diff options
| author | dartraiden <wowemuh@gmail.com> | 2024-05-24 23:43:03 +0300 |
|---|---|---|
| committer | dartraiden <wowemuh@gmail.com> | 2024-05-24 23:43:03 +0300 |
| commit | ff76fe6c8f1e3b34c5571437612a038077f29860 (patch) | |
| tree | 0ae912a13465fa5658253185d4eeab21d6ecdfde /libs/libcurl/docs | |
| parent | 174bf88b63eaf4b49c00894a3f14fbf9194cae02 (diff) | |
libcurl: update to 8.8.0
Diffstat (limited to 'libs/libcurl/docs')
| -rw-r--r-- | libs/libcurl/docs/CHANGES | 7549 | ||||
| -rw-r--r-- | libs/libcurl/docs/THANKS | 41 |
2 files changed, 3657 insertions, 3933 deletions
diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES index 80d1cc84b5..5553b0a845 100644 --- a/libs/libcurl/docs/CHANGES +++ b/libs/libcurl/docs/CHANGES @@ -6,6 +6,3623 @@ Changelog
+Version 8.8.0 (22 May 2024)
+
+Daniel Stenberg (22 May 2024)
+
+- RELEASE-NOTES: synced
+
+- THANKS: add contributors from 8.8.0
+
+Nathan Moinvaziri (21 May 2024)
+
+- url: remove duplicate call to Curl_conncache_remove_conn when pruning
+
+ - remove unnecessary prunedead struct from prune_dead_connections
+ - rename extract_if_dead to prune_if_dead for clarity
+
+ Closes #13710
+
+Joseph Chen (21 May 2024)
+
+- curl_setup.h: add support for IAR compiler
+
+ Closes #13728
+
+Stephen Farrell (21 May 2024)
+
+- docs/ECH: typo/clarification
+
+ Closes #13727
+
+Viktor Szakats (21 May 2024)
+
+- hash: delete unused debug function
+
+ It had no use in the curl codebase and was also protected by the macro
+ `AGGRESSIVE_TEST` (renamed in 2020), also with no local reference.
+
+ Added in ca6e77083768858aa34207f8c5dce38b3c05336d (2002-11-11)
+
+ Closes #13729
+
+Stefan Eissing (21 May 2024)
+
+- content_encoding: reject transfer-encoding after chunked
+
+ reject a response that applies a transfer-encoding after a 'chunked'
+ encoding. RFC 9112 ch. 6.1 required chunked to be the final encoding.
+
+ Closes #13733
+
+- http: HEAD response body tolerance
+
+ - as reported in #13725, some servers wrongly send body bytes in
+ responses to a HEAD request. This used to be tolerated in curl
+ 8.4 and before and leads to failed transfers in newer versions.
+ - restore previous behaviour for HTTP/1.1 and HTTP/2:
+ * 1.1: do not add 'Transfer-Encoding' writers from HEAD
+ responses. RFC 9112 says they do not apply.
+ * 2: when the transfer expects 'no_body', to not report stream
+ resets as error when all response headers have been received.
+
+ Reported-by: Jeroen Ooms
+ Fixes #13725
+ Closes #13732
+
+Viktor Szakats (20 May 2024)
+
+- tests: fix TFTP test 2305 on Windows
+
+ Ref: #13692
+ Closes #13724
+
+Jay Satiro (20 May 2024)
+
+- openssl: revert keylog_callback support for LibreSSL
+
+ - Revert to the legacy TLS 1.2 key logging code for LibreSSL.
+
+ - Document SSLKEYLOGFILE for LibreSSL is TLS 1.2 max.
+
+ Prior to this change if the user specified a filename in the
+ SSLKEYLOGFILE environment variable and was using LibreSSL 3.5.0+ then
+ an empty file would be created and no keys would be logged.
+
+ This is effectively a revert of e43474b4 which changed openssl.c to use
+ SSL_CTX_set_keylog_callback for LibreSSL 3.5.0+. Unfortunately LibreSSL
+ added that function only as a stub that doesn't actually do anything.
+
+ Reported-by: Gonçalo Carvalho
+
+ Fixes https://github.com/curl/curl/issues/13672
+ Closes https://github.com/curl/curl/pull/13682
+
+renovate[bot] (19 May 2024)
+
+- GHA: pin dependencies
+
+ Closes #13712
+
+Viktor Szakats (19 May 2024)
+
+- appveyor: drop unnecessary `--clean-first` cmake option
+
+ In CI all machines are fresh on startup, making the `clean` operation
+ unnecessary. This can save some time/energy for each job run.
+
+ Closes #13707
+
+- cmake: merge two `if(BUILD_TESTING)` branches
+
+ Closes #13708
+
+Tatsuhiro Tsujikawa (19 May 2024)
+
+- GHA: bump nghttp2 to v1.62.1
+
+ Use gcc-12 explicitly to compile C++20 source files.
+
+ Closes #13702
+
+Viktor Szakats (19 May 2024)
+
+- GHA: add NetBSD, OpenBSD, FreeBSD/arm64 and OmniOS jobs
+
+ Add these jobs to GHA:
+ - NetBSD, cmake-unity, clang, OpenSSL, x86_64, with tests, w/o python,
+ no parallelism (was flaky sometimes)
+ - OpenBSD, cmake-unity, clang, LibreSSL, x86_64, with tests,
+ with python, -j8, TFTP results ignored due to #13623.
+ - FreeBSD, cmake-unity and autotools, clang, OpenSSL, arm64
+ (Tests disabled for arm64, because they are slow. It's available for
+ x86_64 with python, -j12.)
+ Configuration matches our existing Cirrus CI one.
+ - OmniOS, autotools, gcc, OpenSSL, x86_64, with tests, -j12.
+
+ All build with websockets and examples.
+
+ Closes #13583
+
+- GHA: disable TFTP test on native Windows
+
+ Some TFTP tests seem to enter into a loop and maybe hang?
+
+ E.g. 1007, 1009, 1238
+
+ Try fixing it by skipping all TFTP tests.
+
+ Ref: https://github.com/curl/curl/actions/runs/9141987545/job/25137038249?pr=
+ 13698
+
+ Also drop mingw-w64 test exclusions copy-pasted from MSYS jobs.
+
+ Possibly related: cffbcc3110c1eda2e333f9cfe2e269154618793a #5364
+
+ Close #13699
+
+renovate[bot] (18 May 2024)
+
+- GHA: pin dependencies
+
+ Closes #13691
+
+Viktor Szakats (18 May 2024)
+
+- cmake: do not pass linker flags to the static library tool
+
+ Do not add linker flags to the global CMake static library tool (aka
+ "static linker") (e.g. `ar`) flags list. They don't mix well. This was
+ only done after successfully detecting GSSAPI.
+
+ Linker flags seen on Old Linux CI:
+ ```
+ -- |GSS_LINKER_FLAGS|-Wl,--enable-new-dtags -Wl,-rpath -Wl,/usr/lib/x86_64-li
+ nux-gnu/heimdal|
+ -- |CMAKE_STATIC_LINKER_FLAGS| -Wl,--enable-new-dtags -Wl,-rpath -Wl,/usr/lib
+ /x86_64-linux-gnu/heimdal|
+ ```
+ Ref: https://github.com/curl/curl/actions/runs/9138988036/job/25130791712#ste
+ p:6:85
+
+ Causing:
+ ```
+ /usr/bin/ar qc libcurltool.a -Wl,--enable-new-dtags -Wl,-rpath -Wl,/usr/lib/
+ x86_64-linux-gnu/heimdal
+ CMakeFiles/curltool.dir/slist_wc.c.o CMakeFiles/curltool.dir/tool_binmode.c
+ .o CMakeFiles/curltool.dir/tool_bname.c.o
+ [...]
+ CMakeFiles/curltool.dir/tool_writeout_json.c.o CMakeFiles/curltool.dir/tool
+ _xattr.c.o CMakeFiles/curltool.dir/var.c.o
+ CMakeFiles/curltool.dir/__/lib/base64.c.o CMakeFiles/curltool.dir/__/lib/dy
+ nbuf.c.o
+ /usr/bin/ar: invalid option -- 'W'
+ Usage: /usr/bin/ar [emulation options] [-]{dmpqrstx}[abcDfilMNoPsSTuvV] [--pl
+ ugin <name>] [member-name] [count] archive-file file...
+ /usr/bin/ar -M [<mri-script]
+ ```
+ Ref: https://github.com/curl/curl/actions/runs/9138988036/job/25130791712#ste
+ p:9:125
+
+ This problem is invisible at the moment because of another bug (#13698)
+ that misses building unit tests when not using either the
+ `ENABLE_DEBUG=ON` or `ENABLE_CURLDEBUG=ON` options (to set
+ `-DCURLDEBUG`):
+ ```
+ test 1300 SKIPPED: curl lacks unittest support
+ ```
+ Ref: https://github.com/curl/curl/actions/runs/9135571781/job/25123104557#ste
+ p:9:2883
+
+ With that fixed, this becomes the next issue.
+
+ It's possible this bug also required an older CMake version and/or
+ a specific OS environment which uses linker flags in GSSAPI that are not
+ playing well with `ar` options, to reproduce.
+
+ Follow-up to 558814e16d84aa202c5ccc0c8108a9d728e77a58 (2014-09-25)
+ Ref: #13698
+ Closes #13697
+
+- GHA: ignore flaky test2302 results on Windows
+
+ WebSockets:
+ ```
+ TESTFAIL: These test cases failed: 2302
+ ```
+ Ref: https://github.com/curl/curl/actions/runs/9139155361/job/25131144383?pr=
+ 13689#step:14:9892
+
+ Follow-up to 36fd2dd6ee874726c628e67fcf6415a2e52bfe29 #13599
+ Ref: #13692
+ Closes #13696
+
+- GHA: add MSYS, mingw-w64, Cygwin jobs
+
+ - re-implement autotools MSYS and Cygwin AppVeyor jobs in GHA.
+ Now build with SSL and PSL to improve test coverage.
+ - re-implement MSYS2 mingw-w64 gcc 13 AppVeyor job in GHA.
+ `CMake, mingw-w64, gcc 13, Debug, x64, Schannel, Static, Unicode`
+ - add new cmake Cygwin job (build-only).
+ - enable `-j14` parallelism when running tests.
+ - delete the 5 migrated jobs from AppVeyor CI.
+ - add 2 build-only mingw-w64 builds, gcc Release and clang OpenSSL.
+ - also enable brotli, libssh2, nghttp2 for more test coverage.
+
+ These jobs offer better performance, more flexibility and
+ parallelization compared to the AppVeyor ones they replace. It also
+ offloads AppVeyor, allowing to iterate faster. They also appear more
+ reliable than e.g. Azure Windows jobs, where runners are prone to fail
+ [1].
+
+ Closes #13599
+
+ [1]:
+ `Exit code 143 returned from process: file name 'C:\Windows\system32\docker.E
+ XE',
+ arguments 'exec -i 6b13a669c6dfe7fb9f59414369872fd64d61c7182f880c3d39c135cb
+ 4c115c8f
+ C:\__a\externals\node\bin\node.exe C:\__w\_temp\containerHandlerInvoker.js'.`
+
+Stefan Eissing (17 May 2024)
+
+- pytest: fixes for recent python, add FTP tests
+
+ Fixes:
+ - in uds tests, abort also silently on os errors
+ - be conservative on the h3 goaway duration
+ - detect curl debug build and use in checks
+ - fix caddy version check for slight difference under linux
+ - set caddy default path fitting for linux
+ - fix deprecation warnings in valid time checks
+
+ FTP tests:
+ - add '--with-test-vsftpd=path' to configure
+ - use vsftpd default path suitable for linux
+ - add test_30 with plain FTP tests
+ - add test_31 with --ssl-reqd FTP tests
+ - add vsftpd to linux GHA for pytest workflows
+
+ Closes #13661
+
+- rustls: fix handshake done handling
+
+ - rustls report it has finished the TLS handshake *before*
+ all relevant data has been sent off, e.g. it FINISHED message
+ - On connections the send data immediately, this was never noticed
+ as the FINISHED in rustls buffers was send with the app data
+ - On passive FTP connections, curl does not send any data after
+ the handshake, leaving FINISHED unsent and the server never
+ responded as it was waiting on this.
+
+ Closes #13686
+
+Daniel Stenberg (17 May 2024)
+
+- x509asn1: return error on missing OID
+
+ to avoid crash when dereferencing a NULL pointer.
+
+ Reported-by: Trzik on github
+ Patch-by: Trzik on github
+ Fixes #13684
+ Closes #13685
+
+- CURLOPT_WRITEFUNCTION.md: fix the callback proto in the example
+
+ Reported-by: Michael Litwak
+ Fixes #13681
+ Closes #13687
+
+Viktor Szakats (17 May 2024)
+
+- src: tidy up types, add necessary casts
+
+ Cherry-picked from #13489
+ Closes #13614
+
+- lib: fix compiler warnings (gcc)
+
+ Seen when setting `ENABLE_DEBUG=ON` and `-DDEBUGBUILD` for mingw-w64
+ gcc 13.2.0 CMake unity builds in 'Release' configurations.
+
+ ```
+ curl/lib/curl_gethostname.c:71:5: error: 'strncpy' specified bound 1025 equal
+ s destination size [-Werror=stringop-truncation]
+ 71 | strncpy(name, force_hostname, namelen);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from curl/_bld/lib/CMakeFiles/libcurl_object.dir/Unity/unity
+ _0_c.c:175:
+ In function 'hostcache_timestamp_remove',
+ inlined from 'Curl_hash_clean_with_criterium' at curl/lib/hash.c:265:19,
+ inlined from 'Curl_hash_clean_with_criterium' at curl/lib/hash.c:247:1,
+ inlined from 'hostcache_prune' at curl/lib/hostip.c:228:3,
+ inlined from 'Curl_hostcache_prune' at curl/lib/hostip.c:256:21:
+ curl/lib/hostip.c:205:12: error: 'now' may be used uninitialized [-Werror=may
+ be-uninitialized]
+ 205 | time_t age = prune->now - c->timestamp;
+ | ^~~
+ curl/lib/hostip.c: In function 'Curl_hostcache_prune':
+ curl/lib/hostip.c:241:10: note: 'now' was declared here
+ 241 | time_t now;
+ | ^~~
+ In function 'hostcache_timestamp_remove',
+ inlined from 'fetch_addr' at curl/lib/hostip.c:310:8:
+ curl/lib/hostip.c:205:23: error: 'user.now' may be used uninitialized [-Werro
+ r=maybe-uninitialized]
+ 205 | time_t age = prune->now - c->timestamp;
+ | ~~~~~^~~~~
+ curl/lib/hostip.c: In function 'fetch_addr':
+ curl/lib/hostip.c:304:33: note: 'user' declared here
+ 304 | struct hostcache_prune_data user;
+ | ^~~~
+ In file included from curl/_bld/lib/CMakeFiles/libcurl_object.dir/Unity/unity
+ _0_c.c:40:
+ curl/lib/cf-socket.c: In function 'cf_socket_send':
+ curl/lib/cf-socket.c:1294:10: error: 'c' may be used uninitialized [-Werror=m
+ aybe-uninitialized]
+ 1294 | if(c >= ((100-ctx->wblock_percent)*256/100)) {
+ | ~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ curl/lib/cf-socket.c:1292:19: note: 'c' was declared here
+ 1292 | unsigned char c;
+ | ^
+ In file included from curl/_bld/lib/CMakeFiles/libcurl_object.dir/Unity/unity
+ _0_c.c:364:
+ In function 'tftp_state_timeout',
+ inlined from 'tftp_multi_statemach' at curl/lib/tftp.c:1230:27:
+ curl/lib/tftp.c:1208:5: error: 'current' may be used uninitialized [-Werror=m
+ aybe-uninitialized]
+ 1208 | if(current > state->rx_time + state->retry_time) {
+ | ^
+ curl/lib/tftp.c: In function 'tftp_multi_statemach':
+ curl/lib/tftp.c:1192:10: note: 'current' was declared here
+ 1192 | time_t current;
+ | ^~~~~~~
+ ```
+ Ref: https://ci.appveyor.com/project/curlorg/curl/builds/49792835/job/91c8dj5
+ qb36spfe0#L112
+ Ref: https://github.com/curl/curl/actions/runs/9082968838/job/24960616145#ste
+ p:12:62
+
+ Ref: #13592
+ Closes #13643
+
+Andrew (16 May 2024)
+
+- wakeup_create: use FD_CLOEXEC/SOCK_CLOEXEC
+
+ for `pipe()`/`socketpair()`
+
+ Fixes #13618
+ Closes #13625
+
+Stefan Eissing (16 May 2024)
+
+- rustls: fix partial send handling
+
+ When TLS bytes could not completely sent off, the amount of plain bytes
+ already added to rustls were forgotten. This lead to send those byte
+ duplicate, corrupting the request send to the server.
+
+ Closes #13676
+
+- pytest: add DELETE tests, check server version
+
+ - add tests for DELETE working
+ - check apache version in keepalive test
+ - fix some comments
+
+ Closes #13679
+
+Juliusz Sosinowicz (16 May 2024)
+
+- vquic-tls: use correct cert name check API for wolfSSL
+
+ wolfSSL_X509_check_host checks the peer name against the alt names and
+ the common name.
+
+ Fixes #13487
+ Closes #13680
+
+Viktor Szakats (16 May 2024)
+
+- cmake: initialize `BUILD_TESTING` before first use
+
+ Before this patch `BUILD_TESTING` was used once, then initialized, then
+ used again. This caused the `curlu` library not being built when relying
+ on an implicit `BUILD_TESTING=ON` setting, and ending up with a link
+ error when building the `testdeps` target.
+
+ It did not cause issues when `BUILD_TESTING` was explicitly set.
+
+ Move the initialization before the first use to fix it.
+
+ Regression from aace27b0965c10394544d1dacc9c2cb2fe0de3d3 #12287
+ Closes #13668
+
+Daniel Stenberg (16 May 2024)
+
+- libtest: 2308 verifies CURLE_WRITE_ERROR after write callback error
+
+ Verifies that the issue in #13669 actually is fixed. This return code is
+ what the CURLOPT_WRITEFUNCTION manpage documents should be returned.
+
+ This code is mostly from the
+ Source-written-by: Trumeet on github
+ Closes #13671
+
+Antoine Bollengier (16 May 2024)
+
+- socketpair: fix compilation when USE_UNIX_SOCKETS is not defined
+
+ Closes #13666
+
+Stefan Eissing (16 May 2024)
+
+- rustsls: fix error code on receive
+
+ - use CURLE_RECV_ERROR instead of CURLE_READ_ERROR when receiving
+ data fails.
+
+ Closes #13670
+
+Max Dymond (16 May 2024)
+
+- ci: disable Renovate dashboard
+
+ The Renovate dashboard insists on an open issue,
+ which is a problem. Disable the dashboard. Status
+ can still be seen at https://developer.mend.io/github/curl/curl.
+
+ Fixes #13630
+ Closes #13673
+
+Daniel Stenberg (16 May 2024)
+
+- RELEASE-NOTES: synced
+
+renovate[bot] (16 May 2024)
+
+- GHA: update awslabs/aws-lc to v1.27.0
+
+ Closes #13667
+
+Daniel Stenberg (15 May 2024)
+
+- curl_easy_pause.md: use correct defines in example
+
+ Spotted-by: Harry Sintonen
+ Closes #13664
+
+Viktor Szakats (15 May 2024)
+
+- appveyor: more tidy-ups
+
+ - use `--disable` when calling `curl --version`. Just in case.
+
+ - use single-quotes for a constant.
+
+ Closes #13662
+
+- reuse: migrate standalone license file to dep5
+
+ Follow-up to 73a36021207284ad2b4340ffde34a51b0ba4d47a
+ Closes #13660
+
+- appveyor: guard against crash-build with VS2008
+
+ The combination of `-DDEBUGBUILD`, a shared `curl.exe`, and the VS2008
+ compiler creates a `curl.exe` segfaulting on startup:
+
+ ```
+ + _bld/src/curl.exe --version
+ ./appveyor.sh: line 122: 793 Segmentation fault "${curl}" --version
+ Command exited with code 139
+ ```
+ Ref: https://ci.appveyor.com/project/curlorg/curl/builds/49817266/job/651iy6q
+ n1e238pqj#L191
+
+ Add job that triggers the issue and add the necessary logic to skip
+ running the affected `curl.exe`.
+
+ Ref: #13592
+ Closes #13654
+
+renovate[bot] (15 May 2024)
+
+- GHA: pin dependencies
+
+ Closes #13628
+
+Orgad Shaneh (15 May 2024)
+
+- socket: remove redundant call to getsockname
+
+ The result "add" is unused.
+
+ Closes #13655
+
+renovate[bot] (15 May 2024)
+
+- CI: renovate updates
+
+ - GHA: update actions/checkout action to v4
+ - GHA: update wolfSSL/wolfssh to v1.4.17
+ - GHA: update wolfSSL/wolfssl to v5.7.0
+ - Update the regex config in renovate.json
+
+ Closes #13632
+ Closes #13641
+ Closes #13658
+ Closes #13659
+
+Max Dymond (15 May 2024)
+
+- ci: fix renovate config for WolfSSL/WolfSSH tagging scheme
+
+ WolfSSL/WolfSSH use a different versioning scheme;
+ stable builds end with `-stable`. Renovate requires
+ some extra configuration to extract the version
+ from these types of tags.
+
+ Closes #13644
+
+- ci: set semantic type as CI and include digests as CI operations
+
+ Replace "chore" with "ci" for renovate's semantic
+ type, and include digests with "pin" and
+ "pinDigest" as ci operations.
+
+ Closes #13644
+
+Daniel Stenberg (15 May 2024)
+
+- DEPRECATE.md: TLS libraries without 1.3 support
+
+ curl drops support for TLS libraries without TLS 1.3 capability after
+ May 2025.
+
+ It requires that a curl build using the library should be able to
+ negotiate and use TLS 1.3, or else it is not good enough. We support a
+ vast amount of other TLS libraries that are likely to satisfy users
+ better.
+
+ Closes #13544
+
+- Revert "ci: update nghttp2/nghttp2 to v1.62.0"
+
+ This reverts commit 14f2c767555b7598d7783ccd9093670b84d28488.
+
+ We need to also upgrade the C++ compiler for that bump to work.
+
+ Closes #13656
+
+renovate[bot] (15 May 2024)
+
+- Dockerfile: update debian digest to 911821c
+
+ Closes #13629
+
+- ci: update gnutls/gnutls to v3.8.5
+
+ Closes #13640
+
+- ci: update awslabs/aws-lc to v1.26.0
+
+ Closes #13647
+
+- ci: update cloudflare/quiche to v0.21.0
+
+ Closes #13648
+
+- ci: update libressl-portable/portable to v3.9.2
+
+ Closes #13649
+
+- ci: update nghttp2/nghttp2 to v1.62.0
+
+ Closes #13650
+
+- ci: update ngtcp2/nghttp3 to v1.3.0
+
+ Closes #13651
+
+- ci: update ngtcp2/ngtcp2 to v1.5.0
+
+ Closes #13652
+
+Max Dymond (14 May 2024)
+
+- ci: handle git submodules for mbedTLS
+
+- ci: reconfigure renovate
+
+ - set prefix for github actions updates to be gha:
+ - set prefix for other renovate actions to be ci:
+ - disable debian updates in linux-old.yml
+
+Viktor Szakats (14 May 2024)
+
+- tidy-up: whitespace [ci skip]
+
+- warnless: delete orphan declarations
+
+ Follow-up to 358f7e757781857c4b498a68634726609fa3884a #11932
+ Closes #13639
+
+Daniel Stenberg (14 May 2024)
+
+- BUG-BOUNTY.md: clarify the third party situation
+
+ We do not pay bounties for problems in other libraries.
+
+ Closes #13560
+
+Stefan Eissing (14 May 2024)
+
+- http tests: in CI skip test_02_23* for quiche
+
+ For unknown reasons, these tests fail in CI often, but run fine locally.
+ Skip them in CI to avoid unrelated PRs to have failures.
+
+ Closes #13638
+
+Daniel Gustafsson (14 May 2024)
+
+- hsts: explicitly skip blank lines
+
+ Keep blank lines or lines containing only whitespace to make it all
+ the way to the more expensive sscanf call in hsts_add.
+
+ Closes: #13603
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- autotools: Only probe for SGI MIPS compilers on IRIX
+
+ MIPSPro and the predecessor compiler which was part of the IDO (IRIS
+ Development Option) were only ever shipped on the SGI IRIX operating
+ system (with MIPSPro on 6.0+ which was released in 1994). Limit the
+ autoconf check to IRIX when probing for these compilers to save some
+ cycles on other platforms.
+
+ Closes: #13611
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Viktor Szakats (14 May 2024)
+
+- tests: fix test 1167 to skip digit-only symbols
+
+ This avoids mistaking symbols with their numeric value when using
+ certain C preprocessors which output these numeric values at the
+ beginning of the line as part of an expression.
+
+ Seen on OpenBSD 7.5 + clang.
+
+ Example `test1167.pl -v` output, before this patch:
+ ```
+ Source: cpp /home/runner/work/curl/curl/tests/../include/curl/curl.h
+ Symbol: 20000
+ Line #3835: 20000 + 142,
+ [...]
+ Bad symbols in public header files:
+ 20000
+ [...]
+ ```
+ Ref: https://github.com/curl/curl/actions/runs/9069136530/job/24918015357#ste
+ p:3:7513
+
+ Ref: #13583
+ Closes #13634
+
+Daniel Stenberg (14 May 2024)
+
+- lib: call Curl_strntolower instead of doing crafted loops
+
+ Closes #13627
+
+- setopt: acknowledge errors proper for CURLOPT_COOKIEJAR
+
+ Error out on error, do not continue.
+
+ Closes #13624
+
+- vtls: remove duplicate assign
+
+ Curl_ssl_peer_cleanup() already clears the ->sni field, no point in
+ assigning it again.
+
+ Spotted by CodeSonar
+
+ Closes #13626
+
+Max Dymond (13 May 2024)
+
+- Group all non-major updates together to reduce PR spam
+
+- Add the remainder of the workflows
+
+- Add some basic versioning for some workflows to check whether this is detecte
+ d properly
+
+renovate[bot] (13 May 2024)
+
+- Add renovate.json
+
+Daniel Stenberg (13 May 2024)
+
+- vauth: make two functions void that always just returned OK
+
+ Removes the need to check return values when they can never fail.
+
+ Pointed out by CodeSonar
+
+ Closes #13621
+
+- setopt: remove check for 'option' that is always true
+
+ - make sure that passing in option set to NULL clears the fields
+ correctly
+
+ - remove the weird second take if Curl_parse_login_details() returns
+ error
+
+ Follow-up to 7333faf00bf25db7cd1e0012d6b140
+
+ Spotted by CodeSonar
+
+ Closes #13619
+
+Viktor Szakats (13 May 2024)
+
+- tests: tidy up types in server code
+
+ Cherry-picked from #13489
+ Closes #13610
+
+Daniel Stenberg (13 May 2024)
+
+- setopt: make the setstropt_userpwd args compulsory
+
+ They were always used so no point in allowing them to be optional.
+
+ follow-up to 0e37b42dc956bd8a
+
+ Closes #13608
+ Reviewed-by: Daniel Gustafsson
+
+- RELEASE-NOTES: synced
+
+Daniel Gustafsson (13 May 2024)
+
+- websocket: Avoid memory leak in error path
+
+ In the errorpath for randstr being too long to copy into the buffer
+ we leak the randstr when returning CURLE_FAILED_INIT. Fix by using
+ an explicit free on randstr in the errorpath.
+
+ Closes: #13602
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- hsts: Remove single-use single-line function
+
+ The hsts_entry() function contains of a single line and is only
+ used in a single place in the code, so move the allocation into
+ hsts_create instead to improve code readability. C code usually
+ don't use the factory abstraction for object creation, and this
+ small example wasn't following our usual code style.
+
+ Closes: #13604
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Viktor Szakats (12 May 2024)
+
+- lib: bump hash sizes to `size_t`
+
+ Follow-up to cc907e80a2498c0599253271a6f657f614b52a4e #13502
+ Cherry-picked from #13489
+ Closes #13601
+
+- tests: make the unit test result type `CURLcode`
+
+ Before this patch, the result code was a mixture of `int` and
+ `CURLcode`.
+
+ Also adjust casts and fix a couple of minor issues found along the way.
+
+ Cherry-picked from #13489
+ Closes #13600
+
+- appveyor: tidy-ups
+
+ - delete a duplicate line.
+ - simplify a `make` call.
+ - merge two `if` branches.
+ - reorder autotools options for clarity.
+ - add `--enable-warnings` where missing (it's also the default.)
+ - add empty lines to YAML for readability.
+ - use lowercase install prefix/directory.
+
+ Closes #13598
+
+Daniel Stenberg (12 May 2024)
+
+- docs/cmdline-opts: mention STARTTLS for --ssl and --ssl-reqd
+
+ ... since users might look for those terms in the manpage.
+
+ Closes #13590
+
+- setopt: warn on Curl_set*opt() uses not using the return value
+
+ And switch the invokes that would "set" NULL to instead just plainly
+ free the pointer, as those were otherwise the invokes that would ignore
+ the return code. And possibly confuse static code analyzers.
+
+ Closes #13591
+
+Orgad Shaneh (12 May 2024)
+
+- autotools: delete unused functions
+
+ Closes #13605
+
+Viktor Szakats (11 May 2024)
+
+- examples: fix/silence `-Wsign-conversion`
+
+ - extend `FD_SET()` hack to all platforms (was only Cygwin).
+ Warnings may also happen in other envs, e.g. OmniOS.
+ Ref: https://github.com/libssh2/libssh2/actions/runs/8854199687/job/2431676
+ 2831#step:3:2021
+
+ - tidy-up `CURLcode` vs `int` use.
+
+ - cast an unsigned to `long` before passing to `curl_easy_setopt()`.
+
+ Cherry-picked from #13489
+ Follow-up to 3829759bd042c03225ae862062560f568ba1a231 #12489
+ Closes #13501
+
+Orgad Shaneh (11 May 2024)
+
+- cmake: fix `HAVE_IOCTLSOCKET_FIONBIO` test with gcc 14
+
+ The function signature has had u_long flags since ever. This is how it
+ is defined in the documentation, and implemented in MinGW.
+
+ The code that uses ioctlsocket in nonblock.c also has unsigned long.
+
+ Error:
+ CurlTests.c:275:41: error: passing argument 3 of 'ioctlsocket' from incompati
+ ble pointer type [-Wincompatible-pointer-types]
+ 275 | if(0 != ioctlsocket(0, FIONBIO, &flags))
+ | ^~~~~~
+ | |
+ | int *
+ In file included from CurlTests.c:266:
+ /opt/mxe/usr/i686-w64-mingw32.static/include/winsock2.h:1007:76: note: expect
+ ed 'u_long *' {aka 'long unsigned int *'} but argument is of type 'int *'
+ 1007 | WINSOCK_API_LINKAGE int WSAAPI ioctlsocket(SOCKET s,__LONG32 cmd,u_
+ long *argp);
+ | ~~
+ ~~~~~~^~~~
+
+ Closes #13578
+
+Jay Satiro (10 May 2024)
+
+- ftp: fix build for CURL_DISABLE_VERBOSE_STRINGS
+
+ This is a follow-up to b7c7dffe which changed the FTP state change
+ verbose debug text (aka infof) to tracing debug text (aka trc).
