Diffstat (limited to 'libs/libcurl/docs/CHANGES')
-rw-r--r-- | libs/libcurl/docs/CHANGES | 8968 |
1 files changed, 5282 insertions, 3686 deletions
diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES index a384fadba8..cbb1072dc5 100644 --- a/libs/libcurl/docs/CHANGES +++ b/libs/libcurl/docs/CHANGES @@ -6,5570 +6,7166 @@ Changelog -Version 7.33.0 (13 Oct 2013) +Version 7.60.0 (15 May 2018) -Daniel Stenberg (13 Oct 2013) -- RELEASE-NOTES: synced with 92cf6141ed0de +Daniel Stenberg (15 May 2018) +- RELEASE-NOTES: 7.60.0 release -- curl: fix --oauth2-bearer in the --help output - - After the option rename in 5df04bfafd1 +- THANKS: added people from the curl 7.60.0 release -- OpenSSL: improve the grammar of the language in 39beaa5ffbcc +- docs/libcurl/index.html: removed + + The HTML files are long gone from the dist, now remove the last HTML + file pointing to those missing files. - Reported-by: Petr Pisar + d -- [Andrej E Baranov brought this change] +- [steini2000 brought this change] - OpenSSL: use failf() when subjectAltName mismatches + http2: remove unused variable - Write to CURLOPT_ERRORBUFFER information about mismatch alternative - certificate subject names. + Closes #2570 + +- [steini2000 brought this change] + + http2: use easy handle of stream for logging + +- gcc: disable picky gcc-8 function pointer warnings in two places - 
Signed-off-by: Andrej E Baranov <admin@andrej-andb.ru> + Reported-by: Rikard Falkeborn + Bug: #2560 + Closes #2569 -- curl: rename --bearer to --oauth2-bearer +- http2: use the correct function pointer typedef - The option '--bearer' might be slightly ambiguous in name. It doesn't - create any conflict that I am aware of at the moment, however, OAUTH v2 - is not the only authentication mechanism which uses "bearer" tokens. + Fixes gcc-8 picky compiler warnings + Reported-by: Rikard Falkeborn + Bug: #2560 + Closes #2568 + +- CODE_STYLE: mention return w/o parens, but sizeof with - Reported-by: Kyle L. Huff - URL: http://curl.haxx.se/mail/lib-2013-10/0064.html + ... and remove the github markdown syntax so that it renders better on + the web site. Also, don't use back-ticks inlined to allow the CSS to + highlight source code better. -- [Kamil Dudka brought this change] +- [Rikard Falkeborn brought this change] - ssh: improve the logic for detecting blocking direction + examples: Fix format specifiers - This fixes a regression introduced by commit 0feeab78 limiting the speed - of SCP upload to 16384 B/s on a fast connection (such as localhost). - -Dan Fandrich (12 Oct 2013) -- Fixed typo in Makefile.inc that left http2.h out of the tar ball + Closes #2561 -Daniel Stenberg (11 Oct 2013) -- [Heinrich Schaefer brought this change] +- [Rikard Falkeborn brought this change] - minor fix in doc + tool: Fix format specifiers -- [Gisle Vanem brought this change] +- [Rikard Falkeborn brought this change] - curl_setup_once: fix errno access for lwip on Windows - - lib/curl_setup_once.h assumed lwIP on Windows uses 'SetLastError()' to - set network errors. It doesn't; it uses 'errno'. 
+ ntlm: Fix format specifiers -- test1239: verify 4cd444e01ad and the simulated 304 response +- [Rikard Falkeborn brought this change] -- [Derek Higgins brought this change] + tests: Fix format specifiers - HTTP: Output http response 304 when modified time is too old - - When using the -w '%{http_code}' flag and simulating a Not Modified then - 304 should be output. +- [Rikard Falkeborn brought this change] -- contributors: helper script to dig out contributors from git + lib: Fix format specifiers -- RELEASE-NOTES: add twos refs to bug reports +- contributors.sh: use "on github", not at -- RELEASE-NOTES: synced with 173160c0d068 +- http2: getsock fix for uploads + + When there's an upload in progress, make sure to wait for the socket to + become writable. + + Detected-by: steini2000 on github + Bug: #2520 + Closes #2567 -Nick Zitzmann (2 Oct 2013) -- darwinssl: block TLS_RSA_WITH_NULL_SHA256 cipher +- pingpong: fix response cache memcpy overflow - Credit (for catching a cipher I forgot to add to the blocked ciphers list): - https://www.ssllabs.com/ssltest/viewMyClient.html + Response data for a handle with a large buffer might be cached and then + used with the "closure" handle when it has a smaller buffer and then the + larger cache will be copied and overflow the new smaller heap based + buffer. + + Reported-by: Dario Weisser + CVE: CVE-2018-1000300 + Bug: https://curl.haxx.se/docs/adv_2018-82c2.html -Daniel Stenberg (2 Oct 2013) -- OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER +- http: restore buffer pointer when bad response-line is parsed + + ... leaving the k->str could lead to buffer over-reads later on. - Setting only CURLOPT_SSL_VERIFYHOST without CURLOPT_SSL_VERIFYPEER set - should still verify that the host name fields in the server certificate - is fine or return failure. + CVE: CVE-2018-1000301 + Assisted-by: Max Dymond - Bug: http://curl.haxx.se/mail/lib-2013-10/0002.html - Reported-by: Ishan SinghLevett + Detected by OSS-Fuzz. 
+ Bug: https://curl.haxx.se/docs/adv_2018-b138.html + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 -- KNOWN_BUGS: #84: CURLINFO_SSL_VERIFYRESULT +Patrick Monnerat (13 May 2018) +- cookies: do not take cookie name as a parameter - CURLINFO_SSL_VERIFYRESULT is only implemented for the OpenSSL and NSS - backends and not for any other! + RFC 6265 section 4.2.1 does not set restrictions on cookie names. + This is a follow-up to commit 7f7fcd0. + Also explicitly check proper syntax of cookie name/value pair. + + New test 1155 checks that cookie names are not reserved words. + + Reported-By: anshnd at github + Fixes #2564 + Closes #2566 -- [François Charlier brought this change] +Daniel Stenberg (12 May 2018) +- smb: reject negative file sizes + + Assisted-by: Max Dymond + + Detected by OSS-Fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245 - xattr: add support for FreeBSD xattr API +- setup_transfer: deal with both sockets being -1 + + Detected by Coverity; CID 1435559. Follow-up to f8d608f38d00. It would + index the array with -1 if neither index was a socket. -- curl_easy_setopt.3: slight clarification of SEEKFUNCTION +- travis: add build using NSS + + Closes #2558 -Steve Holme (29 Sep 2013) -- tests: Fixed typos from commit 25a0c96a494297 +- [Sunny Purushe brought this change] -- tests: Updated email addresses in SMTP tests following recent changes + openssl: change FILE ops to BIO ops + + To make builds with VS2015 work. Recent changes in VS2015 _IOB_ENTRIES + handling is causing problems. This fix changes the OpenSSL backend code + to use BIO functions instead of FILE I/O functions to circumvent those + problems. 
+ + Closes #2512 -- test909: Removed custom EHLO response after recent changes +- travis: add a build using WolfSSL + + Assisted-by: Dan Fandrich - ...as it is no longer required following capability and authentication - changes and is now causing problems following commit 49341628b50007 as - the test number is obtained from the client address in the EHLO. + Closes #2528 -- ftpserver.pl: Fixed compilation error from commit 49341628b50007 +- RELEASE-NOTES: typo -- ftpserver.pl: Moved specifying the test number from the RCPT address +- RELEASE-NOTES: synced + +- [Daniel Gustafsson brought this change] + + URLs: fix one more http url - ...to the client address as this frees the RCPT strings to contain - just an email address and by passing the test number into curl as the - client address remains consistent with POP3 and IMAP tests as they are - specified in the URL. + This file wasn't included in commit 4af40b3646d3b09 which updated all + haxx.se http urls to https. The file was committed prior to that update, + but may have been merged after it and hence didn't get updated. + + Closes #2550 -- ftpserver.pl: Added unwanted argument check to SMTP DATA command handler +- github/lock: auto-lock closed issues after 90 days of inactivity -Daniel Stenberg (29 Sep 2013) -- getinmemory: remove a comment +- vtls: fix missing commas - The comment mentioned the need to free the data, but the example already - does that free + follow-up to e66cca046cef -- postinmemory: new example +- vtls: use unified "supports" bitfield member in backends - This is similar to getinmemory.c but with an initial POST. + ... instead of previous separate struct fields, to make it easier to + extend and change individual backends without having to modify them all. 
- Combined-by: Ulf Samuelsson + closes #2547 -- win32: fix Visual Studio 2010 build with WINVER >= 0x600 +- transfer: don't unset writesockfd on setup of multiplexed conns - If no WINVER and/or _WIN32_IWNNT define was set, the Windows platform - SDK often defaults to high value, e.g. 0x601 (whoch may probably depend - on the Windows version being used, in my case Windows 7). + Curl_setup_transfer() can be called to setup a new individual transfer + over a multiplexed connection so it shouldn't unset writesockfd. - If WINVER >= 0x600 then winsock2.h includes some defines for WSAPoll(), - e.g. POLLIN, POLLPRI, POLLOUT etc. These defines clash with cURL's - lib/select.h. + Bug: #2520 + Closes #2549 + +- [Frank Gevaerts brought this change] + + configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h - Make sure HAVE_STRUCT_POLLFD is defined then. + They are removed from the compiler flags. - Bug: http://curl.haxx.se/bug/view.cgi?id=1282 - Reported-by: "kdekker" - Patch-by: Marcel Raad - -Steve Holme (28 Sep 2013) -- ssluse.c: Fixed compilation warnings when ENGINE not supported + This ensures that make dependency tracking will force a rebuild whenever + configure --enable-debug or --enable-curldebug changes. - The function "ssl_ui_reader" was declared but never referenced - The function "ssl_ui_writer" was declared but never referenced + Closes #2548 -Daniel Stenberg (27 Sep 2013) -- configure: use icc options without space +- http: don't set the "rewind" flag when not uploading anything - The latest version(s) of the icc compiler no longer accept the extra - space in the -we (warning enable), -wd (warning disable), etc. + It triggers an assert. 
- Reported-by: Elmira A Semenova - Bug: http://curl.haxx.se/mail/lib-2013-09/0182.html + Detected by OSS-Fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144 + Closes #2546 -Steve Holme (25 Sep 2013) -- imap: Added clarification to the code about odd continuation responses - -- ftp.c: Fixed compilation warning +- travis: add an mbedtls build - There is an implicit conversion from "unsigned long" to "long" + Closes #2531 -- sasl: Centralised the authentication mechanism strings +- configure: only check for CA bundle for file-using SSL backends + + When only building with SSL backends that don't use the CA bundle file + (by default), skip the check. - Moved the standard SASL mechanism strings into curl_sasl.h rather than - hard coding the same values over and over again in the protocols that - use SASL authentication. + Fixes #2543 + Fixes #2180 + Closes #2545 + +- ssh-libssh.c: fix left shift compiler warning - For more information about the mechanism strings see: + ssh-libssh.c:2429:21: warning: result of '1 << 31' requires 33 bits to + represent, but 'int' only has 32 bits [-Wshift-overflow=] - http://www.iana.org/assignments/sasl-mechanisms + 'len' will never be that big anyway so I converted the run-time check to + a regular assert. -Daniel Stenberg (23 Sep 2013) -- RELEASE-NOTES: added recent contributors missing +- [Stephan Mühlstrasser brought this change] -Steve Holme (23 Sep 2013) -- test906: Fixed type-2 response + URL: fix ASCII dependency in strcpy_url and strlen_url + + Commit 3c630f9b0af097663a64e5c875c580aa9808a92b partially reverted the + changes from commit dd7521bcc1b7a6fcb53c31f9bd1192fcc884bd56 because of + the problem that strcpy_url() was modified unilaterally without also + modifying strlen_url(). As a consequence strcpy_url() was again + depending on ASCII encoding. 
+ + This change fixes strlen_url() and strcpy_url() in parallel to use a + common host-encoding independent criterion for deciding whether an URL + character must be %-escaped. + + Closes #2535 -- test915: Corrected test number from commit 22bccb0edaf041 +- [Denis Ollier brought this change] -- test906: Fixed type-1 message not handled error + docs: remove extraneous commas in man pages - ...from commit f81d1e16664976 due to copy paste error. + Closes #2544 -- tests: Added SMTP AUTH NTLM test +- RELEASE-NOTES: synced -- tests: Added SMTP multiple and invalid --mail-rcpt test +- Revert "TODO: remove configure --disable-pthreads" + + This reverts commit d5d683a97f9765bddfd964fe32e137aa6e703ed3. + + --disable-pthreads can be used to disable pthreads and get the threaded + resolver to use the windows threading when building with mingw. -- tests: Added SMTP multiple --mail-rcpt test +- vtls: don't define MD5_DIGEST_LENGTH for wolfssl + + ... as it defines it (too) -- tests: Added SMTP invalid --mail-rcpt test +- TODO: remove configure --disable-pthreads -- tests: Regrouping of SMTP tests +Jay Satiro (2 May 2018) +- [David Garske brought this change] -Daniel Stenberg (22 Sep 2013) -- [Benoit Sigoure brought this change] + wolfssl: Fix non-blocking connect + + Closes https://github.com/curl/curl/pull/2542 - test1112: Increase the timeout from 7s to 16s +Daniel Stenberg (30 Apr 2018) +- CURLOPT_URL.3: add ENCODING section [ci skip] - As someone reported on the mailing list a while back, the hard-coded - arbitrary timeout of 7s in test 1112 is not sufficient in some build - environments. At Arista Networks we build and test curl as part of our - automated build system, and we've run into this timeout 170 times so - far. Our build servers are typically quite busy building and testing a - lot of code in parallel, so despite being beefy machines with 32 cores - and 128GB of RAM we still hit this 7s timeout regularly. 
+ Feedback-by: Michael Kilburn + +- KNOWN_BUGS: Client cert with Issuer DN differs between backends - URL: http://curl.haxx.se/mail/lib-2010-02/0200.html + Closes #1411 -Steve Holme (22 Sep 2013) -- tests: Fixed smtp rcpt to addresses +- KNOWN_BUGS: Passive transfer tries only one IP address + + Closes #1508 + +- KNOWN_BUGS: --upload-file . hang if delay in STDIN + + Closes #2051 -- ftpserver.pl: Expanded the SMTP RCPT handler to validate TO addresses +- KNOWN_BUGS: Connection information when using TCP Fast Open - RCPT_smtp() will now check for a correctly formatted TO address which - allows for invalid recipient addresses to be added. + Closes #1332 -- ftpserver.pl: Added cURL SMTP server detection to HELO command handler +- travis: enable libssh2 on both macos and Linux + + It seems to not be detected by default anymore (which is a bug I + believe) - As curl will send a HELO command after an negative EHLO response, added - the same detection from commit b07709f7417c3e to the HELO handler to - ensure the test server is identified correctly and an upload isn't - performed. + Closes #2541 -- ftpserver.pl: Corrected response code for successful RCPT command +- TODO: Support the clienthello extension + + Closes #2299 -- ftpserver.pl: Moved invalid RCPT TO: address detection to RCPT handler +- TODO: CLOEXEC - Rather than detecting the TO address as missing in the DATA handler, - moved the detection to the RCPT command handler where an error response - can be generated. + Closes #2252 -- RELEASE-NOTES: Corrected missed addition +- tests: provide 'manual' as a feature to optionally require + + ... and make test 1026 rely on that feature so that --disable-manual + builds don't cause test failures. - Somehow commit 60a20461629fda missed the last item in the sync list - even though I'm sure I added it during editing. 
+ Reported-by: Max Dymond and Anders Roxell + Fixes #2533 + Closes #2540 + +- CURLINFO_PROTOCOL.3: mention the existing defined names -- RELEASE-NOTES: Synced with 6dd8bd8d2f9729 +Jay Satiro (27 Apr 2018) +- [Daniel Gustafsson brought this change] -- curl.1: Added information about optional login options to --user in manpage + cookies: remove unused macro - Added missing information, from curl 7.31.0, regarding the use of the - optional login options that may be specified as part of --user. + Commit 2bc230de63 made the macro MAX_COOKIE_LINE_TXT become unused, + so remove as it's not part of the published API. - For example: + Closes https://github.com/curl/curl/pull/2537 + +Daniel Stenberg (27 Apr 2018) +- [Daniel Gustafsson brought this change] + + checksrc: force indentation of lines after an else - --user 'user:password;auth=NTLM' in IMAP, POP3 and SMTP protocols. + This extends the INDENTATION case to also handle 'else' statements + and require proper indentation on the following line. Also fixes the + offending cases found in the codebase. + + Closes #2532 -- ftpserver.pl: Moved cURL SMTP server detection into EHLO command handler +- http2: fix null pointer dereference in http2_connisdead - Moved the special SMTP server detection code from the DATA command - handler, which happens further down the operation chain after EHLO, - MAIL and RCPT commands, to the EHLO command as it is the first command - to be generated by a SMTP operation as well as containing the special - "verifiedserver" string from the URL. + This function can get called on a connection that isn't setup enough to + have the 'recv_underlying' function pointer initialized so it would try + to call the NULL pointer. - This not only makes it easier and quicker to detect but also means that - cURL doesn't need to specify "verifiedserver" as --mail-from and - --mail-rcpt arguments. 
+ Reported-by: Dario Weisser - More importantly, this also makes the upcoming verification changes to - the RCPT handler easier to implement. + Follow-up to db1b2c7fe9b093f8 (never shipped in a release) + Closes #2536 -Daniel Stenberg (21 Sep 2013) -- openssl: use correct port number in error message +- http2: get rid of another strstr() - In ossl_connect_step2() when the "Unknown SSL protocol error" occurs, it - would output the local port number instead of the remote one which - showed when doing SSL over a proxy (but with the correct remote host - name). As libcurl only speaks SSL to the remote we know it is the remote - port. + Follow-up to 1514c44655e12e: replace another strstr() call done on a + buffer that might not be zero terminated - with a memchr() call, even if + we know the substring will be found. - Bug: http://curl.haxx.se/bug/view.cgi?id=1281 - Reported-by: Gordon Marler - -- test1415: adjusted to work for 32bit time_t + Assisted-by: Max Dymond - The libcurl date parser returns INT_MAX for all dates > 2037 so this - test is now made to use 2037 instead of 2038 to work the same for both - 32bit and 64bit time_t systems. - -Steve Holme (21 Sep 2013) -- tests: Reworked existing SMTP tests to be single recipient based + Detected by OSS-Fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021 - ...in preparation of upcoming multiple recipient tests. 
+ Closes #2534 -- ftpserver.pl: Corrected SMTP QUIT response to be more realistic +- cyassl: adapt to libraries without TLS 1.0 support built-in + + WolfSSL doesn't enable it by default anymore -Daniel Stenberg (20 Sep 2013) -- curl_easy_setopt.3: clarify that TIMEOUT and TIMEOUT_MS set the same value +- configure: provide --with-wolfssl as an alias for --with-cyassl -- [Kim Vandry brought this change] +- RELEASE-NOTES: synced - Documented --dns-* options in curl manpage +- [Daniel Gustafsson brought this change] -Steve Holme (20 Sep 2013) -- pop3: Added basic SASL XOAUTH2 support + os400.c: fix ASSIGNWITHINCONDITION checksrc warnings - Added the ability to use an XOAUTH2 bearer token [RFC6750] with POP3 for - authentication using RFC6749 "OAuth 2.0 Authorization Framework". + All occurrences of assignment within conditional expression in + os400sys.c rewritten into two steps: first assignment and then the check + on the success of the assignment. Also adjust related incorrect brace + positions to match project indentation style. - The bearer token is expected to be valid for the user specified in - conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has - an advertised auth mechanism of "XOAUTH2", the user and access token are - formatted as a base64 encoded string and sent to the server as - "AUTH XOAUTH2 <bearer token>". - -- curl: Added clarification to the --mail options in the --help output + This was spurred by seeing "if((inp = input_token))", but while in there + all warnings were fixed. - ... that these options apply to SMTP only. - -- ftpserver.pl: Moved SMTP RCPT response text into command handler + There should be no functional change from these changes. 
+ + Closes #2525 -- tests: Added SMTP invalid --mail-from test +- [Daniel Gustafsson brought this change] -Nick Zitzmann (19 Sep 2013) -- darwinssl: enable BEAST workaround on iOS 7 & later + cookies: ensure that we have cookies before writing jar - iOS 7 finally added the option to enable 1/n-1 when using TLS 1.0 - and a CBC cipher, so we now always turn that on unless the user - manually turns it off using CURLSSLOPT_ALLOW_BEAST. + The jar should be written iff there are cookies, so ensure that we still + have cookies after expiration to avoid creating an empty file. - It appears Apple also added some new PSK ciphers, but no interface to - use them yet, so we at least support printing them if we find them. + Closes #2529 -Steve Holme (19 Sep 2013) -- tests: Updated SMTP AUTH tests to use the new AUTH directive +- strcpy_url: only %-encode values >= 0x80 - ...rather than specify a customised EHLO response. - -- tests: Corrected test913 as the QUIT response is received - -- tests: Added SMTP large message SIZE test - -- ftpserver.pl: Updated email regex from commit 98f7ca7e971006 + OSS-Fuzz detected - ...to not be as strict as it was rejecting valid numeric email - addresses. 
- -- tests: Fixed smtp mail from addresses + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8000 + + Broke in dd7521bcc1b7 -- ftpserver.pl: Standardised CAPA and AUTH responses +- mime: avoid NULL pointer dereference risk + + Coverity detected, CID 1435120 + + Closes #2527 -- ftpserver.pl: Corrected POP3 QUIT reply to be more realistic +- [Stephan Mühlstrasser brought this change] -- runtests.pl: Fixed syntax error in commit c873375123343e + ctype: restore character classification for non-ASCII platforms - Possible unintended interpolation in string at line 796 - -- runtests.pl: Fixed smtp mail from address + With commit 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2 curl-speficic + character classification macros and functions were introduced in + curl_ctype.[ch] to avoid dependencies on the locale. This broke curl on + non-ASCII, e.g. EBCDIC platforms. This change restores the previous set + of character classification macros when CURL_DOES_CONVERSIONS is + defined. - Following changes to ftpserver.pl fixed the mail from address to be a - correctly formatted address otherwise the server response will be 501 - Invalid address. + Closes #2494 -- ftpserver.pl: Fixed syntax error in commit 98f7ca7e971006 +- ftplistparser: keep state between invokes - Can't modify constant item in scalar assignment line 779, near "0;" - -- ftpserver.pl: Expanded the SMTP MAIL handler to validate messages + Fixes FTP wildcard parsing when done over a number of read buffers. - MAIl_smtp() will now check for a correctly formatted FROM address as - well as the optional SIZE parameter comparing it against the server - capability when specified. - -Daniel Stenberg (17 Sep 2013) -- [YAMADA Yasuharu brought this change] - - cookies: add expiration + Regression from f786d1f14 - Implement: Expired Cookies These following situation, curl removes - cookie(s) from struct CookieInfo if the cookie expired. 
- - Curl_cookie_add() - - Curl_cookie_getlist() - - cookie_output() + Reported-by: wncboy on github + Fixes #2445 + Closes #2526 -Steve Holme (17 Sep 2013) -- ftpserver.pl: Corrected response code for successful MAIL command +- examples/http2-upload: expand buffer to avoid silly warning + + http2-upload.c:135:44: error: ‘%02d’ directive output may be truncated + writing between 2 and 11 bytes into a region of size between 8 and 17 -- ftpserver.pl: Moved SMTP MAIL handler into own function +- examples/sftpuploadresume: typecast fseek argument to long + + /docs/examples/sftpuploadresume.c:102:12: warning: conversion to 'long + int' from 'curl_off_t {aka long long int}' may alter its value -- dns: fix compilation with MinGW from commit df69440d05f113 +- Revert "ftplistparser: keep state between invokes" - Avoid 'interface' literal that some MinGW versions define as a macro + This reverts commit abbc8457d85aca74b7cfda1d394b0844932b2934. - Additionally, corrected some very, very minor coding style errors. + Caused fuzzer problems on travis not seen when this was a PR! -- tests: Fixed test 1406 following recent changes in ftpserver.pl +- Curl_memchr: zero length input can't match - By default the mail server doesn't send the SIZE capability but instead - it has to be specified as a supported capability. - -- tests: Added test for SMTP SIZE capability - -- ftpserver.pl: Added the ability to include spaces in capabilities + Avoids undefined behavior. - For example: + Reported-by: Geeknik Labs + +- ftplistparser: keep state between invokes - CAPA "SIZE 1048576" 8BITMIME BINARYMIME + Fixes FTP wildcard parsing when doing over a number of read buffers. 
- will populate the capabilities list with the following in: + Regression from f786d1f14 - SIZE 1048576 - 8BITMIME - BINARYMIME - -- ftpserver.pl: Corrected response code for successful SMTP QUIT command + Reported-by: wncboy on github + Fixes #2445 + Closes #2519 -- ftpserver.pl: Fixed syntax error in commit 33c1f2876b9029 +- ftplistparser: renamed some members and variables - Can't modify constant item in postincrement line 727, near "i++" + ... to make them better spell out what they're for. -- ftpserver.pl: Added CAPA & AUTH directive support to the SMTP EHLO handler +- RELEASE-NOTES: synced -- ftpserver.pl: Fixed SMTP QUIT handler from dadc495540946e +- [Christian Schmitz brought this change] -- ftpserver.pl: Moved SMTP EHLO and QUIT handlers in own functions + curl_global_sslset: always provide available backends + + Closes #2499 -- ftpserver.pl: Added support for SMTP HELO command +- http2: convert an assert to run-time check + + Fuzzing has proven we can reach code in on_frame_recv with status_code + not having been set, so let's detect that in run-time (instead of with + assert) and error error accordingly. - ...and updated test902 as explicit HELO response is no longer required. + (This should no longer happen with the latest nghttp2) + + Detected by OSS-Fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903 + Closes #2514 + +- curl.1: clarify that options and URLs can be mixed + + Fixes #2515 + Closes #2517 -- ftpserver.pl: Added mailbox check to IMAP SELECT handler +Jay Satiro (23 Apr 2018) +- [Archangel_SDY brought this change] -- ftpserver.pl: Corrected invalid user details check + CURLOPT_SSLCERT.3: improve WinSSL-specific usage info + + Ref: https://github.com/curl/curl/pull/2376#issuecomment-381858780 - ...in both the IMAP LOGIN and POP3 PASS handlers introduced in commit - 187ac693744949 and 84ad1569e5fc93 respectively. 
+ Closes https://github.com/curl/curl/pull/2504 -- ftpserver.pl: Moved IMAP LOGIN handler into own function +- [Archangel_SDY brought this change] -- ftpserver.pl: Moved POP3 USER and PASS handlers into own functions + schannel: fix build error on targets <= XP + + - Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't + support the latter. + + Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668 + + Closes https://github.com/curl/curl/pull/2504 -- ftpserver.pl: Corrected invalid argument check in POP3 TOP handler +Daniel Stenberg (23 Apr 2018) +- Revert "ftplistparser: keep state between invokes" - ...which was accidentally introduced in commit 4d6ef6297ae9b6. + This reverts commit 8fb78f9ddc6d858d630600059b8ad84a80892fd9. + + Unfortunately this fix introduces memory leaks I've not been able to fix + in several days. Reverting this for now to get the leaks fixed. -- ftpserver.pl: Added capability prerequisite for extended POP3 commands +Jay Satiro (21 Apr 2018) +- tool_help: clarify --max-time unit of time is seconds + + Before: + -m, --max-time <time> Maximum time allowed for the transfer + + After: + -m, --max-time <seconds> Maximum time allowed for the transfer -- tests: Updated descriptions to be more meaningful +Daniel Stenberg (20 Apr 2018) +- http2: handle GOAWAY properly + + When receiving REFUSED_STREAM, mark the connection for close and retry + streams accordingly on another/fresh connection. + + Reported-by: Terry Wu + Fixes #2416 + Fixes #1618 + Closes #2510 -- ftpserver.pl: Added support for IMAP NOOP command +- http2: clear the "drain counter" when a stream is closed + + This fixes the notorious "httpc->drain_total >= data->state.drain" + assert. 
+ + Reported-by: Anders Bakken + + Fixes #1680 + Closes #2509 -- imap: Fixed response check for NOOP command +- http2: avoid strstr() on data not zero terminated + + It's not strictly clear if the API contract allows us to call strstr() + on a string that isn't zero terminated even when we know it will find + the substring, and clang's ASAN check dislikes us for it. + + Also added a check of the return code in case it fails, even if I can't + think of a situation how that can trigger. + + Detected by OSS-Fuzz + Closes #2513 + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760 -- tests: Updated descriptions to be more meaningful +- [Stephan Mühlstrasser brought this change] -Daniel Stenberg (13 Sep 2013) -- curl.1: detail how short/long options work + openssl: fix subjectAltName check on non-ASCII platforms - URL: http://curl.haxx.se/bug/view.cgi?id=1279 - Suggested-by: Jerry Krinock + Curl_cert_hostcheck operates with the host character set, therefore the + ASCII subjectAltName string retrieved with OpenSSL must be converted to + the host encoding before comparison. + + Closes #2493 -Steve Holme (13 Sep 2013) -- curl: Fixed usage of DNS options when not using c-ares resolver +Jay Satiro (20 Apr 2018) +- openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messages + + - Support handling verbose-mode trace messages of type + SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS, + SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO, + SSL3_MT_MESSAGE_HASH - Commit 32352ed6adddcb introduced various DNS options, however, these - would cause curl to exit with CURLE_NOT_BUILT_IN when c-ares wasn't - being used as the backend resolver even if the options weren't set - by the user. + Reported-by: iz8mbw@users.noreply.github.com - Additionally corrected some minor coding style errors from the same - commit. 
+ Fixes https://github.com/curl/curl/issues/2403 -Daniel Stenberg (13 Sep 2013) -- curl_easy_setopt.3: mention RTMP URL quirks +Daniel Stenberg (19 Apr 2018) +- ftplistparser: keep state between invokes - URL: http://curl.haxx.se/bug/view.cgi?id=1278 - Reported-by: Gorilla Maguila + Regression from f786d1f14 + + Reported-by: wncboy on github + Fixes #2445 + Closes #2508 -- [Ben Greear brought this change] +- detect_proxy: only show proxy use if it had contents - curl: Add support for various DNS binding options. +- http2: handle on_begin_headers() called more than once - (Passed on to c-ares.) + This triggered an assert if called more than once in debug mode (and a + memory leak if not debug build). With the right sequence of HTTP/2 + headers incoming it can happen. - Allows something like this: + Detected by OSS-Fuzz - curl --dns-interface sta8 --dns-ipv4-addr 8.8.1.111 --interface sta8 \ - --localaddr 8.8.1.111 --dns-servers 8.8.8.1 www.google.com - - 
Signed-off-by: Ben Greear <greearb@candelatech.com> + Closes #2507 + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764 -- [Kim Vandry brought this change] +Jay Satiro (18 Apr 2018) +- [Dan McNulty brought this change] - libcurl: New options to bind DNS to local interfaces or IP addresses + schannel: add support for CURLOPT_CAINFO + + - Move verify_certificate functionality in schannel.c into a new + file called schannel_verify.c. Additionally, some structure defintions + from schannel.c have been moved to schannel.h to allow them to be + used in schannel_verify.c. + + - Make verify_certificate functionality for Schannel available on + all versions of Windows instead of just Windows CE. verify_certificate + will be invoked on Windows CE or when the user specifies + CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER. + + - In verify_certificate, create a custom certificate chain engine that + exclusively trusts the certificate store backed by the CURLOPT_CAINFO + file. + + - doc updates of --cacert/CAINFO support for schannel + + - Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString + when available. This implements a TODO in schannel.c to improve + handling of multiple SANs in a certificate. In particular, all SANs + will now be searched instead of just the first name. + + - Update tool_operate.c to not search for the curl-ca-bundle.crt file + when using Schannel to maintain backward compatibility. Previously, + any curl-ca-bundle.crt file found in that search would have been + ignored by Schannel. But, with CAINFO support, the file found by + that search would have been used as the certificate store and + could cause issues for any users that have curl-ca-bundle.crt in + the search path. + + - Update url.c to not set the build time CURL_CA_BUNDLE if the selected + SSL backend is Schannel. We allow setting CA location for schannel + only when explicitly specified by the user via CURLOPT_CAINFO / + --cacert. 
+ + - Add new test cases 3000 and 3001. These test cases check that the first + and last SAN, respectively, matches the connection hostname. New test + certificates have been added for these cases. For 3000, the certificate + prefix is Server-localhost-firstSAN and for 3001, the certificate + prefix is Server-localhost-secondSAN. + + - Remove TODO 15.2 (Add support for custom server certificate + validation), this commit addresses it. + + Closes https://github.com/curl/curl/pull/1325 -- libcurl.3: for multi interface connections are held in the multi handle +- schannel: fix warning + + - Fix warning 'integer from pointer without a cast' on 3rd arg in + CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer + type of the same size. - ... and a few more cleanups/clarifications + Follow-up to e35b025. + + Caught by Marc's CI builds. -Steve Holme (12 Sep 2013) -- ftpserver.pl: Fixed missing comma from 7fd84b14d219b1 +- [Jakub Wilk brought this change] -- ftpserver.pl: Fixed variable error introduced in 7fd84b14d219b1 + docs: fix typos - Global symbol "$mailbox" requires explicit package name + Closes https://github.com/curl/curl/pull/2503 -- ftpserver.pl: Added support for UID command +Daniel Stenberg (17 Apr 2018) +- RELEASE-NOTES: synced -- ftpserver.pl: Added support for LSUB command +Jay Satiro (17 Apr 2018) +- [Kees Dekker brought this change] -- imap: Fixed response check for LSUB and UID commands + winbuild: Support custom devel paths for each dependency + + - Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2, + OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH, + NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH. + + - Use lib.exe for making the static library instead of link.exe /lib. + The latter is undocumented and could cause problems as noted in the + comments. + + - Remove a dangling URL that no longer worked. (I was not able to find + the IDN download at MSDN/microsoft.com, so it seems to be removed.) 
+ + - Remove custom override for release-ssh2-ssl-dll-zlib configuration. + Nobody knows why it was there and as far as we can see is unnecessary. + + Closes https://github.com/curl/curl/pull/2474 -- ftpserver.pl: Added support for IMAP COPY command +Daniel Stenberg (17 Apr 2018) +- [Jess brought this change] -- ftpserver.pl: Added support for IMAP CLOSE and EXPUNGE commands + README.md: add backers and sponsors + + Closes #2484 -- ftpserver.pl: Added support for POP3 RSET command +- [Archangel_SDY brought this change] -- ftpserver.pl: Added the ability to remember what messages are deleted + schannel: add client certificate authentication - ...as this will be required for IMAP CLOSE and EXPUNGE commands as well - as the POP3 RSET command. + Users can now specify a client certificate in system certificates store + explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"` + + Closes #2376 + +Marcel Raad (16 Apr 2018) +- [toughengineer brought this change] -Daniel Stenberg (10 Sep 2013) -- NI_MAXSERV: remove all use of it + ntlm_sspi: fix authentication using Credential Manager - Solaris with the SunStudio Compiler is reportedly missing this define, - but as we're using it without any good reason on all the places it was - used I've now instead switched to just use sensible buffer sizes that - fit a 32 bit decimal number. Which also happens to be smaller than the - common NI_MAXSERV value which is 32 on most machines. + If you pass empty user/pass asking curl to use Windows Credential + Storage (as stated in the docs) and it has valid credentials for the + domain, e.g. + curl -v -u : --ntlm example.com + currently authentication fails. + This change fixes it by providing proper SPN string to the SSPI API + calls. 
- Bug: http://curl.haxx.se/bug/view.cgi?id=1277 - Reported-by: D.Flinkmann + Fixes https://github.com/curl/curl/issues/1622 + Closes https://github.com/curl/curl/pull/1660 -- http2: use the support HTTP2 draft version in the upgrade header +Daniel Stenberg (16 Apr 2018) +- configure: keep LD_LIBRARY_PATH changes local - ... instead of HTTP/2.0 to work fine with the nghttpx proxy/server. - -Steve Holme (10 Sep 2013) -- ldap.c: Fix compilation warning + ... only set it when we actually have to run tests to reduce its impact + on for example build commands etc. - warning: comparison between signed and unsigned integer expressions - -- [Jiri Hruska brought this change] - - imap/pop3/smtp: Speed up SSL connection initialization + Fixes #2490 + Closes #2492 - Don't wait for the next callback call (usually 1 second) before - continuing with protocol specific connection initialization. + Reported-by: Dmitry Mikhirev -- ldap.c: Corrected build error from commit 857f999353f333 +Marcel Raad (16 Apr 2018) +- urldata: make service names unconditional + + The ifdefs have become quite long. Also, the condition for the + definition of CURLOPT_SERVICE_NAME and for setting it from + CURLOPT_SERVICE_NAME have diverged. We will soon also need the two + options for NTLM, at least when using SSPI, for + https://github.com/curl/curl/pull/1660. + Just make the definitions unconditional to make that easier. 
+ + Closes https://github.com/curl/curl/pull/2479 -- RELEASE-NOTES: Corrected duplicate in bfefe2400a16b8 +Daniel Stenberg (16 Apr 2018) +- test1148: tolerate progress updates better + + Fixes #2446 + Closes #2488 -- RELEASE-NOTES: Corrected typo from bfefe2400a16b8 +- [Christian Schmitz brought this change] -- RELEASE-NOTES: synced with 25c68903756d6b + ssh: show libSSH2 error code when closing fails + + Closes #2500 -Daniel Stenberg (10 Sep 2013) -- README.http2: explain nghttp2 a little +Jay Satiro (15 Apr 2018) +- [Daniel Gustafsson brought this change] -Steve Holme (9 Sep 2013) -- tests: Added test for POP3 TOP command + vauth: Fix typo + + Address various spellings of "credentials". + + Closes https://github.com/curl/curl/pull/2496 -- ftpserver.pl: Added support for POP3 TOP command +- [Dagobert Michelsen brought this change] -- tests: Added test for POP3 UIDL command + system.h: Add sparcv8plus to oracle/sunpro 32-bit detection + + With specific compiler options selecting the arch like -xarch=sparc on + newer compilers like Oracle Studio 12.4 there is no definition of + __sparcv8 but __sparcv8plus which means the V9 ISA, but limited to the + 32ÎíÎñbit subset defined by the V8plus ISA specification, without the + Visual Instruction Set (VIS), and without other implementation-specific + ISA extensions. So it should be the same as __sparcv8. + + Closes https://github.com/curl/curl/pull/2491 -- ftpserver.pl: Added support for POP3 UIDL command +- [Daniel Gustafsson brought this change] -Daniel Stenberg (9 Sep 2013) -- http2: adjust to new nghttp2_pack_settings_payload proto + checksrc: Fix typo - This function was modified in nghttp2 git commit a1c3f89c72e51 + Fix typo in "semicolon" spelling and remove stray tab character. 
