order + + Ideally this will fix the reversed order shown in SPARC tests: + + resp 8: Expected 127.0.0.1 got 1.0.0.127 + + Closes #3091 + +Jay Satiro (5 Oct 2018) +- INTERNALS.md: wrap lines longer than 79 + +Daniel Gustafsson (5 Oct 2018) +- INTERNALS: escape reference to parameter + + The parameter reference <string> was causing rendering issues in the + generated HTML page, as <string> isn't a valid HTML tag. Fix by back- + tick escaping it. + + Closes #3099 + Reviewed-by: Jay Satiro <raysatiro@yahoo.com> + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- checksrc: handle zero scoped ignore commands + + If a !checksrc! disable command specified to ignore zero errors, it was + still added to the ignore block even though nothing was ignored. 
While + there were no blocks ignored that shouldn't be ignored, the processing + ended with with a warning: + + <filename>:<line>:<col>: warning: Unused ignore: LONGLINE (UNUSEDIGNORE) + /* !checksrc! disable LONGLINE 0 */ + ^ + Fix by instead treating a zero ignore as a a badcommand and throw a + warning for that one. + + Closes #3096 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- checksrc: enable strict mode and warnings + + Enable strict and warnings mode for checksrc to ensure we aren't missing + anything due to bugs in the checking code. This uncovered a few things + which are all fixed in this commit: + + * several variables were used uninitialized + * several variables were not defined in the correct scope + * the whitelist filehandle was read even if the file didn't exist + * the enable_warn() call when a disable counter had expired was passing + incorrect variables, but since the checkwarn() call is unlikely to hit + (the counter is only decremented to zero on actual ignores) it didn't + manifest a problem. + + Closes #3090 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + +Marcel Raad (5 Oct 2018) +- CMake: suppress MSVC warning C4127 for libtest + + It's issued by older Windows SDKs (prior to version 8.0). + +Sergei Nikulov (5 Oct 2018) +- Merge branch 'dmitrykos-fix_missing_CMake_defines' + +- [Dmitry Kostjuchenko brought this change] + + cmake: test and set missed defines during configuration + + Added configuration checks for HAVE_BUILTIN_AVAILABLE and HAVE_CLOCK_GETTIME_MONOTONIC. + + Closes #3097 + +Marcel Raad (5 Oct 2018) +- AppVeyor: disable test 500 + + It almost always results in + "starttransfer vs total: 0.000001 0.000000". + I cannot reproduce this locally, so disable it for now. + + Closes https://github.com/curl/curl/pull/3100 + +- AppVeyor: set custom install prefix + + CMake's default has spaces and in 32-bit mode parentheses, which result + in syntax errors in curl-config. 
+ + Closes https://github.com/curl/curl/pull/3100 + +- AppVeyor: Remove non-SSL non-test builds + + They don't add much value. + + Closes https://github.com/curl/curl/pull/3100 + +- AppVeyor: run test suite + + Use the preinstalled MSYS2 bash for that. + Disable test 1139 as the CMake build doesn't generate curl.1. + + Ref: https://github.com/curl/curl/issues/3070#issuecomment-425922224 + Closes https://github.com/curl/curl/pull/3100 + +- AppVeyor: use in-tree build + + Required to run the tests. + + Closes https://github.com/curl/curl/pull/3100 + +Daniel Stenberg (4 Oct 2018) +- doh: make sure TTL isn't re-inited by second (discarded?) response + + Closes #3092 + +- test320: strip out more HTML when comparing + + To make the test case work with different gnutls-serv versions better. + + Reported-by: Kamil Dudka + Fixes #3093 + Closes #3094 + +Marcel Raad (4 Oct 2018) +- runtests: use Windows paths for Windows curl + + curl generated by CMake's Visual Studio generator has "Windows" in the + version number. + +Daniel Stenberg (4 Oct 2018) +- [Colin Hogben brought this change] + + tests/negtelnetserver.py: fix Python2-ism in neg TELNET server + + Fix problems caused by differences in treatment of bytes objects between + python2 and python3. + + Fixes #2929 + Closes #3080 + +Daniel Gustafsson (3 Oct 2018) +- memory: ensure to check allocation results + + The result of a memory allocation should always be checked, as we may + run under memory pressure where even a small allocation can fail. This + adds checking and error handling to a few cases where the allocation + wasn't checked for success. In the ftp case, the freeing of the path + variable is moved ahead of the allocation since there is little point + in keeping it around across the strdup, and the separation makes for + more readable code. In nwlib, the lock is aslo freed in the error path. + + Also bumps the copyright years on affected files. 
+ + Closes #3084 + Reviewed-by: Jay Satiro <raysatiro@yahoo.com> + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- comment: Fix multiple typos in function parameters + + Ensure that the parameters in the comment match the actual names in the + prototype. + + Closes #3079 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- CURLOPT_SSLVERSION.3: fix typos and consistent spelling + + Use TLS vX.Y throughout the document, instead of TLS X.Y, as that was + already done in all but a few cases. Also fix a few typos. + + Closes #3076 + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- SECURITY-PROCESS: make links into hyperlinks + + Use proper Markdown hyperlink format for the Bountygraph links in order + for the generated website page to be more user friendly. Also link to + the sponsors to give them a little extra credit. + + Closes #3082 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Jay Satiro (3 Oct 2018) +- CURLOPT_HEADER.3: fix typo + +- nss: fix nssckbi module loading on Windows + + - Use .DLL extension instead of .so to load modules on Windows. + + Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html + Reported-by: Maxime Legros + + Ref: https://github.com/curl/curl/pull/3016/#issuecomment-423069442 + + Closes https://github.com/curl/curl/pull/3086 + +- data-binary.d: clarify default content-type is x-www-form-urlencoded + + - Advise user that --data-binary sends a default content type of + x-www-form-urlencoded, and to have the data treated as arbitrary + binary data by the server set the content-type header to octet-stream. 
+ + Ref: https://github.com/curl/curl/pull/2852#issuecomment-426465094 + + Closes https://github.com/curl/curl/pull/3085 + +Marcel Raad (2 Oct 2018) +- test1299: use single quotes around asterisk + + Ref: https://github.com/curl/curl/issues/1751#issuecomment-321522580 + +Daniel Stenberg (2 Oct 2018) +- docs/CIPHERS: mention the colon separation for OpenSSL + + Bug: #3077 + +- runtests: ignore disabled even when ranges are given + + runtests.pl support running a range of tests, like "44 to 127". Starting + now, the code makes sure that even such given ranges will ignore tests + that are marked as disabled. + + Disabled tests can still be run by explictly specifying that test + number. + + Closes #3075 + +- urlapi: starting with a drive letter on win32 is not an abs url + + ... and libcurl doesn't support any single-letter URL schemes (if there + even exist any) so it should be fairly risk-free. + + Reported-by: Marcel Raad + + Fixes #3070 + Closes #3071 + +Marcel Raad (2 Oct 2018) +- doh: fix curl_easy_setopt argument type + + CURLOPT_POSTFIELDSIZE is long. Fixes a compiler warning on 64-bit + MinGW. + +Daniel Stenberg (2 Oct 2018) +- RELEASE-NOTES: synced + +Jay Satiro (1 Oct 2018) +- [Ruslan Baratov brought this change] + + CMake: Improve config installation + + Use 'GNUInstallDirs' standard module to set destinations of installed + files. + + Use uppercase "CURL" names instead of lowercase "curl" to match standard + 'FindCURL.cmake' CMake module: + * https://cmake.org/cmake/help/latest/module/FindCURL.html + + Meaning: + * Install 'CURLConfig.cmake' instead of 'curl-config.cmake' + * User should call 'find_package(CURL)' instead of 'find_package(curl)' + + Use 'configure_package_config_file' function to generate + 'CURLConfig.cmake' file. This will make 'curl-config.cmake.in' template + file smaller and handle components better. E.g. 
current configuration + report no error if user specified unknown components (note: new + configuration expects no components, report error if user will try to + specify any). + + Closes https://github.com/curl/curl/pull/2849 + +Daniel Stenberg (1 Oct 2018) +- test1650: make it depend on http/2 + + Follow-up to 570008c99da0ccbb as it gets link errors. + + Reported-by: Michael Kaufmann + Closes #3068 + +- [Nate Prewitt brought this change] + + MANUAL: minor grammar fix + + Noticed a typo reading through the docs. + + Closes #3069 + +- doh: only build if h2 enabled + + The DoH spec says "HTTP/2 [RFC7540] is the minimum RECOMMENDED version + of HTTP for use with DoH". + + Reported-by: Marcel Raad + Closes #3066 + +- test2100: require http2 to run + + Reported-by: Marcel Raad + Fixes #3064 + Closes #3065 + +- multi: fix memory leak in content encoding related error path + + ... a missing multi_done() call. + + Credit to OSS-Fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10728 + Closes #3063 + +- travis: bump the Secure Transport build to use xcode 10 + + Due to an issue with travis + (https://github.com/travis-ci/travis-ci/issues/9956) we've been using + Xcode 9.2 for darwinssl builds for a while. Now xcode 10 is offered as + an alternative and as it builds curl+darwinssl fine that seems like a + better choice. + + Closes #3062 + +- [Rich Turner brought this change] + + curl: enabled Windows VT Support and UTF-8 output + + Enabled Console VT support (if running OS supports VT) in tool_main.c. + + Fixes #3008 + Closes #3011 + +- multi: fix location URL memleak in error path + + Follow-up to #3044 - fix a leak OSS-Fuzz detected + Closes #3057 + +Sergei Nikulov (28 Sep 2018) +- cmake: fixed path used in generation of docs/tests during curl build through add_subdicectory(...) 
+ +- [Brad King brought this change] + + cmake: Backport to work with CMake 3.0 again + + Changes in commit 7867aaa9a0 (cmake: link curl to the OpenSSL targets + instead of lib absolute paths, 2018-07-17) and commit f826b4ce98 (cmake: + bumped minimum version to 3.4, 2018-07-19) required CMake 3.4 to fix + issue #2746. This broke support for users on older versions of CMake + even if they just want to build curl and do not care whether transitive + dependencies work. + + Backport the logic to work with CMake 3.0 again by implementing the + fix only when the version of CMake is at least 3.4. + +Marcel Raad (27 Sep 2018) +- curl_threads: fix classic MinGW compile break + + Classic MinGW still has _beginthreadex's return type as unsigned long + instead of uintptr_t [0]. uintptr_t is not even defined because of [1]. + + [0] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l167 + [1] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l90 + + Bug: https://github.com/curl/curl/issues/2924#issuecomment-424334807 + Closes https://github.com/curl/curl/pull/3051 + +Daniel Stenberg (26 Sep 2018) +- configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE + + fix a few leftovers + + Fixes #3006 + Closes #3049 + +- [Doron Behar brought this change] + + example/htmltidy: fix include paths of tidy libraries + + Closes #3050 + +- RELEASE-NOTES: synced + +- Curl_http2_done: fix memleak in error path + + Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for + early failures. + + Detected by OSS-Fuzz + + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669 + Closes #3046 + +- http: fix memleak in rewind error path + + If the rewind would fail, a strdup() would not get freed. 
+ + Detected by OSS-Fuzz + + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665 + Closes #3044 + +Viktor Szakats (24 Sep 2018) +- test320: fix regression in [ci skip] + + The value in question is coming directly from `gnutls-serv`, so it cannot + be modified freely. + + Reported-by: Marcel Raad + Ref: https://github.com/curl/curl/commit/6ae6b2a533e8630afbb21f570305bd4ceece6348#commitcomment-30621004 + +Daniel Stenberg (24 Sep 2018) +- Curl_retry_request: fix memory leak + + Detected by OSS-Fuzz + + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10648 + Closes #3042 + +- openssl: load built-in engines too + + Regression since 38203f1 + + Reported-by: Jean Fabrice + Fixes #3023 + Closes #3040 + +- [Christian Heimes brought this change] + + OpenSSL: enable TLS 1.3 post-handshake auth + + OpenSSL 1.1.1 requires clients to opt-in for post-handshake + authentication. + + Fixes: https://github.com/curl/curl/issues/3026 + 
Signed-off-by: Christian Heimes <christian@python.org> + + Closes https://github.com/curl/curl/pull/3027 + +- [Even Rouault brought this change] + + Curl_dedotdotify(): always nul terminate returned string. + + This fixes potential out-of-buffer access on "file:./" URL + + $ valgrind curl "file:./" + ==24516== Memcheck, a memory error detector + ==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. + ==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info + ==24516== Command: /home/even/install-curl-git/bin/curl file:./ + ==24516== + ==24516== Conditional jump or move depends on uninitialised value(s) + ==24516== at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) + ==24516== by 0x4EBB315: seturl (urlapi.c:801) + ==24516== by 0x4EBB568: parseurl (urlapi.c:861) + ==24516== by 0x4EBC509: curl_url_set (urlapi.c:1199) + ==24516== by 0x4E644C6: parseurlandfillconn (url.c:2044) + ==24516== by 0x4E67AEF: create_conn (url.c:3613) + ==24516== by 0x4E68A4F: Curl_connect (url.c:4119) + ==24516== by 0x4E7F0A4: multi_runsingle (multi.c:1440) + ==24516== by 0x4E808E5: curl_multi_perform (multi.c:2173) + ==24516== by 0x4E7558C: easy_transfer (easy.c:686) + ==24516== by 0x4E75801: easy_perform (easy.c:779) + ==24516== by 0x4E75868: curl_easy_perform (easy.c:798) + + Was originally spotted by + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637 + Credit to OSS-Fuzz + + Closes #3039 + +Viktor Szakats (23 Sep 2018) +- update URLs in tests + + - and one in docs/MANUAL as well + + Closes https://github.com/curl/curl/pull/3038 + +- whitespace fixes + + - replace tabs with spaces where possible + - remove line ending spaces + - remove double/triple newlines at EOF + - fix a non-UTF-8 character + - cleanup a few indentations/line continuations + in manual examples + + Closes https://github.com/curl/curl/pull/3037 + +Daniel Stenberg (23 Sep 2018) +- http: add missing return code check + + Detected by Coverity. 
CID 1439610. + + Follow-up from 46e164069d1a523 + + Closes #3034 + +- ftp: don't access pointer before NULL check + + Detected by Coverity. CID 1439611. + + Follow-up from 46e164069d1a523 + +- unit1650: fix out of boundary access + + Fixes #2987 + Closes #3035 + +Viktor Szakats (23 Sep 2018) +- docs/examples: URL updates + + - also update two URLs outside of docs/examples + - fix spelling of filename persistant.c + - fix three long lines that started failing checksrc.pl + + Closes https://github.com/curl/curl/pull/3036 + +- examples/Makefile.m32: sync with core [ci skip] + + also: + - fix two warnings in synctime.c (one of them Windows-specific) + - upgrade URLs in synctime.c and remove a broken one + + Closes https://github.com/curl/curl/pull/3033 + +Daniel Stenberg (22 Sep 2018) +- examples/parseurl.c: show off the URL API a bit + + Closes #3030 + +- SECURITY-PROCESS: mention the bountygraph program [ci skip] + + Closes #3032 + +- url: use the URL API internally as well + + ... to make it a truly unified URL parser. + + Closes #3017 + +Viktor Szakats (22 Sep 2018) +- URL and mailmap updates, remove an obsolete directory [ci skip] + + Closes https://github.com/curl/curl/pull/3031 + +Daniel Stenberg (22 Sep 2018) +- RELEASE-NOTES: synced + +- configure: force-use -lpthreads on HPUX + + When trying to detect pthreads use on HPUX the checks will succeed + without the correct -l option but then end up failing at run-time. + + Reported-by: Eason-Yu on github + Fixes #2697 + Closes #3025 + +- [Erik Minekus brought this change] + + Curl_saferealloc: Fixed typo in docblock + + Closes #3029 + +- urlapi: fix support for address scope in IPv6 numerical addresses + + Closes #3024 + +- [Loganaden Velvindron brought this change] + + GnutTLS: TLS 1.3 support + + Closes #2971 + +- TODO: c-ares and CURLOPT_OPENSOCKETFUNCTION + + Removed DoH. 
+ + Closes #2734 + +Jay Satiro (20 Sep 2018) +- vtls: fix ssl version "or later" behavior change for many backends + + - Treat CURL_SSLVERSION_MAX_NONE the same as + CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use + the minimum version also as the maximum. + + This is a follow-up to 6015cef which changed the behavior of setting + the SSL version so that the requested version would only be the minimum + and not the maximum. It appears it was (mostly) implemented in OpenSSL + but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to + mean use just TLS v1.0 and now it means use TLS v1.0 *or later*. + + - Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL. + + Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was + erroneously treated as always TLS 1.3, and would cause an error if + OpenSSL was built without TLS 1.3 support. + + Co-authored-by: Daniel Gustafsson + + Fixes https://github.com/curl/curl/issues/2969 + Closes https://github.com/curl/curl/pull/3012 + +Daniel Stenberg (20 Sep 2018) +- certs: generate tests certs with sha256 digest algorithm + + As OpenSSL 1.1.1 starts to complain and fail on sha1 CAs: + + "SSL certificate problem: CA signature digest algorithm too weak" + + Closes #3014 + +- urlapi: document the error codes, remove two unused ones + + Assisted-by: Daniel Gustafsson + Closes #3019 + +- urlapi: add CURLU_GUESS_SCHEME and fix hostname acceptance + + In order for this API to fully work for libcurl itself, it now offers a + CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host + name prefix just like libcurl always did. If there's no known prefix, it + will guess "http://". + + Separately, it relaxes the check of the host name so that IDN host names + can be passed in as well. + + Both these changes are necessary for libcurl itself to use this API. 
+ + Assisted-by: Daniel Gustafsson + Closes #3018 + +Kamil Dudka (19 Sep 2018) +- nss: try to connect even if libnssckbi.so fails to load + + One can still use CA certificates stored in NSS database. + + Reported-by: Maxime Legros + Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html + + Closes #3016 + +Daniel Gustafsson (19 Sep 2018) +- urlapi: don't set value which is never read + + In the CURLUPART_URL case, there is no codepath which invokes url + decoding so remove the assignment of the urldecode variable. This + fixes the deadstore bug-report from clang static analysis. + + Closes #3015 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- todo: Update reference to already done item + + TODO item 1.1 was implemented in commit 946ce5b61f, update reference + to it with instead referencing the implemented option. + + Closes #3013 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (18 Sep 2018) +- RELEASE-NOTES: synced + +- [slodki brought this change] + + cmake: don't require OpenSSL if USE_OPENSSL=OFF + + User must have OpenSSL installed even if not used by libcurl at all + since 7.61.1 release. Broken at + 7867aaa9a01decf93711428462335be8cef70212 + + Reviewed-by: Sergei Nikulov + Closes #3001 + +- curl_multi_wait: call getsock before figuring out timeout + + .... since getsock may update the expiry timer. + + Fixes #2996 + Closes #3000 + +- examples/http2-pushinmemory: receive HTTP/2 pushed files in memory + + Closes #3004 + +Daniel Gustafsson (18 Sep 2018) +- darwinssl: Fix realloc memleak + + The reallocation was using the input pointer for the return value, which + leads to a memory leak on reallication failure. Fix by instead use the + safe internal API call Curl_saferealloc(). 
+ + Closes #3005 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Nick Zitzmann <nickzman@gmail.com> + +- [Kruzya brought this change] + + examples: Fix memory leaks from realloc errors + + Make sure to not overwrite the reallocated pointer in realloc() calls + to avoid a memleak on memory errors. + +- memory: add missing curl_printf header + + ftp_send_command() was using vsnprintf() without including the libcurl + *rintf() replacement header. Fix by including curl_printf.h and also + add curl_memory.h while at it since memdebug.h depends on it. + + Closes #2999 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (16 Sep 2018) +- [Si brought this change] + + curl: update --tlsv* descriptions in --help output + + Closes #2994 + +- http: made Curl_add_buffer functions take a pointer-pointer + + ... so that they can clear the original pointer on failure, which makes + the error-paths and their cleanups easier. + + Closes #2992 + +- http2: fix memory leaks on error-path + +- [Rikard Falkeborn brought this change] + + libtest: Add chkdecimalpoint to .gitignore + + Closes #2998 + +Viktor Szakats (14 Sep 2018) +- secure Openwall URLs + +Daniel Stenberg (14 Sep 2018) +- openssl: show "proper" version number for libressl builds + + Closes #2989 + +- [Rainer Jung brought this change] + + openssl: assume engine support in 0.9.8 or later + + Fixes #2983 + Closes #2988 + +Daniel Gustafsson (13 Sep 2018) +- sendf: use failf() rather than Curl_failf() + + The failf() macro is the name used for invoking Curl_failf(). While + there isn't a way to turn off failf like there is for infof, but it's + still a good idea to use the macro. + + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- sendf: Fix whitespace in infof/failf concatenation + + Strings broken on multiple rows in the .c file need to have appropriate + whitespace padding on either side of the concatenation point to render + a correct amalgamated string. 
Fix by adding a space at the occurrences + found. + + Closes #2986 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- krb5: fix memory leak in krb_auth + + The FTP command allocated by aprintf() must be freed after usage. + + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- ftp: include command in Curl_ftpsend sendbuffer + + Commit 8238ba9c5f10414a88f502bf3f5d5a42d632984c inadvertently removed + the actual command to be sent from the send buffer in a refactoring. + Add back copying the command into the buffer. Also add more guards + against malformed input while at it. + + Closes #2985 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- ntlm_wb: Fix memory leaks in ntlm_wb_response + + When erroring out on a request being too large, the existing buffer was + leaked. Fix by explicitly freeing on the way out. + + Closes #2966 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (13 Sep 2018) +- [Yiming Jing brought this change] + + travis: build the MesaLink vtls backend with MesaLink 0.7.1 + +- [Yiming Jing brought this change] + + runtests.pl: run tests against the MesaLink vtls backend + +- [Yiming Jing brought this change] + + vtls: add a MesaLink vtls backend + + Closes #2984 + +- [Yiming Jing brought this change] + + configure.ac: add a MesaLink vtls backend + +- [Dave Reisner brought this change] + + curl_url_set.3: properly escape \n in example code + + This yields + + "the scheme is %s\n" + + instead of + + "the scheme is %s0 + + Closes #2970 + +- [Dave Reisner brought this change] + + curl_url_set.3: fix typo in reference to CURLU_APPENDQUERY + +- urlglob: improve error message + + to help user understand what the problem is + + Reported-by: Daniel Shahaf + + Fixes #2763 + Closes #2977 + +- [Yiming Jing brought this change] + + tests/certs: rebuild certs with 2048-bit RSA keys + + The previous test certificates contained RSA keys of only 1024 bits. 
+ However, RSA claims that 1024-bit RSA keys are likely to become + crackable some time before 2010. The NIST recommends at least 2048-bit + keys for RSA for now. + + Better use full 2048 also for testing. + + Closes #2973 + +Daniel Gustafsson (12 Sep 2018) +- TODO: fix typo in item + + Closes #2968 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Marcel Raad (12 Sep 2018) +- anyauthput: fix compiler warning on 64-bit Windows + + On Windows, the read function from <io.h> is used, which has its byte + count parameter as unsigned int instead of size_t. + + Closes https://github.com/curl/curl/pull/2972 + +Viktor Szakats (12 Sep 2018) +- lib: fix gcc8 warning on Windows + + Closes https://github.com/curl/curl/pull/2979 + +Jay Satiro (12 Sep 2018) +- openssl: fix gcc8 warning + + - Use memcpy instead of strncpy to copy a string without termination, + since gcc8 warns about using strncpy to copy as many bytes from a + string as its length. + + Suggested-by: Viktor Szakats + + Closes https://github.com/curl/curl/issues/2980 + +Daniel Stenberg (10 Sep 2018) +- libcurl-url.3: overview man page for the URL API + + Closes #2967 + +- example/asiohiper: insert warning comment about its status + + This example is simply not working correctly but there's nobody around + with the skills and energy to fix it. + + Closes #2407 + +Kamil Dudka (10 Sep 2018) +- docs/cmdline-opts: update the documentation of --tlsv1.0 + + ... to reflect the changes in 6015cefb1b2cfde4b4850121c42405275e5e77d9 + + Closes #2955 + +- docs/examples: do not wait when no transfers are running + + Closes #2948 + +Daniel Stenberg (10 Sep 2018) +- [Daniel Gustafsson brought this change] + + cookies: Move failure case label to end of function + + Rather than jumping backwards to where failure cleanup happens + to be performed, move the failure case to end of the function + where it is expected per existing coding convention. 
+ + Closes #2965 + +- [Daniel Gustafsson brought this change] + + misc: fix typos in comments + + Closes #2963 + +- [Daniel Gustafsson brought this change] + + cookies: fix leak when writing cookies to file + + If the formatting fails, we error out on a fatal error and + clean up on the way out. The array was however freed within + the wrong scope and was thus never freed in case the cookies + were written to a file instead of STDOUT. + + Closes #2957 + +- [Daniel Gustafsson brought this change] + + cookies: Remove redundant expired check + + Expired cookies have already been purged at a later expiration time + before this check, so remove the redundant check. + + closes #2962 + +- ntlm_wb: bail out if the response gets overly large + + Exit the realloc() loop if the response turns out ridiculously large to + avoid worse problems. + + Reported-by: Harry Sintonen + Closes #2959 + +- [Daniel Gustafsson brought this change] + + url.c: fix comment typo and indentation + + Closes #2960 + +- urlapi: avoid derefencing a possible NULL pointer + + Coverity CID 1439134 + +- RELEASE-NOTES: synced + +Marcel Raad (8 Sep 2018) +- test324: fix after 3f3b26d6feb0667714902e836af608094235fca2 + + The expected error code is now 60. 51 is dead. + +Daniel Stenberg (8 Sep 2018) +- curl_url_set.3: correct description + +- curl_url-docs: fix AVAILABILITY as Added in curl 7.62.0 + +- URL-API + + See header file and man pages for API. All documented API details work + and are tested in the 1560 test case. + + Closes #2842 + +- curl_easy_upkeep: removed 'conn' from the name + + ... including the associated option. + + Fixes #2951 + Closes #2952 + +- [Max Dymond brought this change] + + upkeep: add a connection upkeep API: curl_easy_conn_upkeep() + + Add functionality so that protocols can do custom keepalive on their + connections, when an external API function is called. 
+ + Add docs for the new options in 7.62.0 + + Closes #1641 + +- [Philipp Waehnert brought this change] + + configure: add option to disable automatic OpenSSL config loading + + Sometimes it may be considered a security risk to load an external + OpenSSL configuration automatically inside curl_global_init(). The + configuration option --disable-ssl-auto-load-config disables this + automatism. The Windows build scripts winbuild/Makefile.vs provide a + corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean + value. + + Setting neither of these options corresponds to the previous behavior + loading the external OpenSSL configuration automatically. + + Fixes #2724 + Closes #2791 + +- doh: minor edits to please Coverity + + The gcc typecheck macros and coverity combined made it warn on the 2nd + argument for ERROR_CHECK_SETOPT(). Here's minor rearrange to please it. + + Coverity CID 1439115 and CID 1439114. + +- schannel: avoid switch-cases that go to default anyway + + SEC_E_APPLICATION_PROTOCOL_MISMATCH isn't defined in some versions of + mingw and would require an ifdef otherwise. + + Reported-by: Thomas Glanzmann + Approved-by: Marc Hörsken + Bug: https://curl.haxx.se/mail/lib-2018-09/0020.html + Closes #2950 + +- [Nicklas Avén brought this change] + + imap: change from "FETCH" to "UID FETCH" + + ... and add "MAILINDEX". + + As described in #2789, this is a suggested solution. Changing UID=xx to + actually get mail with UID xx and add "MAILINDEX" to get a mail with a + special index in the mail box (old behavior). So MAILINDEX=1 gives the + first non deleted mail in the mail box. + + Fixes #2789 + Closes #2815 + +- CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size + + This is step 3 of #2888. 
+ + Fixes #2888 + Closes #2896 + +- travis: add the DOH tests to the torture testing + +- DOH: add test case 1650 and 2100 + +- curl: --doh-url added + +- setopt: add CURLOPT_DOH_URL + + Closes #2668 + +- [Han Han brought this change] + + ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code + + Long live CURLE_PEER_FAILED_VERIFICATION + +- [Han Han brought this change] + + x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert + + CURLE_PEER_FAILED_VERIFICATION makes more sense because Curl_parseX509 + does not allocate memory internally as its first argument is a pointer + to the certificate structure. The same error code is also returned by + Curl_verifyhost when its call to Curl_parseX509 fails so the change + makes error handling more consistent. + +- [Han Han brought this change] + + openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer + + Failure to extract the issuer name from the server certificate should + return a more specific error code like on other TLS backends. + +- [Han Han brought this change] + + schannel: unified error code handling + + Closes #2901 + +- [Han Han brought this change] + + darwinssl: more specific and unified error codes + + Closes #2901 + +- CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated + + Disable the CURLOPT_DNS_USE_GLOBAL_CACHE option and mark it for + deprecation and complete removal in six months. + + Bug: https://curl.haxx.se/mail/lib-2018-09/0010.html + Closes #2942 + +- url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled + + Closes #2709 + +- multiplex: enable by default + + Starting 7.62.0, multiplexing is enabled by default in multi handles. + +- [Jim Fuller brought this change] + + tests: add unit tests for url.c + + Approved-by: Daniel Gustafsson + Closes #2937 + +- test1452: mark as flaky + + makes it not run in the CI builds + + Closes #2941 + +- pipelining: deprecated + + Transparently. 
The related curl_multi_setopt() options all still returns + OK when pipelining is selected. + + To re-enable the support, the single line change in lib/multi.c needs to + be reverted. + + See docs/DEPRECATE.md + + Closes #2705 + +- RELEASE-NOTES: start working on 7.62.0 + +Version 7.61.1 (4 Sep 2018) + +Daniel Stenberg (4 Sep 2018) +- THANKS: 7.61.1 status + +- RELEASE-NOTES: 7.61.1 + +- Curl_getoff_all_pipelines: ignore unused return values + + Since scan-build would warn on the dead "Dead store/Dead increment" + +Viktor Szakats (4 Sep 2018) +- sftp: fix indentation + +Daniel Stenberg (4 Sep 2018) +- [Przemysław Tomaszewski brought this change] + + sftp: don't send post-qoute sequence when retrying a connection + + Fixes #2939 + Closes #2940 + +Kamil Dudka (3 Sep 2018) +- url, vtls: make CURLOPT{,_PROXY}_TLS13_CIPHERS work + + This is a follow-up to PR #2607 and PR #2926. + + Closes #2936 + +Daniel Stenberg (3 Sep 2018) +- [Jay Satiro brought this change] + + tool_operate: Add http code 408 to transient list for --retry + + - Treat 408 request timeout as transient so that curl will retry the + request if --retry was used. + + Closes #2925 + +- [Jay Satiro brought this change] + + openssl: Fix setting TLS 1.3 cipher suites + + The flag indicating TLS 1.3 cipher support in the OpenSSL backend was + missing. + + Bug: https://github.com/curl/curl/pull/2607#issuecomment-417283187 + Reported-by: Kamil Dudka + + Closes #2926 + +- Curl_ntlm_core_mk_nt_hash: return error on too long password + + ... since it would cause an integer overflow if longer than (max size_t + / 2). + + This is CVE-2018-14618 + + Bug: https://curl.haxx.se/docs/CVE-2018-14618.html + Closes #2756 + Reported-by: Zhaoyang Wu + +- [Rikard Falkeborn brought this change] + + http2: Use correct format identifier for stream_id + + Closes #2928 + +Marcel Raad (2 Sep 2018) +- test1148: fix precheck output + + "precheck command error" is not very helpful. 
+ +Daniel Stenberg (1 Sep 2018) +- all: s/int/size_t cleanup + + Assisted-by: Rikard Falkeborn + + Closes #2922 + +- ssh-libssh: use FALLTHROUGH to silence gcc8 + +Jay Satiro (31 Aug 2018) +- tool_operate: Fix setting proxy TLS 1.3 ciphers + +Daniel Stenberg (31 Aug 2018) +- [Daniel Gustafsson brought this change] + + cookies: support creation-time attribute for cookies + + According to RFC6265 section 5.4, cookies with equal path lengths + SHOULD be sorted by creation-time (earlier first). This adds a + creation-time record to the cookie struct in order to make cookie + sorting more deterministic. The creation-time is defined as the + order of the cookies in the jar, the first cookie read fro the + jar being the oldest. The creation-time is thus not serialized + into the jar. Also remove the strcmp() matching in the sorting as + there is no lexicographic ordering in RFC6265. Existing tests are + updated to match. + + Closes #2524 + +Marcel Raad (31 Aug 2018) +- Don't use Windows path %PWD for SSH tests + + All these tests failed on Windows because something like + sftp://%HOSTIP:%SSHPORT%PWD/ + expanded to + sftp://127.0.0.1:1234c:/msys64/home/bla/curl + and then curl complained about the port number ending with a letter. + + Use the original POSIX path instead of the Windows path created in + checksystem to fix this. + + Closes https://github.com/curl/curl/pull/2920 + +Jay Satiro (29 Aug 2018) +- CURLOPT_SSL_CTX_FUNCTION.3: clarify connection reuse warning + + Reported-by: Daniel Stenberg + + Closes https://github.com/curl/curl/issues/2916 + +Daniel Stenberg (28 Aug 2018) +- THANKS-filter: dedup Daniel Jeliński + +- RELEASE-NOTES: synced + +- CURLOPT_ACCEPT_ENCODING.3: list them comma-separated [ci skip] + +- CURLOPT_SSL_CTX_FUNCTION.3: might cause unintended connection reuse [ci skip] + + Added a warning! 
+ + Closes #2915 + +- curl: fix time-of-check, time-of-use race in dir creation + + Patch-by: Jay Satiro + Detected by Coverity + Fixes #2739 + Closes #2912 + +- cmdline-opts/page-footer: fix edit mistake + + There was a missing newline. + + follow-up to a7ba60bb7250 + +- docs: clarify NO_PROXY env variable functionality + + Reported-by: Kirill Marchuk + Fixes #2773 + Closes #2911 + +Marcel Raad (24 Aug 2018) +- lib1522: fix curl_easy_setopt argument type + + CURLOPT_POSTFIELDSIZE is a long option. + +- curl_threads: silence bad-function-cast warning + + As uintptr_t and HANDLE are always the same size, this warning is + harmless. Just silence it using an intermediate uintptr_t variable. + + Closes https://github.com/curl/curl/pull/2908 + +Daniel Stenberg (24 Aug 2018) +- README: add appveyor build badge [ci skip] + + Closes #2913 + +- [Ihor Karpenko brought this change] + + schannel: client certificate store opening fix + + 1) Using CERT_STORE_OPEN_EXISTING_FLAG ( or CERT_STORE_READONLY_FLAG ) + while opening certificate store would be sufficient in this scenario and + less-demanding in sense of required user credentials ( for example, + IIS_IUSRS will get "Access Denied" 0x05 error for existing CertOpenStore + call without any of flags mentioned above ), + + 2) as 'cert_store_name' is a DWORD, attempt to format its value like a + string ( in "Failed to open cert store" error message ) will throw null + pointer exception + + 3) adding GetLastError(), in my opinion, will make error message more + useful. + + Bug: https://curl.haxx.se/mail/lib-2018-08/0198.html + + Closes #2909 + +- [Leonardo Taccari brought this change] + + gopher: Do not translate `?' to `%09' + + Since GOPHER support was added in curl `?' character was automatically + translated to `%09' (`\t'). + + However, this behaviour does not seems documented in RFC 4266 and for + search selectors it is documented to directly use `%09' in the URL. 
+ Apart that several gopher servers in the current gopherspace have CGI + support where `?' is used as part of the selector and translating it to + `%09' often leads to surprising results. + + Closes #2910 + +Marcel Raad (23 Aug 2018) +- cookie tests: treat files as text + + Fixes test failures because of wrong line endings on Windows. + +Daniel Stenberg (23 Aug 2018) +- libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation + + Multi-threaded applictions basically MUST set CURLOPT_NO_SIGNAL to 1L to + avoid the risk of getting a SIGPIPE. + + Either way, a multi-threaded application that uses libcurl/openssl needs + to have a signhandler for or ignore SIGPIPE on its own. + + Based on discussions in #2800 + Closes #2904 + +- RELEASE-NOTES: synced + +Marcel Raad (22 Aug 2018) +- Tests: fixes for Windows + + - test 1268 requires unix sockets + - test 2072 must be disabled also for MSYS/MinGW + +Daniel Stenberg (22 Aug 2018) +- http2: abort the send_callback if not setup yet + + When Curl_http2_done() gets called before the http2 data is setup all + the way, we cannot send anything and this should just return an error. + + Detected by OSS-Fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10012 + +- http2: remove four unused nghttp2 callbacks + + Closes #2903 + +- x509asn1: use FALLTHROUGH + + ... as no other comments are accepted since 014ed7c22f51463 + +Marcel Raad (21 Aug 2018) +- test1148: disable if decimal separator is not point + + Modifying the locale with environment variables doesn't work for native + Windows applications. Just disable the test in this case if the decimal + separator is something different than a point. Use a precheck with a + small C program to achieve that. 
+ + Closes https://github.com/curl/curl/pull/2786 + +- Enable more GCC warnings + + This enables the following additional warnings: + -Wold-style-definition + -Warray-bounds=2 instead of the default 1 + -Wformat=2, but only for GCC 4.8+ as Wno-format-nonliteral is not + respected for older versions + -Wunused-const-variable, which enables level 2 instead of the default 1 + -Warray-bounds also in debug mode through -ftree-vrp + -Wnull-dereference also in debug mode through + -fdelete-null-pointer-checks + + Closes https://github.com/curl/curl/pull/2747 + +- curl-compilers: enable -Wimplicit-fallthrough=4 for GCC + + This enables level 4 instead of the default level 3, which of the + currently used comments only allows /* FALLTHROUGH */ to silence the + warning. + + Closes https://github.com/curl/curl/pull/2747 + +- curl-compilers: enable -Wbad-function-cast on GCC + + This warning used to be enabled only for clang as it's a bit stricter + on GCC. Silence the remaining occurrences and enable it on GCC too. + + Closes https://github.com/curl/curl/pull/2747 + +- configure: conditionally enable pedantic-errors + + Enable pedantic-errors for GCC >= 5 with --enable-werror. Before GCC 5, + pedantic-errors was synonymous to -Werror=pedantic [0], which is still + the case for clang [1]. With GCC 5, it became complementary [2]. + + Also fix a resulting error in acinclude.m4 as main's return type was + missing, which is illegal in C99. + + [0] https://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Warning-Options.html + [1] https://clang.llvm.org/docs/UsersManual.html#options-to-control-error-and-warning-messages + [2] https://gcc.gnu.org/onlinedocs/gcc-5.1.0/gcc/Warning-Options.html + + Closes https://github.com/curl/curl/pull/2747 + +- Remove unused definitions + + Closes https://github.com/curl/curl/pull/2747 + +Daniel Stenberg (21 Aug 2018) +- x509asn1: make several functions static + + and remove the private SIZE_T_MAX define and use the generic one. 
+ + Closes #2902 + +- INTERNALS: require GnuTLS >= 2.11.3 + + Since the public pinning support was brought in e644866caf4. GnuTLS + 2.11.3 was released in October 2010. + + Figured out in #2890 + +- http2: avoid set_stream_user_data() before stream is assigned + + ... before the stream is started, we have it set to -1. + + Fixes #2894 + Closes #2898 + +- SSLCERTS: improve the openssl command line + + ... for extracting certs from a live HTTPS server to make a cacerts.pem + from them. + +- docs/SECURITY-PROCESS: now we name the files after the CVE id + +- RELEASE-NOTES: synced + +- upload: change default UPLOAD_BUFSIZE to 64KB + + To make uploads significantly faster in some circumstances. + + Part 2 of #2888 + Closes #2892 + +- upload: allocate upload buffer on-demand + + Saves 16KB on the easy handle for operations that don't need that + buffer. + + Part 1 of #2888 + +- [Laurent Bonnans brought this change] + + vtls: reinstantiate engine on duplicated handles + + Handles created with curl_easy_duphandle do not use the SSL engine set + up in the original handle. This fixes the issue by storing the engine + name in the internal url state and setting the engine from its name + inside curl_easy_duphandle. + + Reported-by: Anton Gerasimov + Signed-of-by: Laurent Bonnans + Fixes #2829 + Closes #2833 + +- http2: make sure to send after RST_STREAM + + If this is the last stream on this connection, the RST_STREAM might not + get pushed to the wire otherwise. + + Fixes #2882 + Closes #2887 + Researched-by: Michael Kaufmann + +- test1268: check the stderr output as "text" + + Follow-up to 099f37e9c57 + + Pointed-out-by: Marcel Raad + +- urldata: remove unused pipe_broke struct field + + This struct field is never set TRUE in any existing code path. This + change removes the field completely. + + Closes #2871 + +- curl: warn the user if a given file name looks like an option + + ... 
simply because this is usually a sign of the user having omitted the + file name and the next option is instead "eaten" by the parser as a file + name. + + Add test1268 to verify + + Closes #2885 + +- http2: check nghttp2_session_set_stream_user_data return code + + Might help bug #2688 debugging + + Closes #2880 + +- travis: revert back to gcc-7 for coverage builds + + ... since the gcc-8 ones seem to fail frequently. + + Follow-up from b85207199544ca + + Closes #2886 + +- RELEASE-NOTES: synced + + ... and now listed in alphabetical order! + +- [Adrien brought this change] + + CMake: CMake config files are defining CURL_STATICLIB for static builds + + This change allows to use the CMake config files generated by Curl's + CMake scripts for static builds of the library. + The symbol CURL_STATIC lib must be defined to compile downstream, + thus the config package is the perfect place to do so. + + Fixes #2817 + Closes #2823 + Reported-by: adnn on github + Reviewed-by: Sergei Nikulov + +- TODO: host name sections in config files + +Kamil Dudka (14 Aug 2018) +- ssh-libssh: fix infinite connect loop on invalid private key + + Added test 656 (based on test 604) to verify the fix. + + Bug: https://bugzilla.redhat.com/1595135 + + Closes #2879 + +- ssh-libssh: reduce excessive verbose output about pubkey auth + + The verbose message "Authentication using SSH public key file" was + printed each time the ssh_userauth_publickey_auto() was called, which + meant each time a packet was transferred over network because the API + operates in non-blocking mode. + + This patch makes sure that the verbose message is printed just once + (when the authentication state is entered by the SSH state machine). + +Daniel Stenberg (14 Aug 2018) +- travis: disable h2 torture tests for "coverage" + + Since they started to fail almost 100% since a few days. 
+ + Closes #2876 + +Marcel Raad (14 Aug 2018) +- travis: update to GCC 8 + + Closes https://github.com/curl/curl/pull/2869 + +Daniel Stenberg (13 Aug 2018) +- http: fix for tiny "HTTP/0.9" response + + Deal with tiny "HTTP/0.9" (header-less) responses by checking the + status-line early, even before a full "HTTP/" is received to allow + detecting 0.9 properly. + + Test 1266 and 1267 added to verify. + + Fixes #2420 + Closes #2872 + +Kamil Dudka (13 Aug 2018) +- docs: add disallow-username-in-url.d and haproxy-protocol.d on the list + + ... to make make the files appear in distribution tarballs + + Closes #2856 + +- .travis.yml: verify that man pages can be regenerated + + ... when curl is built from distribution tarball + + Closes #2856 + +Marcel Raad (11 Aug 2018) +- Split non-portable part off test 1133 + + Split off testing file names with double quotes into new test 1158. + Disable it for MSYS using a precheck as it doesn't support file names + with double quotes (but Cygwin does, for example). + + Fixes https://github.com/curl/curl/issues/2796 + Closes https://github.com/curl/curl/pull/2854 + +Jay Satiro (11 Aug 2018) +- projects: Improve Windows perl detection in batch scripts + + - Determine if perl is in the user's PATH by running perl.exe. + + Prior to this change detection was done by checking the PATH for perl/ + but that did not work in all cases (eg git install includes perl but + not in perl/ path). 
+ + Bug: https://github.com/curl/curl/pull/2865 + Reported-by: Daniel Jeliński + +- [Michael Kaufmann brought this change] + + docs: Improve the manual pages of some callbacks + + - CURLOPT_HEADERFUNCTION: add newlines + - CURLOPT_INTERLEAVEFUNCTION: fix the description of 'userdata' + - CURLOPT_READDATA: mention crashes, same as in CURLOPT_WRITEDATA + - CURLOPT_READFUNCTION: rename 'instream' to 'userdata' and explain + how to set it + + Closes https://github.com/curl/curl/pull/2868 + +Marcel Raad (11 Aug 2018) +- GCC: silence -Wcast-function-type uniformly + + Pointed-out-by: Rikard Falkeborn + Closes https://github.com/curl/curl/pull/2860 + +- Silence GCC 8 cast-function-type warnings + + On Windows, casting between unrelated function types is fine and + sometimes even necessary, so just use an intermediate cast to + (void (*) (void)) to silence the warning as described in [0]. + + [0] https://gcc.gnu.org/onlinedocs/gcc-8.1.0/gcc/Warning-Options.html + + Closes https://github.com/curl/curl/pull/2860 + +Daniel Stenberg (11 Aug 2018) +- CURLINFO_SIZE_UPLOAD: fix missing counter update + + Adds test 1522 for verification. + + Reported-by: cjmsoregan + Fixes #2847 + Closes #2864 + +- [Daniel Jelinski brought this change] + + Documentation: fix CURLOPT_SSH_COMPRESSION copy/paste bug + + Closes #2867 + +- RELEASE-NOTES: synced + +- openssl: fix potential NULL pointer deref in is_pkcs11_uri + + Follow-up to 298d2565e + Coverity CID 1438387 + +Marcel Raad (10 Aug 2018) +- travis: execute "set -eo pipefail" for coverage build + + Follow-up to 2de63ab179eb78630ee039ad94fb2a5423df522d and + 0b87c963252d3504552ee0c8cf4402bd65a80af5. 
+ + Closes https://github.com/curl/curl/pull/2862 + +Daniel Stenberg (10 Aug 2018) +- lib1502: fix memory leak in torture test + + Reported-by: Marcel Raad + Fixes #2861 + Closes #2863 + +- docs: mention NULL is fine input to several functions + + Fixes #2837 + Closes #2858 + Reported-by: Markus Elfring + +- [Bas van Schaik brought this change] + + README.md: add LGTM.com code quality grade for C/C++ + + Closes #2857 + +- [Rikard Falkeborn brought this change] + + test1531: Add timeout + + Previously, the macro TEST_HANG_TIMEOUT was unused, but since there is + looping going on, we might as well add timing instead of removing it. + + Closes #2853 + +- [Rikard Falkeborn brought this change] + + test1540: Remove unused macro TEST_HANG_TIMEOUT + + The macro has never been used, and it there is not really any place + where it would make sense to add timing checks. + + Closes #2852 + +- [Rikard Falkeborn brought this change] + + asyn-thread: Remove unused macro + + The macro seems to never have been used. + + Closes #2852 + +- [Rikard Falkeborn brought this change] + + http_proxy: Remove unused macro SELECT_TIMEOUT + + Usage was removed in 5113ad0424044458ac497fa1458ebe0101356b22. + + Closes #2852 + +- [Rikard Falkeborn brought this change] + + formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT + + Its usage was removed in + 84ad1fd3047815f9c6e78728bb351b828eac10b1. + + Closes #2852 + +- [Rikard Falkeborn brought this change] + + telnet: Remove unused macros TELOPTS and TELCMDS + + Their usage was removed in 3a145180cc754a5959ca971ef3cd243c5c83fc51. + + Closes #2852 + +- [Daniel Jelinski brought this change] + + openssl: fix debug messages + + Fixes #2806 + Closes #2843 + +- configure: fix for -lpthread detection with OpenSSL and pkg-config + + ... by making sure it uses the -I provided by pkg-config! 
+ + Reported-by: pszemus on github + Fixes #2848 + Closes #2850 + +- RELEASE-NOTES: synced + +- windows: follow up to the buffer-tuning 1ba1dba7 + + Somehow I didn't include the amended version of the previous fix. This + is the missing piece. + + Pointed-out-by: Viktor Szakats + +- [Daniel Jelinski brought this change] + + windows: implement send buffer tuning + + Significantly enhances upload performance on modern Windows versions. + + Bug: https://curl.haxx.se/mail/lib-2018-07/0080.html + Closes #2762 + Fixes #2224 + +- [Anderson Toshiyuki Sasaki brought this change] + + ssl: set engine implicitly when a PKCS#11 URI is provided + + This allows the use of PKCS#11 URI for certificates and keys without + setting the corresponding type as "ENG" and the engine as "pkcs11" + explicitly. If a PKCS#11 URI is provided for certificate, key, + proxy_certificate or proxy_key, the corresponding type is set as "ENG" + if not provided and the engine is set to "pkcs11" if not provided. + + Acked-by: Nikos Mavrogiannopoulos + Closes #2333 + +- [Ruslan Baratov brought this change] + + CMake: Respect BUILD_SHARED_LIBS + + Use standard CMake variable BUILD_SHARED_LIBS instead of introducing + custom option CURL_STATICLIB. + + Use '-DBUILD_SHARED_LIBS=%SHARED%' in appveyor.yml. + + Reviewed-by: Sergei Nikulov + Closes #2755 + +- [John Butterfield brought this change] + + cmake: bumped minimum version to 3.4 + + Closes #2753 + +- [John Butterfield brought this change] + + cmake: link curl to the OpenSSL targets instead of lib absolute paths + + Reviewed-by: Jakub Zakrzewski + Reviewed-by: Sergei Nikulov + Closes #2753 + +- travis: build darwinssl on macos 10.12 + + ... as building on 10.13.x before 10.13.4 leads to link errors. + + Assisted-by: Nick Zitzmann + Fixes #2835 + Closes #2845 + +- DEPRECATE: remove release date from 7.62.0 + + Since it will slip and the version is the important part there, not the + date. 
+ +- lib/Makefile: only do symbol hiding if told to + + This restores the ability to build a static lib with + --disable-symbol-hiding to keep non-curl_ symbols. + + Researched-by: Dan Fandrich + Reported-by: Ran Mozes + Fixes #2830 + Closes #2831 + +Marcel Raad (2 Aug 2018) +- hostip: fix unused variable warning + + addresses is only used in an infof call, which is a macro expanding to + nothing if CURL_DISABLE_VERBOSE_STRINGS is set. + +Daniel Stenberg (2 Aug 2018) +- test1307: disabled + + Turns out that since we're using the native fnmatch function now when + available, and they simply disagree on a huge number of test patterns + that make it hard to test this function like this... + + Fixes #2825 + +- smb: don't mark it done in smb_do + + Follow-up to 09e401e01bf9. The SMB protocol handler needs to use its + doing function too, which requires smb_do() to not mark itself as + done... + + Closes #2822 + +- [Rikard Falkeborn brought this change] + + general: fix printf specifiers + + Closes #2818 + +- RELEASE-NOTES: synced + +- mailmap: Daniel Jelinski + +- [Harry Sintonen brought this change] + + HTTP: Don't attempt to needlessly decompress redirect body + + This change fixes a regression where redirect body would needlessly be + decompressed even though it was to be ignored anyway. As it happens this + causes secondary issues since there appears to be a bug in apache2 that + it in certain conditions generates a corrupt zlib response. 
The + regression was created by commit: + dbcced8e32b50c068ac297106f0502ee200a1ebd + + Discovered-by: Harry Sintonen + Closes #2798 + +- curl: use Content-Disposition before the "URL end" for -OJ + + Regression introduced in 7.61.0 + + Reported-by: Thomas Klausner + Fixes #2783 + Closes #2813 + +- [Daniel Jelinski brought this change] + + retry: return error if rewind was necessary but didn't happen + + Fixes #2801 + Closes #2812 + +- http2: clear the drain counter in Curl_http2_done + + Reported-by: Andrei Virtosu + Fixes #2800 + Closes #2809 + +- smb: fix memory leak on early failure + + ... by making sure connection related data (->share) is stored in the + connection and not in the easy handle. + + Detected by OSS-fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369 + Fixes #2769 + Closes #2810 + +- travis: run a 'make checksrc' too + + ... to make sure the examples are all checked. + + Closes #2811 + +Jay Satiro (29 Jul 2018) +- examples/ephiperfifo: checksrc compliance + +- [Michael Kaufmann brought this change] + + sws: handle EINTR when calling select() + + Closes https://github.com/curl/curl/pull/2808 + +Daniel Stenberg (29 Jul 2018) +- test1157: follow-up to 35ecffb9 + + Ignore the user-agent line. + Pointed-out-by: Marcel Raad + +Michael Kaufmann (29 Jul 2018) +- tests/http_pipe.py: Use /usr/bin/env to find python + +Daniel Stenberg (28 Jul 2018) +- TODO: Support Authority Information Access certificate extension (AIA) + + Closes #2793 + +- conn_free: updated comment to clarify + + Let's call it disassociate instead of disconnect since the latter term + is used so much for (TCP) connections already. + +- test1157: test -H from empty file + + Verifies bugfix #2797 + +- [Tobias Blomberg brought this change] + + curl: Fix segfault when -H @headerfile is empty + + The curl binary would crash if the -H command line option was given a + filename to read using the @filename syntax but that file was empty. 
+ + Closes #2797 + +- mime: check Curl_rand_hex's return code + + Bug: https://curl.haxx.se/mail/archive-2018-07/0015.html + Reported-by: Jeffrey Walton + Closes #2795 + +- [Josh Bialkowski brought this change] + + docs/examples: add hiperfifo example using linux epoll/timerfd + + Closes #2804 + +- [Darío Hereñú brought this change] + + docs/INSTALL.md: minor formatting fixes + + Closes #2794 + +- [Christopher Head brought this change] + + docs/CURLOPT_URL: fix indentation + + The statement, “The application does not have to keep the string around + after setting this option,” appears to be indented under the RTMP + paragraph. It actually applies to all protocols, not just RTMP. + Eliminate the extra indentation. + + Closes #2788 + +- [Christopher Head brought this change] + + docs/CURLOPT_WRITEFUNCTION: size is always 1 + + For compatibility with `fwrite`, the `CURLOPT_WRITEFUNCTION` callback is + passed two `size_t` parameters which, when multiplied, designate the + number of bytes of data passed in. In practice, CURL always sets the + first parameter (`size`) to 1. + + This practice is also enshrined in documentation and cannot be changed + in future. The documentation states that the default callback is + `fwrite`, which means `fwrite` must be a suitable function for this + purpose. However, the documentation also states that the callback must + return the number of *bytes* it successfully handled, whereas ISO C + `fwrite` returns the number of items (each of size `size`) which it + wrote. The only way these numbers can be equal is if `size` is 1. + + Since `size` is 1 and can never be changed in future anyway, document + that fact explicitly and let users rely on it. + + Closes #2787 + +- [Carie Pointer brought this change] + + wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random + + RNG structure must be freed by call to FreeRng after its use in + Curl_cyassl_random. This call fixes Valgrind failures when running the + test suite with wolfSSL. 
+ + Closes #2784 + +- [Even Rouault brought this change] + + reuse_conn(): free old_conn->options + + This fixes a memory leak when CURLOPT_LOGIN_OPTIONS is used, together with + connection reuse. + + I found this with oss-fuzz on GDAL and curl master: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9582 + I couldn't reproduce with the oss-fuzz original test case, but looking + at curl source code pointed to this well reproducable leak. + + Closes #2790 + +Marcel Raad (25 Jul 2018) +- [Daniel Jelinski brought this change] + + system_win32: fix version checking + + In the current version, VERSION_GREATER_THAN_EQUAL 6.3 will return false + when run on windows 10.0. This patch addresses that error. + + Closes https://github.com/curl/curl/pull/2792 + +Daniel Stenberg (24 Jul 2018) +- [Johannes Schindelin brought this change] + + auth: pick Bearer authentication whenever a token is available + + So far, the code tries to pick an authentication method only if + user/password credentials are available, which is not the case for + Bearer authentictation... + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + Closes #2754 + +- [Johannes Schindelin brought this change] + + auth: only ever pick CURLAUTH_BEARER if we *have* a Bearer token + + The Bearer authentication was added to cURL 7.61.0, but there is a + problem: if CURLAUTH_ANY is selected, and the server supports multiple + authentication methods including the Bearer method, we strongly prefer + that latter method (only CURLAUTH_NEGOTIATE beats it), and if the Bearer + authentication fails, we will never even try to attempt any other + method. + + This is particularly unfortunate when we already know that we do not + have any Bearer token to work with. + + Such a scenario happens e.g. when using Git to push to Visual Studio + Team Services (which supports Basic and Bearer authentication among + other methods) and specifying the Personal Access Token directly in the + URL (this aproach is frequently taken by automated builds). + + Let's make sure that we have a Bearer token to work with before we + select the Bearer authentication among the available authentication + methods. + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + Closes #2754 + +Marcel Raad (22 Jul 2018) +- test320: treat curl320.out file as binary + + Otherwise, LF line endings are converted to CRLF on Windows, + but no conversion is done for the reply, so the test case fails. + + Closes https://github.com/curl/curl/pull/2776 + +Daniel Stenberg (22 Jul 2018) +- vtls: set conn->data when closing TLS + + Follow-up to 1b76c38904f0. The VTLS backends that close down the TLS + layer for a connection still needs a Curl_easy handle for the session_id + cache etc. + + Fixes #2764 + Closes #2771 + +Marcel Raad (21 Jul 2018) +- tests: fixes for Windows line endlings + + Set mode="text" when line endings depend on the system representation. + + Closes https://github.com/curl/curl/pull/2772 + +- test214: disable MSYS2's POSIX path conversion for URL + + By default, the MSYS2 bash converts all backslashes to forward slashes + in URLs. Disable this with MSYS2_ARG_CONV_EXCL for the test to pass. + + Ref https://github.com/msys2/msys2/wiki/Porting#filesystem-namespaces + +Daniel Stenberg (20 Jul 2018) +- http2: several cleanups + + - separate easy handle from connections better + - added asserts on a number of places + - added sanity check of pipelines for debug builds + + Closes #2751 + +- smb_getsock: always wait for write socket too + + ... the protocol is doing read/write a lot, so it needs to write often + even when downloading. A more proper fix could check for eactly when it + wants to write and only ask for it then. + + Without this fix, an SMB download could easily get stuck when the event-driven + API was used. + + Closes #2768 + +Marcel Raad (20 Jul 2018) +- test1143: disable MSYS2's POSIX path conversion + + By default, the MSYS2 bash interprets http:/%HOSTIP:%HTTPPORT/want/1143 + as a POSIX file list and converts it to a Windows file list. + Disable this with MSYS2_ARG_CONV_EXCL for the test to pass. 
+ + Ref https://github.com/msys2/msys2/wiki/Porting#filesystem-namespaces + Closes https://github.com/curl/curl/pull/2765 + +Daniel Stenberg (18 Jul 2018) +- RELEASE-NOTES: sync + + ... and work toward 7.61.1 + +- [Ruslan Baratov brought this change] + + CMake: Update scripts to use consistent style + + Closes #2727 + Reviewed-by: Sergei Nikulov + +- header output: switch off all styles, not just unbold + + ... the "unbold" sequence doesn't work on the mac Terminal. + + Reported-by: Zero King + Fixes #2736 + Closes #2738 + +Nick Zitzmann (14 Jul 2018) +- [Rodger Combs brought this change] + + darwinssl: add support for ALPN negotiation + +Marcel Raad (14 Jul 2018) +- test1422: add required file feature + + curl configured with --enable-debug --disable-file currently complains + on test1422: + Info: Protocol "file" not supported or disabled in libcurl + + Make test1422 dependend on enabled FILE protocol to fix this. + + Fixes https://github.com/curl/curl/issues/2741 + Closes https://github.com/curl/curl/pull/2742 + +Patrick Monnerat (12 Jul 2018) +- content_encoding: accept up to 4 unknown trailer bytes after raw deflate data + + Some servers issue raw deflate data that may be followed by an undocumented + trailer. This commit makes curl tolerate such a trailer of up to 4 bytes + before considering the data is in error. 
+ + Reported-by: clbr on github + Fixes #2719 + +Daniel Stenberg (12 Jul 2018) +- smb: fix memory-leak in URL parse error path + + Detected by OSS-Fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369 + Closes #2740 + +Marcel Raad (12 Jul 2018) +- schannel: enable CALG_TLS1PRF for w32api >= 5.1 + + The definition of CALG_TLS1PRF has been fixed in the 5.1 branch: + https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/commits/73aedcc0f2e6ba370de0d86ab878ad76a0dda7b5 + +Daniel Stenberg (12 Jul 2018) +- docs/SECURITY-PROCESS: mention bounty, drop pre-notify + + + The hackerone bounty and its process + + - We don't and can't handle pre-notification + +- multi: always do the COMPLETED procedure/state + + It was previously erroneously skipped in some situations. + + libtest/libntlmconnect.c wrongly depended on wrong behavior (that it + would get a zero timeout) when no handles are "running" in a multi + handle. That behavior is no longer present with this fix. Now libcurl + will always return a -1 timeout when all handles are completed. + + Closes #2733 + +- Curl_getoff_all_pipelines: improved for multiplexed + + On multiplexed connections, transfers can be removed from anywhere not + just at the head as for pipelines. + +- ares: check for NULL in completed-callback + +- conn: remove the boolean 'inuse' field + + ... as the usage needs to be counted. + +- [Paul Howarth brought this change] + + openssl: assume engine support in 1.0.0 or later + + Commit 38203f1585da changed engine detection to be version-based, + with a baseline of openssl 1.0.1. This does in fact break builds + with openssl 1.0.0, which has engine support - the configure script + detects that ENGINE_cleanup() is available - but <openssl/engine.h> + doesn't get included to declare it. 
+ + According to upstream documentation, engine support was added to + mainstream openssl builds as of version 0.9.7: + https://github.com/openssl/openssl/blob/master/README.ENGINE + + This commit drops the version test down to 1.0.0 as version 1.0.0d + is the oldest version I have to test with. + + Closes #2732 + +Marcel Raad (11 Jul 2018) +- schannel: fix MinGW compile break + + Original MinGW's w32api has a sytax error in its definition of + CALG_TLS1PRF [0]. Don't use original MinGW w32api's CALG_TLS1PRF + until this bug [1] is fixed. + + [0] https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/blobs/d1d4a17e51a2b78e252ef0147d483267d56c90cc/w32api/include/wincrypt.h + [1] https://osdn.net/projects/mingw/ticket/38391 + + Fixes https://github.com/curl/curl/pull/2721#issuecomment-403636043 + Closes https://github.com/curl/curl/pull/2728 + +Daniel Stenberg (11 Jul 2018) +- examples/crawler.c: move #ifdef to column 0 + + Apparently the C => HTML converter on the web site doesn't quite like it + otherwise. + + Reported-by: Jeroen Ooms + +Version 7.61.0 (11 Jul 2018) + +Daniel Stenberg (11 Jul 2018) +- release: 7.61.0 + +- TODO: Configurable loading of OpenSSL configuration file + + Closes #2724 + +- post303.d: clarify that this is an RFC violation + + ... and not the other way around, which this previously said. + + Reported-by: Vasiliy Faronov + Fixes #2723 + Closes #2726 + +- [Ruslan Baratov brought this change] + + CMake: remove redundant and old end-of-block syntax + + Reviewed-by: Jakub Zakrzewski + Closes #2715 + +Jay Satiro (9 Jul 2018) +- lib/curl_setup.h: remove unicode character + + Follow-up to 82ce416. 
+ + Ref: https://github.com/curl/curl/commit/8272ec5#commitcomment-29646818 + +Daniel Stenberg (9 Jul 2018) +- lib/curl_setup.h: remove unicode bom from 8272ec50f02 + +Marcel Raad (9 Jul 2018) +- schannel: fix -Wsign-compare warning + + MinGW warns: + /lib/vtls/schannel.c:219:64: warning: signed and unsigned type in + conditional expression [-Wsign-compare] + + Fix this by casting the ptrdiff_t to size_t as we know it's positive. + + Closes https://github.com/curl/curl/pull/2721 + +- schannel: workaround for wrong function signature in w32api + + Original MinGW's w32api has CryptHashData's second parameter as BYTE * + instead of const BYTE *. + + Closes https://github.com/curl/curl/pull/2721 + +- schannel: make more cipher options conditional + + They are not defined in the original MinGW's <wincrypt.h>. + + Closes https://github.com/curl/curl/pull/2721 + +- curl_setup: include <winerror.h> before <windows.h> + + Otherwise, only part of it gets pulled in through <windows.h> on + original MinGW. + + Fixes https://github.com/curl/curl/issues/2361 + Closes https://github.com/curl/curl/pull/2721 + +- examples: fix -Wformat warnings + + When size_t is not a typedef for unsigned long (as usually the case on + Windows), GCC emits -Wformat warnings when using lu and lx format + specifiers with size_t. Silence them with explicit casts to + unsigned long. + + Closes https://github.com/curl/curl/pull/2721 + +Daniel Stenberg (9 Jul 2018) +- smtp: use the upload buffer size for scratch buffer malloc + + ... not the read buffer size, as that can be set smaller and thus cause + a buffer overflow! 
CVE-2018-0500 + + Reported-by: Peter Wu + Bug: https://curl.haxx.se/docs/adv_2018-70a2.html + +- [Dave Reisner brought this change] + + scripts: include _curl as part of CLEANFILES + + Closes #2718 + +- [Nick Zitzmann brought this change] + + darwinssl: allow High Sierra users to build the code using GCC + + ...but GCC users lose out on TLS 1.3 support, since we can't weak-link + enumeration constants. + + Fixes #2656 + Closes #2703 + +- [Ruslan Baratov brought this change] + + CMake: Remove unused 'output_var' from 'collect_true' + + Variable 'output_var' is not used and can be removed. + Function 'collect_true' renamed to 'count_true'. + +- [Ruslan Baratov brought this change] + + CMake: Remove unused functions + + Closes #2711 + +- KNOWN_BUGS: Stick to same family over SOCKS proxy + +- libssh: goto DISCONNECT state on error, not SSH_SESSION_FREE + + ... because otherwise not everything get closed down correctly. + + Fixes #2708 + Closes #2712 + +- libssh: include line number in state change debug messages + + Closes #2713 + +- KNOWN_BUGS: Borland support is dropped, AIX problem is too old + +- [Jeroen Ooms brought this change] + + example/crawler.c: simple crawler based on libxml2 + + Closes #2706 + +- RELEASE-NOTES: synced + +- DEPRECATE: include year when specifying date + +- DEPRECATE: linkified + +- DEPRECATE: mention the PR that disabled axTLS + +- docs/DEPRECATE.md: spelling and minor formatting + +- DEPRECATE: new doc describing planned item removals + + Closes #2704 + +- [Gisle Vanem brought this change] + + telnet: fix clang warnings + + telnet.c(1401,28): warning: cast from function call of type 'int' to + non-matching type 'HANDLE' (aka 'void *') [-Wbad-function-cast] + + Fixes #2696 + Closes #2700 + +- docs: fix missed option name markups + +- [Gaurav Malhotra brought this change] + + openssl: Remove some dead code + + Closes #2698 + +- openssl: make the requested TLS version the *minimum* wanted + + The code treated the set version as the *exact* 
version to require in + the TLS handshake, which is not what other TLS backends do and probably + not what most people expect either. + + Reported-by: Andreas Olsson + Assisted-by: Gaurav Malhotra + Fixes #2691 + Closes #2694 + +- RELEASE-NOTES: synced + +- openssl: allow TLS 1.3 by default + + Reported-by: Andreas Olsson + Fixes #2692 + Closes #2693 + +- [Adrian Peniak brought this change] + + CURLINFO_TLS_SSL_PTR.3: improve the example + + The previous example was a little bit confusing, because SSL* structure + (or other "in use" SSL connection pointer) is not accessible after the + transfer is completed, therefore working with the raw TLS library + specific pointer needs to be done during transfer. + + Closes #2690 + +- travis: add a build using the synchronous name resolver + + ... since default uses the threaded one and we test the c-ares build + already. + + Closes #2689 + +- configure: remove CURL_CHECK_NI_WITHSCOPEID too + + Since it isn't used either and requires the getnameinfo check + + Follow-up to 0aeca41702d2 + +- getnameinfo: not used + + Closes #2687 + +- easy_perform: use *multi_timeout() to get wait times + + ... and trim the threaded Curl_resolver_getsock() to return zero + millisecond wait times during the first three milliseconds so that + localhost or names in the OS resolver cache gets detected and used + faster. + + Closes #2685 + +Max Dymond (27 Jun 2018) +- configure: Add dependent libraries after crypto + + The linker is pretty dumb and processes things left to right, keeping a + tally of symbols it hasn't resolved yet. So, we need -ldl to appear + after -lcrypto otherwise the linker won't find the dl functions. + + Closes #2684 + +Daniel Stenberg (27 Jun 2018) +- GOVERNANCE: linkify, changed some titles + +- GOVERNANCE: add maintainer details/duties + +- url: check Curl_conncache_add_conn return code + + ... it was previously unchecked in two places and thus errors could + remain undetected and cause trouble. 
+ + Closes #2681 + +- include/README: remove "hacking" advice, not the right place + +- RELEASE-NOTES: synced + +- CURLOPT_SSL_VERIFYPEER.3: fix syntax mistake + + Follow-up to b6a16afa0aa5 + +- netrc: use a larger buffer + + ... to work with longer passwords etc. Grow it from a 256 to a 4096 + bytes buffer. + + Reported-by: Dario Nieuwenhuis + Fixes #2676 + Closes #2680 + +- [Patrick Schlangen brought this change] + + CURLOPT_SSL_VERIFYPEER.3: Add performance note + + Closes #2673 + +- [Javier Blazquez brought this change] + + multi: fix crash due to dangling entry in connect-pending list + + Fixes #2677 + Closes #2679 + +- ConnectionExists: make sure conn->data is set when "taking" a connection + + Follow-up to 2c15693. + + Bug #2674 + Closes #2675 + +- [Kevin R. Bulgrien brought this change] + + system.h: fix for gcc on 32 bit OpenServer + + Bug: https://curl.haxx.se/mail/lib-2018-06/0100.html + +- [Raphael Gozzo brought this change] + + cmake: allow multiple SSL backends + + This will make possible to select the SSL backend (using + curl_global_sslset()) even when the libcurl is built using CMake + + Closes #2665 + +- url: fix dangling conn->data pointer + + By masking sure to use the *current* easy handle with extracted + connections from the cache, and make sure to NULLify the ->data pointer + when the connection is put into the cache to make this mistake easier to + detect in the future. + + Reported-by: Will Dietz + Fixes #2669 + Closes #2672 + +- CURLOPT_INTERFACE.3: interface names not supported on Windows + +- travis: run more tests for coverage check + + ... run a few more tortured based and run all tests event-based. + + Closes #2664 + +- multi: fix memory leak when stopped during name resolve + + When the application just started the transfer and then stops it while + the name resolve in the background thread hasn't completed, we need to + wait for the resolve to complete and then cleanup data accordingly. 
+ + Enabled test 1553 again and added test 1590 to also check when the host + name resolves successfully. + + Detected by OSS-fuzz. + Closes #1968 + +Viktor Szakats (15 Jun 2018) +- maketgz: delete .bak files, fix indentation + + Ref: https://github.com/curl/curl/pull/2660 + + Closes https://github.com/curl/curl/pull/2662 + +Daniel Stenberg (15 Jun 2018) +- runtests.pl: remove debug leftover from bb9a340c73f3 + +- curl-confopts.m4: fix typo from ed224f23d5beb + + Fixes my local configure to detect a custom installed c-ares without + pkgconfig. + +- docs/RELEASE-PROCEDURE.md: renamed to use .md extension + + Closes #2663 + +- RELEASE-PROCEDURE: gpg sign the tags + +- RELEASE-NOTES: synced + +- CURLOPT_HTTPAUTH.3: CURLAUTH_BEARER was added in 7.61.0 + +- [Mamta Upadhyay brought this change] + + maketgz: fix sed issues on OSX + + maketgz creates release tarballs and removes the -DEV string in curl + version (e.g. 7.58.0-DEV), else -DEV shows up on command line when curl + is run. maketgz works fine on linux but fails on OSX. Problem is with + the sed commands that use option -i without an extension. Maketgz + expects GNU sed instead of BSD and this simply won't work on OSX. Adding + a backup extension .bak after -i fixes this issue + + Running the script as if on OSX gives this error: + + sed: -e: No such file or directory + + Adding a .bak extension resolves it + + Closes #2660 + +- configure: enhance ability to detect/build with static openssl + + Fix the -ldl and -ldl + -lpthread checks for OpenSSL, necessary for + building with static libs without pkg-config. + + Reported-by: Marcel Raad + Fixes #2199 + Closes #2659 + +- configure: use pkg-config for c-ares detection + + First check if there's c-ares information given as pkg-config info and use + that as first preference. 
+ + Reported-by: pszemus on github + Fixes #2203 + Closes #2658 + +- GOVERNANCE.md: explains how this project is run + + Closes #2657 + +- KNOWN_BUGS: NTLM doen't support password with § character + + Closes #2120 + +- KNOWN_BUGS: slow connect to localhost on Windows + + Closes #2281 + +- [Matteo Bignotti brought this change] + + mk-ca-bundle.pl: make -u delete certdata.txt if found not changed + + certdata.txt should be deleted also when the process is interrupted by + "same certificate downloaded, exiting" + + The certdata.txt is currently kept on disk even if you give the -u + option + + Closes #2655 + +- progress: remove a set of unused defines + + Reported-by: Peter Wu + Closes #2654 + +- TODO: "Option to refuse usernames in URLs" done + + Implemented by Björn in 946ce5b61f + +- [Lyman Epp brought this change] + + Curl_init_do: handle NULL connection pointer passed in + + Closes #2653 + +- runtests: support variables in <strippart> + + ... and make use of that to make 1455 work better without using a fixed + local port number. + + Fixes #2649 + Closes #2650 + +- Curl_debug: remove dead printhost code + + The struct field is never set (since 5e0d9aea3) so remove the use of it + and remove the connectdata pointer from the prototype. 
+ + Reported-by: Tejas + Bug: https://curl.haxx.se/mail/lib-2018-06/0054.html + Closes #2647 + +Viktor Szakats (12 Jun 2018) +- schannel: avoid incompatible pointer warning + + with clang-6.0: + ``` + vtls/schannel_verify.c: In function 'add_certs_to_store': + vtls/schannel_verify.c:212:30: warning: passing argument 11 of 'CryptQueryObject' from incompatible pointer type [-Wincompatible-pointer-types] + &cert_context)) { + ^ + In file included from /usr/share/mingw-w64/include/schannel.h:10:0, + from /usr/share/mingw-w64/include/schnlsp.h:9, + from vtls/schannel.h:29, + from vtls/schannel_verify.c:40: + /usr/share/mingw-w64/include/wincrypt.h:4437:26: note: expected 'const void **' but argument is of type 'CERT_CONTEXT ** {aka struct _CERT_CONTEXT **}' + WINIMPM WINBOOL WINAPI CryptQueryObject (DWORD dwObjectType, const void *pvObject, DWORD dwExpectedContentTypeFlags, DWORD dwExpectedFormatTypeFlags, DWORD dwFlags, + ^~~~~~~~~~~~~~~~ + ``` + Ref: https://msdn.microsoft.com/library/windows/desktop/aa380264 + + Closes https://github.com/curl/curl/pull/2648 + +Daniel Stenberg (12 Jun 2018) +- [Robert Prag brought this change] + + schannel: support selecting ciphers + + Given the contstraints of SChannel, I'm exposing these as the algorithms + themselves instead; while replicating the ciphersuite as specified by + OpenSSL would have been preferable, I found no way in the SChannel API + to do so. + + To use this from the commandline, you need to pass the names of contants + defining the desired algorithms. For example, curl --ciphers + "CALG_SHA1:CALG_RSA_SIGN:CALG_RSA_KEYX:CALG_AES_128:CALG_DH_EPHEM" + https://github.com The specific names come from wincrypt.h + + Closes #2630 + +- [Bernhard M. 
Wiedemann brought this change] + + test 46: make test pass after 2025 + + shifting the expiry date to 2037 for now + to be before the possibly problematic year 2038 + + similar in spirit to commit e6293cf8764e9eecb + + Closes #2646 + +- [Marian Klymov brought this change] + + cppcheck: fix warnings + + - Get rid of variable that was generating false positive warning + (unitialized) + + - Fix issues in tests + + - Reduce scope of several variables all over + + etc + + Closes #2631 + +- openssl: assume engine support in 1.0.1 or later + + Previously it was checked for in configure/cmake, but that would then + leave other build systems built without engine support. + + While engine support probably existed prior to 1.0.1, I decided to play + safe. If someone experience a problem with this, we can widen the + version check. + + Fixes #2641 + Closes #2644 + +- RELEASE-NOTES: synced + +- RELEASE-PROCEDURE: update the release calendar for 2019 + +- [Gisle Vanem brought this change] + + boringssl + schannel: undef X509_NAME in lib/schannel.h + + Fixes the build problem when both boringssl and schannel are enabled. + + Fixes #2634 + Closes #2643 + +- [Vladimir Kotal brought this change] + + mk-ca-bundle.pl: leave certificate name untouched in decode() + + Closes #2640 + +- [Rikard Falkeborn brought this change] + + tests/libtests/Makefile.am: Add lib1521.c to CLEANFILES + + This removes the generated lib1521.c when running make clean. + + Closes #2633 + +- [Rikard Falkeborn brought this change] + + tests/libtest: Add lib1521 to nodist_SOURCES + + Since 467da3af0, lib1521.c is generated instead of checked in. According + to the commit message, the intention was to remove it from the tarball + as well. However, it is still present when running make dist. To remove + it, add it to nodist_lib1521_SOURCES. This also means there is no need + for the manually added dist-rule in the Makefile. + + Also update CMakelists.txt to handle the fact that we now may have + nodist_SOURCES. 
+ +- [Stephan Mühlstrasser brought this change] + + system.h: add support for IBM xlc C compiler + + Added a section to system.h guarded with __xlc__ for the IBM xml C + compiler. Before this change the section titled 'generic "safe guess" on + old 32 bit style' was used, which resulted in a wrong definition of + CURL_TYPEOF_CURL_SOCKLEN_T, and for 64-bit also CURL_TYPEOF_CURL_OFF_T + was wrong. + + Compilation warnings fixed with this change: + + CC libcurl_la-ftp.lo + "ftp.c", line 290.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "ftp.c", line 293.48: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "ftp.c", line 1070.49: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "ftp.c", line 1154.53: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "ftp.c", line 1187.51: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + CC libcurl_la-connect.lo + "connect.c", line 448.56: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "connect.c", line 516.66: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "connect.c", line 687.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "connect.c", line 696.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + CC libcurl_la-tftp.lo + "tftp.c", line 1115.33: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. 
+ + Closes #2637 + +- cmdline-opts/cert-type.d: mention "p12" as a recognized type as well + +Viktor Szakats (3 Jun 2018) +- spelling fixes + + Detected using the `codespell` tool (version 1.13.0). + + Also secure and fix an URL. + +Daniel Stenberg (2 Jun 2018) +- axtls: follow-up spell fix of comment + +- axTLS: not considered fit for use + + URL: https://curl.haxx.se/mail/lib-2018-06/0000.html + + This is step one. It adds #error statements that require source edits to + make curl build again if asked to use axTLS. At a later stage we might + remove the axTLS specific code completely. + + Closes #2628 + +- build: remove the Borland specific makefiles + + According to the user survey 2018, not even one out of 670 users use + them. Nobody on the mailing list spoke up for them either. + + Closes #2629 + +- curl_addrinfo: use same #ifdef conditions in source as header + + ... for curl_dofreeaddrinfo + +- multi: remove a DEBUGF() + + ... it might call infof() with a NULL first argument that isn't harmful + but makes it not do anything. The infof() line is not very useful + anymore, it has served it purpose. Good riddance! + + Fixes #2627 + +- [Alibek.Jorajev brought this change] + + CURLOPT_RESOLVE: always purge old entry first + + If there's an existing entry using the selected name. + + Closes #2622 + +- fnmatch: use the system one if available + + If configure detects fnmatch to be available, use that instead of our + custom one for FTP wildcard pattern matching. For standard compliance, + to reduce our footprint and to use already well tested and well + exercised code. + + A POSIX fnmatch behaves slightly different than the internal function + for a few test patterns currently and the macOS one yet slightly + different. Test case 1307 is adjusted for these differences. 
+ + Closes #2626 + +Patrick Monnerat (31 May 2018) +- os400: add new option in ILE/RPG binding + + Follow-up to commit 946ce5b + +Daniel Stenberg (31 May 2018) +- tests/libtest/.gitignore: follow-up fix to ignore lib5* too + +- KNOWN_BUGS: CURL_GLOBAL_SSL + + Closes #2276 + +- [Bernhard Walle brought this change] + + configure: check for declaration of getpwuid_r + + On our x86 Android toolchain, getpwuid_r is implemented but the header + is missing: + + netrc.c:81:7: error: implicit declaration of function 'getpwuid_r' [-Werror=implicit-function-declaration] + + Unfortunately, the function is used in curl_ntlm_wb.c, too, so I moved + the prototype to curl_setup.h. + + 
Signed-off-by: Bernhard Walle <bernhard@bwalle.de> + Closes #2609 + +- [Rikard Falkeborn brought this change] + + tests: update .gitignore for libtests + + Closes #2624 + +- [Rikard Falkeborn brought this change] + + strictness: correct {infof, failf} format specifiers + + Closes #2623 + +- [Björn Stenberg brought this change] + + option: disallow username in URL + + Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes + libcurl reject URLs with a username in them. + + Closes #2340 + +- libcurl-security.3: improved layout for two rememdy lists + +- libcurl-security.3: refer to URL instead of in-source markdown file + +Viktor Szakats (30 May 2018) +- curl.rc: embed manifest for correct Windows version detection + + * enable it in `src/Makefile.m32` + * enable it in `winbuild/MakefileBuild.vc` if a custom manifest is + _not_ enabled via the existing `EMBED_MANIFEST` option + * enable it for all Windows CMake builds (also disable the built-in + minimal manifest, added by CMake by default.) + + For other build systems, add the `-DCURL_EMBED_MANIFEST` option to + the list of RC (Resource Compiler) flags to enable the manifest + included in `src/curl.rc`. This may require to disable whatever + automatic or other means in which way another manifest is added to + `curl.exe`. + + Notice that Borland C doesn't support this method due to a + long-pending resource compiler bug. Watcom C may also not handle + it correctly when the `-zm` `wrc` option is used (this option may + be unnecessary though) and regardless of options in certain earlier + revisions of the 2.0 beta version. + + Closes https://github.com/curl/curl/pull/1221 + Fixes https://github.com/curl/curl/issues/2591 + +Patrick Monnerat (30 May 2018) +- os400: sync EBCDIC wrappers and ILE/RPG binding with latest options + +- os400: implement mime api EBCDIC wrappers + + Also sync ILE/RPG binding to define the new functions. 
+ +Daniel Stenberg (29 May 2018) +- setopt: add TLS 1.3 ciphersuites + + Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS. + + curl: added --tls13-ciphers and --proxy-tls13-ciphers + + Fixes #2435 + Reported-by: zzq1015 on github + Closes #2607 + +- configure: override AR_FLAGS to silence warning + + The automake default ar flags are 'cru', but the 'u' flag in there + causes warnings on many modern Linux distros. Removing 'u' may have a + minor performance impact on older distros but should not cause harm. + + Explained on the automake mailing list already back in April 2015: + + https://www.mail-archive.com/automake-patches@gnu.org/msg07705.html + + Reported-by: elephoenix on github + Fixes #2617 + Closes #2619 + +Sergei Nikulov (29 May 2018) +- cmake: fixed comments in compile checks code + +Daniel Stenberg (29 May 2018) +- INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib + + ... the older description doesn't work + + Reported-by: Peter Varga + Fixes #2615 + Closes #2616 + +- [Will Dietz brought this change] + + KNOWN_BUGS: restore text regarding #2101. + + This was added earlier but appears to have been removed accidentally. + + AFAICT this is very much still an issue. + + ----- + + I say "accidentally" because the text seems to have harmlessly snuck + into [1] (which makes no mention of it). [1] was later reverted for + unspecified reasons in [2], presumably because the mentioned issue was + fixed or invalid. + + [1] de9fac00c40db321d44fa6fbab6eb62ec4c83998 + [2] 16d1f369403cbb04bd7b085eabbeebf159473fc2 + + Closes #2618 + +- fnmatch: insist on escaped bracket to match + + A non-escaped bracket ([) is for a character group - as documented. It + will *not* match an individual bracket anymore. Test case 1307 updated + accordingly to match. + + Problem detected by OSS-Fuzz, although this fix is probably not a final + fix for the notorious timeout issues. 
+ + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8525 + Closes #2614 + +Patrick Monnerat (28 May 2018) +- psl: use latest psl and refresh it periodically + + The latest psl is cached in the multi or share handle. It is refreshed + before use after 72 hours. + New share lock CURL_LOCK_DATA_PSL controls the psl cache sharing. + If the latest psl is not available, the builtin psl is used. + + Reported-by: Yaakov Selkowitz + Fixes #2553 + Closes #2601 + +Daniel Stenberg (28 May 2018) +- [Fabrice Fontaine brought this change] + + configure: fix ssh2 linking when built with a static mbedtls + + The ssh2 pkg-config file could contain the following lines when build + with a static version of mbedtls: + Libs: -L${libdir} -lssh2 /xxx/libmbedcrypto.a + Libs.private: /xxx/libmbedcrypto.a + + This static mbedtls library must be used to correctly detect ssh2 + support and this library must be copied in libcurl.pc otherwise + compilation of any application (such as upmpdcli) with libcurl will fail + when trying to found mbedtls functions included in libssh2. So, replace + pkg-config --libs-only-l by pkg-config --libs. + + Fixes: + - http://autobuild.buildroot.net/results/43e24b22a77f616d6198c10435dcc23cc3b9088a + + Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> + Closes #2613 + +- RELEASE-NOTES: synced + +- [Bernhard Walle brought this change] + + cmake: check for getpwuid_r + + The autotools-based build system does it, so we do it also in CMake. + + Bug: #2609 + 
Signed-off-by: Bernhard Walle <bernhard@bwalle.de> + +- cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options + +- [Frank Gevaerts brought this change] + + curl.1: Fix cmdline-opts reference errors. + + --data, --form, and --ntlm were declared to be mutually exclusive with + non-existing options. --data and --form referred to --upload (which is + short for --upload-file and therefore did work, so this one was merely + a bit confusing), --ntlm referred to --negotiated instead of --negotiate. + + Closes #2612 + +- [Frank Gevaerts brought this change] + + docs: fix cmdline-opts metadata headers case consistency. + + Almost all headers start with an uppercase letter, but some didn't. + +- mailmap: Max Savenkov + +Sergei Nikulov (28 May 2018) +- [Max Savenkov brought this change] + + Fix the test for fsetxattr and strerror_r tests in CMake to work without compiling + +Daniel Stenberg (27 May 2018) +- mailmap: a Richard Alcock fixup + +- [Richard Alcock brought this change] + + schannel: add failf calls for client certificate failures + + Closes #2604 + +- [Richard Alcock brought this change] + + winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST + + Change requirement from $(DISTDIR) to $(DIRDIST) + + closes #2603 + +- [Richard Alcock brought this change] + + winbuild: only delete OUTFILE if it exists + + This removes the slightly annoying "Could not file LIBCURL_OBJS.inc" and + "Could not find CURL_OBJS.inc.inc" message when building into a clean + folder. + + closes #2602 + +- [Alejandro R. Sedeño brought this change] + + content_encoding: handle zlib versions too old for Z_BLOCK + + Fallback on Z_SYNC_FLUSH when Z_BLOCK is not available. + + Fixes #2606 + Closes #2608 + +- multi: provide a socket to wait for in Curl_protocol_getsock + + ... even when there's no protocol specific handler setup. 
+ + Bug: https://curl.haxx.se/mail/lib-2018-05/0062.html + Reported-by: Sean Miller + Closes #2600 + +- [Linus Lewandowski brought this change] + + httpauth: add support for Bearer tokens + + Closes #2102 + +- TODO: CURLINFO_PAUSE_STATE + + Closes #2588 + +Sergei Nikulov (24 May 2018) +- cmake: set -d postfix for debug builds if not specified + using -DCMAKE_DEBUG_POSTFIX explicitly + + fixes #2121, obsoletes #2384 + +Daniel Stenberg (23 May 2018) +- configure: add basic test of --with-ssl prefix + + When given a prefix, the $PREFIX_OPENSSL/lib/openssl.pc or + $PREFIX_OPENSSL/include/openssl/ssl.h files must be present or cause an + error. Helps users detect when giving configure the wrong path. + + Reported-by: Oleg Pudeyev + Assisted-by: Per Malmberg + Fixes #2580 + +Patrick Monnerat (22 May 2018) +- http resume: skip body if http code 416 (range error) is ignored. + + This avoids appending error data to already existing good data. + + Test 92 is updated to match this change. + New test 1156 checks all combinations of --range/--resume, --fail, + Content-Range header and http status code 200/416. + + Fixes #1163 + Reported-By: Ithubg on github + Closes #2578 + +Daniel Stenberg (22 May 2018) +- tftp: make sure error is zero terminated before printfing it + +- configure: add missing m4/ax_compile_check_sizeof.m4 + + follow-up to mistake in 6876ccf90b4 + +Jay Satiro (22 May 2018) +- [Johannes Schindelin brought this change] + + schannel: make CAinfo parsing resilient to CR/LF + + OpenSSL has supported --cacert for ages, always accepting LF-only line + endings ("Unix line endings") as well as CR/LF line endings ("Windows + line endings"). + + When we introduced support for --cacert also with Secure Channel (or in + cURL speak: "WinSSL"), we did not take care to support CR/LF line + endings, too, even if we are much more likely to receive input in that + form when using Windows. + + Let's fix that. 
+ + Happily, CryptQueryObject(), the function we use to parse the ca-bundle, + accepts CR/LF input already, and the trailing LF before the END + CERTIFICATE marker catches naturally any CR/LF line ending, too. So all + we need to care about is the BEGIN CERTIFICATE marker. We do not + actually need to verify here that the line ending is CR/LF. Just + checking for a CR or an LF is really plenty enough. + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + + Closes https://github.com/curl/curl/pull/2592 + +Daniel Stenberg (22 May 2018) +- CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit + +- RELEASE-NOTES: synced + +- KNOWN_BUGS: mention the -O with %-encoded file names + + Closes #2573 + +- checksrc: make sure sizeof() is used *with* parentheses + + ... and unify the source code to adhere. + + Closes #2563 + +- curl: added --styled-output + + It is enabled by default, so --no-styled-output will switch off the + detection/use of bold headers. + + Closes #2538 + +- curl: show headers in bold + + The feature is only enabled if the output is believed to be a tty. + + -J: There's some minor differences and improvements in -J handling, as + now J should work with -i and it actually creates a file first using the + initial name and then *renames* that to the one found in + Content-Disposition (if any). + + -i: only shows headers for HTTP transfers now (as documented). + Previously it would also show for pieces of the transfer that were HTTP + (for example when doing FTP over a HTTP proxy). + + -i: now shows trailers as well. Previously they were not shown at all. + + --libcurl: the CURLOPT_HEADER is no longer set, as the header output is + now done in the header callback. + +- configure: compile-time SIZEOF checks + + ... instead of exeucting code to get the size. Removes the use of + LD_LIBRARY_PATH for this. + + Fixes #2586 + Closes #2589 + Reported-by: Bernhard Walle + +- configure: replace AC_TRY_RUN with CURL_RUN_IFELSE + + ... and export LD_LIBRARY_PATH properly. This is a follow-up from + 2d4c215. + + Fixes #2586 + Reported-by: Bernhard Walle + +- docs: clarify CURLOPT_HTTPGET somewhat + + Reported-by: bsammon on github + Fixes #2590 + +- curl_fnmatch: only allow two asterisks for matching + + The previous limit of 5 can still end up in situation that takes a very + long time and consumes a lot of CPU. 
+ + If there is still a rare use case for this, a user can provide their own + fnmatch callback for a version that allows a larger set of wildcards. + + This commit was triggered by yet another OSS-Fuzz timeout due to this. + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8369 + + Closes #2587 + +- checksrc: fix too long line + + follow-up to e05ad5d + +- [Aleks brought this change] + + docs: mention HAproxy protocol "version 1" + + ...as there's also a version 2. + + Closes #2579 + +- examples/progressfunc: make it build on older libcurls + + This example was changed in ce2140a8c1 to use the new microsecond based + getinfo option. This change makes it conditionally keep using the older + option so that the example still builds with older libcurl versions. + + Closes #2584 + +- stub_gssapi: fix numerous 'unused parameter' warnings + + follow-up to d9e92fd9fd1d + +- [Philip Prindeville brought this change] + + getinfo: add microsecond precise timers for various intervals + + Provide a set of new timers that return the time intervals using integer + number of microseconds instead of floats. + + The new info names are as following: + + CURLINFO_APPCONNECT_TIME_T + CURLINFO_CONNECT_TIME_T + CURLINFO_NAMELOOKUP_TIME_T + CURLINFO_PRETRANSFER_TIME_T + CURLINFO_REDIRECT_TIME_T + CURLINFO_STARTTRANSFER_TIME_T + CURLINFO_TOTAL_TIME_T + + Closes #2495 + +- openssl: acknowledge --tls-max for default version too + + ... previously it only used the max setting if a TLS version was also + explicitly asked for. + + Reported-by: byte_bucket + Fixes #2571 + Closes #2572 + +- bump: start working on the pending 7.61.0 + +- [Dagobert Michelsen brought this change] + + tests/libtest/Makefile: Do not unconditionally add gcc-specific flags + + The warning flag leads e.g. Sun Studio compiler to bail out. 
+ + Closes #2576 + +- schannel_verify: fix build for non-schannel + +Jay Satiro (16 May 2018) +- rand: fix typo + +- schannel: disable manual verify if APIs not available + + .. because original MinGW and old compilers do not have the Windows API + definitions needed to support manual verification. + +- [Archangel_SDY brought this change] + + schannel: disable client cert option if APIs not available + + Original MinGW targets Windows 2000 by default, which lacks some APIs and + definitions for this feature. Disable it if these APIs are not available. + + Closes https://github.com/curl/curl/pull/2522 + +Version 7.60.0 (15 May 2018) + +Daniel Stenberg (15 May 2018) +- RELEASE-NOTES: 7.60.0 release + +- THANKS: added people from the curl 7.60.0 release + +- docs/libcurl/index.html: removed + + The HTML files are long gone from the dist, now remove the last HTML + file pointing to those missing files. + + d + +- [steini2000 brought this change] + + http2: remove unused variable + + Closes #2570 + +- [steini2000 brought this change] + + http2: use easy handle of stream for logging + +- gcc: disable picky gcc-8 function pointer warnings in two places + + Reported-by: Rikard Falkeborn + Bug: #2560 + Closes #2569 + +- http2: use the correct function pointer typedef + + Fixes gcc-8 picky compiler warnings + Reported-by: Rikard Falkeborn + Bug: #2560 + Closes #2568 + +- CODE_STYLE: mention return w/o parens, but sizeof with + + ... and remove the github markdown syntax so that it renders better on + the web site. Also, don't use back-ticks inlined to allow the CSS to + highlight source code better. 
+ +- [Rikard Falkeborn brought this change] + + examples: Fix format specifiers + + Closes #2561 + +- [Rikard Falkeborn brought this change] + + tool: Fix format specifiers + +- [Rikard Falkeborn brought this change] + + ntlm: Fix format specifiers + +- [Rikard Falkeborn brought this change] + + tests: Fix format specifiers + +- [Rikard Falkeborn brought this change] + + lib: Fix format specifiers + +- contributors.sh: use "on github", not at + +- http2: getsock fix for uploads + + When there's an upload in progress, make sure to wait for the socket to + become writable. + + Detected-by: steini2000 on github + Bug: #2520 + Closes #2567 + +- pingpong: fix response cache memcpy overflow + + Response data for a handle with a large buffer might be cached and then + used with the "closure" handle when it has a smaller buffer and then the + larger cache will be copied and overflow the new smaller heap based + buffer. + + Reported-by: Dario Weisser + CVE: CVE-2018-1000300 + Bug: https://curl.haxx.se/docs/adv_2018-82c2.html + +- http: restore buffer pointer when bad response-line is parsed + + ... leaving the k->str could lead to buffer over-reads later on. + + CVE: CVE-2018-1000301 + Assisted-by: Max Dymond + + Detected by OSS-Fuzz. + Bug: https://curl.haxx.se/docs/adv_2018-b138.html + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 + +Patrick Monnerat (13 May 2018) +- cookies: do not take cookie name as a parameter + + RFC 6265 section 4.2.1 does not set restrictions on cookie names. + This is a follow-up to commit 7f7fcd0. + Also explicitly check proper syntax of cookie name/value pair. + + New test 1155 checks that cookie names are not reserved words. 
+ + Reported-By: anshnd at github + Fixes #2564 + Closes #2566 + +Daniel Stenberg (12 May 2018) +- smb: reject negative file sizes + + Assisted-by: Max Dymond + + Detected by OSS-Fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245 + +- setup_transfer: deal with both sockets being -1 + + Detected by Coverity; CID 1435559. Follow-up to f8d608f38d00. It would + index the array with -1 if neither index was a socket. + +- travis: add build using NSS + + Closes #2558 + +- [Sunny Purushe brought this change] + + openssl: change FILE ops to BIO ops + + To make builds with VS2015 work. Recent changes in VS2015 _IOB_ENTRIES + handling is causing problems. This fix changes the OpenSSL backend code + to use BIO functions instead of FILE I/O functions to circumvent those + problems. + + Closes #2512 + +- travis: add a build using WolfSSL + + Assisted-by: Dan Fandrich + + Closes #2528 + +- RELEASE-NOTES: typo + +- RELEASE-NOTES: synced + +- [Daniel Gustafsson brought this change] + + URLs: fix one more http url + + This file wasn't included in commit 4af40b3646d3b09 which updated all + haxx.se http urls to https. The file was committed prior to that update, + but may have been merged after it and hence didn't get updated. + + Closes #2550 + +- github/lock: auto-lock closed issues after 90 days of inactivity + +- vtls: fix missing commas + + follow-up to e66cca046cef + +- vtls: use unified "supports" bitfield member in backends + + ... instead of previous separate struct fields, to make it easier to + extend and change individual backends without having to modify them all. + + closes #2547 + +- transfer: don't unset writesockfd on setup of multiplexed conns + + Curl_setup_transfer() can be called to setup a new individual transfer + over a multiplexed connection so it shouldn't unset writesockfd. 
+ + Bug: #2520 + Closes #2549 + +- [Frank Gevaerts brought this change] + + configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h + + They are removed from the compiler flags. + + This ensures that make dependency tracking will force a rebuild whenever + configure --enable-debug or --enable-curldebug changes. + + Closes #2548 + +- http: don't set the "rewind" flag when not uploading anything + + It triggers an assert. + + Detected by OSS-Fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144 + Closes #2546 + +- travis: add an mbedtls build + + Closes #2531 + +- configure: only check for CA bundle for file-using SSL backends + + When only building with SSL backends that don't use the CA bundle file + (by default), skip the check. + + Fixes #2543 + Fixes #2180 + Closes #2545 + +- ssh-libssh.c: fix left shift compiler warning + + ssh-libssh.c:2429:21: warning: result of '1 << 31' requires 33 bits to + represent, but 'int' only has 32 bits [-Wshift-overflow=] + + 'len' will never be that big anyway so I converted the run-time check to + a regular assert. + +- [Stephan Mühlstrasser brought this change] + + URL: fix ASCII dependency in strcpy_url and strlen_url + + Commit 3c630f9b0af097663a64e5c875c580aa9808a92b partially reverted the + changes from commit dd7521bcc1b7a6fcb53c31f9bd1192fcc884bd56 because of + the problem that strcpy_url() was modified unilaterally without also + modifying strlen_url(). As a consequence strcpy_url() was again + depending on ASCII encoding. + + This change fixes strlen_url() and strcpy_url() in parallel to use a + common host-encoding independent criterion for deciding whether an URL + character must be %-escaped. + + Closes #2535 + +- [Denis Ollier brought this change] + + docs: remove extraneous commas in man pages + + Closes #2544 + +- RELEASE-NOTES: synced + +- Revert "TODO: remove configure --disable-pthreads" + + This reverts commit d5d683a97f9765bddfd964fe32e137aa6e703ed3. 
+ + --disable-pthreads can be used to disable pthreads and get the threaded + resolver to use the windows threading when building with mingw. + +- vtls: don't define MD5_DIGEST_LENGTH for wolfssl + + ... as it defines it (too) + +- TODO: remove configure --disable-pthreads + +Jay Satiro (2 May 2018) +- [David Garske brought this change] + + wolfssl: Fix non-blocking connect + + Closes https://github.com/curl/curl/pull/2542 + +Daniel Stenberg (30 Apr 2018) +- CURLOPT_URL.3: add ENCODING section [ci skip] + + Feedback-by: Michael Kilburn + +- KNOWN_BUGS: Client cert with Issuer DN differs between backends + + Closes #1411 + +- KNOWN_BUGS: Passive transfer tries only one IP address + + Closes #1508 + +- KNOWN_BUGS: --upload-file . hang if delay in STDIN + + Closes #2051 + +- KNOWN_BUGS: Connection information when using TCP Fast Open + + Closes #1332 + +- travis: enable libssh2 on both macos and Linux + + It seems to not be detected by default anymore (which is a bug I + believe) + + Closes #2541 + +- TODO: Support the clienthello extension + + Closes #2299 + +- TODO: CLOEXEC + + Closes #2252 + +- tests: provide 'manual' as a feature to optionally require + + ... and make test 1026 rely on that feature so that --disable-manual + builds don't cause test failures. + + Reported-by: Max Dymond and Anders Roxell + Fixes #2533 + Closes #2540 + +- CURLINFO_PROTOCOL.3: mention the existing defined names + +Jay Satiro (27 Apr 2018) +- [Daniel Gustafsson brought this change] + + cookies: remove unused macro + + Commit 2bc230de63 made the macro MAX_COOKIE_LINE_TXT become unused, + so remove as it's not part of the published API. + + Closes https://github.com/curl/curl/pull/2537 + +Daniel Stenberg (27 Apr 2018) +- [Daniel Gustafsson brought this change] + + checksrc: force indentation of lines after an else + + This extends the INDENTATION case to also handle 'else' statements + and require proper indentation on the following line. 
Also fixes the + offending cases found in the codebase. + + Closes #2532 + +- http2: fix null pointer dereference in http2_connisdead + + This function can get called on a connection that isn't setup enough to + have the 'recv_underlying' function pointer initialized so it would try + to call the NULL pointer. + + Reported-by: Dario Weisser + + Follow-up to db1b2c7fe9b093f8 (never shipped in a release) + Closes #2536 + +- http2: get rid of another strstr() + + Follow-up to 1514c44655e12e: replace another strstr() call done on a + buffer that might not be zero terminated - with a memchr() call, even if + we know the substring will be found. + + Assisted-by: Max Dymond + + Detected by OSS-Fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021 + + Closes #2534 + +- cyassl: adapt to libraries without TLS 1.0 support built-in + + WolfSSL doesn't enable it by default anymore + +- configure: provide --with-wolfssl as an alias for --with-cyassl + +- RELEASE-NOTES: synced + +- [Daniel Gustafsson brought this change] + + os400.c: fix ASSIGNWITHINCONDITION checksrc warnings + + All occurrences of assignment within conditional expression in + os400sys.c rewritten into two steps: first assignment and then the check + on the success of the assignment. Also adjust related incorrect brace + positions to match project indentation style. + + This was spurred by seeing "if((inp = input_token))", but while in there + all warnings were fixed. + + There should be no functional change from these changes. + + Closes #2525 + +- [Daniel Gustafsson brought this change] + + cookies: ensure that we have cookies before writing jar + + The jar should be written iff there are cookies, so ensure that we still + have cookies after expiration to avoid creating an empty file. 
+ + Closes #2529 + +- strcpy_url: only %-encode values >= 0x80 + + OSS-Fuzz detected + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8000 + + Broke in dd7521bcc1b7 + +- mime: avoid NULL pointer dereference risk + + Coverity detected, CID 1435120 + + Closes #2527 + +- [Stephan Mühlstrasser brought this change] + + ctype: restore character classification for non-ASCII platforms + + With commit 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2 curl-speficic + character classification macros and functions were introduced in + curl_ctype.[ch] to avoid dependencies on the locale. This broke curl on + non-ASCII, e.g. EBCDIC platforms. This change restores the previous set + of character classification macros when CURL_DOES_CONVERSIONS is + defined. + + Closes #2494 + +- ftplistparser: keep state between invokes + + Fixes FTP wildcard parsing when done over a number of read buffers. + + Regression from f786d1f14 + + Reported-by: wncboy on github + Fixes #2445 + Closes #2526 + +- examples/http2-upload: expand buffer to avoid silly warning + + http2-upload.c:135:44: error: ‘%02d’ directive output may be truncated + writing between 2 and 11 bytes into a region of size between 8 and 17 + +- examples/sftpuploadresume: typecast fseek argument to long + + /docs/examples/sftpuploadresume.c:102:12: warning: conversion to 'long + int' from 'curl_off_t {aka long long int}' may alter its value + +- Revert "ftplistparser: keep state between invokes" + + This reverts commit abbc8457d85aca74b7cfda1d394b0844932b2934. + + Caused fuzzer problems on travis not seen when this was a PR! + +- Curl_memchr: zero length input can't match + + Avoids undefined behavior. + + Reported-by: Geeknik Labs + +- ftplistparser: keep state between invokes + + Fixes FTP wildcard parsing when doing over a number of read buffers. + + Regression from f786d1f14 + + Reported-by: wncboy on github + Fixes #2445 + Closes #2519 + +- ftplistparser: renamed some members and variables + + ... 
to make them better spell out what they're for. + +- RELEASE-NOTES: synced + +- [Christian Schmitz brought this change] + + curl_global_sslset: always provide available backends + + Closes #2499 + +- http2: convert an assert to run-time check + + Fuzzing has proven we can reach code in on_frame_recv with status_code + not having been set, so let's detect that in run-time (instead of with + assert) and error error accordingly. + + (This should no longer happen with the latest nghttp2) + + Detected by OSS-Fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903 + Closes #2514 + +- curl.1: clarify that options and URLs can be mixed + + Fixes #2515 + Closes #2517 + +Jay Satiro (23 Apr 2018) +- [Archangel_SDY brought this change] + + CURLOPT_SSLCERT.3: improve WinSSL-specific usage info + + Ref: https://github.com/curl/curl/pull/2376#issuecomment-381858780 + + Closes https://github.com/curl/curl/pull/2504 + +- [Archangel_SDY brought this change] + + schannel: fix build error on targets <= XP + + - Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't + support the latter. + + Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668 + + Closes https://github.com/curl/curl/pull/2504 + +Daniel Stenberg (23 Apr 2018) +- Revert "ftplistparser: keep state between invokes" + + This reverts commit 8fb78f9ddc6d858d630600059b8ad84a80892fd9. + + Unfortunately this fix introduces memory leaks I've not been able to fix + in several days. Reverting this for now to get the leaks fixed. + +Jay Satiro (21 Apr 2018) +- tool_help: clarify --max-time unit of time is seconds + + Before: + -m, --max-time <time> Maximum time allowed for the transfer + + After: + -m, --max-time <seconds> Maximum time allowed for the transfer + +Daniel Stenberg (20 Apr 2018) +- http2: handle GOAWAY properly + + When receiving REFUSED_STREAM, mark the connection for close and retry + streams accordingly on another/fresh connection. 
+ + Reported-by: Terry Wu + Fixes #2416 + Fixes #1618 + Closes #2510 + +- http2: clear the "drain counter" when a stream is closed + + This fixes the notorious "httpc->drain_total >= data->state.drain" + assert. + + Reported-by: Anders Bakken + + Fixes #1680 + Closes #2509 + +- http2: avoid strstr() on data not zero terminated + + It's not strictly clear if the API contract allows us to call strstr() + on a string that isn't zero terminated even when we know it will find + the substring, and clang's ASAN check dislikes us for it. + + Also added a check of the return code in case it fails, even if I can't + think of a situation how that can trigger. + + Detected by OSS-Fuzz + Closes #2513 + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760 + +- [Stephan Mühlstrasser brought this change] + + openssl: fix subjectAltName check on non-ASCII platforms + + Curl_cert_hostcheck operates with the host character set, therefore the + ASCII subjectAltName string retrieved with OpenSSL must be converted to + the host encoding before comparison. + + Closes #2493 + +Jay Satiro (20 Apr 2018) +- openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messages + + - Support handling verbose-mode trace messages of type + SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS, + SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO, + SSL3_MT_MESSAGE_HASH + + Reported-by: iz8mbw@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/2403 + +Daniel Stenberg (19 Apr 2018) +- ftplistparser: keep state between invokes + + Regression from f786d1f14 + + Reported-by: wncboy on github + Fixes #2445 + Closes #2508 + +- detect_proxy: only show proxy use if it had contents + +- http2: handle on_begin_headers() called more than once + + This triggered an assert if called more than once in debug mode (and a + memory leak if not debug build). With the right sequence of HTTP/2 + headers incoming it can happen. 
+ + Detected by OSS-Fuzz + + Closes #2507 + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764 + +Jay Satiro (18 Apr 2018) +- [Dan McNulty brought this change] + + schannel: add support for CURLOPT_CAINFO + + - Move verify_certificate functionality in schannel.c into a new + file called schannel_verify.c. Additionally, some structure defintions + from schannel.c have been moved to schannel.h to allow them to be + used in schannel_verify.c. + + - Make verify_certificate functionality for Schannel available on + all versions of Windows instead of just Windows CE. verify_certificate + will be invoked on Windows CE or when the user specifies + CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER. + + - In verify_certificate, create a custom certificate chain engine that + exclusively trusts the certificate store backed by the CURLOPT_CAINFO + file. + + - doc updates of --cacert/CAINFO support for schannel + + - Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString + when available. This implements a TODO in schannel.c to improve + handling of multiple SANs in a certificate. In particular, all SANs + will now be searched instead of just the first name. + + - Update tool_operate.c to not search for the curl-ca-bundle.crt file + when using Schannel to maintain backward compatibility. Previously, + any curl-ca-bundle.crt file found in that search would have been + ignored by Schannel. But, with CAINFO support, the file found by + that search would have been used as the certificate store and + could cause issues for any users that have curl-ca-bundle.crt in + the search path. + + - Update url.c to not set the build time CURL_CA_BUNDLE if the selected + SSL backend is Schannel. We allow setting CA location for schannel + only when explicitly specified by the user via CURLOPT_CAINFO / + --cacert. + + - Add new test cases 3000 and 3001. These test cases check that the first + and last SAN, respectively, matches the connection hostname. 
New test + certificates have been added for these cases. For 3000, the certificate + prefix is Server-localhost-firstSAN and for 3001, the certificate + prefix is Server-localhost-secondSAN. + + - Remove TODO 15.2 (Add support for custom server certificate + validation), this commit addresses it. + + Closes https://github.com/curl/curl/pull/1325 + +- schannel: fix warning + + - Fix warning 'integer from pointer without a cast' on 3rd arg in + CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer + type of the same size. + + Follow-up to e35b025. + + Caught by Marc's CI builds. + +- [Jakub Wilk brought this change] + + docs: fix typos + + Closes https://github.com/curl/curl/pull/2503 + +Daniel Stenberg (17 Apr 2018) +- RELEASE-NOTES: synced + +Jay Satiro (17 Apr 2018) +- [Kees Dekker brought this change] + + winbuild: Support custom devel paths for each dependency + + - Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2, + OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH, + NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH. + + - Use lib.exe for making the static library instead of link.exe /lib. + The latter is undocumented and could cause problems as noted in the + comments. + + - Remove a dangling URL that no longer worked. (I was not able to find + the IDN download at MSDN/microsoft.com, so it seems to be removed.) + + - Remove custom override for release-ssh2-ssl-dll-zlib configuration. + Nobody knows why it was there and as far as we can see is unnecessary. 
+ + Closes https://github.com/curl/curl/pull/2474 + +Daniel Stenberg (17 Apr 2018) +- [Jess brought this change] + + README.md: add backers and sponsors + + Closes #2484 + +- [Archangel_SDY brought this change] + + schannel: add client certificate authentication + + Users can now specify a client certificate in system certificates store + explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"` + + Closes #2376 + +Marcel Raad (16 Apr 2018) +- [toughengineer brought this change] + + ntlm_sspi: fix authentication using Credential Manager + + If you pass empty user/pass asking curl to use Windows Credential + Storage (as stated in the docs) and it has valid credentials for the + domain, e.g. + curl -v -u : --ntlm example.com + currently authentication fails. + This change fixes it by providing proper SPN string to the SSPI API + calls. + + Fixes https://github.com/curl/curl/issues/1622 + Closes https://github.com/curl/curl/pull/1660 + +Daniel Stenberg (16 Apr 2018) +- configure: keep LD_LIBRARY_PATH changes local + + ... only set it when we actually have to run tests to reduce its impact + on for example build commands etc. + + Fixes #2490 + Closes #2492 + + Reported-by: Dmitry Mikhirev + +Marcel Raad (16 Apr 2018) +- urldata: make service names unconditional + + The ifdefs have become quite long. Also, the condition for the + definition of CURLOPT_SERVICE_NAME and for setting it from + CURLOPT_SERVICE_NAME have diverged. We will soon also need the two + options for NTLM, at least when using SSPI, for + https://github.com/curl/curl/pull/1660. + Just make the definitions unconditional to make that easier. 
+ + Closes https://github.com/curl/curl/pull/2479 + +Daniel Stenberg (16 Apr 2018) +- test1148: tolerate progress updates better + + Fixes #2446 + Closes #2488 + +- [Christian Schmitz brought this change] + + ssh: show libSSH2 error code when closing fails + + Closes #2500 + +Jay Satiro (15 Apr 2018) +- [Daniel Gustafsson brought this change] + + vauth: Fix typo + + Address various spellings of "credentials". + + Closes https://github.com/curl/curl/pull/2496 + +- [Dagobert Michelsen brought this change] + + system.h: Add sparcv8plus to oracle/sunpro 32-bit detection + + With specific compiler options selecting the arch like -xarch=sparc on + newer compilers like Oracle Studio 12.4 there is no definition of + __sparcv8 but __sparcv8plus which means the V9 ISA, but limited to the + 32ÎíÎñbit subset defined by the V8plus ISA specification, without the + Visual Instruction Set (VIS), and without other implementation-specific + ISA extensions. So it should be the same as __sparcv8. + + Closes https://github.com/curl/curl/pull/2491 + +- [Daniel Gustafsson brought this change] + + checksrc: Fix typo + + Fix typo in "semicolon" spelling and remove stray tab character. + + Closes https://github.com/curl/curl/pull/2498 + +- [Daniel Gustafsson brought this change] + + all: Refactor malloc+memset to use calloc + + When a zeroed out allocation is required, use calloc() rather than + malloc() followed by an explicit memset(). The result will be the + same, but using calloc() everywhere increases consistency in the + codebase and avoids the risk of subtle bugs when code is injected + between malloc and memset by accident. + + Closes https://github.com/curl/curl/pull/2497 + +Daniel Stenberg (12 Apr 2018) +- duphandle: make sure CURLOPT_RESOLVE is duplicated fine too + + Verified in test 1502 now + + Fixes #2485 + Closes #2486 + Reported-by: Ernst Sjöstrand + +- mailmap: add a monnerat fixup [ci skip] + +- proxy: show getenv proxy use in verbose output + + ... 
to aid debugging etc as it sometimes isn't immediately obvious why + curl uses or doesn't use a proxy. + + Inspired by #2477 + + Closes #2480 + +- travis: build libpsl and make builds use it + + closes #2471 + +- travis: bump to clang 6 and gcc 7 + + Extra-eye-on-this-by: Marcel Raad + + Closes #2478 + +Marcel Raad (10 Apr 2018) +- travis: use trusty for coverage build + + This works now and precise is in the process of being decommissioned. + + Closes https://github.com/curl/curl/pull/2476 + +- lib: silence null-dereference warnings + + In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings + when dereferencing pointers after DEBUGASSERT-ing that they are not + NULL. + Fix this by removing the DEBUGASSERTs. + + Suggested-by: Daniel Stenberg + Ref: https://github.com/curl/curl/pull/2463 + +- [Kees Dekker brought this change] + + winbuild: fix URL + + Follow up on https://github.com/curl/curl/pull/2472. + Now using en-us instead of nl-nl as language code in the URL. + + Closes https://github.com/curl/curl/pull/2475 + +Daniel Stenberg (9 Apr 2018) +- [Kees Dekker brought this change] + + winbuild: updated the documentation + + The setenv command no longer exists and visual studio build prompts got + changed. Used Visual Studio 2015/2017 as reference. + + Closes #2472 + +- test1136: fix cookie order after commit c990eadd1277 + +- build: cleanup to fix clang warnings/errors + + unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a + cast from integer to pointer is a GNU extension + + Reported-by: Rikard Falkeborn + + Fixes #2466 + Closes #2468 + +Jay Satiro (7 Apr 2018) +- examples/sftpuploadresmue: Fix Windows large file seek + + - Use _fseeki64 instead of fseek (long) to seek curl_off_t in Windows. + + - Use CURL_FORMAT_CURL_OFF_T specifier instead of %ld to print + curl_off_t. + + Caught by Marc's CI builds. + +Daniel Stenberg (7 Apr 2018) +- curl_setup: provide a CURL_SA_FAMILY_T type if none exists + + ... 
and use this type instead of 'sa_family_t' in the code since several + platforms don't have it. + + Closes #2463 + +- [Eric Gallager brought this change] + + build: add picky compiler warning flags for gcc 6 and 7 + +- configure: detect sa_family_t + +Jay Satiro (7 Apr 2018) +- [Stefan Agner brought this change] + + tool_operate: Fix retry on FTP 4xx to ignore other protocols + + Only treat response code as FTP response codes in case the + protocol type is FTP. + + This fixes an issue where an HTTP download was treated as FTP + in case libcurl returned with 33. This happens when the + download has already finished and the server responses 416: + HTTP/1.1 416 Requested Range Not Satisfiable + + This should not be treated as an FTP error. + + Fixes #2464 + Closes #2465 + +Daniel Stenberg (6 Apr 2018) +- hash: calculate sizes with size_t instead of longs + + ... since they return size_t anyway! + + closes #2462 + +- RELEASE-NOTES: synced + +- [Jay Satiro brought this change] + + build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15 + + .. and do the same for build-wolfssl.bat. + + Because MS calls it VC14.1. + + Closes https://github.com/curl/curl/pull/2189 + +- [Kees Dekker brought this change] + + winbuild: make the clean target work without build-type + + Due to the check in Makefile.vc and MakefileBuild.vc, no make call can + be invoked unless a build-type was specified. However, a clean target + only existed when a build type was specified. As a result, the clean + target was unreachable. Made clean target unconditional. + + Closes #2455 + +- [patelvivekv1993 brought this change] + + build-openssl.bat: allow custom paths for VS and perl + + Fixes #2430 + Closes #2457 + +- [Laurie Clark-Michalek brought this change] + + FTP: allow PASV on IPv6 connections when a proxy is being used + + In the situation of a client connecting to an FTP server using an IPv6 + tunnel proxy, the connection info will indicate that the connection is + IPv6. 
However, because the server behing the proxy is IPv4, it is + permissable to attempt PSV mode. In the case of the FTP server being + IPv4 only, EPSV will always fail, and with the current logic curl will + be unable to connect to the server, as the IPv6 fwdproxy causes curl to + think that EPSV is impossible. + + Closes #2432 + +- [Jon DeVree brought this change] + + file: restore old behavior for file:////foo/bar URLs + + curl 7.57.0 and up interpret this according to Appendix E.3.2 of RFC + 8089 but then returns an error saying this is unimplemented. This is + actually a regression in behavior on both Windows and Unix. + + Before curl 7.57.0 this URL was treated as a path of "//foo/bar" and + then passed to the relevant OS API. This means that the behavior of this + case is actually OS dependent. + + The Unix path resolution rules say that the OS must handle swallowing + the extra "/" and so this path is the same as "/foo/bar" + + The Windows path resolution rules say that this is a UNC path and + automatically handles the SMB access for the program. So curl on Windows + was already doing Appendix E.3.2 without any special code in curl. + + Regression + + Closes #2438 + +- [Gaurav Malhotra brought this change] + + Revert "openssl: Don't add verify locations when verifypeer==0" + + This reverts commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb. + + libcurl (with the OpenSSL backend) performs server certificate verification + even if verifypeer == 0 and the verification result is available using + CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the + CURLINFO_SSL_VERIFYRESULT to not have useful information for the + verifypeer == 0 use case (it would always have + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY). 
+ + Closes #2451 + +- [Wyatt O'Day brought this change] + + tls: fix mbedTLS 2.7.0 build + handle sha256 failures + + (mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED) + + Closes #2453 + +- [Lauri Kasanen brought this change] + + cookie: case-insensitive hashing for the domains + + closes #2458 + +Patrick Monnerat (4 Apr 2018) +- cookie: fix and optimize 2nd top level domain name extraction + + This fixes a segfault occurring when a name of the (invalid) form "domain..tld" + is processed. + + test46 updated to cover this case. + + Follow-up to commit c990ead. + + Ref: https://github.com/curl/curl/pull/2440 + +Daniel Stenberg (4 Apr 2018) +- openssl: provide defines for argument typecasts to build warning-free + + ... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types. + +- [Bernard Spil brought this change] + + openssl: fix build with LibreSSL 2.7 + + - LibreSSL 2.7 implements (most of) OpenSSL 1.1 API + + Fixes #2319 + Closes #2447 + Closes #2448 + + 
Signed-off-by: Bernard Spil <brnrd@FreeBSD.org> + +- [Lauri Kasanen brought this change] + + cookie: store cookies per top-level-domain-specific hash table + + This makes libcurl handle thousands of cookies much better and speedier. + + Closes #2440 + +- [Lauri Kasanen brought this change] + + cookies: when reading from a file, only remove_expired once + + This drops the cookie load time for 8k cookies from 178ms to 15ms. + + Closes #2441 + +- test1148: set a fixed locale for the test + + ...as otherwise it might use a different decimal sign. + + Bug: #2436 + Reported-by: Oumph on github + +Jay Satiro (31 Mar 2018) +- docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T + + - Put a percent sign before each CURL_FORMAT_CURL_OFF_T in printf. + + For example "%" CURL_FORMAT_CURL_OFF_T becomes %lld or similar. + + Bug: https://curl.haxx.se/mail/lib-2018-03/0140.html + Reported-by: David L. + +Sergei Nikulov (27 Mar 2018) +- [Michał Janiszewski brought this change] + + cmake: Add advapi32 as explicit link library for win32 + + ARM targets need advapi32 explicitly. + + Closes #2363 + +Daniel Stenberg (27 Mar 2018) +- TODO: connection cache sharing is now supporte + +Jay Satiro (26 Mar 2018) +- travis: enable apt retry on fail + + This is a workaround for an unsolved travis issue that is causing CI + instances to sporadically fail due to 'unable to connect' issues during + apt stage. 
+ + Ref: https://github.com/travis-ci/travis-ci/issues/8507 + Ref: https://github.com/travis-ci/travis-ci/issues/9112#issuecomment-376305909 + +Michael Kaufmann (26 Mar 2018) +- runtests.pl: fix warning 'use of uninitialized value' + + follow-up to a9a7b60 + + Closes #2428 + +Daniel Stenberg (24 Mar 2018) +- gitignore: ignore more generated files + +- threaded resolver: track resolver time and set suitable timeout values + + In order to make curl_multi_timeout() return suitable "sleep" times even + when there's no socket to wait for while the name is being resolved in a + helper thread. + + It will increases the timeouts as time passes. + + Closes #2419 + +- [Howard Chu brought this change] + + openldap: fix for NULL return from ldap_get_attribute_ber() + + Closes #2399 + +GitHub (22 Mar 2018) +- [Sergei Nikulov brought this change] + + travis-ci: enable -Werror for CMake builds (#2418) + +- [Sergei Nikulov brought this change] + + cmake: avoid warn-as-error during config checks (#2411) + + - Move the CURL_WERROR option processing after the configuration checks + to avoid failures in case of warnings during the configuration checks. + + This is a partial fix for #2358 + +- [Sergei Nikulov brought this change] + + timeval: remove compilation warning by casting (#2417) + + This is fixes #2358 + +Daniel Stenberg (22 Mar 2018) +- http2: read pending frames (including GOAWAY) in connection-check + + If a connection has received a GOAWAY frame while not being used, the + function now reads frames off the connection before trying to reuse it + to avoid reusing connections the server has told us not to use. 
+ + Reported-by: Alex Baines + Fixes #1967 + Closes #2402 + +- [Bas van Schaik brought this change] + + CI: add lgtm.yml for tweaking lgtm.com analysis + + Closes #2414 + +- CURLINFO_SSL_VERIFYRESULT.3: fix the example, add some text + + Reported-by: Michal Trybus + + Fixes #2400 + +- TODO: expand ~/ in config files + + Closes #2317 + +- cookie.d: mention that "-" as filename means stdin + + Reported-by: Dongliang Mu + Fixes #2410 + +- CURLINFO_COOKIELIST.3: made the example not leak memory + + Reported-by: Muz Dima + +- vauth/cleartext: fix integer overflow check + + Make the integer overflow check not rely on the undefined behavior that + a size_t wraps around on overflow. + + Detected by lgtm.com + Closes #2408 + +- lib/curl_path.h: add #ifdef header guard + + Detected by lgtm.com + +- vauth/ntlm.h: fix the #ifdef header guard + + Detected by lgtm.com + +Jay Satiro (20 Mar 2018) +- examples/hiperfifo: checksrc compliance + +Daniel Stenberg (19 Mar 2018) +- [Nikos Tsipinakis brought this change] + + parsedate: support UT timezone + + RFC822 section 5.2 mentions Universal Time, 'UT', to be synonymous with + GMT. + + Closes #2401 + +- RELEASE-NOTES: synced + +- [Don brought this change] + + cmake: add support for brotli + + Currently CMake cannot detect Brotli support. This adds detection of the + libraries and associated header files. It also adds this to the + generated config. + + Closes #2392 + +- [Chris Araman brought this change] + + darwinssl: fix iOS build + +Patrick Monnerat (18 Mar 2018) +- ILE/RPG binding: Add CURLOPT_HAPROXYPROTOCOL/Fix CURLOPT_DNS_SHUFFLE_ADDRESSES + +Daniel Stenberg (17 Mar 2018) +- [Rick Deist brought this change] + + resolve: add CURLOPT_DNS_SHUFFLE_ADDRESSES + + This patch adds CURLOPT_DNS_SHUFFLE_ADDRESSES to explicitly request + shuffling of IP addresses returned for a hostname when there is more + than one. 
This is useful when the application knows that a round robin + approach is appropriate and is willing to accept the consequences of + potentially discarding some preference order returned by the system's + implementation. + + Closes #1694 + +- add_handle/easy_perform: clear errorbuffer on start if set + + To offer applications a more defined behavior, we clear the buffer as + early as possible. + + Assisted-by: Jay Satiro + + Fixes #2190 + Closes #2377 + +- [Lawrence Matthews brought this change] + + CURLOPT_HAPROXYPROTOCOL: support the HAProxy PROXY protocol + + Add --haproxy-protocol for the command line tool + + Closes #2162 + +- curl_version_info.3: fix ssl_version description + + Reported-by: Vincas Razma + Fixes #2364 + +- multi: improved pending transfers handling => improved performance + + When a transfer is requested to get done and it is put in the pending + queue when limited by number of connections, total or per-host, libcurl + would previously very aggressively retry *ALL* pending transfers to get + them transferring. That was very time consuming. + + By reducing the aggressiveness in how pending are being retried, we + waste MUCH less time on putting transfers back into pending again. + + Some test cases got a factor 30(!) speed improvement with this change. + + Reported-by: Cyril B + Fixes #2369 + Closes #2383 + +- pause: when changing pause state, update socket state + + Especially unpausing a transfer might have to move the socket back to the + "currently used sockets" hash to get monitored. Otherwise it would never get + any more data and get stuck. Easily triggered with pausing using the + multi_socket API. 
+ + Reported-by: Philip Prindeville + Bug: https://curl.haxx.se/mail/lib-2018-03/0048.html + Fixes #2393 + Closes #2391 + +- [Philip Prindeville brought this change] + + examples/hiperfifo.c: improved + + * use member struct event’s instead of pointers to alloc’d struct + events + + * simplify the cases for the mcode_or_die() function via macros; + + * make multi_timer_cb() actually do what the block comment says it + should; + + * accept a “stop” command on the FIFO to shut down the service; + + * use cleaner notation for unused variables than the (void) hack; + + * allow following redirections (304’s); + +- rate-limit: use three second window to better handle high speeds + + Due to very frequent updates of the rate limit "window", it could + attempt to rate limit within the same milliseconds and that then made + the calculations wrong, leading to it not behaving correctly on very + fast transfers. + + This new logic updates the rate limit "window" to be no shorter than the + last three seconds and only updating the timestamps for this when + switching between the states TOOFAST/PERFORM. + + Reported-by: 刘佩东 + Fixes #2386 + Closes #2388 + +- [luz.paz brought this change] + + cleanup: misc typos in strings and comments + + Found via `codespell` + + Closes #2389 + +- RELEASE-NOTES: toward 7.60.0 + +- [Kobi Gurkan brought this change] + + http2: fixes typo + + Closes #2387 + +- user-agent.d:: mention --proxy-header as well + + Bug: https://github.com/curl/curl/issues/2381 + +- transfer: make HTTP without headers count correct body size + + This is what "HTTP/0.9" basically looks like. 
+ + Reported on IRC + + Closes #2382 + +- test1208: marked flaky + + It fails somewhere between every 3rd to 10th travis-CI run + +- SECURITY-PROCESS: mention how we write/add advisories + +- [dasimx brought this change] + + FTP: fix typo in recursive callback detection for seeking + + Fixes #2380 + +Version 7.59.0 (13 Mar 2018) + +Daniel Stenberg (13 Mar 2018) +- release: 7.59.0 + +Kamil Dudka (13 Mar 2018) +- tests/.../spnego.py: fix identifier typo + + Detected by Coverity Analysis: + + Error: IDENTIFIER_TYPO: + curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo: + * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code. + * Identifier "SupportedMech" is referenced elsewhere at least 4 times. + curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech". + curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech". + curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function). + curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"? + + Closes #2379 + +Daniel Stenberg (13 Mar 2018) +- CURLOPT_COOKIEFILE.3: "-" as file name means stdin + + Reported-by: Aron Bergman + Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html + + [ci skip] + +- Revert "hostip: fix compiler warning: 'variable set but not used'" + + This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248. + + The assignment really needs to be there or we risk working with an + uninitialized pointer. 
+ +Michael Kaufmann (12 Mar 2018) +- limit-rate: fix compiler warning + + follow-up to 72a0f62 + +Viktor Szakats (12 Mar 2018) +- checksrc.pl: add -i and -m options + + To sync it with changes made for the libssh2 project. + Also cleanup some whitespace. + +- curl-openssl.m4: fix spelling [ci skip] + +- FAQ: fix a broken URL [ci skip] + +Daniel Stenberg (12 Mar 2018) +- http2: mark the connection for close on GOAWAY + + ... don't consider it an error! + + Assisted-by: Jay Satiro + Reported-by: Łukasz Domeradzki + Fixes #2365 + Closes #2375 + +- credits: Viktor prefers without accent + +- openldap: white space changes, fixed up the copyright years + +- openldap: check ldap_get_attribute_ber() results for NULL before using + + CVE-2018-1000121 + Reported-by: Dario Weisser + Bug: https://curl.haxx.se/docs/adv_2018-97a2.html + +- FTP: reject path components with control codes + + Refuse to operate when given path components featuring byte values lower + than 32. + + Previously, inserting a %00 sequence early in the directory part when + using the 'singlecwd' ftp method could make curl write a zero byte + outside of the allocated buffer. + + Test case 340 verifies. + + CVE-2018-1000120 + Reported-by: Duy Phan Thanh + Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html + +- readwrite: make sure excess reads don't go beyond buffer end + + CVE-2018-1000122 + Bug: https://curl.haxx.se/docs/adv_2018-b047.html + + Detected by OSS-fuzz + +- BUGS: updated link to security process + +- limit-rate: kick in even before "limit" data has been received + + ... and make sure to avoid integer overflows with really large values. 
+ + Reported-by: 刘佩东 + Fixes #2371 + Closes #2373 + +- docs/SECURITY.md -> docs/SECURITY-PROCESS.md + +- SECURITY.md: call it the security process + +Michael Kaufmann (11 Mar 2018) +- Curl_range: fix FTP-only and FILE-only builds + + follow-up to e04417d + +- hostip: fix compiler warning: 'variable set but not used' + +Daniel Stenberg (11 Mar 2018) +- HTTP: allow "header;" to replace an internal header with a blank one + + Reported-by: Michael Kaufmann + Fixes #2357 + Closes #2362 + +- http2: verbose output new MAX_CONCURRENT_STREAMS values + + ... as it is interesting for many users. + +- SECURITY: distros' max embargo time is 14 days now + +Patrick Monnerat (8 Mar 2018) +- curl tool: accept --compressed also if Brotli is enabled and zlib is not. + +Daniel Stenberg (5 Mar 2018) +- THANKS + mailmap: remove duplicates, fixup full names + +- [sergii.kavunenko brought this change] + + WolfSSL: adding TLSv1.3 + + Closes #2349 |
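Review bot: the "system.h: Add sparcv8plus to oracle/sunpro 32-bit detection" entry (Jay Satiro, 15 Apr 2018) contains "32ÎíÎñbit subset", which looks like a mis-encoded hyphen, while other non-ASCII text in the same file (Stephan Mühlstrasser, Ernst Sjöstrand, 刘佩东) is intact. Please confirm the added libs/libcurl/docs/CHANGES is byte-identical to the file in the upstream release it was taken from, so the vendored tree can be checked against upstream rather than carrying a locally re-encoded copy. Also, the commit title says "7.64" while the file header says "Version 7.64.0 (6 Feb 2019)"; using the full version in the title would make the vendored release unambiguous. Since this 7749-line file records security fixes (for example the CVE-2018-1000120, CVE-2018-1000121 and CVE-2018-1000122 entries under 7.59.0), a line in the commit message naming the advisories covered by this update would help anyone auditing which fixes the bundled libcurl includes.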