+
+ Prior to this change if libcurl was without DEBUGBUILD and built with
+ CURL_DISABLE_VERBOSE_STRINGS (ie --disable-verbose) the build would
+ error.
+
+ Caught by Circle CI job openssl-no-verbose.
+
+- lib: clear the easy handle's saved errno before transfer
+
+ - Clear data->state.os_errno before transfer.
+
+ - Explain the change in behavior in the CURLINFO_OS_ERRNO doc.
+
+ - Add to the CURLINFO_OS_ERRNO doc the list of libcurl network-related
+ errors that may cause the errno to be saved.
+
+ data->state.os_errno is saved before libcurl returns a network-related
+ failure such as connection failure. It is accessible to the user via
+ CURLINFO_OS_ERRNO so they can get more information about the failure.
+
+ Prior to this change it wasn't cleared before transfer, so if a user
+ retrieved the saved errno it could be from a previous transfer. That is
+ because an errno is not always saved for network-related errors.
+
+ Closes https://github.com/curl/curl/pull/13574
+
+Stefan Eissing (10 May 2024)
+
+- ftp: add tracing support
+
+ - add `Curl_trc_feat_ftp` for tracing via trace config
+ - add macro CURL_TRC_FTP(data, fmt, ...)
+ - replace DEBUGF(infof()) statements in ftp.c by CURL_TRC_FTP()
+ - always trace FTP connection state
+
+ Closes #13580
+
+Daniel Stenberg (10 May 2024)
+
+- http: remove redundant check
+
+ Spotted by CodeSonar
+
+ Closes #13582
+
+Viktor Szakats (10 May 2024)
+
+- ldap: fix unused variables (seen on OmniOS)
+
+ ```
+ ../../lib/ldap.c: In function 'ldap_do':
+ ../../lib/ldap.c:380:11: error: unused variable 'ldap_ca' [-Werror=unused-v
+ ariable]
+ 380 | char *ldap_ca = conn->ssl_config.CAfile;
+ | ^~~~~~~
+ ../../lib/ldap.c:379:9: error: unused variable 'ldap_option' [-Werror=unuse
+ d-variable]
+ 379 | int ldap_option;
+ | ^~~~~~~~~~~
+ ```
+ Ref: https://github.com/curl/curl/actions/runs/9033564377/job/24824192730#ste
+ p:3:6059
+
+ Ref: #13583
+ Closes #13588
+
+Daniel Stenberg (10 May 2024)
+
+- url: make parse_login_details use memdup0
+
+ Also make the user and password arguments mandatory, since all code
+ paths in libcurl used them anyway.
+
+ Adapted unit test case 1620 to the new rules.
+
+ Closes #13584
+
+Orgad Shaneh (10 May 2024)
+
+- digest: replace strcpy for empty string with simple assignment
+
+ Closes #13586
+
+Viktor Szakats (10 May 2024)
+
+- autotools: fix `HAVE_IOCTLSOCKET_FIONBIO` test for gcc 14
+
+ ```
+ conftest.c:152:41: error: passing argument 3 of 'ioctlsocket' from incompatib
+ le pointer type [-Wincompatible-pointer-types]
+ 152 | if(0 != ioctlsocket(0, FIONBIO, &flags))
+ | ^~~~~~
+ | |
+ | int *
+ ```
+
+ Reported-by: LigH
+ Fixes #13579
+ Closes #13587
+
+- CI: ignore test 286 on Appveyor gcc 7 build
+
+ Disabled earlier for gcc 9 builds. gcc 7 uses the same runner and
+ prone to similar intermittent failures.
+
+ Follow-up to f1e05a6e6e7225fa09952abb2c935ae1abe44f45 #12106 #12040
+ Closes #13575
+
+Daniel Stenberg (10 May 2024)
+
+- cf-socket: don't try getting local IP without socket
+
+ In cf_tcp_connect(), it might fail and not get a socket assigned to
+ ctx->sock but set_local_ip() is still called which would make
+ getsockname() get invoked with a negative file desriptor and fail.
+
+ By adding this check, set_local_ip() will now instead blank out the
+ fields correctly.
+
+ Spotted by CodeSonar
+
+ Closes #13577
+
+- tool_getparam: remove two redundant conditions
+
+ When getstr() does not return error, it returns a valid pointer.
+
+ Spotted by CodeSonar
+
+ Closes #13576
+
+Stefan Eissing (10 May 2024)
+
+- quiche: trust its timeout handling
+
+ - set the idle timeout transport parameter
+ in milliseconds as documented by quiche
+ - do not calculate the idle timeout, rely on
+ quiche handling it
+
+ Closes #13581
+
+Daniel Stenberg (10 May 2024)
+
+- dmaketgz: accept a SOURCE_DATE_EPOCH as an second argument
+
+ to make it easier to reproduce a tarball
+
+ Closes #13573
+
+- RELEASE-NOTES: synced
+
+Stefan Eissing (10 May 2024)
+
+- h3/ngtcp2: improve error handling
+
+ - identify ngtcp2 and nghttp3 error codes that are fatal
+ - close quic connection on fatal errors
+ - refuse further filter operations once connection is closed
+ - confusion about the nghttp3 API. We should close the QUIC stream on
+ cancel and not use the nghttp3 calls intended to be invoked when the
+ QUIC stream was closed by the peer.
+
+ Closes #13562
+
+Jay Satiro (10 May 2024)
+
+- docs: fix some CURLINFO examples
+
+ - improve getinfo result check for example sections:
+ CURLINFO_ACTIVESOCKET, CURLINFO_LASTSOCKET, CURLINFO_SSL_VERIFYRESULT,
+ CURLINFO_PROXY_SSL_VERIFYRESULT
+
+ - fix getinfo result check for example sections:
+ CURLINFO_NUM_CONNECTS, CURLINFO_OS_ERRNO
+
+ - fix verify result check for example sections:
+ CURLINFO_PROXY_SSL_VERIFYRESULT
+
+ Bug: https://github.com/curl/curl/discussions/13557#discussion-6625507
+ Reported-by: farazrbx@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/13559
+
+Daniel Stenberg (9 May 2024)
+
+- KNOWN_BUGS: gssapi library name + version is missing in curl_version_info()
+
+ Closes #13492
+ Closes #13570
+
+- krb5: use dynbuf
+
+ Closes #13568
+
+- managen: fix the option sort order
+
+ ... it used to strip off the .d file extension to sort correctly but
+ ever since the extension changed to .md the operation failed and the
+ sort got wrong.
+
+ Follow-up to 2494b8dd5175cee7f2e
+
+ Closes #13567
+
+Stefan Eissing (8 May 2024)
+
+- GHA: repair the linux-old job
+
+ package libc6_2.28-10+deb10u2_amd64.deb changed to
+ libc6_2.28-10+deb10u3_amd64.deb
+
+ Closes #13564
+
+Viktor Szakats (8 May 2024)
+
+- appveyor: make gcc 6 mingw64 job build-only
+
+ This job has proven to be the flakiest of all, and it's also the oldest
+ Windows runner we had tests running on: 'Visual Studio 2015', that is
+ running on Windows Server 2012 R2:
+ https://www.appveyor.com/docs/windows-images-software/
+
+ Turn off tests on this job to help stabilizing CI runs.
+
+ This was also one of the slowest running job amongst the AppVeyor CI ones.
+
+ Flakiness data:
+ https://testclutch.curl.se/static/reports/summary.html
+ Entries:
+ Appveyor / CMake, mingw-w64, gcc 6, Debug, x86, Schannel, Static, no-unity
+ (curl) [current]
+ Appveyor / CMake, mingw-w64, gcc 6, Debug, x86, Schannel, Static (curl) [fo
+ rmer]
+
+ Closes #13566
+
+Stefan Eissing (8 May 2024)
+
+- unit2604: use alloc instead of overlong string const
+
+ Closes #13563
+
+Daniel Gustafsson (8 May 2024)
+
+- bufq: remove duplicate word in comment
+
+ Inspired by 13552.
+
+ Closes: #13554
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Viktor Szakats (8 May 2024)
+
+- lib/cf-h1-proxy: silence compiler warnings (gcc 14)
+
+ They came up ealier with gcc 12 (Windows), but apparently gcc 14 is
+ still reporting them, also under Linux.
+
+ ```
+ /home/runner/work/curl-for-win/curl-for-win/curl/lib/cf-h1-proxy.c: In functi
+ on 'cf_h1_proxy_close':
+ /home/runner/work/curl-for-win/curl-for-win/curl/lib/cf-h1-proxy.c:1060:17: w
+ arning: null pointer dereference [-Wnull-dereference]
+ 1060 | cf->connected = FALSE;
+ /home/runner/work/curl-for-win/curl-for-win/curl/lib/cf-h1-proxy.c:1061:8: wa
+ rning: null pointer dereference [-Wnull-dereference]
+ 1061 | if(cf->ctx) {
+ | ~~^~~~~
+ In function 'tunnel_free',
+ inlined from 'cf_h1_proxy_destroy' at /home/runner/work/curl-for-win/curl
+ -for-win/curl/lib/cf-h1-proxy.c:1053:3:
+ /home/runner/work/curl-for-win/curl-for-win/curl/lib/cf-h1-proxy.c:198:27: wa
+ rning: null pointer dereference [-Wnull-dereference]
+ 198 | struct h1_tunnel_state *ts = cf->ctx;
+ | ^~
+ ```
+ Ref: https://github.com/curl/curl-for-win/actions/runs/8985369476/job/2467921
+ 9528#step:3:6320
+
+ Fixes #13237
+ Closes #13555
+
+Michał Antoniak (8 May 2024)
+
+- mbedtls: support TLS 1.3
+
+ Closes #13539
+
+Daniel Stenberg (8 May 2024)
+
+- version: use msnprintf instead of strncpy
+
+ - to ensure a terminating null byte
+ - to avoid zero-padding the target
+
+ debug code only
+
+ Closes #13549
+
+- curl_path: make Curl_get_pathname use dynbuf
+
+ ... instead of malloc and memcpy
+
+ - unit test 2604 verifies Curl_get_pathname()
+
+ Closes #13550
+
+- lib: make protocol handlers store scheme name lowercase
+
+ - saves a lowercase operation when the "[scheme]_proxy" name is
+ generated
+ - appears less "shouting"
+ - update test 970, 972, 1438 and 1536
+
+ Closes #13553
+
+- lib: remove two instances of "only only" messages
+
+ Fixes #13551
+ Reported-by: Lucas Nussbaum
+ Closes #13552
+
+Pavel Pavlov (7 May 2024)
+
+- asyn-thread: fix curl_global_cleanup crash in Windows
+
+ - Make sure that asynchronous resolves handled by Winsock are stopped
+ before WSACleanup is called.
+
+ This is implemented by ensuring that when Curl_resolver_kill is called
+ (eg via multi_done) it will cancel the Winsock asynchronous resolve and
+ wait for the cancellation to complete. Winsock runs the asynchronous
+ completion routine immediately when a resolve is canceled.
+
+ Prior to this change it was possible that during curl_global_cleanup
+ "a DNS resolver thread created by GetAddrInfoExW did not terminate yet,
+ however curl is already shutting down, deinitializing Winsock with
+ WSACleanup() leading to an access violation."
+
+ Background:
+
+ If libcurl is built with the asynchronous threaded resolver option for
+ Windows then it resolves in one of two ways. For Windows 8.1 and later,
+ libcurl resolves by using the Winsock asynchronous resolver which does
+ its own thread management. For older versions of Windows, libcurl
+ resolves by creating a separate thread that calls getaddrinfo. This
+ change only affects the former and it's already handled for the latter.
+
+ Reported-by: Ch40zz@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/13509
+ Closes https://github.com/curl/curl/pull/13518
+
+Jay Satiro (7 May 2024)
+
+- asyn-thread: fix Curl_thread_create result check
+
+ - Compare to curl_thread_t_null instead of 0 for error.
+
+ Currently for both supported thread libraries (pthreads and Windows)
+ curl_thread_t_null is defined as 0. However, the pattern throughout the
+ code is to check against curl_thread_t_null and not 0 since for
+ posterity some thread library may not use 0 for error.
+
+ Closes https://github.com/curl/curl/pull/13542
+
+- curl_multibyte: remove access() function wrapper for Windows
+
+ - Remove curlx_win32_access() which was a wrapper to use access() in
+ Windows.
+
+ This is a follow-up to 602fc213, one of two commits which removed
+ access() calls from the codebase and banned use of the function.
+
+ Closes https://github.com/curl/curl/pull/13529
+
+Daniel Gustafsson (6 May 2024)
+
+- tls: Remove EXAMPLEs from deprecated options
+
+ CURLOPT_EGDSOCKET and CURLOPT_RANDOM_FILE are both completely dead
+ so remove their example sections since the code there is useless.
+ There is still a way to inject a random file for OpenSSL older than
+ 1.1.0 but it's not what the example showed (and it's not even done
+ with this option) so we refrain from documenting it here.
+
+ Closes: #13540
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- tests: Only require EXAMPLE for non-deprecated options
+
+ Manpages which document deprecated CURLOPT_ or CURLINFO_ are not
+ required to have an EXAMPLE section since they might effectively
+ be dead no-ops which we don't want to trick users into believing
+ they can use by copying example code.
+
+ Closes: #13540
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (6 May 2024)
+
+- EXPERIMENTAL: add graduation requirements for each feature
+
+ Starting now, experimental features should have a set of documentated
+ requirements of what is needed for the feature to graduate.
+
+ This adds requirements to all existing experiments.
+
+ Closes #13541
+
+Ivan (6 May 2024)
+
+- misc: fix typos, quoting and spelling
+
+ Fix wording of comments, and misquotings where `' is markdown parsed
+ where it shouldn't be, and remove a misspelled preprocessor comment
+ which really isn't needed (and removing it makes it match surrounding
+ code better).
+
+ Closes: #13538
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+Daniel Gustafsson (6 May 2024)
+
+- tests: Mark tftpd timer function as noreturn
+
+ This avoids the below compiler warning:
+
+ tftpd.c:280:1: warning: function 'timer' could be declared with
+ attribute 'noreturn' [-Wmissing-noreturn]
+
+ Closes: #13534
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- doh: Remove unused function prototype
+
+ Closes: #13536
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (6 May 2024)
+
+- doh: cleanups in ECH related functions
+
+ - make local_decode_rdata_name use dynbuf instead of calloc + memcpy
+ - avoid extra memdup in local_decode_rdata_alpn
+ - no need to if() before free()
+ - use memdup instead of calloc + memcpy in Curl_doh_decode_httpsrr
+
+ Reviewed-by: Stephen Farrell
+ Closes #13526
+
+Viktor Szakats (5 May 2024)
+
+- libssh2: delete redundant feature guard
+
+ Delete `HAVE_LIBSSH2_VERSION` (equivalent to
+ `LIBSSH2_VERSION_NUM` > 0x010100) guard surrounding
+ a `LIBSSH2_VERSION_NUM` > 0x010B00 one.
+
+ Reviewed-by: Daniel Gustafsson
+ Closes #13537
+
+Jan Venekamp (5 May 2024)
+
+- tool_cfgable: free {proxy_}cipher13_list on exit
+
+ Author: Jan Venekamp
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+ Closes: #13531
+
+RainRat (4 May 2024)
+
+- doh: Fix typo in comment
+
+ Closes: #13504
+ Author: RainRat on Github
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+Christian Schmitz (4 May 2024)
+
+- dynbuf: Fix returncode on memory error
+
+ Curl_dyn_vaddf should return a proper error code in case allocating
+ memory failed.
+
+ Closes: #13533
+ Author: Christian Schmitz <support@monkeybreadsoftware.de>
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+Daniel Stenberg (3 May 2024)
+
+- RELEASE-NOTES: synced
+
+Jan Venekamp (2 May 2024)
+
+- bearssl: use common code for cipher suite lookup
+
+ Take advantage of the Curl_cipher_suite_walk_str() and
+ Curl_cipher_suite_get_str() functions introduced in commit fba9afeb.
+
+ This also fixes CURLOPT_SSL_CIPHER_LIST not working at all for bearssl
+ due to commit ff74cef5.
+
+ Closes #13464
+
+Daniel Stenberg (2 May 2024)
+
+- curl.h: change CURL_SSLVERSION_* from enum to defines
+
+ C++20 and later compilers emit a deprecation warning if values from two
+ different enums are combined with a bitwise operation the way the
+ CURL_SSLVERSION_* values were previously created.
+
+ Reported-by: Michael Kaufmann
+ Fixes #13510
+ Closes #13511
+
+- configure: error on missing perl if docs or manual is enabled
+
+ Fixes #13508
+ Reported-by: Harmen Stoppels
+ Closes #13514
+
+- tool_cb_rea: limit rate unpause for -T . uploads
+
+ To avoid getting stuck in a busy-loop when nothing is read from stdin,
+ this function now checks the call rate and might enforce a short sleep
+ when called repeatedly without uploading anything. It is a crude
+ work-around to avoid a 100% busy CPU.
+
+ Reported-by: magisterquis on hackerone
+ Fixes #13174
+ Closes #13506
+
+Viktor Szakats (1 May 2024)
+
+- appveyor: enable websockets for VS2017 jobs
+
+ Follow-up to eb4fe6c6340c3d5b0c347c6e30be004d4f9117d7 #13232
+ Closes #13513
+
+Daniel Stenberg (30 Apr 2024)
+
+- if2ip: make the buf_size arg a size_t
+
+ sizes should be size_t
+
+ Ref: #13489
+ Closes #13505
+
+- cf-https-connect: use timeouts as unsigned ints
+
+ To match the type used in 'set.happy_eyeballs_timeout'.
+
+ Ref: #13489
+ Closes #13503
+
+- hash: change 'slots' to size_t from int
+
+ - an unsigned type makes more sense
+ - size_t seems suitable
+ - on 64 bit args, the struct alignment makes the new Curl_hash remain
+ the same size
+
+ Closes #13502
+
+Viktor Szakats (30 Apr 2024)
+
+- libssh2: replace `access()` with `stat()`
+
+ Prefer `stat()` to verify the presence of key files.
+
+ This drops the last uses of `access()` in the codebase, which was
+ reported to cause issues in some cases.
+
+ Also add `access()` to the list of banned functions in checksrc.
+
+ Ref: https://github.com/curl/curl/pull/13412#issuecomment-2065505415
+ Ref: https://github.com/curl/curl/pull/13482#issuecomment-2078980522
+ Ref: #13497
+ Co-authored-by: Jay Satiro
+ Closes #13498
+
+Daniel Stenberg (30 Apr 2024)
+
+- multi: remove useless assignment
+
+ Spotted by CodeSonar
+
+ Closes #13500
+
+- RELEASE-NOTES: synced
+
+fuzzard (29 Apr 2024)
+
+- cmake: FindNGHTTP2 add static lib name to find_library call
+
+ Add the static library name, nghttp2_static as a name to search.
+
+ This provides cmake parity with the winbuild Makefile.vc allowing
+ the cmake build to find and allow the link to static nghttp2 library.
+
+Viktor Szakats (29 Apr 2024)
+
+- DISTROS: add patch and issues link for curl-for-win
+
+ curl-for-win sometimes includes curl patches that were already merged in
+ master, but not yet part of a stable release.
+
+ Also include the Issues link. Build-specific issues are handled there.
+
+ Ref: #13493
+ Closes #13499
+
+Daniel Stenberg (29 Apr 2024)
+
+- mime: avoid using access()
+
+ If stat() fails, there is no point in calling access()
+
+ Also: return error immediately if the stat() fails.
+
+ Ref: #13482
+ Closes #13497
+
+Stefan Eissing (29 Apr 2024)
+
+- tests: add SNI and peer name checks
+
+ - connect to DNS names with trailing dot
+ - connect to DNS names with double trailing dot
+ - rustls, always give `peer->hostname` and let it
+ figure out SNI itself
+ - add SNI tests for ip address and localhost
+ - document in code and TODO that QUIC with ngtcp2+wolfssl
+ does not do proper peer verification of the certificate
+ - mbedtls, skip tests with ip address verification as not
+ supported by the library
+
+ Closes #13486
+
+Daniel Stenberg (29 Apr 2024)
+
+- curl_getdate.md: document two-digit year handling
+
+ Mentioned-by: Paul Gilmartin
+ Ref: https://curl.se/mail/archive-2024-04/0014.html
+ Closes #13494
+
+Viktor Szakats (29 Apr 2024)
+
+- cmake: add `BUILD_EXAMPLES` option to build examples
+
+ You can enable it with `-DBUILD_EXAMPLES=ON`.
+
+ To match autotools' `make examples` feature.
+ Windows (static) builds not tested.
+
+ Also enable examples in a pair of CI jobs.
+
+ Apply related updates to the macOS CI workflow:
+ - drop unused `CXX` envs.
+ - drop no longer needed `-Wno-error=undef -Wno-error=conversion` flags.
+ - pass `-Wno-deprecated-declarations` to GCC too (for `BUILD_EXAMPLES`).
+ - document why `-Wno-deprecated-declarations` is necessary.
+
+ Closes #13491
+
+Stefan Eissing (26 Apr 2024)
+
+- http3: quiche+ngtcp2 improvements
+
+ - quiche: error transfers that try to receive on a closed
+ or draining connection
+ - ngtcp2: use callback for extending max bidi streams. This
+ allows more precise calculation of MAX_CONCURRENT as we
+ only can start a new stream when the server acknowledges
+ the close - not when we locally have closed it.
+ - remove a fprintf() from h2-download client to avoid excess
+ log files on tests timing out.
+
+ Closes #13475
+
+- vtls: TLS session storage overhaul
+
+ - add session with destructor callback
+ - remove vtls `session_free` method
+ - let `Curl_ssl_addsessionid()` take ownership
+ of session object, freeing it also on failures
+ - change tls backend use
+ - test_17, add tests for SSL session resumption
+
+ Closes #13386
+
+- multi: multi_wait improvements
+
+ - only call `multi_getsock()` once for all transfers
+ - realloc pollset array on demand
+ - fold repeated sockets
+
+ Closes #13150
+
+Philip Heiduck (25 Apr 2024)
+
+- ci: remove microsoft-prod.list
+
+ This is added by default, and it is often broken, but we don't need
+ anything from it.
+
+ Closes #13473
+
+Evgeny Grin (Karlson2k) (25 Apr 2024)
+
+- curl_setup.h: detect 'inline' support
+
+ Closes #13355
+
+Daniel Stenberg (25 Apr 2024)
+
+- multi: avoid memory-leak risk
+
+ 'newurl' is allocated in some conditions and used in a few scenarios,
+ but there were theoretical combinations in which it would not get freed.
+ Move the free to happen unconditionally. Never triggered by tests, but
+ spotted by Coverity.
+
+ Closes #13471
+
+Johann Sebastian Schicho (25 Apr 2024)
+
+- sendf: Curl_cwriter_write: remove comment disallowing zero length writes
+
+ They are needed to pass CLIENTWRITE_EOS.
+
+ Closes #13477
+
+Stefan Eissing (25 Apr 2024)
+
+- CI: macos fixes for new ARM GHA images
+
+ - based on #13478 with additions from #13476
+ - make homebrew install path flexible
+ - fix OpenSSL pkgconfig files libdir
+ - add path to --with-libssh2 target
+ - disable gcc securetransport due to linker
+ errors (missing symbols), probably because
+ the os version is no longer low enough
+
+ Assisted-by: Viktor Szakats
+
+ Closes #13479
+
+- content_encoding: ignore duplicate chunked encoding
+
+ - ignore duplicate "chunked" transfer-encodings from
+ a server to accomodate for broken implementations
+ - add test1482 and test1483
+
+ Reported-by: Mel Zuser
+ Fixes #13451
+ Closes #13461
+
+Daniel Stenberg (25 Apr 2024)
+
+- tool: move tool_ftruncate64 to tool_util.c
+
+ ... and the prototype to tool_setup.h, to make them both available more
+ widely and accurately.
+
+ Follow-up to 00bef95946d3511
+
+ Fixes #13458
+ Closes #13459
+
+Viktor Szakats (24 Apr 2024)
+
+- lib: silence `-Wsign-conversion` in base64, strcase, mprintf
+
+ Closes #13467
+
+- CI: retain failure code after `./configure` with Circle CI
+
+ Suggested-by: Dan Fandrich
+ Follow-up to 43299e93c06b96fea8a8dc9b1c2e49c82bc21801 #13462
+ Follow-up to d7332e3e46c3ef401b34e6a1a129eb4dd846c452 #12635
+ Closes #13468
+
+Daniel Stenberg (24 Apr 2024)
+
+- RELEASE-NOTES: synced
+
+Jan Venekamp (24 Apr 2024)
+
+- mbedTLS: implement CURLOPT_SSL_CIPHER_LIST option
+
+ Use a lookup list to set the cipher suites, allowing the
+ ciphers to be set by either openssl or IANA names.
+
+ To keep the binary size of the lookup list down we compress
+ each entry in the cipher list down to 2 + 6 bytes using the
+ C preprocessor.
+
+ Closes #13442
+
+Viktor Szakats (24 Apr 2024)
+
+- CI: show more failed `config.log` on Circle CI
+
+ Show last 1000 lines of `config.log` if `./configure` fails. This was
+ already done for one job, this patch extends it to all.
+
+ Ref: #13438
+ Closes #13462
+
+Daniel Stenberg (24 Apr 2024)
+
+- telnet: check return code from fileno()
+
+ and return error if necessary
+
+ Spotted by CodeSonar
+
+ Closes #13457
+
+Viktor Szakats (24 Apr 2024)
+
+- tls: fix SecureTransport + BearSSL cmake unity builds
+
+ Avoid clashing static function names by namespacing them.
+
+ Pointed-out-by: Jan Venekamp
+ Ref: https://github.com/curl/curl/pull/13442#discussion_r1576350700
+ Closes #13450
+
+Jay Satiro (24 Apr 2024)
+
+- dllmain: Call OpenSSL thread cleanup for Windows and Cygwin
+
+ - Call OPENSSL_thread_stop on thread termination (DLL_THREAD_DETACH)
+ to prevent a memory leak in case OpenSSL is linked statically.
+
+ - Warn in libcurl-thread.3 that if OpenSSL is linked statically then it
+ may require thread cleanup.
+
+ OpenSSL may need per-thread cleanup to stop a memory leak. For Windows
+ and Cygwin if libcurl was built as a DLL then we can do that for the
+ user by calling OPENSSL_thread_stop on thread termination. However, if
+ libcurl was built statically then we do not have notification of thread
+ termination and cannot do that for the user.
+
+ Also, there are several other unusual cases where it may be necessary
+ for the user to call OPENSSL_thread_stop, so in the libcurl-thread
+ warning I added a link to the OpenSSL documentation.
+
+ Co-authored-by: Viktor Szakats
+
+ Reported-by: southernedge@users.noreply.github.com
+ Reported-by: zmcx16@users.noreply.github.com
+
+ Ref: https://www.openssl.org/docs/man3.0/man3/OPENSSL_thread_stop.html#NOTES
+
+ Fixes https://github.com/curl/curl/issues/12327
+ Closes https://github.com/curl/curl/pull/12408
+
+Jan Venekamp (24 Apr 2024)
+
+- rustls: remove incorrect SSLSUPP_TLS13_CIPHERSUITES flag
+
+ The rustls backend advertises SSLSUPP_TLS13_CIPHERSUITES, but
+ the code does not actually seem to support it (yet?). Removed
+ the flag and corrected documentation.
+
+ Closes #13452
+
+Stefan Eissing (24 Apr 2024)
+
+- quiche: expire all active transfers on connection close
+
+ - when a connection close is detected, all ongoing transfers
+ need to expire bc no more POLL events are likely to happen
+ for them.
+
+ Fixes #13439
+ Reported-by: Jay Satiro
+ Closes #13447
+
+Dan Fandrich (23 Apr 2024)
+
+- tests: fix feature case in test1481
+
+ This test was being skipped everywhere because the feature never
+ matched.
+
+ Closes #13445
+
+Gusted (23 Apr 2024)
+
+- tool_operate: don't truncate the etag save file by default
+
+ This fixes a regression of 75d79a4486b279100209ddf8c7fdb12955fb66e9. The
+ code in tool-operate truncated the etag save file, under the assumption
+ that the file would be written with a new etag value. However since
+ 75d79a4486b279100209ddf8c7fdb12955fb66e9 that might not be the case
+ anymore and could result in the file being truncated when --etag-compare
+ and --etag-save was used and that the etag value matched with what the
+ server responded. Instead the truncation should not be done when a new
+ etag value should be written.
+
+ Test 3204 was added to verify that the file with the etag value doesn't
+ change the contents when used by --etag-compare and --etage-save and
+ that value matches with what the server returns on a non 2xx response.
+
+ Closes #13432
+
+Abdullah Alyan (22 Apr 2024)
+
+- tests: enable test 1117 for hyper
+
+ Closes #13436
+
+Daniel Stenberg (22 Apr 2024)
+
+- sendf: useless assignment in cr_lc_read()
+
+ Spotted by CodeSonar
+
+ Closes #13437
+
+- tool_paramhlp: remove duplicate assign
+
+ Spotted by CodeSonar
+
+ Closes #13433
+
+- transfer: remove useless assignment
+
+ in Curl_xfer_recv_resp
+
+ Spotted by CodeSonar
+
+ Closes #13435
+
+- http: acknowledge a returned error code
+
+ ... and do not overwrite it with a new value that could then hide the
+ problem.
+
+ Spotted by CodeSonar
+
+ Closes #13434
+
+- tool_operate: init vars unconditionally in post_per_transfer
+
+ In case of (the unlikely) early return, they could otherwise remain
+ uninitialized
+
+ Spotted by CodeSonar
+
+ Closes #13430
+
+- RELEASE-NOTES: synced
+
+- urlapi: allow setting port number zero
+
+ Also set and check errno when strtoul() parsing numbers for better error
+ checking.
+
+ Updated test 1560
+
+ Closes #13427
+
+- http_aws_sigv4: remove useless assignment
+
+ This code assigned the variable the same value it already had
+
+ Spotted by CodeSonar
+
+ Closes #13426
+
+- file: remove useless assignment
+
+ This code assigned the variable the same value it already had.
+
+ Spotted by CodeSonar
+
+ Closes #13425
+
+- test2406: verify -f with HTTP/2
+
+Stefan Eissing (19 Apr 2024)
+
+- http2 + ngtcp2: pass CURLcode errors from callbacks
+
+ - errors returned by Curl_xfer_write_resp() and the header variant are
+ not errors in the protocol. The result needs to be returned on the
+ next recv() from the protocol filter.
+
+ - make xfer write errors for response data cause the stream to be
+ cancelled
+
+ - added pytest test_02_14 and test_02_15 to verify that also for
+ parallel processing
+
+ Reported-by: Laramie Leavitt
+ Fixes #13411
+ Closes #13424
+
+Daniel Stenberg (19 Apr 2024)
+
+- request: make Curl_req_init return void
+
+ Since it could not return error and therefore this change removes dead
+ code for the caller.
+
+ Spotted by CodeSonar.
+
+ Closes #13423
+
+- multi: remove the unused Curl_preconnect function
+
+ The implementation has been removed, no point in keeping it around.
+
+ Follow-up to 476adfeac019ed
+
+ Closes #13422
+
+- Curl_creader_read: init two variables to avoid using them uninited
+
+ Spotted by CodeSonar
+
+ Closes #13419
+
+- http: reject HTTP major version switch mid connection
+
+ A connection that has seen an HTTP major version now refuses any other
+ major HTTP version in future responses. Previously, a HTTP/1.x
+ connection would just silently accept HTTP/2 or HTTP/3 in the status
+ lines as long as it had support for those built-in. It would then just
+ lead to confusion and badness.