+ + Closes https://github.com/curl/curl/pull/2498 + +- [Daniel Gustafsson brought this change] -Kamil Dudka (9 Sep 2013) -- url: handle abortion by read/write callbacks, too + all: Refactor malloc+memset to use calloc - Otherwise, the FTP protocol would unnecessarily hang 60 seconds if - aborted in the CURLOPT_HEADERFUNCTION callback. + When a zeroed out allocation is required, use calloc() rather than + malloc() followed by an explicit memset(). The result will be the + same, but using calloc() everywhere increases consistency in the + codebase and avoids the risk of subtle bugs when code is injected + between malloc and memset by accident. - Reported by: Tomas Mlcoch - Bug: https://bugzilla.redhat.com/1005686 + Closes https://github.com/curl/curl/pull/2497 -Daniel Stenberg (9 Sep 2013) -- ldap: fix the build for systems with ldap_url_parse() +Daniel Stenberg (12 Apr 2018) +- duphandle: make sure CURLOPT_RESOLVE is duplicated fine too - Make sure that the custom struct fields are only used by code that - doesn't use a struct defintion from the outside. + Verified in test 1502 now - Attempts to fix the problem introduced in 3dc6fc42bfc61b + Fixes #2485 + Closes #2486 + Reported-by: Ernst Sjöstrand -Steve Holme (9 Sep 2013) -- [Jiri Hruska brought this change] +- mailmap: add a monnerat fixup [ci skip] - pingpong: Check SSL library buffers for already read data +- proxy: show getenv proxy use in verbose output - Otherwise the connection can get stuck during various phases, waiting - for new data on the socket using select() etc., but it will never be - received as the data has already been read into SSL library. - -- imap: Fixed calculation of transfer when partial FETCH received + ... to aid debugging etc as it sometimes isn't immediately obvious why + curl uses or doesn't use a proxy. - The transfer size would be calculated incorrectly if the email contained - within the FETCH response, had been partially received by the pingpong - layer. 
As such the following, example output, would be seen if the - amount remaining was smaller than the amount received: + Inspired by #2477 - * Excess found in a non pipelined read: excess = 1394, size = 262, - maxdownload = 262, bytecount = 1374 - * transfer closed with -1112 bytes remaining to read + Closes #2480 + +- travis: build libpsl and make builds use it - Bug: http://curl.haxx.se/mail/lib-2013-08/0170.html - Reported-by: John Dunn + closes #2471 -- ftpserver.pl: Fixed empty array checks +- travis: bump to clang 6 and gcc 7 - ...from commits 28427b408326a1 and e8313697b6554b. + Extra-eye-on-this-by: Marcel Raad + + Closes #2478 -- ftpserver: Reworked AUTH support to allow for specifying the mechanisms +Marcel Raad (10 Apr 2018) +- travis: use trusty for coverage build - Renamed SUPPORTAUTH to AUTH and added support for specifying a list of - supported SASL mechanisms to return to the client. + This works now and precise is in the process of being decommissioned. - Additionally added the directive to the FILEFORMAT document. + Closes https://github.com/curl/curl/pull/2476 -- ftpserver: Reworked CAPA support to allow for specifying the capabilities +- lib: silence null-dereference warnings - Renamed SUPPORTCAPA to CAPA and added support for specifying a list of - supported capabilities to return to the client. + In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings + when dereferencing pointers after DEBUGASSERT-ing that they are not + NULL. + Fix this by removing the DEBUGASSERTs. - Additionally added the directive to the FILEFORMAT document. + Suggested-by: Daniel Stenberg + Ref: https://github.com/curl/curl/pull/2463 + +- [Kees Dekker brought this change] -- ftpserver.pl: Corrected POP3 LIST as message numbers should be contiguous + winbuild: fix URL - The message numbers given in the LIST response are an index into the - list, which are only valid for the current session, rather than being a - unique message identifier. 
An index would only be missing from the LIST - response if a DELE command had been issued within the same session and - had not been committed by the end of session QUIT command. Once - committed the POP3 server will regenerate the message numbers in the - next session to be contiguous again. As such our LIST response should - list message numbers contiguously until we support a DELE command in the - same session. + Follow up on https://github.com/curl/curl/pull/2472. + Now using en-us instead of nl-nl as language code in the URL. - Should a POP3 user require the unique message ID for any or all - messages then they should use the extended UIDL command. This command - will be supported by the test ftpserver in an upcoming commit. + Closes https://github.com/curl/curl/pull/2475 -Daniel Stenberg (8 Sep 2013) -- [Clemens Gruber brought this change] +Daniel Stenberg (9 Apr 2018) +- [Kees Dekker brought this change] - curl_easy_pause: suggest one way to unpause + winbuild: updated the documentation + + The setenv command no longer exists and visual studio build prompts got + changed. Used Visual Studio 2015/2017 as reference. + + Closes #2472 -Steve Holme (8 Sep 2013) -- tests: Updated descriptions to be more meaningful +- test1136: fix cookie order after commit c990eadd1277 -- tests: Added test for POP3 NOOP command +- build: cleanup to fix clang warnings/errors + + unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a + cast from integer to pointer is a GNU extension + + Reported-by: Rikard Falkeborn + + Fixes #2466 + Closes #2468 -- ftpserver.pl: Added support for POP3 NOOP command +Jay Satiro (7 Apr 2018) +- examples/sftpuploadresmue: Fix Windows large file seek + + - Use _fseeki64 instead of fseek (long) to seek curl_off_t in Windows. + + - Use CURL_FORMAT_CURL_OFF_T specifier instead of %ld to print + curl_off_t. + + Caught by Marc's CI builds. 
-- ftpserver.pl: Fixed 'Use of uninitialized value $args in string ne' +Daniel Stenberg (7 Apr 2018) +- curl_setup: provide a CURL_SA_FAMILY_T type if none exists + + ... and use this type instead of 'sa_family_t' in the code since several + platforms don't have it. + + Closes #2463 -- tests: Added test for POP3 STAT command +- [Eric Gallager brought this change] -- ftpserver.pl: Added support for POP STAT command + build: add picky compiler warning flags for gcc 6 and 7 -- ftpserver.pl: Moved POP3 QUIT handler into own function +- configure: detect sa_family_t -- ftpserver.pl: Reordered the POP3 handlers to be alphabetical - - In preparation for additional POP3 tests, re-ordered the command - function defintions to be sorted alphabetically. +Jay Satiro (7 Apr 2018) +- [Stefan Agner brought this change] -- ftpserver.pl: Corrected misaligned indentation in POP3 handlers + tool_operate: Fix retry on FTP 4xx to ignore other protocols + + Only treat response code as FTP response codes in case the + protocol type is FTP. + + This fixes an issue where an HTTP download was treated as FTP + in case libcurl returned with 33. This happens when the + download has already finished and the server responses 416: + HTTP/1.1 416 Requested Range Not Satisfiable - Fixed incorrect indentation used in both the RETR_pop3 and LIST_pop3 - functions which was 5 and 9 characters rather than 4 and 8. + This should not be treated as an FTP error. + + Fixes #2464 + Closes #2465 -- tests: Added test for POP3 DELE command +Daniel Stenberg (6 Apr 2018) +- hash: calculate sizes with size_t instead of longs + + ... since they return size_t anyway! 
+ + closes #2462 -unknown (7 Sep 2013) -- [Steve Holme brought this change] +- RELEASE-NOTES: synced - ftpserver.pl: Added support for POP3 DELE command +- [Jay Satiro brought this change] -Daniel Stenberg (7 Sep 2013) -- http2: include curl_memory.h + build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15 - Detected by test 1132 - -Nick Zitzmann (7 Sep 2013) -- http: fix build warning under LLVM + .. and do the same for build-wolfssl.bat. + + Because MS calls it VC14.1. - When building the code using LLVM Clang without NGHTTP2, I was getting - this warning: - ../lib/http.h:155:1: warning: empty struct is a GNU extension [-Wgnu] - Placing a dummy variable into the data structure silenced the warning. + Closes https://github.com/curl/curl/pull/2189 -Daniel Stenberg (7 Sep 2013) -- http2: actually init nghttp2 and send HTTP2-Settings properly +- [Kees Dekker brought this change] -- README.http2: how to use it best with the multi API? + winbuild: make the clean target work without build-type + + Due to the check in Makefile.vc and MakefileBuild.vc, no make call can + be invoked unless a build-type was specified. However, a clean target + only existed when a build type was specified. As a result, the clean + target was unreachable. Made clean target unconditional. + + Closes #2455 -- http2: first embryo toward Upgrade: +- [patelvivekv1993 brought this change] -- http: rename use_http_1_1 to use_http_1_1plus + build-openssl.bat: allow custom paths for VS and perl - Since it now actually says if 1.1 or a later version should be used. + Fixes #2430 + Closes #2457 -- configure: improve CURL_CHECK_COMPILER_PROTOTYPE_MISMATCH +- [Laurie Clark-Michalek brought this change] + + FTP: allow PASV on IPv6 connections when a proxy is being used + + In the situation of a client connecting to an FTP server using an IPv6 + tunnel proxy, the connection info will indicate that the connection is + IPv6. 
However, because the server behing the proxy is IPv4, it is + permissable to attempt PSV mode. In the case of the FTP server being + IPv4 only, EPSV will always fail, and with the current logic curl will + be unable to connect to the server, as the IPv6 fwdproxy causes curl to + think that EPSV is impossible. - The compiler test used a variable before it was assigned when it tried - to see how it acts on a mismatching prototype, which could cause a false - positive. + Closes #2432 -- [Petr Písař brought this change] +- [Jon DeVree brought this change] - Pass password to OpenSSL engine by user interface + file: restore old behavior for file:////foo/bar URLs - Recent OpenSSL uses user interface abstraction to negotiate access to - private keys in the cryprographical engines. An OpenSSL application is - expected to implement the user interface. Otherwise a default one - provided by OpenSSL (interactive standard I/O) will be used and the - aplication will have no way how to pass a password to the engine. + curl 7.57.0 and up interpret this according to Appendix E.3.2 of RFC + 8089 but then returns an error saying this is unimplemented. This is + actually a regression in behavior on both Windows and Unix. - Longer-desc: http://curl.haxx.se/mail/lib-2013-08/0265.html - -- urlglob: improved error messages and column number on bad use + Before curl 7.57.0 this URL was treated as a path of "//foo/bar" and + then passed to the relevant OS API. This means that the behavior of this + case is actually OS dependent. - Introduce a convenience macro and keep of the column better so that it - can point out the offending column better. + The Unix path resolution rules say that the OS must handle swallowing + the extra "/" and so this path is the same as "/foo/bar" - Updated test 75 accordingly. - -- urlglob: avoid error code translation + The Windows path resolution rules say that this is a UNC path and + automatically handles the SMB access for the program. 
So curl on Windows + was already doing Appendix E.3.2 without any special code in curl. + + Regression - By using the correct values from the start we don't have to translate - them! + Closes #2438 -- urlglob: avoid NULL pointer dereference +- [Gaurav Malhotra brought this change] + + Revert "openssl: Don't add verify locations when verifypeer==0" + + This reverts commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb. - Thanks to clang-analyzer + libcurl (with the OpenSSL backend) performs server certificate verification + even if verifypeer == 0 and the verification result is available using + CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the + CURLINFO_SSL_VERIFYRESULT to not have useful information for the + verifypeer == 0 use case (it would always have + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY). + + Closes #2451 -- [Gisle Vanem brought this change] +- [Wyatt O'Day brought this change] - http2: use correct include for snprintf + tls: fix mbedTLS 2.7.0 build + handle sha256 failures - Using the first little merge of nghttp2 into libcurl, I stumbeled on the - missing 'snprintf' in MSVCRT. Isn't this how we do it for other libcurl - files? I.e. use 'curl_msnprintf' and not 'snprintf' directly: + (mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED) + + Closes #2453 -- --data: mention CRLF treatment when reading from file +- [Lauri Kasanen brought this change] -- [Geoff Beier brought this change] + cookie: case-insensitive hashing for the domains + + closes #2458 - LDAP: fix bad free() when URL parsing failed +Patrick Monnerat (4 Apr 2018) +- cookie: fix and optimize 2nd top level domain name extraction - When an error occurs parsing an LDAP URL, The ludp->lud_attrs[i] entries - could be freed even though they sometimes point to data within an - allocated area. + This fixes a segfault occurring when a name of the (invalid) form "domain..tld" + is processed. 
- This change introduces a lud_attrs_dup[] array for the duplicated string - pointers, and it removes the unused lud_exts array. + test46 updated to cover this case. - Bug: http://curl.haxx.se/mail/lib-2013-08/0209.html - -Nick Zitzmann (5 Sep 2013) -- darwinssl: add support for PKCS#12 files for client authentication + Follow-up to commit c990ead. - I also documented the fact that the OpenSSL engine also supports them. + Ref: https://github.com/curl/curl/pull/2440 -Daniel Stenberg (5 Sep 2013) -- symbols: added HTTP2 symbols and sorted list +Daniel Stenberg (4 Apr 2018) +- openssl: provide defines for argument typecasts to build warning-free - CURL_HTTP_VERSION_2_0 and CURL_VERSION_HTTP2 are new + ... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types. -- configure: add HTTP2 as a curl-config --feature output - - Fixes the test 1014 failure +- [Bernard Spil brought this change] -- curl: unbreak --http1.0 again + openssl: fix build with LibreSSL 2.7 - I broke it in 2eabb7d590 - -- SASL: fix compiler warnings + - LibreSSL 2.7 implements (most of) OpenSSL 1.1 API - comparison between signed and unsigned integer expressions + Fixes #2319 + Closes #2447 + Closes #2448 - suggest parentheses around '&&' within '||' (twice) + 
Signed-off-by: Bernard Spil <brnrd@FreeBSD.org> -- curl: add --http1.1 and --http2.0 options +- [Lauri Kasanen brought this change] -- Curl_setopt: refuse CURL_HTTP_VERSION_2_0 if built without support + cookie: store cookies per top-level-domain-specific hash table + + This makes libcurl handle thousands of cookies much better and speedier. + + Closes #2440 -- http2: add http2.[ch] and add nghttp2 version output +- [Lauri Kasanen brought this change] -- curl -V: output HTTP2 as a feature if present + cookies: when reading from a file, only remove_expired once + + This drops the cookie load time for 8k cookies from 178ms to 15ms. + + Closes #2441 -- curl.h: add CURL_VERSION_HTTP2 as a feature +- test1148: set a fixed locale for the test + + ...as otherwise it might use a different decimal sign. - It isn't added as a separate protocol as HTTP2 will be done over HTTP:// - URLs that can be upgraded to HTTP2 if the server supports it as well. + Bug: #2436 + Reported-by: Oumph on github -Steve Holme (4 Sep 2013) -- imap/smtp: Fixed incorrect SASL mechanism selection with XOAUTH2 servers +Jay Satiro (31 Mar 2018) +- docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T - XOAUTH2 would be selected in preference to LOGIN and PLAIN if the IMAP - or SMTP server advertised support for it even though a user's password - was supplied but bearer token wasn't. + - Put a percent sign before each CURL_FORMAT_CURL_OFF_T in printf. - Modified the selection logic so that XOAUTH2 will only be selected if - the server supports it and A) The curl user/libcurl programmer has - specifically asked for XOAUTH via the ;AUTH=XOAUTH login option or 2) - The bearer token is specified. Obviously if XOAUTH is asked for via - the login option but no token is specified the user will receive a - authentication failure which makes more sense than no known - authentication mechanisms supported! + For example "%" CURL_FORMAT_CURL_OFF_T becomes %lld or similar. 
+ + Bug: https://curl.haxx.se/mail/lib-2018-03/0140.html + Reported-by: David L. + +Sergei Nikulov (27 Mar 2018) +- [Michał Janiszewski brought this change] -Daniel Stenberg (4 Sep 2013) -- curl.h: added CURL_HTTP_VERSION_2_0 + cmake: Add advapi32 as explicit link library for win32 + + ARM targets need advapi32 explicitly. - Initial library considerations documented in lib/README.http2 + Closes #2363 -- configure: added --with-nghttp2 +Daniel Stenberg (27 Mar 2018) +- TODO: connection cache sharing is now supporte -- acinclude: fix --without-ca-path when cross-compiling +Jay Satiro (26 Mar 2018) +- travis: enable apt retry on fail - The commit 7b074a460b64811 to CURL_CHECK_CA_BUNDLE in 7.31 (don't check - for paths when cross-compiling) causes --without-ca-path to no longer - works when cross-compiling, since ca and capath only ever get set to - "no" when not cross-compiling, I attach a patch that works for me. Also - in the cross-compilation case, no ca-path seems to be a better default - (IMVHO) than empty ca-path. + This is a workaround for an unsolved travis issue that is causing CI + instances to sporadically fail due to 'unable to connect' issues during + apt stage. - Bug: http://curl.haxx.se/bug/view.cgi?id=1273 - Patch-by: Stefan Neis + Ref: https://github.com/travis-ci/travis-ci/issues/8507 + Ref: https://github.com/travis-ci/travis-ci/issues/9112#issuecomment-376305909 -Steve Holme (2 Sep 2013) -- lib1512.c: Fixed compilation warning +Michael Kaufmann (26 Mar 2018) +- runtests.pl: fix warning 'use of uninitialized value' - An enumerated type is mixed with another type. + follow-up to a9a7b60 - ...as well as a small coding style error. + Closes #2428 -Guenter Knauf (1 Sep 2013) -- Killed warning 'res' might be used uninitialized. 
+Daniel Stenberg (24 Mar 2018) +- gitignore: ignore more generated files -Steve Holme (1 Sep 2013) -- url.c: Fixed compilation warning +- threaded resolver: track resolver time and set suitable timeout values - An enumerated type is mixed with another type - -- easy.c: Fixed compilation warning + In order to make curl_multi_timeout() return suitable "sleep" times even + when there's no socket to wait for while the name is being resolved in a + helper thread. - warning: `code' might be used uninitialized in this function - -Daniel Stenberg (31 Aug 2013) -- -x: rephrased the --proxy section somewhat + It will increases the timeouts as time passes. + + Closes #2419 -Steve Holme (31 Aug 2013) -- tests: Added test for IMAP CHECK command +- [Howard Chu brought this change] -- ftpserver.pl: Added support for the IMAP CHECK command + openldap: fix for NULL return from ldap_get_attribute_ber() + + Closes #2399 -Guenter Knauf (31 Aug 2013) -- Removed reference to krb4.c. +GitHub (22 Mar 2018) +- [Sergei Nikulov brought this change] -Steve Holme (31 Aug 2013) -- ftpserver.pl: Corrected flawed logic in commit 1ca6ed7b75cad0 + travis-ci: enable -Werror for CMake builds (#2418) -- imap: Fixed response check for EXPUNGE command +- [Sergei Nikulov brought this change] -- ftpserver.pl: Added argument check to IMAP command handlers + cmake: avoid warn-as-error during config checks (#2411) - Added BAD argument check to the following IMAP command handlers: + - Move the CURL_WERROR option processing after the configuration checks + to avoid failures in case of warnings during the configuration checks. - APPEND, STORE, LIST, EXAMINE, STATUS and SEARCH + This is a partial fix for #2358 -- ftpserver.pl: More whitespace corrections - - LIST_imap() had a second level of indentation at 9 characters and not 8. 
+- [Sergei Nikulov brought this change] -- ftpserver.pl: Small correction tidy up + timeval: remove compilation warning by casting (#2417) - Corrected some IMAP variable names and whitespace issues. + This is fixes #2358 -- [Kyle L. Huff brought this change] +Daniel Stenberg (22 Mar 2018) +- http2: read pending frames (including GOAWAY) in connection-check + + If a connection has received a GOAWAY frame while not being used, the + function now reads frames off the connection before trying to reuse it + to avoid reusing connections the server has told us not to use. + + Reported-by: Alex Baines + Fixes #1967 + Closes #2402 - docs: Added documentation for CURLOPT_BEARER +- [Bas van Schaik brought this change] -- [Kyle L. Huff brought this change] + CI: add lgtm.yml for tweaking lgtm.com analysis + + Closes #2414 - curl.1: Add usage of '--bearer' option +- CURLINFO_SSL_VERIFYRESULT.3: fix the example, add some text + + Reported-by: Michal Trybus + + Fixes #2400 -- tests: Added tests for IMAP CREATE, DELETE and RENAME commands +- TODO: expand ~/ in config files + + Closes #2317 -Daniel Stenberg (30 Aug 2013) -- ftpserver: Bareword "to_mailbox" not allowed +- cookie.d: mention that "-" as filename means stdin - Added missing $ + Reported-by: Dongliang Mu + Fixes #2410 -Steve Holme (30 Aug 2013) -- ftpserver.pl: Added support for IMAP CREATE, DELETE and RENAME commands +- CURLINFO_COOKIELIST.3: made the example not leak memory + + Reported-by: Muz Dima -Daniel Stenberg (29 Aug 2013) -- FTP: fix getsock during DO_MORE state +- vauth/cleartext: fix integer overflow check - ... when doing upload it would return the wrong values at times. This - commit attempts to cleanup the mess. + Make the integer overflow check not rely on the undefined behavior that + a size_t wraps around on overflow. 
- Bug: http://curl.haxx.se/mail/lib-2013-08/0109.html - Reported-by: Mike Mio + Detected by lgtm.com + Closes #2408 -- curl_multi_remove_handle: allow multiple removes +- lib/curl_path.h: add #ifdef header guard - When removing an already removed handle, avoid that to ruin the - internals and just return OK instead. + Detected by lgtm.com -Steve Holme (29 Aug 2013) -- ftpserver.pl: Updated IMAP EXAMINE handler to use dynamic test data +- vauth/ntlm.h: fix the #ifdef header guard + + Detected by lgtm.com -Daniel Stenberg (29 Aug 2013) -- unit1304: include memdebug and free everything correctly +Jay Satiro (20 Mar 2018) +- examples/hiperfifo: checksrc compliance -- Curl_parsenetrc: document that the arguments must be allocated +Daniel Stenberg (19 Mar 2018) +- [Nikos Tsipinakis brought this change] -- easy: rename struct monitor to socketmonitor - - 'struct monitor', introduced in 6cf8413e, already exists in an IRIX - header file (sys/mon.h) which gets included via various standard headers - by lib/easy.c + parsedate: support UT timezone - cc-1101 cc: ERROR File = ../../curl/lib/easy.c, Line = 458 - "monitor" has already been declared in the current scope. + RFC822 section 5.2 mentions Universal Time, 'UT', to be synonymous with + GMT. - Reported-by: Tor Arntsen + Closes #2401 -Steve Holme (29 Aug 2013) -- ftpserver.pl: Added SELECT check to IMAP FETCH and STORE handlers +- RELEASE-NOTES: synced -- ftpserver.pl: Corrected accidental move of logmsg() call - - Corrected the call to logmsg() in the IMAP SEARCH handler from commit - 4ae7b7ea691497 as it should have been outputting the what argument and - not the test number. +- [Don brought this change] -Daniel Stenberg (28 Aug 2013) -- ftpserver: add missing '}' from 4ae7b7ea69149 - -Steve Holme (28 Aug 2013) -- ftpserver.pl: Added SELECT check to IMAP SEARCH command + cmake: add support for brotli + + Currently CMake cannot detect Brotli support. This adds detection of the + libraries and associated header files. 
It also adds this to the + generated config. + + Closes #2392 -- ftpserver.pl: Fixed IMAP SEARCH command +- [Chris Araman brought this change] -Daniel Stenberg (28 Aug 2013) -- bump: next release is 7.33.0 due to added features + darwinssl: fix iOS build -- symbols-in-versions: add CURLOPT_XOAUTH2_BEARER +Patrick Monnerat (18 Mar 2018) +- ILE/RPG binding: Add CURLOPT_HAPROXYPROTOCOL/Fix CURLOPT_DNS_SHUFFLE_ADDRESSES -Steve Holme (28 Aug 2013) -- tests: Added test for IMAP SEARCH command +Daniel Stenberg (17 Mar 2018) +- [Rick Deist brought this change] -Daniel Stenberg (28 Aug 2013) -- valgrind.supp: fix for regular curl_easy_perform too + resolve: add CURLOPT_DNS_SHUFFLE_ADDRESSES - When we introduced curl_easy_perform_ev, this got a slightly modified - call trace. Without this, test 165 causes a false positive valgrind - error. - -- valgrind.supp: add the event-based call stack-trace too + This patch adds CURLOPT_DNS_SHUFFLE_ADDRESSES to explicitly request + shuffling of IP addresses returned for a hostname when there is more + than one. This is useful when the application knows that a round robin + approach is appropriate and is willing to accept the consequences of + potentially discarding some preference order returned by the system's + implementation. - Without this, test 165 triggers a valgrind error when ran with - curl_easy_perform_ev + Closes #1694 -- multi_socket: improved 100-continue timeout handling +- add_handle/easy_perform: clear errorbuffer on start if set - When waiting for a 100-continue response from the server, the - Curl_readwrite() will refuse to run if called until the timeout has been - reached. + To offer applications a more defined behavior, we clear the buffer as + early as possible. - We timeout code in multi_socket() allows code to run slightly before the - actual timeout time, so for test 154 it could lead to the function being - executed but refused in Curl_readwrite() and then the application would - just sit idling forever. 
+ Assisted-by: Jay Satiro - This was detected with runtests.pl -e on test 154. + Fixes #2190 + Closes #2377 -Steve Holme (27 Aug 2013) -- ftpserver.pl: Added support for IMAP SEARCH command - -- tool_operate.c: Fixed compilation warning - - warning: implicit declaration of function 'checkpasswd' +- [Lawrence Matthews brought this change] -- curl: Moved check for password out of get parameter loop + CURLOPT_HAPROXYPROTOCOL: support the HAProxy PROXY protocol - Moved the calls to checkpasswd() out of the getparameter() function - which allows for any related arguments to be specified on the command - line before or after --user (and --proxy-user). + Add --haproxy-protocol for the command line tool - For example: --bearer doesn't need to be specified before --user to - prevent curl from asking for an unnecessary password as is the case - with commit e7dcc454c67a2f. + Closes #2162 -- RELEASE-NOTES: synced with acf59be7f09a7 +- curl_version_info.3: fix ssl_version description + + Reported-by: Vincas Razma + Fixes #2364 -- [Kyle L. Huff brought this change] +- multi: improved pending transfers handling => improved performance + + When a transfer is requested to get done and it is put in the pending + queue when limited by number of connections, total or per-host, libcurl + would previously very aggressively retry *ALL* pending transfers to get + them transferring. That was very time consuming. + + By reducing the aggressiveness in how pending are being retried, we + waste MUCH less time on putting transfers back into pending again. + + Some test cases got a factor 30(!) speed improvement with this change. + + Reported-by: Cyril B + Fixes #2369 + Closes #2383 - curl: added --bearer option to help +- pause: when changing pause state, update socket state + + Especially unpausing a transfer might have to move the socket back to the + "currently used sockets" hash to get monitored. Otherwise it would never get + any more data and get stuck. 
Easily triggered with pausing using the + multi_socket API. - Added the --bearer option to the help output + Reported-by: Philip Prindeville + Bug: https://curl.haxx.se/mail/lib-2018-03/0048.html + Fixes #2393 + Closes #2391 -- [Kyle L. Huff brought this change] +- [Philip Prindeville brought this change] - curl: added basic SASL XOAUTH2 support + examples/hiperfifo.c: improved - Added the ability to specify an XOAUTH2 bearer token [RFC6750] via the - --bearer option. + * use member struct event’s instead of pointers to alloc’d struct + events - Example usage: - curl --url "imaps://imap.gmail.com:993/INBOX/;UID=1" --ssl-reqd - --bearer ya29.AHES6Z...OMfsHYI --user username@example.com - -- tool_urlglob.c: Fixed compiler warnings + * simplify the cases for the mcode_or_die() function via macros; - warning: 'variable' may be used uninitialized in this function - -Daniel Stenberg (26 Aug 2013) -- security.h: rename to curl_sec.h to avoid name collision + * make multi_timer_cb() actually do what the block comment says it + should; - I brought back security.h in commit bb5529331334e. As we actually - already found out back in 2005 in commit 62970da675249, the file name - security.h causes problems so I renamed it curl_sec.h instead. + * accept a “stop” command on the FIFO to shut down the service; + + * use cleaner notation for unused variables than the (void) hack; + + * allow following redirections (304’s); -- runtests.pl: allow -vc point to a separate curl binary to verify with +- rate-limit: use three second window to better handle high speeds + + Due to very frequent updates of the rate limit "window", it could + attempt to rate limit within the same milliseconds and that then made + the calculations wrong, leading to it not behaving correctly on very + fast transfers. - The specified curl binary will then be used to verify the running - server(s) instead of the development version. 
This is very useful in - some cases when the development version fails to verify correctly as - then the test case may not run at all. + This new logic updates the rate limit "window" to be no shorter than the + last three seconds and only updating the timestamps for this when + switching between the states TOOFAST/PERFORM. - The actual test will still be run with the "normal" curl executable - (unless the test case specifies something differently). + Reported-by: 刘佩东 + Fixes #2386 + Closes #2388 -Steve Holme (26 Aug 2013) -- [Kyle L. Huff brought this change] +- [luz.paz brought this change] - smtp: added basic SASL XOAUTH2 support + cleanup: misc typos in strings and comments - Added the ability to use an XOAUTH2 bearer token [RFC6750] with SMTP for - authentication using RFC6749 "OAuth 2.0 Authorization Framework". + Found via `codespell` - The bearer token is expected to be valid for the user specified in - conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has - an advertised auth mechanism of "XOAUTH2", the user and access token are - formatted as a base64 encoded string and sent to the server as - "AUTH XOAUTH2 <bearer token>". + Closes #2389 -- [Kyle L. Huff brought this change] +- RELEASE-NOTES: toward 7.60.0 - imap: added basic SASL XOAUTH2 support +- [Kobi Gurkan brought this change] + + http2: fixes typo - Added the ability to use an XOAUTH2 bearer token [RFC6750] with IMAP for - authentication using RFC6749 "OAuth 2.0 Authorization Framework". + Closes #2387 + +- user-agent.d:: mention --proxy-header as well - The bearer token is expected to be valid for the user specified in - conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has - an advertised auth mechanism of "XOAUTH2", the user and access token are - formatted as a base64 encoded string and sent to the server as - "A001 AUTHENTICATE XOAUTH2 <bearer token>". 
+ Bug: https://github.com/curl/curl/issues/2381 -- security.h: Fixed compilation warning +- transfer: make HTTP without headers count correct body size - ISO C forbids forward references to 'enum' types + This is what "HTTP/0.9" basically looks like. + + Reported on IRC + + Closes #2382 -Daniel Stenberg (26 Aug 2013) -- KNOWN_BUGS: refer to bug numbers with the existing number series +- test1208: marked flaky - The old numbers would still redirect but who knows for how long... + It fails somewhere between every 3rd to 10th travis-CI run -Steve Holme (25 Aug 2013) -- [Kyle L. Huff brought this change] +- SECURITY-PROCESS: mention how we write/add advisories - options: added basic SASL XOAUTH2 support +- [dasimx brought this change] + + FTP: fix typo in recursive callback detection for seeking - Added the ability to specify an XOAUTH2 bearer token [RFC6750] via the - option CURLOPT_XOAUTH2_BEARER for authentication using RFC6749 "OAuth - 2.0 Authorization Framework". + Fixes #2380 + +Version 7.59.0 (13 Mar 2018) -- [Kyle L. Huff brought this change] +Daniel Stenberg (13 Mar 2018) +- release: 7.59.0 - sasl: added basic SASL XOAUTH2 support +Kamil Dudka (13 Mar 2018) +- tests/.../spnego.py: fix identifier typo - Added the ability to generated a base64 encoded XOAUTH2 token - containing: "user=<username>^Aauth=Bearer <bearer token>^A^A" - as per RFC6749 "OAuth 2.0 Authorization Framework". + Detected by Coverity Analysis: + + Error: IDENTIFIER_TYPO: + curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo: + * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code. + * Identifier "SupportedMech" is referenced elsewhere at least 4 times. + curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech". 
+ curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech". + curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function). + curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"? + + Closes #2379 -Daniel Stenberg (25 Aug 2013) -- FTP: remove krb4 support +Daniel Stenberg (13 Mar 2018) +- CURLOPT_COOKIEFILE.3: "-" as file name means stdin - We've announced this pending removal for a long time and we've - repeatedly asked if anyone would care or if anyone objects. Nobody has - objected. It has probably not even been working for a good while since - nobody has tested/used this code recently. + Reported-by: Aron Bergman + Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html - The stuff in krb4.h that was generic enough to be used by other sources - is now present in security.h + [ci skip] -- easy: define away easy_events() for non-debug builds +- Revert "hostip: fix compiler warning: 'variable set but not used'" + + This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248. + + The assignment really needs to be there or we risk working with an + uninitialized pointer. -- FAQ: editorial updates +Michael Kaufmann (12 Mar 2018) +- limit-rate: fix compiler warning - Several language fixes. Several reformats that should make the HTML - generation of this document look better. + follow-up to 72a0f62 + +Viktor Szakats (12 Mar 2018) +- checksrc.pl: add -i and -m options - Reported-by: Dave Thompson + To sync it with changes made for the libssh2 project. + Also cleanup some whitespace. 
-- RELEASE-NOTES: synced with 22adb46a32bee +- curl-openssl.m4: fix spelling [ci skip] -- multi: move on from STATE_DONE faster +- FAQ: fix a broken URL [ci skip] + +Daniel Stenberg (12 Mar 2018) +- http2: mark the connection for close on GOAWAY - Make sure we always return CURLM_CALL_MULTI_PERFORM when we reach - CURLM_STATE_DONE since the state is transient and it can very well - continue executing as there is nothing to wait for. + ... don't consider it an error! - Bug: http://curl.haxx.se/mail/lib-2013-08/0211.html - Reported-by: Yi Huang + Assisted-by: Jay Satiro + Reported-by: Łukasz Domeradzki + Fixes #2365 + Closes #2375 -- curl.h: name space pollution by "enum type" - - Renamed to "enum curl_khtype" now. Will break compilation for programs - that rely on the enum name. +- credits: Viktor prefers without accent + +- openldap: white space changes, fixed up the copyright years + +- openldap: check ldap_get_attribute_ber() results for NULL before using - Bug: https://github.com/bagder/curl/pull/76 - Reported-by: Shawn Landden + CVE-2018-1000121 + Reported-by: Dario Weisser + Bug: https://curl.haxx.se/docs/adv_2018-97a2.html -- TFTP: make the CURLOPT_LOW_SPEED* options work +- FTP: reject path components with control codes - ... this also makes sure that the progess callback gets called more - often during TFTP transfers. + Refuse to operate when given path components featuring byte values lower + than 32. - Added test 1238 to verify. + Previously, inserting a %00 sequence early in the directory part when + using the 'singlecwd' ftp method could make curl write a zero byte + outside of the allocated buffer. - Bug: http://curl.haxx.se/bug/view.cgi?id=1269 - Reported-by: Jo3 + Test case 340 verifies. 
+ + CVE-2018-1000120 + Reported-by: Duy Phan Thanh + Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html -- tftpd: support "writedelay" within <servercmd> +- readwrite: make sure excess reads don't go beyond buffer end + + CVE-2018-1000122 + Bug: https://curl.haxx.se/docs/adv_2018-b047.html + + Detected by OSS-fuzz -- tftpd: convert 6 global variables into local ones +- BUGS: updated link to security process -- [Gisle Vanem brought this change] +- limit-rate: kick in even before "limit" data has been received + + ... and make sure to avoid integer overflows with really large values. + + Reported-by: 刘佩东 + Fixes #2371 + Closes #2373 + +- docs/SECURITY.md -> docs/SECURITY-PROCESS.md - curl_easy_perform_ev: make it CURL_EXTERN +- SECURITY.md: call it the security process + +Michael Kaufmann (11 Mar 2018) +- Curl_range: fix FTP-only and FILE-only builds - I build curl.exe (using MingW) with '-DCURLDEBUG' and by importing from - libcurl.dll. Which means the new curl_easy_perform_ev() must be - exported from libcurl.dll. + follow-up to e04417d + +- hostip: fix compiler warning: 'variable set but not used' -- CURLM_ADDED_ALREADY: new error code +Daniel Stenberg (11 Mar 2018) +- HTTP: allow "header;" to replace an internal header with a blank one - Doing curl_multi_add_handle() on an easy handle that is already added to - a multi handle now returns this error code. It previously returned - CURLM_BAD_EASY_HANDLE for this condition. + Reported-by: Michael Kaufmann + Fixes #2357 + Closes #2362 -- multi_init: moved init code here from add_handle +- http2: verbose output new MAX_CONCURRENT_STREAMS values - The closure_handle is "owned" by the multi handle and it is - unconditional so the setting up of it should be in the Curl_multi_handle - function rather than curl_multi_add_handle. + ... as it is interesting for many users. 
-- multi: remove dns cache creation code from *add_handle +- SECURITY: distros' max embargo time is 14 days now + +Patrick Monnerat (8 Mar 2018) +- curl tool: accept --compressed also if Brotli is enabled and zlib is not. + +Daniel Stenberg (5 Mar 2018) +- THANKS + mailmap: remove duplicates, fixup full names + +- [sergii.kavunenko brought this change] + + WolfSSL: adding TLSv1.3 - As it is done unconditionally in multi_init() this code will never run! + Closes #2349 -- curl_easy_perform_ev: debug/test function +- RELEASE-NOTES/THANKS: synced with cc1d4c505 + +- [Richard Alcock brought this change] + + winbuild: prefer documented zlib library names - This function is meant to work *exactly* as curl_easy_perform() but will - use the event-based libcurl API internally instead of - curl_multi_perform(). To avoid relying on an actual event-based library - and to not use non-portable functions (like epoll or similar), there's a - rather inefficient emulation layer implemented on top of Curl_poll() - instead. + Check for existence of import and static libraries with documented names + and use them if they do. Fallback to previous names. - There's currently some convenience logging done in curl_easy_perform_ev - which helps when tracking down problems. They may be suitable to remove - or change once things seem to be fine enough. + According to + https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on + Windows, the names of the import library is "zdll.lib" and static + library is "zlib.lib". - curl has a new --test-event option when built with debug enabled that - then uses curl_easy_perform_ev() instead of curl_easy_perform(). If - built without debug, using --test-event will only output a warning - message. + closes #2354 + +Marcel Raad (4 Mar 2018) +- krb5: use nondeprecated functions - NOTE: curl_easy_perform_ev() is not part if the public API on purpose. - It is only present in debug builds of libcurl and MUST NOT be considered - stable even then. 
Use it for libcurl-testing purposes only. + gss_seal/gss_unseal have been deprecated in favor of + gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first + version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June + 1996 already says "GSS_Wrap() (formerly GSS_Seal())" and + "GSS_Unwrap() (formerly GSS_Unseal())". - runtests.pl now features an -e command line option that makes it use - --test-event for all curl command line tests. The man page is updated. - -- [Gisle Vanem brought this change] + Use the nondeprecated functions to avoid deprecation warnings. + + [1] https://tools.ietf.org/html/rfc2078 + [2] https://tools.ietf.org/html/rfc1964 + + Closes https://github.com/curl/curl/pull/2356 - transfer: the recent sessionhandle change broke CURL_DOES_CONVERSIONS +Daniel Stenberg (4 Mar 2018) +- curl.1: mention how to add numerical IP addresses in NO_PROXY -- test1237: verify 1000+ letter user name + passwords +- CURLOPT_NOPROXY.3: mention how to list numerical IPv6 addresses -- [Jonathan Nieder brought this change] +- NO_PROXY: fix for IPv6 numericals in the URL + + Added test 1265 that verifies. + + Reported-by: steelman on github + Fixes #2353 + Closes #2355 - url: handle arbitrary-length username and password before '@' +- build: get CFLAGS (including -werror) used for examples and tests + + ... so that the CI and more detects compiler warnings/errors properly! - libcurl quietly truncates usernames, passwords, and options from - before an '@' sign in a URL to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) - characters to fit in fixed-size buffers on the stack. Allocate a - buffer large enough to fit the parsed fields on the fly instead to - support longer passwords. + Closes #2337 + +Marcel Raad (3 Mar 2018) +- curl_ctype: fix macro redefinition warnings - After this change, there are no more uses of MAX_CURL_OPTIONS_LENGTH - left, so stop defining that constant while at it. 
The hardcoded max - username and password length constants, on the other hand, are still - used in HTTP proxy credential handling (which this patch doesn't - touch). + On MinGW and Cygwin, GCC and clang have been complaining about macro + redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this + by undefining the macros before redefining them as suggested in + https://github.com/curl/curl/pull/2269. - Reported-by: Colby Ranger + Suggested-by: Daniel Stenberg -- [Jonathan Nieder brought this change] +Dan Fandrich (2 Mar 2018) +- unit1307: proper cleanup on OOM to fix torture tests - url: handle exceptional cases first in parse_url_login() +Marcel Raad (28 Feb 2018) +- unit1309: fix warning on Windows x64 - Instead of nesting "if(success)" blocks and leaving the reader in - suspense about what happens in the !success case, deal with failure - cases early, usually with a simple goto to clean up and return from - the function. + When targeting x64, MinGW-w64 complains about conversions between + 32-bit long and 64-bit pointers. Fix this by reusing the + GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic + from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST / + CURLX_INTEGER_TO_POINTER_CAST. - No functional change intended. The main effect is to decrease the - indentation of this function slightly. - -- [Jonathan Nieder brought this change] + Closes https://github.com/curl/curl/pull/2341 - Curl_setopt: handle arbitrary-length username and password +- travis: update compiler versions - libcurl truncates usernames, passwords, and options set with - curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters. - This doesn't affect the return value from curl_easy_setopt(), so from - the caller's point of view, there is no sign anything strange has - happened, except that authentication fails. + Update clang to version 3.9 and GCC to version 6. 
- For example: + Closes https://github.com/curl/curl/pull/2345 + +Daniel Stenberg (26 Feb 2018) +- docs/MANUAL: formfind.pl is not accessible on the site anymore - # Prepare a long (300-char) password. - s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s; - # Start a server. - nc -l -p 8888 | tee out & pid=$! - # Tell curl to pass the password to the server. - curl --user me:$s http://localhost:8888 & sleep 1; kill $pid - # Extract the password. - userpass=$( - awk '/Authorization: Basic/ {print $3}' <out | - tr -d '\r' | - base64 -d - ) - password=${userpass#me:} - echo ${#password} + Fixes #2342 + +Jay Satiro (24 Feb 2018) +- curl-openssl.m4: Fix version check for OpenSSL 1.1.1 - Expected result: 300 - Actual result: 255 + - Add OpenSSL 1.1.1 to the header/library version lists. - The fix is simple: allocate appropriately sized buffers on the heap - instead of trying to squeeze the provided values into fixed-size - on-stack buffers. + - Detect OpenSSL 1.1.1 library using its function ERR_clear_last_mark, + which was added in that version. - Bug: http://bugs.debian.org/719856 - Reported-by: Colby Ranger + Prior to this change an erroneous header/library mismatch was caused by + lack of OpenSSL 1.1.1 detection. I tested using openssl-1.1.1-pre1. -- [Jonathan Nieder brought this change] - - netrc: handle longer username and password +Viktor Szakats (23 Feb 2018) +- lib655: silence compiler warning - libcurl truncates usernames and passwords it reads from .netrc to - LOGINSIZE and PASSWORDSIZE (64) characters without any indication to - the user, to ensure the values returned from Curl_parsenetrc fit in a - caller-provided buffer. + Closes https://github.com/curl/curl/pull/2335 + +- spelling fixes - Fix the interface by passing back dynamically allocated buffers - allocated to fit the user's input. The parser still relies on a - 256-character buffer to read each line, though. + Detected using the `codespell` tool. 
- So now you can include an ~246-character password in your .netrc, - instead of the previous limit of 63 characters. + Also contains one URL protocol upgrade. - Reported-by: Colby Ranger + Closes https://github.com/curl/curl/pull/2334 -- [Jonathan Nieder brought this change] - - url: allocate username, password, and options on the heap +Daniel Stenberg (24 Feb 2018) +- projects/README: remove reference to dead IDN link/package + + Reported-by: Stefan Kanthak and Rod Widdowson - This makes it possible to increase the size of the buffers when needed - in later patches. No functional change yet. + Fixes #2325 -- [Jonathan Nieder brought this change] +Jay Satiro (23 Feb 2018) +- [Rod Widdowson brought this change] - url: use goto in create_conn() for exception handling + winbuild: Use macros for the names of some build utilities - Instead of remembering before each "return" statement which temporary - allocations, if any, need to be freed, take care to set pointers to - NULL when no longer needed and use a goto to a common block to exit - the function and free all temporaries. + - Add macros to the top of the makefile for rc and mt utilities so that + it is easier to change their locations. - No functional change intended. Currently the only temporary buffer in - this function is "proxy" which is already correctly freed when - appropriate, but there will be more soon. 
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html + Reported-by: Stefan Kanthak + + Closes https://github.com/curl/curl/issues/2329 + +Daniel Stenberg (23 Feb 2018) +- TODO: remove "sha-256 digest", added in 2b5b37cb9109e7c2 -- [Jonathan Nieder brought this change] +- curl_share_setopt.3: connection cache is shared within multi handles - sasl: allow arbitrarily long username and password +Jay Satiro (22 Feb 2018) +- [Rod Widdowson brought this change] + + winbuild: Use CALL to run batch scripts - Use appropriately sized buffers on the heap instead of fixed-size - buffers on the stack, to allow for longer usernames and passwords. + Co-authored-by: Stefan Kanthak - Callers never pass anything longer than MAX_CURL_USER_LENGTH (resp. - MAX_CURL_PASSWORD_LENGTH), so no functional change inteded yet. + Closes https://github.com/curl/curl/issues/2330 + Closes https://github.com/curl/curl/pull/2331 + +Patrick Monnerat (22 Feb 2018) +- os400: add curl_resolver_start_callback type to ILE/RPG binding + +Daniel Stenberg (22 Feb 2018) +- form.d: rephrased somewhat, added two example command lines -Steve Holme (19 Aug 2013) -- [Alex McLellan brought this change] +Jay Satiro (21 Feb 2018) +- [Francisco Sedano brought this change] - imap: Fixed response check for SEARCH command + url: Add option CURLOPT_RESOLVER_START_FUNCTION + + - Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that + will be called every time before a new resolve request is started + (ie before a host is resolved) with a pointer to backend-specific + resolver data. Currently this is only useful for ares. + + - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to + pass to the resolver start callback. - Adding this line allows libcurl to return the server response when - performing a search command via a custom request. 
+ Closes https://github.com/curl/curl/pull/2311 -Daniel Stenberg (16 Aug 2013) -- glob: error out on range overflow +- lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS - The new multiply() function detects range value overflows. 32bit - machines will overflow on a 32bit boundary while 64bit hosts support - ranges up to the full 64 bit range. + - In keeping with the naming of our other connect timeout options rename + CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS. - Added test 1236 to verify. + This change adds the _MS suffix since the option expects milliseconds. + This is more intuitive for our users since other connect timeout options + that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS, + CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS. - Bug: http://curl.haxx.se/bug/view.cgi?id=1267 - Reported-by: Will Dietz + The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms. + + Follow-up to 2427d94 which added the lib and tool option yesterday. + + Ref: https://github.com/curl/curl/pull/2260 -- urlglob: better detect unclosed braces, empty lists and overflows +Patrick Monnerat (21 Feb 2018) +- sasl: prefer PLAIN mechanism over LOGIN - A rather big overhaul and cleanup. + SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says + PLAIN should be used instead if available. + +Daniel Stenberg (21 Feb 2018) +- RELEASE-NOTES: synced with 2427d94c6 + +Jay Satiro (20 Feb 2018) +- [Anders Bakken brought this change] + + url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT - 1 - curl wouldn't properly detect and reject globbing that ended with an - open brace if there were brackets or braces before it. Like "{}{" or - "[0-1]{" + - Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy + eyeball timeout value. - 2 - curl wouldn't properly reject empty lists so that "{}{}" would - result in curl getting (nil) strings in the output. 
+ - Add new optval macro CURL_HET_DEFAULT to represent the default happy + eyeballs timeout value (currently 200 ms). - 3 - By using strtoul() instead of sscanf() the code will now detected - over and underflows. It now also better parses the step argument to only - accept positive numbers and only step counters that is smaller than the - delta between the maximum and minimum numbers. + - Add new tool option --happy-eyeballs-timeout-ms to expose + CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the + other -timeout options in the tool expect seconds not milliseconds. - 4 - By switching to unsigned longs instead of signed ints for the - counters, the max values for []-ranges are now very large (on 64bit - machines). + Closes https://github.com/curl/curl/pull/2260 + +- hostip: fix 'potentially uninitialized variable' warning - 5 - Bumped the maximum number of globs in a single URL to 100 (from 10) + Follow-up to 50d1b33. - 6 - Simplified the code somewhat and now it stores fixed strings as - single- entry lists. That's also one of the reasons why I did (5) as now - all strings between "globs" will take a slot in the array. + Caught by AppVeyor. + +Daniel Stenberg (20 Feb 2018) +- TODO: warning if curl version is not in sync with libcurl version + +Jay Satiro (20 Feb 2018) +- [Anders Bakken brought this change] + + CURLOPT_RESOLVE: Add support for multiple IP addresses per entry - Added test 1234 and 1235 to verify. Updated test 87. + This enables users to preresolve but still take advantage of happy + eyeballs and trying multiple addresses if some are not connecting. - This commit fixes three separate bug reports. 
+ Ref: https://github.com/curl/curl/pull/2260 + +Daniel Stenberg (20 Feb 2018) +- [Sergio Borghese brought this change] + + examples/sftpuploadresume: resume upload via CURLOPT_APPEND - Bug: http://curl.haxx.se/bug/view.cgi?id=1264 - Bug: http://curl.haxx.se/bug/view.cgi?id=1265 - Bug: http://curl.haxx.se/bug/view.cgi?id=1266 - Reported-by: Will Dietz + URL: https://curl.haxx.se/mail/lib-2018-02/0072.html -- [John Malmberg brought this change] +- curl --version: show PSL if the run-time lib has it enabled + + ... not of the #define was set at build-time! - VMS: Add RELEASE-NOTES to vms document +- TODO: "Support in-memory certs/ca certs/keys" - Add the curl release notes to the release note document generated for - VMS packages. + removed SSLKEYLOGFILE support (fixed) - Add the different filenames generated by a daily build to the - cleanup procedures. + removed "consider SSL patches" (outdated) + + Closes #2310 -- [Tor Arntsen brought this change] +- CURLOPT_HEADER.3: clarify problems with different data sizes - tests 2032, 2033: Don't hardcode port in expected output +- test1556: verify >16KB headers to the header callback -- ftp: convert state names to a global array +- header callback: don't chop headers into smaller pieces - ... just to make them easier to print in debug ouputs while debugging. - They are still within #ifdef [debugbuild]. + Reported-by: Guido Berhoerster + Fixes #2314 + Closes #2316 -- --help: fix the --sasl-ir in the help output +- test1154: verify that long HTTP headers get rejected -- ftp_domore_getsock: when passive mode, the second conn is already there +- http: fix the max header length detection logic + + Previously, it would only check for max length if the existing alloc + buffer was to small to fit it, which often would make the header still + get used. - This makes the socket callback get called with the proper bitmask as - otherwise the application could be left hanging waiting for reading on - an upload connection! 
+ Reported-by: Guido Berhoerster + Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html - Bug: http://curl.haxx.se/mail/lib-2013-08/0043.html - Reported-by: Bill Doyle + Closes #2315 -- curl: make --no-[option] work properly for several options +- CURLOPT_HEADERFUNCTION.3: fix typo from d939226813 - --create-dirs, --crlf, --socks5-gssapi-nec and --sasl-ir + Reported-by: Erik Johansson + Bug: https://github.com/curl/curl/commit/d9392268131c1b8d18dec3fa30e0bded833a5db7#commitcomment-27607495 -Kamil Dudka (12 Aug 2013) -- nss: make sure that NSS is initialized +- CURLOPT_HEADERFUNCTION.3: mention folded headers + +- TODO: 1.1 Option to refuse usernames in URLs - ... prior to calling PK11_GenerateRandom() + Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas. + +- TODO: 1.7 Support HTTP/2 for HTTP(S) proxies -Daniel Stenberg (12 Aug 2013) -- multi: s/easy/data +- ssh: add two missing state names + + The list of state names (used in debug builds) was out of sync in + relation to the list of states (used in all builds). + + I now added an assert to make sure the sizes of the two lists match, to + aid in detecting this mistake better in the future. + + Regression since c92d2e14cf, shipped in 7.58.0. + + Reported-by: Somnath Kundu - With everything being struct SessionHandle pointers now, this rename - makes multi.c use the library-wide practise of calling that pointer - 'data' instead of the previously used 'easy'. + Fixes #2312 + Closes #2313 -- cleanup: removed one function, made one static +- Revert "KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy" - Moved Curl_easy_addmulti() from easy.c to multi.c, renamed it to - easy_addmulti and made it static. + This reverts commit de9fac00c40db321d44fa6fbab6eb62ec4c83998. - Removed Curl_easy_initHandleData() and uses of it since it was emptied - in commit cdda92ab67b47d74a. 
+ Reported-by: Jay Satiro -- SessionHandle: the protocol specific pointer is now a void * +Jay Satiro (15 Feb 2018) +- non-ascii: fix implicit declaration warning - All protocol handler structs are now opaque (void *) in the - SessionHandle struct and moved in the request-specific sub-struct - 'SingleRequest'. The intension is to keep the protocol specific - knowledge in their own dedicated source files [protocol].c etc. + Follow-up to b46cfbc. - There's some "leakage" where this policy is violated, to be addressed at - a later point in time. + Caught by Travis CI. -- urldata: clean up the use of the protocol specific structs +Daniel Stenberg (15 Feb 2018) +- travis: add build with iconv enabled - 1 - always allocate the struct in protocol->setup_connection. Some - protocol handlers had to get this function added. + ... to verify it builds and works fine. - 2 - always free at the end of a request. This is also an attempt to keep - less memory in the handle after it is completed. + Ref: https://curl.haxx.se/mail/lib-2017-09/0031.html + + Closes #1872 -- version number: bump to 7.32.1 for now +- TODO: 18.18 retry on network is unreachable - Start working on the next version and up some counters. + Closes #1603 -Version 7.32.0 (11 Aug 2013) +- KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy + + Closes #1254 -Daniel Stenberg (11 Aug 2013) -- THANKS: added contributors from the 7.32.0 release notes +Kamil Dudka (15 Feb 2018) +- nss: use PK11_CreateManagedGenericObject() if available + + ... so that the memory allocated by applications using libcurl does not + grow per each TLS connection. 
+ + Bug: https://bugzilla.redhat.com/1510247 + + Closes #2297 -- [Fabian Keil brought this change] +Daniel Stenberg (15 Feb 2018) +- [Björn Stenberg brought this change] - test1228: add 'HTTP proxy' to the keywords + TODO fixed: Detect when called from within callbacks + + Closes #2302 -- [Fabian Keil brought this change] +- BINDINGS: fix curb link (and remove ruby-curl-multi) + + Reported-by: Klaus Stein - tests: add keywords for a couple of FILE tests +- curl_gssapi: make sure this file too uses our *printf() -- [Fabian Keil brought this change] +- libcurl-security.3: separate file:// section + + ... just to make it more apparent. Even if it repeats + some pieces of information. - tests: add 'FAILURE' keywords to tests 1409 and 1410 +- libcurl-security.3: the http://192.168.0.1/my_router_config case + + Mentioned-By: Rich Moore -- [Fabian Keil brought this change] +- libcurl-security.3: mention the URL standards problems too - tests: add keywords for a couple of HTTP tests +- libcurl-security.3: split out from libcurl-tutorial.3 + + To make more accessible. + + Merged in some new language from "URLs are dangerous things" as discussed on + the mailing list a few days ago: + + Bug: https://curl.haxx.se/mail/lib-2018-02/0013.html -- [Fabian Keil brought this change] +- RELEASE-NOTES: synced with e551910f8 - tests: add keywords for a couple of FTP tests +Patrick Monnerat (13 Feb 2018) +- tests: new tests for http raw mode + + Test 319 checks proper raw mode data with non-chunked gzip + transfer-encoded server data. + Test 326 checks raw mode with chunked server data. 
+ + Bug: #2303 + Closes #2308 -- [Fabian Keil brought this change] +Kamil Dudka (12 Feb 2018) +- tlsauthtype.d: works only if libcurl is built with TLS-SRP support + + Bug: https://bugzilla.redhat.com/1542256 + + Closes #2306 - test1511: consistently terminate headers with CRLF +Patrick Monnerat (12 Feb 2018) +- smtp: fix processing of initial dot in data + + RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command + should be taken into account when chasing the <CRLF>.<CRLF> end marker. + Thus a leading dot character in data is also subject to escaping. + + Tests 911 and test server are adapted to this situation. + New tests 951 and 952 check proper handling of initial dot in data. + + Closes #2304 + +Daniel Stenberg (12 Feb 2018) +- sha256: avoid redefine -- DISABLED: shut of test 1512 for now +- [Douglas Mencken brought this change] + + sha256: build with OpenSSL < 0.9.8 too + + support for SHA-2 was introduced in OpenSSL 0.9.8 - It shows intermittent failures and I haven't been able to track them - down yet. Disable this test for now. + Closes #2305 -- curl_multi_add_handle.3: ... that timer callback is for event-based +- [Bruno Grasselli brought this change] -- comments: remove old and wrong multi/easy interface statements + README: language fix + + s/off/from + + Closes #2300 -- curl_multi_add_handle.3: mention the CURLMOPT_TIMERFUNCTION use +Patrick Monnerat (12 Feb 2018) +- http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING on + + Bug: #2303 + Reported-By: Henry Roeland -- [John E. Malmberg brought this change] +Daniel Stenberg (9 Feb 2018) +- get_posix_time: only check for overflows if they can happen! 
- KNOWN_BUGS: 22 and 57 have been fixed and committed +Michael Kaufmann (9 Feb 2018) +- schannel: fix "no previous prototype" compiler warning -- RELEASE-NOTES: synced with d20def20462e7 +Jay Satiro (9 Feb 2018) +- [Mohammad AlSaleh brought this change] -- global dns cache: fix memory leak + content_encoding: Add "none" alias to "identity" - The take down of the global dns cache didn't take CURLOPT_RESOLVE names - into account. - -- global dns cache: didn't work [regression] + Some servers return a "content-encoding" header with a non-standard + "none" value. - CURLOPT_DNS_USE_GLOBAL_CACHE broke in commit c43127414d89ccb (been - broken since the libcurl 7.29.0 release). While this option has been - documented as deprecated for almost a decade and nobody even reported - this bug, it should remain functional. + Add "none" as an alias to "identity" as a work-around, to avoid + unrecognised content encoding type errors. - Added test case 1512 to verify + 
Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com> + + Closes https://github.com/curl/curl/pull/2298 + +Steve Holme (8 Feb 2018) +- build-openssl.bat: Follow up to 648679ab8e to suppress copy/move output -Yang Tse (8 Aug 2013) -- [John Malmberg brought this change] +- build-openssl.bat: Fixed incorrect move if destination build folder exists - packages/vms: update VMS build files +Michael Kaufmann (8 Feb 2018) +- schannel: fix compiler warnings - VMS modified files either missing from a previous commit and changes - to remove references to CVS repositories. + Closes #2296 -Daniel Stenberg (8 Aug 2013) -- FTP: renamed several local functions +Steve Holme (7 Feb 2018) +- curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows - The previous naming scheme ftp_state_post_XXXX() wasn't really helpful - as it wasn't always immediately after 'xxxx' and it wasn't easy to - understand what it does based on such a name. + Windows 10.0.17061 SDK introduces support for Unix Domain Sockets. + Added the necessary include file to curl_addrinfo.c. - This new one is instead ftp_state_yyyy() where yyyy describes what it - does or sends. + Note: The SDK (which is considered beta) has to be installed, VS 2017 + project file has to be re-targeted for Windows 10.0.17061 and #define + enabled in config-win32.h. -- mk-ca-bundle.1: don't install on make install - - Since the mk-ca-bundle tool itself isn't installed with make install, - there's no point in installing its documentation. 
+Patrick Monnerat (7 Feb 2018) +- fnmatch: optimize processing of consecutive *s and ?s pattern characters - Bug: http://curl.haxx.se/mail/lib-2013-08/0057.html - Reported-by: Guenter Knauf + Reported-By: Daniel Stenberg + Fixes #2291 + Closes #2293 -Yang Tse (7 Aug 2013) -- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST +Steve Holme (6 Feb 2018) +- build-openssl.bat/build-wolfssl.bat: Build platform is optional + + Whilst the compiler parameter is mandatory, platform is optional as it + is automatically calculated by the :configure section. + + This partially reverts commit 6d62d2c55d. -- [John Malmberg brought this change] +Daniel Stenberg (6 Feb 2018) +- [Patrick Schlangen brought this change] - Building_vms_pcsi_kit + openssl: Don't add verify locations when verifypeer==0 - These are the files needed to build VMS distribution packages known as - PCSI kits. + When peer verification is disabled, calling + SSL_CTX_load_verify_locations is not necessary. Only call it when + verification is enabled to save resources and increase performance. - Also minor update to the existing files, mainly to the documentation and - file clean up code. + Closes #2290 -Daniel Stenberg (6 Aug 2013) -- LIBCURL-STRUCTS: new document +Steve Holme (5 Feb 2018) +- build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional - This is the first version of this new document, detailing the seven - perhaps most important internal structs in libcurl source code: - - 1.1 SessionHandle - 1.2 connectdata - 1.3 Curl_multi - 1.4 Curl_handler - 1.5 conncache - 1.6 Curl_share - 1.7 CookieInfo + ...and not just the Community Edition. -- CONTRIBUTE: minor language polish +- build-openssl.bat: Extend VC15 support to include Enterprise and Professional + + ...and not just the Community Edition. 
-- FTP: when EPSV gets a 229 but fails to connect, retry with PASV +Michael Kaufmann (5 Feb 2018) +- time-cond: fix reading the file modification time on Windows - This is a regression as this logic used to work. It isn't clear when it - broke, but I'm assuming in 7.28.0 when we went all-multi internally. + On Windows, stat() may adjust the unix file time by a daylight saving time + offset. Avoid this by calling GetFileTime() instead. - This likely never worked with the multi interface. As the failed - connection is detected once the multi state has reached DO_MORE, the - Curl_do_more() function was now expanded somewhat so that the - ftp_do_more() function can request to go "back" to the previous state - when it makes another attempt - using PASV. + Fixes #2164 + Closes #2204 + +Daniel Stenberg (5 Feb 2018) +- formdata: use the mime-content type function - Added test case 1233 to verify this fix. It has the little issue that it - assumes no service is listening/accepting connections on port 1... + Reduce code duplication by making Curl_mime_contenttype available and + used by the formdata function. This also makes the formdata function + recognize a set of more file extensions by default. - Reported-by: byte_bucket in the #curl IRC channel - -Nick Zitzmann (5 Aug 2013) -- md5: remove use of CommonCrypto-to-OpenSSL macros for the benefit of Leopard + PR #2280 brought this to my attention. - For some reason, OS X 10.5's GCC suddenly stopped working correctly with - macros that change MD5_Init etc. in the code to CC_MD5_Init etc., so I - worked around this by removing use of the macros and inserting static - functions that just call CommonCrypto's implementations of the functions - instead. + Closes #2282 -Guenter Knauf (5 Aug 2013) -- Simplify check for trusted certificates. +- getdate: return -1 for out of range - This changes the previous check for untrusted certs to a check for - certs explicitely marked as trusted. 
- The change is backward-compatible (tested with certdata.txt v1.80). - -Daniel Stenberg (5 Aug 2013) -- configure: warn on bad env variable use, don't error + ...as that's how the function is documented to work. + + Reported-by: Michael Kaufmann + Bug found in an autobuild with 32 bit time_t - Use XC_CHECK_BUILD_FLAGS instead XC_CHECK_USER_FLAGS. + Closes #2278 + +- [Ben Greear brought this change] -- Revert "configure: don't error out on variable confusions, just warn" + build: fix termios issue on android cross-compile - This reverts commit 6b27703b5f525eccdc0a8409f51de8595c75132a. + Bug: https://curl.haxx.se/mail/lib-2018-01/0122.html + 
Signed-off-by: Ben Greear <greearb@candelatech.com> -- formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used +- time_t-fixes: remove typecasts to 'long' for info.filetime - The internal function that's used to detect known file extensions for - the default Content-Type got the the wrong pointer passed in when - CURLFORM_BUFFER + CURLFORM_BUFFERPTR were used. This had the effect that - strlen() would be used which could lead to an out-of-bounds read (and - thus segfault). In most cases it would only lead to it not finding or - using the correct default content-type. + They're now wrong. - It also showed that test 554 and test 587 were testing for the - previous/wrong behavior and now they're updated as well. + Reported-by: Michael Kaufmann - Bug: http://curl.haxx.se/bug/view.cgi?id=1262 - Reported-by: Konstantin Isakov + Closes #2277 -Guenter Knauf (4 Aug 2013) -- Skip more untrusted certificates. +- curl_setup: move the precautionary define of SIZEOF_TIME_T - Christian Heimes brought to our attention that the certdata.txt - format has recently changed [1], causing ca-bundle.crt created - with mk-ca-bundle.[pl|vbs] to include untrusted certs. + ... up to before it may be used for the TIME_T_MAX/MIN logic. - [1] http://lists.debian.org/debian-release/2012/11/msg00411.html - -Daniel Stenberg (4 Aug 2013) -- configure: don't error out on variable confusions, just warn + Reported-by: Michael Kaufmann -- configure: rephrase the notice in _XC_CHECK_VAR_* +- parsedate: s/#if/#ifdef - Instead of claiming it is an error, we call it a "note" to reduce the - severity level. But the following text now says the [variable] "*should* - only be used to specify"... instead of previously having said "may". 
+ Reported-by: Michael Kaufmann + Bug: https://github.com/curl/curl/commit/1c39128d974666107fc6d9ea15f294036851f224#commitcomment-27246479 -- multi: remove data->state.current_conn struct field +Patrick Monnerat (31 Jan 2018) +- fnmatch: pattern syntax can no longer fail + + Whenever an expected pattern syntax rule cannot be matched, the + character starting the rule loses its special meaning and the parsing + is resumed: + - backslash at the end of pattern string matches itself. + - Error in [:keyword:] results in set containing :\[dekorwy. + + Unit test 1307 updated for this new situation. - Not needed + Closes #2273 -- multi: remove the one_easy struct field +- fnmatch: accept an alphanum to be followed by a non-alphanum in char set - Since the merge of SessionHandle with Curl_one_easy, this indirection - isn't used anymore. + Also be more tolerant about set pattern syntax. + Update unit test 1307 accordingly. + + Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html -- multi: rename all Curl_one_easy to SessionHandle +- fnmatch: do not match the empty string with a character set -- multi: remove the multi_pos struct field +Jay Satiro (30 Jan 2018) +- build: fix windows build methods for curl_ctype.c - Since Curl_one_easy is really a SessionHandle now, this indirection - doesn't exist anymore. - -- multi: remove easy_handle struct field + - Fix winbuild and the VS project generator to treat curl_ctype.{c,h} as + curlx files since they are required by both src and lib. - It isn't needed anymore + Follow-up to 4272a0b which added curl_ctype. -- multi: remove 'Curl_one_easy' struct, phase 1 +Daniel Stenberg (30 Jan 2018) +- progress-bar.d: update to match implementation - The motivation for having a separate struct that keep track of an easy - handle when using the multi handle was removed when we switched to - always using the multi interface internally. Now they were just two - separate struct that was always allocated for each easy handle. + ... 
since commit 993dd5651a6 - This first step just moves the Curl_one_easy struct members into the - SessionHandle struct and hides this somehow (== keeps the source code - changes to a minimum) by defining Curl_one_easy to SessionHandle + Reported-by: Martin Dreher + Bug: https://github.com/curl/curl/pull/2242#issuecomment-361059228 - The biggest changes in this commit are: + Closes #2271 + +- http2: set DEBUG_HTTP2 to enable more HTTP/2 logging - 1 - the linked list of easy handles had to be changed somewhat due - to the new struct layout. This made the main linked list pointer - get renamed to 'easyp' and there's also a new pointer to the last - node, called easylp. It is no longer circular but ends with ->next - pointing to NULL. New nodes are still added last. + ... instead of doing it unconditionally in debug builds. It cluttered up + the output a little too much. + +- [Max Dymond brought this change] + + file: Check the return code from Curl_range and bail out on error + +- [Max Dymond brought this change] + + Curl_range: add check to ensure "from <= to" + +- [Max Dymond brought this change] + + Curl_range: commonize FTP and FILE range handling - 2 - easy->state is now called easy->mstate to avoid name collision + Closes #2205 -Steve Holme (2 Aug 2013) -- Revert "DOCS: Added IMAP URL example for listing new messages" +- RELEASE-NOTES: synced with 811beab9f + +- curlver: next release will be 7.59.0 + +- [Michał Janiszewski brought this change] + + curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6 + + Closes #2275 + +- time: support > year 2038 time stamps for system with 32bit long + + ... with the introduction of CURLOPT_TIMEVALUE_LARGE and + CURLINFO_FILETIME_T. - This reverts commit 82ab5f1b0c7c3f as this was the wrong place to - document the complexity of IMAP URLs and Custom Requests. 
+ Fixes #2238 + Closes #2264 -- DOCS: Added IMAP URL example for listing new messages +- curl_easy_reset: clear digest auth state - In addition to listing the folder contents, in the URL examples, added - an example to list the new messages waiting in the user's inbox. + Bug: https://curl.haxx.se/mail/lib-2018-01/0074.html + Reported-by: Ruurd Beerstra + Fixes #2255 + Closes #2272 -Yang Tse (1 Aug 2013) -- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST +- [Adam Marcionek brought this change] -- [John Malmberg brought this change] + winbuild: make linker generate proper PDB + + Link.exe requires /DEBUG to properly generate a full pdb file on release + builds. + + Closes #2274 - Add in the files needed to build libcurl shared images on VMS. +- curl: add --proxy-pinnedpubkey - Update the packages/vms/readme file to be current. + To verify a proxy's public key. For when using HTTPS proxies. - Also some files for the GNV based build were either missing or needed an - update. + Fixes #2192 + Closes #2268 + +- configure: set PATH_SEPARATOR to colon for PATH w/o separator - curl_crtl_init.c is a special file that is run before main() to - set up the proper C runtime behavior. + The logic tries to figure out what the path separator in the $PATH + variable is, but if there's only one directory in the $PATH it + fails. This change make configure *guess* on colon instead of erroring + out, simply because that is probably the more common character. - generate_vax_transfer.com generates the VAX transfer vector modules from - the gnv_libcurl_symbols.opt file. + PATH_SEPARATOR can always be set by the user to override the guessing. - gnv_conftest.c_first is a helper file needed for configure scripts to - come up with the expected answers on VMS. + (tricky bug to reproduce, as in my case for example the configure script + requires binaries in more than one directory so passing in a PATH with a + single dir fails.) 
- gnv_libcurl_symbols.opt is the public symbols for the libcurl shared - image. + Reported-by: Earnestly on github + Fixes #2202 + Closes #2265 + +- curl_ctype: private is*() type macros and functions - gnv_link_curl.com builds the shared libcurl image and rebuilds other - programs to use it. + ... since the libc provided one are locale dependent in a way we don't + want. Also, the "native" isalnum() (for example) works differently on + different platforms which caused test 1307 failures on macos only. - macro32_exactcase.patch is a hack to make a local copy of the VMS Macro32 - assembler case sensitive, which is needed to build the VAX transfer modules. + Closes #2269 + +Marcel Raad (29 Jan 2018) +- build: open VC15 projects with VS 2017 - report_openssl_version.c is a tool for help verify that the libcurl - shared image is being built for a minium version of openssl. + Previously, they were opened with Visual Studio 2015 by default, which + cannot build them. -- curl: second follow-up for commit 5af2bfb9 +Daniel Stenberg (29 Jan 2018) +- RELEASE-NOTES: synced with 094647fca + +- TODO: UTF-8 filenames in Content-Disposition - Display progress-bar unconditionally on first call + Closes #1888 -- curl: follow-up for commit 5af2bfb9 +- KNOWN_BUGS: DICT responses show the underlying protocol - Use tvnow() and tvdiff() to avoid introducing new linkage issues + Closes #1809 -Daniel Stenberg (31 Jul 2013) -- curl: --progress-bar max update frequency now at 5Hz +Jay Satiro (27 Jan 2018) +- [Alessandro Ghedini brought this change] -- curl: make --progress-bar update the line less frequently + docs: fix typos in man pages - Also, use memset() instead of a lame loop. 
+ Closes https://github.com/curl/curl/pull/2266 + +Patrick Monnerat (26 Jan 2018) +- lib555: drop text conversion and encode data as ascii codes - The previous logic that tried to avoid too many updates were very - ineffective for really fast transfers, as then it could easily end up - doing hundreds of updates per second that would make a significant - impact in transfer performance! + If CURL_DOES_CONVERSION is enabled, uploaded LFs are mapped to CRLFs, + giving a result that is different from what is expected. + This commit avoids using CURLOPT_TRANSFERTEXT and directly encodes data + to upload in ascii. - Bug: http://curl.haxx.se/mail/archive-2013-07/0031.html - Reported-by: Marc Doughty + Bug: https://github.com/curl/curl/pull/1872 -Nick Zitzmann (30 Jul 2013) -- darwinssl: added LFs to some strings passed into infof() +Daniel Stenberg (26 Jan 2018) +- lib517: make variable static to avoid compiler warning - (This doesn't need to appear in the release notes.) I noticed a few places - where infof() was called, and there should've been an LF at the end of the - string, but there wasn't. + ... with clang on macos -- darwinssl: fix build error in crypto authentication under Snow Leopard +Patrick Monnerat (26 Jan 2018) +- lib544: sync ascii code data with textual data - It turns out Snow Leopard not only has SecItemCopyMatching() defined in - a header not included by the omnibus header, but it won't work for our - purposes, because searching for SecIdentityRef objects wasn't added - to that API until Lion. So we now use the old SecKeychainSearch API - instead if the user is building under, or running under, Snow Leopard. + Data mismatch caused test 545 to fail when character encoding + conversion is enabled. 
- Bug: http://sourceforge.net/p/curl/bugs/1255/ - Reported by: Edward Rudd + Bug: https://github.com/curl/curl/pull/1872 + +Daniel Stenberg (25 Jan 2018) +- [Travis Burtrum brought this change] -- md5 & metalink: use better build macros on Apple operating systems + GSKit: restore pinnedpubkey functionality - Previously we used __MAC_10_X and __IPHONE_X to mark digest-generating - code that was specific to OS X and iOS. Now we use - __MAC_OS_X_VERSION_MAX_ALLOWED and __IPHONE_OS_VERSION_MAX_ALLOWED - instead of those macros. + inadvertently removed in 283babfaf8d8f3bab9d3c63cea94eb0b84e79c37 - Bug: http://sourceforge.net/p/curl/bugs/1255/ - Reported by: Edward Rudd + Closes #2263 -Yang Tse (29 Jul 2013) -- tool_operhlp.c: fix add_file_name_to_url() OOM handling +- [Dair Grant brought this change] -- tool_operate.c: fix brace placement for vi/emacs delimiter matching - -- tool_operate.c: move <fabdef.h> header inclusion location + darwinssl: Don't import client certificates into Keychain on macOS + + Closes #2085 -Daniel Stenberg (29 Jul 2013) -- RELEASE-NOTES: synced with b5478a0e033e7 +- configure: fix the check for unsigned time_t + + Assign the time_t variable negative value and then check if it is + greater than zero, which will evaluate true for unsigned time_t but + false for signed time_t. -- curl_easy_pause: on unpause, trigger mulit-socket handling +- parsedate: fix date parsing for systems with 32 bit long + + Make curl_getdate() handle dates before 1970 as well (returning negative + values). + + Make test 517 test dates for 64 bit time_t. - When the multi-socket API is used, we need the handle to be checked - again when it gets unpaused. + This fixes bug (3) mentioned in #2238 - Bug: http://curl.haxx.se/mail/lib-2013-07/0239.html - Reported-by: Justin Karneges + Closes #2250 -- [John E. 
Malmberg brought this change] +- [McDonough, Tim brought this change] - curl_formadd: fix file upload on VMS + openssl: fix pinned public key build error in FIPS mode - For the standard VMS text file formats, VMS needs to read the file to - get the actual file size. + Here is a version that should work with all versions of openssl 0.9.7 + through 1.1.0. - For the standard VMS binary file formats, VMS needs a special format of - fopen() call so that it stops reading at the logical end of file instead - of at the end of the blocks allocated to the file. + Links to the docs: + https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html + https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html - I structured the patch this way as I was not sure about changing the - structures or parameters to the routines, but would prefer to only call - the stat() function once and pass the information to where the fopen() - call is made. - - Bug: https://sourceforge.net/p/curl/bugs/758/ - -- formadd: CURLFORM_FILECONTENT wrongly rejected some option combos + At the very bottom of the 1.1.0 documentation there is a history section + that states, " stack allocated EVP_MD_CTXs are no longer supported." - The code for CURLFORM_FILECONTENT had its check for duplicate options - wrong so that it would reject CURLFORM_PTRNAME if used in combination - with it (but not CURLFORM_COPYNAME)! The flags field used for this - purpose cannot be interpreted that broadly. + If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a + simple mapping can be used as described here: + https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes - Bug: http://curl.haxx.se/mail/lib-2013-07/0258.html - Reported-by: Byrial Jensen + Closes #2258 -Yang Tse (25 Jul 2013) -- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST +- [Travis Burtrum brought this change] -- [John E. 
Malmberg brought this change] + SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5sum - VMS: intial set of files to allow building using GNV toolkit. +- [Travis Burtrum brought this change] -- string formatting: fix too many arguments for format + SChannel/WinSSL: Implement public key pinning + + Closes #1429 -- string formatting: fix zero-length printf format string +- bump: towards 7.58.1 -- easy.c: curl_easy_getinfo() fix va_start/va_end matching +- cookies: remove verbose "cookie size:" output + + It was once used for some debugging/verifying logic but should never have + ended up in git! -- imap.c: imap_sendf() fix va_start/va_end matching +- TODO: hardcode the "localhost" addresses -- string formatting: fix 15+ printf-style format strings +- TODO: CURL_REFUSE_CLEARTEXT + + An idea that popped up in discussions on twitter. -Patrick Monnerat (24 Jul 2013) -- OS400: sync ILE/RPG binding with current curl.h +- progress-bar: don't use stderr explicitly, use bar->out + + Reported-By: Gisle Vanem + Bug: https://github.com/curl/curl/commit/993dd5651a6c853bfe3870f6a69c7b329fa4e8ce#commitcomment-27070080 -Yang Tse (24 Jul 2013) -- string formatting: fix 25+ printf-style format strings +GitHub (24 Jan 2018) +- [Gisle Vanem brought this change] -Daniel Stenberg (23 Jul 2013) -- Makefile.am: use LDFLAGS as well when linking libcurl + Fixes for MSDOS etc. + + djgpp do have 'mkdir(dir, mode)'. Other DOS-compilers does not + But djgpp seems the only choice for MSDOS anyway. - Linking on Solaris 10 x86 with Sun Studio 12 failed when we upgraded - automake for the release builds. + PellesC do have a 'F_OK' defined in it's <unistd.h>. - Bug: http://curl.haxx.se/bug/view.cgi?id=1217 - Reported-by: Dagobert Michelsen + Update year in Copyright. -- [Fabian Keil brought this change] +- [Gisle Vanem brought this change] - url.c: Fix dot file path cleanup when using an HTTP proxy - - Previously the path was cleaned, but the URL wasn't properly updated. + Fix small typo. 