+
+ Indirectly Spotted by CodeSonar which identified a duplicate assignment
+ in this function.
+
+ Add test 471 to verify
+
+ Closes #13421
+
+- mqtt: when Curl_xfer_recv returns error, don't use nread
+
+ A returned error code makes other return value unreliable, and in this
+ case potentially uninitialized. On error, do not read other return
+ values like the nread counter.
+
+ Spotted by CodeSonar
+
+ Closes #13418
+
+- ftp: fix socket leak on rare error
+
+ In the function AcceptServerConnect() the newly created socket would
+ leak if Curl_conn_tcp_accepted_set() returns error. Which basically
+ should never happen.
+
+ Spotted by CodeSonar.
+
+ Closes #13417
+
+- urlapi: remove unused flags argument from Curl_url_set_authority
+
+ The function is only called from a single place (for HTTP/2 server push)
+ so might as well just assume this fixed option every time.
+
+ Closes #13409
+
+- github/ISSUE_TEMPLATE: tweak the commericual support text
+
+- github/ISSUE_TEMPLATE: link the GitHub discussions too
+
+ ... and move the feature request line to the bottom.
+
+- curl_url_get.md: clarify queries and fragments and CURLU_GET_EMPTY
+
+ Follow-up to 3eac21d86bc5
+
+ Closes #13407
+
+Stefan Eissing (18 Apr 2024)
+
+- tests: check caddy server version to match test expectations
+
+ - new caddy servers no longer return 200 on POSTs, but 405
+ as they should
+
+ Closes #13405
+
+Daniel Stenberg (18 Apr 2024)
+
+- curl_url_set.md: extended
+
+ Closes #13404
+
+- urlapi: add CURLU_GET_EMPTY for empty queries and fragments
+
+ By default the API inhibits empty queries and fragments extracted.
+ Unless this new flag is set.
+
+ This also makes the behavior more consistent: without it set, zero
+ length queries and fragments are considered not present in the URL. With
+ the flag set, they are returned as a zero length strings if they were in
+ fact present in the URL.
+
+ This applies when extracting the individual query and fragment
+ components and for the full URL.
+
+ Closes #13396
+
+- RELEASE-NOTES: synced
+
+- lib1560: test with leading zeroes and more IPv4 versions
+
+ Inspired by WHATWG URL Spec test inputs
+
+ Closes #13400
+
+Christian Schmitz (17 Apr 2024)
+
+- smtp: result of Curl_bufq_cread was not used
+
+ return the result back to the caller.
+
+ Closes #13398
+
+Daniel Stenberg (17 Apr 2024)
+
+- urlapi: fix relative redirects to fragment-only
+
+ Using the URL API for a redirect URL when the redirected-to string
+ starts with a hash, ie is only a fragment, the API would produce the
+ wrong final URL.
+
+ Adjusted test 1560 to test for several new redirect cases.
+
+ Closes #13394
+
+Jiwoo Park (17 Apr 2024)
+
+- url: fix use of an uninitialized variable
+
+ Closes #13399
+
+Patrick Monnerat (17 Apr 2024)
+
+- os400: sync with latest changes
+
+ - Conversion support for new version info character field rtmp_version.
+ - New ILE/RPG declarations.
+
+ Closes #13402
+
+Daniel Stenberg (17 Apr 2024)
+
+- ngtcp2: fix macro use
+
+ macro "H3_STREAM_CTX" requires 2 arguments, but only 1 given
+
+ Follow-up to c6655f7029ec5c128561e3ecf1f93db3ed0432a4
+
+ Closes #13401
+
+Christian Schmitz (17 Apr 2024)
+
+- sendf: fix two typos in comments
+
+ The parameters are named data, not date.
+
+ Closes #13393
+
+- lib: silence warnings on comma misuse
+
+ Building curl with -Wcomma, I see warnings about "possible misuse of
+ comma operator here" and moving fields assignment out of the for() fixes
+ it.
+
+ Closes #13392
+
+Stefan Eissing (17 Apr 2024)
+
+- http/2, http/3: decouple stream state from easy handle
+
+ - add `Curl_hash_offt` as hashmap between a `curl_off_t` and
+ an object. Use this in h2+h3 connection filters to associate
+ `data->id` with the internal stream state.
+ - changed implementations of all affected connection filters
+ - removed `h2_ctx*` and `h3_ctx*` from `struct HTTP` and thus
+ the easy handle
+ - solves the problem of attaching "foreign protocol" easy handles
+ during connection shutdown
+
+ Test 1616 verifies the new hash functions.
+
+ Closes #13204
+
+Daniel Stenberg (17 Apr 2024)
+
+- ROADMAP: remove completed entries, mention websocket
+
+- THANKS-filter: name fixes
+
+Christian Schmitz (17 Apr 2024)
+
+- winbuild: add ENABLE_WEBSOCKETS option
+
+ Closes #13232
+
+Daniel Stenberg (17 Apr 2024)
+
+- dmaketgz: compacter
+
+ Removes the need for disabling shellcheck warnings.
+
+ Follow-up to d28f74913c2
+ Proposed-by: Viktor Szakats
+ Closes #13391
+
+Dan Fandrich (16 Apr 2024)
+
+- tests: Fix uninitialized value warning
+
+ The check for an option must be predicated on options existing at all.
+
+ Follow-up to f7cc9e91
+
+Christian Schmitz (17 Apr 2024)
+
+- idn: add native AppleIDN (icucore) support for macOS/iOS
+
+ I implemented the IDN functions for macOS and iOS using Unicode
+ libraries coming with macOS and iOS.
+
+ Builds and runs here on macOS 14.2.1. Also verified to load and
+ run on older macOS version 10.13.
+
+ Build requires macOS SDK 13 or equivalent.
+
+ Set `-DUSE_APPLE_IDN=ON` CMake option to enable it.
+ With autotools and other build tools, set these manual options:
+ ```
+ CPPFLAGS=-DUSE_APPLE_IDN
+ LIBS=-licucore
+ ```
+
+ Completes TODO 1.6.
+
+ TODO: add autotools option and feature-detection.
+
+ Refs: #5330 #5371
+ Co-authored-by: Viktor Szakats
+ Closes #13246
+
+Stefan Eissing (16 Apr 2024)
+
+- http3: extend download abort tests, fixes in ngtcp2
+
+ - fix flow handling in ngtcp2 to ACK data on streams
+ we abort ourself.
+ - extend test_02_23* cases to also run for h3
+ - skip test_02_23* for OpenSSL QUIC as it gets stalled
+ on progressing the connection
+
+ Closes #13374
+
+Daniel Stenberg (16 Apr 2024)
+
+- tests: add -q as first option when invoking curl for tests
+
+ To reduce the risk that the user running the tests has a .curlrc present
+ that messes things up.
+
+ Support 'option="no-q"' for the <command> tag to switch it off on demand.
+ Use this new feature in test 433 and 436.
+
+ Ref: #13284
+ Closes #13387
+
+- dmaketgz: release tarball generation using docker
+
+ For easier reproducibility.
+
+ Mention using this script in RELEASE-PROCEDURE
+
+ Closes #13388
+
+Viktor Szakats (16 Apr 2024)
+
+- cmake: update ECH code and minor fixups
+
+ - `openssl_check_symbol_exists()` expects a 4th argument now.
+ Follow-up to edc2702a1fe3a4a5386ffd9aa4f240f0c0197fa2 #13373
+
+ - minor comment/script touch-ups.
+ Follow-up to a362962b7289ec02b412890c9515657cf0ed50ac #11922
+
+ - fix indentation.
+
+ Closes #13383
+
+- tests: fix shellcheck issues in `ech_tests.sh`
+
+ Add double-quotes where missing.
+
+ Follow-up to a362962b7289ec02b412890c9515657cf0ed50ac #11922
+ Closes #13382
+
+- dist: add ECH files to tarball
+
+ Also sort `EXTRA_DIST` list in `tests/Makefile.am` and make it diffable.
+
+ Follow-up to a362962b7289ec02b412890c9515657cf0ed50ac #11922
+ Closes #13381
+
+- openvms: look for `USE_IPV6` in `config.h` (was: `ENABLE_IPV6`)
+
+ The OpenVMS script `config_h.com` is parsing the config header
+ generated by autotools. Let's make it look for the macro name we now
+ use universally across the codebase.
+
+ Follow-up to e411c98f702f0fb38dceec95e7507ef15a00d12c #13349
+ Closes #13360
+
+daniel-j-h (16 Apr 2024)
+
+- Dockerfile: for release automation and reproducibility
+
+ Closes #13250
+
+Stefan Eissing (16 Apr 2024)
+
+- cw-out: improved error handling
+
+ - remember error encountered in invoking write callback and always fail
+ afterwards without further invokes
+
+ - check behaviour in test_02_17 with h2-pausing client
+
+ Reported-by: Pavel Kropachev
+ Fixes #13337
+ Closes #13340
+
+Daniel Stenberg (16 Apr 2024)
+
+- version: add "ECH" as a feature
+
+ If available
+
+ Follow-up to a362962b7
+ Closes #13378
+
+- CURLOPT_ECH: polish
+
+ - remove the pointer to build instructions, it won't work in manpages
+ - add see-also
+ - minor white space edits
+
+ Closes #13379
+
+Viktor Szakats (16 Apr 2024)
+
+- tidy-up: whitespace [ci skip]
+
+- mbedtls: fix building with v3 in CMake Unity mode
+
+ Before this patch the internal feature detection macro
+ `HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS` was defined in three files,
+ with an incomplete logic in one of them. In Unity mode that spilled
+ into another source file and broke the build.
+
+ Closes #13377
+
+- cmake: add librtmp/rtmpdump option and detection
+
+ Add CMake option `USE_LIBRTMP`. Disabled by default.
+
+ This library requires OpenSSL TLS-backend when linked statically.
+
+ Follow-up to 6eb9e65781fa1fd8a0bcfe0715187a3a35f09ae4 #13364
+ Closes #13373
+
+Stephen Farrell (16 Apr 2024)
+
+- TLS: add support for ECH (Encrypted Client Hello)
+
+ An EXPERIMENTAL feature used with CURLOPT_ECH and --ech.
+
+ Closes #11922
+
+Daniel Stenberg (15 Apr 2024)
+
+- RELEASE-NOTES: synced
+
+- multi: introduce SETUP state for better timeouts
+
+ Since we can go to the CONNECT state from PENDING, potentially multiple
+ times for a single transfer, this change introdues a SETUP state that
+ happens before CONNECT when doing a new transfer.
+
+ Now, doing a redirect on a handle goes back to SETUP (not CONNECT like
+ before) and we initilize the connect timeout etc in SETUP. Previously,
+ we would do it in CONNECT but that would make it unreliable in cases
+ where a transfer goes in and out between CONNECT and PENDING multiple
+ times.
+
+ SETUP is transient, so the handle never actually stays in that state.
+
+ Additionally: take care of timeouts of PENDING transfers in
+ curl_multi_perform()
+
+ Ref: #13227
+ Closes #13371
+
+Tal Regev (15 Apr 2024)
+
+- cmake: forward `USE_LIBRTMP` option to C
+
+ Define in C `USE_LIBRTMP` if user requested it from cmake.
+
+ Closes #13364
+
+Daniel Stenberg (15 Apr 2024)
+
+- curl_version_info: provide librtmp version
+
+ Ref: https://github.com/curl/curl/pull/13364#issuecomment-2054151942
+ Reported-by: talregev on github
+ Closes #13368
+
+blankie (15 Apr 2024)
+
+- docs: clarify CURLOPT_MAXFILESIZE and CURLOPT_MAXFILESIZE_LARGE
+
+ The bounds of the size parameter were not specified, and nor was it
+ specified how to disable the maximum file size check.
+
+ The documentation also incorrectly stated that CURLOPT_MAXFILESIZE
+ always returns CURLE_OK and that CURLOPT_MAXFILESIZE_LARGE only returns
+ CURLE_OK or CURLE_UNKNOWN_OPTION.
+
+ It also did not mention what the default value is, which is zero. This
+ commit updates the documentation to make note of all these things.
+
+ Closes #13372
+
+Patrick Monnerat (15 Apr 2024)
+
+- OS400: post-shellcheck changes adjustments
+
+ Build scripts must be executed by the os/400 shell (sh), not bash which
+ is a PASE program.
+
+ Shell function get_make_vars() escaping reworked to match $() subcommand
+ construct.
+
+ Follow-up to 8a622baf9e9233241bbe93d6599c99cb46478614
+ Closes #13366
+
+Viktor Szakats (15 Apr 2024)
+
+- OS400: tidy-up
+
+ Drop/fixup mods trying to make some syntax highlighters happier.
+
+ Follow-up to 8a622baf9e9233241bbe93d6599c99cb46478614 #13309
+ Closes #13362
+
+Daniel Stenberg (15 Apr 2024)
+
+- multi: timeout handles even without connection
+
+ When there is a "change" in a multi handle and pending handles are moved
+ back to the main list to be retested if they can proceed further (for
+ example a previous transfer completed or a connection has a confirmed
+ multiplexed state), the timeout check in multi_runsingle() would not
+ trigger because it required an established connection.
+
+ This could make a pending tranfer go back to pending state even though
+ it had been "in progress" for a longer time than permitted. By removing
+ the requirement for an associated connection, the timeout check will be
+ done proper even for transfers that has not yet been assigned one.
+
+ Ref #13227
+ Reported-by: Rahul Krishna M
+ Closes #13276
+
+Patrick Monnerat (15 Apr 2024)
+
+- mprintf: check fputc error rather than matching returned character
+
+ OS/400 ascii fputc wrapper deviates from the posix standard by the
+ fact that it returns the ebcdic encoding of the original ascii
+ character. Testing for a matching value for success will then always
+ fail.
+
+ This commit replaces the chariacter comparison by an explicit error
+ return check.
+
+ Follow-up to ef2cf58
+ Closes #13367
+
+Viktor Szakats (14 Apr 2024)
+
+- ci: add CMake build variation, fixup libssh detection in `linux-old`
+
+ To test without c-ares and hit `easy_lock.h` on an old system. Use this
+ new build step to introduce small variations, and also test libssh2.
+
+ Also add workaround to existing job to enable libssh. (CMake's generic
+ auto-detection doesn't seem to work here.):
+ ```
+ CMake Warning at CMakeLists.txt:908 (find_package):
+ Could not find a package configuration file provided by "libssh" with any
+ of the following names:
+
+ libsshConfig.cmake
+ libssh-config.cmake
+ ```
+ Ref: https://github.com/curl/curl/actions/runs/8661316091/job/23750974358#ste
+ p:5:69
+
+ Closes #13361
+
+- lib: merge `ENABLE_QUIC` C macro into `USE_HTTP3`
+
+ Before this patch `lib/curl_setup.h` defined these two macros right
+ next to each other, then the source code used them interchangeably.
+
+ After this patch, `USE_HTTP3` guards all HTTP/3 / QUIC features.
+ (Like `USE_HTTP2` does for HTTP/2.) `ENABLE_QUIC` is no longer used.
+
+ This patch doesn't change the way HTTP/3 is enabled via autotools
+ or CMake. Builders who enabled HTTP/3 manually by defining both of
+ these macros via `CPPFLAGS` can now delete `-DENABLE_QUIC`.
+
+ Closes #13352
+
+- build: prefer `USE_IPV6` macro internally (was: `ENABLE_IPV6`)
+
+ Before this patch, two macros were used to guard IPv6 features in curl
+ sources: `ENABLE_IPV6` and `USE_IPV6`. This patch makes the source use
+ the latter for consistency with other similar switches.
+
+ `-DENABLE_IPV6` remains accepted for compatibility as a synonym for
+ `-DUSE_IPV6`, when passed to the compiler.
+
+ `ENABLE_IPV6` also remains the name of the CMake and `Makefile.vc`
+ options to control this feature.
+
+ Closes #13349
+
+Dan Fandrich (12 Apr 2024)
+
+- DISTROS: mark rolling release distros
+
+ These are ones that are unlikely to have back-ported curl patches.
+
+ Closes #13353
+
+Daniel Stenberg (12 Apr 2024)
+
+- mbedtls: cut off trailing newlines from debug logs
+
+ To avoid double newlines in the output.
+
+ Reported-by: Gisle Vanem
+ Fixes #13321
+ Closes #13356
+
+- RELEASE-NOTES: synced
+
+Stefan Eissing (12 Apr 2024)
+
+- CURLINFO_REQUEST_SIZE: fixed, add tests for transfer infos reported
+
+ - tests for 'size_request' and other stats reported, for
+ presence and consistency
+
+ Reported-by: Jonatan Vela
+ Fixes #13269
+ Closes #13275
+
+Viktor Szakats (11 Apr 2024)
+
+- dist: add files missing from release tarball
+
+ Closes #13346
+
+- ci: parallelize more, tidy up cmake commands (distcheck, macos)
+
+ Also enable `-DCURL_WERROR=ON` in the Linux cmake build test.
+
+ Closes #13343
+
+Toon Claes (11 Apr 2024)
+
+- docs: add CURLOPT_NOPROGRESS to CURLOPT_XFERINFOFUNCTION example
+
+ It's important to set `CURLOPT_NOPROGRESS` to `0` if you want your
+ transfer callback function, set by `CURLOPT_XFERINFOFUNCTION`, getting
+ called. To emphasize this to the users, add this to the code example.
+
+ Closes #13348
+
+RainRat (11 Apr 2024)
+
+- misc: fix typos
+
+ Closes #13344
+
+Colin Leroy-Mira (11 Apr 2024)
+
+- file: add support for getting basic directory listings
+
+ Not supported on Windows (yet)
+
+ Closes #13137
+
+Viktor Szakats (11 Apr 2024)
+
+- ci: add curl-for-win builds: Linux MUSL, macOS, Windows
+
+ Linux MUSL (llvm/clang), macOS Apple clang, Windows (llvm/clang).
+
+ Configured with HTTP/2 and HTTP/3 and other dependencies (the default
+ curl-for-win) for a comprehensive build test.
+
+ ```
+ curl 8.8.0-DEV (x86_64-unknown-linux-musl) libcurl/8.8.0-DEV LibreSSL/3.9.1 z
+ lib/1.3.1 brotli/1.1.0 zstd/1.5.6 libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.61.0
+ ngtcp2/1.4.0 nghttp3/1.2.0
+ Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns
+ mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
+ Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefil
+ e libz NTLM PSL SSL threadsafe UnixSockets zstd
+
+ curl 8.8.0-DEV (x86_64-apple-darwin) libcurl/8.8.0-DEV LibreSSL/3.9.1 zlib/1.
+ 3.1 brotli/1.1.0 zstd/1.5.6 libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.61.0 ngtcp
+ 2/1.4.0 nghttp3/1.2.0
+ Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns
+ ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws w
+ ss
+ Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefil
+ e libz NTLM PSL SSL threadsafe UnixSockets zstd
+
+ curl 8.8.0-DEV (x86_64-w64-mingw32) libcurl/8.8.0-DEV LibreSSL/3.9.1 zlib/1.3
+ .1 brotli/1.1.0 zstd/1.5.6 WinIDN libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.61.0
+ ngtcp2/1.4.0 nghttp3/1.2.0
+ Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns
+ ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws w
+ ss
+ Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerb
+ eros Largefile libz NTLM PSL SPNEGO SSL SSPI threadsafe UnixSockets zstd
+ ```
+
+ Limited to x64, because for build testing the additional CPUs don't add
+ much value compared to the extra build time. They can be enabled easily
+ if deemed useful.
+
+ To the extent of curl-for-win configuration options, it's trivial to add
+ further build combinations.
+
+ Closes #13335
+
+- OS400: fix shellcheck warnings in scripts
+
+ - use `$()` instead of backticks, and re-arrange double-quotes inside.
+ - add missing `|| exit 1` to `cd` calls. (could be dropped by using `set -eu`
+ .)
+ - add `-n` to a few `if`s.
+ - shorten redirections by using `{} >` (as shellcheck recommended).
+ - silence warnings where variables were detected as unused (SC2034).
+ - a couple misc updates to silence warnings.
+ - switch to bash shebang for `-ot` feature.
+ - split two lines to unbreak syntax highlighting in my editor. (`$(expr \`, `
+ $(dirname \`)
+
+ Also enable CI checks for OS/400 shell scripts.
+
+ Ref: #13307
+ Closes #13309
+
+Stefan Eissing (11 Apr 2024)
+
+- lib: add Curl_xfer_write_resp_hd
+
+ Add method in protocol handlers to allow writing of a single,
+ 0-terminated header line. Avoids parsing and copying these lines.
+
+ Closes #13165
+
+- llist: add Curl_llist_append()
+
+ - use for better readability in all places where the "insert_next"
+ actually performs an append to the list
+ - add some tests in unit1300
+
+ Closes #13336
+
+- gnutls: lazy init the trust settings
+
+ - delay loading of trust anchors and CRLs after the ClientHello
+ has been sent off
+ - add tracing to IO operations
+ - on IO errors, return the CURLcode of the underlying filter
+
+ Closes #13339
+
+Marcel Raad (10 Apr 2024)
+
+- http_negotiate: fix `CURL_DISABLE_PROXY` build
+
+ `proxyuserpwd` was removed from `dynamically_allocated_data` in commit
+ f46385d36df.
+
+ Closes https://github.com/curl/curl/pull/13334
+
+Viktor Szakats (10 Apr 2024)
+
+- quic: fixup duplicate static function name (for cmake unity)
+
+ Visible in daily curl-for-win builds:
+ https://github.com/curl/curl-for-win/actions/runs/8621925870
+
+ ```
+ lib/vquic/curl_ngtcp2.c:1916:12: error: redefinition of 'ossl_new_session_cb'
+ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+ ^
+ lib/vtls/openssl.c:2978:12: note: previous definition is here
+ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+ ^
+ ```
+ https://github.com/curl/curl-for-win/actions/runs/8621925870/job/23631885439#
+ step:3:6965
+
+ Follow-up to 3210101088dfa3d6a125d213226b092f2f866722 #13172
+ Closes #13332
+
+- appveyor: make VS2010 job build-only, enable Schannel, fix compiler warnings
+
+ Tests were consistently flaky for a while.
+
+ Also fix compiler warnings in `CertOpenStore()` calls for old MSVC compilers:
+ ```
+ C:/projects/curl/lib/vtls/schannel.c(688):
+ warning C4306: 'type cast' : conversion from 'int' to 'LPCSTR' of greater s
+ ize
+ C:/projects/curl/lib/vtls/schannel_verify.c(642):
+ warning C4306: 'type cast' : conversion from 'int' to 'LPCSTR' of greater s
+ ize
+ ```
+ Ref: https://ci.appveyor.com/project/curlorg/curl/builds/49580310/job/ywu2y44
+ kymgc0nif#L106
+
+ Closes #13330
+
+Daniel Stenberg (10 Apr 2024)
+
+- projects: drop MSVC project files for recent versions
+
+ We encourage users to generate visual studio project files using CMake.
+
+ We keep project files in git for ancient visual studio versions that
+ cmake cannot generate files for, but we no longer ship the project files
+ in the tarballs.
+
+ appveyor: switch VisualStudioSolution job to VC12 (Visual Studio 2013)
+
+ Co-Authored-by: Viktor Szakats
+ Co-Authored-by: Jay Satiro
+
+ Closes #13311
+
+Viktor Szakats (9 Apr 2024)
+
+- cmake: use namespaced custom target names
+
+ Rename custom target to namespaced (unique) names to avoid colliding
+ with 3rd-party projects (e.g. libzip) built together with curl.
+
+ Reported-by: hammlee96 on github
+ Fixes #13324
+ Closes #13326
+
+- appveyor: re-enable OpenSSL 3, bump to 3.2.1
+
+ Ref: b62454a875d70f93ab5347c050903596feb45a23 #13266
+ Closes #13329
+
+Stefan Eissing (9 Apr 2024)
+
+- CI: upgrade openssl version to 3.3.0 for openssl-quic
+
+ Closes #13328
+
+Daniel Stenberg (9 Apr 2024)
+
+- RELEASE-NOTES: synced
+
+ Bump to 8.8.0-DEV
+
+- curl_multi_waitfds.md: add protocol mention
+
+ Follow-up to 02beac6bb6b
+
+Dmitry Karpov (9 Apr 2024)
+
+- lib: add curl_multi_waitfds
+
+ New function call, similar to curl_multi_fdset()
+
+ Closes #13135
+
+Viktor Szakats (9 Apr 2024)
+
+- dist: verify tarball reproducibility in CI
+
+ Closes #13327
+
+Stefan Eissing (9 Apr 2024)
+
+- tests: stabilitze test_02_23*
+
+ - h2-download now always opens the output file on first write callback
+ invocation, if it will pause the transfer or not.
+ - Checks on output files then does not depend on the amount of data curl
+ has collected for the first write.
+
+ Closes #13323
+
+- tls: fix compile issues on old-linux CI
+
+ Follow-up to 3210101088dfa
+ Closes #13325
+
+Viktor Szakats (9 Apr 2024)
+
+- dist: add reproducible dir entries to tarballs
+
+ In the initial implementation of reproducible tarballs, they were
+ missing directory entries, while .zip archives had them. It meant
+ that on extracting the tarball, on-disk directory entries got the
+ current timestamp.
+
+ This patch fixes this by including directory entries in the tarball,
+ with reproducible timestamps. It also moves sorting inside tar,
+ to ensure reproducible directory entry timestamps on extract
+ (without the need of `--delay-directory-restore` option, when
+ extracting with GNU tar. BSD tar got that right by default.)
+
+ GNU tar 1.28 (2014-07-28) introduced `--sort=`.
+
+ Ref: https://github.com/curl/curl/pull/13299#discussion_r1555957350
+ Follow-up to 860cd5fc2dc8e165fadd2c19a9b7c73b3ae5069d #13299
+ Closes #13322
+
+Stefan Eissing (9 Apr 2024)
+
+- tls: use shared init code for TCP+QUIC
+
+ Closes #13172
+
+Daniel Stenberg (9 Apr 2024)
+
+- .mailmap: update Gisle's preferred email
+
+Jan Macku (9 Apr 2024)
+
+- doc: pytest `--repeat` -> `--count`
+
+ Pytest doesn't have a `--repeat` option, but it does have a `--count`
+ option.
+
+ ```
+ --count=COUNT Number of times to repeat each test
+ ```
+
+ Closes #13218
+
+Daniel Stenberg (9 Apr 2024)
+
+- src/Makefile.am: access curl.txt using a relative path, not abs
+
+ ... to make it work when mounted using different mount points. Like when
+ generated/used inside and outside of a docker image.
+
+ Closes #13320
+
+- build: remove MacOSX-Framework script
+
+ I don't think this is much used these days.
+
+ Also remove the libcurl.plist file used (only) by this script
+
+ Closes #13313
+
+- release-tools.sh: store the timestamp and release tag too
+
+ When maketgz invokes this script to generate the docs/RELEASE-TOOLS.md
+ file that gets bundled in the release, it now also passes on the exact
+ timestamp and version number so that those details also get mentioned in
+ the document. They will help users reproduce an identical tarball.
+
+ Closes #13319
+
+Viktor Szakats (8 Apr 2024)
+
+- GHA: disable permissions where missing
+
+ Reviewed-by: Daniel Stenberg
+ Closes #13306
+
+Stefan Eissing (8 Apr 2024)
+
+- CI: update component versions
+
+ - ngtcp2: v1.4.0
+ - nghttp3: v1.2.0
+ - nghttp2: v1.61.0
+ - mod_h2: v2.0.27
+
+ Closes #13316
+
+Jérôme Leclercq (8 Apr 2024)
+
+- CMake: check fseeko after detecting HAVE_FILE_OFFSET_BITS
+
+ Closes #13264
+
+Stefan Eissing (8 Apr 2024)
+
+- http2: emit RST when client write fails
+
+ - When the writing of response data fails, reset the stream
+ and do not return a callback error to nghttp2. That would
+ be a fatal error for the connection and harm other requests.
+ - add test cases for various abort scenarios
+
+ Reported-by: Konstantin Kuzov
+ Fixes #13292
+ Closes #13298
+
+Kailun Qin (8 Apr 2024)
+
+- mbedtls: call mbedtls_ssl_setup() after RNG callback is set
+
+ Since mbedTLS v3.6.0, the RNG check added in ssl_conf_check() will fail
+ if no RNG is provided when calling mbedtls_ssl_setup().
+
+ Therefore, mbedtls_ssl_conf_rng() needs to be called before the SSL
+ context is passed to mbedtls_ssl_setup().
+
+ Ref: https://github.com/Mbed-TLS/mbedtls/commit/b422cab052b51ec84758638d6783d
+ 6ba4fc60613
+
+ Signed-off-by: Kailun Qin <kailun.qin@intel.com>
+ Closes #13314
+
+Daniel Stenberg (8 Apr 2024)
+
+- NTLM_WB: drop support
+
+ The feature has not worked for months and has been marked as DEPRECATED
+ for six+ months.
+
+ Closes #13249
+
+- curl_trc: fix build error when lacking verbose messages
+
+ Follow-up from 0b28ece657b2273
+ Closes #13312
+
+Viktor Szakats (8 Apr 2024)
+
+- contrithanks: honor `CURLWWW` variable
+
+ Reviewed-by: Daniel Stenberg
+ Closes #13315
+
+- GHA: add shellcheck job and fix warnings, shell tidy-ups
+
+ Reviewed-by: Daniel Stenberg
+ Closes #13307
+
+- dist: do not require Perl in `maketgz`
+
+ Perl remains required for the tarball build process.
+
+ Follow-up to 860cd5fc2dc8e165fadd2c19a9b7c73b3ae5069d #13299
+
+ Reviewed-by: Daniel Stenberg
+ Closes #13310
+
+Daniel Stenberg (8 Apr 2024)
+
+- RELEASE-NOTES: synced
+
+- docs/cmdline-opts: invoke managen using a relative path
+
+ ... no need to use an absolute path, that makes the build unncessarily
+ fail if invoked using a different mount point. managen now takes options
+ to find the input files.
+
+ Update test1478 to provide the dir arguments to managen
+
+ Closes #13281
+
+- GHA: add valgrind to a wolfSSL build
+
+ Closes #13274
+
+Viktor Szakats (7 Apr 2024)
+
+- dist: `set -eu`, fix shellcheck, make reproducible and smaller tarballs
+
+ - set bash `-eu` and fix fallouts.
+ - fix shellcheck warnings.
+ - set and use `SOURCE_DATE_EPOCH` for reproducibility.
+ Authored-by: Daniel J. H.
+ Ref: #13280
+ - set `TZ=UTC` and `LC_ALL=C` for reproducibility.
+ - make file timestamps in tarball/zip reproducible.
+ - make directory timestamps in zip reproducible.
+ - make timestamps of tarballs/zip reproducible.
+ - make file order in tarball/zip reproducible.
+ - omit extra file metadata from zip for reproducibility.
+ - use maximum zip compression.
+ - use POSIX `ustar` tarball format to avoid supply chain vulnerability:
+ https://seclists.org/oss-sec/2021/q4/0
+ - make uid/gid in tarball reproducible.
+ - omit owner user/group names from tarball for reproducibility and privacy.
+ - omit current timestamp from .gz header for reproducibility.
+ - display SHA-256 hashes of produced tarballs/zip.
+ - fix whitespace.