-- [Fabian Keil brought this change] +Version 7.58.0 (23 Jan 2018) - tests: test1232 verifies dotdot removal from path with proxy +Daniel Stenberg (23 Jan 2018) +- RELEASE: 7.58.0 -- [Fabian Keil brought this change] +- [Gisle Vanem brought this change] - dotdot.c: Fix a RFC section number in a comment for Curl_dedotdotify() + progress-bar: get screen width on windows -- [John E. Malmberg brought this change] +- test1454: --connect-to with IPv6 address w/o IPv6 support! - build_vms.com: fix debug and float options +- CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support - In the reorganization of the build_vms.com the debug and float options - were not fixed up correctly. + Bug: https://curl.haxx.se/mail/lib-2018-01/0087.html + Reported-by: John Hascall + + Closes #2257 -- [John E. Malmberg brought this change] +- docs: fix man page syntax to make test 1140 OK again - curl: fix upload of a zip file in OpenVMS +- http: prevent custom Authorization headers in redirects - Two fixes: + ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how + curl already handles Authorization headers created internally. - 1. Force output file format to be stream-lf so that partial downloads - can be continued. + Note: this changes behavior slightly, for the sake of reducing mistakes. - This should have minor impact as if the file does not exist, it was - created with stream-lf format. The only time this was an issue is if - there was already an existing file with a different format. + Added test 317 and 318 to verify. - 2. Fix file uploads are now fixed. + Reported-by: Craig de Stigter + Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html + +- curl: progress bar refresh, get width using ioctl() - a. VMS binary files such as ZIP archives are now uploaded - correctly. + Get screen width from the environment variable COLUMNS first, if set. If + not, use ioctl(). If nether works, assume 79. - b. 
VMS text files are read once to get the correct size - and then converted to line-feed terminated records as - they are read into curl. + Closes #2242 - The default VMS text formats do not contain either line-feed or - carriage-return terminated records. Those delimiters are added by the - operating system file read calls if the application requests them. + The "refresh" is for the -# output when no total transfer size is + known. It will now only use a single updated line even for this case: - Bug: http://curl.haxx.se/bug/view.cgi?id=496 + The "-=O=-" ship moves when data is transferred. The four flying + "hashes" move (on a sine wave) on each refresh, independent of data. -Yang Tse (22 Jul 2013) -- libtest: fix data type of some *_setopt() 'long' arguments +- RELEASE-NOTES: synced with bb0ffcc36 -- curl: fix symbolic names for CURL_NETRC_* enum in --libcurl output +- libcurl-env.3: first take -- curl: fix symbolic names for CURLUSESSL_* enum in --libcurl output +- TODO: two possible name resolver improvements -- tool_operate.c: fix passing curl_easy_setopt long arg on some x64 ABIs - - We no longer pass our 'bool' data type variables nor constants as - an argument to my_setopt(), instead we use proper 1L or 0L values. - - This also fixes macro used to pass string argument for CURLOPT_SSLCERT, - CURLOPT_SSLKEY and CURLOPT_EGDSOCKET using my_setopt_str() instead of - my_setopt(). - - This also casts enum or int argument data types to long when passed to - my_setopt_enum(). +- [Kartik Mahajan brought this change] -Daniel Stenberg (21 Jul 2013) -- curl_multi_wait: fix revents - - Commit 6d30f8ebed34e7276 didn't work properly. 
First, it used the wrong - array index, but this fix also: + http2: don't close connection when single transfer is stopped - 1 - only does the copying if indeed there was any activity + Fixes #2237 + Closes #2249 + +- test558: fix for multissl builds - 2 - makes sure to properly translate between internal and external - bitfields, which are not guaranteed to match + vtls.c:multissl_init() might do a curl_free() call so strip that out to + make this work with more builds. We just want to verify that + memorytracking works so skipping one line is no harm. + +- examples/url2file.c: add missing curl_global_cleanup() call - Reported-by: Evgeny Turnaev + Reported-by: XhstormR on github + Fixes #2245 -- RELEASE-NOTES: synced with d529f3882b9bca +- [Michael Gmelin brought this change] -- curl_easy_perform: gradually increase the delay time + SSH: Fix state machine for ssh-agent authentication - Instead of going 50,100,150 etc millisecond delay time when nothing has - been found to do or wait for, we now start lower and double each loop as - in 4,8,16,32 etc. + In case an identity didn't match[0], the state machine would fail in + state SSH_AUTH_AGENT instead of progressing to the next identity in + ssh-agent. As a result, ssh-agent authentication only worked if the + identity required happened to be the first added to ssh-agent. - This lowers the minimum wait without sacrifizing the longer wait too - much with unnecessary CPU cycles burnt. + This was introduced as part of commit c4eb10e2f06fbd6cc904f1d78e4, which + stated that the "else" statement was required to prevent getting stuck + in state SSH_AUTH_AGENT. Given the state machine's logic and libssh2's + interface I couldn't see how this could happen or reproduce it and I + also couldn't find a more detailed description of the problem which + would explain a test case to reproduce the problem this was supposed to + fix. 
- Bug: http://curl.haxx.se/mail/lib-2013-07/0103.html - Reported-by: Andreas Malzahn - -- ftp_do_more: consider DO_MORE complete when server connects back - - In the case of an active connection when ftp_do_more() detects that the - server has connected back, it must make sure to mark it as complete so - that the multi_runsingle() function will detect this and move on to the - next state. + [0] libssh2_agent_userauth returning LIBSSH2_ERROR_AUTHENTICATION_FAILED - Bug: http://curl.haxx.se/mail/lib-2013-07/0115.html - Reported-by: Clemens Gruber - -Yang Tse (19 Jul 2013) -- Makefile.b32: Borland makefile adjustments. Tested with BCC 5.5.1 - -- WIN32 MemoryTracking: require UNICODE for wide strdup code support + Closes #2248 -Daniel Stenberg (18 Jul 2013) -- CURLOPT_XFERINFOFUNCTION: introducing a new progress callback +- openssl: fix potential memory leak in SSLKEYLOGFILE logic - CURLOPT_XFERINFOFUNCTION is now the preferred progress callback function - and CURLOPT_PROGRESSFUNCTION is considered deprecated. - - This new callback uses pure 'curl_off_t' arguments to pass on full - resolution sizes. It otherwise retains the same characteristics: the - same call rate, the same meanings for the arguments and the return code - is used the same way. - - The progressfunc.c example is updated to show how to use the new - callback for newer libcurls while supporting the older one if built with - an older libcurl or even built with a newer libcurl while running with - an older. + Coverity CID 1427646. -Yang Tse (18 Jul 2013) -- Reinstate "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage". +- openssl: fix the libressl build again - This reverts commit 7ed25cc, reinstating commit 8ec2cb5. + Follow-up to 84fcaa2e7. libressl does not have the API even if it says it is + late OpenSSL version... - As of 18-jul-2013 we still do have code in libcurl that makes use of these - memory functions. Commit 8ec2cb5 comment still applies and is yet valid. 
+ Fixes #2246 + Closes #2247 - These memory functions are solely used in Windows builds, so all related - code is protected with '#ifdef WIN32' preprocessor conditional compilation - directives. + Reported-by: jungle-boogie on github + +- unit1307: test many wildcards too + +- curl_fnmatch: only allow 5 '*' sections in a single pattern - Specifically, wcsdup() _wcsdup() are used when building a Windows target with - UNICODE and USE_WINDOWS_SSPI preprocessor symbols defined. This is the case - when building a Windows UNICODE target with Windows native SSL/TLS support - enabled. + ... to avoid excessive recursive calls. The number 5 is totally + arbitrary and could be modified if someone has a good motivation. + +- ftp-wildcard: fix matching an empty string with "*[^a]" - Realizing that wcsdup() _wcsdup() are used is a bit tricky given that usage - of these is hidden behind _tcsdup() which is MS way of dealing with code - that must tolerate UNICODE and non-UNICODE compilation. Additionally, MS - header files and those compatible from other compilers use this preprocessor - conditional compilation directive in order to select at compilation time - whether 'wide' or 'ansi' MS API functions are used. + .... and avoid advancing the pointer to trigger an out of buffer read. - Without this code, Windows build targets with Windows native SSL/TLS support - enabled and MemoryTracking support enabled misbehave in tracking memory usage, - regardless of being a UNICODE enabled build or not. - -- xc-am-iface.m4: comments refinement + Detected by OSS-fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251 + Assisted-by: Max Dymond -- configure: fix 'subdir-objects' distclean related issue +- SMB: fix numeric constant suffix and variable types - See XC_AMEND_DISTCLEAN comments for details. + 1. don't use "ULL" suffix since unsupported in older MSVC + 2. use curl_off_t instead of custom long long ifdefs + 3. 
make get_posix_time() not do unaligned data access + + Fixes #2211 + Closes #2240 + Reported-by: Chester Liu -Daniel Stenberg (18 Jul 2013) -- [Evgeny Turnaev brought this change] +- [rouzier brought this change] - curl_multi_wait: set revents for extra fds + CURLOPT_TCP_NODELAY.3: fix typo - Pass back the revents that happened for the user-provided file - descriptors. - -- [Ben Greear brought this change] + Closes #2239 - asyn-ares: Don't blank ares servers if none configured. +- smtp/pop3/imap_get_message: decrease the data length too... - Best to just let c-ares use it's defaults if none are configured - in (lib)curl. + Follow-up commit to 615edc1f73 which was incomplete. - 
Signed-off-by: Ben Greear <greearb@candelatech.com> + Assisted-by: Max Dymond + Detected by OSS-fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5206 -- [Sergei Nikulov brought this change] +- openssl: enable SSLKEYLOGFILE support by default + + Fixes #2210 + Closes #2236 - cmake: Fix for MSVC2010 project generation +Patrick Monnerat (14 Jan 2018) +- mime: clone mime tree upon easy handle duplication. - Fixed issue with static build for MSVC2010. + A mime tree attached to an easy handle using CURLOPT_MIMEPOST is + strongly bound to the handle: there is a pointer to the easy handle in + each item of the mime tree and following the parent pointer list + of mime items ends in a dummy part stored within the handle. - After some investigation I've discovered known issue - http://public.kitware.com/Bug/view.php?id=11240 When .rc file is linked - to static lib it fails with following linker error + Because of this binding, a mime tree cannot be shared between different + easy handles, thus it needs to be cloned upon easy handle duplication. - LINK : warning LNK4068: /MACHINE not specified; defaulting to X86 - file.obj : fatal error LNK1112: module machine type 'x64' conflicts with - target machine type 'X86' + There is no way for the caller to get the duplicated mime tree + handle: it is then set to be automatically destroyed upon freeing the + new easy handle. - Fix add target property /MACHINE: for MSVC generation. + New test 654 checks proper mime structure duplication/release. - Also removed old workarounds - it caused errors during msvc build. + Add a warning note in curl_mime_data_cb() documentation about sharing + user data between duplicated handles. 
- Bug: http://curl.haxx.se/mail/lib-2013-07/0046.html + Closes #2235 -- mk-ca-bundle.1: point out certdata.txt format docs +- docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata -Yang Tse (16 Jul 2013) -- slist.c: Curl_slist_append_nodup() OOM handling fix +Daniel Stenberg (13 Jan 2018) +- test395: HTTP with overflow Content-Length value -Daniel Stenberg (16 Jul 2013) -- test1414: FTP PORT download without SIZE support +- test394: verify abort of rubbish in Content-Length: value -Yang Tse (16 Jul 2013) -- tests/Makefile.am: add configurehelp.pm to DISTCLEANFILES +- test393: verify --max-filesize with excessive Content-Length -Patrick Monnerat (15 Jul 2013) -- curl_slist_append(): fix error detection +- HTTP: bail out on negative Content-Length: values + + ... and make the max filesize check trigger if the value is too big. + + Updates test 178. + + Reported-by: Brad Spencer + Fixes #2212 + Closes #2223 -- slist.c: fix indentation +Marcel Raad (13 Jan 2018) +- [Dan Johnson brought this change] -- OS400: new SSL backend GSKit + configure.ac: append extra linker flags instead of prepending them. + + Link order should list libraries after the libraries that use them, + so when we're guessing that we might also need to add -ldl in order + to use -lssl, we should add -ldl after -lssl. + + Closes https://github.com/curl/curl/pull/2234 -- OS400: add slist and certinfo EBCDIC support +Daniel Stenberg (13 Jan 2018) +- RELEASE-NOTES: synced with 6fa10c8fa -- config-os400.h: enable system strdup(), strcmpi(), etc. +Jay Satiro (13 Jan 2018) +- setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values + + Broken since f121575 (precedes 7.56.1). 
+ + Bug: https://github.com/curl/curl/issues/2225 + Reported-by: cmfrolick@users.noreply.github.com + + Closes https://github.com/curl/curl/pull/2227 -- x509asn1.c,x509asn1.h: new module to support ASN.1/X509 parsing & info extract - Use from qssl backend +Patrick Monnerat (13 Jan 2018) +- setopt: reintroduce non-static Curl_vsetopt() for OS400 support + + This also upgrades ILE/RPG bindings with latest setopt options. + + Reported-By: jonrumsey on github + Fixes #2230 + Closes #2233 -- ssluse.c,sslgen.c,sslgen.h: move certinfo support to generic SSL +Jay Satiro (11 Jan 2018) +- [Zhouyihai Ding brought this change] -- Merge branch 'master' of github.com:bagder/curl + http2: fix incorrect trailer buffer size - Merge for resync + Prior to this change the stored byte count of each trailer was + miscalculated and 1 less than required. It appears any trailer + after the first that was passed to Curl_client_write would be truncated + or corrupted as well as the size. Potentially the size of some + subsequent trailer could be erroneously extracted from the contents of + that trailer, and since that size is used by client write an + out-of-bounds read could occur and cause a crash or be otherwise + processed by client write. + + The bug appears to have been born in 0761a51 (precedes 7.49.0). + + Closes https://github.com/curl/curl/pull/2231 -- slist.c, slist.h, cookie.c: new internal procedure Curl_slist_append_nodup() +- [Basuke Suzuki brought this change] -Yang Tse (15 Jul 2013) -- sslgen.c: fix Curl_rand() compiler warning + easy: fix connection ownership in curl_easy_pause - Use simple seeding method upon RANDOM_FILE seeding method failure. - -- sslgen.c: fix unreleased Curl_rand() infinite recursion + Before calling Curl_client_chop_write(), change the owner of connection + to the current Curl_easy handle. This will fix the issue #2217. 
+ + Fixes https://github.com/curl/curl/issues/2217 + Closes https://github.com/curl/curl/pull/2221 -Daniel Stenberg (14 Jul 2013) -- [Dave Reisner brought this change] +Daniel Stenberg (9 Jan 2018) +- [Dimitrios Apostolou brought this change] - src/tool: allow timeouts to accept decimal values + system.h: Additionally check __LONG_MAX__ for defining curl_off_t - Implement wrappers around strtod to convert the user argument to a - double with sane error checking. Use this to allow --max-time and - --connect-timeout to accept decimal values instead of strictly integers. + __SIZEOF_LONG__ was introduced in GCC 4.4, __LONG_MAX__ was introduced + in GCC 3.3. - The manpage is updated to make mention of this feature and, - additionally, forewarn that the actual timeout of the operation can - vary in its precision (particularly as the value increases in its - decimal precision). + Closes #2216 -- [Dave Reisner brought this change] +- COPYING: it's 2018! - curl.1: fix long line, found by checksrc.pl - -- [Dave Reisner brought this change] +- progress: calculate transfer speed on milliseconds if possible + + to increase accuracy for quick transfers + + Fixes #2200 + Closes #2206 - src/tool_paramhlp: try harder to catch negatives +Jay Satiro (7 Jan 2018) +- scripts: allow all perl scripts to be run directly + + - Enable execute permission (chmod +x) - strto* functions happily chomp off leading whitespace, so simply - checking for str[0] can lead to false negatives. Do the full parse and - check the out value instead. + - Change interpreter to /usr/bin/env perl + + Closes https://github.com/curl/curl/pull/2222 -- [John E. 
Malmberg brought this change] +- mail-rcpt.d: fix short-text description - build_vms.com: detect and use zlib shared image +- build: remove HAVE_LIMITS_H check - Update the build_vms.com to detect and use zlib shared image installed - by the ZLIB kit produced by Jean-Francois Pieronne, and the also the - future ZLIB 1.2.8 kit in addition to the older ZLIB kits. + .. because limits.h presence isn't optional, it's required by C89. - Also fix the indentation to match one of the common standards used for - VMS DCL command files and removed the hard tab characters. + Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2 - Tested on OpenVMS 8.4 Alpha and IA64, and OpenVMS 7.3 VAX. + Closes https://github.com/curl/curl/pull/2215 -Yang Tse (14 Jul 2013) -- url.c: fix parse_url_login() OOM handling +- openssl: fix memory leak of SSLKEYLOGFILE filename + + - Free the copy of SSLKEYLOGFILE env returned by curl_getenv during ossl + initialization. + + Caught by ASAN. -- http_digest.c: SIGSEGV and OOM handling fixes +- Revert "curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX" + + This reverts commit c97648b55080343bb371522bf4233e94a2a13a99. + + SIZEOF_LONG should not be checked in system.h since that macro is only + defined when building libcurl. + + Ref: https://github.com/curl/curl/pull/2186#issuecomment-354767080 + Ref: https://gcc.gnu.org/onlinedocs/cpp/Common-Predefined-Macros.html -- url.c: fix parse_login_details() OOM handling +Michael Kaufmann (30 Dec 2017) +- test1554: improve the error handling -- [John E. Malmberg brought this change] +- test1554: add global initialization and cleanup - setup-vms.h: sk_pop symbol tweak +Daniel Stenberg (29 Dec 2017) +- curl_version_info.3: call the argument 'age' - Newer versions of curl are referencing a sk_pop symbol while the HP - OpenSSL library has the symbol in uppercase only. 
- -- getinfo.c: fix enumerated type mixed with another type + Reported-by: Pete Lomax + Bug: https://curl.haxx.se/mail/lib-2017-12/0074.html -- test 1511: fix enumerated type mixed with another type +Patrick Monnerat (27 Dec 2017) +- [Mikalai Ananenka brought this change] -- url.c: fix SIGSEGV + brotli: data at the end of content can be lost + + Decoding loop implementation did not concern the case when all + received data is consumed by Brotli decoder and the size of decoded + data internally hold by Brotli decoder is greater than CURL_MAX_WRITE_SIZE. + For content with unencoded length greater than CURL_MAX_WRITE_SIZE this + can result in the loss of data at the end of content. + + Closes #2194 -- dotdot.c: fix global declaration shadowing +Jay Satiro (26 Dec 2017) +- examples/cacertinmem: ignore cert-already-exists error + + - Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE errors in the CTX callback + since it's possible the cert may have already been loaded by libcurl. + + - Remove the EXAMPLE code in the CURLOPT_SSL_CTX_FUNCTION.3 doc. + Instead have it direct the reader to this cacertinmem.c example. + + - Fix the CA certificate to use the right CA for example.com, Digicert. + + Bug: https://curl.haxx.se/mail/lib-2017-12/0057.html + Reported-by: Thomas van Hesteren + + Closes https://github.com/curl/curl/pull/2182 -- easy.c: fix global declaration shadowing +- [Gisle Vanem brought this change] -Kamil Dudka (9 Jul 2013) -- Revert "curl.1: document the --time-cond option in the man page" + tool_getparam: Support size modifiers for --max-filesize + + - Move the size modifier detection code from limit-rate to its own + function so that it can also be used with max-filesize. + + Size modifiers are the suffixes such as G (gigabyte), M (megabyte) etc. + + For example --max-filesize 1G - This reverts commit 3a0e931fc715a80004958794a96b12cf90503f99 because - the documentation of --time-cond was duplicated by mistake. 
+ Ref: https://curl.haxx.se/mail/archive-2017-12/0000.html - Reported by: Dave Reisner + Closes https://github.com/curl/curl/pull/2179 -- curl.1: document the --sasl-ir option in the man page +Steve Holme (22 Dec 2017) +- build: Fixed incorrect script termination from commit ad1dc10e61 -- curl.1: document the --post303 option in the man page +- Makefile.vc: Added our standard copyright header -- curl.1: document the --time-cond option in the man page +- winbuild: Added support for VC15 -Yang Tse (9 Jul 2013) -- configure: automake 1.14 compatibility tweak (use XC_AUTOMAKE) +- build: Added Visual Studio 2017 project files -- xc-am-iface.m4: provide XC_AUTOMAKE macro +- build-wolfssl.bat: Added support for VC15 -Guenter Knauf (8 Jul 2013) -- Added winssl-zlib target to VC builds. +- build-openssl.bat: Added support for VC15 -- Synced Makefile.vc6 with recent changes. +Jay Satiro (22 Dec 2017) +- [Dimitrios Apostolou brought this change] + + curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX - Issue posted to the list by malinowsky AT FTW DOT at. + Closes https://github.com/curl/curl/pull/2186 -- Added libmetalink URL; added Android versions. +- [Mattias Fornander brought this change] -Dan Fandrich (3 Jul 2013) -- examples: Moved usercertinmem.c to COMPLICATED_EXAMPLES + examples/rtsp: fix error handling macros - This prevents it from being built during a "make check" since it - depends on OpenSSL. + Closes https://github.com/curl/curl/pull/2185 -Nick Zitzmann (2 Jul 2013) -- Merge branch 'master' of https://github.com/bagder/curl +Patrick Monnerat (20 Dec 2017) +- curl_easy_reset: release mime-related data. + + Move curl_mime_initpart() and curl_mime_cleanpart() calls to lower-level + functions dealing with UserDefined structure contents. + This avoids memory leakages on curl-generated part mime headers. + New test 2073 checks this using the cli tool --next option: it + triggers a valgrind error if bug is present. 
+ + Bug: https://curl.haxx.se/mail/lib-2017-12/0060.html + Reported-by: Martin Galvan -- darwinssl: SSLv2 connections are aborted if unsupported by the OS +- content_encoding: rework zlib_inflate + + - When zlib version is < 1.2.0.4, process gzip trailer before considering + extra data as an error. + - Inflate with Z_BLOCK instead of Z_SYNC_FLUSH to maximize correct data + and minimize corrupt data output. + - Do not try to restart deflate decompression in raw mode if output has + started or if the leading data is not available anymore. + - New test 232 checks inflating raw-deflated content. - I just noticed that OS X no longer supports SSLv2. Other TLS engines return - an error if the requested protocol isn't supported by the underlying - engine, so we do that now for SSLv2 if the framework returns an error - when trying to turn on SSLv2 support. (Note: As always, SSLv2 support is - only enabled in curl when starting the app with the -2 argument; it's off - by default. SSLv2 is really old and insecure.) + Closes #2068 -Marc Hoersken (1 Jul 2013) -- lib506.c: Fixed possible use of uninitialized variables +- brotli: allow compiling with version 0.6.0. + + Some error codes were not yet defined in brotli 0.6.0: do not issue code + for them in this case. -Kamil Dudka (30 Jun 2013) -- url: restore the functionality of 'curl -u :' +Daniel Stenberg (13 Dec 2017) +- CURLOPT_READFUNCTION.3: refer to argument with correct name - This commit fixes a regression introduced in - fddb7b44a79d78e05043e1c97e069308b6b85f79. + Bug: #2175 - Reported by: Markus Moeller - Bug: http://curl.haxx.se/mail/archive-2013-06/0052.html - -Daniel Stenberg (25 Jun 2013) -- digest: append the timer to the random for the nonce + [ci skip] -- digest: improve nonce generation +- rand: add a clang-analyzer work-around - Use the new improved Curl_rand() to generate better random nonce for - Digest auth. + scan-build would warn on a potential access of an uninitialized + buffer. 
I deem it a false positive and had to add this somewhat ugly + work-around to silence it. -- curl.1: fix typo in --xattr description +- krb5: fix a potential access of uninitialized memory - Bug: http://curl.haxx.se/bug/view.cgi?id=1252 - Reported-by: Jean-Noël Rouvignac + A scan-build warning. -- RELEASE-NOTES: synced with 365c5ba39591 +- conncache: fix a return code [regression] - The 10 first bug fixes for the pending release... + This broke in 07cb27c98e. Make sure to return 'result' properly. Pointed + out by scan-build! -- formpost: better random boundaries +- curl: support >256 bytes warning messsages - When doing multi-part formposts, libcurl used a pseudo-random value that - was seeded with time(). This turns out to be bad for users who formpost - data that is provided with users who then can guess how the boundary - string will look like and then they can forge a different formpost part - and trick the receiver. + Bug: #2174 + +Michael Kaufmann (12 Dec 2017) +- libssh: fix a syntax error in configure.ac - My advice to such implementors is (still even after this change) to not - rely on the boundary strings being cryptographically strong. Fix your - code and logic to not depend on them that much! + Follow-up to c92d2e1 - I moved the Curl_rand() function into the sslgen.c source file now to be - able to take advantage of the SSL library's random function if it - provides one. If not, try to use the RANDOM_FILE for seeding and as a - last resort keep the old logic, just modified to also add microseconds - which makes it harder to properly guess the exact seed. + Closes #2172 + +Daniel Stenberg (12 Dec 2017) +- examples/smtp-mail.c: use separate defines for options and mail - The formboundary() function in formdata.c is now using 64 bit entropy - for the boundary and therefore the string of dashes was reduced by 4 - letters and there are 16 hex digits following it. The total length is - thus still the same. + ... 
to make it clearer that the options want address-only, while the + headers in an email can also have the real name. - Bug: http://curl.haxx.se/bug/view.cgi?id=1251 - Reported-by: "Floris" + Assisted-by: Sean MacLennan -- printf: make sure %x are treated unsigned +- THANKS: added missing names - When using %x, the number must be treated as unsigned as otherwise it - would get sign-extended on for example 64bit machines and do wrong - output. This problem showed when doing printf("%08x", 0xffeeddcc) on a - 64bit host. + ... as I reran the contrithanks script after the mailmap name fixups. -- tests: add test1395 to the tarball +- mailmap: added/clarified several names -- SIGPIPE: don't use 'data' in sigpipe restore +- setopt: less *or equal* than INT_MAX/1000 should be fine - Follow-up fix from 7d80ed64e43515. + ... for the CURLOPT_TIMEOUT, CURLOPT_CONNECTTIMEOUT and + CURLOPT_SERVER_RESPONSE_TIMEOUT range checks. - The SessionHandle may not be around to use when we restore the sigpipe - sighandler so we store the no_signal boolean in the local struct to know - if/how to restore. - -- TODO: 1.8 Modified buffer size approach + Reported-by: Dominik Hölzl + Bug: https://curl.haxx.se/mail/lib-2017-12/0037.html - Thoughts around buffer sizes and what might be possible to do... + Closes #2173 -- c-ares: improve error message on failed resolve - - When the c-ares based resolver backend failed to resolve a name, it - tried to show the name that failed from existing structs. This caused - the wrong output and shown hostname when for example --interface - [hostname] was used and that name resolving failed. +- [Dmitry Kostjuchenko brought this change] + + vtls: replaced getenv() with curl_getenv() - Now we use the hostname used in the actual resolve attempt in the error - message as well. + Fixed undefined symbol of getenv() which does not exist when compiling + for Windows 10 App (CURL_WINDOWS_APP). 
Replaced getenv() with + curl_getenv() which is aware of getenv() absence when CURL_WINDOWS_APP + is defined. - Bug: http://curl.haxx.se/bug/view.cgi?id=1191 - Reported-by: Kim Vandry + Closes #2171 -- ossl_recv: check for an OpenSSL error, don't assume - - When we recently started to treat a zero return code from SSL_read() as - an error we also got false positives - which primarily looks to be - because the OpenSSL documentation is wrong and a zero return code is not - at all an error case in many situations. +- RELEASE-NOTES: synced with 3b9ea70ee + +- TODO: Expose tried IP addresses that failed - Now ossl_recv() will check with ERR_get_error() to see if there is a - stored error and only then consider it to be a true error if SSL_read() - returned zero. + Suggested-by: Rainer Canavan - Bug: http://curl.haxx.se/bug/view.cgi?id=1249 - Reported-by: Nach M. S. - Patch-by: Nach M. S. + Closes #2126 -Nick Zitzmann (22 Jun 2013) -- Merge branch 'master' of https://github.com/bagder/curl +- curl.1: mention http:// and https:// as valid proxy prefixes -- darwinssl: fix crash that started happening in Lion - - Something (a recent security update maybe?) changed in Lion, and now it - has changed SSLCopyPeerTrust such that it may return noErr but also give - us a null trust, which caught us off guard and caused an eventual crash. +- curl.1: documented two missing valid exit codes + +- CURLOPT_DNS_LOCAL_IP4.3: fixed the seel also to not self-reference -Daniel Stenberg (22 Jun 2013) -- SIGPIPE: ignored while inside the library +- Revert "curl: don't set CURLOPT_INTERLEAVEDATA" - ... and restore the ordinary handling again when it returns. This is - done for curl_easy_perform() and curl_easy_cleanup() only for now - and - only when built to use OpenSSL as backend as this is the known culprit - for the spurious SIGPIPEs people have received. + This reverts commit 9ffad8eb1329bb35c8988115ac7ed85cf91ef955. 
- Bug: http://curl.haxx.se/bug/view.cgi?id=1180 - Reported by: Lluís Batlle i Rossell + It was actually added rather recently in 8e8afa82cbb629 due to a crash + that would otherwise happen in the RTSP code. As I don't think we've + fixed that behavior yet, we better keep this work-around until we have + fixed it better. -- KNOWN_BUGS: #83 unable to load non-default openssl engines +Michael Kaufmann (10 Dec 2017) +- tests: mark data files as non-executable in git -- test1396: invoke the correct test tool! - - This erroneously run unit test 1310 instead of 1396! +- tests: update .gitignore for libtests -Kamil Dudka (22 Jun 2013) -- test1230: avoid using hard-wired port number +Daniel Stenberg (10 Dec 2017) +- multi_done: prune DNS cache - ... to prevent failure when a non-default -b option is given - -- curl-config.in: replace tabs by spaces - -Nick Zitzmann (22 Jun 2013) -- darwinssl: reform OS-specific #defines + Prune the DNS cache immediately after the dns entry is unlocked in + multi_done. Timed out entries will then get discarded in a more orderly + fashion. - This doesn't need to be in the release notes. I cleaned up a lot of the #if - lines in the code to use MAC_OS_X_VERSION_MIN_REQUIRED and - MAC_OS_X_VERSION_MAX_ALLOWED instead of checking for whether things like - __MAC_10_6 or whatever were defined, because for some SDKs Apple has released - they were defined out of place. - -Daniel Stenberg (22 Jun 2013) -- [Alessandro Ghedini brought this change] + Test506 is updated + + Reported-by: Oleg Pudeyev + + Fixes #2169 + Closes #2170 - docs: fix typo in curl_easy_getinfo manpage +- mailmap: fixup two old git Author "aliases" -- dotdot: introducing dot file path cleanup +Jay Satiro (10 Dec 2017) +- openssl: Disable file buffering for Win32 SSLKEYLOGFILE - RFC3986 details how a path part passed in as part of a URI should be - "cleaned" from dot sequences before getting used. 
The described - algorithm is now implemented in lib/dotdot.c with the accompanied test - case in test 1395. + Prior to this change SSLKEYLOGFILE used line buffering on WIN32 just + like it does for other platforms. However, the Windows CRT does not + actually support line buffering (_IOLBF) and will use full buffering + (_IOFBF) instead. We can't use full buffering because multiple processes + may be writing to the file and that could lead to corruption, and since + full buffering is the only buffering available this commit disables + buffering for Windows SSLKEYLOGFILE entirely (_IONBF). - Bug: http://curl.haxx.se/bug/view.cgi?id=1200 - Reported-by: Alex Vinnik + Ref: https://github.com/curl/curl/pull/1346#issuecomment-350530901 -- bump: start working towards what most likely will become 7.32.0 +Daniel Stenberg (10 Dec 2017) +- RESOLVE: output verbose text when trying to set a duplicate name + + ... to help users understand what is or isn't done! -- THANKS: added 24 new contributors from the 7.31.0 release +- CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE -Version 7.31.0 (22 Jun 2013) +- [John DeHelian brought this change] -Daniel Stenberg (22 Jun 2013) -- RELEASE-NOTES: synced with 0de7249bb39a2 - 7.31.0 + sftp: allow quoted commands to use relative paths + + Closes #1900 -- unit1396: unit tests to verify curl_easy_(un)escape +Jay Satiro (8 Dec 2017) +- [Richard Alcock brought this change] -- Curl_urldecode: no peeking beyond end of input buffer + CURLOPT_PRIVATE.3: fix grammar - Security problem: CVE-2013-2174 + - Change "never does nothing" double-negative to "never does anything". - If a program would give a string like "%FF" to curl_easy_unescape() but - ask for it to decode only the first byte, it would still parse and - decode the full hex sequence. 
The function then not only read beyond the - allowed buffer but it would also deduct the *unsigned* counter variable - for how many more bytes there's left to read in the buffer by two, - making the counter wrap. Continuing this, the function would go on - reading beyond the buffer and soon writing beyond the allocated target - buffer... - - Bug: http://curl.haxx.se/docs/adv_20130622.html - Reported-by: Timo Sirainen - -Guenter Knauf (20 Jun 2013) -- Use opened body.out file and write content to it. + Closes https://github.com/curl/curl/pull/2168 -Daniel Stenberg (20 Jun 2013) -- multi_socket: react on socket close immediately +Daniel Stenberg (8 Dec 2017) +- curl: remove __EMX__ #ifdefs - As a remedy to the problem when a socket gets closed and a new one is - opened with the same file descriptor number and as a result - multi.c:singlesocket() doesn't detect the difference, the new function - Curl_multi_closed() gets told when a socket is closed so that it can be - removed from the socket hash. When the old one has been removed, a new - socket should be detected fine by the singlesocket() on next invoke. + These are OS/2-specific things added to the code in the year 2000. They + were always ugly. If there's any user left, they still don't need it + done this way. - Bug: http://curl.haxx.se/bug/view.cgi?id=1248 - Reported-by: Erik Johansson - -- RELEASE-NOTES: synced with e305f5ec715f + Closes #2166 -- TODO: mention the DANE patch from March +Jay Satiro (8 Dec 2017) +- openssl: improve data-pending check for https proxy + + - Allow proxy_ssl to be checked for pending data even when connssl does + not yet have an SSL handle. + + This change is for posterity. Currently there doesn't seem to be a code + path that will cause a pending data check when proxyssl could have + pending data and the connssl handle doesn't yet exist [1]. 
+ + [1]: Recall that an https proxy connection starts out in connssl but if + the destination is also https then the proxy SSL backend data is moved + from connssl to proxyssl, which means connssl handle is temporarily + empty until an SSL handle for the destination can be created. + + Ref: https://github.com/curl/curl/commit/f4a6238#commitcomment-24396542 + + Closes https://github.com/curl/curl/pull/1916 -- CURLOPT_COOKIELIST: take cookie share lock +Daniel Stenberg (8 Dec 2017) +- curl: don't set CURLOPT_INTERLEAVEDATA - When performing COOKIELIST operations the cookie lock needs to be taken - for the cases where the cookies are shared among multiple handles! + That data is only ever used by the CURLOPT_INTERLEAVEFUNCTION callback + and that option isn't set or used by the curl tool! - Verified by Benjamin Gilbert's updated test 506 + Updates the 9 tests that verify --libcurl + + Closes #2167 + +- curl.h: remove incorrect comment about ERRORBUFFER - Bug: http://curl.haxx.se/bug/view.cgi?id=1215 - Reported-by: Benjamin Gilbert + ... error messages are _not_ sent to stderr if this is not set. -- [Benjamin Gilbert brought this change] +- [Michael Felt brought this change] - test506: verify that CURLOPT_COOKIELIST takes share lock + configure: add AX_CODE_COVERAGE only if using gcc - It doesn't right now: http://curl.haxx.se/bug/view.cgi?id=1215 + Fixes #2076 + Closes #2125 -- TODO: HTTP2/SPDY support +- curl: limit -# update frequency for unknown total size + + Make it use a max 10Hz update frequency for this case as well. Return + early if the "point" hasn't moved since last invoke. + + Reported-by: Elliot Saba + + Fixes #2158 + Closes #2163 -- curl_easy_setopt.3: clarify CURLOPT_PROGRESSFUNCTION frequency +- BINDINGS: another PostgreSQL client + + ...the former link is dead. - Make it clearer that the CURLOPT_PROGRESSFUNCTION callback will be - called more frequently than once per second when things are happening. 
+ Reported-by: Frank Gevaerts -- RELEASE-NOTES: synced with 9c3e098259b82 +- [Zachary Seguin brought this change] + + CONNECT: keep close connection flag in http_connect_state struct - Mention 7 recent bug fixes and their associated contributors + Fixes #2088 + Closes #2157 -- curl_multi_wait.3: clarify the numfds counter +- [Per Malmberg brought this change] -- curl_easy_perform: avoid busy-looping + include: get netinet/in.h before linux/tcp.h - When curl_multi_wait() finds no file descriptor to wait for, it returns - instantly and this must be handled gracefully within curl_easy_perform() - or cause a busy-loop. Starting now, repeated fast returns without any - file descriptors is detected and a gradually increasing sleep will be - used (up to a max of 1000 milliseconds) before continuing the loop. + ... to allow build on older Linux dists (specifically CentOS 4.8 on gcc + 4.8.5) - Bug: http://curl.haxx.se/bug/view.cgi?id=1238 - Reported-by: Miguel Angel + Closes #2160 + +- openldap: fix checksrc nits -- [YAMADA Yasuharu brought this change] +- [Stepan Broz brought this change] - cookies: follow-up fix for path checking + openldap: add commented out debug possibilities + + ... to aid debugging openldap library using its built-in debug messages. - The initial fix to only compare full path names were done in commit - 04f52e9b4db0 but found out to be incomplete. This takes should make the - change more complete and there's now two additional tests to verify - (test 31 and 62). + Closes #2159 -- [Sergei Nikulov brought this change] +- examples: move threaded-shared-conn.c to the "complicated" ones + + ... due it relying on pthreads to link. - lib1900: use tutil_tvnow instead of gettimeofday +- RELEASE-NOTES: synced with b261c44e8 - Makes it build on windows + ... and bump next release version to 7.58.0 -- [Eric Hu brought this change] +- [Jan Ehrhardt brought this change] - axtls: now done non-blocking + URL: tolerate backslash after drive letter for FILE: + + ... 
as in "file://c:\some\path\curl.out" + + Reviewed-by: Matthew Kerwin + Closes #2154 -- [Eric Hu brought this change] +- [Randall S. Becker brought this change] - test2033: requires NTLM support + tests: added netinet/in6.h includes in test servers -- KNOWN_BUGS: #82 failed build with Borland compiler +- [Randall S. Becker brought this change] -- Curl_output_digest: support auth-int for empty entity body + configure: check for netinet/in6.h - By always returning the md5 for an empty body when auth-int is asked - for, libcurl now at least sometimes does the right thing. + Needed by HPE NonStop NSE and NSX systems - Bug: http://curl.haxx.se/bug/view.cgi?id=1235 - Patched-by: Nach M. S. + Fixes #2146 + Closes #2155 -- multi_socket: reduce timeout inaccuracy margin +- curl-config: add --ssl-backends - Allow less room for "triggered too early" mistakes by applications / - timers on non-windows platforms. Starting now, we assume that a timeout - call is never made earlier than 3 milliseconds before the actual - timeout. This greatly improves timeout accuracy on Linux. + Lists all SSL backends that were enabled at build-time. - Bug: http://curl.haxx.se/bug/view.cgi?id=1228 - Reported-by: Hang Su + Suggested-by: Oleg Pudeyev + Fixes #2128 -- cert_stuff: avoid double free in the PKCS12 code +- conncache: only allow multiplexing within same multi handle - In the pkcs12 code, we get a list of x509 records returned from - PKCS12_parse but when iterating over the list and passing each to - SSL_CTX_add_extra_chain_cert() we didn't also properly remove them from - the "stack", which made them get freed twice (both in sk_X509_pop_free() - and then later in SSL_CTX_free). + Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing + only get additional transfers added to them if the existing connection + is held by the same multi or easy handle. libcurl does not support doing + HTTP/2 streams in different threads using a shared connection. 
- This isn't really documented anywhere... - - Bug: http://curl.haxx.se/bug/view.cgi?id=1236 - Reported-by: Nikaiw + Closes #2152 -- cert_stuff: remove code duplication in the pkcs12 logic +- threaded-shared-conn.c: fixed typo in commenta -- [Aleksey Tulinov brought this change] +- threaded-shared-conn.c: new example - axtls: honor disabled VERIFYHOST +- conncache: fix several lock issues - When VERIFYHOST == 0, libcurl should let invalid certificates to pass. - -- [Peter Gal brought this change] + If the lock is released before the dealings with the bundle is over, it may + have changed by another thread in the mean time. + + Fixes #2132 + Fixes #2151 + Closes #2139 - curl_easy_setopt.3: HTTP header with no content +- libssh: remove dead code in sftp_qoute + + ... by removing a superfluous NULL pointer check that also confuses + Coverity. - Update the documentation on how to specify a HTTP header with no - content. + Fixes #2143 + Closes #2153 -- RELEASE-NOTES: synced with 87cf677eca55 +- sasl_getmesssage: make sure we have a long enough string to pass + + For pop3/imap/smtp, added test 891 to somewhat verify the pop3 + case. + + For this, I enhanced the pingpong test server to be able to send back + responses with LF-only instead of always using CRLF. - Added 11 bugs and 7 contributors + Closes #2150 -- lib1500: remove bad check +- libssh2: remove dead code from SSH_SFTP_QUOTE - After curl_multi_wait() returns, this test checked that we got exactly - one file descriptor told to read from, but we cannot be sure that is - true. curl_multi_wait() will sometimes return earlier without any file - descriptor to handle, just just because it is a suitable time to call - *perform(). + Figured out while reviewing code in the libssh backend. The pointer was + checked for NULL after having been dereferenced, so we know it would + always equal true or it would've crashed. - This problem showed up with commit 29bf0598. 
+ Pointed-out-by: Nikos Mavrogiannopoulos - Bug: http://curl.haxx.se/mail/lib-2013-06/0029.html - Reported-by: Fabian Keil + Bug #2143 + Closes #2148 -- tests/Makefile: typo in the perlcheck target +- ssh-libssh.c: please checksrc + +Nikos Mavrogiannopoulos (4 Dec 2017) +- libssh: fixed dereference in statvfs access - Bug: http://curl.haxx.se/bug/view.cgi?id=1239 - Reported-by: Christian Weisgerber + The behavior is now equivalent to ssh.c when SSH_SFTP_QUOTE_STATVFS + handling fails. + + Fixes #2142 -- test1230: verify CONNECT to a numerical ipv6-address +Daniel Stenberg (4 Dec 2017) +- [Guitared brought this change] -- sws: support extracting test number from CONNECT ipv6-address! + RESOURCES: update spec names - If an ipv6-address is provided to CONNECT, the last hexadecimal group in - the address will be used as the test number! For example the address - "[1234::ff]" would be treated as test case 255. + Closes #2145 -- curl_multi_wait: only use internal timer if not -1 +Nikos Mavrogiannopoulos (3 Dec 2017) +- libssh: corrected use of sftp_statvfs() in SSH_SFTP_QUOTE_STATVFS - commit 29bf0598aad5 introduced a problem when the "internal" timeout is - prefered to the given if shorter, as it didn't consider the case where - -1 was returned. Now the internal timeout is only considered if not -1. + The previous code was incorrectly following the libssh2 error detection + for libssh2_sftp_statvfs, which is not correct for libssh's sftp_statvfs. - Reported-by: Tor Arntsen - Bug: http://curl.haxx.se/mail/lib-2013-06/0015.html - -Dan Fandrich (3 Jun 2013) -- libcurl-tutorial.3: added a section on IPv6 + Fixes #2142 - Also added a (correctly-escaped) backslash to the autoexec.bat - example file and a new Windows character device name with - a colon as examples of other characters that are special - and potentially dangerous (this reverts and reworks commit - 7d8d2a54). + 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> -Daniel Stenberg (3 Jun 2013) -- curl_multi_wait: reduce timeout if the multi handle wants to +- libssh: no need to call sftp_get_error as ssh_get_error is sufficient - If the multi handle's pending timeout is less than what is passed into - this function, it will now opt to use the shorter time anyway since it - is a very good hint that the handle wants to process something in a - shorter time than what otherwise would happen. + Fixes #2141 - curl_multi_wait.3 was updated accordingly to clarify + 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> + +Daniel Stenberg (2 Dec 2017) +- libssh: fix minor static code analyzer nits + + - remove superfluous NULL check which otherwise tricks the static code + analyzers to assume NULL pointer dereferences. - This is the reason for bug #1224 + - fix fallthrough in switch() - Bug: http://curl.haxx.se/bug/view.cgi?id=1224 - Reported-by: Andrii Moiseiev + - indent mistake -- multi_runsingle: switch an if() condition for readability +- openssl: pkcs12 is supported by boringssl + + Removes another #ifdef for BoringSSL - ... because there's an identical check right next to it so using the - operators in the check in the same order increases readability. + Pointed-out-by: David Benjamin + + Closes #2134 -Marc Hoersken (2 Jun 2013) -- curl_schannel.c: Removed variable unused since 35874298e4 +- [Jay Satiro brought this change] -- curl_setup.h: Fixed redefinition warning using mingw-w64 + travis: use pip2 instead of pip + + .. since now mac osx image expects pip2 or pip3, and doesn't know pip: + + 0.01s$ pip install --user cpp-coveralls + /Users/travis/.travis/job_stages: line 57: pip: command not found + + Ref: https://github.com/travis-ci/travis-ci/issues/8829 + + Closes https://github.com/curl/curl/pull/2133 -Daniel Stenberg (30 May 2013) -- multi_runsingle: add braces to clarify the code +- [Nikos Mavrogiannopoulos brought this change] -- libcurl-tutorial.3: remove incorrect backslash + lib582: do not verify host for SFTP - A single backslash in the content is not legal nroff syntax. + This SFTP test fails with libssh back-end due to failure to verify + the peer. Disable peer verification in the test as there seems to + be the intention of the test. - Reported and fixed by: Eric S. Raymond - Bug: http://curl.haxx.se/bug/view.cgi?id=1234 - -- curl_formadd.3: fixed wrong "end-marker" syntax + Note that the libssh back-end automatically verifies the peer's + host using the default known_hosts file. 
- Reported and fixed by: Eric S. Raymond - Bug: http://curl.haxx.se/bug/view.cgi?id=1233 + Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> -- curl.1: clarify that --silent still outputs data +- [Nikos Mavrogiannopoulos brought this change] -- Digest auth: escape user names with \ or " in them + libssh: added SFTP support - When sending the HTTP Authorization: header for digest, the user name - needs to be escaped if it contains a double-quote or backslash. + The SFTP back-end supports asynchronous reading only, limited + to 32-bit file length. Writing is synchronous with no other + limitations. - Test 1229 was added to verify + This also brings keyboard-interactive authentication. - Reported and fixed by: Nach M. S - Bug: http://curl.haxx.se/bug/view.cgi?id=1230 + Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> -- [Mike Giancola brought this change] +- [Nikos Mavrogiannopoulos brought this change] - ossl_recv: SSL_read() returning 0 is an error too + symbols-in-versions: added new symbols with 7.56.3 version - SSL_read can return 0 for "not successful", according to the open SSL - documentation: http://www.openssl.org/docs/ssl/SSL_read.html + Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> -- [Mike Giancola brought this change] +- [Nikos Mavrogiannopoulos brought this change] - ossl_send: SSL_write() returning 0 is an error too + .travis.yml: added build --with-libssh - We found that in specific cases if the connection is abruptly closed, - the underlying socket is listed in a close_wait state. We continue to - call the curl_multi_perform, curl_mutli_fdset etc. None of these APIs - report the socket closed / connection finished. Since we have cases - where the multi connection is only used once, this can pose a problem - for us. I've read that if another connection was to come in, curl would - see the socket as bad and attempt to close it at that time - - unfortunately, this does not work for us. + 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> + +- [Nikos Mavrogiannopoulos brought this change] + + libssh2: return CURLE_UPLOAD_FAILED on failure to upload - I found that in specific situations, if SSL_write returns 0, curl did - not recognize the socket as closed (or errored out) and did not report - it to the application. I believe we need to change the code slightly, to - check if ssl_write returns 0. If so, treat it as an error - the same as - a negative return code. + This brings its in sync with the error code returned by the + libssh backend. - For OpenSSL - the ssl_write documentation is here: - http://www.openssl.org/docs/ssl/SSL_write.html + Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> -- KNOWN_BUGS: curl -OJC- fails to resume - - Bug: http://curl.haxx.se/bug/view.cgi?id=1169 +- [Nikos Mavrogiannopoulos brought this change] -- Curl_cookie_add: handle IPv6 hosts + libssh2: send the correct CURLE error code on scp file not found - 1 - don't skip host names with a colon in them in an attempt to bail out - on HTTP headers in the cookie file parser. It was only a shortcut anyway - and trying to parse a file with HTTP headers will still be handled, only - slightly slower. + That also updates tests to expect the right error code - 2 - don't skip domain names based on number of dots. The original - netscape cookie spec had this oddity mentioned and while our code - decreased the check to only check for two, the existing cookie spec has - no such dot counting required. + libssh2 back-end returns CURLE_SSH error if the remote file + is not found. Expect instead CURLE_REMOTE_FILE_NOT_FOUND + which is sent by the libssh backend. - Bug: http://curl.haxx.se/bug/view.cgi?id=1221 - Reported-by: Stefan Neis + 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> -- curl_easy_setopt.3: expand the PROGRESSFUNCTION section +- [Nikos Mavrogiannopoulos brought this change] + + Added support for libssh SSH SCP back-end + + libssh is an alternative library to libssh2. + https://www.libssh.org/ - Explain the callback and its arguments better and with more descriptive - text. + That patch set also introduces support for ECDSA + ed25519 keys, as well as gssapi authentication. + + 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> -- tests: add test1394 file to the tarball +- RELEASE-NOTES: synced with af8cc7a69 -- tarball: include the xmlstream example +- curlver: towards 7.57.1 -- [David Strauss brought this change] +- [W. Mark Kubacki brought this change] - xmlstream: XML stream parsing example source code + lib: don't export all symbols, just everything curl_* + + Absent any 'symbol map' or script to limit what gets exported, static + linking of libraries previously resulted in a libcurl with curl's and + those other symbols being (re-)exported. + + This did not happen if 'versioned symbols' were enabled (which is not + the default) because then a version script is employed. + + This limits exports to everything starting in 'curl_*'., which is + what "libcurl.vers" exports. - Add an XML stream parsing example using Expat. Add missing ignore for - the binary from an unrelated example. + This avoids strange side-effects such as with mixing methods + from system libraries and those erroneously offered by libcurl. + + Closes #2127 -- [YAMADA Yasuharu brought this change] +- [Johannes Schindelin brought this change] - cookies: only consider full path matches + SSL: Avoid magic allocation of SSL backend specific data - I found a bug which cURL sends cookies to the path not to aim at. - For example: - - cURL sends a request to http://example.fake/hoge/ - - server returns cookie which with path=/hoge; - the point is there is NOT the '/' end of path string. - - cURL sends a request to http://example.fake/hogege/ with the cookie. + Originally, my idea was to allocate the two structures (or more + precisely, the connectdata structure and the four SSL backend-specific + strucutres required for ssl[0..1] and proxy_ssl[0..1]) in one go, so + that they all could be free()d together. 
- The reason for this old "feature" is because that behavior is what is - described in the original netscape cookie spec: - http://curl.haxx.se/rfc/cookie_spec.html + However, getting the alignment right is tricky. Too tricky. - The current cookie spec (RFC6265) clarifies the situation: - http://tools.ietf.org/html/rfc6265#section-5.2.4 - -- [Eric Hu brought this change] + So let's just bite the bullet and allocate the SSL backend-specific + data separately. + + As a consequence, we now have to be very careful to release the memory + allocated for the SSL backend-specific data whenever we release any + connectdata. + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + + Closes #2119 - axtls: prevent memleaks on SSL handshake failures +- examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL + + Reported-by: Dima Tisnek -- Revert "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage" +- travis: add boringssl build - This reverts commit 8ec2cb5544b86306b702484ea785b6b9596562ab. + Uses a separate build without --enable-debug and no valgrind. - We don't have any code anywhere in libcurl (or the curl tool) that use - wcsdup so there's no such memory use to track. It seems to cause mild - problems with the Borland compiler though that we may avoid by reverting - this change again. + The debug option causes far too many warnings in boringssl's headers + (C++ comments, trailing commas etc). Valgrind triggers some false + positive errors in thread-local data used by boringssl. - Bug: http://curl.haxx.se/mail/lib-2013-05/0070.html + Closes #2118 -- RELEASE-NOTES: synced with ae26ee3489588f0 +Version 7.57.0 (29 Nov 2017) -Guenter Knauf (11 May 2013) -- Updated zlib version in build files. +Daniel Stenberg (29 Nov 2017) +- RELEASE-NOTES: curl 7.57.0 -Daniel Stenberg (9 May 2013) -- [Renaud Guillard brought this change] +- THANKS: added contributors from 7.57.0 release - OS X framework: fix invalid symbolic link +- openssl: fix boringssl build again + + commit d3ab7c5a21e broke the boringssl build since it doesn't have + RSA_flags(), so we disable that code block for boringssl builds. + + Reported-by: W. 
Mark Kubacki + Fixes #2117 -Kamil Dudka (9 May 2013) -- [Daniel Stenberg brought this change] +- curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided - nss: give PR_INTERVAL_NO_WAIT instead of -1 to PR_Recv/PR_Send - - Reported by: David Strauss - Bug: http://curl.haxx.se/mail/lib-2013-05/0088.html +- libcurl-share.3: the connection cache is shareable now -Daniel Stenberg (8 May 2013) -- libtest: gitignore more binary files +- global_init: ignore CURL_GLOBAL_SSL's absense + + This bit is no longer used. It is not clear what it meant for users to + "init the TLS" in a world with different TLS backends and since the + introduction of multissl, libcurl didn't properly work if inited without + this bit set. + + Not a single user responded to the call for users of it: + https://curl.haxx.se/mail/lib-2017-11/0072.html + + Reported-by: Evgeny Grin + Assisted-by: Jay Satiro + + Fixes #2089 + Fixes #2083 + Closes #2107 -- servercert: allow empty subject +- ntlm: avoid integer overflow for malloc size + + Reported-by: Alex Nichols + Assisted-by: Kamil Dudka and Max Dymond - Bug: http://curl.haxx.se/bug/view.cgi?id=1220 - Patch by: John Gardiner Myers + CVE-2017-8816 + + Bug: https://curl.haxx.se/docs/adv_2017-11e7.html -- [Steve Holme brought this change] +- wildcardmatch: fix heap buffer overflow in setcharset + + The code would previous read beyond the end of the pattern string if the + match pattern ends with an open bracket when the default pattern + matching function is used. + + Detected by OSS-Fuzz: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161 + + CVE-2017-8817 + + Bug: https://curl.haxx.se/docs/adv_2017-ae72.html - tests: Added new SMTP tests to verify commit 99b40451836d +- [Jay Satiro brought this change] -- runtests.pl: support nonewline="yes" in client/stdin sections + url: fix alignment of ssl_backend_data struct + + - Align the array of ssl_backend_data on a max 32 byte boundary. 
+ + 8 is likely to be ok but I went with 32 for posterity should one of + the ssl_backend_data structs change to contain a larger sized variable + in the future. + + Prior to this change (since dev 70f1db3, release 7.56) the connectdata + structure was undersized by 4 bytes in 32-bit builds with ssl enabled + because long long * was mistakenly used for alignment instead of + long long, with the intention being an 8 byte boundary. Also long long + may not be an available type. + + The undersized connectdata could lead to oob read/write past the end in + what was expected to be the last 4 bytes of the connection's secondary + socket https proxy ssl_backend_data struct (the secondary socket in a + connection is used by ftp, others?). + + Closes https://github.com/curl/curl/issues/2093 + + CVE-2017-8818 + + Bug: https://curl.haxx.se/docs/adv_2017-af0a.html -- build: fixed unit1394 for debug and metlink builds +- ssh: remove check for a NULL pointer (!) + + With this check present, scan-build warns that we might dereference this + point in other places where it isn't first checked for NULL. Thus, if it + *can* be NULL we have a problem on a few places. However, this pointer + should not be possible to be NULL here so I remove the check and thus + also three different scan-build warnings. 
+ + Closes #2111 -Kamil Dudka (6 May 2013) -- unit1394.c: plug the curl tool unit test in +- [Matthew Kerwin brought this change] -- [Jared Jennings brought this change] + test: add test for bad UNC/SMB path in file: URL - unit1394.c: basis of a unit test for parse_cert_parameter() +- [Matthew Kerwin brought this change] -- src/Makefile.am: build static lib for unit tests if enabled + test: add tests to ensure basic file: URLs -- tool_getparam: ensure string termination in parse_cert_parameter() +- [Matthew Kerwin brought this change] -- tool_getparam: fix memleak in handling the -E option + URL: update "file:" URL handling + + * LOTS of comment updates + * explicit error for SMB shares (e.g. "file:////share/path/file") + * more strict handling of authority (i.e. "//localhost/") + * now accepts dodgy old "C:|" drive letters + * more precise handling of drive letters in and out of Windows + (especially recognising both "file:c:/" and "file:/c:/") + + Closes #2110 -- tool_getparam: describe what parse_cert_parameter() does +- metalink: fix memory-leak and NULL pointer dereference + + Reported by scan-build - ... and de-duplicate the code initializing *passphrase + Closes #2109 -- curl.1: document escape sequences recognized by -E +- [Alessandro Ghedini brought this change] -- [Jared Jennings brought this change] + connect: add support for new TCP Fast Open API on Linux + + The new API added in Linux 4.11 only requires setting a socket option + before connecting, without the whole sento() machinery. + + Notably, this makes it possible to use TFO with SSL connections on Linux + as well, without the need to mess around with OpenSSL (or whatever other + SSL library) internals. 
+ + Closes #2056 - curl -E: allow to escape ':' in cert nickname +- make: fix "make distclean" + + Fixes #2097 + Closes #2108 -Marc Hoersken (5 May 2013) -- curl_schannel.c: Fixed invalid memory access during SSL shutdown +- RELEASE-NOTES: synced with 31f18d272 -Steve Holme (4 May 2013) -- smtp: Fix trailing whitespace warning +Jay Satiro (23 Nov 2017) +- connect: improve the bind error message + + eg consider a non-existent interface eth8, curl --interface eth8 + + Before: curl: (45) Could not resolve host: eth8 + After: curl: (45) Couldn't bind to 'eth8' + + Bug: https://github.com/curl/curl/issues/2104 + Reported-by: Alfonso Martone -- smtp: Fix compilation warning +Daniel Stenberg (23 Nov 2017) +- examples/rtsp: clear RANGE again after use - comparison between signed and unsigned integer expressions + Fixes #2106 + Reported-by: youngchopin on github -- RELEASE-NOTES: synced with 92ef5f19c801 +- [Michael Kaufmann brought this change] -- smtp: Updated RFC-2821 references to RFC-5321 + test1264: verify URL with space in host name being rejected -- smtp: Fixed sending of double CRLF caused by first in EOB +- url: reject ASCII control characters and space in host names - If the mail sent during the transfer contains a terminating <CRLF> then - we should not send the first <CRLF> of the EOB as specified in RFC-5321. + Host names like "127.0.0.1 moo" would otherwise be accepted by some + getaddrinfo() implementations. - Additionally don't send the <CRLF> if there is "no mail data" as the - DATA command already includes it. - -- tests: Corrected MAIL SIZE for CRLF line endings + Updated test 1034 and 1035 accordingly. - ... which was missed in commit: f5c3d9538452 + Fixes #2073 + Closes #2092 -- tests: Corrected infilesize for CRLF line endings +- Curl_open: fix OOM return error correctly - ... 
which was missed in commit: f5c3d9538452 + Closes #2098 -- tests: Corrected test1406 to be RFC2821 compliant +- http2: fix "Value stored to 'end' is never read" scan-build error -- tests: Corrected test1320 to be RFC2821 compliant +- http2: fix "Value stored to 'hdbuf' is never read" scan-build error -- tests: Corrected typo in test909 - - Introduced in commit: 514817669e9e +- openssl: fix "Value stored to 'rc' is never read" scan-build error -- tests: Corrected test909 to be RFC2821 compliant +- mime: fix "Value stored to 'sz' is never read" scan-build error -- tests: Updated test references to 909 from 1411 +- Curl_llist_remove: fix potential NULL pointer deref - ...and removed references to libcurl and test1406. + Fixes a scan-build warning. + +- ntlm: remove unnecessary NULL-check to please scan-build -- tests: Renamed test1411 to test909 as this is a main SMTP test +- BUGS: spellchecked -Daniel Stenberg (1 May 2013) -- [Lars Johannesen brought this change] +Jay Satiro (18 Nov 2017) +- [fmmedeiros brought this change] - bindlocal: move brace out of #ifdef + examples/curlx: Fix code style - The code within #ifdef HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID wrongly had two - closing braces when it should only have one, so builds without that - define would fail. + - Add braces around multi-line if statement. - Bug: http://curl.haxx.se/mail/lib-2013-05/0000.html + Closes https://github.com/curl/curl/pull/2096 -Steve Holme (30 Apr 2013) -- smtp: Tidy up to move the eob counter to the per-request structure +Daniel Stenberg (17 Nov 2017) +- resolve: allow IP address within [] brackets - Move the eob counter from the smtp_conn structure to the SMTP structure - as it is associated with a SMTP payload on a per-request basis. + ... so that IPv6 addresses can be passed like they can for connect-to + and how they're used in URLs. 
+ + Added test 1324 to verify + Reported-by: Alex Malinovich + + Fixes #2087 + Closes #2091 -- TODO: Updated following the addition of CURLOPT_SASL_IR +- [Pavol Markovic brought this change] -- smtp: Fixed unknown percentage complete in progress bar + macOS: Fix missing connectx function with Xcode version older than 9.0 - The curl command line utility would display the the completed progress - bar with a percentage of zero as the progress routines didn't know the - size of the transfer. + The previous fix https://github.com/curl/curl/pull/1788 worked just for + Xcode 9. This commit extends the fix to older Xcode versions effectively + by not using connectx function. + + Fixes https://github.com/curl/curl/issues/1330 + Fixes https://github.com/curl/curl/issues/2080 + Closes https://github.com/curl/curl/pull/1336 + Closes #2082 + +- [Dirk Feytons brought this change] -Daniel Stenberg (29 Apr 2013) -- ftpserver: silence warnings + openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY - Fix regressions in commit b56e3d43e5d. Make @data local and filter off - non-numerical digits from $testno in STATUS_imap. + Fixes #2079 + Closes #2081 -Steve Holme (29 Apr 2013) -- ftpserver.pl: Corrected the imap LOGIN response +- TODO: ignore private IP addresses in PASV response - ...to be more realistic and consistent with the other imap responses. + Closes #1455 -- tests: Added imap STATUS command test +- RELEASE-NOTES: synced with ae7369b6d -- tests: Corrected the SMTP tests to be RFC2821 compliant +Michael Kaufmann (14 Nov 2017) +- URL: return error on malformed URLs with junk after IPv6 bracket - The emails that are sent to the server during these tests were - incorrectly formatted as they contained one or more LF terminated lines - rather than being CRLF terminated as per Section 2.3.7 of RFC-2821. + Follow-up to aadb7c7. Verified by new test 1263. 
- This wasn't a problem for the test suite as the <stdin> data matched the - <upload> data but anyone using these tests as reference would be sending - incorrect data to a server. + Closes #2072 -- email: Tidy up of *_perform_authenticate() - - Removed the hard returns from imap and pop3 by using the same style for - sending the authentication string as smtp. Moved the "Other mechanisms - not supported" check in smtp to match that of imap and pop3 to provide - consistency between the three email protocols. +Daniel Stenberg (14 Nov 2017) +- INTERNALS: we may use libidn2 now, not libidn -- smtp: Updated limit check to be more readable like the check in pop3 +Patrick Monnerat (13 Nov 2017) +- zlib/brotli: only include header files in modules needing them + + There is a conflict on symbol 'free_func' between openssl/crypto.h and + zlib.h on AIX. This is an attempt to resolve it. + + Bug: https://curl.haxx.se/mail/lib-2017-11/0032.html + Reported-By: Michael Felt -- pop3: Added 255 octet limit check when sending initial response +Daniel Stenberg (13 Nov 2017) +- SMB: fix uninitialized local variable - Added 255 octet limit check as per Section 4. Paragraph 8 of RFC-5034. + Reported-by: Brian Carpenter -- DOCS: Corrected line length of recent Secure Transport changes +- [Orgad Shaneh brought this change] -Nick Zitzmann (27 Apr 2013) -- darwinssl: add TLS crypto authentication + connect.c: remove executable bit on file - Users using the Secure Transport (darwinssl) back-end can now use a - certificate and private key to authenticate with a site using TLS. Because - Apple's security system is based around the keychain and does not have any - non-public function to create a SecIdentityRef data structure from data - loaded outside of the Keychain, the certificate and private key have to be - loaded into the Keychain first (using the certtool command line tool or - the Security framework's C API) before we can find it and use it. 
+ Closes #2071 -Steve Holme (27 Apr 2013) -- Corrected version numbers after bump +- [hsiao yi brought this change] -Daniel Stenberg (27 Apr 2013) -- bump version + README.md: fixed layout - Since we're adding new stuff, the next release will bump the minor - version and we're looking forward to 7.31.0 - -Steve Holme (27 Apr 2013) -- RELEASE-NOTES: synced with f4e6e201b146 + Closes #2069 -- DOCS: Updated following the addition of CURLOPT_SASL_IR +- setopt: split out curl_easy_setopt() to its own file - Documented the the option in curl_easy_setopt() and added it to - symbols-in-versions. + ... to make url.c smaller. + + Closes #1944 -- tests: Corrected command line arguments in test907 and test908 +Jay Satiro (10 Nov 2017) +- [John Starks brought this change] -- tests: Added SMTP AUTH with initial response tests + cmake: Add missing setmode check + + Ensure HAVE_SETMODE is set to 1 on OSes that have setmode. Without this, + curl will corrupt binary files when writing them to stdout on Windows. + + Closes https://github.com/curl/curl/pull/2067 -- tests: Updated SMTP tests to decouple client initial response +Daniel Stenberg (10 Nov 2017) +- curl_share_setopt: va_end was not called if conncache errors - Updated test903 and test904 following the addition of CURLOPT_SASL_IR - as the default behaviour of SMTP AUTH responses is now to not include - the initial response. New tests with --sasl-ir support to follow. + CID 984459, detected by Coverity -- imap: Added support for overriding the SASL initial response +Sergei Nikulov (10 Nov 2017) +- [John Starks brought this change] + + cmake: Correctly include curl.rc in Windows builds (#2064) - In addition to checking for the SASL-IR capability the user can override - the sending of the client's initial response in the AUTHENTICATION - command with the use of CURLOPT_SASL_IR should the server erroneously - not report SASL-IR when it does support it. + Update CMakeLists.txt to add curl.rc to the correct list. 
+ +Daniel Stenberg (9 Nov 2017) +- RELEASE-NOTES: synced with 32828cc4f -- smtp: Added support for disabling the SASL initial response +- [Luca Boccassi brought this change] + + --interface: add support for Linux VRF + + The --interface command (CURLOPT_INTERFACE option) already uses + SO_BINDTODEVICE on Linux, but it tries to parse it as an interface or IP + address first, which fails in case the user passes a VRF. - Updated the default behaviour of sending the client's initial response in the AUTH - command to not send it and added support for CURLOPT_SASL_IR to allow the user to - specify including the response. + Try to use the socket option immediately and parse it as a fallback + instead. Update the documentation to mention this feature, and that it + requires the binary to be ran by root or with CAP_NET_RAW capabilities + for this to work. - Related Bug: http://curl.haxx.se/mail/lib-2012-03/0114.html - Reported-by: Gokhan Sengun + Closes #2024 -- pop3: Added support for enabling the SASL initial response +- curl_share_setopt.3: document CURL_LOCK_DATA_CONNECT - Allowed the user to specify whether to send the client's intial response - in the AUTH command via CURLOPT_SASL_IR. 
+ Closes #2043 + +- examples: add shared-connection-cache + +- test1554: verify connection cache sharing -- sasl-ir: Added --sasl-ir option to curl command line tool +- share: add support for sharing the connection cache -- sasl-ir: Added CURLOPT_SASL_IR to enable/disable the SASL initial response +- imap: deal with commands case insensitively + + As documented in RFC 3501 section 9: + https://tools.ietf.org/html/rfc3501#section-9 + + Closes #2061 -Daniel Stenberg (26 Apr 2013) -- curl_easy_init: use less mallocs +- connect: store IPv6 connection status after valid connection - By introducing an internal alternative to curl_multi_init() that accepts - parameters to set the hash sizes, easy handles will now use tiny socket - and connection hash tables since it will only ever add a single easy - handle to that multi handle. + ... previously it would store it already in the happy eyeballs stage + which could lead to the IPv6 bit being set for an IPv4 connection, + leading to curl not wanting to do EPSV=>PASV for FTP transfers. - This decreased the number mallocs in test 40 (which is a rather simple - and typical easy interface use case) from 1142 to 138. The maximum - amount of memory allocated used went down from 118969 to 78805. + Closes #2053 -Steve Holme (26 Apr 2013) -- ftpserver.pl: Fixed imap logout confirmation data +- curl_multi_fdset.3: emphasize curl_multi_timeout - An IMAP server should response with the BYE continuation response before - confirming the LOGOUT command was successful. + ... even when there's no socket to wait for, the timeout can still be + very short. -Daniel Stenberg (26 Apr 2013) -- ftp_state_pasv_resp: connect through proxy also when set by env +Jay Satiro (9 Nov 2017) +- content_encoding: fix inflate_stream for no bytes available - When connecting back to an FTP server after having sent PASV/EPSV, - libcurl sometimes didn't use the proxy properly even though the proxy - was used for the initial connect. 
+ - Don't call zlib's inflate() when avail_in stream bytes is 0. - The function wrongly checked for the CURLOPT_PROXY variable to be set, - which made it act wrongly if the proxy information was set with an - environment variable. + This is a follow up to the parent commit 19e66e5. Prior to that change + libcurl's inflate_stream could call zlib's inflate even when no bytes + were available, causing inflate to return Z_BUF_ERROR, and then + inflate_stream would treat that as a hard error and return + CURLE_BAD_CONTENT_ENCODING. - Added test case 711 to verify (based on 707 which uses --socks5). Also - added test712 to verify another variation of setting the proxy: with - --proxy socks5:// + According to the zlib FAQ, Z_BUF_ERROR is not fatal. - Bug: http://curl.haxx.se/bug/view.cgi?id=1218 - Reported-by: Zekun Ni - -Kamil Dudka (26 Apr 2013) -- [Zdenek Pavlas brought this change] - - url: initialize speed-check data for file:// protocol + This bug would happen randomly since packet sizes are arbitrary. A test + of 10,000 transfers had 55 fail (ie 0.55%). - ... in order to prevent an artificial timeout event based on stale - speed-check data from a previous network transfer. This commit fixes - a regression caused by 9dd85bced56f6951107f69e581c872c1e7e3e58e. + Ref: https://zlib.net/zlib_faq.html#faq05 - Bug: https://bugzilla.redhat.com/906031 + Closes https://github.com/curl/curl/pull/2060 -Daniel Stenberg (25 Apr 2013) -- test709: clarify the test in the name +Patrick Monnerat (7 Nov 2017) +- content_encoding: do not write 0 length data -- sshserver: disable StrictHostKeyChecking +Daniel Stenberg (6 Nov 2017) +- fnmatch: remove dead code - I couldn't figure out why the host key logic isn't working, but having - it set to yes prevents my SSH-based test cases to run. I also don't see - a strong need to use strict host key checking on this test server. + There was a duplicate check for backslashes in the setcharset() + function. - So I disabled it. 
+ Coverity CID 1420611 -- runtests: log more commands in verbose mode +- url: remove unncessary NULL-check + + Since 'conn' won't be NULL in there and we also access the pointer in + there without the check. - ... to aid tracking down failures + Coverity CID 1420610 -Steve Holme (25 Apr 2013) -- TODO: Corrected copy/paste typo +Viktor Szakats (6 Nov 2017) +- src/Makefile.m32: fix typo in brotli lib customization + + Ref cc1f4436099decb9d1a7034b2bb773a9f8379d31 -- TODO: Added new ideas for future SMTP, POP3 and IMAP features +- Makefile.m32: allow to customize brotli libs + + It adds the ability to link against static brotli libs. + + Also fix brotli include path. -- TODO: Updated following the addition of ;auth=<MECH> support +Patrick Monnerat (5 Nov 2017) +- travis: add a job with brotli enabled -- DOCS: Minor rewording / clarification of host name protocol detection +- [Viktor Szakats brought this change] -- RELEASE-NOTES: synced with a8c92cb60890 + Makefile.m32: add brotli support -- DOCS: Added reference to IETF draft for SMTP URL Interface +- HTTP: implement Brotli content encoding - ...when mentioning login options. Additional minor clarification of - "Windows builds" to be "Windows builds with SSPI"as a way of enabling - NTLM as Windows builds may be built with OpenSSL to enable NTLM or - without NTLM support altogether. - -Linus Nielsen Feltzing (23 Apr 2013) -- HISTORY: Fix spelling error. + This uses the brotli external library (https://github.com/google/brotli). + Brotli becomes a feature: additional curl_version_info() bit and + structure fields are provided for it and CURLVERSION_NOW bumped. + + Tests 314 and 315 check Brotli content unencoding with correct and + erroneous data. + + Some tests are updated to accomodate with the now configuration dependent + parameters of the Accept-Encoding header. 
-Steve Holme (23 Apr 2013) -- DOCS: Reworked the scheme calculation explanation under CURLOPT_URL +- HTTP: support multiple Content-Encodings + + This is implemented as an output streaming stack of unencoders, the last + calling the client write procedure. + + New test 230 checks this feature. + + Bug: https://github.com/curl/curl/pull/2002 + Reported-By: Daniel Bankhead -- url: Added smtp and pop3 hostnames to the protocol detection list +Jay Satiro (4 Nov 2017) +- url: remove arg value check from CURLOPT_SSH_AUTH_TYPES + + Since CURLSSH_AUTH_ANY (aka CURLSSH_AUTH_DEFAULT) is ~0 an arg value + check on this option is incorrect; we have to accept any value. + + Prior to this change since f121575 (7.56.1+) CURLOPT_SSH_AUTH_TYPES + erroneously rejected CURLSSH_AUTH_ANY with CURLE_BAD_FUNCTION_ARGUMENT. + + Bug: https://github.com/curl/curl/commit/f121575#commitcomment-25347120 -Daniel Stenberg (23 Apr 2013) -- HISTORY: correct some years/dates +Daniel Stenberg (4 Nov 2017) +- ntlm: avoid malloc(0) for zero length passwords + + It triggers an assert() when built with memdebug since malloc(0) may + return NULL *or* a valid pointer. - Thanks to archive.org's wayback machine I updated this document with - some facts from the early httpget/urlget web page: + Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054 - http://web.archive.org/web/19980216125115/http://www.inf.ufrgs.br/~sagula/urlget.html + Assisted-by: Max Dymond + Closes #2054 -- [Alessandro Ghedini brought this change] +- RELEASE-NOTES: synced with ee8016b3d - tests: add test1511 to check timecond clean-up +- curl: speed up handling of many URLs - Verifies the timecond fix in commit c49ed0b6c0f - -- [Alessandro Ghedini brought this change] + By properly keeping track of the last entry in the list of URLs/uploads + to handle, curl now avoids many meaningless traverses of the list which + speeds up many-URL handling *MASSIVELY* (several magnitudes on 100K + URLs). 
+ + Added test 1291, to verify that it doesn't take ages - but we don't have + any detection of "too slow" command in the test suite. + + Reported-by: arainchik on github + Fixes #1959 + Closes #2052 - getinfo.c: reset timecond when clearing session-info variables +- curl: pass through [] in URLs instead of calling globbing error - Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705783 - Reported-by: Ludovico Cavedon <cavedon@debian.org> + Assisted-by: Per Lundberg + Fixes #2044 + Closes #2046 + Closes #2048 -Steve Holme (22 Apr 2013) -- DOCS: Added information about login options to CURLOPT_USERPWD +- CURLOPT_INFILESIZE: accept -1 + + Regression since f121575 + + Reported-by: Petr Voytsik + Fixes #2047 -- DOCS: Added information about login options in the URL +Jay Satiro (2 Nov 2017) +- url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1 + + Prior to this change since f121575 (7.56.1+) CURLOPT_DNS_CACHE_TIMEOUT + erroneously rejected -1 with CURLE_BAD_FUNCTION_ARGUMENT. -- url: Fixed missing length check in parse_proxy() +Dan Fandrich (1 Nov 2017) +- http2: Fixed OOM handling in upgrade request - Commit 11332577b3cb removed the length check that was performed by the - old scanf() code. + This caused the torture tests on test 1800 to fail. -- url: Fixed crash when no username or password supplied for proxy +- tests: Fixed torture tests on tests 556 and 650 - Fixed an issue in parse_proxy(), introduced in commit 11332577b3cb, - where an empty username or password (For example: http://:@example.com) - would cause a crash. + Test cleanup after OOM wasn't being consistently performed. -- url: Removed unused text length constants +Daniel Stenberg (1 Nov 2017) +- CURLOPT_MAXREDIRS: allow -1 as a value + + ... which is valid according to documentation. Regression since + f121575c0b5f. + + Verified now in test 501. 