+
+ `.tar.gz` also became smaller in the process: 4,462,311 -> 4,148,249 bytes (8
+ .7.1)
+
+ Requires GNU tar, GNU date, `sha256sum`.
+
+ Reviewed-by: Daniel Stenberg
+ Ref: #13250
+ Closes #13299
+
+Gisle Vanem (7 Apr 2024)
+
+- tests/http: fix compiler warning
+
+ - Init result code variable to fix clang warning that it may be used
+ uninitialized.
+
+ Fixes https://github.com/curl/curl/issues/13301
+ Closes https://github.com/curl/curl/pull/13304
+
+Stefan Eissing (6 Apr 2024)
+
+- vquic: use new curl_int64_t type
+
+ - add curl_int64_t signed 64-bit type for lib use
+
+ - define CURL_PRId64, CURL_PRIu64 format ids
+
+ - use curl_int64_t in vquic
+
+ curl_int64_t signed complements the existing curl_uint64_t unsigned.
+
+ Note that `curl_int64_t` and `int64_t` are assignable from each other
+ but not identical. Some platforms with 64 long type defint int64_t as
+ "long long" (staring at macOS) which messes up things like pointers and
+ format identifiers.
+
+ Closes https://github.com/curl/curl/pull/13293
+
+Jay Satiro (5 Apr 2024)
+
+- lib: use multi instead of multi_easy for the active multi
+
+ - Use data->multi and not data->multi_easy to refer to the active multi.
+
+ The easy handle's active multi is always data->multi.
+
+ This is a follow up to 757dfdf which changed curl so that an easy handle
+ used with the easy interface and then multi interface cannot have two
+ different multi handles associated with it at the same time
+ (data->multi_easy from the easy interface and data->multi from the multi
+ interface).
+
+ Closes https://github.com/curl/curl/pull/12665
+
+Viktor Szakats (5 Apr 2024)
+
+- tidy-up: whitespace [ci skip]
+
+Daniel Stenberg (5 Apr 2024)
+
+- makefile: remove the sorting from the vc-ide action
+
+ This target generates the MSVC project files. This change removes the
+ extra sorting and instead makes the script use the order of the files as
+ listed in the variables - which are mostly sorted anyway.
+
+ This is an attempt to make the project file generation more easily
+ reproducible.
+
+ Ref: #13250
+ Closes #13294
+
+Gisle Vanem (5 Apr 2024)
+
+- bearssl: fix compiler warnings
+
+ "variables may be uninitialized when used"
+
+ Fixes #13290
+ Closes #13297
+
+Daniel Stenberg (5 Apr 2024)
+
+- DISTROS: Cygwin updates
+
+ Brought-by: Brian Inglis
+ Fixes #13258
+ Co-authored-by: Viktor Szakats
+ Closes #13279
+
+Stefan Eissing (5 Apr 2024)
+
+- lib: add trace support for client reads and writes
+
+ - add `CURL_TRC_READ()` and `CURL_TRC_WRITE()`
+ - use in generic client writers and readers, as well
+ as http headers, chunking and websockets
+
+ Closes #13223
+
+Michał Antoniak (5 Apr 2024)
+
+- urldata: remove fields not used depending on used features
+
+ Reduced size of dynamically_allocated_data structure.
+
+ Reduced number of stored values in enum dupstring and enum dupblob. This
+ affects the reduced array placed in the UserDefined structure.
+
+ Closes #13188
+
+Viktor Szakats (5 Apr 2024)
+
+- cmake: enable `-pedantic-errors` for clang when `CURL_WERROR=ON`
+
+ clang doesn't have the issues of GCC and old CMake versions.
+
+ Note: This introduces asymmetry with autotools, which only enables
+ this for GCC.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #13286
+
+- cmake: fix `CURL_WERROR=ON` for old CMake and use it in GHA/linux-old
+
+ - cmake: fix `-pedantic-errors` for old CMake with `CURL_WERROR=ON` set.
+
+ `-pedantic-errors` option throws a warning with GCC (all versions) and
+ makes `check_symbol_exists()` fail in CMake versions older than
+ v3.23.0 (2022-03-29), when CMake introduced a workaround:
+
+ https://gitlab.kitware.com/cmake/cmake/-/issues/13208
+ https://gitlab.kitware.com/cmake/cmake/-/commit/eeb45401163d831b8c841ef6eba
+ 81466b4067b68
+ https://gitlab.kitware.com/cmake/cmake/-/commit/1ab7c3cd28b27ca162c4559e102
+ 6e5cad1898ade
+
+ Follow-up to 3829759bd042c03225ae862062560f568ba1a231 #12489
+
+ - set `CURL_WERROR=ON` for the `linux-old` job in CI.
+
+ Closes #13282
+
+- lib: use `#error` instead of invalid syntax in `curl_setup_once.h`
+
+ Reviewed-by: Daniel Stenberg
+ Closes #13287
+
+Daniel Stenberg (5 Apr 2024)
+
+- GHA: on macOS remove $HOME/.curlrc
+
+ A recent image upgrade added a $HOME/.curlrc by default using --ipv4.
+
+ Ref: https://github.com/actions/runner-images/pull/9586
+ Fixes #13284
+ Closes #13285
+
+Viktor Szakats (4 Apr 2024)
+
+- cmake: fixup `DEPENDS` filename
+
+ Fixing:
+ ```
+ make[2]: Circular docs/curl-config.1 <- docs/curl-config.1 dependency dropped
+ .
+ make[2]: Circular docs/mk-ca-bundle.1 <- docs/mk-ca-bundle.1 dependency dropp
+ ed.
+ ```
+ Ref: https://github.com/curl/curl/actions/runs/8559617487/job/23456740844?pr=
+ 13282#step:6:18
+
+ Follow-up to 5023ffad2c27d4b916ddb91800f99ecc5d3aad07 #13197
+ Closes #13283
+
+- GHA: enable unity mode for cmake jobs + tidy-ups
+
+ Unity mode is not supported by CMake v3.7.2 used in linux-old, but
+ enable it anyway for consistency and to kick in automatically once
+ migrating to a newer old Linux in the future.
+
+ Also:
+ - replace `CMAKE_COMPILE_WARNING_AS_ERROR` with `CURL_WERROR`.
+ - delete default build option `PICKY_COMPILER=ON`.
+
+ Closes #13277
+
+Dan Fandrich (4 Apr 2024)
+
+- CI: Add CI build on Debian stretch to test old support
+
+ This version still has ELTS support and contains some old versions of
+ key components like cmake to help prevent us from breaking that support.
+
+ Closes #13029
+
+Stefan Eissing (4 Apr 2024)
+
+- request: paused upload on completed download, assess connection
+
+ A transfer with a completed download that is still uploading needs to
+ check the connection state when it is PAUSEd, since connection
+ close/errors would otherwise go unnoticed.
+
+ Reported-by: Sergey Bronnikov
+ Fixes #13260
+ Closes #13271
+
+Daniel Stenberg (4 Apr 2024)
+
+- url: do not URL decode proxy crendentials
+
+ The two options CURLOPT_PROXYUSERNAME and CURLOPT_PROXYPASSWORD set the
+ actual names as-is, not URL encoded.
+
+ Modified test 503 to use percent-encoded strings in the credential
+ strings that should be passed on as-is.
+
+ Reported-by: Sergey Ogryzkov
+ Fixes #13265
+ Closes #13270
+
+Viktor Szakats (4 Apr 2024)
+
+- appveyor: enable cmake unity mode by default
+
+ Leave one non-unity cmake job. This makes the jobs finish slightly
+ quicker, while giving more coverage for unity issues.
+
+ Before:
+ https://ci.appveyor.com/project/curlorg/curl/builds/49496977
+ https://ci.appveyor.com/project/curlorg/curl/builds/49500372
+ After:
+ https://ci.appveyor.com/project/curlorg/curl/builds/49500338
+
+ Also fixup unrelated whitespace.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #13217
+
+Daniel Stenberg (4 Apr 2024)
+
+- RELEASE-NOTES: synced
+
+Viktor Szakats (4 Apr 2024)
+
+- cmake: speed up libcurl doc building again
+
+ This time limit the number of files per command to avoid exceeding
+ limitations of certain OS/shell envs.
+
+ Such known env is Windows with the `cmd.exe` shell, which features an
+ 8K command-line length limit to this day.
+
+ Allowlisting `UNIX` to have no limit and using a limit of 200 for other
+ envs to be safe. If there is a way to detect `cmd.exe` and/or we know
+ which precise envs are sensitive to this, we can tweak these conditions
+ further.
+
+ Even with the low limit, this patch reduces external commands by 200x,
+ making builds much faster.
+
+ Ref: #12762 2620aa930bc73af1e4c70b10e3125b957b96ecfb (initial)
+ Ref: #13047 f03c85635f35269f1f45b983bf216624f541760a (revert)
+
+ Reviewed-by: Daniel Stenberg
+ Closes #13207
+
+- cmake: tidy-up to use `WORKING_DIRECTORY`
+
+ Reviewed-by: Daniel Stenberg
+ Closes #13206
+
+- cmake: generate misc manpages and install `mk-ca-bundle.pl`
+
+ - install `mk-ca-bundle.pl` like autotools does.
+
+ - generate and install `mk-ca-bundle.1` and `curl-config.1` like
+ autotools. This fixes tests 1140 and 1173.
+
+ Reported-by: Dan Fandrich
+ Fixes #13194
+
+ - add option `BUILD_MISC_DOCS` to control building the above two
+ manpages. Enabled by default.
+
+ - appveyor: stop disabling tests 1140 and 1173.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #13197
+
+Fabian Keil (4 Apr 2024)
+
+- wolfssl: plug memory leak in wolfssl_connect_step2()
+
+ Fixes:
+
+ test 2034...[simple HTTPS GET with DER public key pinning]
+ ==61829== 22,610 (3,744 direct, 18,866 indirect) bytes in 1 blocks are d
+ efinitely lost in loss record 51 of 54
+ ==61829== at 0x484BB74: malloc (vg_replace_malloc.c:446)
+ ==61829== by 0x4B53A80: wolfSSL_Malloc (memory.c:344)
+ ==61829== by 0x4C1C8E1: wolfSSL_X509_new (x509.c:5326)
+ ==61829== by 0x4C3977D: d2i_X509orX509REQ (x509.c:3628)
+ ==61829== by 0x4C1D1F4: wolfSSL_X509_d2i (x509.c:3664)
+ ==61829== by 0x4C1C37B: wolfSSL_X509_dup (x509.c:13425)
+ ==61829== by 0x4C197DB: wolfSSL_get_peer_certificate (ssl.c:18765)
+ ==61829== by 0x33297C: wolfssl_connect_step2 (wolfssl.c:875)
+ ==61829== by 0x331669: wolfssl_connect_common (wolfssl.c:1287)
+ ==61829== by 0x3303E9: wolfssl_connect_nonblocking (wolfssl.c:1319)
+ ==61829== by 0x32FE89: ssl_connect_nonblocking (vtls.c:510)
+ ==61829== by 0x32DBE5: ssl_cf_connect (vtls.c:1679)
+ ==61829== by 0x27ABD7: Curl_conn_cf_connect (cfilters.c:307)
+ ==61829== by 0x27D9CF: cf_setup_connect (connect.c:1199)
+ ==61829== by 0x27ABD7: Curl_conn_cf_connect (cfilters.c:307)
+ ==61829== by 0x283CEA: cf_hc_baller_connect (cf-https-connect.c:135)
+
+ Closes #13272
+
+Viktor Szakats (3 Apr 2024)
+
+- appveyor: OpenSSL 3 no longer found by CMake, revert to 1.1.1
+
+ OpenSSL moved directories, and bumped versions in AppVeyor CI.
+
+ Downgrading is not an ideal solution, but however trivial the solution
+ may be, I failed to come with anything that made CMake recognize either
+ OpenSSL 3.1 or 3.2.
+
+ Possibly caused by:
+ https://github.com/appveyor/build-images/commit/702e8cdca01f28f6a40687783f493
+ c786cebbe2c
+ https://github.com/appveyor/build-images/pull/149
+
+ Closes #13266
+
+hongfei.li (3 Apr 2024)
+
+- winbuild: use $(RC) correctly
+
+ Cloes #13267
+
+Daniel Stenberg (3 Apr 2024)
+
+- dist: remove the curl-config.1 from the tarball
+
+ The markdown file is already there and the .1 file gets generated in the
+ build.
+
+ Ref: #13250
+ Closes #13268
+
+- curl_global_trace.md: shorten the description
+
+ Closes #13263
+
+- test1901: verify chunked POST from callback with CURLOPT_POSTFIELDSIZE set
+
+ Follow-up to 721941aadf4ad
+
+ Ref: #13257
+ Closes #13262
+
+Stefan Eissing (2 Apr 2024)
+
+- http: with chunked POST forced, disable length check on read callback
+
+ - when an application forces HTTP/1.1 chunked transfer encoding
+ by setting the corresponding header and instructs curl to use
+ the CURLOPT_READFUNCTION, disregard any POST length information.
+ - this establishes backward compatibility with previous curl versions
+
+ Applications are encouraged to not force "chunked", but rather
+ set length information for a POST. By setting -1, curl will
+ auto-select chunked on HTTP/1.1 and work properly on other HTTP
+ versions.
+
+ Reported-by: Jeff King
+ Fixes #13229
+ Closes #13257
+
+Jay Satiro (1 Apr 2024)
+
+- INSTALL-CMAKE.md: explain `cmake -G <generator-name>`
+
+ - Explain that CMake's -G option can be used to specify which build
+ system to generate files for.
+
+ Example: cmake ../curl -G "MinGW Makefiles"
+
+ Ref: https://github.com/curl/curl/pull/12224#issuecomment-2026813645
+
+ Closes https://github.com/curl/curl/pull/13244
+
+Daniel Stenberg (1 Apr 2024)
+
+- libcurl-opts: mention pipelining less
+
+ libcurl has not supported HTTP pipelining since many years. Remove a few
+ (more) mentions of the feature.
+
+ Closes #13254
+
+Daniel McCarney (31 Mar 2024)
+
+- m4: reposition USE_RUSTLS="yes" for pkg-config
+
+ It's necessary to set this var to "yes" _after_ AC_DEFINE and AC_SUBST
+ in order for a later `test` to pass so that `check_for_ca_bundle=1` ends
+ up being set. This is in turn required for the default CA certificate
+ bundle to be set when building w/ rustls & pkg-config.
+
+ Reported-by: Matt Jolly
+ Fixes #13248
+ Closes #13251
+
+Daniel Stenberg (31 Mar 2024)
+
+- maketgz: put docs/RELEASE-TOOL.md into the tarball
+
+ Generated with scripts/release-tools.sh
+
+ The script lists the exact Debian package names and version numbers for
+ the tools that are used to generate the tarball.
+
+ Closes #13239
+
+- cd2nroff/manage: use UTC when SOURCE_DATE_EPOCH is set
+
+ Make them independent of the TZ setting. Also set a date string like
+ YYYY-MM-DD to avoid a local month name in the date.
+
+ Reported-by: Carlos Henrique Lima Melara
+ Fixes #13242
+ Closes #13243
+
+- RELEASE-NOTES: synced
+
+- docs/MAIL-ETIQUETTE: convert to markdown
+
+ To render nicer. To get spellchecked.
+
+ Closes #13247
+
+- reuse: add copyright + license info to individual docs/*.md files
+
+ Instead of use 'docs/*.md' in dep5. For clarity and avoiding a wide-
+ matching wildcard.
+
+ + Remove mention of old files from .reuse/dep5
+ + add info to .github/dependabot.yml
+ + make scripts/copyright.pl warn on non-matching patterns
+
+ Closes #13245
+
+- test470: warn about unicode quote character read from config file
+
+ Idea-by: Emanuele Torre
+
+- test469: verify warning when argument has unicode quote
+
+- tool_getparam: output warning for leading unicode quote character
+
+ ... in the option argument.
+
+ Typically this is a mistake done when copying example command lines from
+ online documentation using the wrong quote character.
+
+ Presumably there are also other potential quote characters that might be
+ used, and this check is done without even knowing that unicode is used!
+
+ Reported-by: Sanjay Pujare
+ Fixes #13214
+ Closes #13215
+
+- tool: follow-up getenv fix
+
+ Remove a double free. Change the IPFS env use to a plain getenv() simply
+ because coverity gets confused.
+
+ Follow-up to 9126b141c9398fe
+ Closes #13241
+
+- idn: make Curl_idnconvert_hostname() use Curl_idn_decode()
+
+ In the name of less code duplication
+
+ Closes #13236
+
+- curl-confopts.m4: define CARES_NO_DEPRECATED when c-ares is used
+
+ Starting in 1.28.0 c-ares added deprecation warnings for some API calls
+ libcurl uses.
+
+ Closes #13240
+
+- vquic: use CURL_FORMAT_CURL_OFF_T for 64 bit printf output
+
+ Reported-by: Keitagit-kun on github
+ Fixes #13224
+ Closes #13231
+
+- openldap: create ldap URLs correctly for IPv6 addresses
+
+ Reported-by: Sergio Durigan Junior
+ Fixes #13228
+ Closes #13235
+
+- curl: use curl_getenv instead of the curlx_ version
+
+ The curlx one was once introduced when we still considered dropping the
+ libcurl function at some point. To reduce confusion and to make it
+ easier to understand when curl_free() should be used, use the actual
+ libcurl function call directly instead.
+
+ Closes #13230
+
+Evgeny Grin (Karlson2k) (30 Mar 2024)
+
+- curl_sha512_256: do not use workaround for NetBSD when not needed
+
+ Assisted-by: riastradh on github
+ Assisted-by: Michael Kaufmann
+ Closes #13225
+
+Matt Jolly (30 Mar 2024)
+
+- m4: fix rustls pkg-config codepath
+
+ The previous pkg-config code would successfully detect rustls but did
+ not set all appropriate variables and call the right macros to properly
+ configure cURL.
+
+ Reported-by: kpcyrd on github
+ Fixes #13200
+ Closes #13202
+
+Daniel McCarney (30 Mar 2024)
+
+- deps: update librustls 0.12.0 -> 0.13.0
+
+ This commit updates the optional rustls-ffi librustls dependency from
+ 0.12.0 to 0.13.0. This version is based on the latest available rustls
+ release (0.23.4).
+
+ The breaking API changes from 0.12.0 to 0.13.0 are in API surface unused
+ by curl, so this is an in-place update without any code changes.
+
+ The `RUSTLS.md` documentation is updated to reflect the new version in
+ use, and to clarify that `cbindgen` isn't required to build `librustls`
+ - it's only used by developers to update the vendored `rustls.h` header
+ file maintained upstream.
+
+ Closes #13238
+
+Daniel Stenberg (28 Mar 2024)
+
+- RELEASE-NOTES: synced
+
+- tool_xattr: "guess" URL scheme if none is provided
+
+ ... when figuring out the source URL to store.
+
+ Reported-by: Dagfinn Ilmari Mannsåker
+ Fixes #13205
+ Closes #13221
+
+- tool_xattr: in debug builds, act normally if CURL_FAKE_XATTR is not set
+
+ Closes #13220
+
+Stefan Eissing (28 Mar 2024)
+
+- content_encoding: brotli and others, pass through 0-length writes
+
+ - curl's transfer handling may write 0-length chunks at the end of the
+ download with an EOS flag. (HTTP/2 does this commonly)
+
+ - content encoders need to pass-through such a write and not count this
+ as error in case they are finished decoding
+
+ Fixes #13209
+ Fixes #13212
+ Closes #13219
+
+Tobias Stoeckmann (28 Mar 2024)
+
+- libssh2: set length to 0 if strdup failed
+
+ Internally, libssh2 dereferences the NULL pointer if length is non-zero.
+ The callback function cannot return the error condition, so at least
+ prevent subsequent crash.
+
+ Closes #13213
+
+Daniel Stenberg (28 Mar 2024)
+
+- RELEASE-PROCEDURE: mention an initial working build
+
+ This is the step that was not done and caused the 8.7.0 mishap (it
+ lacked the correctly generated hugehelp file).
+
+ Remove the mention of the copyright script as this is verified by a CI
+ job these days: the REUSE one.
+
+ Closes #13216
+
+Paul Howarth (28 Mar 2024)
+
+- curl_sha512_255: fix detection of OpenSSL 1.1.1 or later
+
+ Use the same OPENSSL_VERSION_NUMBER comparison as in lib/vtls/openssl.c.
+
+ Closes #13208
+
+Robert Moreton (28 Mar 2024)
+
+- cf-socket: remove references to l_ip, l_port
+
+ Fixes #13210
+ Closes #13211
+
+Daniel Stenberg (28 Mar 2024)
+
+- openssl: do not set SSL_MODE_RELEASE_BUFFERS
+
+ While it might save some memory, it causes OpenSSL to instead do a huge
+ amount of allocations.
+
+ Ref: #13136
+ Closes #13203
+
+- curl: make --help adapt to the terminal width
+
+ Instead of assuming and working with 80 colums, try figuring out what
+ width is actually used.
+
+ Ref: #13141
+
+ Closes #13171
+
+- RELEASE-NOTES: synced
+
+ and bump to 8.7.2 for now
+
+- configure: make --disable-docs imply --disable-manual
+
+ Because when the docs is not built, the necesary curl.txt file is not
+ present so then the manual cannot get built.
+
+ Reported-by: Harry Sintonen
+ Closes #13191
+
+Chris Webb (27 Mar 2024)
+
+- cmdline-docs: fix make install with configure --disable-docs
+
+ make -C docs/cmdline-opts install depends on all-am, which in turn
+ depends on $(MANS), unconditionally defined to be $(man_MANS).
+
+ As with CLEANFILES, only add curl.1 to man_MANS when BUILD_DOCS is true
+ so we don't try to build curl.1 unnecessarily.
+
+ Closes #13198
+
Version 8.7.1 (27 Mar 2024)
Daniel Stenberg (27 Mar 2024)
@@ -7090,3935 +10707,3 @@ boilingoden (4 Nov 2023) xref: https://curl.se/changes.html#7_70_0
Closes #12266
-
-Viktor Szakats (3 Nov 2023)
-
-- appveyor: make VS2008-built curl tool runnable
-
- By linking the CRT statically. This avoids the error about missing
- runtime DLL `MSVCR90.dll` when running the freshly built `curl.exe`.
-
- Closes #12263
-
-Stefan Eissing (3 Nov 2023)
-
-- url: proxy ssl connection reuse fix
-
- - tunnel https proxy used for http: transfers does
- no check if proxy-ssl configuration matches
- - test cases added, test_10_12 fails on 8.4.0
-
- Closes #12255
-
-Jay Satiro (3 Nov 2023)
-
-- curl_sspi: support more revocation error names in error messages
-
- - Add these revocation errors to sspi error list:
- CRYPT_E_NO_REVOCATION_DLL, CRYPT_E_NO_REVOCATION_CHECK,
- CRYPT_E_REVOCATION_OFFLINE and CRYPT_E_NOT_IN_REVOCATION_DATABASE.
-
- Prior to this change those error codes were not matched to their macro
- name and instead shown as "unknown error".
-
- Before:
-
- schannel: next InitializeSecurityContext failed:
- Unknown error (0x80092013) - The revocation function was
- unable to check revocation because the revocation server was offline.
-
- After:
-
- schannel: next InitializeSecurityContext failed:
- CRYPT_E_REVOCATION_OFFLINE (0x80092013) - The revocation function was
- unable to check revocation because the revocation server was offline.
-
- Bug: https://github.com/curl/curl/issues/12239
- Reported-by: Niracler Li
-
- Closes https://github.com/curl/curl/pull/12241
-
-- strdup: don't allow Curl_strndup to read past a null terminator
-
- - Use malloc + strncpy instead of Curl_memdup to dupe the string before
- null terminating it.
-
- Prior to this change if Curl_strndup was passed a length longer than
- the allocated string then it could copy out of bounds.
-
- This change is for posterity. Curl_strndup was added in the parent
- commit and currently none of the calls to it pass a length that would
- cause it to read past the allocated length of the input.
-
- Follow-up to d3b3ba35.
-
- Closes https://github.com/curl/curl/pull/12254
-
-Daniel Stenberg (2 Nov 2023)
-
-- lib: add and use Curl_strndup()
-
- The Curl_strndup() function is similar to memdup(), but copies 'n' bytes
- then adds a terminating null byte ('\0').
-
- Closes #12251
-
-- CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO
-
-Stefan Eissing (2 Nov 2023)
-
-- pytest: use lower count in repeat tests
-
- - lower large iteration counts in some tests somewhat for
- the same coverage with less duration
-
- Closes #12248
-
-Daniel Stenberg (2 Nov 2023)
-
-- RELEASE-NOTES: synced
-
-- docs: clarify that curl passes on input unfiltered
-
- ... for several options.
-
- Reported-by: Ophir Lojkine
-
- Closes #12249
-
-- urlapi: when URL encoding the fragment, pass in the right length
-
- A benign bug because it would only add an extra null terminator.
-
- Made lib1560 get a test that runs this code.
-
- Closes #12250
-
-Stefan Eissing (2 Nov 2023)
-
-- vtls: late clone of connection ssl config
-
- - perform connection cache matching against `data->set.ssl.primary`
- and proxy counterpart
- - fully clone connection ssl config only when connection is used
-
- Closes #12237
-
-- msh3: error when built with CURL_DISABLE_SOCKETPAIR set
-
- Reported-by: Gisle Vanem
- Closes #12252
- Fixes #12213
-
-Daniel Stenberg (2 Nov 2023)
-
-- hsts: skip single-dot hostname
-
- Reported-by: Maksymilian Arciemowicz
-
- Closes #12247
-
-- vtls: fix build without proxy
-
- Follow-up to bf0e278a3c54bc7fee7360da17c
-
- closes #12243
-
-- docs/example/keepalive.c: show TCP keep-alive options
-
- Closes #12242
-
-- lib1560: verify appending blank URL encoded query string
-
-- urlapi: skip appending NULL pointer query
-
- Reported-by: kirbyn17 on hackerone
-
- Closes #12240
-
-- lib1560: verify setting host to "" with and without URL encode
-
-- urlapi: avoid null deref if setting blank host to url encode
-
- Reported-by: kirbyn17 on hackerone
-
- Closes #12240
-
-- dynbuf: assert for NULL pointer inputs
-
- Help us catch more mistakes.
-
- Closes #12238
-
-- HTTP3: ngtcp2 builds are no longer experimental
-
- The other HTTP/3 backends are still experimental.
-
- Closes #12235
-
-Stefan Eissing (31 Oct 2023)
-
-- vtls: cleanup SSL config management
-
- - remove `Curl_ssl_get_config()`, no longer needed
-
- Closes #12204
-
-Daniel Stenberg (31 Oct 2023)
-
-- libcurl-thread.3: simplify the TLS section
-
- All TLS libraries curl can use are threadsafe since OpenSSL 1.1.x, August
- 2016.
-
- Closes #12233
-
-- configure: better --disable-http
-
- - disable HTTPS-proxy as well, since it can't work without HTTP
-
- - curl_setup: when HTTP is disabled, also disable all features that are
- HTTP-only
-
- - version: HTTPS-proxy only exists if HTTP support exists
-
- Closes #12223
-
-- http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine
-
- Finding a 'Content-Range:' in the response changed the handling.
-
- Add test case 1475 to verify -C - with 416 and Content-Range: header,
- which is almost exactly like test 194 which instead uses a fixed -C
- offset. Adjusted test 194 to also be considered fine.
-
- Fixes #10521
- Reported-by: Smackd0wn
- Fixes #12174
- Reported-by: Anubhav Rai
- Closes #12176
-
-Stefan Eissing (30 Oct 2023)
-
-- GHA: fix checkout of quictls repository to use correct branch name
-
- Follow-up to c868b0e30f10cd0ac7
-
- Closes #12232
-
-Daniel Stenberg (30 Oct 2023)
-
-- docs/example/localport.c: show off CURLOPT_LOCALPORT
-
- Closes #12230
-
-- docs/examples/interface.c: show CURLOPT_INTERFACE use
-
- Although super simple.
-
- Closes #12229
-
-Viktor Szakats (30 Oct 2023)
-
-- build: fix compiler warning with auths disabled
-
- ```
- ./curl/lib/http.c:979:12: warning: unused function 'is_valid_auth_separator'
- [-Wunused-function]
- static int is_valid_auth_separator(char ch)
- ^
- 5 warnings generated.
- ```
-
- Follow-up to e92edfbef64448ef461117769881f3ed776dec4e #11490
-
- Closes #12227
-
-- build: require Windows XP or newer
-
- After this patch we assume availability of `getaddrinfo` and
- `freeaddrinfo`, first introduced in Windows XP. Meaning curl
- now requires building for Windows XP as a minimum.
-
- TODO: assume these also in autotools.
-
- Ref: https://github.com/curl/curl/pull/12221#issuecomment-1783761806
- Closes #12225
-
-- appveyor: bump one job to OpenSSL 3.1 (was 1.1.1)
-
- Use 3.1 with the modern runner image.
-
- We still use 1.1.1 in 8 jobs.
-
- 1.1.1 is EOL since 2023-09-11:
- https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
-
- Also:
- - add missing SSL-backend to job descriptions.
- - tidy up CPU in job descriptions.
-
- Closes #12226
-
-Daniel Stenberg (30 Oct 2023)
-
-- RELEASE-NOTES: synced
-
-- GHA: bump ngtcp2, nghttp3, nghttp2 and quictls versions
-
- ngtcp2 1.0.1
- nghttp3 1.0.0
- nghttp2 1.58.0
- quictls 3.1.4+quic
-
- also sync HTTP3.md with these changes
-
- Closes #12132
-
-Kareem (29 Oct 2023)
-
-- wolfssl: add default case for wolfssl_connect_step1 switch
-
- Closes #12218
-
-Jay Satiro (29 Oct 2023)
-
-- curl_setup: disallow Windows IPv6 builds missing getaddrinfo
-
- - On Windows if IPv6 is enabled but getaddrinfo is missing then #error
- the build.
-
- curl can be built with IPv6 support (ENABLE_IPV6) but without the
- ability to resolve hosts to IPv6 addresses (HAVE_GETADDRINFO). On
- Windows this is highly unlikely and should be considered a bad build
- configuration.
-
- Such a bad configuration has already given us a bug that was hard to
- diagnose. See #12134 and #12136 for discussion.
-
- Ref: https://github.com/curl/curl/issues/12134
- Ref: https://github.com/curl/curl/pull/12136
-
- Closes https://github.com/curl/curl/pull/12221
-
-Nico Rieck (29 Oct 2023)
-
-- openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs
-
- - If CURLSSLOPT_NATIVE_CA on Windows then import from intermediate CA
- "CA" store after importing from root CA "ROOT" store.
-
- This change allows curl to work in situations where a server does not
- send all intermediate certs and they are present in the "CA" store (the
- store with intermediate CAs). This is already allowed by the Schannel
- backend.
-
- Also this change makes partial chain verification possible for those
- certs since we allow partial chain verification by default for OpenSSL
- (unless CURLSSLOPT_NO_PARTIALCHAIN). This is not allowed by the Schannel
- backend.
-
- Prior to this change CURLSSLOPT_NATIVE_CA only imported "ROOT" certs.
-
- Fixes https://github.com/curl/curl/issues/12155
- Closes https://github.com/curl/curl/pull/12185
-
-Viktor Szakats (28 Oct 2023)
-
-- Makefile.mk: fix `-rtmp` option for non-Windows [ci skip]
-
-Daniel Stenberg (28 Oct 2023)
-
-- asyn-ares: handle no connection in the addrinfo callback
-
- To avoid crashing.
-
- Follow-up from 56a4db2
- Closes #12219
-
-Jay Satiro (28 Oct 2023)
-
-- hostip6: fix DEBUG_ADDRINFO builds
-
- - Removed unused and incorrect parameter from dump_addrinfo().
-
- Bug: https://github.com/curl/curl/commit/56a4db2e#commitcomment-131050442
- Reported-by: Gisle Vanem
-
- Closes https://github.com/curl/curl/pull/12212
-
-Viktor Szakats (28 Oct 2023)
-
-- Makefile.mk: restore `_mingw.h` for default `_WIN32_WINNT`
-
- In 8.4.0 we deleted `_mingw.h` as part of purging old-mingw support.
- Turns out `_mingw.h` had the side-effect of setting a default
- `_WIN32_WINNT` value expected by `lib/config-win32.h` to enable
- `getaddrinfo` support in `Makefile.mk` mingw-w64 builds. This caused
- disabling support for this unless specifying the value manually.
-
- Restore this header and update its comment to tell why we continue
- to need it.
-
- This triggered a regression in official Windows curl builds starting
- with 8.4.0_1. Fixed in 8.4.0_6. (8.5.0 will be using CMake.)
-
- Regression from 38029101e2d78ba125732b3bab6ec267b80a0e72 #11625
-
- Reported-by: zhengqwe on github
- Helped-by: Nico Rieck
- Fixes #12134
- Fixes #12136
- Closes #12217
-
-- hostip: silence compiler warning `-Wparentheses-equality`
-
- Seen with LLVM 17.
-
- ```
- hostip.c:1336:22: warning: equality comparison with extraneous parentheses [-
- Wparentheses-equality]
- 1336 | (a->ai_family == PF_INET)) {
- | ~~~~~~~~~~~~~^~~~~~~~~~
- hostip.c:1336:22: note: remove extraneous parentheses around the comparison t
- o silence this warning
- 1336 | (a->ai_family == PF_INET)) {
- | ~ ^ ~
- hostip.c:1336:22: note: use '=' to turn this equality comparison into an assi
- gnment
- 1336 | (a->ai_family == PF_INET)) {
- | ^~
- | =
- 1 warning generated.
- ```
-
- Follow-up to b651aba0962bb31353f55de4dc35f745952a1b10 #12145
-
- Reviewed-by: Daniel Stenberg
- Closes #12215
-
-Stefan Eissing (27 Oct 2023)
-
-- doh: use PIPEWAIT when HTTP/2 is attempted
-
- Closes #12214
-
-Daniel Stenberg (27 Oct 2023)
-
-- setopt: remove outdated cookie comment
-
- Closes #12206
-
-Stefan Eissing (27 Oct 2023)
-
-- cfilter: provide call to tell connection to forget a socket
-
- - fixed libssh.c workaround for a socket being closed by
- the library
- - eliminate the terrible hack in cf-socket.c to guess when
- this happened and try not closing the socket again.
- - fixes race in eyeballing when socket could have failed to
- be closed for a discarded connect attempt
-
- Closes #12207
-
-- url: protocol handler lookup tidy-up
-
- - rename lookup to what it does
- - use ARRAYSIZE instead of NULL check for end
- - offer alternate lookup for 0-terminated strings
-
- Closes #12216
-
-Viktor Szakats (27 Oct 2023)
-
-- build: variadic macro tidy-ups
-
- - delete unused `HAVE_VARIADIC_MACROS_C99/GCC` feature checks.
- (both autotools and CMake.)
- - delete duplicate `NULL` check in `Curl_trc_cf_infof()`.
- - fix compiler warning in `CURL_DISABLE_VERBOSE_STRINGS` builds.
- ```
- ./lib/cf-socket.c:122:41: warning: unused parameter 'data' [-Wunused-parame
- ter]
- static void nosigpipe(struct Curl_easy *data,
- ^
- ```
- - fix `#ifdef` comments in `lib/curl_trc.{c,h}`.
- - fix indentation in some `infof()` calls.
-
- Follow-up to dac293cfb7026b1ca4175d88b80f1432d3d3c684 #12167
-
- Cherry-picked from #12105
- Closes #12210
-
-- cmake: speed up threads setup for Windows
-
- Win32 threads are always available. We enabled them unconditionally
- (with `ENABLE_THREADED_RESOLVER`). CMake built-in thread detection
- logic has this condition hard-coded for Windows as well (since at least
- 2007).
-
- Instead of doing all the work of detecting pthread combinations on
- Windows, then discarding those results, skip these efforts and assume
- built-in thread support when building for Windows.
-
- This saves 1-3 slow CMake configuration steps.
-
- Reviewed-by: Daniel Stenberg
- Closes #12202
-
-- cmake: speed up zstd detection
-
- Before this patch we detected the presence of a specific zstd API to
- see if we can use the library. zstd published that API in its first
- stable release: v1.0.0 (2016-08-31).
-
- Replace that method by detecting the zstd library version instead and
- accepting if it's v1.0.0 or newer. Also display this detected version
- and display a warning if the zstd found is unfit for curl.
-
- We use the same version detection method as zstd itself, via its public
- C header.
-
- This deviates from autotools which keeps using the slow method of
- looking for the API by building a test program. The outcome is the same
- as long as zstd keeps offering this API.
-
- Ref: https://github.com/facebook/zstd/commit/5a0c8e24395079f8e8cdc90aa1659cd5
- ab1b7427 (2016-08-12, committed)
- Ref: https://github.com/facebook/zstd/releases/tag/v0.8.1 (2016-08-18, first
- released)
- Ref: https://github.com/facebook/zstd/releases/tag/v1.0.0
-
- Reviewed-by: Daniel Stenberg
- Closes #12200
-
-Daniel Stenberg (26 Oct 2023)
-
-- openssl: fix infof() to avoid compiler warning for %s with null
-
- vtls/openssl.c: In function ‘ossl_connect_step2’:
- ../lib/curl_trc.h:120:10: error: ‘%s’ directive argument is null [-Werror
- =format-overflow=]
- 120 | Curl_infof(data, __VA_ARGS__); } while(0)
- | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- vtls/openssl.c:4008:5: note: in expansion of macro ‘infof’
- 4008 | infof(data, "SSL connection using %s / %s / %s / %s",
- | ^~~~~
- vtls/openssl.c:4008:49: note: format string is defined here
- 4008 | infof(data, "SSL connection using %s / %s / %s / %s",
- | ^~
-
- Follow-up to b6e6d4ff8f253c8b8055bab
- Closes #12196
-
-Stefan Eissing (26 Oct 2023)
-
-- lib: apache style infof and trace macros/functions
-
- - test for a simplified C99 variadic check
- - args to infof() in --disable-verbose are no longer disregarded but
- must compile.
-
- Closes #12167
- Fixes #12083
- Fixes #11880
- Fixes #11891
-
-Daniel Stenberg (26 Oct 2023)
-
-- RELEASE-NOTES: synced
-
-Stefan Eissing (26 Oct 2023)
-
-- urldata: move async resolver state from easy handle to connectdata
-
- - resolving is done for a connection, not for every transfer
- - save create/dup/free of a cares channel for each transfer
- - check values of setopt calls against a local channel if no
- connection has been attached yet, when needed.
-
- Closes #12198
-
-Daniel Stenberg (26 Oct 2023)
-
-- CURLOPT_WRITEFUNCTION.3: clarify what libcurl returns for CURL_WRITEFUNC_ERRO
- R
-
- It returns CURLE_WRITE_ERROR. It was not previously stated clearly.
-
- Reported-by: enWILLYado on github
- Fixes #12201
- Closes #12203
-
-Viktor Szakats (25 Oct 2023)
-
-- autotools: update references to deleted `crypt-auth` option
-
- Delete leftovers of the `crypt-auth` `./configure` option and
- add the new ones that replaced them.
-
- Follow-up to e92edfbef64448ef461117769881f3ed776dec4e #11490
-
- Reviewed-by: Daniel Stenberg
- Closes #12194
-
-Stefan Eissing (25 Oct 2023)
-
-- lib: introduce struct easy_poll_set for poll information
-
- Connection filter had a `get_select_socks()` method, inspired by the
- various `getsocks` functions involved during the lifetime of a
- transfer. These, depending on transfer state (CONNECT/DO/DONE/ etc.),
- return sockets to monitor and flag if this shall be done for POLLIN
- and/or POLLOUT.
-
- Due to this design, sockets and flags could only be added, not
- removed. This led to problems in filters like HTTP/2 where flow control
- prohibits the sending of data until the peer increases the flow
- window. The general transfer loop wants to write, adds POLLOUT, the
- socket is writeable but no data can be written.
-
- This leads to cpu busy loops. To prevent that, HTTP/2 did set the
- `SEND_HOLD` flag of such a blocked transfer, so the transfer loop cedes
- further attempts. This works if only one such filter is involved. If a
- HTTP/2 transfer goes through a HTTP/2 proxy, two filters are
- setting/clearing this flag and may step on each other's toes.
-
- Connection filters `get_select_socks()` is replaced by
- `adjust_pollset()`. They get passed a `struct easy_pollset` that keeps
- up to `MAX_SOCKSPEREASYHANDLE` sockets and their `POLLIN|POLLOUT`
- flags. This struct is initialized in `multi_getsock()` by calling the
- various `getsocks()` implementations based on transfer state, as before.
-
- After protocol handlers/transfer loop have set the sockets and flags
- they want, the `easy_pollset` is *always* passed to the filters. Filters
- "higher" in the chain are called first, starting at the first
- not-yet-connection one. Each filter may add sockets and/or change
- flags. When all flags are removed, the socket itself is removed from the
- pollset.
-
- Example:
-
- * transfer wants to send, adds POLLOUT
- * http/2 filter has a flow control block, removes POLLOUT and adds
- POLLIN (it is waiting on a WINDOW_UPDATE from the server)
- * TLS filter is connected and changes nothing
- * h2-proxy filter also has a flow control block on its tunnel stream,
- removes POLLOUT and adds POLLIN also.
- * socket filter is connected and changes nothing
- * The resulting pollset is then mixed together with all other transfers
- and their pollsets, just as before.
-
- Use of `SEND_HOLD` is no longer necessary in the filters.
-
- All filters are adapted for the changed method. The handling in
- `multi.c` has been adjusted, but its state handling the the protocol
- handlers' `getsocks` method are untouched.
-
- The most affected filters are http/2, ngtcp2, quiche and h2-proxy. TLS
- filters needed to be adjusted for the connecting handshake read/write
- handling.
-
- No noticeable difference in performance was detected in local scorecard
- runs.
-
- Closes #11833
-
-Daniel Stenberg (25 Oct 2023)
-
-- tests/README: SOCKS tests are not using OpenSSH, it has its own server
-
- Follow-up to 04fd67555cc
-
- Closes #12195
-
-Jacob Hoffman-Andrews (25 Oct 2023)
-
-- tets: make test documentation more user-friendly
-
- Put the instructions to run tests right at the top of tests/README.md.
-
- Give instructions to read the runtests.1 man page for information
- about flags. Delete redundant copy of the flags documentation in the
- README.
-
- Add a mention in README.md of the important parallelism flag, to make
- test runs go much faster.
-
- Move documentation of output line format into the runtests.1 man page,
- and update it with missing flags.
-
- Fix the order of two flags in the man page.
-
- Closes #12193
-
-Viktor Szakats (24 Oct 2023)
-
-- cmake: pre-fill rest of detection values for Windows
-
- The goal of this patch is to avoid unnecessary feature detection work
- when doing Windows builds with CMake. Do this by pre-filling well-known
- detection results for Windows and specifically for mingw-w64 and MSVC
- compilers. Also limit feature checks to platforms where the results are
- actually used. Drop a few redundant ones. And some tidying up.
-
- - pre-fill remaining detection values in Windows CMake builds.
-
- Based on actual detection results observed in CI runs, preceding
- similar work over libssh2 and matching up values with
- `lib/config-win32.h`.
-
- This brings down CMake configuration time from 58 to 14 seconds on the
- same local machine.
-
- On AppVeyor CI this translates to:
- - 128 seconds -> 50 seconds VS2022 MSVC with OpenSSL (per CMake job):
- https://ci.appveyor.com/project/curlorg/curl/builds/48208419/job/4gw66ecr
- jpy7necb#L296
- https://ci.appveyor.com/project/curlorg/curl/builds/48217440/job/8m4fwrr2
- fe249uo8#L186
- - 62 seconds -> 16 seconds VS2017 MINGW (per CMake job):
- https://ci.appveyor.com/project/curlorg/curl/builds/48208419/job/s1y8q5iv
- lcs7ub29?fullLog=true#L290
- https://ci.appveyor.com/project/curlorg/curl/builds/48217440/job/pchpxyjs
- yc9kl13a?fullLog=true#L194
-
- The formula is about 1-3 seconds delay for each detection. Almost all
- of these trigger a full compile-link cycle behind the scenes, slow
- even today, both cross and native, mingw-w64 and apparently MSVC too.
- Enabling .map files or other custom build features slows it down
- further. (Similar is expected for autotools configure.)
-
- - stop detecting `idn2.h` if idn2 was deselected.
- autotools does this.
-
- - stop detecting `idn2.h` if idn2 was not found.
- This deviates from autotools. Source code requires both header and
- lib, so this is still correct, but faster.
-
- - limit `ADDRESS_FAMILY` detection to Windows.
-
- - normalize `HAVE_WIN32_WINNT` value to lowercase `0x0a12` format.
-
- - pre-fill `HAVE_WIN32_WINNT`-dependent detection results.
- Saving 4 (slow) feature-detections in most builds: `getaddrinfo`,
- `freeaddrinfo`, `inet_ntop`, `inet_pton`
-
- - fix pre-filled `HAVE_SYS_TIME_H`, `HAVE_SYS_PARAM_H`,
- `HAVE_GETTIMEOFDAY` for mingw-w64.
- Luckily this do not change build results, as `WIN32` took
- priority over `HAVE_GETTIMEOFDAY` with the current source
- code.
-
- - limit `HAVE_CLOCK_GETTIME_MONOTONIC_RAW` and
- `HAVE_CLOCK_GETTIME_MONOTONIC` detections to non-Windows.
- We're not using these in the source code for Windows.
-
- - reduce compiler warning noise in CMake internal logs:
- - fix to include `winsock2.h` before `windows.h`.
- Apply it to autotools test snippets too.
- - delete previous `-D_WINSOCKAPI_=` hack that aimed to fix the above.
- - cleanup `CMake/CurlTests.c` to emit less warnings.
-
- - delete redundant `HAVE_MACRO_SIGSETJMP` feature check.
- It was the same check as `HAVE_SIGSETJMP`.
-
- - delete 'experimental' marking from `CURL_USE_OPENSSL`.
-
- - show CMake version via `CMakeLists.txt`.
- Credit to the `zlib-ng` project for the idea:
- https://github.com/zlib-ng/zlib-ng/blob/61e181c8ae93dbf56040336179c9954078b
- d1399/CMakeLists.txt#L7
-
- - make `CMake/CurlTests.c` pass `checksrc`.
-
- - `CMake/WindowsCache.cmake` tidy-ups.
-
- - replace `WIN32` guard with `_WIN32` in `CMake/CurlTests.c`.
-
- Closes #12044
-
-Jay Satiro (24 Oct 2023)
-
-- page-footer: clarify exit code 25
-
- - Clarify that curl tool exit code 25 means an upload failed to start.
-
- Exit code 25 is equivalent to CURLE_UPLOAD_FAILED (25). Prior to this
- change the documentation only mentioned the case of FTP STOR failing.
-
- Reported-by: Emanuele Torre
-
- Ref: https://github.com/curl/curl/blob/curl-8_4_0/docs/libcurl/libcurl-errors
- .3#L113-L115
-
- Fixes https://github.com/curl/curl/issues/12189
- Closes https://github.com/curl/curl/pull/12190
-
-Daniel Stenberg (24 Oct 2023)
-
-- scripts/cijobs.pl: adjust for appveyor
-
- Follow-up to a1d73a6bb
-
-Alex Bozarth (24 Oct 2023)
-
-- OpenSSL: Include SIG and KEM algorithms in verbose
-
- Currently the verbose output does not include which algorithms are used
- for the signature and key exchange when using OpenSSL. Including the
- algorithms used will enable better debugging when working on using new
- algorithm implementations. Know what algorithms are used has become more
- important with the fast growing research into new quantum-safe
- algorithms.
-
- This implementation includes a build time check for the OpenSSL version
- to use a new function that will be included in OpenSSL 3.2 that was
- introduced in openssl/openssl@6866824
-
- Based-on-patch-by: Martin Schmatz <mrt@zurich.ibm.com>
- Closes #12030
-
-Daniel Stenberg (23 Oct 2023)
-
-- http2: provide an error callback and failf the message
-
- Getting nghttp2's error message helps users understand what's going
- on. For example when the connection is brought down due a forbidden
- header is used - as that header is then not displayed by curl itself.
-
- Example:
-
- curl: (92) Invalid HTTP header field was received: frame type: 1,
- stream: 1, name: [upgrade], value: [h2,h2c]
-
- Ref: #12172
- Closes #12179
-
-Turiiya (23 Oct 2023)
-
-- BINDINGS: add V binding
-
- Closes #12182
-
-Daniel Stenberg (22 Oct 2023)
-
-- configure: check for the fseeko declaration too
-
- ... and make the code require both symbol and declaration.
-
- This is because for Android, the symbol is always present in the lib at
- build-time even when not actually available in run-time.
-
- Assisted-by: Viktor Szakats
- Reported-by: 12932 on github
- Fixes #12086
- Closes #12158
-
-Viktor Szakats (22 Oct 2023)
-
-- cmake: fix OpenSSL quic detection in quiche builds
-
- An orphan call to `CheckQuicSupportInOpenSSL()` remained after a recent
- update when checking QUIC for quiche. Move back QUIC detection to
- a function and fixup callers to use that. Also make sure that quiche
- gets QUIC from BoringSSL, because it doesn't support other forks at this
- time.
-
- Regression from dee310d54261f9a8416e87d50bccfe2cbe404949 #11555
-
- Reported-by: Casey Bodley <cbodley@redhat.com>
- Fixes #12160
- Closes #12162
-
-Daniel Stenberg (22 Oct 2023)
-
-- RELEASE-NOTES: synced
-
- bump to 8.5.0 for pending release
-
-Dan Fandrich (21 Oct 2023)
-
-- test3103: add missing quotes around a test tag attribute
-
-Loïc Yhuel (21 Oct 2023)
-
-- tool: fix --capath when proxy support is disabled
-
- After 95e8515ca0, --capath always sets CURLOPT_PROXY_CAPATH, which fails
- with CURLE_UNKNOWN_OPTION when proxy support is disabled.
-
- Closes #12089
-
-Daniel Stenberg (21 Oct 2023)
-
-- openldap: move the alloc of ldapconninfo to *connect()
-
- Fixes a minor memory leak on LDAP connection reuse.
-
- Doing the allocation already in *setup_connection() is wrong since that
- connect struct might get discarded early when an existing connection is
- reused instead.
-
- Closes #12166
-
-- openldap: set the callback argument in oldap_do
-
- ... to make sure it has the current 'data' pointer and not a stale old
- one.
-
- Reported-by: Dan Fandrich
- Closes #12166
-
-- gnutls: support CURLSSLOPT_NATIVE_CA
-
- Remove the CURL_CA_FALLBACK logic. That build option was added to allow
- primarily OpenSSL to use the default paths for loading the CA certs. For
- GnuTLS it was instead made to load the "system certs", which is
- different and not desirable.
-
- The native CA store loading is now asked for with this option.
-
- Follow-up to 7b55279d1d856
-
- Co-authored-by: Jay Satiro
-
- Closes #12137
-
-Stefan Eissing (21 Oct 2023)
-
-- RTSP: improved RTP parser
-
- - fix HTTP header parsing to report incomplete
- lines it buffers as consumed!
- - re-implement the RTP parser for interleave RTP
- messages for robustness. It is now keeping its
- state at the connection
- - RTSP protocol handler "readwrite" implementation
- now tracks if the response is before/in/after
- header parsing or "in" a bod by calling
- "Curl_http_readwrite_headers()" itself. This
- allows it to know when non-RTP bytes are "junk"
- or HEADER or BODY.
- - tested with #12035 and various small receive
- sizes where current master fails
-
- Closes #12052
-
-- http2: header conversion tightening
-
- - fold the code to convert dynhds to the nghttp2 structs
- into a dynhds internal method
- - saves code duplication
- - pacifies compiler analyzers
-
- Closes #12097
-
-Daniel Stenberg (21 Oct 2023)
-
-- curl_ntlm_wb: fix elif typo
-
- Reported-by: Manfred Schwarb
- Follow-up to d4314cdf65ae
- Bug: https://github.com/curl/curl/commit/d4314cdf65aee295db627016934bd9eb621a
- b077#r130551295
-
-Dan Fandrich (20 Oct 2023)
-
-- test1683: remove commented-out check alternatives
-
- Python precheck/postcheck alternatives were included but commented out.
- Since these are not used and perl is guaranteed to be available to run
- the perl versions anyway, the Python ones are removed.
-
-Daniel Stenberg (20 Oct 2023)
-
-- hostip: show the list of IPs when resolving is done
-
- Getting 'curl.se' today then gets this verbose output which might help
- debugging connectivity related matters.
-
- * Host curl.se:80 was resolved.
- * IPv6: 2a04:4e42::347, 2a04:4e42:200::347, 2a04:4e42:400::347,
- 2a04:4e42:600::347, 2a04:4e42:800::347, 2a04:4e42:a00::347,
- 2a04:4e42:c00::347, 2a04:4e42:e00::347
- * IPv4: 151.101.193.91, 151.101.1.91, 151.101.65.91, 151.101.129.91
-
- Co-authored-by: Jay Satiro
- Closes #12145
-
-rilysh (20 Oct 2023)
-
-- docs: fix function typo in curl_easy_option_next.3
-
- Closes #12170
-
-Daniel Stenberg (20 Oct 2023)
-
-- vssh: remove the #ifdef for Curl_ssh_init, use empty macro
-
- In the same style as other init calls
-
-- easy: remove duplicate wolfSSH init call
-
- It is already done in Curl_ssh_init() where it belongs.
-
- Closes #12168
-
-- socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice
-
- Fixes #11949
- Reported-by: Ammar Faizi
- Closes #12163
-
-- urldata: move the 'internal' boolean to the state struct
-
- ... where all the other state bits for the easy handles live.
-
- Closes #12165
-
-- url: don't touch the multi handle when closing internal handles
-
- Reported-by: Maksymilian Arciemowicz
- Closes #12165
-
-Faraz Fallahi (19 Oct 2023)
-
-- getenv: PlayStation doesn't have getenv()
-
- Closes #12140
-
-Daniel Stenberg (19 Oct 2023)
-
-- transfer: only reset the FTP wildcard engine in CLEAR state
-
- To avoid the state machine to start over and redownload all the files
- *again*.
-
- Reported-by: lkordos on github
- Regression from 843b3baa3e3cb228 (shipped in 8.1.0)
- Bisect-by: Dan Fandrich
- Fixes #11775
- Closes #12156
-
-Stefan Eissing (19 Oct 2023)
-
-- GHA: move mod_h2 version in CI to v2.0.25
-
- Closes #12157
-
-Daniel Stenberg (19 Oct 2023)
-
-- ntlm_wb: use pipe instead of socketpair when possible
-
- Closes #12149
-
-- RELEASE-NOTES: synced
-
-- asyn-thread: use pipe instead of socketpair for IPC when available
-
- If pipe() is present. Less overhead.
-
- Helped-by: Viktor Szakats
- Closes #12146
-
-Dan Fandrich (17 Oct 2023)
-
-- tests: Fix Windows test helper tool search & use it for handle64
-
- The checkcmd() and checktestcmd() functions would not have worked on
- Windows due to hard-coding the UNIX PATH separator character and not
- adding .exe file extension. This meant that tools like stunnel, valgrind
- and nghttpx would not have been found and used on Windows, and
- inspection of previous test runs show none of those being found in pure
- Windows CI builds.
-
- With this fixed, they can be used to detect the handle64.exe program
- before attempting to use it. When handle64.exe was called
- unconditionally without it existing, it caused perl to abort the test
- run with the error
-
- The running command stopped because the preference variable
- "ErrorActionPreference" or common parameter is set to Stop:
- sh: handle64.exe: command not found
-
- Closes #12115
-
-Daniel Stenberg (17 Oct 2023)
-
-- multi: use pipe instead of socketpair to *wakeup()
-
- If pipe() is present. Less overhead.
-
- Closes #12142
-
-Jay Satiro (17 Oct 2023)
-
-- build: fix 'threadsafe' feature detection for older gcc
-
- - Add 'threadsafe' to the feature list shown during build if POSIX
- threads are being used.
-
- This is a follow-up to 5adb6000 which added support for building a
- thread-safe libcurl with older versions of gcc where atomic is not
- available but pthread is.
-
- Reported-by: Dan Fandrich
- Co-authored-by: Dan Fandrich
-
- Fixes https://github.com/curl/curl/issues/12125
- Closes https://github.com/curl/curl/pull/12127
-
-Daniel Stenberg (16 Oct 2023)
-
-- test729: verify socks4a with excessive proxy user name length
-
-- socks: better buffer size checks for socks4a user and hostname
-
- Also limit the proxy user name to 255 bytes, which is the same limit as
- in SOCKS5.
-
- Reported-by: sd0 on hackerone
- Closes #12139
-
-- curl.h: on FreeBSD include sys/param.h instead of osreldate.h
-
- Should things build on Playstation as well
-
- Fixes #12107
- Reported-by: Faraz Fallahi
- Closes #12123
-
-Marcin Rataj (16 Oct 2023)
-
-- tool_operate: fix links in ipfs errors
-
- URL fragment links generated from headers in
- https://curl.se/docs/ipfs.html are lowercase.
-
- Closes #12133
-
-Viktor Szakats (15 Oct 2023)
-
-- cmake: replace `check_library_exists_concat()`
-
- The idea of `check_library_exists_concat()` is that it detects an
- optional component and adds it to the list of libs that we also use in
- subsequent component checks. This caused problems when detecting
- components with unnecessary dependencies that were not yet built.
-
- CMake offers the `CMAKE_REQUIRED_LIBRARIES` variable to set libs used
- for component checks, which we already use in most cases. That left 4
- uses of `check_library_exists_concat()`. Only one of these actually
- needed the 'concat' feature (ldap/lber).
-
- Delete this function and replace it with standard
- `check_library_exists()` and manual management of our `CURL_LIBS`
- list we use when linking build targets. And special logic to handle the
- ldap/lber case.
-
- (We have a similar function for headers: `check_include_file_concat()`.
- It works, but problematic for performance reasons and because it hides
- the actual headers required in `check_symbol_exists()` calls.)
-
- Ref: #11537 #11558
- Fixes #11285
- Fixes #11648
- Closes #12070
-
-LoRd_MuldeR (15 Oct 2023)
-
-- tool_cb_wrt: fix write output for very old Windows versions
-
- - Pass missing parameter for 'lpNumberOfCharsWritten' to WriteConsoleW()
- function.
-
- Apparently this parameter was *not* optional on older Windows versions.
-
- Issue observed on Windows XP SP2. Issue not observed on Windows 7 SP1.
- So at some point between those two Microsoft changed the behavior.
-
- Prior to this change, on those versions if parameter is NULL then the
- function call fails with error ERROR_INVALID_ACCESS.
-
- Regression since af3f4e41.
-
- Ref: https://github.com/MicrosoftDocs/Console-Docs/issues/299
-
- Fixes https://github.com/curl/curl/issues/12131
- Closes https://github.com/curl/curl/pull/12130
-
-Jay Satiro (15 Oct 2023)
-
-- tool_urlglob: fix build for old gcc versions
-
- - Don't use __builtin_mul_overflow for GCC 4 and earlier.
-
- The function was added in GCC 5.
-
- Ref: https://gcc.gnu.org/gcc-5/changes.html
-
- Reported-by: Dan Fandrich
-
- Fixes https://github.com/curl/curl/issues/12124
- Closes https://github.com/curl/curl/pull/12128
-
-Carlos Henrique Lima Melara (14 Oct 2023)
-
-- docs/libcurl: fix three minor man page format mistakes
-
- Reported-by: Samuel Henrique
-
- Closes https://github.com/curl/curl/pull/12126
-
-Jay Satiro (14 Oct 2023)
-
-- tests/server: add more SOCKS5 handshake error checking
-
- - Add additional checking for missing and too-short SOCKS5 handshake
- messages.
-
- Prior to this change the SOCKS5 test server did not check that all parts
- of the handshake were received successfully. If those parts were missing
- or too short then the server would access uninitialized memory.
-
- This issue was discovered in CI job 'memory-sanitizer' test results.
- Test 2055 was failing due to the SOCKS5 test server not running. It was
- not running because either it crashed or memory sanitizer aborted it
- during Test 728. Test 728 connects to the SOCKS5 test server on a
- redirect but does not send any data on purpose. The test server was not
- prepared for that.
-
- Reported-by: Dan Fandrich
-
- Fixes https://github.com/curl/curl/issues/12117
- Closes https://github.com/curl/curl/pull/12118
-
-Daniel Stenberg (14 Oct 2023)
-
-- RELEASE-NOTES: synced
-
-Sohom Datta (14 Oct 2023)
-
-- tool_getparam: limit --rate to be smaller than number of ms
-
- Currently, curl allows users to specify absurd request rates that might
- be higher than the number of milliseconds in the unit (ex: curl --rate
- 3600050/h http://localhost:8080 does not error out despite there being
- only 3600000ms in a hour).
-
- This change adds a conditional check before the millisecond calculation
- making sure that the number is not higher than the numerator (the unit)
- If the number is higher, curl errors out with PARAM_NUMBER_TOO_LARGE
-
- Closes #12116
-
-Daniel Stenberg (14 Oct 2023)
-
-- opts: fix two minor man page format mistakes
-
-Jay Satiro (14 Oct 2023)
-
-- curl_trc: remove a bad assertion
-
- - Remove DEBUGASSERT that an internal handle must not have user
- private_data set before calling the user's debug callback.
-
- This is a follow-up to 0dc40b2a. The user can distinguish their easy
- handle from an internal easy handle by setting CURLOPT_PRIVATE on their
- easy handle. I had wrongly assumed that meant the user couldn't then
- set CURLOPT_PRIVATE on an internal handle as well.
-
- Bug: https://github.com/curl/curl/pull/12060#issuecomment-1754594697
- Reported-by: Daniel Stenberg
-
- Closes https://github.com/curl/curl/pull/12104
-
-Dan Fandrich (13 Oct 2023)
-
-- test613: stop showing an error on missing output file
-
- This test would show an error message if the output was missing during
- the log post-processing step, but the message was not captured by the
- test harness and wasn't useful since the normal golden log file
- comparison would the problem more clearly.
-
-Stefan Eissing (13 Oct 2023)
-
-- quic: manage connection idle timeouts
-
- - configure a 120s idle timeout on our side of the connection
- - track the timestamp when actual socket IO happens
- - check IO timestamp to our *and* the peer's idle timeouts
- in "is this connection alive" checks
-
- Reported-by: calvin2021y on github
- Fixes #12064
- Closes #12077
-
-Dan Fandrich (13 Oct 2023)
-
-- CI: ignore test 286 on Appveyor gcc 9 build
-
- This test fails sometimes with a super fast retry loop due to what may
- just be a compiler bug. The test results are ignored on the one CI job
- where it occurs because there seems to be nothing we can do to fix it.