+ + Reported-by: cbartl on github + Fixes #2038 + Closes #2039 -- url: Updated proxy URL parsing to use parse_login_details() +- include: remove conncache.h inclusion from where its not needed -- url: Tidy up of setstropt_userpwd() parameters +Jay Satiro (1 Nov 2017) +- url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1 - Updated the naming convention of the login parameters to match those of - other functions. - -- url: Tidy up of code and comments following recent changes + .. also add same arg value check to CURLOPT_POSTFIELDSIZE_LARGE. - Tidy up of variable names and comments in setstropt_userpwd() and - parse_login_details(). - -- url: Simplified setstropt_userpwd() following recent changes + Prior to this change since f121575 (7.56.1+) CURLOPT_POSTFIELDSIZE + erroneously rejected -1 value with CURLE_BAD_FUNCTION_ARGUMENT. - There is no need to perform separate clearing of data if a NULL option - pointer is passed in. Instead this operation can be performed by simply - not calling parse_login_details() and letting the rest of the code do - the work. + Bug: https://curl.haxx.se/mail/lib-2017-11/0000.html + Reported-by: Andrew Lambert -- url: Correction to scope of if statements when setting data - -- url: Fixed memory leak in setstropt_userpwd() +Daniel Stenberg (31 Oct 2017) +- cookie: avoid NULL dereference + + ... when expiring old cookies. - setstropt_userpwd() was calling setstropt() in commit fddb7b44a79d to - set each of the login details which would duplicate the strings and - subsequently cause a memory leak. + Reported-by: Pavel Gushchin + Fixes #2032 + Closes #2035 -- RELEASE-NOTES: synced with d535c4a2e1f7 +Marcel Raad (30 Oct 2017) +- memdebug: use send/recv signature for curl_dosend/curl_dorecv + + This avoids build errors and warnings caused by implicit casts. 
+ + Closes https://github.com/curl/curl/pull/2031 -- url: Added overriding of URL login options from CURLOPT_USERPWD +Daniel Stenberg (30 Oct 2017) +- [Juro Bystricky brought this change] -- tool_paramhlp: Fixed options being included in username + mkhelp.pl: support reproducible build - Fix to prevent the options from being displayed when curl requests the - user's password if the following command line is specified: + Do not generate line with the current date, such as: - --user username;options - -- url: Added support for parsing login options from the CURLOPT_USERPWD + * Generation time: Tue Oct-24 18:01:41 2017 + + This will improve reproducibility. The generated string is only + part of a comment, so there should be no adverse consequences. + + 
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com> - In addition to parsing the optional login options from the URL, added - support for parsing them from CURLOPT_USERPWD, to allow the following - supported command line: + closes #2026 + +Dan Fandrich (30 Oct 2017) +- runtests.pl: Fixed typo in message + +Daniel Stenberg (30 Oct 2017) +- curlx: the timeval functions are no longer provided as curlx_* - --user username:password;options + Pointed-out-by: Dmitri Tikhonov + Bug: #2034 -- url: Added bounds checking to parse_login_details() +- select: update comments - Added bounds checking when searching for the separator characters within - the login string as this string may not be NULL terminated (For example - it is the login part of a URL). We do this in preference to allocating a - new string to copy the login details into which could then be passed to - parse_login_details() for performance reasons. + s/curlx_tvnow/Curl_now -- url: Added size_t cast to pointer based length calculations +- INTERNALS: remove curlx_tv* functions no longer provided -- url: Corrected minor typo in comment +- [Dmitri Tikhonov brought this change] -Daniel Stenberg (18 Apr 2013) -- CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling + timeval: use mach time on MacOS - When cross-compiling we can't scan and detect existing files or paths. + If clock_gettime() is not supported, use mach_absolute_time() on MacOS. - Bug: http://curl.haxx.se/mail/lib-2013-04/0294.html + closes #2033 -- [Ishan SinghLevett brought this change] +Patrick Monnerat (29 Oct 2017) +- cli tool: improve ";type=" handling in -F option arguments - usercertinmem.c: add example showing user cert in memory +- cli tool: in -F option arg, comma is a delimiter for files only - Relies on CURLOPT_SSL_CTX_FUNCTION, which is OpenSSL specific - -Steve Holme (18 Apr 2013) -- url: Fix chksrc longer than 79 columns warning + Also upgrade test 1133 to cover this case and clarify man page about + form data quoting. 
+ + Bug: https://github.com/curl/curl/issues/2022 + Reported-By: omau on github -- url: Fix incorrect variable type for result code +Daniel Stenberg (29 Oct 2017) +- timeleft: made two more users of Curl_timeleft use timediff_t -- url: Fix compiler warning +Jakub Zakrzewski (28 Oct 2017) +- cmake: Export libcurl and curl targets to use by other cmake projects - signed and unsigned type in conditional expression - -- url: Moved parsing of login details out of parse_url_login() + The config files define curl and libcurl targets as imported targets + CURL::curl and CURL::libcurl. For backward compatibility with CMake- + provided find-module the CURL_INCLUDE_DIRS and CURL_LIBRARIES are + also set. - Separated the parsing of login details from the processing of them in - parse_url_login() ready for use by setstropt_userpwd(). + Closes #1879 -- url: Re-factored set_userpass() and parse_url_userpass() - - Re-factored these functions to reflect their new behaviour following the - addition of login options. +Daniel Stenberg (28 Oct 2017) +- RELEASE-NOTES: synced with f20cbac97 -- url: Reworked URL parsing to allow overriding by CURLOPT_USERPWD +- [Florin Petriuc brought this change] -Daniel Stenberg (18 Apr 2013) -- maketgz: make bzip2 creation work with Parallel BZIP2 too + auth: Added test cases for RFC7616 - Apparently the previous usage didn't work with that implementation, - while this updated version works with at least both Parallel BZIP2 - v1.1.8 and regular bzip "Version 1.0.6, 6-Sept-2010". + Updated docs to include support for RFC7616 + + 
Signed-off-by: Florin <petriuc.florin@gmail.com> + + Closes #1934 -Linus Nielsen Feltzing (18 Apr 2013) -- Add tests/http_pipe.py to the tarball build +- [Florin Petriuc brought this change] -Steve Holme (16 Apr 2013) -- smtp: Re-factored all perform based functions + auth: add support for RFC7616 - HTTP Digest access authentication - Standardised the naming of all perform based functions to be in the form - smtp_perform_something(). + 
Signed-off-by: Florin <petriuc.florin@gmail.com> -- smtp: Added description comments to all perform based functions +- [Daniel Bankhead brought this change] -- smtp: Moved smtp_quit() to be with the other perform functions + TODO: support multiple Content-Encodings + + Closes #2002 -- smtp: Moved smtp_rcpt_to() to be with the other perform functions +- ROADMAP: cleanup + + Removed done stuff. Removed entries no longer considered for the near + term. -- smtp: Moved smtp_mail() to be with the other perform functions +- [Magicansk brought this change] -Daniel Stenberg (16 Apr 2013) -- [Wouter Van Rooy brought this change] + ROADMAP.md: spelling fixes + + Closes #2028 - curl-config: don't output static libs when they are disabled +- Curl_timeleft: change return type to timediff_t - Curl-config outputs static libraries even when they are disabled in - configure. + returning 'time_t' is problematic when that type is unsigned and we + return values less than zero to signal "already expired", used in + several places in the code. - This causes problems with the build of pycurl. + Closes #2021 -- [Dave Reisner brought this change] +- appveyor: add a win32 build - docs/libcurl: fix formatting in manpage +- setopt: fix CURLOPT_SSH_AUTH_TYPES option read - Commit c3ea3eb6 introduced some minor cosmetic errors in - curl_mutli_socket_action(3). - -- [Paul Howarth brought this change] + Regression since f121575c0b5f + + Reported-by: Rob Cotrone - Add extra libs for lib1900 and lib2033 test programs +Marcel Raad (27 Oct 2017) +- resolvers: only include anything if needed + + This avoids warnings about unused stuff. - These are needed in cases where clock_gettime is used, from librt. + Closes https://github.com/curl/curl/pull/2023 -Dan Fandrich (15 Apr 2013) -- FAQ: mention that the network connection can be monitored +Daniel Stenberg (27 Oct 2017) +- HELP-US: rename the subtitle too since the label is changed - Also note the prohibition on sharing handles across threads. 
+ "PR-welcome" was the former name. -Steve Holme (15 Apr 2013) -- pop3: Added missing comment for pop3_state_apop_resp() +- curl_setup.h: oops, shorten the too long line -- smtp: Updated the coding style of smtp_state_servergreet_resp() +- [Martin Storsjo brought this change] + + curl_setup: Improve detection of CURL_WINDOWS_APP + + If WINAPI_FAMILY is defined, it should be safe to try to include + winapifamily.h to check what the define evaluates to. - Updated the coding style, in this function, to be consistant with other - response functions rather then performing a hard return on failure. + This should fix detection of CURL_WINDOWS_APP if building with + _WIN32_WINNT set to 0x0600. + + Closes #2025 -- pop3: Updated the coding style of pop3_state_servergreet_resp() +Jay Satiro (26 Oct 2017) +- transfer: Fix chunked-encoding upload bug + + - When uploading via chunked-encoding don't compare file size to bytes + sent to determine whether the upload has finished. - Updated the coding style, in this function, to be consistent with other - response functions rather then performing a hard return on failure. + Chunked-encoding adds its own overhead which why the bytes sent is not + equal to the file size. Prior to this change if a file was uploaded in + chunked-encoding and its size was known it was possible that the upload + could end prematurely without sending the final few chunks. That would + result in a server hang waiting for the remaining data, likely followed + by a disconnect. + + The scope of this bug is limited to some arbitrary file sizes which have + not been determined. One size that triggers the bug is 475020. + + Bug: https://github.com/curl/curl/issues/2001 + Reported-by: moohoorama@users.noreply.github.com + + Closes https://github.com/curl/curl/pull/2010 -- pop3: Re-factored all perform based functions +Daniel Stenberg (26 Oct 2017) +- timeval: make timediff_t also work on 32bit windows + + ... 
by using curl_off_t for the typedef if time_t is larger than 4 + bytes. - Standardised the naming of all perform based functions to be in the form - pop3_perform_something() following the changes made to IMAP. + Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/b9d25f9a6b3ca791385b80a6a3c3fa5ae113e1e0#co + mmitcomment-25205058 + Closes #2019 -- pop3: Added description comments to all perform based functions +- curl_fnmatch: return error on illegal wildcard pattern + + ... instead of doing an infinite loop! + + Added test 1162 to verify. + + Reported-by: Max Dymond + Fixes #2015 + Closes #2017 -- pop3: Moved pop3_quit() to be with the other perform functions +- [Max Dymond brought this change] -- pop3: Moved pop3_command() to be with the other perform functions + wildcards: don't use with non-supported protocols - Started to apply the same tidy up to the POP3 code as applied to the - IMAP code in the 7.30.0 release. - -- RELEASE-NOTES: Removed erroneous spaces + Fixes timeouts in the fuzzing tests for non-FTP protocols. + + Closes #2016 -- RELEASE-NOTES: synced with 8723cade21fb +- [Max Dymond brought this change] -- smtp: Added support for ;auth=<mech> in the URL + multi: allow table handle sizes to be overridden - Added support for specifying the preferred authentication mechanism in - the URL as per Internet-Draft 'draft-earhart-url-smtp-00'. + Allow users to specify their own hash define for + CURL_CONNECTION_HASH_SIZE so that both values can be overridden. + + Closes #1982 -- pop3: Reworked authentication type constants +- time: rename Curl_tvnow to Curl_now + + ... since the 'tv' stood for timeval and this function does not return a + timeval struct anymore. - ... to use left-shifted values, like those defined in curl.h, rather - than 16-bit hexadecimal values. + Also, cleaned up the Curl_timediff*() functions to avoid typecasts and + clean up the descriptive comments. 
+ + Closes #2011 -- pop3: Small consistency tidy up +- ftplistparser: follow-up cleanup to remove PL_ERROR() -- pop3: Added support for ;auth=<mech> in the URL - - Added support for specifying the preferred authentication type and SASL - mechanism in the URL as per RFC-2384. +- [Max Dymond brought this change] -- imap: Added support for ;auth=<mech> in the URL + ftplistparser: free off temporary memory always - Added support for specifying the preferred authentication mechanism in - the URL as per RFC-5092. - -- sasl: Reworked SASL mechanism constants + When using the FTP list parser, ensure that the memory that's + allocated is always freed. - ... to use left-shifted values, like those defined in curl.h, rather - than 16-bit hexadecimal values. + Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3682 + Closes #2013 -- sasl: Added predefined preferred mechanism values +- timediff: return timediff_t from the time diff functions - In preparation for the upcoming changes to IMAP, POP3 and SMTP added - preferred mechanism values. - -- url: Added support for parsing login options from the URL + ... to cater for systems with unsigned time_t variables. - As well as parsing the username and password from the URL, added support - for parsing the optional options part from the login details, to allow - the following supported URL format: + - Renamed the functions to curlx_timediff and Curl_timediff_us. - schema://username:password;options@example.com/path?q=foobar + - Added overflow protection for both of them in either direction for + both 32 bit and 64 bit time_ts - This will only be used by IMAP, POP3 and SMTP at present but any - protocol that may be given login options in the URL will be able to - add support for them. - -- smtp: Fix compiler warning + - Reprefixed the curlx_time functions to use Curl_* - warning: unused variable 'smtp' introduced in commit 73cbd21b5ee6. 
+ Reported-by: Peter Piekarski + Fixes #2004 + Closes #2005 -- smtp: Moved parsing of url path into separate function +- [Paul Howarth brought this change] -Daniel Stenberg (12 Apr 2013) -- FTP: handle a 230 welcome response + libtest: Add required test libraries for lib1552 and lib1553 - ...instead of the 220 we otherwise expect. + They use $(TESTUTIL) and thus should use $(TESTUTIL_LIBS) too. - Made the ftpserver.pl support sending a custom "welcome" and then - created test 1219 to verify this fix with such a 230 welcome. + This fixes build failures on Fedora 13. - Bug: http://curl.haxx.se/mail/lib-2013-02/0102.html - Reported by: Anders Havn + Closes #2006 -- configure: try pthread_create without -lpthread - - For libc variants without a spearate pthread lib (like bionic), try - using pthreads without the pthreads lib first and only if that fails try - the -lpthread linker flag. +- [Alessandro Ghedini brought this change] + + libcurl-tutorial.3: fix typo - Bug: http://curl.haxx.se/bug/view.cgi?id=1216 - Reported by: Duncan + closes #2008 + +Alessandro Ghedini (23 Oct 2017) +- curl_mime_filedata.3: fix typos + +Daniel Stenberg (23 Oct 2017) +- RELEASE-NOTES: clean slate towards 7.57.0 -- FTP: access files in root dir correctly +- [Max Dymond brought this change] + + travis: exit if any steps fail - Accessing a file with an absolute path in the root dir but with no - directory specified was not handled correctly. This fix comes with four - new test cases that verify it. + We don't expect any steps to fail in travis. Exit the script if they do. 
- Bug: http://curl.haxx.se/mail/lib-2013-04/0142.html - Reported by: Sam Deane + Closes #1966 + +Version 7.56.1 (23 Oct 2017) -Steve Holme (12 Apr 2013) -- pop3: Reworked the function description for Curl_pop3_write() +Daniel Stenberg (23 Oct 2017) +- RELEASE-NOTES: 7.56.1 -- pop3: Added function description to pop3_parse_custom_request() +- THANKS: update at 7.56.1 release time -- pop3: Moved utility functions to end of pop3.c +- [Jon DeVree brought this change] -Nick Zitzmann (12 Apr 2013) -- darwinssl: add TLS session resumption + mk-ca-bundle: Remove URL for aurora - This ought to speed up additional TLS handshakes, at least in theory. + Aurora is no longer used by Mozilla + https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/ -Steve Holme (12 Apr 2013) -- imap: Added function description to imap_parse_custom_request() +- [Jon DeVree brought this change] -- imap: Moved utility functions to end of imap.c (Part 3/3) + mk-ca-bundle: Fix URL for NSS + + The 'tip' is the most recent branch committed to, this should be + 'default' like the URLs for the browser are. - Moved imap_is_bchar() be with the other utility based functions. + Closes #1998 -- imap: Moved utility functions to end of imap.c (Part 2/3) +- imap: if a FETCH response has no size, don't call write callback - Moved imap_parse_url_path() and imap_parse_custom_request() to the end of the - file allowing all utility functions to be grouped together. + CVE-2017-1000257 + + Reported-by: Brian Carpenter and 0xd34db347 + Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586 -- imap: Moved utility functions to end of imap.c (Part 1/3) +- ftp: reject illegal IP/port in PASV 227 response + + ... by using range checks. Among other things, this avoids an undefined + behavior for a left shift that could happen on negative or very large + values. - Moved imap_atom() and imap_sendf() to the end of the file allowing all - utility functions to be grouped together. 
+ Closes #1997 + + Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694 -- imap: Corrected function description for imap_connect() +Patrick Monnerat (20 Oct 2017) +- test653: check reuse of easy handle after mime data change + + See issue #1999 -Kamil Dudka (12 Apr 2013) -- tests: prevent test206, test1060, and test1061 from failing +- mime: do not reuse previously computed multipart size - ... in case runtests.pl is invoked with non-default -b option + The contents might have changed: size must be recomputed. + + Reported-by: moteus on github + Fixes #1999 + +- test308: disable if MultiSSL feature enabled - Fixes a regression caused by 1e29d275c643ef6aab7948f0f55a7a9397e56b42. + Even if OpenSSL is enabled, it might not be the default backend when + multi-ssl is enabled, causing the test to fail. -Daniel Stenberg (12 Apr 2013) -- [David Strauss brought this change] +- runtests: support MultiSSL client feature - libcurl-share.3: update what it does and does not share. +- vtls: change struct Curl_ssl `close' field name to `close_one'. - Update sharing interface documentation to provide exhaustive list of - what it does and does not share. + On OS/400, `close' is an ASCII system macro that corrupts the code if + not used in a context not targetting the close() system API. -- THANKS: remove duplicated names +- os400: add missing symbols in config file. + + Also adjust makefile to renamed files and warn about installation dirs mix-up. 
-- bump: start working towards next release +- test652: curl_mime_data + base64 encoder with large contents -- THANKS: added people from the 7.30.0 RELEASE-NOTES +- mime: limit bas64-encoded lines length to 76 characters -Version 7.30.0 (12 Apr 2013) +Daniel Stenberg (16 Oct 2017) +- RELEASE-NOTES: synced with f121575c0 -Daniel Stenberg (12 Apr 2013) -- RELEASE-NOTES: cleaned up for 7.30 (synced with 5c5e1a1cd20) +- setopt: range check most long options - Most notable the security advisory: - http://curl.haxx.se/docs/adv_20130412.html + ... filter early instead of risking "funny values" having to be dealt + with elsewhere. -- test1218: another cookie tailmatch test +- setopt: avoid integer overflows when setting millsecond values - ... and make 1216 also verify it with a file input + ... that are multiplied by 1000 when stored. - These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie - domain tailmatch" vulnerability. See - http://curl.haxx.se/docs/adv_20130412.html - -- [YAMADA Yasuharu brought this change] + For 32 bit long systems, the max value accepted (2147483 seconds) is > + 596 hours which is unlikely to ever be set by a legitimate application - + and previously it didn't work either, it just caused undefined behavior. + + Also updated the man pages for these timeout options to mention the + return code. + + Closes #1938 - cookie: fix tailmatching to prevent cross-domain leakage +Viktor Szakats (15 Oct 2017) +- makefile.m32: allow to override gcc, ar and ranlib - Cookies set for 'example.com' could accidentaly also be sent by libcurl - to the 'bexample.com' (ie with a prefix to the first domain name). + Allow to ovverride certain build tools, making it possible to + use LLVM/Clang to build curl. The default behavior is unchanged. + To build with clang (as offered by MSYS2), these settings can + be used: - This is a security vulnerabilty, CVE-2013-1944. 
+ CURL_CC=clang + CURL_AR=llvm-ar + CURL_RANLIB=llvm-ranlib - Bug: http://curl.haxx.se/docs/adv_20130412.html + Closes https://github.com/curl/curl/pull/1993 -Guenter Knauf (11 Apr 2013) -- Enabled MinGW sync resolver builds. +- ldap: silence clang warning + + Use memset() to initialize a structure to avoid LLVM/Clang warning: + ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers] + + Closes https://github.com/curl/curl/pull/1992 -Yang Tse (10 Apr 2013) -- if2ip.c: fix compiler warning +Daniel Stenberg (14 Oct 2017) +- runtests: use valgrind for torture as well + + NOTE: it makes them terribly slow. I recommend only using valgrind for + specific torture tests or using lots of patience. -Guenter Knauf (10 Apr 2013) -- Fixed lost OpenSSL output with "-t" - followup. +- memdebug: trace send, recv and socket + + ... to allow them to be included in torture tests too. - The previously applied patch didnt work on Windows; we cant rely - on shell commands like 'echo' since they act diffently on each - platform and each shell. - In order to keep this script platform-independent the code must - only use pure Perl. + closes #1980 -Daniel Stenberg (9 Apr 2013) -- test1217: verify parsing 257 responses with "rubbish" before path +- configure: remove the C++ compiler check - Test 1217 verifies commit e0fb2d86c9f78, and without that change this - test fails. + ... we used it only for the fuzzer, which we now have in a separate git + repo. + + Closes #1990 + +Patrick Monnerat (13 Oct 2017) +- mime: do not call failf() if easy handle is NULL. 
-- [Bill Middlecamp brought this change] +Daniel Stenberg (13 Oct 2017) +- test651: curl_formadd with huge COPYCONTENTS - FTP: handle "rubbish" in front of directory name in 257 responses +- mime: fix the content reader to handle >16K data properly - When doing PWD, there's a 257 response which apparently some servers - prefix with a comment before the path instead of after it as is - otherwise the norm. + Reported-by: Jeroen Ooms + Closes #1988 + +Patrick Monnerat (12 Oct 2017) +- mime: keep "text/plain" content type if user-specified. - Failing to parse this, several otherwise legitimate use cases break. + Include test cases in 554, 587, 650. - Bug: http://curl.haxx.se/mail/lib-2013-04/0113.html + Fixes https://github.com/curl/curl/issues/1986 -Guenter Knauf (9 Apr 2013) -- Fixed ares-enabled builds with static makefiles. - -- Fixed lost OpenSSL output with "-t". +- cli tool: use file2memory() to buffer stdin in -F option. - The OpenSSL pipe wrote to the final CA bundle file, but the encoded PEM - output wrote to a temporary file. Consequently, the OpenSSL output was - lost when the temp file was renamed to the final file at script finish - (overwriting the final file written earlier by openssl). - Patch posted to the list by Richard Michael (rmichael edgeofthenet org). + Closes PR https://github.com/curl/curl/pull/1985 -Daniel Stenberg (9 Apr 2013) -- test1216: test tailmatching cookie domains +- cli tool: reimplement stdin buffering in -F option. - This test is an attempt to repeat the problem YAMADA Yasuharu reported - at http://curl.haxx.se/mail/lib-2013-04/0108.html - -- RELEASe-NOTES: synced with 29fdb2700f797 + If stdin is not a regular file, its content is memory-buffered to enable + a possible data "rewind". + In all cases, stdin data size is determined before real use to avoid + having an unknown part's size. - added "tcpkeepalive on Mac OS X" + --libcurl generated code is left as an unbuffered stdin fread/fseek callback + part with unknown data size. 
+ + Buffering is not supported in deprecated curl_formadd() API. + +Daniel Stenberg (12 Oct 2017) +- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2 -Nick Zitzmann (8 Apr 2013) -- darwinssl: disable insecure ciphers by default +- HELP-US: the label "PR-welcome" is now renamed to "help wanted" - I noticed that aria2's SecureTransport code disables insecure ciphers such - as NULL, anonymous, IDEA, and weak-key ciphers used by SSLv3 and later. - That's a good idea, and now we do the same thing in order to prevent curl - from accessing a "secure" site that only negotiates insecure ciphersuites. + following the new github "standard" -Daniel Stenberg (8 Apr 2013) -- [Robert Wruck brought this change] +- RELEASE-NOTES: synced with 5505df7d2 - tcpkeepalive: Support CURLOPT_TCP_KEEPIDLE on OSX +Jay Satiro (11 Oct 2017) +- [Artak Galoyan brought this change] + + url: Update current connection SSL verify params in setopt + + Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active + connection updates the current connection's (i.e.'connectdata' + structure) appropriate ssl_config (and ssl_proxy_config) structures + variables, making these options effective for ongoing connection. - MacOS X doesn't have TCP_KEEPIDLE/TCP_KEEPINTVL but only a single - TCP_KEEPALIVE (see - http://developer.apple.com/library/mac/#DOCUMENTATION/Darwin/Reference/ManPages/man4/tcp.4.html). - Here is a patch for CURLOPT_TCP_KEEPIDLE on OSX platforms. + This functionality was available before and was broken by the + following change: + "proxy: Support HTTPS proxy and SOCKS+HTTP(s)" + CommitId: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151. + + Bug: https://github.com/curl/curl/issues/1941 + + Closes https://github.com/curl/curl/pull/1951 + +Daniel Stenberg (11 Oct 2017) +- [David Benjamin brought this change] -- configure: remove CURL_CHECK_FUNC_RECVFROM + openssl: don't use old BORINGSSL_YYYYMM macros - 1 - We don't use the results from the test and we never did. 
recvfrom() - is only used by the TFTP code and it has not caused any problems. + Those were temporary things we'd add and remove for our own convenience + long ago. The last few stayed around for too long as an oversight but + have since been removed. These days we have a running + BORINGSSL_API_VERSION counter which is bumped when we find it + convenient, but 2015-11-19 was quite some time ago, so just check + OPENSSL_IS_BORINGSSL. - 2 - the CURL_CHECK_FUNC_RECVFROM function is extremely slow + Closes #1979 -Steve Holme (8 Apr 2013) -- RELEASE-NOTES: Corrected duplicate NTLM memory leaks +- test950; verify SMTP with custom request -- RELEASE-NOTES: Removed trailing full stop +- ftpserver: support case insensitive commands -Daniel Stenberg (8 Apr 2013) -- [Fabian Keil brought this change] +- smtp_done: free data before returning (on send failure) + + ... as otherwise it could leak that memory. + + Detected by OSS-fuzz: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600 + + Assisted-by: Max Dymond + Closes #1977 - proxy: make ConnectionExists() check credential of proxyconnections too +- FTP: URL decode path for dir listing in nocwd mode - Previously it only compared credentials if the requested needle - connection wasn't using a proxy. This caused NTLM authentication - failures when using proxies as the authentication code wasn't send on - the connection where the challenge arrived. 
+ Reported-by: Zenju on github - Added test 1215 to verify: NTLM server authentication through a proxy - (This is a modified copy of test 67) + Test 244 added to verify + Fixes #1974 + Closes #1976 -- RELEASE-NOTES: sync with 704a5dfca9 +- test298: verify --ftp-method nowcwd with URL encoded path + + Ref: #1974 -- TODO-RELEASE: cleaned up, not really maintained lately +- CURLOPT_XFERINFODATA.3: fix duplicate see also -Marc Hoersken (7 Apr 2013) -- if2ip.c: Fixed another warning: unused parameter 'remote_scope' +- CURLOPT_NOPROGRESS.3: also refer to xferinfofunction -Daniel Stenberg (7 Apr 2013) -- [Marc Hoersken brought this change] +- FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION - cookie.c: Made cookie sort function more deterministic +- openssl: enable PKCS12 support for !BoringSSL - Since qsort implementations vary with regards to handling the order - of similiar elements, this change makes the internal sort function - more deterministic by comparing path length first, then domain length - and finally the cookie name. Spotted with testcase 62 on Windows. + Enable PKCS12 for all non-boringssl builds without relying on configure + or cmake checks. + + Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html + Reported-by: Christian Schmitz + Closes #1948 -Marc Hoersken (7 Apr 2013) -- curl_schannel.c: Follow up on memory leak fix ae4558d +- [Kristiyan Tsaklev brought this change] -- Revert "getpart.pm: Strip carriage returns to fix Windows support" + curl: don't pass semicolons when parsing Content-Disposition + + Test 1422 updated to verify. - This reverts commit e51b23c925a2721cf7c29b2b376d3d8903cfb067. - As discussed on the mailinglist, this was not the correct approach. + Closes #1964 -- http_negotiate.c: Fixed passing argument from incompatible pointer type +Patrick Monnerat (9 Oct 2017) +- mime: properly unbind mime structure in curl_mime_free(). + + This allows freeing a mime structure bound to the easy handle before + curl_easy_cleanup(). 
+ + Fixes #1970. -- ftp.c: Added missing brackets around ABOR command logic +Daniel Stenberg (9 Oct 2017) +- RTSP: avoid integer overflow on funny RTSP response + + ... like a very large non-existing RTSP version number. + + Added test 577 to verify. + + Detected by OSS-fuzz. + Closes #1969 -- sockfilt.c: Fixed detection of client-side connection close +Patrick Monnerat (8 Oct 2017) +- ftpserver: properly reset $ftptargetdir. + +- test643: verify curl_mime_subparts() rejects cyclic additions. + +- mime: refuse to add subparts to one of their own descendants. - WINSOCK only: - Since FD_CLOSE is only signaled once, it may trigger at the same - time as FD_READ. Data actually being available makes it impossible - to detect that the connection was closed by checking that recv returns - zero. Another recv attempt could block the connection if it was - not closed. This workaround abuses exceptfds in conjunction with - readfds to signal that the connection has actually closed. + Reported-by: Alexey Melnichuk + Fixes #1962 -- curl_schannel.c: Fixed memory leak if connection was not successful +- mime: avoid resetting a part's encoder when part's contents change. -- if2ip.c: Fixed warning: unused parameter 'remote_scope' +- mime: improve unbinding top multipart from easy handle. + + Also avoid dangling pointers in referencing parts. -- runtests.pl: Fixed --verbose parameter passed to http_pipe.py +Daniel Stenberg (8 Oct 2017) +- RELEASE-NOTES: synced with a4c1c75da30af1 -- sockfilt.c: Reduce CPU load while running under a Windows PIPE +- curlver.h: next expected release is 7.57.0 -- tftpd.c: Apply sread timeout to the whole data transfer session +Patrick Monnerat (8 Oct 2017) +- mime: be tolerant about setting twice the same header list in a part. -- getpart.pm: Strip carriage returns to fix Windows support +- docs: clarify form/mime usage of non-regular data files. 
-Daniel Stenberg (6 Apr 2013) -- ftp tests: libcurl returns CURLE_FTP_ACCEPT_FAILED better now +Daniel Stenberg (8 Oct 2017) +- Revert "multi_done: wait for name resolve to finish if still ongoing" + + This reverts commit f3e03f6c0ac52a1bf396e03f7d7e9b5b3b7165fe. - Since commit 57aeabcc1a20f, it handles errors on the control connection - while waiting for the data connection better. + Caused memory leaks in the fuzzer, needs to be done differently. - Test 591 and 592 are updated accordingly. + Disable test 1553 for now too, as it causes memory leaks without this + commit! -- FTP: wait on both connections during active STOR state +- remove_handle: call multi_done() first, then clear dns cache pointer - When doing PORT and upload (STOR), this function needs to extract the - file descriptor for both connections so that it will respond immediately - when the server eventually connects back. + Closes #1960 + +- multi_done: wait for name resolve to finish if still ongoing + + ... as we must clean up memory. + +- pingpong: return error when trying to send without connection + + When imap_done() got called before a connection is setup, it would try + to "finish up" and dereffed a NULL pointer. - This flaw caused active connections to become unnecessary slow but they - would still often work due to the normal polling on a timeout. The bug - also would not occur if the server connected back very fast, like when - testing on local networks. + Test case 1553 managed to reproduce. I had to actually use a host name + to try to resolve to slow it down, as using the normal local server IP + will make libcurl get a connection in the first curl_multi_perform() + loop and then the bug doesn't trigger. 
- Bug: http://curl.haxx.se/bug/view.cgi?id=1183 - Reported by: Daniel Theron + Fixes #1953 + Assisted-by: Max Dymond -Marc Hoersken (6 Apr 2013) -- tftpd.c: Follow up cleanup and restore of previous sockopt +Dan Fandrich (6 Oct 2017) +- tests: added flaky keyword to tests 587 and 644 + + These are around 5% flaky in my Linux x86 autobuilds. -Daniel Stenberg (6 Apr 2013) -- [Kim Vandry brought this change] +Marcel Raad (6 Oct 2017) +- vtls: fix warnings with --disable-crypto-auth + + When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters + are not used. - connect: treat an interface bindlocal() problem as a non-fatal error +Daniel Stenberg (6 Oct 2017) +- multi_cleanup: call DONE on handles that never got that - I am using curl_easy_setopt(CURLOPT_INTERFACE, "if!something") to force - transfers to use a particular interface but the transfer fails with - CURLE_INTERFACE_FAILED, "Failed binding local connection end" if the - interface I specify has no IPv6 address. The cause is as follows: + ... fixes a memory leak with at least IMAP when remove_handle is never + called and the transfer is abruptly just abandoned early. - The remote hostname resolves successfully and has an IPv6 address and an - IPv4 address. + Test 1552 added to verify - cURL attempts to connect to the IPv6 address first. + Detected by OSS-fuzz + Assisted-by: Max Dymond + Closes #1954 + +- [Benbuck Nason brought this change] + + strtoofft: Remove extraneous null check - bindlocal (in lib/connect.c) fails because Curl_if2ip cannot find an - IPv6 address on the interface. + Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str' + argument. - This is a fatal error in singleipconnect() + Closes #1952 + +- openssl: fix build without HAVE_OPAQUE_EVP_PKEY - This change will make cURL try the next IP address in the list. 
+ Reported-by: Javier Sixto + Fixes #1955 + Closes #1956 + +Viktor Szakats (6 Oct 2017) +- lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS - Also included are two changes related to IPv6 address scope: + The source code is now prepared to handle the case when both + Win32 Crypto and OpenSSL/NSS crypto backends are enabled + at the same time, making it now possible to enable `USE_WIN32_CRYPTO` + whenever the targeted Windows version supports it. Since this + matches the minimum Windows version supported by curl + (Windows 2000), enable it unconditionally for the Win32 platform. - - Filter the choice of address in Curl_if2ip to only consider addresses - with the same scope ID as the connection address (mismatched scope for - local and remote address does not result in a working connection). + This in turn enables SMB (and SMBS) protocol support whenever + Win32 Crypto is available, regardless of what other crypto backends + are enabled. - - bindlocal was ignoring the scope ID of addresses returned by - Curl_if2ip . Now it uses them. 
+ Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052 - Bug: http://curl.haxx.se/bug/view.cgi?id=1189 - -Marc Hoersken (6 Apr 2013) -- tftpd.c: Fixed sread timeout on Windows by setting it manually - -- ftp.pm: Added tskill to support Windows XP Home - -- runtests.pl: Modularization of MinGW/Msys compatibility functions + Closes https://github.com/curl/curl/pull/1943 -- ftp.pm: Made Perl testsuite able to handle Windows processes +Daniel Stenberg (5 Oct 2017) +- build: fix --disable-crypto-auth + + Reported-by: Wyatt O'Day + Fixes #1945 + Closes #1947 -- util.c: Revert workaround eeefcdf, 6eb56e7 and e3787e8 +Jay Satiro (5 Oct 2017) +- [Nick Zitzmann brought this change] -- ftp.pm: Made Perl testsuite able to kill Windows processes + darwinssl: add support for TLSv1.3 + + Closes https://github.com/curl/curl/pull/1794 -- util.c: Follow up cleanup on eeefcdf +Daniel Stenberg (4 Oct 2017) +- [Felix Kaiser brought this change] -Daniel Stenberg (6 Apr 2013) -- cpp: use #ifdef __MINGW32__ to avoid compiler complaints + docs: fix typo in curl_mime_data_cb man page - ... instead of just #if + Closes #1946 -Marc Hoersken (6 Apr 2013) -- util.c: Made write_pidfile write the correct PID on MinGW/Msys +Viktor Szakats (4 Oct 2017) +- lib/Makefile.m32: allow customizing dll suffixes - This workaround fixes an issue on MinGW/Msys regarding the Perl - testsuite scripts not being able to signal or control the server - processes. The MinGW Perl runtime only sees the Msys processes and - their corresponding PIDs, but sockfilt (and other servers) wrote the - Windows PID into their PID-files. Since this PID is useless to the - testsuite, the write_pidfile function was changed to search for the - Msys PID and write that into the PID-file. - -Daniel Stenberg (5 Apr 2013) -- RELEASE-NOTES: synced with 5e722b2d09087 + - New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated + libcurl dll name. 
Useful to add `-x64` to 64-bit builds so that + it can live in the same directory as the 32-bit one. By default + this is empty. - 3 more bug fixes, 6 more contributors - -Marc Hoersken (5 Apr 2013) -- sockfilt.c: Fixed handling of multiple fds being signaled - -Kamil Dudka (5 Apr 2013) -- curl_global_init.3: improve description of CURL_GLOBAL_ALL + - New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the + generated import library (implib) for libcurl .dll. It defaults + to `dll`, and it's useful to modify that to `.dll` to have the + standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`. - Reported by: Tomas Mlcoch + Closes https://github.com/curl/curl/pull/1942 + +Daniel Stenberg (4 Oct 2017) +- [Max Dymond brought this change] -- examples/multi-single.c: fix the order of destructions + fuzzer: move to using external curl-fuzzer - ... so that it adheres to the API documentation. + Use the external curl-fuzzer repository for fuzzing. - Reported by: Tomas Mlcoch + Closes #1923 -Daniel Stenberg (5 Apr 2013) -- Curl_open: restore default MAXCONNECTS to 5 +- failf: skip the sprintf() if there are no consumers - At some point recently we lost the default value for the easy handle's - connection cache, and this change puts it back to 5 - which is the - former default value and it is documented in the curl_easy_setopt.3 man - page. + Closes #1936 -Marc Hoersken (4 Apr 2013) -- sockfilt.c: Added wrapper functions to fix Windows console issues +- ftp: UBsan fixup 'pointer index expression overflowed' - The new read and write wrapper functions support reading from stdin - and writing to stdout/stderr on Windows by using the appropriate - Windows API functions and data types. 