-
- Fixes #12040
- Closes #12106
-
-Viktor Szakats (13 Oct 2023)
-
-- lib: fix gcc warning in printf call
-
- Do not pass NULL to printf %s.
-
- Seen with gcc 13.2.0 on Debian:
- ```
- .../curl/lib/connect.c:696:27: warning: '%s' directive argument is null [-Wfo
- rmat-overflow=]
- ```
- Ref: https://github.com/curl/curl-for-win/actions/runs/6476161689/job/1758442
- 6483#step:3:11104
-
- Ref: #10284
- Co-authored-by: Jay Satiro
- Closes #12082
-
-Alex Klyubin (13 Oct 2023)
-
-- http2: safer invocation of populate_binsettings
-
- populate_binsettings now returns a negative value on error, instead of a
- huge positive value. Both places which call this function have been
- updated to handle this change in its contract.
-
- The way populate_binsettings had been used prior to this change the huge
- positive values -- due to signed->unsigned conversion of the potentially
- negative result of nghttp2_pack_settings_payload which returns negative
- values on error -- are not possible. But only because http2.c currently
- always provides a large enough output buffer and provides H2 SETTINGS
- IVs which pass the verification logic inside nghttp2. If the
- verification logic were to change or if http2.c started passing in more
- IVs without increasing the output buffer size, the overflow could become
- reachable, and libcurl/curl might start leaking memory contents to
- servers/proxies...
-
- Closes #12101
-
-Daniel Stenberg (13 Oct 2023)
-
-- openssl: avoid BN_num_bits() NULL pointer derefs
-
- Reported-by: icy17 on github
- Fixes #12099
- Closes #12100
-
-- wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA
-
- This define is set in wolfssl's options.h file when this function and
- feature is present. Handles both builds with the feature explicitly
- disabled and wolfSSL versions before 5.5.2 - which introduced this API
- call.
-
- Closes #12108
-
-- tool_urlglob: make multiply() bail out on negative values
-
- - Does not work correctly with negative values
- - use __builtin_mul_overflow() on gcc
-
- Reported-by: Torben Dury
- Closes #12102
-
-Loïc Yhuel (13 Oct 2023)
-
-- cmake: fix CURL_DISABLE_GETOPTIONS
-
- - Add CURL_DISABLE_GETOPTIONS to curl_config.h.cmake.
-
- Prior to this change the option had no effect because it was missing
- from that file.
-
- Closes https://github.com/curl/curl/pull/12091
-
-- easy_lock: add a pthread_mutex_t fallback
-
- This allows to keep the init threadsafe with gcc < 4.9.0 (no C11
- atomics).
-
- Closes https://github.com/curl/curl/pull/12090
-
-Viktor Szakats (12 Oct 2023)
-
-- CI: add autotools, out-of-tree, debug build to distro check job
-
- Add a job that builds curl from a generated source tarball sample, with
- autotools, out-of-tree, in debug mode.
-
- Ref: #12085
- Closes #12088
-
-Daniel Stenberg (12 Oct 2023)
-
-- http: avoid Expect: 100-continue if Upgrade: is used
-
- Reported-by: Daniel Jelinski
- Fixes #12022
- Closes #12062
-
-Jan Alexander Steffens (heftig) (12 Oct 2023)
-
-- docs: use SOURCE_DATE_EPOCH for generated manpages
-
- This should make builds from Git reproducible.
-
- Closes #12092
-
-Daniel Stenberg (12 Oct 2023)
-
-- RELEASE-NOTES: synced
-
- Bumped to 8.4.1
-
-Viktor Szakats (12 Oct 2023)
-
-- cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection
-
- Fix `HAVE_H_ERRNO_ASSIGNABLE` to not run, only compile its test snippet,
- aligning this with autotools. This fixes an error when doing
- cross-builds and also actually detects this feature. It affected systems
- not allowlisted into this, e.g. SerenityOS.
-
- We used this detection result to enable `HAVE_GETADDRINFO_THREADSAFE`.
-
- Follow-up to 04a3a377d83fd72c4cf7a96c9cb6d44785e33264 #11979
- Ref: #12095 (closed in favour of this patch)
- Ref: #11964 (effort to sync cmake detections with autotools)
-
- Reported-by: Kartatz on Github
- Assisted-by: Kartatz on Github
- Fixes #12093
- Closes #12094
-
-- build: add `src/.checksrc` to source tarball
-
- Regression from e5bb88b8f824ed87620bd923552534c83c2a516e #11958
-
- Bug: https://github.com/curl/curl/pull/11958#issuecomment-1757079071
- Reported-by: Romain Geissler
- Fixes #12084
- Closes #12085
-
-Version 8.4.0 (11 Oct 2023)
-
-Daniel Stenberg (11 Oct 2023)
-
-- RELEASE-NOTES: synced
-
-- THANKS: add contributors from 8.4.0
-
-Jay Satiro (11 Oct 2023)
-
-- socks: return error if hostname too long for remote resolve
-
- Prior to this change the state machine attempted to change the remote
- resolve to a local resolve if the hostname was longer than 255
- characters. Unfortunately that did not work as intended and caused a
- security issue.
-
- Bug: https://curl.se/docs/CVE-2023-38545.html
-
-Stefan Eissing (10 Oct 2023)
-
-- CI: remove slowed-network tests
-
- - remove these tests as they are currently not reliable in our CI
- setups.
-
- curl handles the test cases, but CI sometimes fails on these due to
- additional conditions. Rather than mix them in, an additional CI job
- will be added in the future that is specific to them.
-
- Closes https://github.com/curl/curl/pull/12075
-
-Jay Satiro (10 Oct 2023)
-
-- libcurl-env-dbg.3: move debug variables from libcurl-env.3
-
- - Move documentation of libcurl environment variables used only in debug
- builds from libcurl-env into a separate document libcurl-env-dbg.
-
- - Document more debug environment variables.
-
- Previously undocumented or missing a description:
-
- CURL_ALTSVC_HTTP, CURL_DBG_SOCK_WBLOCK, CURL_DBG_SOCK_WPARTIAL,
- CURL_DBG_QUIC_WBLOCK, CURL_DEBUG, CURL_DEBUG_SIZE, CURL_GETHOSTNAME,
- CURL_HSTS_HTTP, CURL_FORCETIME, CURL_SMALLREQSEND, CURL_SMALLSENDS,
- CURL_TIME.
-
- Closes https://github.com/curl/curl/pull/11811
-
-Dan Fandrich (9 Oct 2023)
-
-- test670: increase the test timeout
-
- This should make it more immune to loaded servers.
-
- Ref: #11328
-
-Stefan Eissing (9 Oct 2023)
-
-- MQTT: improve receive of ACKs
-
- - add `mq->recvbuf` to provide buffering of incomplete
- ACK responses
- - continue ACK reading until sufficient bytes available
- - fixes test failures on low network receives
-
- Closes #12071
-
-Viktor Szakats (9 Oct 2023)
-
-- quic: fix BoringSSL build
-
- Add guard around `SSL_CTX_set_ciphersuites()` use.
-
- Bug: https://github.com/curl/curl/pull/12065#issuecomment-1752171885
-
- Follow-up to aa9a6a177017e4b74d33cdf85a3594900f4a7f81
-
- Co-authored-by: Jay Satiro
- Reviewed-by: Daniel Stenberg
- Closes #12067
-
-Stefan Eissing (9 Oct 2023)
-
-- test1540: improve reliability
-
- - print that bytes have been received on pausing, but not how many
-
- Closes #12069
-
-- test2302: improve reliability
-
- - make result print collected write data, unless
- change in meta flags is detected
- - will show same result even when data arrives via
- several writecb invocations
-
- Closes #12068
-
-Daniel Stenberg (9 Oct 2023)
-
-- curl_easy_pause: set "in callback" true on exit if true
-
- Because it might have called another callback in the mean time that then
- set the bit FALSE on exit.
-
- Reported-by: Jay Satiro
- Fixes #12059
- Closes #12061
-
-Viktor Szakats (8 Oct 2023)
-
-- h3: add support for ngtcp2 with AWS-LC builds
-
- ```
- curl 8.4.0-DEV (x86_64-apple-darwin) libcurl/8.4.0-DEV (SecureTransport) AWS-
- LC/1.15.0 nghttp2/1.56.0 ngtcp2/0.19.1 nghttp3/0.15.0
- Release-Date: [unreleased]
- Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps
- mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
- Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile Multi
- SSL NTLM SSL threadsafe UnixSockets
- ```
-
- Also delete an obsolete GnuTLS TODO and update the header comment in
- `FindNGTCP2.cmake`.
-
- Reviewed-by: Daniel Stenberg
- Closes #12066
-
-- build: do not publish `HAVE_BORINGSSL`, `HAVE_AWSLC` macros
-
- Syncing this up with CMake.
-
- Source code uses the built-in `OPENSSL_IS_AWSLC` and
- `OPENSSL_IS_BORINSSL` macros to detect BoringSSL and AWS-LC. No help is
- necessary from the build tools.
-
- The one use of `HAVE_BORINGSSL` in the source turned out to be no longer
- necessary for warning-free BoringSSL + Schannel builds. Ref: #1610 #2634
-
- autotools detects this anyway for display purposes.
- CMake detects this to decide whether to use the BoringSSL-specific
- crypto lib with ngtcp2. It detects AWS-LC, but doesn't use the detection
- result just yet (planned in #12066).
-
- Ref: #11964
-
- Reviewed-by: Daniel Stenberg
- Reviewed-by: Jay Satiro
- Closes #12065
-
-Marc Hoersken (8 Oct 2023)
-
-- CI: move distcheck job from Azure Pipelines to GitHub Actions
-
- This will allow for more trigger excludes within Azure Pipelines.
-
- Also fixes seemingly broken check with scripts/installcheck.sh.
- Ref: 190374c74ec4e5247d9066544c86e8d095e1d7b5
-
- Assisted-by: Philip Heiduck
- Closes #9532
-
-Daniel Stenberg (8 Oct 2023)
-
-- url: fall back to http/https proxy env-variable if ws/wss not set
-
- Reported-by: Craig Andrews
- Fixes #12031
- Closes #12058
-
-Stefan Eissing (8 Oct 2023)
-
-- cf-socket: simulate slow/blocked receives in debug
-
- add 2 env variables for non-UDP sockets:
- 1. CURL_DBG_SOCK_RBLOCK: percentage of receive calls that randomly
- should return EAGAIN
- 2. CURL_DBG_SOCK_RMAX: max amount of bytes read from socket
-
- Closes #12035
-
-- http2: refused stream handling for retry
-
- - answer HTTP/2 streams refused via a GOAWAY from the server to
- respond with CURLE_RECV_ERROR in order to trigger a retry
- on another connection
-
- Reported-by: black-desk on github
- Ref #11859
- Closes #12054
-
-Jay Satiro (8 Oct 2023)
-
-- CURLOPT_DEBUGFUNCTION.3: warn about internal handles
-
- - Warn that the user's debug callback may be called with the handle
- parameter set to an internal handle.
-
- Without this warning the user may assume that the only handles their
- debug callback receives are the easy handles on which they set
- CURLOPT_DEBUGFUNCTION.
-
- This is a follow-up to f8cee8cc which changed DoH handles to inherit
- the debug callback function set in the user's easy handle. As a result
- those handles are now passed to the user's debug callback function.
-
- Closes https://github.com/curl/curl/pull/12034
-
-- url: fix typo
-
-Daniel Stenberg (8 Oct 2023)
-
-- test458: verify --expand-output, expanding a file name accepting option
-
- Verifies the fix in #12055 (commit f2c8086ff15e6e995e1)
-
-- tool_getparam: accept variable expansion on file names too
-
- Reported-by: PBudmark on github
- Fixes #12048
- Closes #12055
-
-- RELEASE-NOTES: synced
-
-- multi: do CURLM_CALL_MULTI_PERFORM at two more places
-
- ... when it does a state transition but there is no particular socket or
- timer activity. This was made apparent when commit b5bb84c removed a
- superfluous timer expiry.
-
- Reported-by: Dan Fandrich.
- Fixes #12033
- Closes #12056
-
-Viktor Szakats (7 Oct 2023)
-
-- GHA/linux: mbedtls 3.5.0 + minor dep bumps
-
- Closes #12057
-
-Dan Fandrich (7 Oct 2023)
-
-- CI: bump OpenLDAP package version on FreeBSD
-
- The old one is no longer available.
-
-Marc Hoersken (7 Oct 2023)
-
-- docs/libcurl/opts/Makefile.inc: add missing manpage files
-
- Detected with #9532
-
-Dan Fandrich (7 Oct 2023)
-
-- tests: fix a race condition in ftp server disconnect
-
- If a client disconnected and reconnected quickly, before the ftp server
- had a chance to respond, the protocol message/ack (ping/pong) sequence
- got out of sync, causing messages sent to the old client to be delivered
- to the new. A disconnect must now be acknowledged and intermediate
- requests thrown out until it is, which ensures that such synchronization
- problems can't occur. This problem could affect ftp, pop3, imap and smtp
- tests.
-
- Fixes #12002
- Closes #12049
-
-Viktor Szakats (7 Oct 2023)
-
-- appveyor: bump mingw-w64 job to gcc 13 (was: 8)
-
- This sets gcc 6, 7, 9, 13 in our test mix (was: 6, 7, 8, 9).
- Adding a modern gcc version to the tests.
-
- (The gcc 8 job used to take around 50 minutes. The new image with gcc 13
- finished in 32, 35, 34 minutes in the 3 test runs so far.)
-
- It also adds a modern CMake version and OS env to our mingw-w64 builds.
-
- Closes #12051
-
-David Benjamin (6 Oct 2023)
-
-- openssl: use X509_ALGOR_get0 instead of reaching into X509_ALGOR
-
- While the struct is still public in OpenSSL, there is a (somewhat
- inconvenient) accessor. Use it to remain compatible if it becomes opaque
- in the future.
-
- Closes #12038
-
-Daniel Stenberg (6 Oct 2023)
-
-- curl_easy_pause.3: mention it works within callbacks
-
- Reported-by: Maxim Dzhura
- Bug: https://curl.se/mail/lib-2023-10/0010.html
- Closes #12046
-
-- curl_easy_pause.3: mention h2/h3 buffering
-
- Asked-by: Maxim Dzhura
- Ref: https://curl.se/mail/lib-2023-10/0011.html
-
- Closes #12045
-
-Viktor Szakats (6 Oct 2023)
-
-- cmake: re-add missed C89 headers for specific detections
-
- We removed C89 `setjmp.h` and `signal.h` detections and excluded them
- from the global header list we use when detecting functions [1]. Then
- missed to re-add these headers to the specific functions which need
- them to be detected [2]. Fix this omission in this patch.
-
- [1] Follow-up to 3795fcde995d96db641ddbcc8a04f9f0f03bef9f #11951
- [2] Follow-up to 96c29900bcec32dd6bc8e9857c8871ff4b8b8ed9 #11940
-
- Closes #12043
-
-Daniel Stenberg (6 Oct 2023)
-
-- multi: set CURLM_CALL_MULTI_PERFORM after switch to DOING_MORE
-
- Since there is nothing to wait for there. Avoids the test 1233 hang
- reported in #12033.
-
- Reported-by: Dan Fandrich
- Closes #12042
-
-Dan Fandrich (5 Oct 2023)
-
-- test1903: actually verify the cookies after the test
-
- The test otherwise could do just about anything (except leak memory in
- debug mode) and its bad behaviour wouldn't be detected. Now, check the
- resulting cookie file to ensure the cookies are still there.
-
- Closes #12041
-
-- test: add missing <feature>s
-
- The tests will otherwise fail if curl has them disabled.
-
-- test1906: set a lower timeout since it's hit on Windows
-
- msys2 builds actually hit the connect timeout in normal operation, so
- lower the timeout from 5 minutes to 5 seconds to reduce test time.
-
- Ref: #11328
- Closes #12036
-
-Daniel Stenberg (5 Oct 2023)
-
-- RELEASE-NOTES: synced
-
-Jay Satiro (5 Oct 2023)
-
-- idn: fix WinIDN null ptr deref on bad host
-
- - Return CURLE_URL_MALFORMAT if IDN hostname cannot be converted from
- UTF-8 to UTF-16.
-
- Prior to this change a failed conversion erroneously returned CURLE_OK
- which meant 'decoded' pointer (what would normally point to the
- punycode) would not be written to, remain NULL and be dereferenced
- causing an access violation.
-
- Closes https://github.com/curl/curl/pull/11983
-
-Dan Fandrich (4 Oct 2023)
-
-- tests: close the shell used to start sshd
-
- This shell isn't needed once sshd starts, so use "exec" so it doesn't
- stick around.
-
- Closes #12032
-
-Daniel Stenberg (4 Oct 2023)
-
-- base64: also build for curl
-
- Since the tool itself now uses the base64 code using the curlx way, it
- needs to build also when the tool needs it. Starting now, the tool build
- defines BULDING_CURL to allow lib-side code to use it.
-
- Follow-up to 2e160c9c6525
-
- Closes #12010
-
-Eduard Strehlau (4 Oct 2023)
-
-- tests: Fix zombie processes left behind by FTP tests.
-
- ftpserver.pl correctly cleans up spawned server processes,
- but forgets to wait for the shell used to spawn them.
- This is barely noticeable during a normal testrun,
- but causes process exhaustion and test failure
- during a complete torture run of the FTP tests.
-
- Fixes #12018
- Closes #12020
-
-Dan Fandrich (4 Oct 2023)
-
-- github/labeler: improve labeler matches
-
-- test574: add a timeout to the test
-
- This one hangs occasionally, so this will speed up a test run and allow
- logs to be seen when it does.
-
- Closes #12025
-
-- tests: propagate errors in libtests
-
- Use the test macros to automatically propagate some errors, and check
- and log others while running the tests. This can help in debugging
- exactly why a test has failed.
-
-- tests: set --expect100-timeout to improve test reliability
-
- On an overloaded server, the default 1 second timeout can go by without
- the test server having a chance to respond with the expected headers,
- causing tests to fail. Increase the 1 second timeout to 99 seconds so
- this failure mode is no longer a problem on test 1129. Some other tests
- already set a high value, but make them consistently 99 seconds so if
- something goes wrong the test is stalled for less time.
-
- Ref: #11328
-
-- CI: ignore the "flaky" and "timing-dependent" test results in CMake
-
- This was already done for automake builds but CMake builds were missed.
- Test 1086 actually causes the test harness to crash with:
-
- Warning: unable to close filehandle DWRITE properly: Broken pipe at C:/projec
- ts/curl/tests/ftpserver.pl line 527
-
- Rather than fix it now, this change leaves test 1086 entirely skipped on
- those builds that show this problem.
-
- Follow-up to 589dca761
-
- Ref: #11865
-
-Viktor Szakats (4 Oct 2023)
-
-- cmake: improve OpenLDAP builds
-
- - cmake: detect OpenLDAP based on function `ldap_init_fd`.
- autotools does this. autotools also publishes this detection result
- in `HAVE_LDAP_INIT_FD`. We don't mimic that with CMake as the source
- doesn't use this value. (it might need to be remove-listed in
- `scripts/cmp-config.pl` for future OpenLDAP test builds.)
- This also deletes existing self-declaration method via the
- CMake-specific `CURL_USE_OPENLDAP` configuration.
-
- - cmake: define `LDAP_DEPRECATED=1` for OpenLDAP.
- Like autotools does. This fixes a long list of these warnings:
- ```
- /usr/local/opt/openldap/include/ldap.h:1049:5: warning: 'LDAP_DEPRECATED' i
- s not defined, evaluates to 0 [-Wundef]
- ```
-
- - cmake: delete LDAP TODO comment no longer relevant.
-
- Also:
-
- - autotools: replace domain name `dummy` with `0.0.0.0` in LDAP feature
- detection functions.
-
- Ref: #11964 (effort to sync cmake detections with autotools)
-
- Closes #12024
-
-- cmake: fix unity builds for more build combinations
-
- By using unique static function/variable names in source files
- implementing these interfaces.
-
- - OpenLDAP combined with any SSH backend.
-
- - MultiSSL with mbedTLS, OpenSSL, wolfSSL, SecureTransport.
-
- Closes #12027
-
-Daniel Stenberg (4 Oct 2023)
-
-- tests: remove leading spaces from some tags
-
- The threee tags `<name>`, `</name>` and `<command>` were frequently used
- with a leading space that this removes. The reason this habbit is so
- widespread in testcases is probably that they have been copy and pasted.
-
- Hence, fixing them all now might curb this practice from now on.
-
- Closes #12028
-
-Viktor Szakats (4 Oct 2023)
-
-- GHA: bump actions/checkout
-
- Follow-up to 2e0fa50fc16b9339f51e0a7bfff0352829323acb #11964
- Follow-up to c39585d9b7ef3cbfc1380812dec60e7b275b6af3 #12000
-
- Closes #12023
-
-- spelling: fix codespell 2.2.6 typos
-
- Closes #12019
-
-Daniel Stenberg (3 Oct 2023)
-
-- GHA: add workflow to compare configure vs cmake outputs
-
- Uses scripts/cmp-config.pl two compare two curl_config.h files,
- presumbly generated with configure and cmake. It displays the
- differences and filters out a lot of known lines we ignore.
-
- The script also shows the matches that were *not* used. Possibly
- subjects for removal.
-
- Closes #11964
-
-- appveyor: enable test 571
-
- Follow-up from 8a940fd55c175f7 / #12013
-
- Closes #12017
-
-Viktor Szakats (3 Oct 2023)
-
-- build: alpha-sort source files for lib and src
-
- Closes #12014
-
-- cmake: delete old `HAVE_LDAP_URL_PARSE` logic
-
- Left there by accident after adding proper detection for this.
-
- Follow-up to 772f0d8edf1c3c2745543f42388ccec5a16ee2c0 #12006
-
- Ref: #11964 (effort to sync cmake detections with autotools)
-
- Closes #12015
-
-Stefan Eissing (3 Oct 2023)
-
-- tests: increase lib571 timeout from 3s to 30s
-
- - 3s is too short for our CI, making this test fail occasionally
- - test usually experiences no delay run locally, so 30s wont hurt
-
- Closes #12013
-
-Viktor Szakats (3 Oct 2023)
-
-- cmake: fix unity with Windows Unicode + TrackMemory
-
- Found the root cause of the startup crash in unity builds with Unicode
- and TrackMemory enabled at the same time.
-
- We must make sure that the `memdebug.h` header doesn't apply to
- `lib/curl_multibyte.c` (as even noted in a comment there.) In unity
- builds all headers apply to all sources, including `curl_multibyte.c`.
- This probably resulted in an infinite loop on startup.
-
- Exclude this source from unity compilation with TrackMemory enabled,
- in both libcurl and curl tool. Enable unity mode for a debug Unicode
- CI job to keep it tested. Also delete the earlier workaround that
- fully disabled unity for affected builds.
-
- Follow-up to d82b080f6374433ce7c98241329189ad2d3976f8 #12005
- Follow-up to 3f8fc25720900b14b7432f4bd93407ca15311719 #11095
-
- Closes #11928
-
-- cmake: disable unity mode with Windows Unicode + TrackMemory
-
- "TrackMemory" is `ENABLE_DEBUG=ON` (aka `ENABLE_CURLDEBUG=ON`,
- aka `-DCURLDEBUG`).
-
- There is an issue with memory tracking and Unicode when built in "unity"
- mode, which results in the curl tool crashing right on startup, even
- without any command-line option. Interestingly this doesn't happen under
- WINE (at least on the system I tested this on), but consistenly happens
- on real Windows machines. Crash is 0xC0000374 heap corruption. Both
- shared and static curl executables are affected.
-
- This limitation probably won't hit too many people, but it remains
- a TODO to find and fix the root cause and drop this workaround.
-
- Example builds and runs:
- https://ci.appveyor.com/project/curlorg/curl/builds/48169111/job/17cptxhtpubd
- 7iwj#L313 (static)
- https://ci.appveyor.com/project/curlorg/curl/builds/48169111/job/76e1ge758tby
- qu9c#L317 (shared)
-
- Follow-up to 3f8fc25720900b14b7432f4bd93407ca15311719 #11095
-
- Ref: #11928
- Closes #12005
-
-- cmake: tidy-up `NOT_NEED_LBER_H` detection
-
- Follow-up to 772f0d8edf1c3c2745543f42388ccec5a16ee2c0 #12006
-
-- appveyor: rewrite batch in PowerShell + CI improvements
-
- 1. Rewrite in PowerShell:
-
- - rewrite MS-DOS batch build script in PowerShell.
- - move some bash operations into native PowerShell.
- - fixups for PowerShell insisting on failure when a command outputs
- something to stderr.
- - fix to actually run `curl -V` after every build.
- (and exclude ARM64 builds.)
- - also say why we skipped `curl -V` if we had to skip.
- - fix CMake warnings about unused configuration variables, by adapting
- these dynamically for build cases.
- - dedupe OpenSSL path into a variable.
- - disable `test1451` failing with a warning anyway due to missing python
- impacket. (after trying and failing to install impacket)
- PowerShell promotes these warnings to errors by PowerShell. We can also
- suppress they wholesale if they start causing issues in the future,
- like we already to with `autoreconf` and `./configure`.
-
- PowerShell is better than MS-DOS batches, so the hope is this makes it
- easier to extend and maintain the AppVeyor build logic. POSIX/bash isn't
- supported inline by AppVeyor on Windows build machines, but we are okay
- to keep it in an external script, so it's also an option.
-
- 2. CI improvements:
-
- - enable tests for a "unity" build job.
- - speed-up CI initialization by using shallow clones of the curl repo.
- - speed-up CMake MSVC jobs with `TrackFileAccess=false`.
- - enable parallelism in `VisualStudioSolution` builds.
- - display CMake version before builds.
- - always show the CPU in job names.
- - tell which jobs are build-only in job names.
- - move `TESTING:` value next to `DISABLED_TESTS:` in two jobs.
- - add `config.log` (autotools) to dumped logs (need to enable manually).
-
- 3. Style:
-
- - use single-quotes in YAML like we do in other CI YAML files.
- It also allows to drop quoting characters and lighter to write/read.
- (keep double quotes for PowerShell strings needing expansion.)
-
- Closes #11999
-
-- cmake: fix `HAVE_LDAP_SSL`, `HAVE_LDAP_URL_PARSE` on non-Windows
-
- - set `HAVE_LDAP_URL_PARSE` if `ldap_url_parse` function exists.
- Before this patch we set it based it on the presence of `stricmp`,
- which correctly enabled it on e.g. Windows, but was inaccurate for
- other platforms.
-
- - always set `HAVE_LDAP_SSL` if an LDAP backend is detected and
- LDAPS is not explicitly disabled. This mimics autotools behaviour.
- Previously we set it only for Windows LDAP. After this fix, LDAPS is
- correctly enabled in default macOS builds.
-
- - enable LDAP[S] for a CMake macOS CI job. Target OS X 10.9 (Mavericks)
- to avoid deprecation warnings for LDAP API.
-
- - always detect `HAVE_LDAP_SSL_H`, even with LDAPS explicitly disabled.
- This doesn't make much sense, but let's do it to sync behaviour with
- autotools.
-
- - fix benign typo in variable name.
-
- Ref: #11964 (effort to sync cmake detections with autotools)
-
- Closes #12006
-
-- autotools: restore `HAVE_IOCTL_*` detections
-
- This restores `CURL_CHECK_FUNC_IOCTL` detection. I deleted it in
- 4d73854462f30948acab12984b611e9e33ee41e6 and
- c3456652a0c72d1845d08df9769667db7e159949 (2022-08), because the
- `HAVE_IOCTL` result it generated was unused in the source. But,
- I did miss the fact that this had two dependent checks:
- `CURL_CHECK_FUNC_IOCTL_FIONBIO`,
- `CURL_CHECK_FUNC_IOCTL_SIOCGIFADDR` that we do actually need:
- `HAVE_IOCTL_FIONBIO`, `HAVE_IOCTL_SIOCGIFADDR`.
-
- Regression from 4d73854462f30948acab12984b611e9e33ee41e6
-
- Ref: #11964 (effort to sync cmake detections with autotools)
-
- Closes #12008
-
-Daniel Stenberg (2 Oct 2023)
-
-- RELEASE-PROCEDURE.md: updated coming release dates
-
-- RELEASE-NOTES: synced
-
-Viktor Szakats (1 Oct 2023)
-
-- cmake: pre-cache `HAVE_POLL_FINE` on Windows
-
- Windows doesn't support `poll()`, so we can safely skip checking for
- fine poll.
-
- Closes #12003
-
-- gha: bump actions to latest versions
-
- - actions@checkout@v4 (from v3 and v2)
-
- - fsfe/reuse-action@v2 (from v1)
-
- Closes #12000
-
-Stefan Eissing (30 Sep 2023)
-
-- h2: testcase and fix for pausing h2 streams
-
- - refs #11982 where it was noted that paused transfers may
- close successfully without delivering the complete data
- - made sample poc into tests/http/client/h2-pausing.c and
- added test_02_27 to reproduce
-
- Closes #11989
- Fixes #11982
- Reported-by: Harry Sintonen
-
-Viktor Szakats (30 Sep 2023)
-
-- cmake: validate `CURL_DEFAULT_SSL_BACKEND` config value
-
- Before this patch CMake builds accepted any value and it was used at
- runtime as-is. This patch make sure that the selected default backend
- is also enabled in the build. It also enforces a full lowercase value.
-
- This improves reproducibility and brings CMake in sync with autotools
- which already worked like described above.
-
- Follow-up to 26c7feb8b9d51a57fab3325571b4bbfa03b11af0 #11774
-
- Closes #11998
-
-- autotools: adjust `CURL_CA_PATH` value to CMake
-
- autotools was using the same value as CMake, but with an ending
- slash. Delete the ending slash to match configurations.
-
- Ref: #11964 (effort to sync cmake detections with autotools)
-
- Closes #11997
-
-- cmake: detect `sys/wait.h` and `netinet/udp.h`
-
- Ref: #11964 (effort to sync cmake detections with autotools)
-
- Closes #11996
-
-Daniel Stenberg (30 Sep 2023)
-
-- lib: provide and use Curl_hexencode
-
- Generates a lower case ASCII hex output from a binary input.
-
- Closes #11990
-
-- configure: check for the capath by default
-
- ... if the chosen TLS backend supports it: OpenSSL, GnuTLS, mbedTLS or wolfSS
- L
-
- cmake: synced
-
- Assisted-by: Viktor Szakats
- Closes #11987
-
-- wolfssl: ignore errors in CA path
-
- The default wolfSSL_CTX_load_verify_locations() function is quite picky
- with the certificates it loads and will for example return error if just
- one of the certs has expired.
-
- With the *_ex() function and its WOLFSSL_LOAD_FLAG_IGNORE_ERR flag, it
- behaves more similar to what OpenSSL does by default.
-
- Even the set of default certs on my Debian unstable has several expired
- ones.
-
- Assisted-by: Juliusz Sosinowicz
- Assisted-by: Michael Osipov
-
- Closes #11987
-
-- create-dirs.d: clarify it also uses --output-dirs
-
- Reported-by: Robert Simpson
- Fixes #11991
- Closes #11995
-
-Viktor Szakats (30 Sep 2023)
-
-- appveyor: fix yamlint issues, indent
-
- Also:
- - use double quotes in all batch if statements.
-
- Closes #11994
-
-- cmake: detect `HAVE_CLOCK_GETTIME_MONOTONIC_RAW`
-
- Based on existing autotools logic.
-
- Ref: #11964 (effort to sync cmake detections with autotools)
-
- Closes #11981
-
-- cmake: detect `HAVE_GETADDRINFO_THREADSAFE`
-
- Based on existing autotools logic.
-
- autotools checks for old versions of the allowlisted target OSes and
- disables this feature when seeing them. In CMake we assume we're running
- on newer systems and enable regardless of OS version.
-
- autotools always runs all 3 probes for non-fast-tracked systems and
- enables this feature if any one of them was successful. To save
- configuration time, CMake stops at the first successful check.
-
- OpenBSD is not fast-tracked and then gets blocklisted as a generic BSD
- system. I haven't double-checked if this is correct, but looks odd.
-
- Ref: #11964 (effort to sync cmake detections with autotools)
-
- Closes #11979
-
-- cmake: fix `HAVE_WRITABLE_ARGV` detection
-
- Move detection before the creation of detection results in
- `curl_config.h`.
-
- Ref: #11964 (effort to sync cmake detections with autotools)
-
- Closes #11978
-
-- appveyor: minor improvements
-
- - run `curl -V` after builds to see if they run and with what features.
- Except for one job where a CRT DLL is missing. And ARM64 which should
- fail, but is silently not launched instead.
-
- - copy libcurl DLL next to curl tool and tests binaries in shared mode.
- This makes it possible to run the tests. (We don't run tests after
- these builds yet.)
-
- - list the DLLs and EXEs present after the builds.
-
- - add `DEBUG` variable for CMake builds to allow disabling it, for
- testing non-debug builds. (currently enabled for all)
-
- - add commented lines that dump CMake configuration logs for debugging
- build/auto-detection issues.
-
- - add gcc version to jobs where missing.
-
- - switch a job to the native MSYS2 mingw-w64 toolchain. This adds gcc 9
- to the build mix.
-
- - make `SHARED=OFF` and `OPENSSL=OFF` defaults global.
-
- - delete a duplicate backslash.
-
- Closes #11976
-
-- configure: replace adhoc domain with `localhost` in tests
-
- Reviewed-by: Daniel Stenberg
- Closes #11988
-
-- tidy-up: use more example domains
-
- Also make use of the example TLD:
- https://en.wikipedia.org/wiki/.example
-
- Reviewed-by: Daniel Stenberg
- Closes #11992
-
-Dan Fandrich (29 Sep 2023)
-
-- runtests: display the test status if tests appear hung
-
- It sometimes happens that a test hangs during a test run and never
- returns. The test harness will wait indefinitely for the results and on
- CI servers the CI job will eventually be killed after an hour or two.
- At the end of a test run, if results haven't come in within a couple of
- minutes, display the status of all test runners and what tests they're
- running to help in debugging the problem.
-
- This feature is really only kick in with parallel testing enabled, which
- is fine because without parallel testing it's usually easy to tell what
- test has hung.
-
- Closes #11980
-
-- github/labeler: remove workaround for labeler
-
- This was added due to what seemed to be a bug regarding the sync-labels:
- config option, but it looks like it wasn't necessary.
-
- Follow-up to b2b0534e7
-
-Viktor Szakats (29 Sep 2023)
-
-- docs: upgrade an URL to HTTPS in `BINDINGS.md` [ci skip]
-
-Daniel Stenberg (29 Sep 2023)
-
-- docs: replace made up domains with example.com
-
- in FAQ and MANUAL.md
-
- - example.com was made for this purpose.
-
- - reduces the risk that one of those domains suddenly start hosting
- something nasty and we provide links to them
-
- Closes #11986
-
-Michael Osipov (29 Sep 2023)
-
-- acinclude.m4: Document proper system truststore on FreeBSD
-
- The default system truststore on FreeBSD has been /etc/ssl/certs for many
- years now. It is managed canonically through certctl(8) and contains hashed
- symlinks for OpenSSL and other TLS providers.
- The previous ones require security/ca_root_nss which might not be installed o
- r
- will not contain any custom CA certificates.
-
- Closes #11985
-
-Daniel Stenberg (29 Sep 2023)
-
-- FAQ: How do I upgrade curl.exe in Windows?
-
- This is a growing question, better answer it here to get somewhere to
- point users to.
-
- Closes #11984
-
-Viktor Szakats (28 Sep 2023)
-
-- cmake: pre-cache `HAVE_BASENAME` for mingw-w64 and MSVC
-
- `basename` is present in mingw-w64, missing from MSVC. Pre-cache
- accordingly to make configure faster.
-
- Notice that `basename` has a bug so we later disable it even with
- mingw-w64:
- https://github.com/curl/curl/blob/781242ffa44a9f9b95b6da5ac5a1bf6372ec6257/li
- b/curl_setup.h#L820-L825
-
- Closes #11974
-
-Daniel Stenberg (28 Sep 2023)
-
-- cmake: add missing checks
-
- - check for arc4random. To make rand.c use it accordingly.
- - check for fcntl
- - fix fseek detection
- - add SIZEOF_CURL_SOCKET_T
- - fix USE_UNIX_SOCKETS
- - define HAVE_SNPRINTF to 1
- - check for fnmatch
- - check for sched_yield
- - remove HAVE_GETPPID duplicate from curl_config.h
- - add HAVE_SENDMSG
-
- Ref: #11964
-
- Co-authored-by: Viktor Szakats
- Closes #11973
-
-- configure: remove unused checks
-
- - for sys/uio.h
- - for fork
- - for connect
-
- Ref: #11964
-
- Closes #11973
-
-- lib: remove TIME_WITH_SYS_TIME
-
- It is not used in any code anywhere.
-
- Ref: #11964
- Closes #11975
-
-- docs: update curl man page references
-
- Detected by the manpage-syntax update
-
- Closes #11963
-
-- manpage-syntax: verify curl man page references
-
- 1. References to curl symbols are now checked that they indeed exist as
- man pages. This for \f references as well as the names referenced in the
- SEE ALSO section.
-
- Allowlist curl.1 since it is not always built in builds
-
- 2. References to curl symbols that lack section now causes warning, since tha
- t
- will prevent them from getting linked properly
-
- 3. Check for "bare" references to curl functions and warn, they should be
- references
-
- Closes #11963
-
-- cmake: add check for suseconds_t
-
- And fix the HAVE_LONGLONG define
-
- Ref: #11964
- Closes #11977
-
-Viktor Szakats (28 Sep 2023)
-
-- tidy-up: whitespace fixes
-
- Closes #11972
-
-- cmake: detect TLS-SRP in OpenSSL/wolfSSL/GnuTLS
-
- With new option `CURL_DISABLE_SRP=ON` to force-disable it.
- To match existing option and detection logic in autotools.
-
- Also:
- - fix detecting GnuTLS.
- We assume `nettle` as a GnuTLS dependency.
- - add CMake GnuTLS CI job.
- - bump AppVeyor CMake OpenSSL MSVC job to OpenSSL 1.1.1 (from 1.0.2)
- TLS-SRP fails to detect with 1.0.2 due to an OpenSSL header bug.
- - fix compiler warning when building with GnuTLS and disabled TLS-SRP.
- - fix comment typos, whitespace.
-
- Ref: #11964
-
- Closes #11967
-
-- tool: use our own stderr variable
-
- Earlier this year we changed our own stderr variable to use the standard
- name `stderr` (to avoid bugs where someone is using `stderr` instead of
- the curl-tool specific variable). This solution needed to override the
- standard `stderr` symbol via the preprocessor. This in turn didn't play
- well with unity builds and caused curl tool to crash or stay silent due
- to an uninitialized stderr. This was a hard to find issue, fixed by
- manually breaking out one file from the unity sources.
-
- To avoid two these two tricks, this patch implements a different
- solution: Restore using our own local variable for our stderr output and
- leave `stderr` as-is. To avoid using `stderr` by mistake, add a
- `checksrc` rule (based on logic we already used in lib for `strerror`)
- that detects any `stderr` use in `src` and points to using our own
- variable instead: `tool_stderr`.
-
- Follow-up to 06133d3e9b8aeb9e9ca0b3370c246bdfbfc8619e
- Follow-up to 2f17a9b654121dd1ecf4fc043c6d08a9da3522db
-
- Closes #11958
-
-Loïc Yhuel (28 Sep 2023)
-
-- connect: only start the happy eyeballs timer when needed
-
- The timeout is only used when there is a second address family, for the
- delayed eyeballer.
-
- Closes #11939
-
-Daniel Stenberg (28 Sep 2023)
-
-- tool_operate: free 'gateway' correctly
-
- Pointed out by Coverity. The fix in 93885cf3a8d4e was incomplete.
-
- Also removed repeated wording in IPFS related error messages.
-
- Closes #11969
-
-Stefan Eissing (28 Sep 2023)
-
-- lib: move handling of `data->req.writer_stack` into Curl_client_write()
-
- - move definitions from content_encoding.h to sendf.h
- - move create/cleanup/add code into sendf.c
- - installed content_encoding writers will always be called
- on Curl_client_write(CLIENTWRITE_BODY)
- - Curl_client_cleanup() frees writers and tempbuffers from
- paused transfers, irregardless of protocol
-
- Closes #11908
-
-Loïc Yhuel (28 Sep 2023)
-
-- multi: round the timeout up to prevent early wakeups
-
- Curl_timediff rounds down to the millisecond, so curl_multi_perform can
- be called too early, then we get a timeout of 0 and call it again.
-
- The code already handled the case of timeouts which expired less than
- 1ms in the future. By rounding up, we make sure we will never ask the
- platform to wake up too early.
-
- Closes #11938
-
-Daniel Stenberg (28 Sep 2023)
-
-- RELEASE-NOTES: spell out that IPFS is via gateway
-
-- RELEASE-NOTES: synced
-
-- tool_operate: avoid strlen() -1 on zero length content from file
-
- Follow-up to 65b563a96a226649ba12cb1e
-
- Closes #11959
-
-- tool_operate: fix memory mixups
-
- Switch to plain getenv() from curl_getenv() to avoid the allocation and
- having to keep track of which free() or curl_free() that need to be
- used.
-
- Coverity found issues and a memory leak.
-
- Follow-up to 65b563a96a226649ba12cb1e
-
- Closes #11959
-
-Viktor Szakats (27 Sep 2023)
-
-- curl-functions.m4: fixup recent bad edits
-
- Follow-up to 96c29900bcec32dd6bc8e9857c8871ff4b8b8ed9 #11940
-
- Closes #11966
-
-Daniel Stenberg (27 Sep 2023)
-
-- curl-functions.m4: fix include line
-
- This made the getaddrinfo detection fail, but we did not spot it in the
- CI because it graciously falled back to using legacy functions instead!
-
- Follow-up to 96c29900bcec (#11940)
-
- Closes #11965
-
-- inet_ntop: add typecast to silence Coverity
-
- CID 1024653: Integer handling issues (SIGN_EXTENSION)
-
- Suspicious implicit sign extension: "src[i]" with type "unsigned char
- const" (8 bits, unsigned) is promoted in "src[i] << (1 - i % 2 << 3)" to
- type "int" (32 bits, signed), then sign-extended to type "unsigned long"
- (64 bits, unsigned). If "src[i] << (1 - i % 2 << 3)" is greater than
- 0x7FFFFFFF, the upper bits of the result will all be 1.
-
- 111 words[i/2] |= (src[i] << ((1 - (i % 2)) << 3));
-
- The value will not be greater than 0x7FFFFFFF so this still cannot
- happen.
-
- Also, switch to ints here instead of longs. The values stored are 16 bit
- so at least no need to use 64 bit variables. Also, longs are 32 bit on
- some platforms so this logic still needs to work with 32 bits.
-
- Closes #11960
-
-- docs: adapt SEE ALSO sections to new requirements
-
- To please manpage-syntax.pl used by test 1173
-
- Closes #11957
-
-- manpage-syntax.pl: verify SEE ALSO syntax
-
- - Enforce a single reference per .BR line
- - Skip the quotes around the section number for example (3)
- - Insist on trailing commas on all lines except the last
- - Error on comma on the last SEE ALSO entry
-
- - List the entries alpha-sorted, not enforced just recommended
-
- Closes #11957
-
-- connect: expire the timeout when trying next
-
- ... so that it gets called again immediately and can continue trying
- addresses to connect to. Otherwise it might unnecessarily wait for a
- while there.
-
- Fixes #11920
- Reported-by: Loïc Yhuel
- Closes #11935
-
-- http: remove wrong comment for http_should_fail
-
- Reported-by: Christian Schmitz
- Ref: #11936
- Closes #11941
-
-Dan Fandrich (26 Sep 2023)
-
-- tool_setopt: remove unused function tool_setopt_flags
-
- This function is identical to tool_setopt_bitmask except that it treats
- the argument as unsigned.
-
- Closes #11943
-
-Viktor Szakats (26 Sep 2023)
-
-- cmake: add feature checks for `memrchr` and `getifaddrs`
-
- - `HAVE_MEMRCHR` for `memrchr`.
- - `HAVE_GETIFADDRS` for `getifaddrs`.
- This was present in `lib/curl_config.h.cmake` but missed the detection
- logic.
-
- To match existing autotools feature checks.
-
- Closes #11954
-
-- cmake: move global headers to specific checks
-
- Before this patch we added standard headers unconditionally to the
- global list of headers used for feature checks. This is unnecessary
- and also doesn't help CMake 'Generate' performance. This patch moves
- these headers to each feature check where they are actually needed.
- Stop using `stddef.h`, as it seems unnecessary.
-
- I've used autotools' `m4/curl-functions.m4` to figure out these
- dependencies.
-
- Also delete checking for the C89 standard header `time.h`, that I
- missed in the earlier commit.
-
- Ref: 96c29900bcec32dd6bc8e9857c8871ff4b8b8ed9 #11940
-
- Closes #11951
-
-- src/mkhelp: make generated code pass `checksrc`
-
- Closes #11955
-
-- tests: show which curl tool `runtests.pl` is using
-
- To help debugging when there is issue finding or running it.
-
- Closes #11953
-
-- CI/azure: make `MAKEFLAGS` global to parallelize all jobs
-
- https://dev.azure.com/daniel0244/curl/_build/results?buildId=17528 (before)
- https://dev.azure.com/daniel0244/curl/_build/results?buildId=17545 (after, wi
- th -j3)
-
- Closes #11952
-
-- CI/azure: migrate old mingw MSYS1 jobs to MSYS2
-
- Also delete an accidental variable reference.
-
- Follow-up to 38029101e2d78ba125732b3bab6ec267b80a0e72
-
- Closes #11945
-
-Daniel Stenberg (26 Sep 2023)
-
-- docs: add see also curl_multi_get_handles to some man pages
-
- Assisted-by: Jay Satiro
-
- Closes #11942
-
-Viktor Szakats (26 Sep 2023)
-
-- cmake: assume `_fseeki64` and no `fseeko` on Windows
-
- `_fseeki64` is present in mingw-w64 1.0 (2011-09-26) headers, and
- at least Watcom C 1.9 (2010) headers and MSVS 2008 [1].
-
- `fseeko` is not present in any of these.
-
- (mingw-w64 1.0 also offers `fseeko64`.)
-
- [1] https://github.com/curl/curl/pull/11944#issuecomment-1734995004
-
- Follow-up to 9c7165e96a3a9a2d0b7059c87c699b5ca8cdae93 #11918
-
- Closes #11950
-
-- build: delete checks for C89 standard headers
-
- Delete checks and guards for standard C89 headers and assume these are
- available: `stdio.h`, `string.h`, `time.h`, `setjmp.h`, `stdlib.h`,
- `stddef.h`, `signal.h`.
-
- Some of these we already used unconditionally, some others we only used
- for feature checks.
-
- Follow-up to 9c7165e96a3a9a2d0b7059c87c699b5ca8cdae93 #11918 (for `stdio.h` i
- n CMake)
-
- Closes #11940
-
-Stefan Eissing (26 Sep 2023)
-
-- multiif.h: remove Curl_multi_dump declaration
-
- Follow-up to d850eea2 which removed the Curl_multi_dump definition.
-
- Closes https://github.com/curl/curl/pull/11946
-
-Jay Satiro (26 Sep 2023)
-
-- config-win32: define HAVE__FSEEKI64
-
- Follow-up to 9c7165e9 which added an fseeko wrapper to the lib that
- calls _fseeki64 if it is available.
-
- Closes https://github.com/curl/curl/pull/11944
-
-- docs: explain how PINNEDPUBLICKEY is independent of VERIFYPEER
-
- - Explain that peer verification via CURLOPT_PINNEDPUBLICKEY takes place
- even if peer verification via CURLOPT_SSL_VERIFYPEER is turned off.
-
- The behavior is verified by test2048.
-
- Bug: https://github.com/curl/curl/issues/2935#issuecomment-418371872
- Reported-by: claudiusaiz@users.noreply.github.com
-
- Bug: https://github.com/curl/curl/discussions/11910
- Reported-by: Hakan Sunay Halil
-
- Closes https://github.com/curl/curl/pull/11930
-
-Stefan Eissing (26 Sep 2023)
-
-- openssl: improve ssl shutdown handling
-
- - If SSL shutdown is not finished then make an additional call to
- SSL_read to gather additional tracing.
-
- - Fix http2 and h2-proxy filters to forward do_close() calls to the next
- filter.
-
- For example h2 and SSL shutdown before and after this change:
-
- Before:
-
- Curl_conn_close -> cf_hc_close -> Curl_conn_cf_discard_chain ->
- ssl_cf_destroy
-
- After:
-
- Curl_conn_close -> cf_hc_close -> cf_h2_close -> cf_setup_close ->
- ssl_cf_close
-
- Note that currently the tracing does not show output on the connection
- closure handle. Refer to discussion in #11878.
-
- Ref: https://github.com/curl/curl/discussions/11878
-
- Closes https://github.com/curl/curl/pull/11858
-
-Loïc Yhuel (26 Sep 2023)
-
-- multi: fix small timeouts
-
- Since Curl_timediff rounds down to the millisecond, timeouts which
- expire in less than 1ms are considered as outdated and removed from the
- list. We can use Curl_timediff_us instead, big timeouts could saturate
- but this is not an issue.
-
- Closes #11937
-
-Viktor Szakats (25 Sep 2023)
-
-- cmake: fix stderr initialization in unity builds
-
- Before this patch, in certain build configurations the curl tool may
- not have displayed anything (debug, macOS), or crashed at startup
- (debug, Windows).
-
- Follow-up to 3f8fc25720900b14b7432f4bd93407ca15311719
- Necessary after 2f17a9b654121dd1ecf4fc043c6d08a9da3522db
-
- Closes #11929
-
-- cmake: fix missing `zlib.h` when compiling `libcurltool`
-
- Came up while testing debug/testing build for Windows. I'm not sure why
- it didn't come up in earlier tests with similar config.
- `tool_hugehelp.c` might indeed require `zlib.h` and without linking
- `CURL_LIBS` to the `curltool` target, CMake doesn't seem to add detected
- dependency headers to the compiler command.
-
- ```
- [ 25%] Building C object src/CMakeFiles/curltool.dir/tool_hugehelp.c.obj
- cd .../curl/bld-cmake-llvm-x64/src && /usr/local/opt/llvm/bin/clang
- --target=x86_64-w64-mingw32 --sysroot=/usr/local/opt/mingw-w64/toolchain-x8
- 6_64
- -DCURLDEBUG -DCURL_STATICLIB -DHAVE_CONFIG_H -DUNICODE -DUNITTESTS -D_UNICO
- DE
- -I.../curl/include -I.../curl/lib -I.../curl/bld-cmake-llvm-x64/lib
- -I.../curl/bld-cmake-llvm-x64/include -I.../curl/src -Wno-unused-command-li
- ne-argument
- -D_UCRT -DDEBUGBUILD -DHAS_ALPN -DUSE_MANUAL=1 -fuse-ld=lld -Wl,-s -static
- -libgcc
- -lucrt [...] -O3 -DNDEBUG -municode -MD
- -MT src/CMakeFiles/curltool.dir/tool_hugehelp.c.obj
- -MF CMakeFiles/curltool.dir/tool_hugehelp.c.obj.d
- -o CMakeFiles/curltool.dir/tool_hugehelp.c.obj -c .../curl/bld-cmake-llvm-x
- 64/src/tool_hugehelp.c
- .../curl/bld-cmake-llvm-x64/src/tool_hugehelp.c:6:10: fatal error: 'zlib.h' f
- ile not found
- 6 | #include <zlib.h>
- | ^~~~~~~~
- ```
-
- Follow-up to 39e7c22bb459c2e818f079984989a26a09741860
-
- Closes #11927
-
-- cmake: fix duplicate symbols when linking tests
-
- The linker resolves this automatically in non-unity builds. In unity
- builds the linker cannot drop a single object with the duplicates,
- resulting in these errors. The root issue is that we started including
- certain objects both via both libcurlu and libcurltool libs.
-
- Regression from 39e7c22bb459c2e818f079984989a26a09741860
-
- Windows errors:
- ```
- [ 3%] Linking C executable unit1303.exe
- [ 3%] Building C object tests/server/CMakeFiles/rtspd.dir/__/__/lib/curl_mul
- tibyte.c.obj
- ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_convert_UTF8_to_wch
- ar':
- C:/projects/curl/lib/curl_multibyte.c:44: multiple definition of `curlx_conve
- rt_UTF8_to_wchar'
- ../../src/libcurltool-d.a(unity_0.c.obj):C:/projects/curl/lib/curl_multibyte.
- c:44: first defined here
- ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_convert_wchar_to_UT
- F8':
- C:/projects/curl/lib/curl_multibyte.c:66: multiple definition of `curlx_conve
- rt_wchar_to_UTF8'
- ../../src/libcurltool-d.a(unity_0.c.obj):C:/projects/curl/lib/curl_multibyte.
- c:66: first defined here
- ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_win32_open':
- C:/projects/curl/lib/curl_multibyte.c:92: multiple definition of `curlx_win32
- _open'
- ../../src/libcurltool-d.a(unity_0.c.obj):C:/projects/curl/lib/curl_multibyte.
- c:92: first defined here
- ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_win32_fopen':
- C:/projects/curl/lib/curl_multibyte.c:120: multiple definition of `curlx_win3
- 2_fopen'
- ../../src/libcurltool-d.a(unity_0.c.obj):C:/projects/curl/lib/curl_multibyte.
- c:120: first defined here
- ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_win32_stat':
- [...]
- ```
- Ref: https://ci.appveyor.com/project/curlorg/curl/builds/48110107/job/nvlhpt9
- aa4ehny5q#L247
-
- macOS errors:
- ```
- [ 56%] Linking C executable unit1302
- duplicate symbol '_curlx_sotouz' in:
- ../../lib/libcurlu.a(unity_0_c.c.o)
- ../../src/libcurltool.a(unity_0_c.c.o)
- duplicate symbol '_curlx_sitouz' in:
- ../../lib/libcurlu.a(unity_0_c.c.o)
- ../../src/libcurltool.a(unity_0_c.c.o)
- duplicate symbol '_curlx_uztosz' in:
- ../../lib/libcurlu.a(unity_0_c.c.o)
- ../../src/libcurltool.a(unity_0_c.c.o)
- [...]
- ```
- with config:
- ```
- -DCMAKE_UNITY_BUILD=ON \
- -DENABLE_DEBUG=ON -DBUILD_TESTING=ON -DCMAKE_C_FLAGS=-DDEBUGBUILD \
- -DBUILD_SHARED_LIBS=ON \
- -DBUILD_STATIC_LIBS=OFF
- ```
-
- Closes #11926
-
-- cmake: lib `CURL_STATICLIB` fixes (Windows)
-
- - always define `CURL_STATICLIB` when building libcurl for Windows.
-
- This disables `__declspec(dllexport)` for exported libcurl symbols.
- In normal mode (hide symbols) these exported symbols are specified
- via `libcurl.def`. When not hiding symbols, all symbols are exported
- by default.
-
- Regression from 1199308dbc902c52be67fc805c72dd2582520d30
-
- Fixes #11844
-
- - fix to omit `libcurl.def` when not hiding private symbols.
-
- Regression from 2ebc74c36a19a1700af394c16855ce144d9878e3
-
- - fix `ENABLED_DEBUG=ON` + shared curl tool Windows builds by also
- omitting `libcurl.def` in this case, and exporting all symbols
- instead. This ensures that a shared curl tool can access all debug
- functions which are not normally exported from libcurl DLL.
-
- - delete `INTERFACE_COMPILE_DEFINITIONS "CURL_STATICLIB"` for "objects"
- target.
-
- Follow-up to 2ebc74c36a19a1700af394c16855ce144d9878e3
-
- - delete duplicate `BUILDING_LIBCURL` definitions.
-
- - fix `HIDES_CURL_PRIVATE_SYMBOLS` to not overwrite earlier build settings.
-
- Follow-up to 1199308dbc902c52be67fc805c72dd2582520d30
-
- Closes #11914
-
-Daniel Stenberg (25 Sep 2023)
-
-- RELEASE-NOTES: synced
-
-Dan Fandrich (25 Sep 2023)
-
-- tests: fix log directory path in IPFS tests
-
- Hard-coding the log directory name fails with parallel tests.
-
- Follow-up to 65b563a96
-
- Ref: #8805
-
-Daniel Stenberg (25 Sep 2023)
-
-- curl_multi_get_handles: get easy handles from a multi handle
-
- Closes #11750
-
-Stefan Eissing (25 Sep 2023)
-
-- http: h1/h2 proxy unification
-
- - use shared code for setting up the CONNECT request
- when tunneling, used in HTTP/1.x and HTTP/2 proxying
- - eliminate use of Curl_buffer_send() and other manipulations
- of `data->req` or `data->state.ulbuf`
-
- Closes #11808
-
-Natanael Copa (25 Sep 2023)
-
-- lib: use wrapper for curl_mime_data fseek callback
-
- fseek uses long offset which does not match with curl_off_t. This leads
- to undefined behavior when calling the callback and caused failure on
- arm 32 bit.
-
- Use a wrapper to solve this and use fseeko which uses off_t instead of
- long.
-
- Thanks to the nice people at Libera IRC #musl for helping finding this
- out.
-
- Fixes #11882
- Fixes #11900
- Closes #11918
-
-- configure: sort AC_CHECK_FUNCS
-
- No functional changes.
-
-Daniel Stenberg (25 Sep 2023)
-
-- warnless: remove unused functions
-
- Previously put there for use with the intel compiler
-
- Closes #11932
-
-- GHA/linux: run singleuse to detect single-use global functions
-
- Use --unit for configure --enable-debug builds
-
- Closes #11932
-
-- singleuse: add scan for use in other source codes
-
- This should reduce false-positive to almost zero. Checks for presence in
- unit tests if --unit is specified, which is intended for debug builds
- where unit testing is enabled.
-
- Closes #11932
-
-- multi: remove Curl_multi_dump
-
- A debug-only function that is basically never used. Removed to ease the
- use of the singleuse script to detect non-static functions not used
- outside the file where it is defined.
-
- Closes #11931
-
-Viktor Szakats (24 Sep 2023)
-
-- tests: fix compiler warnings
-
- Seen with llvm 17 on Windows x64.
-
- ```
- .../curl/tests/server/rtspd.c:136:13: warning: no previous extern declaration
- for non-static variable 'logdir' [-Wmissing-variable-declarations]
- 136 | const char *logdir = "log";
- | ^
- .../curl/tests/server/rtspd.c:136:7: note: declare 'static' if the variable i
- s not intended to be used outside of this translation unit
- 136 | const char *logdir = "log";
- | ^
- .../curl/tests/server/rtspd.c:137:6: warning: no previous extern declaration
- for non-static variable 'loglockfile' [-Wmissing-variable-declarations]
- 137 | char loglockfile[256];
- | ^
- .../curl/tests/server/rtspd.c:137:1: note: declare 'static' if the variable i
- s not intended to be used outside of this translation unit
- 137 | char loglockfile[256];
- | ^
- .../curl/tests/server/fake_ntlm.c:43:13: warning: no previous extern declarat
- ion for non-static variable 'logdir' [-Wmissing-variable-declarations]
- 43 | const char *logdir = "log";
- | ^
- .../curl/tests/server/fake_ntlm.c:43:7: note: declare 'static' if the variabl
- e is not intended to be used outside of this translation unit
- 43 | const char *logdir = "log";
- | ^
- .../curl/src/tool_doswin.c:350:8: warning: possible misuse of comma operator
- here [-Wcomma]
- 350 | ++d, ++s;
- | ^
- .../curl/src/tool_doswin.c:350:5: note: cast expression to void to silence wa
- rning
- 350 | ++d, ++s;
- | ^~~
- | (void)( )
- ```
-
- ```
- .../curl/tests/libtest/lib540.c:146:27: warning: result of comparison 'long'
- > 2147483647 is always false [-Wtautological-type-limit-compare]
- 146 | int itimeout = (L > (long)INT_MAX) ? INT_MAX : (int)L;
- | ~ ^ ~~~~~~~~~~~~~
- 1 warning generated.
-
- .../curl/tests/libtest/libntlmconnect.c:195:31: warning: result of comparison
- 'long' > 2147483647 is always false [-Wtautological-type-limit-compare]
- 195 | int itimeout = (timeout > (long)INT_MAX) ? INT_MAX : (int)timeo
- ut;
- | ~~~~~~~ ^ ~~~~~~~~~~~~~
- 1 warning generated.
-
- .../curl/tests/libtest/lib591.c:117:31: warning: result of comparison 'long'
- > 2147483647 is always false [-Wtautological-type-limit-compare]
- 117 | int itimeout = (timeout > (long)INT_MAX) ? INT_MAX : (int)timeo
- ut;
- | ~~~~~~~ ^ ~~~~~~~~~~~~~
- 1 warning generated.
- .../curl/tests/libtest/lib597.c:99:31: warning: result of comparison 'long' >
- 2147483647 is always false [-Wtautological-type-limit-compare]
- 99 | int itimeout = (timeout > (long)INT_MAX) ? INT_MAX : (int)timeo
- ut;
- | ~~~~~~~ ^ ~~~~~~~~~~~~~
- 1 warning generated.
- ```
-
- Seen on macOS Intel:
- ```
- .../curl/tests/server/sws.c:440:64: warning: field precision should have type
- 'int', but argument has type 'size_t' (aka 'unsigned long') [-Wformat]
- msnprintf(logbuf, sizeof(logbuf), "Got request: %s %.*s HTTP/%d.%d"
- ,
- ~~^~
- 1 warning generated.
- ```
-
- Closes #11925
-
-Jay Satiro (24 Sep 2023)
-
-- url: fix netrc info message
-
- - Fix netrc info message to use the generic ".netrc" filename if the
- user did not specify a netrc location.
-
- - Update --netrc doc to add that recent versions of curl on Windows
- prefer .netrc over _netrc.
-
- Before:
- * Couldn't find host google.com in the (nil) file; using defaults
-
- After:
- * Couldn't find host google.com in the .netrc file; using defaults
-
- Closes https://github.com/curl/curl/pull/11904
-
-Dan Fandrich (23 Sep 2023)
-
-- wolfssh: do cleanup in Curl_ssh_cleanup
-
- Closes: #11921
-
-Daniel Stenberg (24 Sep 2023)
-
-- tool_listhelp: regenerated
-
- Polished the --ipfs-gateway description
-
- Fixed the --trace-config description
-
- The script also fixed some other small mistakes
-
- Closes #11923
-
-Viktor Szakats (23 Sep 2023)
-
-- Makefile.mk: always set `CURL_STATICLIB` for lib (Windows)
-
- Also fix to export all symbols in Windows debug builds, making
- `-debug-dyn` builds work with `-DCURL_STATICLIB` set.