+ Closes #1939 + +- RELEASE-PROCEDURE: update the release schedule -Yang Tse (4 Apr 2013) -- lib1509.c: fix compiler warnings +Version 7.56.0 (4 Oct 2017) -- easy.c: fix compiler warning +Daniel Stenberg (4 Oct 2017) +- RELEASE-NOTES: curl 7.56.0 -Daniel Stenberg (4 Apr 2013) -- --engine: spellfix the help message +- THANKS: added new 7.56.0 contributors + +Jay Satiro (4 Oct 2017) +- build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported - Reported by: Fredrik Thulin + Ref: https://github.com/curl/curl/issues/1002 -Yang Tse (4 Apr 2013) -- http_negotiate.c: follow-up for commit 3dcc1a9c +Michael Kaufmann (3 Oct 2017) +- idn: fix source code comment -Linus Nielsen Feltzing (4 Apr 2013) -- easy: Fix the broken CURLOPT_MAXCONNECTS option +- vtls: compare and clone ssl configs properly + + Compare these settings in Curl_ssl_config_matches(): + - verifystatus (CURLOPT_SSL_VERIFYSTATUS) + - random_file (CURLOPT_RANDOM_FILE) + - egdsocket (CURLOPT_EGDSOCKET) - Copy the CURLOPT_MAXCONNECTS option to CURLMOPT_MAXCONNECTS in - curl_easy_perform(). + Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(), + and copy the setting "sessionid" unconditionally. - Bug: http://curl.haxx.se/bug/view.cgi?id=1212 - Reported-by: Steven Gu + This means that reusing connections that are secured with a client + certificate is now possible, and the statement "TLS session resumption + is disabled when a client certificate is used" in the old advisory at + https://curl.haxx.se/docs/adv_20170419.html is obsolete. + + Reviewed-by: Daniel Stenberg + + Closes #1917 -Guenter Knauf (4 Apr 2013) -- Updated copyright date. +- proxy: read the "no_proxy" variable only if necessary + + Reviewed-by: Daniel Stenberg + + Closes #1919 -- Another small output fix for --help and --version. +Patrick Monnerat (3 Oct 2017) +- libcurl-tutorial: add casts in example to avoid compilation warnings. 
-Yang Tse (4 Apr 2013) -- http_negotiate.c: fix several SPNEGO memory handling issues +Daniel Stenberg (3 Oct 2017) +- examples: bring back curl_formadd-using examples + + ... now with a -formadd suffix. While the new mime API is introduced in + 7.56.0 we must acknowledge that lots of users can't upgrade their curl + versions immediately. -Guenter Knauf (4 Apr 2013) -- Added a cont to specify base64 line wrap. +- test1153: verify quoted double-qoutes in PWD response -- Fixed version output. +- FTP: zero terminate the entry path even on bad input + + ... a single double quote could leave the entry path buffer without a zero + terminating byte. CVE-2017-1000254 + + Test 1152 added to verify. + + Reported-by: Max Dymond + Bug: https://curl.haxx.se/docs/adv_20171004.html -- Added support for --help and --version options. +Jay Satiro (2 Oct 2017) +- [Sergei Nikulov brought this change] -- Added option to specify length of base64 output. + cmake: disable tests and man generation if perl/nroff not found - Based on a patch posted to the list by Richard Michael. + Fixes https://github.com/curl/curl/issues/1500 + Reported-by: Jay Satiro + + Fixes https://github.com/curl/curl/pull/1662 + Assisted-by: Tom Seddon + Assisted-by: dpull@users.noreply.github.com + Assisted-by: elelel@users.noreply.github.com + + Closes https://github.com/curl/curl/pull/1924 -Daniel Stenberg (3 Apr 2013) -- curl_easy_setopt.3: CURLOPT_HTTPGET disables CURLOPT_UPLOAD +Patrick Monnerat (2 Oct 2017) +- libcurl-tutorial: fix two typos. -- [Yasuharu Yamada brought this change] +- TODO: remove deprecated form API items. - Curl_cookie_add: only increase numcookies for new cookies +- libcurl-tutorial: describe MIME API and deprecate form API. - Count up numcookies in Curl_cookie_add() only when cookie is new one + Include a guide to form/mime API conversion. 
-- SO_SNDBUF: don't set SNDBUF for win32 versions vista or later +Daniel Stenberg (30 Sep 2017) +- cookie: fix memory leak if path was set twice in header - The Microsoft knowledge-base article - http://support.microsoft.com/kb/823764 describes how to use SNDBUF to - overcome a performance shortcoming in winsock, but it doesn't apply to - Windows Vista and later versions. If the described SNDBUF magic is - applied when running on those more recent Windows versions, it seems to - instead have the reversed effect in many cases and thus make libcurl - perform less good on those systems. + ... this will let the second occurance override the first. - This fix thus adds a run-time version-check that does the SNDBUF magic - conditionally depending if it is deemed necessary or not. + Added test 1161 to verify. - Bug: http://curl.haxx.se/bug/view.cgi?id=1188 - Reported by: Andrew Kurushin - Tested by: Christian Hägele + Reported-by: Max Dymond + Fixes #1932 + Closes #1933 -Nick Zitzmann (1 Apr 2013) -- darwinssl: additional descriptive messages of SSL handshake errors +Dan Fandrich (30 Sep 2017) +- test650: Use variable replacement to set the host address and port - (This doesn't need to appear in the release notes.) + Otherwise, the test fails when the -b test option is used to set a + different test port range. -Guenter Knauf (1 Apr 2013) -- Added dns and connect time to output. - -Daniel Stenberg (1 Apr 2013) -- RELEASE-NOTES: synced with 0614b902136 +- Set and use more necessary options when some protocols are disabled + + When curl and libcurl are built with some protocols disabled, they stop + setting and receiving some options that don't make sense with those + protocols. In particular, when HTTP is disabled many options aren't set + that are used only by HTTP. However, some options that appear to be + HTTP-only are actually used by other protocols as well (some despite + having HTTP in the name) and should be set, but weren't. 
This change now + causes some of these options to be set and used for more (or for all) + protocols. In particular, this fixes tests 646 through 649 in an + HTTP-disabled build, which use the MIME API in the mail protocols. -- code-policed +Daniel Stenberg (29 Sep 2017) +- test1160: verifies cookie leak for large cookies + + The fix done in 20ea22ff735 -- tcpkeepalive: support TCP_KEEPIDLE/TCP_KEEPINTVL on win32 +- cookie: fix memory leak on oversized rejection + + Regression brought by 2bc230de63b - Patch by: Robert Wruck - Bug: http://curl.haxx.se/bug/view.cgi?id=1209 + Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513 + Assisted-by: Max Dymond + + Closes #1930 -- BINDINGS: BBHTTP is a cocoa binding, Julia has a binding +- [Anders Bakken brought this change] -- ftp_sendquote: use PPSENDF, not FTPSENDF + connect: fix race condition with happy eyeballs timeout + + The timer should be started after conn->connecttime is set. Otherwise + the timer could expire without this condition being true: - The last remaining code piece that still used FTPSENDF now uses PPSENDF. - In the problematic case, a PREQUOTE series was done on a re-used - connection when Curl_pp_init() hadn't been called so it had messed up - pointers. The init call is done properly from Curl_pp_sendf() so this - change fixes this particular crash. + /* should we try another protocol family? 
*/ + if(i == 0 && conn->tempaddr[1] == NULL && + curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) { - Bug: http://curl.haxx.se/mail/lib-2013-03/0319.html - Reported by: Sam Deane + Ref: #1928 -Steve Holme (27 Mar 2013) -- RELEASE-NOTES: Corrected typo +Michael Kaufmann (28 Sep 2017) +- docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS + + Closes #1922 -Daniel Stenberg (27 Mar 2013) -- [Clemens Gruber brought this change] +- docs: clarify the use of environment variables for proxy + + Closes #1921 - multi-uv.c: remove unused variable +- http: add custom empty headers to repeated requests + + Closes #1920 -- RELEASE-NOTES: add two references +- reuse_conn: don't copy flags that are known to be equal + + A connection can only be reused if the flags "conn_to_host" and + "conn_to_port" match. Therefore it is not necessary to copy these flags + in reuse_conn(). + + Closes #1918 -- test1509: verify proxy header response headers count +Daniel Stenberg (27 Sep 2017) +- curl.h: include <sys/select.h> on cygwin too - Modified sws to support and use custom CONNECT responses instead of the - previously naive hard-coded version. Made the HTTP test server able to - extract test case number from the host name in a CONNECT request by - finding the number after the last dot. It makes 'machine.moo.123' use - test case 123. + When building with -std=c++14 on cygwin, this header won't be + automatically included as it otherwise is. - Adapted a larger amount of tests to the new <connect> style. + The <sys/select.h> include decision should ideally be reversed and be + avoided where that header file doesn't exist. 
- Bug: http://curl.haxx.se/bug/view.cgi?id=1204 - Reported by: Martin Jansen - -- [Clemens Gruber brought this change] + Reported-by: Ian Fette + Fixes #1925 - Added libuv example multi-uv.c +- RELEASE-NOTES: synced with d8ab5dc50 -Yang Tse (25 Mar 2013) -- NTLM: fix several NTLM code paths memory leaks +Michael Kaufmann (24 Sep 2017) +- tests: adjust .gitignore for new tests -- WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage +Jay Satiro (23 Sep 2017) +- ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header - As of 25-mar-2013 wcsdup() _wcsdup() and _tcsdup() are only used in - WIN32 specific code, so tracking of these has not been extended for - other build targets. Without this fix, memory tracking system on - WIN32 builds, when using these functions, would provide misleading - results. + .. and include the core NTLM header in all NTLM-related source files. - In order to properly extend this support for all targets curl.h - would have to define curl_wcsdup_callback prototype and consequently - wchar_t should be visible before that in curl.h. IOW curl_wchar_t - defined in curlbuild.h and this pulling whatever system header is - required to get wchar_t definition. + Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT + but did not include vtls.h where it was defined. - Additionally a new curl_global_init_mem() function that also receives - user defined wcsdup() callback would be required. + Closes https://github.com/curl/curl/pull/1911 -- curl_ntlm_msgs.c: revert commit 463082bea4 +Daniel Stenberg (23 Sep 2017) +- file_range: avoid integer overflow when figuring out byte range - reverts unreleased invalid memory leak fix - -Daniel Stenberg (23 Mar 2013) -- RELEASE-NOTES: synced with bc6037ed3ec02 + When trying to bump the value with one and the value is already at max, + it causes an integer overflow. - More changes, bugfixes and contributors! 
+ Closes #1908 + Detected by oss-fuzz: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465 + + Assisted-by: Max Dymond -- [Martin Jansen brought this change] +Michael Kaufmann (23 Sep 2017) +- tests: fix a compiler warning in test 643 - Curl_proxyCONNECT: count received headers +Jay Satiro (23 Sep 2017) +- symbols-in-versions: fix CURLSSLSET_NO_BACKENDS entry - Proxy servers tend to add their own headers at the beginning of - responses. The size of these headers was not taken into account by - CURLINFO_HEADER_SIZE before this change. + - Use spaces instead of tabs as the delimiter. - Bug: http://curl.haxx.se/bug/view.cgi?id=1204 + Follow up to 7c52b12 which added the entry. The entry had used tabs but + the symbol-scan parser doesn't recognize tabs and would fail the symbol. -Steve Holme (21 Mar 2013) -- sasl: Corrected a few violations of the curl coding standards +Viktor Szakats (22 Sep 2017) +- metalink: fix NSS issue in MultiSSL builds - Corrected some incorrectly positioned pointer variable declarations to - be "char *" rather than "char* ". - -- multi.c: Corrected a couple of violations of the curl coding standards + In MultiSSL mode (i.e. when more than one SSL backend is compiled + in), we cannot use the compile time flag `USE_NSS` as indicator that + the NSS backend is in use. As far as Metalink is concerned, the SSL + backend is only used for MD5, SHA-1 and SHA-256 calculations, + therefore one of the available SSL backends is selected at compile + time, in a strict order of preference. - Corrected some incorrectly positioned pointer variable declarations to - be "type *" rather than "type* ". - -- imap-tests: Added CRLF to reply data to be compliant with RFC-822 + Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used + to determine whether the SSL backend used for Metalink is the NSS + backend, and use that to guard the code that wants to de-initialize + the NSS-specific data structure. 
- Updated the reply data in tests: 800, 801, 802, 804 and 1321 to possess - the CRLF as per RFC-822. + Ref: https://github.com/curl/curl/pull/1848 -- multi.c: Fix compilation warning +- ntlm: use strict order for SSL backend #if branches - warning: an enumerated type is mixed with another type - -- multi.c: fix compilation error + With the recently introduced MultiSSL support multiple SSL backends + can be compiled into cURL That means that now the order of the SSL - warning: conversion from enumeration type to different enumeration type - -- lib1900.c: fix compilation warning + One option would be to use the same SSL backend as was configured + via `curl_global_sslset()`, however, NTLMv2 support would appear + to be available only with some SSL backends. For example, when + eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced + support for NTLMv1 using Windows' Crypt API, it specifically did + *not* introduce NTLMv2 support using Crypt API at the same time. + + So let's select one specific SSL backend for NTLM support when + compiled with multiple SSL backends, using a priority order such + that we support NTLMv2 even if only one compiled-in SSL backend can + be used for that. - warning: declaration of 'time' shadows a global declaration + Ref: https://github.com/curl/curl/pull/1848 -Yang Tse (20 Mar 2013) -- [John E. Malmberg brought this change] +Daniel Stenberg (22 Sep 2017) +- symbols-in-versions: add CURLSSLSET_NO_BACKENDS + + ...fixup from b8e0fe19ec - build_vms.com: use existing curlbuild.h and parsing fix +- imap: quote atoms properly when escaping characters - This patch removes building curlbuild.h from the build_vms.com procedure - and uses the one in the daily or release tarball instead. + Updates test 800 to verify - packages/vms/build_curlbuild_h.com is obsolete with this change. 
+ Fixes #1902 + Closes #1903 + +- tests: make the imap server not verify user+password - Accessing the library module name "tool_main" needs different handling - when the optional extended parsing is enabled. + ... as the test cases themselves do that and it makes it easier to add + crazy test cases. - Tested on IA64/VMS 8.4 and VAX/VMS 7.3 - -Nick Zitzmann (19 Mar 2013) -- darwinssl: disable ECC ciphers under Mountain Lion by default + Test 800 updated to use user name + password that need quoting. - I found out that ECC doesn't work as of OS X 10.8.3, so those ciphers are - turned off until the next point release of OS X. - -Steve Holme (18 Mar 2013) -- FEATURES: Small tidy up for constancy and grammar - -Daniel Stenberg (18 Mar 2013) -- [Oliver Schindler brought this change] + Test 856 updated to trigger an auth fail differently. + + Ref: #1902 - Curl_proxyCONNECT: clear 'rewindaftersend' on success +- vtls: provide curl_global_sslset() even in non-SSL builds - After having done a POST over a CONNECT request, the 'rewindaftersend' - boolean could be holding the previous value which could lead to badness. + ... it just returns error: - This should be tested for in a new test case! + Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367 + Reported-by: Marcel Raad - Bug: https://groups.google.com/d/msg/msysgit/B31LNftR4BI/KhRTz0iuGmUJ + Closes #1906 -Steve Holme (18 Mar 2013) -- TODO: Reordered the protocol and security sections - - Moved SMTP, POP3, IMAP and New Protocol sections to be listed after the - other protocols (FTP, HTTP and TELNET) and SASL to be after SSL and - GnuTLS as these are all security related. +Patrick Monnerat (22 Sep 2017) +- form/mime: field names are not allowed to contain zero-valued bytes. - Additionally fixed numbering of the SSL and GnuTLS sections as they - weren't consecutive. + Also suppress length argument of curl_mime_name() (names are always + zero-terminated). 
-Yang Tse (18 Mar 2013) -- tests: specify 'text' mode for some output files in verify section +Daniel Stenberg (21 Sep 2017) +- [Dirk Feytons brought this change] -Steve Holme (17 Mar 2013) -- imap: Fixed incorrect initial response generation for SASL AUTHENTICATE + openssl: only verify RSA private key if supported - Fixed incorrect initial response generation for the NTLM and LOGIN SASL - authentication mechanisms when the SASL-IR was detected. + In some cases the RSA key does not support verifying it because it's + located on a smart card, an engine wants to hide it, ... + Check the flags on the key before trying to verify it. + OpenSSL does the same thing internally; see ssl/ssl_rsa.c - Introduced in commit: 6da7dc026c14. - -- FEATURES: Expanded the supported enhanced IMAP command list - -- TODO: Corrected typo in TOC + Closes #1904 -- TODO: Added IMAP section and removed unused Other protocols section +Marcel Raad (21 Sep 2017) +- examples/post-callback: use long for CURLOPT_POSTFIELDSIZE + + Otherwise, typecheck-gcc.h warns on MinGW-w64. -- TODO: Added graceful base64 decoding failure to SMTP and POP3 +Patrick Monnerat (20 Sep 2017) +- mime: rephrase the multipart output state machine (#1898) ... + + ... in hope coverity will like it much. -- TODO: Corrected typo on section 10.2 heading +- mime: fix an explicit null dereference (#1899) -Yang Tse (16 Mar 2013) -- tests: 96, 558, 1330: strip build subdirectory dependent leading path +Daniel Stenberg (20 Sep 2017) +- curl: check fseek() return code and bail on error + + Detected by coverity. CID 1418137. -Steve Holme (15 Mar 2013) -- TODO: Added section 10.2 Initial response to POP3 to do list +- smtp: fix memory leak in OOM + + Regression since ce0881edee + + Coverity CID 1418139 and CID 1418136 found it, but it was also seen in + torture testing. 
-- imap-tests: Corrected copy/paste error in test808 reply data +- RELEASE-NOTES: synced with 5fe85587c -Yang Tse (15 Mar 2013) -- unit1330.c: fix date +- [Pavel Pavlov brought this change] -- tests: add #96 #558 and #1330 + cookies: use lock when using CURLINFO_COOKIELIST - These verfy that the 'memory tracking' subsystem is actually doing its - job when using curl tool (#96), a test in libtest (#558) and also a unit - test (#1330), in order to prevent regressions in this functionallity. + Closes #1896 -Steve Holme (15 Mar 2013) -- imap-tests: Added test808 for custom EXAMINE command +- [Max Dymond brought this change] -Daniel Stenberg (15 Mar 2013) -- HTTP proxy: insert slash in URL if missing + ossfuzz: changes before merging the generated corpora - curl has been accepting URLs using slightly wrong syntax for a long - time, such as when completely missing as slash "http://example.org" or - missing a slash when a query part is given - "http://example.org?q=foobar". + Before merging in the oss-fuzz corpora from Google, there are some changes + to the fuzzer. + - Add a read corpus script, to display corpus files nicely. + - Change the behaviour of the fuzzer so that TLV parse failures all now + go down the same execution paths, which should reduce the size of the + corpora. + - Make unknown TLVs a failure to parse, which should decrease the size + of the corpora as well. - curl would translate these into a legitimate HTTP request to servers, - although as was shown in bug #1206 it was not adjusted properly in the - cases where a HTTP proxy was used. - - Test 1213 and 1214 were added to the test suite to verify this fix. - - The test HTTP server was adjusted to allow us to specify test number in - the host name only without using any slashes in a given URL. 
- - Bug: http://curl.haxx.se/bug/view.cgi?id=1206 - Reported by: ScottJi + Closes #1881 -Steve Holme (14 Mar 2013) -- ftpserver.pl: Added EXAMINE_imap() for IMAP EXAMINE commands +- mime:escape_string minor clarification change - Used hard coded data from RFC-3501 section 6.3.2. - -Yang Tse (14 Mar 2013) -- curl_memory.h: introduce CURLX_NO_MEMORY_CALLBACKS usage possibility + ... as it also removes a warning with old gcc versions. - This commit alone does not fix anything nor modifies existing - interfaces or behaviors, although it is a prerequisite for other - fixes. + Bug: https://curl.haxx.se/mail/lib-2017-09/0049.html + Reported-by: Ben Greear -- Makefile.vc6: add missing files +- [Max Dymond brought this change] -Linus Nielsen Feltzing (14 Mar 2013) -- pipelining: Remove dead code. + ossfuzz: don't write out to stdout + + Don't make the fuzzer write out to stdout - instead write some of the + contents to a memory block so we exercise the data output code but + quietly. + + Closes #1885 -- Multiple pipelines and limiting the number of connections. +- cookies: reject oversized cookies + + ... instead of truncating them. + + There's no fixed limit for acceptable cookie names in RFC 6265, but the + entire cookie is said to be less than 4096 bytes (section 6.1). This is + also what browsers seem to implement. - Introducing a number of options to the multi interface that - allows for multiple pipelines to the same host, in order to - optimize the balance between the penalty for opening new - connections and the potential pipelining latency. + We now allow max 5000 bytes cookie header. Max 4095 bytes length per + cookie name and value. Name + value together may not exceed 4096 bytes. - Two new options for limiting the number of connections: + Added test 1151 to verify - CURLMOPT_MAX_HOST_CONNECTIONS - Limits the number of running connections - to the same host. 
When adding a handle that exceeds this limit, - that handle will be put in a pending state until another handle is - finished, so we can reuse the connection. + Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html + Reported-by: Kevin Smith - CURLMOPT_MAX_TOTAL_CONNECTIONS - Limits the number of connections in total. - When adding a handle that exceeds this limit, - that handle will be put in a pending state until another handle is - finished. The free connection will then be reused, if possible, or - closed if the pending handle can't reuse it. + Closes #1894 + +- travis: on mac, don't install openssl or libidn - Several new options for pipelining: + - openssl is already installed and causes warnings when trying to + install again - CURLMOPT_MAX_PIPELINE_LENGTH - Limits the pipeling length. If a - pipeline is "full" when a connection is to be reused, a new connection - will be opened if the CURLMOPT_MAX_xxx_CONNECTIONS limits allow it. - If not, the handle will be put in a pending state until a connection is - ready (either free or a pipe got shorter). + - libidn isn't used these days, and homebrew doesn't seem to have a + libidn2 package to replace with easily - CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE - A pipelined connection will not - be reused if it is currently processing a transfer with a content - length that is larger than this. + Closes #1895 + +- curl: make str2udouble not return values on error - CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE - A pipelined connection will not - be reused if it is currently processing a chunk larger than this. + ... previously it would store a return value even when it returned + error, which could make the value get used anyway! - CURLMOPT_PIPELINING_SITE_BL - A blacklist of hosts that don't allow - pipelining. + Reported-by: Brian Carpenter + Closes #1893 + +Jay Satiro (18 Sep 2017) +- socks: fix incorrect port number in SOCKS4 error message - CURLMOPT_PIPELINING_SERVER_BL - A blacklist of server types that don't allow - pipelining. 
+ Prior to this change it appears the SOCKS5 port parsing was erroneously + used for the SOCKS4 error message, and as a result an incorrect port + would be shown in the error message. - See the curl_multi_setopt() man page for details. + Bug: https://github.com/curl/curl/issues/1892 + Reported-by: Jackarain@users.noreply.github.com + +- [Marc Aldorasi brought this change] -Yang Tse (13 Mar 2013) -- tool_main.c: remove redundant vms_show storage-class specifier + schannel: Support partial send for when data is too large - vms_show 'extern' storage-class specifier removed from tool_main.c due to... + Schannel can only encrypt a certain amount of data at once. Instead of + failing when too much data is to be sent at once, send as much data as + we can and let the caller send the remaining data by calling send again. - - Advice from Tor Arntsen: http://curl.haxx.se/mail/lib-2013-03/0164.html + Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html - - HP OpenVMS docs stating that 'Extern is the default storage class for - variables declared outside a function.' - http://h71000.www7.hp.com/commercial/c/docs/dec_c_help_5.html - (Storage_Classes section) + Closes https://github.com/curl/curl/pull/1890 -- test509: libcurl initialization with memory callbacks and actual usage +- [David Benjamin brought this change] -Steve Holme (13 Mar 2013) -- pop3: Removed unnecessary transfer cancellation + openssl: add missing includes - Following commit e450f66a02d8 and the changes in the multi interface - being used internally, from 7.29.0, the transfer cancellation in - pop3_dophase_done() is no longer required. + lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include + their headers directly rather than relying on other OpenSSL headers + including things. 
+ + Closes https://github.com/curl/curl/pull/1891 -Yang Tse (13 Mar 2013) -- Makefile.am: add VMS files not being included in tarball +Daniel Stenberg (15 Sep 2017) +- conversions: fix several compiler warnings -- [Tom Grace brought this change] +- server/getpart: provide dummy function to build conversion enabled - build_vms.com: VMS build fixes +- non-ascii: use iconv() with 'char **' argument - Added missing slash in cc_full_list. - Removed unwanted extra quotes inside symbol tool_main - for non-VAX architectures that triggered link failure. - Replaced curl_sys_inc with sys_inc. + Bug: https://curl.haxx.se/mail/lib-2017-09/0031.html + +- escape.c: error: pointer targets differ in signedness + +- docs: clarify the CURLOPT_INTERLEAVE* options behavior -- [Tom Grace brought this change] +- [Max Dymond brought this change] - tool_main.c: fix VMS global variable storage-class specifier + rtsp: Segfault in rtsp.c when using WRITEDATA - An extern submits a psect and a global reference to the linker to point - to it. Using "extern int vms_show = 0" also creates a globaldef. + If the INTERLEAVEFUNCTION is defined, then use that plus the + INTERLEAVEDATA information when writing RTP. Otherwise, use + WRITEFUNCTION and WRITEDATA. - The use of the extern by itself does declare a psect but does not declare - a globalsymbol. It does declare a globalref. But the linker needs one and - only one globaldef or there is an error. + Fixes #1880 + Closes #1884 -Patrick Monnerat (12 Mar 2013) -- OS400: synchronize RPG binding +Marcel Raad (15 Sep 2017) +- [Isaac Boukris brought this change] -Steve Holme (12 Mar 2013) -- pop3: Fixed continuous wait when using --ftp-list + tests: enable gssapi in travis-ci linux build - Don't initiate a transfer when using --ftp-list. 
+ Closes https://github.com/curl/curl/pull/1687 -Kamil Dudka (12 Mar 2013) -- [Zdenek Pavlas brought this change] +- [Isaac Boukris brought this change] - curl_global_init: accept the CURL_GLOBAL_ACK_EINTR flag + tests: add initial gssapi test using stub implementation - The flag can be used in pycurl-based applications where using the multi - interface would not be acceptable because of the performance lost caused - by implementing the select() loop in python. + The stub implementation is pre-loaded using LD_PRELOAD + and emulates common gssapi uses (only builds if curl is + initially built with gssapi support). - Bug: http://curl.haxx.se/bug/view.cgi?id=1168 - Downstream Bug: https://bugzilla.redhat.com/919127 + The initial tests are currently disabled for debug builds + as LD_PRELOAD is not used then. + + Ref: https://github.com/curl/curl/pull/1687 -- easy: do not ignore poll() failures other than EINTR +Daniel Stenberg (15 Sep 2017) +- test1150: verify same host fetch using different ports over proxy + + Closes #1889 -Yang Tse (12 Mar 2013) -- curl.h: stricter CURL_EXTERN linkage decorations logic +- URL: on connection re-use, still pick the new remote port - No API change involved. + ... as when a proxy connection is being re-used, it can still get a + different remote port. 
- Info: http://curl.haxx.se/mail/lib-2013-02/0234.html + Fixes #1887 + Reported-by: Oli Kingshott -Daniel Stenberg (11 Mar 2013) -- THANKS: Latin-1'ified Jiri's name +- RELEASE-NOTES: synced with 87501e57f -Steve Holme (11 Mar 2013) -- test806: Added CRLF to reply data to be compliant with RFC-822 - -Daniel Stenberg (11 Mar 2013) -- test805: added crlf newlines to make data size match +- code style: remove wrong uses of multiple spaces - since mails sent are supposed to have CRLF line endings I added them and - now the data size after (\Seen) matches again properly - -- test: fix newline for the data check of 807 + Closes #1878 -Yang Tse (11 Mar 2013) -- test801 to test807: fix protocol section line endings +- checksrc: detect and warn for multiple spaces -Steve Holme (10 Mar 2013) -- Makefile.am: Corrected a couple of spurious tab characters - - Corrected a couple of tab characters between test702 and test703, and - between test900 and test901 which should be spaces. +- code style: use space after semicolon -- [Jiri Hruska brought this change] +- checksrc: verify space after semicolons - imap: Added test807 for custom request functionality (STORE) +- code style: use spaces around pluses -- [Jiri Hruska brought this change] +- checksrc: detect and warn for lack of spaces next to plus signs - imap: Added test806 for IMAP (folder) LIST command +- code style: use spaces around equals signs -- [Jiri Hruska brought this change] +- checksrc: verify spaces around equals signs + + ... as the code style mandates. - imap: Added test805 for APPEND functionality +- Curl_checkheaders: make it available for IMAP and SMTP too + + ... not only HTTP uses this now. 
+ + Closes #1875 -- [Jiri Hruska brought this change] +- travis: add build without HTTP/SMTP/IMAP - imap: Added test804 for skipping SELECT if in the same mailbox +Jay Satiro (10 Sep 2017) +- mbedtls: enable CA path processing + + CA path processing was implemented when mbedtls.c was added to libcurl + in fe7590f, but it was never enabled. + + Bug: https://github.com/curl/curl/issues/1877 + Reported-by: SBKarr@users.noreply.github.com -- [Jiri Hruska brought this change] +Daniel Stenberg (8 Sep 2017) +- rtsp: do not call fwrite() with NULL pointer FILE * + + If the default write callback is used and no destination has been set, a + NULL pointer would be passed to fwrite()'s 4th argument. + + OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327 + (not publicly open yet) + + Detected by OSS-fuzz + Closes #1874 - imap: Added test802 and test803 for UIDVALIDITY verification +- configure: use -Wno-varargs on clang 3.9[.X] debug builds - Added one test for a request with matching UIDVALIDITY and one which is - a mismatched request that will fail. + ... to avoid a clang bug -- [Jiri Hruska brought this change] +- [Max Dymond brought this change] - imap: Added test801 for UID and SECTION URL parameters + ossfuzz: add some more handled CURL options + + Add support for HEADER, COOKIE, RANGE, CUSTOMREQUEST, MAIL_RECIPIENT, + MAIL_FROM and uploading data. -- [Jiri Hruska brought this change] +- configure: check for C++ compiler after C, to make it non-fatal + + The tests for object file/executable file extensions are presumably only + done for the first of these macros in the configure file. + + Bug: https://github.com/curl/curl/pull/1851#issuecomment-327597515 + Reported-by: Marcel Raad + Closes #1873 + +Patrick Monnerat (7 Sep 2017) +- form API: add new test 650. + + Now that the form API is deprecated and not used anymore in curl tool, + a lot of its features left untested. Test 650 attempts to check all these + features not tested elsewhere. 
- imap-tests: Accept quoted parameters in ftpserver.pl +Jay Satiro (7 Sep 2017) +- configure: fix curl_off_t check's include order + + - Prepend srcdir include path instead of append. + + Prior to this change it was possible that during the check for the size + of curl_off_t the include path of a user's already installed curl could + come before the include path of the to-be-built curl, resulting in the + system.h of the former being incorrectly included for that check. - Any IMAP parameter can come in escaped and in double quotes. Added a - simple function to unquote the command parameters and applied it to - the IMAP command handlers. + Closes https://github.com/curl/curl/pull/1870 -- [Jiri Hruska brought this change] +Daniel Stenberg (7 Sep 2017) +- [Jakub Zakrzewski brought this change] - tests: Fix ftpserver.pl indentation + KNOWN_BUGS: Remove CMake symbol hiding issue - The whole of FETCH_imap() had one extra space of indentation, whilst - APPEND_imap() used indentation of 2 instead of 4 in places. + It has already been fixed in 6140dfc -- Makefile.am: Corrected end of line filler character +- http-proxy: when not doing CONNECT, that phase is done immediately - The majority of lines, that specify a test file for inclusion, end with - a tab character before the slash whilst some end with a space. Corrected - those that end with a space to end with a tab character as well. + `conn->connect_state` is NULL when doing a regular non-CONNECT request + over the proxy and should therefor be considered complete at once. 
+ + Fixes #1853 + Closes #1862 + Reported-by: Lawrence Wagerfield + +- [Johannes Schindelin brought this change] -- email-tests: Updated the test data that corresponds to the test number + OpenSSL: fix yet another mistake while encapsulating SSL backend data + + Another mistake in my manual fixups of the largely mechanical + search-and-replace ("connssl->" -> "BACKEND->"), just like the previous + commit concerning HTTPS proxies (and hence not caught during my + earlier testing). + + Fixes #1855 + Closes #1871 - Finished segregating the email protocol tests, into their own protocol - based ranges, in preparation of adding more e-mail related tests to the - test suite. + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- email-tests: Renamed the IMAP test to be 800 +- [Johannes Schindelin brought this change] + + OpenSSL: fix erroneous SSL backend encapsulation + + In d65e6cc4f (vtls: prepare the SSL backends for encapsulated private + data, 2017-06-21), this developer prepared for a separation of the + private data of the SSL backends from the general connection data. + + This conversion was partially automated (search-and-replace) and + partially manual (e.g. proxy_ssl's backend data). + + Sadly, there was a crucial error in the manual part, where the wrong + handle was used: rather than connecting ssl[sockindex]' BIO to the + proxy_ssl[sockindex]', we reconnected proxy_ssl[sockindex]. The reason + was an incorrect location to paste "BACKEND->"... d'oh. - Continued segregating the email protocol tests, into their own protocol - based ranges, in preparation of adding more e-mail related tests to the - test suite. + Reported by Jay Satiro in https://github.com/curl/curl/issues/1855. + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + +- [Jay Satiro brought this change] -- email-tests: Renamed the SMTP tests to be in the range 900-906 + vtls: fix memory corruption + + Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data, + 2017-07-28), the code handling HTTPS proxies was broken because the + pointer to the SSL backend data was not swapped between + conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but + instead set to NULL (causing segmentation faults). + + [jes: provided the commit message, tested and verified the patch] - Continued segregating the email protocol tests, into their own protocol - based ranges, in preparation of adding more e-mail related tests to the - test suite. + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- email-tests: Renamed the POP3 tests to be in the range 850-857 +- vtls: switch to CURL_SHA256_DIGEST_LENGTH define - Started segregating the email protocol tests, into their own protocol - based ranges, in preparation of adding more e-mail related tests to the - test suite. + ... instead of the prefix-less version since WolfSSL 3.12 now uses an + enum with that name that causes build failures for us. + + Fixes #1865 + Closes #1867 + Reported-by: Gisle Vanem -Daniel Stenberg (10 Mar 2013) -- hiperfifo: updated to use current libevent API +- travis: add c-ares enabled builds linux + osx - Patch by: Myk Taylor + Closes #1868 -Steve Holme (10 Mar 2013) -- imap: Reworked some function descriptions +- HISTORY: added some recent items -- imap: Added some missing comments to imap_sendf() +Jay Satiro (6 Sep 2017) +- SSL: fix unused parameter warnings -- email: Removed hard returns from init functions +Patrick Monnerat (6 Sep 2017) +- mime: drop internal FILE * support. + + - The part kind MIMEKIND_FILE and associated code are suppressed. + - Seek data origin offset not used anymore: suppressed. + - MIMEKIND_NAMEDFILE renamed MIMEKIND_FILE; associated fields/functions + renamed accordingly. + - Curl_getformdata() processes stdin via a callback. -Daniel Stenberg (9 Mar 2013) -- curl_multi_wait: avoid second loop if nothing to do +Daniel Stenberg (6 Sep 2017) +- configure: remove --enable-soname-bump and SONAME_BUMP + + Back in 2008, (and commit 3f3d6ebe665f3) we changed the logic in how we + determine the native type for `curl_off_t`. To really make sure we + didn't break ABI without bumping SONAME, we introduced logic that + attempted to detect that it would use a different size and thus not be + compatible. We also provided a manual switch that allowed users to tell + configure to bump SONAME by force. 
+ + Today, we know of no one who ever got a SONAME bump auto-detected and we + don't know of anyone who's using the manual bump feature. The auto- + detection is also no longer working since we introduced defining + curl_off_t in system.h (7.55.0). + + Finally, this bumping logic is not present in the cmake build. - ... hopefully this will also make clang-analyzer stop warning on - potentional NULL dereferences (which were false positives anyway). + Closes #1861 -- multi_runsingle: avoid NULL dereference +Jay Satiro (6 Sep 2017) +- [Gisle Vanem brought this change] + + vtls: select ssl backend case-insensitive (follow-up) + + - Do a case-insensitive comparison of CURL_SSL_BACKEND env as well. + + - Change Curl_strcasecompare calls to strcasecompare + (maps to the former but shorter). - When Curl_do() returns failure, the connection pointer could be NULL so - the code path following needs to that that into account. + Follow-up to c290b8f. - Bug: http://curl.haxx.se/mail/lib-2013-03/0062.html - Reported by: Eric Hu + Bug: https://github.com/curl/curl/commit/c290b8f#commitcomment-24094313 + + Co-authored-by: Jay Satiro -Steve Holme (9 Mar 2013) -- imap: Re-factored all perform based functions +- openssl: Integrate Peter Wu's SSLKEYLOGFILE implementation + + This is an adaptation of 2 of Peter Wu's SSLKEYLOGFILE implementations. + + The first one, written for old OpenSSL versions: + https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c + + The second one, written for BoringSSL and new OpenSSL versions: + https://github.com/curl/curl/pull/1346 + + Note the first one is GPL licensed but the author gave permission to + waive that license for libcurl. + + As of right now this feature is disabled by default, and does not have + a configure option to enable it. To enable this feature define + ENABLE_SSLKEYLOGFILE when building libcurl and set environment + variable SSLKEYLOGFILE to a pathname that will receive the keys. 
+ + And in Wireshark change your preferences to point to that key file: + Edit > Preferences > Protocols > SSL > Master-Secret + + Co-authored-by: Peter Wu - Standardised the naming of all perform based functions to be in the form - imap_perform_something(). + Ref: https://github.com/curl/curl/pull/1030 + Ref: https://github.com/curl/curl/pull/1346 + + Closes https://github.com/curl/curl/pull/1866 -Daniel Stenberg (9 Mar 2013) -- [Cédric Deltheil brought this change] +Patrick Monnerat (5 Sep 2017) +- mime: fix a trivial warning. - examples/getinmemory.c: abort the transfer if not enough memory +- mime: replace 'struct Curl_mimepart' by 'curl_mimepart' in encoder code. - No more use exit(3) but instead tell libcurl that no byte has been - written to let it return a `CURLE_WRITE_ERROR`. In addition, check - curl easy handle return code. + mime_state is now a typedef. -- RELEASE-NOTES: synced with ca3c0ed3a9c +- mime: implement encoders. - 8 more bugfixes, one change and a bunch of contributors + curl_mime_encoder() is operational and documented. + curl tool -F option is extended with ";encoder=". + curl tool --libcurl option generates calls to curl_mime_encoder(). + New encoder tests 648 & 649. + Test 1404 extended with an encoder specification. + +- runtests.pl: support attribute "nonewline" in part verify/upload. -Yang Tse (9 Mar 2013) -- Makefile.am: empty AM_LDFLAGS definition for automake 1.7 compatibility +- [Daniel Stenberg brought this change] -Steve Holme (9 Mar 2013) -- imap: Added description comments to all perform based functions + fixup data/test1135 + +- [Daniel Stenberg brought this change] -- imap: Removed the need for separate custom request functions + mime: unified to use the typedef'd mime structs everywhere - Moved the custom request processing into the LIST command as the logic - is the same. + ... and slightly edited to follow our code style better. 