-
- Ref: https://github.com/curl/curl/pull/11914 (same for CMake)
-
- Closes #11924
-
-Daniel Stenberg (23 Sep 2023)
-
-- quic: set ciphers/curves the same way regular TLS does
-
- for OpenSSL/BoringSSL
-
- Fixes #11796
- Reported-by: Karthikdasari0423 on github
- Assisted-by: Jay Satiro
- Closes #11836
-
-- test457: verify --max-filesize with chunked encoding
-
-- lib: let the max filesize option stop too big transfers too
-
- Previously it would only stop them from getting started if the size is
- known to be too big then.
-
- Update the libcurl and curl docs accordingly.
-
- Fixes #11810
- Reported-by: Elliot Killick
- Assisted-by: Jay Satiro
- Closes #11820
-
-Viktor Szakats (23 Sep 2023)
-
-- mingw: delete support for legacy mingw.org toolchain
-
- Drop support for "old" / "legacy" / "classic" / "v1" / "mingw32" MinGW:
- https://en.wikipedia.org/wiki/MinGW, https://osdn.net/projects/mingw/
- Its homepage used to be http://mingw.org/ [no HTTPS], and broken now.
- It supported the x86 CPU only and used a old Windows API header and
- implib set, often causing issues. It also misses most modern Windows
- features, offering old versions of both binutils and gcc (no llvm/clang
- support). It was last updated 2 years ago.
-
- curl now relies on toolchains based on the mingw-w64 project:
- https://www.mingw-w64.org/ https://sourceforge.net/projects/mingw-w64/
- https://www.msys2.org/ https://github.com/msys2/msys2
- https://github.com/mstorsjo/llvm-mingw
- (Also available via Linux and macOS package managers.)
-
- Closes #11625
-
-Mark Gaiser (23 Sep 2023)
-
-- curl: add support for the IPFS protocols:
-
- - ipfs://<cid>
- - ipns://<cid>
-
- This allows you tu use ipfs in curl like:
- curl ipfs://<cid>
- and
- curl ipns://<cid>
-
- For more information consult the readme at:
- https://curl.se/docs/ipfs.html
-
- Closes #8805
-
-Daniel Stenberg (23 Sep 2023)
-
-- bufq: remove Curl_bufq_skip_and_shift (unused)
-
- Closes #11915
-
-- scripts/singleuse.pl: add curl_global_trace
-
-Viktor Szakats (22 Sep 2023)
-
-- cmake: fix unity symbol collisions in h2 builds
-
- Regression from 331b89a319d0067fa1e6441719307cfef9c7960f
-
- Reviewed-by: Daniel Stenberg
- Reviewed-by: Jay Satiro
- Closes #11912
-
-Daniel Stenberg (22 Sep 2023)
-
-- RELEASE-NOTES: synced
-
-Dan Fandrich (21 Sep 2023)
-
-- github/labeler: improve the match patterns
-
- This includes new rules for setting the appleOS and logging labels and
- matches on some example files. Also, enable dot mode for wildcard
- matches in the .github directory.
-
-Daniel Stenberg (21 Sep 2023)
-
-- upload-file.d: describe the file name slash/backslash handling
-
- Closes #11911
-
-Jakub Jelen (21 Sep 2023)
-
-- libssh: cap SFTP packet size sent
-
- Due to libssh limitations
-
- Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-
- Closes #11804
-
-Daniel Stenberg (21 Sep 2023)
-
-- curl.h: mark CURLSSLBACKEND_NSS as deprecated since 8.3.0
-
- Closes #11905
-
-- mailmap: unify Michael Osipov under a single email
-
-Ted Lyngmo (21 Sep 2023)
-
-- docs: use CURLSSLBACKEND_NONE
-
- [ssl] use CURLSSLBACKEND_NONE instead of (curl_sslbackend)-1 in
- documentation and examples.
-
- Signed-off-by: Ted Lyngmo <ted@lyncon.se>
-
- Closes #11909
-
-Dan Fandrich (21 Sep 2023)
-
-- github/labeler: give the sync-labels config item a default value
-
- This shouldn't be necessary and is likely a bug with this beta version
- of the labeller.
-
- Also, fix the negative matches for the documentation label.
-
- Follow-up to dd12b452a
- Closes #11907
-
-- github/labeler: fix up more the labeler config format
-
- The new version didn't like the workaround we had for a bug in the
- previous labeler version, and it should no longer be needed.
-
- Follow-up to dd12b452a
- Closes #11906
-
-- github/labeler: fix indenting to try to appease labeller
-
- Follow-up to dd12b452a
-
-Jay Satiro (21 Sep 2023)
-
-- libssh2: fix error message on failed pubkey-from-file
-
- - If libssh2_userauth_publickey_fromfile_ex returns -1 then show error
- message "SSH public key authentication failed: Reason unknown (-1)".
-
- When libssh2_userauth_publickey_fromfile_ex returns -1 it does so as a
- generic error and therefore doesn't set an error message. AFAICT that is
- not documented behavior.
-
- Prior to this change libcurl retrieved the last set error message which
- would be from a previous function failing. That resulted in misleading
- auth failed error messages in verbose mode.
-
- Bug: https://github.com/curl/curl/issues/11837#issue-1891827355
- Reported-by: consulion@users.noreply.github.com
-
- Closes https://github.com/curl/curl/pull/11881
-
-Stefan Eissing (21 Sep 2023)
-
-- pytest: exclude test_03_goaway in CI runs due to timing dependency
-
- Closes #11860
-
-- lib: disambiguate Curl_client_write flag semantics
-
- - use CLIENTWRITE_BODY *only* when data is actually body data
- - add CLIENTWRITE_INFO for meta data that is *not* a HEADER
- - debug assertions that BODY/INFO/HEADER is not used mixed
- - move `data->set.include_header` check into Curl_client_write
- so protocol handlers no longer have to care
- - add special in FTP for `data->set.include_header` for historic,
- backward compatible reasons
- - move unpausing of client writes from easy.c to sendf.c, so that
- code is in one place and can forward flags correctly
-
- Closes #11885
-
-Patrick Monnerat (21 Sep 2023)
-
-- tftpd: always use curl's own tftp.h
-
- Using the system's provided arpa/tftp.h and optimizing, GCC 12 detects
- and reports a stringop-overread warning:
-
- tftpd.c: In function ‘write_behind.isra’:
- tftpd.c:485:12: warning: ‘write’ reading between 1 and 2147483647 bytes f
- rom a region of size 0 [-Wstringop-overread]
- 485 | return write(test->ofile, writebuf, count);
- | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- In file included from tftpd.c:71:
- /usr/include/arpa/tftp.h:58:30: note: source object ‘tu_data’ of size 0
- 58 | char tu_data[0]; /* data or error stri
- ng */
- | ^~~~~~~
-
- This occurs because writebuf points to this field and the latter
- cannot be considered as being of dynamic length because it is not
- the last field in the structure. Thus it is bound to its declared
- size.
-
- This commit always uses curl's own version of tftp.h where the
- target field is last in its structure, effectively avoiding the
- warning.
-
- As HAVE_ARPA_TFTP_H is not used anymore, cmake/configure checks for
- arpa/tftp.h are removed.
-
- Closes #11897
-
-Dan Fandrich (20 Sep 2023)
-
-- test1474: make precheck more robust on non-Solaris systems
-
- If uname -r returns something odd, perl could return an error code and
- the test would be erroneously skipped. The qx// syntax avoid this.
-
- Followup to 08f9b2148
-
-- github/labeler: switch to the 5 beta version
-
- This version adds an important feature that will allow more PRs to be
- labelled. Rather than being limited to labeling PRs with files that
- match a single glob, it can now label them if multiple changed files
- match any one of a number of globs.
-
-Daniel Stenberg (20 Sep 2023)
-
-- lib: enable hmac for digest as well
-
- Previously a build that disabled NTLM and aws-sigv4 would fail to build
- since the hmac was disabled, but it is also needed for digest auth.
-
- Follow-up to e92edfbef64448ef
-
- Fixes #11890
- Reported-by: Aleksander Mazur
- Closes #11896
-
-- idn: if idn2_check_version returns NULL, return error
-
- ... this avoids a NULL dereference for this unusual case.
-
- Reported-by: s0urc3_ on hackerone
- Closes #11898
-
-- http: fix CURL_DISABLE_BEARER_AUTH breakage
-
- When bearer auth was disabled, the if/else logic got wrong and caused
- problems.
-
- Follow-up to e92edfbef64448ef461
- Fixes #11892
- Reported-by: Aleksander Mazur
- Closes #11895
-
-Michael Osipov (20 Sep 2023)
-
-- wolfssl: allow capath with CURLOPT_CAINFO_BLOB
-
- Remain consistent with OpenSSL. While CAfile is nulled as documented
- with CURLOPT_CAINFO_BLOB, CApath remains intact.
-
- Closes #11886
-
-- wolfssl: use ssl_cafile/ssl_capath variables consistent with openssl.c
-
- Closes #11886
-
-Dan Fandrich (19 Sep 2023)
-
-- test1474: disable test on NetBSD, OpenBSD and Solaris 10
-
- These kernels only send a fraction of the requested amount of the first
- large block, invalidating the assumptions of the test and causing it to
- fail.
-
- Assisted-by: Christian Weisgerber
- Ref: https://curl.se/mail/lib-2023-09/0021.html
- Closes #11888
-
-Ryan Schmidt (20 Sep 2023)
-
-- cmake, configure: also link with CoreServices
-
- When linking with CoreFoundation, also link with CoreServices which is
- apparently required to avoid an NSInvalidArgumentException in software
- linking with libcurl on macOS Sonoma 14 and later.
-
- Fixes #11893
- Closes #11894
-
-Marc Hoersken (19 Sep 2023)
-
-- CI/azure: remove pip, wheel, cryptography, pyopenssl and impacket
-
- These dependencies are now already included in the Docker image.
-
- Ref: https://github.com/mback2k/curl-docker-winbuildenv/commit/2607a31bcab544
- b41d15606e97f38cf312c1ce56
-
- Closes #11889
-
-Daniel Stenberg (19 Sep 2023)
-
-- wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files
-
- Ref: #11883
- Reported-by: Michael Osipov
- Closes #11884
-
-- RELEASE-NOTES: synced
-
-- test3103: CURLOPT_COOKIELIST test
-
-- cookie: set ->running in cookie_init even if data is NULL
-
- This is a regression introduced in b1b326ec500 (shipped in curl 8.1.0)
-
- Test 3103 verifies.
-
- Fixes #11875
- Reported-by: wangp on github
- Closes #11876
-
-- test498: total header size for all redirects is larger than accepted
-
-- http: use per-request counter to check too large headers
-
- Not the counter that accumulates all headers over all redirects.
-
- Follow-up to 3ee79c1674fd6
-
- Do a second check for 20 times the limit for the accumulated size for
- all headers.
-
- Fixes #11871
- Reported-by: Joshix-1 on github
- Closes #11872
-
-Jay Satiro (18 Sep 2023)
-
-- THANKS: add Eric Murphy
-
- He reported #11850 (quiche build error) but I forgot to add a
- 'reported-by' entry in the fix 267e14f1.
-
-Daniel Stenberg (18 Sep 2023)
-
-- h2-proxy: remove left-over mistake in drain_tunnel()
-
- Left-over from 331b89a319
-
- Reported-by: 南宫雪珊
-
- Closes https://github.com/curl/curl/pull/11877
-
-vvb2060 (18 Sep 2023)
-
-- lib: failf/infof compiler warnings
-
- Closes #11874
-
-Daniel Stenberg (17 Sep 2023)
-
-- rand: fix 'alnum': array is too small to include a terminating null character
-
- It was that small on purpose, but this change now adds the null byte to
- avoid the error.
-
- Follow-up to 3aa3cc9b052353b1
-
- Reported-by: Dan Fandrich
- Ref: #11838
- Closes #11870
-
-Mathias Fuchs (16 Sep 2023)
-
-- cmake: fix the help text to the static build option in CMakeLists.txt
-
- Closes #11843
-
-John Haugabook (16 Sep 2023)
-
-- MANUAL.md: change domain to example.com
-
- Closes #11866
-
-Daniel Stenberg (16 Sep 2023)
-
-- doh: inherit DEBUGFUNCTION/DATA
-
- When creating new transfers for doing DoH, they now inherit the debug
- settings from the initiating transfer, so that the application can
- redirect and handle the verbose output correctly even for the DoH
- transfers.
-
- Reported-by: calvin2021y on github
- Fixes #11864
- Closes #11869
-
-Dan Fandrich (16 Sep 2023)
-
-- http_aws_sigv4: fix sorting with empty parts
-
- When comparing with an empty part, the non-empty one is always
- considered greater-than. Previously, the two would be considered equal
- which would randomly place empty parts amongst non-empty ones. This
- showed as a test 439 failure on Solaris as it uses a different
- implementation of qsort() that compares parts differently.
-
- Fixes #11855
- Closes #11868
-
-- CI: ignore the "flaky" and "timing-dependent" test results
-
- CI builds will now run these tests, but will ignore the results if they
- fail. The relevant tests are ones that are sensitive to timing or
- have edge conditions that make them more likely to fail on CI servers,
- which are often heavily overloaded and slow.
-
- This change only adds two additional tests to be ignored, since the
- others already had the flaky keyword.
-
- Closes #11865
-
-- runtests: eliminate a warning on old perl versions
-
- The warning "Use of implicit split to @_ is deprecated" showed between
- perl versions about 5.8 through 5.11.
-
-- tests: log the test result code after each libtest
-
- This makes it easier to determine the test status. Also, capitalize
- FAILURE and ABORT messages in log lines to make them easier to spot.
-
-Harry Sintonen (16 Sep 2023)
-
-- misc: better random strings
-
- Generate alphanumerical random strings.
-
- Prior this change curl used to create random hex strings. This was
- mostly okay, but having alphanumerical random strings is better: The
- strings have more entropy in the same space.
-
- The MIME multipart boundary used to be mere 64-bits of randomness due
- to being 16 hex chars. With these changes the boundary is 22
- alphanumerical chars, or little over 130 bits of randomness.
-
- Closes #11838
-
-Daniel Stenberg (15 Sep 2023)
-
-- cookie: reduce variable scope, add const
-
-- cookie: do not store the expire or max-age strings
-
- Convert it to an expire time at once and save memory.
-
- Closes #11862
-
-- cookie: remove unnecessary struct fields
-
- Plus: reduce the hash table size from 256 to 63. It seems unlikely to
- make much of a speed difference for most use cases but saves 1.5KB of
- data per instance.
-
- Closes #11862
-
-- RELEASE-NOTES: synced
-
- Bumped to 8.4.0, the next presumed version
-
-Dan Fandrich (14 Sep 2023)
-
-- test2600: remove special case handling for USE_ALARM_TIMEOUT
-
- This was originally added to handle platforms that supported only 1
- second granularity in connect timeouts, but after some recent changes
- the test currently permafails on several Windows platforms.
-
- The need for this special-case was removed in commit 8627416, which
- increased the connect timeout in all cases to well above 1 second.
-
- Fixes #11767
- Closes #11849
-
-Daniel Stenberg (14 Sep 2023)
-
-- SECURITY-PROCESS.md. call it vulnerability disclosure policy
-
- SECURITY-PROCESS.md -> VULN-DISCLOSURE-POLICY.md
-
- This a name commonly used for a document like this. This name helps
- users find it.
-
- Closes #11852
-
-Junho Choi (14 Sep 2023)
-
-- quiche: fix build error with --with-ca-fallback
-
- - Fix build error when curl is built with --with-quiche
- and --with-ca-fallback.
-
- - Add --with-ca-fallback to the quiche CI job.
-
- Fixes https://github.com/curl/curl/issues/11850
- Closes https://github.com/curl/curl/pull/11847
-
-Jay Satiro (14 Sep 2023)
-
-- escape: replace Curl_isunreserved with ISUNRESERVED
-
- - Use the ALLCAPS version of the macro so that it is clear a macro is
- being called that evaluates the variable multiple times.
-
- - Also capitalize macro isurlpuntcs => ISURLPUNTCS since it evaluates
- a variable multiple times.
-
- This is a follow-up to 291d225a which changed Curl_isunreserved into an
- alias macro for ISUNRESERVED. The problem is the former is not easily
- identified as a macro by the caller, which could lead to a bug.
-
- For example, ISUNRESERVED(*foo++) is easily identifiable as wrong but
- Curl_isunreserved(*foo++) is not even though they both are the same.
-
- Closes https://github.com/curl/curl/pull/11846
-
-Dan Fandrich (13 Sep 2023)
-
-- tests: increase the default server logs lock timeout
-
- This timeout is used to wait for the server to finish writing its logs
- before checking them against the expected values. An overloaded machine
- could take more than the two seconds previously allocated, so increase
- the timeout to 5 seconds.
-
- Ref: #11328
- Closes #11834
-
-- tests: increase TEST_HANG_TIMEOUT in two tests
-
- These tests had a 5 second timeout compared to 60 seconds for all other
- tests. Make these consistent with the others for more reliability on
- heavily-loaded machines.
-
- Ref: #11328
-
-- test1056: disable on Windows
-
- This test relies on the IPv6 scope field being ignored when connecting to
- ipv6-localhost (i.e. [::1%259999] is treated as [::1]). Maybe this is a bit
- dodgy, but it works on all our test platforms except Windows. This
- test was disabled manually on all Windows CI builds already, so instead
- add an incompatible feature and precheck so it's skipped on Windows
- everywhere automatically.
-
-- test587: add a slight delay after test
-
- This test is designed to connect to the server, then immediately send a
- few bytes and disconnect. In some situations, such as on a loaded
- server, this doesn't give the server enough time to write its lock file
- before its existence is checked. The test harness then fails to find the
- server's input log file (because it hasn't been written yet) and fails
- the test. By adding a short delay after the test, the HTTP server has
- enough time to write its lock file which gives itself more time to write
- its remaining files.
-
- Ref: #11328
-
-- tests: stop overriding the lock timeout
-
- These tests reduce the server lock wait timeout which can increase
- flakiness on loaded machines. Since this is merely an optimization,
- eliminate them in favour of reliability.
-
- Ref: #11328
-
-- tests: add some --expect100-timeout to reduce timing dependencies
-
- These tests can fail when the test machine is so slow that the test HTTP
- server didn't get a chance to complete before the client's one second
- 100-continue timeout triggered. Increase that 1 second to 999 seconds so
- this situation doesn't happen.
-
- Ref: #11328
-
-- test661: return from test early in case of curl error
-
-- tests: add the timing-dependent keyword on several tests
-
- These are ones likely to fail on heavily-loaded machines that alter the
- normal test timing. Most of these tests already had the flaky keyword
- since this condition makes them more likely to fail on CI.
-
-- test1592: greatly increase the maximum test timeout
-
- It was too short to be reliable on heavily loaded CI machines, and
- as a fail-safe only, it didn't need to be short.
-
- Ref: #11328
-
-- test: minor test cleanups
-
- Remove an obsolete block of code in tests 2032 & 576.
- Add a comment in test 1474.
-
-- tests: quadruple the %FTPTIME2 and %FTPTIME3 timeouts
-
- This gives more of a margin for error when running on overloaded CI
- servers.
-
- Ref: #11328
-
-- tests: improve SLOWDOWN test reliability by reducing sent data
-
- These tests are run in SLOWDOWN mode which adds a 10 msec delay after
- each character output, which means it takes at least 1.6 seconds (and
- 320 kernel calls) just to get through the long welcome banner. On an
- overloaded system, this can end up taking much more than 1.6 seconds,
- and even more than the 7 or 16 second curl timeout that the tests rely
- on, causing them to fail. Reducing the size of the welcome banner drops
- the total number of characters sent before the transfer starts by more
- than half, which reduces the opportunity for test-breaking slowdowns by
- the same amount.
-
- Ref: #11328
-
-- test650: fix an end tag typo
-
-Jay Satiro (13 Sep 2023)
-
-- tool_cb_wrt: fix debug assertion
-
- - Fix off-by-one out-of-bounds array index in Windows debug assertion.
-
- Bug: https://github.com/curl/curl/commit/af3f4e41#r127212213
- Reported-by: Gisle Vanem
-
-Daniel Stenberg (13 Sep 2023)
-
-- ctype: add ISUNRESERVED()
-
- ... and make Curl_isunreserved() use that macro instead of providing a
- separate funtion for the purpose.
-
- Closes #11840
-
-Version 8.3.0 (13 Sep 2023)
-
-Daniel Stenberg (13 Sep 2023)
-
-- RELEASE-NOTES: syn ced
-
- curl 8.3.0 release
-
-- THANKS: contributors from 8.3.0
-
-Thorsten Klein (12 Sep 2023)
-
-- cmake: set SIZEOF_LONG_LONG in curl_config.h
-
- in order to support 32bit builds regarding wolfssl CTC_SETTINGS
-
- Closes #11839
-
-Jay Satiro (12 Sep 2023)
-
-- curl_ngtcp2: fix error message
-
-- http_aws_sigv4: handle no-value user header entries
-
- - Handle user headers in format 'name:' and 'name;' with no value.
-
- The former is used when the user wants to remove an internal libcurl
- header and the latter is used when the user actually wants to send a
- no-value header in the format 'name:' (note the semi-colon is converted
- by libcurl to a colon).
-
- Prior to this change the AWS header import code did not special case
- either of those and the generated AWS SignedHeaders would be incorrect.
-
- Reported-by: apparentorder@users.noreply.github.com
-
- Ref: https://curl.se/docs/manpage.html#-H
-
- Fixes https://github.com/curl/curl/issues/11664
- Closes https://github.com/curl/curl/pull/11668
-
-Dan Fandrich (11 Sep 2023)
-
-- CI: run pytest with the -v option
-
- This lists of the test cases being run so it can be tracked over time.
-
- Closes #11824
-
-Daniel Stenberg (11 Sep 2023)
-
-- HTTP3: the msquic backend is not functional
-
- I ask that we do not submit bugs for this backend just yet as we know it
- does not fully work.
-
- Closes #11831
- Closes #11819
-
-- aws_sigv4: the query canon code miscounted URL encoded input
-
- Added some extra ampersands to test 439 to verify "blank" query parts
-
- Follow-up to fc76a24c53b08cdf
-
- Closes #11829
-
-vvb2060 (11 Sep 2023)
-
-- quic: don't set SNI if hostname is an IP address
-
- We already do this for TLS connections.
-
- RFC 6066 says: Literal IPv4 and IPv6 addresses are not permitted in
- "HostName".
-
- Ref: https://www.rfc-editor.org/rfc/rfc6066#section-3
-
- Fixes https://github.com/curl/curl/issues/11827
- Closes https://github.com/curl/curl/pull/11828
-
-Daniel Stenberg (10 Sep 2023)
-
-- RELEASE-NOTES: synced
diff --git a/libs/libcurl/docs/THANKS b/libs/libcurl/docs/THANKS index ecd6e9eb9a..7910255eda 100644 --- a/libs/libcurl/docs/THANKS +++ b/libs/libcurl/docs/THANKS @@ -19,6 +19,7 @@ Aaron Oneal Aaron Orenstein
Aaron Scarisbrick
aasivov on github
+Abdullah Alyan
Abhinav Singh
Abram Pousada
accountantM on github
@@ -181,6 +182,7 @@ Andrei Sedoi Andrei Valeriu BICA
Andrei Virtosu
Andrej E Baranov
+Andrew
Andrew Barnert
Andrew Barnes
Andrew Benham
@@ -225,6 +227,7 @@ Anthony Hu Anthony Ramine
Anthony Shaw
Antoine Aubert
+Antoine Bollengier
Antoine Calando
Antoine du Hamel
Antoine Pietri
@@ -357,6 +360,7 @@ Björn Stenberg black-desk on github
Blaise Potard
Blake Burkhart
+blankie
bnfp on github
Bo Anderson
Bob Relyea
@@ -455,6 +459,7 @@ cbartl on github cclauss on github
Cering on github
Cesar Eduardo Barros
+Ch40zz on github
Chad Monroe
Chandrakant Bagul
Chara White
@@ -540,6 +545,7 @@ Colin Blair Colin Cross
Colin Hogben
Colin Leroy
+Colin Leroy-Mira
Colin O'Dell
Colin Watson
Colm Buckley
@@ -573,6 +579,7 @@ d912e3 on github Da-Yoon Chung
daboul on github
Dag Ekengren
+Dagfinn Ilmari Mannsåker
Dagobert Michelsen
Daiki Ueno
Dair Grant
@@ -604,6 +611,7 @@ Daniel Faust Daniel Gustafsson
Daniel Hallberg
Daniel Hwang
+Daniel J. H.
Daniel Jeliński
Daniel Johnson
Daniel Kahn Gillmor
@@ -613,6 +621,7 @@ Daniel Kurečka Daniel Lee Hwang
Daniel Lublin
Daniel Marjamäki
+Daniel McCarney
Daniel Melani
Daniel Mentz
Daniel Romero
@@ -912,6 +921,7 @@ Fabrizio Ammollo Fahim Chandurwala
Faizur Rahman
Faraz Fallahi
+farazrbx on github
Farzin on github
Fata Nugraha
Fawad Mirza
@@ -974,6 +984,7 @@ FuccDucc on github Fujii Hironori
fullincome on github
fundawang on github
+fuzzard
Gabe
Gabriel Corona
Gabriel Kuri
@@ -1033,6 +1044,7 @@ Glenn Sheridan Glenn Strauss
godmar on github
Godwin Stewart
+Gonçalo Carvalho
Google Inc.
Gordon Marler
Gorilla Maguila
@@ -1067,6 +1079,7 @@ Gunter Knauf guoxinvmware on github
Gustaf Hui
Gustavo Grieco
+Gusted
Guy Poizat
GwanYeong Kim
Gwen Shapira
@@ -1079,6 +1092,7 @@ Hagai Auro Haibo Huang
Hakan Sunay Halil
Hamish Mackenzie
+hammlee96 on github
hamstergene on github
Han Han
Han Qiao
@@ -1095,6 +1109,7 @@ Hans-Jurgen May Hao Wu
Hardeep Singh
Haris Okanovic
+Harmen Stoppels
Harold Stuart
Harry Mallon
Harry Sarson
@@ -1130,6 +1145,7 @@ Hiroki Kurosawa Hirotaka Tagawa
Ho-chi Chen
Hoi-Ho Chan
+Hongfei Li
Hongli Lai
Hongyi Zhao
Howard Blaise
@@ -1192,6 +1208,7 @@ Isaac Boukris Isaiah Norton
Ishan SinghLevett
Ithubg on github
+Ivan
Ivan Avdeev
Ivan Tsybulin
ivanfywang
@@ -1353,6 +1370,7 @@ Jiri Dvorak Jiri Hruska
Jiri Jaburek
Jishan Shaikh
+Jiwoo Park
Jiří Bok
Jiří Malák
jmdavitt on github
@@ -1372,6 +1390,7 @@ Johan Anderson Johan Lantz
Johan Nilsson
Johan van Selst
+Johann Sebastian Schicho
Johann150 on github
Johannes Bauer
Johannes Ernst
@@ -1513,6 +1532,7 @@ jzinn on github János Fekete
Jérémy Rabasco
Jérémy Rocher
+Jérôme Leclercq
Jörg Mueller-Tolk
Jörn Hartroth
Jürgen Gmach
@@ -1524,7 +1544,9 @@ Kai Noda Kai Pastor
Kai Sommerfeld
Kai-Uwe Rommel
+Kailun Qin
Kalle Vahlman
+kalvdans on github
Kamil Dudka
Kane York
Kang Lin
@@ -1592,12 +1614,13 @@ Koichi Shiraishi kokke on github
Konstantin Isakov
Konstantin Kushnir
+Konstantin Kuzov
Konstantin Vlasov
KotlinIsland on github
kotoriのねこ
kouzhudong on github
Kovalkov Dmitrii
-kpcyrd
+kpcyrd on github
kreshano on github
Kris Kennaway
Krishnendu Majumdar
@@ -1709,6 +1732,7 @@ Luca Niccoli Lucas Adamski
Lucas Clemente Vella
Lucas Holt
+Lucas Nussbaum
Lucas Pardue
Lucas Servén Marín
Lucas Severo
@@ -1740,6 +1764,7 @@ Maciej Puzio Maciej W. Rozycki
madblobfish on github
MaeIsBad on github
+magisterquis on hackerone
Mahmoud Samir Fayed
Maks Naumov
Maksim Arhipov
@@ -1917,6 +1942,7 @@ Median Median Stride mehatzri on github
Mehmet Bozkurt
Mekonikum
+Mel Zuser
Melissa Mears
Melroy van den Berg
Mert Yazıcıoğlu
@@ -1948,6 +1974,7 @@ Michael Kolechkin Michael Kujawa
Michael König
Michael Lee
+Michael Litwak
Michael Maltese
Michael Mealling
Michael Mueller
@@ -2203,6 +2230,7 @@ Pau Garcia i Quiles Paul B. Omta
Paul Donohue
Paul Dreik
+Paul Gilmartin
Paul Groke
Paul Harrington
Paul Harris
@@ -2224,6 +2252,7 @@ Paulo Roberto Tomasi Pavel Cenek
Pavel Gushchin
Pavel Kalyugin
+Pavel Kropachev
Pavel Löbl
Pavel Mayorov
Pavel Orehov
@@ -2352,6 +2381,7 @@ Rafael Sagula Rafayel Mkrtchyan
Rafaël Carré
Rafał Mikrut
+Rahul Krishna M
Rainer Canavan
Rainer Jung
Rainer Koenig
@@ -2398,10 +2428,12 @@ Renaud Guillard Renaud Lehoux
Rene Bernhardt
Rene Rebe
+renovate[bot]
Reuven Wachtfogel
RevaliQaQ on github
Reza Arbab
Rianov Viacheslav
+riastradh on github
Ricardo Cadime
Ricardo Gomes
Ricardo M. Correia
@@ -2572,6 +2604,7 @@ SandakovMM on github Sander Gates
Sandor Feldi
Sandro Jaeckel
+Sanjay Pujare
Santhana Todatry
Santino Keupp
Saqib Ali
@@ -2683,6 +2716,7 @@ Sohom Datta Somnath Kundu
Song Ma
Sonia Subramanian
+southernedge on github
Spacen Jasset
Spezifant on github
Spiridonoff A.V
@@ -2730,6 +2764,7 @@ Stephane Pellegrino Stephen Boost
Stephen Brokenshire
Stephen Collyer
+Stephen Farrell
Stephen Kick
Stephen M. Coakley
Stephen More
@@ -2915,6 +2950,7 @@ Ton Voon Toni Moreno
Tony Kelman
tonystz on Github
+Toon Claes
Toon Verwaest
Tor Arntsen
Torben Dannhauer
@@ -2931,6 +2967,8 @@ Trivikram Kamat Troels Walsted Hansen
Troy Engel
trrui-huawei
+Trumeet on github
+Trzik on github
Tseng Jun
Tuomas Siipola
Tuomo Rinne
@@ -3117,6 +3155,7 @@ zhihaoy on github Zhouyihai Ding
ZimCodes on github
zloi-user on github
+zmcx16 on github
Zmey Petroff
Zvi Har'El
zzq1015 on github
|