-- imap: Corrected typo in comment +- [Daniel Stenberg brought this change] -Yang Tse (9 Mar 2013) -- Makefile.am: empty AM_LDFLAGS definition for automake 1.7 compatibility + curl.h: use lower case curl_mime* as for all public symbols -Steve Holme (9 Mar 2013) -- imap: Moved imap_logout() to be grouped with the other perform functions +- [Daniel Stenberg brought this change] -- email: Updated the function descriptions for the logout / quit functions - - Updated the function description comments following commit 4838d196fdbf. + docs/curl_mime_*.3: use correct variable types in examples -- email: Simplified the logout / quit functions +Kamil Dudka (5 Sep 2017) +- openssl: use OpenSSL's default ciphers by default - Moved the blocking state machine to the disconnect functions so that the - logout / quit functions are only responsible for sending the actual - command needed to logout or quit. + Up2date versions of OpenSSL maintain the default reasonably secure + without breaking compatibility, so it is better not to override the + default by curl. Suggested at https://bugzilla.redhat.com/1483972 - Additionally removed the hard return on failure. + Closes #1846 -- email: Tidied up the *_regular_transfer() functions - - Added comments and simplified convoluted dophase_done comparison. +Viktor Szakats (5 Sep 2017) +- examples/mime: minor example code fixes -- email: Simplified nesting of if statements in *_doing() functions +Daniel Stenberg (5 Sep 2017) +- docs/curl_mime_*.3: added examples -Daniel Stenberg (8 Mar 2013) -- RELEASE-NOTES: mention that krb4 is up for consideration - -Steve Holme (8 Mar 2013) -- imap: Fixed handling of untagged responses for the STORE custom command +- configure: add MultiSSL to FEATURES when enabled - Added an exception, for the STORE command, to the untagged response - processor in imap_endofresp() as servers will back respones containing - the FETCH keyword instead. 
+ ...for curl-config and its corresponding test 1014 -Yang Tse (8 Mar 2013) -- curlbuild.h.dist: enhance non-configure GCC ABI detection logic - - GCC specific adjustments: +- http-proxy: treat all 2xx as CONNECT success - - check __ILP32__ before 32 and 64bit processor architectures in - order to detect ILP32 programming model on 64 bit processors - which, of course, also support LP64 programming model, when using - gcc 4.7 or newer. + Added test 1904 to verify. - - keep 32bit processor architecture checks in order to support gcc - versions older than 4.7 which don't define __ILP32__ - - - check __LP64__ for gcc 3.3 and newer, while keeping 64bit processor - architecture checks for older versions which don't define __LP64__ + Reported-by: Lawrence Wagerfield + Fixes #1859 + Closes #1860 + +- MAIL-ETIQUETTE: added "1.9 Your emails are public" -- curlbuild.h.dist: fix GCC build on ARM systems without configure script +- curl.h: fix "unused checksrc ignore", remove dangling reference - Bug: http://curl.haxx.se/bug/view.cgi?id=1205 - Reported by: technion + ... to a README file that doesn't exist anymore -- [Gisle Vanem brought this change] +Viktor Szakats (4 Sep 2017) +- docs: Update to secure URL versions + +- mime: use CURL_ZERO_TERMINATED in examples + + and some minor whitespace fixes - polarssl.c: fix header filename typo +Daniel Stenberg (4 Sep 2017) +- schannel: return CURLE_SSL_CACERT on failed verification + + ... not *CACERT_BADFILE as it isn't really because of a bad file. + + Bug: https://curl.haxx.se/mail/lib-2017-09/0002.html + Closes #1858 -- configure: use XC_LIBTOOL for portability across libtool versions +- test1135: fixed after bd8070085f9 -- xc-lt-iface.m4: provide XC_LIBTOOL macro +- examples/post-callback: stop returning one byte at a time + + ... since people copy and paste code from this example and thus they get + an inefficient POST operation without a good reason and sometimes + without understanding why. 
+ + Instead this now returns as much data as possible. -Steve Holme (7 Mar 2013) -- imap: Fixed SELECT not being performed for custom requests +- RELEASE-NOTES: fixed the function counter script -- email: Minor code tidy up following recent changes +- curl.h: make the curl_strequal() protos use the same style - Removed unwanted braces and added variable initialisation. + ... as the other functions. Makes it easier to machine-parse! -- DOCS: Corrected the IMAP URL grammar of the UIDVALIDITY parameter +- docs: curl_mime_*.3 man page formatting edits -- FEATURES: Provided a little clarity in some IMAP features +- RELEASE-NOTES: synced with 1ab9e9b50 -- email: Optimised block_statemach() functions - - Optimised the result test in each of the block_statemach() functions. +Patrick Monnerat (4 Sep 2017) +- lib: bump version info (soname). Adapt and reenable test 1135. -- DOCS: Added the list command to the IMAP URL section +Daniel Stenberg (3 Sep 2017) +- headers: move the global_sslset() proto from multi.h to curl.h - Added examples of the list command and clarified existing example URLs - following recent changes. + As it was added to multi.h simply to not break test 1135, which now has + been disabled due to the mime API addition anyway and su we can now move + the sslset stuff to where the other curl_global_* prototypes are. -- FEATURES: Updated for recent imap additions +Patrick Monnerat (3 Sep 2017) +- mime: fix signed/unsigned conversions. - Updated the imap features list, corrected a typo in the smtp features - and clarified a pop3 feature. + Use and generate CURL_ZERO_TERMINATED in curl tool and tests. -Daniel Stenberg (7 Mar 2013) -- version bump: the next release will be 7.30.0 +Jay Satiro (3 Sep 2017) +- tool_formparse: fix some trivial warnings -- checksrc: ban unsafe functions +Patrick Monnerat (3 Sep 2017) +- mime: use size_t instead of ssize_t in public API interface. 
+ + To support telling a string is nul-terminated, symbol CURL_ZERO_TERMINATED + has been introduced. - The list of unsafe functions currently consists of sprintf, vsprintf, - strcat, strncat and gets. + Documentation updated accordingly. - Subsequently, some existing code needed updating to avoid warnings on - this. + symbols in versions updated. Added form API symbols deprecation info. -Steve Holme (7 Mar 2013) -- RELEASE-NOTES: Added missing imap fixes and additions +- mime: remove support "-" stdin pseudo-file name in curl_mime_filedata(). - With all the recent imap changes it wasn't clear what new features and - fixes should be included in the release notes. + This feature is badly supported in Windows: as a replacement, a caller has + to use curl_mime_data_cb() with fread, fseek and possibly fclose + callbacks to process opened files. + + The cli tool and documentation are updated accordingly. + + The feature is however kept internally for form API compatibility, with + the known caveats it always had. + + As a side effect, stdin size is not determined by the cli tool even if + possible and this results in a chunked transfer encoding. Test 173 is + updated accordingly. -Nick Zitzmann (6 Mar 2013) -- RELEASE-NOTES: brought this up-to-date with the latest changes +- mime: fix some implicit curl_off_t --> size_t conversion warnings. -Steve Holme (6 Mar 2013) -- [Jiri Hruska brought this change] +- mime: tests and examples. + + Additional mime-specific tests. + Existing tests updated to reflect small differences (Expect: 100-continue, + data size change due to empty lines, etc). + Option -F headers= keyword added to tests. + test1135 disabled until the entry point order change is resolved. + New example smtp-mime. + Examples postit2 and multi-post converted from form API to mime API. - imap: Fixed test801 and test1321 to specify a message UID +- mime: use in curl cli tool instead of form API. - Just a folder list would be retrieved if UID was not specified now. 
+ Extended -F option syntax to support multipart mail messages. + -F keyword headers= added to include custom headers in parts. + Documentation upgraded. -- [Jiri Hruska brought this change] +- mime: new MIME API. + + Available in HTTP, SMTP and IMAP. + Deprecates the FORM API. + See CURLOPT_MIMEPOST. + Lib code and associated documentation. - imap: Fixed ftpserver.pl to allow verification even through LIST command +- test564: Add a warning comment about shell profile output. - Commit 198012ee inadvertently broke LIST_imap(). + Shell profile output makes the SSH server failing and this problem reason + is not easy to find when no hint is given. -- imap: Tidied up the APPEND and final APPEND response functions +- checksrc: disable SPACEBEFOREPAREN for case statement. - Removed unnecessary state changes on failure and setting of result codes - on success. + The case keyword may be followed by a constant expression and thus should + allow it to start with an open parenthesis. -- imap: Tidied up the final FETCH response function +- runtests.pl: allow <file[1-4]> tags in client section. - Removed unnecessary state change on failure and setting of result code on - success. + This enables tests to create more than one file on the client side. -- imap: Tidied up the LIST response function +- runtests.pl: Apply strippart to upload too. - Reworked comments as they referenced custom commands, removed - unnecessary state change on failure and setting of result code on - success. + This will allow substitution of boundaries in mail messages. -- imap: Removed the custom request response function +- Curl_base64_encode: always call with a real data handle. - Removed imap_state_custom_resp() as imap_state_list_resp() provides the - same functionality. + Some calls in different modules were setting the data handle to NULL, causing + segmentation faults when using builds that enable character code conversions. 
-- [Jiri Hruska brought this change] +- non-ascii: allow conversion functions to be called with a NULL data handle. - imap: Updated ftpserver.pl to be more compliant, added new commands - - Enriched IMAP capabilities of ftpserver.pl in order to be able to - add tests for the new IMAP features. +- http: fix a memory leakage in checkrtspprefix(). + +Daniel Stenberg (2 Sep 2017) +- [Max Dymond brought this change] + + ossfuzz: Move to C++ for curl_fuzzer. - * Added support for APPEND - Saves uploaded data to log/upload.$testno - * Added support for LIST - Returns the contents of <reply/> section in - the current test, like e.g FETCH. - * Added support for STORE - Returns hardcoded updated flags - * Changed handling of SELECT - Returns much more information in the - usual set of untagged responses; uses hardcoded data from an example - in the IMAP RFC - * Changed handling of FETCH - Fixed response format + Automake gets confused if you want to use C++ static libraries with C + code - basically we need to involve the clang++ linker. The easiest way + of achieving this is to rename the C code as C++ code. This gets us a + bit further along the path and ought to be compatible with Google's + version of clang. -- imap: Added check for empty UID in FETCH command +- curl_global_sslset: select backend by name case insensitively - As the UID has to be specified by the user for the FETCH command to work - correctly, added a check to imap_fetch(), although strictly speaking it - is protected by the call from imap_perform(). + Closes #1849 + +- [Max Dymond brought this change] -Kamil Dudka (6 Mar 2013) -- nss: fix misplaced code enabling non-blocking socket mode + ossfuzz: additional seed corpora - The option needs to be set on the SSL socket. Setting it on the model - takes no effect. Note that the non-blocking mode is still not enabled - for the handshake because the code is not yet ready for that. 
+ Create simple seed corpora for: + - FTP + - telnet + - dict + - tftp + - imap + - pop3 + + based off the tests of the same number. + + Closes #1842 -Daniel Stenberg (6 Mar 2013) -- imap: fix compiler warning +- [Max Dymond brought this change] + + ossfuzz: moving towards the ideal integration - imap.c:694:21: error: unused variable 'imapc' [-Werror=unused-variable] + - Start with the basic code from the ossfuzz project. + - Rewrite fuzz corpora to be binary files full of Type-Length-Value + data, and write a glue layer in the fuzzing function to convert + corpora into CURL options. + - Have supporting functions to generate corpora from existing tests + - Integrate with Makefile.am -Steve Holme (5 Mar 2013) -- imap: Added support for list command +- strcase: corrected comment header for Curl_strcasecompare() -- imap: Added list perform and response handler functions +- unit1301: fix error message on first test -- imap: Introduced IMAP_LIST state +- curl_global_sslset.3: show the struct and enum too + + ... so that users can actually write code based on the man page alone, + not having to read the header file. -- imap: Small tidy up of imap_select() to match imap_append() +Jay Satiro (31 Aug 2017) +- darwinssl: handle long strings in TLS certs (follow-up) - Updated the style of imap_select() before adding the LIST command. + - Fix handling certificate subjects that are already UTF-8 encoded. + + Follow-up to b3b75d1 from two days ago. Since then a copy would be + skipped if the subject was already UTF-8, possibly resulting in a NULL + deref later on. + + Ref: https://github.com/curl/curl/issues/1823 + Ref: https://github.com/curl/curl/pull/1831 + + Closes https://github.com/curl/curl/pull/1836 -- imap: Moved mailbox check from the imap_do() function +Daniel Stenberg (31 Aug 2017) +- cyassl: call it the "WolfSSL" backend - In preparation for the addition of the LIST command, moved the mailbox - check from imap_do() to imap_select() and imap_append(). + ... 
instead of cyassl, as this is the current name for it. + + Closes #1844 -- curl_setup.h: Added S_IRDIR() macro for compilers that don't support it +- polarssl: fix multissl breakage - Commit 26eaa8383001 introduces the use of S_ISDIR() yet some compilers, - such as MSVC don't support it, so we must define a substitute using - file flags and mask. + Reported-by: Dan Fandrich + Bug: https://curl.haxx.se/mail/lib-2017-08/0121.html + Closes #1843 -Daniel Stenberg (4 Mar 2013) -- AddFormData: prevent only directories from being posted +- configure: remove the leading comma from the backends list + + ... when darwinssl is used. - Commit f4cc54cb4746ae5a6d (shipped as part of the 7.29.0 release) was a - bug fix that introduced a regression in that while trying to avoid - allowing directory names, it also forbade "special" files like character - devices and more. like "/dev/null" as was used by Oliver who reported - this regression. + Reported-by: Viktor Szakats + Bug: https://github.com/curl/curl/commit/b0989cd3abaff4f9a0717b4875022fa79e33b481#commitcomment-23943493 - Reported by: Oliver Gondža - Bug: http://curl.haxx.se/mail/archive-2013-02/0040.html + Closes #1845 -Nick Zitzmann (3 Mar 2013) -- darwinssl: fix infinite loop if server disconnected abruptly +Kamil Dudka (30 Aug 2017) +- examples/sslbackend.c: fix failure of 'make checksrc' - If the server hung up the connection without sending a closure alert, - then we'd keep probing the socket for data even though it's dead. Now - we're ready for this situation. 
+ ./sslbackend.c:58:3: warning: else after closing brace on same line (BRACEELSE) + } else if(isdigit(*name)) { + ^ + ./sslbackend.c:62:3: warning: else after closing brace on same line (BRACEELSE) + } else + ^ + +Viktor Szakats (30 Aug 2017) +- makefile.m32: add multissl support - Bug: http://curl.haxx.se/mail/lib-2013-03/0014.html - Reported by: Aki Koskinen + Closes https://github.com/curl/curl/pull/1840 -Steve Holme (3 Mar 2013) -- imap: Added comments to imap_append() +Daniel Stenberg (30 Aug 2017) +- curl.h: CURLSSLBACKEND_WOLFSSL used wrong value + + The CURLSSLBACKEND_WOLFSSL is supposed to be an alias for + CURLSSLBACKEND_CYASSL, but used an erronous value. To reduce the risk + for a similar mistake, define the backend aliases to use the enum values + instead. + + Reported-by: Gisle Vanem + Bug: https://curl.haxx.se/mail/lib-2017-08/0120.html -- [Jiri Hruska brought this change] +- curl_global_sslset.3: clarify + + it is a one time *set*, not necessarily a one time use... it can be + called again if the first call failed or just listed the alternatives. + + clarify that the available backends are the ones this build supports + + plus add some formatting + + Reported-by: Rich Gray + Bug: https://curl.haxx.se/mail/lib-2017-08/0119.html - imap: Added required mailbox check for FETCH and APPEND commands +- curl/multi.h: remove duplicated closing c++ brace + + Regression since 1328f69d53f2f2e93 + + Fixes #1841 + Reported-by: Andrei Karas -- pingpong.c: Fix enumerated type mixed with another type +- RELEASE-NOTES: synced with 8c33c963a -- smtp: Updated the coding style for state changes after a send operation +- HELP-US.md: spelling + +- HELP-US.md: "How to get started helping out in the curl project" - Some state changes would be performed after a failure test that - performed a hard return, whilst others would be performed within a test - for success. Updated the code, for consistency, so all instances are - performed within a success test. 
+ Closes #1837 -- pop3: Updated the coding style for state changes after a send operation +Dan Fandrich (29 Aug 2017) +- asyn-thread: Fixed cleanup after OOM - Some state changes would be performed after a failure test that - performed a hard return, whilst others would be performed within a test - for success. Updated the code, for consistency, so all instances are - performed within a success test. + destroy_async_data() assumes that if the flag "done" is not set yet, the + thread itself will clean up once the request is complete. But if an + error (generally OOM) occurs before the thread even has a chance to + start, it will never get a chance to clean up and memory will be leaked. + By clearing "done" only just before starting the thread, the correct + cleanup sequence will happen in all cases. + +Daniel Stenberg (28 Aug 2017) +- curl_global_init.3: mention curl_global_sslset(3) -- imap: Fixed typo in variable assignment +Dan Fandrich (28 Aug 2017) +- unit1606: Fixed shadowed variable warning -- [Jiri Hruska brought this change] +- asyn-thread: Improved cleanup after OOM situations - imap: Fixed custom request handling in imap_done() +- asyn-thread: Set errno to the proper value ENOMEM in OOM situation - Fixed imap_done() so that neither the FINAL states are not entered when - a custom command has been performed. + This used to be set in some configurations to EAI_MEMORY which is not a + valid value for errno and caused Curl_strerror to fail an assertion. -- [Jiri Hruska brought this change] +Daniel Stenberg (28 Aug 2017) +- [Johannes Schindelin brought this change] - imap: Enabled custom requests in imap_select_resp() + configure: Handle "MultiSSL" specially When versioning symbols - Changed imap_select_resp() to invoke imap_custom() instead of - imap_fetch() after the mailbox has been selected if a custom - command has been set. + There is a mode in which libcurl is compiled with versioned symbols, + depending on the active SSL backend. 
+ + When multiple SSL backends are active, it does not make sense to favor + one over the others, so let's not: introduce a new prefix for the case + where multiple SSL backends are compiled into cURL. + + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Enabled custom requests in imap_perform() + configure: allow setting the default SSL backend + + Previously, we used as default SSL backend whatever was first in the + `available_backends` array. + + However, some users may want to override that default without patching + the source code. + + Now they can: with the --with-default-ssl-backend=<backend> option of + the ./configure script. - Modified imap_perform() to start with the custom command instead of - SELECT when a custom command is to be performed and no mailbox has - been given. + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Added custom request perform and response handler functions + vtls: use Curl_ssl_multi pseudo backend only when needed - Added imap_custom(), which initiates the custom command processing, - and an associated response handler imap_state_custom_resp(), which - handles any responses by sending them to the client as body data. + When only one SSL backend is configured, it is totally unnecessary to + let multissl_init() configure the backend at runtime, we can select the + correct backend at build time already. - All untagged responses with the same name as the first word of the - custom request string are accepted, with the exception of SELECT and - EXAMINE which have responses that cannot be easily identified. An - extra check has been provided for them so that any untagged responses - are accepted for them. + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- pop3: Fixed unnecessary parent structure reference +- [Johannes Schindelin brought this change] + + version: if built with more than one SSL backend, report all of them + + To discern the active one from the inactive ones, put the latter into + parentheses. - Updated pop3 code following recent imap changes. + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Added custom request parsing + version: add the CURL_VERSION_MULTI_SSL feature flag - Added imap_parse_custom_request() for parsing the CURLOPT_CUSTOMREQUEST - parameter which URL decodes the value and separates the request from - any parameters - This makes it easier to filter untagged responses - by the request command. + This new feature flag reports When cURL was built with multiple SSL + backends. + + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Introduced custom request parameters + metalink: allow compiling with multiple SSL backends - Added custom request parameters to the per-request structure. - -- [Jiri Hruska brought this change] + Previously, the code assumed that at most one of the SSL backends would + be compiled in, emulating OpenSSL's functions if the configured backend + was not OpenSSL itself. + + However, now we allow building with multiple SSL backends and choosing + one at runtime. Therefore, metalink needs to be adjusted to handle this + scenario, too. + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> - imap: Introduced IMAP_CUSTOM state +- [Johannes Schindelin brought this change] -- imap: Minor code tidy up + docs/examples: demonstrate how to select SSL backends - Minor tidy up of code layout and comments following recent changes. - -- imap: Simplified the imap_state_append_resp() function + The newly-introduced curl_global_sslset() function deserves to be + show-cased. - Introduced the result code variable to simplify the state changes and - remove the hard returns. + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- imap: Changed successful response logic in imap_state_append_resp() - - For consistency changed the logic of the imap_state_append_resp() - function to test for an unsucessful continuation response rather than a - succesful one. +- [Johannes Schindelin brought this change] -- imap: Standardised imapcode condition tests + Add a man page for curl_global_sslset() - For consistency changed two if(constant != imapcode) tests to be - if(imapcode != constant). - -- imap: Moved imap_append() to be with the other perform functions + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Enabled APPEND support in imap_perform() + vtls: introduce curl_global_sslset() + + Let's add a compile time safe API to select an SSL backend. This + function needs to be called *before* curl_global_init(), and can be + called only once. + + Side note: we do not explicitly test that it is called before + curl_global_init(), but we do verify that it is not called multiple times + (even implicitly). + + If SSL is used before the function was called, it will use whatever the + CURL_SSL_BACKEND environment variable says (or default to the first + available SSL backend), and if a subsequent call to + curl_global_sslset() disagrees with the previous choice, it will fail + with CURLSSLSET_TOO_LATE. + + The function also accepts an "avail" parameter to point to a (read-only) + NULL-terminated list of available backends. This comes in real handy if + an application wants to let the user choose between whatever SSL backends + the currently available libcurl has to offer: simply call - Added logic in imap_perform() to perform an APPEND rather than SELECT - and FETCH if an upload has been specified. + curl_global_sslset(-1, NULL, &avail); + + which will return CURLSSLSET_UNKNOWN_BACKEND and populate the avail + variable to point to the relevant information to present to the user. + + Just like with the HTTP/2 push functions, we have to add the function + declaration of curl_global_sslset() function to the header file + *multi.h* because VMS and OS/400 require a stable order of functions + declared in include/curl/*.h (where the header files are sorted + alphabetically). This looks a bit funny, but it cannot be helped. + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Implemented APPEND final processing + vtls: refactor out essential information about the SSL backends + + There is information about the compiled-in SSL backends that is really + no concern of any code other than the SSL backend itself, such as which + function (if any) implements SHA-256 summing. + + And there is information that is really interesting to the user, such as + the name, or the curl_sslbackend value. - The APPEND operation needs to be performed in several steps: - 1) We send "<tag> APPEND <mailbox> <flags> {<size>}\r\n" - 2) Server responds with continuation respose "+ ...\r\n" - 3) We start the transfer and send <size> bytes of data - 4) Only now we end the request command line by sending "\r\n" - 5) Server responds with "<tag> OK ...\r\n" + Let's factor out the latter into a publicly visible struct. This + information will be used in the upcoming API to set the SSL backend + globally. - This commit performs steps 4 and 5, in the DONE phase, as more - processing is required after the transfer. + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Added APPEND perform and response handler functions + vtls: allow selecting which SSL backend to use at runtime + + When building software for the masses, it is sometimes not possible to + decide for all users which SSL backend is appropriate. + + Git for Windows, for example, uses cURL to perform clones, fetches and + pushes via HTTPS, and some users strongly prefer OpenSSL, while other + users really need to use Secure Channel because it offers + enterprise-ready tools to manage credentials via Windows' Credential + Store. + + The current Git for Windows versions use the ugly work-around of + building libcurl once with OpenSSL support and once with Secure Channel + support, and switching out the binaries in the installer depending on + the user's choice. + + Needless to say, this is a super ugly workaround that actually only + works in some cases: Git for Windows also comes in a portable form, and + in a form intended for third-party applications requiring Git + functionality, in which cases this "swap out libcurl-4.dll" simply is + not an option. - Added imap_append() function to initiate upload and imap_append_resp() - to handle the continuation response and start the transfer. + Therefore, the Git for Windows project has a vested interest in teaching + cURL to make the SSL backend a *runtime* option. + + This patch makes that possible. + + By running ./configure with multiple --with-<backend> options, cURL will + be built with multiple backends. + + For the moment, the backend can be configured using the environment + variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and + "schannel"). + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Introduced IMAP_APPEND and IMAP_APPEND_FINAL states + vtls: fold the backend ID into the Curl_ssl structure + + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Updated setting of transfer variables in imap_state_fetch_resp() + curl_ntlm_core: don't complain but #include OpenSSL header if needed - Add number of bytes retrieved from the PP cache to req.bytecount and set - req.maxdownload only when starting a proper download. + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Improved FETCH response parsing + vtls: encapsulate SSL backend-specific data - Added safer parsing of the untagged FETCH response line and the size of - continuation data. - -- imap: Fixed accidentally lossing the result code + So far, all of the SSL backends' private data has been declared as + part of the ssl_connect_data struct, in one big #if .. #elif .. #endif + block. + + This can only work as long as the SSL backend is a compile-time option, + something we want to change in the next commits. + + Therefore, let's encapsulate the exact data needed by each SSL backend + into a private struct, and let's avoid bleeding any SSL backend-specific + information into urldata.h. This is also necessary to allow multiple SSL + backends to be compiled in at the same time, as e.g. OpenSSL's and + CyaSSL's headers cannot be included in the same .c file. - Accidentally lost the result code in imap_state_capability() and - imap_state_login() with commit b06a78622609. + To avoid too many malloc() calls, we simply append the private structs + to the connectdata struct in allocate_conn(). + + This requires us to take extra care of alignment issues: struct fields + often need to be aligned on certain boundaries e.g. 32-bit values need to + be stored at addresses that divide evenly by 4 (= 32 bit / 8 + bit-per-byte). + + We do that by assuming that no SSL backend's private data contains any + fields that need to be aligned on boundaries larger than `long long` + (typically 64-bit) would need. Under this assumption, we simply add a + dummy field of type `long long` to the `struct connectdata` struct. This + field will never be accessed but acts as a placeholder for the four + instances of ssl_backend_data instead. 
the size of each ssl_backend_data + struct is stored in the SSL backend-specific metadata, to allow + allocate_conn() to know how much extra space to allocate, and how to + initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend + pointers. + + This would appear to be a little complicated at first, but is really + necessary to encapsulate the private data of each SSL backend correctly. + And we need to encapsulate thusly if we ever want to allow selecting + CyaSSL and OpenSSL at runtime, as their headers cannot be included within + the same .c file (there are just too many conflicting definitions and + declarations for that). + + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- imap: Another minor comment addition / tidy up +- [Johannes Schindelin brought this change] -- imap: Updated the coding style for state changes after a send operation + vtls: prepare the SSL backends for encapsulated private data - Some state changes would be performed after a failure test that - performed a hard return, whilst others would be performed within a test - for success. Updated the code, for consistency, so all instances are - performed within a success test. - -- pop3 / smtp: Small comment tidy up + At the moment, cURL's SSL backend needs to be configured at build time. + As such, it is totally okay for them to hard-code their backend-specific + data in the ssl_connect_data struct. - Small tidy up to keep some comments consistant across each of the email - protocols. + In preparation for making the SSL backend a runtime option, let's make + the access of said private data a bit more abstract so that it can be + adjusted later in an easy manner. + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: FETCH response handler cleanup before further changes + urldata.h: move SSPI-specific #include to correct location - Removed superfluous NULL assignment after Curl_safefree() and rewrote - some comments and logging messages. - -- pop3: Small tidy up of function arguments + In 86b889485 (sasl_gssapi: Added GSS-API based Kerberos V5 variables, + 2014-12-03), an SSPI-specific field was added to the kerberos5data + struct without moving the #include "curl_sspi.h" later in the same file. + + This broke the build when SSPI was enabled, unless Secure Channel was + used as SSL backend, because it just so happens that Secure Channel also + requires "curl_sspi.h" to be #included. + + In f4739f639 (urldata: include curl_sspi.h when Windows SSPI is enabled, + 2017-02-21), this bug was fixed incorrectly: Instead of moving the + appropriate conditional #include, the Secure Channel-conditional part + was now also SSPI-conditional. + + Fix this problem by moving the correct #include instead. + + This is also required for an upcoming patch that moves all the Secure + Channel-specific stuff out of urldata.h and encapsulates it properly in + vtls/schannel.c instead. + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- imap: Small tidy up of function arguments +- [Johannes Schindelin brought this change] -- smtp: Corrected debug message for POP3_AUTH_FINAL constant + urldata.h: remove support for obsolete PolarSSL version - Following commit ad3177da24b8 corrected the debug message in state() - from AUTH to AUTH_FINAL. - -- pop3: Corrected debug message for POP3_AUTH_FINAL constant + Since 5017d5ada (polarssl: now require 1.3.0+, 2014-03-17), we require + a newer PolarSSL version. No need to keep code trying to support any + older version. - Following commit afad1ce753a1 corrected the debug message in state() - from AUTH to AUTH_FINAL. + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + +- [Johannes Schindelin brought this change] -- imap: Corrected debug message for IMAP_AUTHENTICATE_FINAL constant + getinfo: access SSL internals via Curl_ssl - Following commit 13006f3de9ec corrected the debug message in state() - from AUTHENTICATE to AUTHENTICATE_FINAL. + In the ongoing endeavor to abstract out all SSL backend-specific + functionality, this is the next step: Instead of hard-coding how the + different SSL backends access their internal data in getinfo.c, let's + implement backend-specific functions to do that task. + + This will also allow for switching SSL backends as a runtime option. + + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Fixed error code returned for invalid FETCH response + vtls: move SSL backends' private constants out of their header files - If the FETCH command does not result in an untagged response the the - UID is probably invalid. As such do not return CURLE_OK. + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Added processing of the final FETCH responses + axtls: use Curl_none_* versions of init() and cleanup() - Not processing the final FETCH responses was not optimal, not only - because the response code would be ignored but it would also leave data - unread on the socket which would prohibit connection reuse. + There are convenient no-op versions of the init/cleanup functions now, + no need to define private ones for axTLS. + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Introduced FETCH_FINAL state for processing final fetch responses + vtls: remove obsolete declarations of SSL backend functionality - A typical FETCH response can be broken down into four parts: + These functions are all available via the Curl_ssl struct now, no need + to declare them separately anymore. - 1) "* <uid> FETCH (<what> {<size>}\r\n", using continuation syntax - 2) <size> bytes of the actual message - 3) ")\r\n", finishing the untagged response - 4) "<tag> OK ...", finishing the command + As the global declarations are removed, the corresponding function + definitions are marked as file-local. The only two exceptions here are + Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the + declarations were removed, there are no function definitions to mark + file-local. - Part 1 is read in imap_fetch_resp(), part 2 is consumed in the PERFORM - phase by the transfer subsystem, parts 3 and 4 are currently ignored. - -- imap: fix autobuild warning + Please note that Curl_nss_force_init() is *still* declared globally, as + the only SSL backend-specific function, because it was introduced + specifically for the use case where cURL was compiled with + `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add + support for NSS, 2010-06-27). - Removed whitespace from imap_perform() + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- imap: fix compiler warning - - error: declaration of 'imap' shadows a previous local +- [Johannes Schindelin brought this change] -- smtp: Re-factored the final SMTP_AUTH constant + schannel: reorder functions topologically - Changed the final SMTP_AUTH constant to SMTP_AUTH_FINAL for consistency - with the response function. - -- pop3: Re-factored the final POP3_AUTH constant + The _shutdown() function calls the _session_free() function; While this + is not a problem now (because schannel.h declares both functions), a + patch looming in the immediate future with make all of these functions + file-local. - Changed the final POP3_AUTH constant to POP3_AUTH_FINAL for consistency - with the response function. - -- imap: Re-factored final IMAP_AUTHENTICATE constant + So let's just move the _session_free() function's definition before it + is called. - Changed the final IMAP_AUTHENTICATE constant to IMAP_AUTHENTICATE_FINAL - for consistency with the response function. + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- imap: Updated the coding style of imap_state_servergreet_resp() - - Updated the coding style, in this function, to be consistant with other - response functions rather then performing a hard return on failure. +- [Johannes Schindelin brought this change] -- imap: Reversed the logic of the (un)successful tagged SELECT response + axtls: reorder functions topologically - Reversed the logic of the unsuccessful vs successful tagged SELECT - response in imap_state_select_resp() to be more logical to read. - -- imap: Reversed the logic of the (un)successful tagged CAPABILITY response + The connect_finish() function (like many other functions after it) calls + the Curl_axtls_close() function; While this is not a problem now + (because axtls.h declares the latter function), a patch looming in the + immediate future with make all of these functions file-local. - Reversed the logic of the unsuccessful vs successful tagged CAPABILITY - response in imap_state_capability_resp() to be more logical to read. - -- imap: Corrected char* references with char * + So let's just move the Curl_axtls_close() function's definition before + it is called. - Corrected char* references made in commit: 709b3506cd9b. + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Added processing of more than one response when sent in same packet + vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl struct + + That will allow us to choose the SSL backend at runtime. - Added a loop to imap_statemach_act() in which Curl_pp_readresp() is - called until the cache is drained. Without this multiple responses - received in a single packet could result in a hang or delay. + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Added skipping of SELECT command if already in the same mailbox + vtls: convert the have_curlssl_* constants to runtime flags + + The entire idea of introducing the Curl_ssl struct to describe SSL + backends is to prepare for choosing the SSL backend at runtime. + + To that end, convert all the #ifdef have_curlssl_* style conditionals + to use bit flags instead. - Added storage and checking of the last mailbox userd to prevent - unnecessary switching. + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Introduced the mailbox variable + vtls: move sha256sum into the Curl_ssl struct - Added the mailbox variable to the per-connection structure in - preparation for checking for an already selected mailbox. - -- email: Slight reordering of connection based variables + The SHA-256 checksumming is also an SSL backend-specific function. + Let's include it in the struct declaring the functionality of SSL + backends. + + In contrast to MD5, there is no fall-back code. To indicate this, the + respective entries are NULL for those backends that offer no support for + SHA-256 checksumming. - Reordered the state and ssl_done variables in order to provide more - consistency between the email protocols as well as for for an upcoming - change. + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- imap: Tidied up comments for connection based variables +- [Johannes Schindelin brought this change] -- DOCS: Added the IMAP UIDVALIDITY property to the CURLOPT_URL section + vtls: move md5sum into the Curl_ssl struct + + The MD5 summing is also an SSL backend-specific function. So let's + include it, offering the previous fall-back code as a separate function + now: Curl_none_md5sum(). To allow for that, the signature had to be + changed so that an error could be returned from the implementation + (Curl_none_md5sum() can run out of memory). + + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Added verification of UIDVALIDITY mailbox attribute + vtls: use the Curl_ssl struct to access all SSL backends' functionality - Added support for checking the UIDVALIDITY, and aborting the request, if - it has been specified in the URL and the server response is different. + This is the first step to unify the SSL backend handling. Now all the + SSL backend-specific functionality is accessed via a global instance of + the Curl_ssl struct. + + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Added support for parsing the UIDVALIDITY property + vtls: declare Curl_ssl structs for every SSL backend + + The idea of introducing the Curl_ssl struct was to unify how the SSL + backends are declared and called. To this end, we now provide an + instance of the Curl_ssl struct for each and every SSL backend. - Added support for parsing the UIDVALIDITY property from the SELECT - response and storing it in the per-connection structure. + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Introduced the mailbox_uidvalidity variable + vtls: introduce a new struct for SSL backends - Added the mailbox_uidvalidity variable to the per-connection structure - in preparation for checking the UIDVALIDITY mailbox attribute. + This new struct is similar in nature to Curl_handler: it will define the + functions and capabilities of all the SSL backends (where Curl_handler + defines the functions and capabilities of protocol handlers). + + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- imap: Corrected comment in imap_endofresp() +- [Johannes Schindelin brought this change] -- imap: Corrected whitespace + vtls: make sure every _sha256sum()'s first arg is const + + This patch makes the signature of the _sha256sum() functions consistent + among the SSL backends, in preparation for unifying the way all SSL + backends are accessed. + + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Added filtering of CAPABILITY and FETCH untagged responses + vtls: make sure all _data_pending() functions return bool + + This patch makes the signature of the _data_pending() functions + consistent among the SSL backends, in preparation for unifying the way + all SSL backends are accessed. - Only responses that contain "CAPABILITY" and "FETCH", respectively, - will be sent to their response handler. + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Added a helper function for upcoming untagged response filtering + vtls: make sure all _cleanup() functions return void - RFC 3501 states that "the client MUST be prepared to accept any response - at all times" yet we assume anything received with "* " at the beginning - is the untagged response we want. + This patch makes the signature of the _cleanup() functions consistent + among the SSL backends, in preparation for unifying the way all SSL + backends are accessed. - Introduced a helper function that checks whether the input looks like a - response to specified command, so that we may filter the ones we are - interested in according to the current state. + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Moved CAPABILITY response handling to imap_state_capability_resp() + vtls: use consistent signature for _random() implementations + + This will make the upcoming multissl backend much easier to implement. - Introduced similar handling to the FETCH responses, where even the - untagged data responses are handled by the response handler of the - individual state. + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -Linus Nielsen Feltzing (26 Feb 2013) -- Remove unused variable in smtp_state_data_resp() +- strtooff: fix build for systems with long long but no strtoll option + + Closes #1829 + + Reported-by: Dan Fandrich + Bug: https://github.com/curl/curl/pull/1758#issuecomment-324861615 -Steve Holme (25 Feb 2013) -- email: Small tidy up following recent changes +- darwinssl: handle long strings in TLS certs + + ... as the previous fixed length 128 bytes buffer was sometimes too + small. + + Fixes #1823 + Closes #1831 + + Reported-by: Benjamin Sergeant + Assisted-by: Bill Pyne, Ray Satiro, Nick Zitzmann -- smtp: Removed bytecountp from the per-request structure +- system.h: include sys/poll.h for AIX + + ... to get the event/revent defines that might be used for the poll + struct. - Removed this pointer to a downloaded bytes counter because it was set in - smtp_init() to point to the same variable the transfer functions keep - the count in (k->bytecount), effectively making the code in transfer.c - "*k->bytecountp = k->bytecount" a no-op. + Reported-by: Michael Smith + Fixes #1828 + Closes #1833 -- pop3: Removed bytecountp from the per-request structure +Dan Fandrich (26 Aug 2017) +- tests: Make sure libtests & unittests call curl_global_cleanup() - Removed this pointer to a downloaded bytes counter because it was set in - pop3_init() to point to the same variable the transfer functions keep - the count in (k->bytecount), effectively making the code in transfer.c - "*k->bytecountp = k->bytecount" a no-op. + These were missed in commit c468c27b. 
-- [Jiri Hruska brought this change] +Jay Satiro (26 Aug 2017) +- [theantigod brought this change] - imap: Removed bytecountp from the per-request structure + winbuild: fix embedded manifest option - Removed this pointer to a downloaded bytes counter because it was set in - imap_init() to point to the same variable the transfer functions keep - the count in (k->bytecount), effectively making the code in transfer.c - "*k->bytecountp = k->bytecount" a no-op. + Embedded manifest option didn't work due to incorrect path. + + Fixes https://github.com/curl/curl/issues/1832 + +Daniel Stenberg (25 Aug 2017) +- fuzz/Makefile.am: remove curlbuild.h leftovers -- [Jiri Hruska brought this change] +- examples/threaded-ssl: mention that this is for openssl before 1.1 - imap: Adjusted SELECT and FETCH function order +- imap: use defined names for response codes + + When working on this code I found the previous setup a bit weird while + using proper defines increases readability. - Moved imap_select() and imap_fetch() to be grouped with the other - perform functions. + Closes #1824 -- [Jiri Hruska brought this change] +- CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD - imap: Adjusted SELECT and FETCH state order in imap_statemach_act() +- imap: support PREAUTH - Exchanged the position of these states in the switch statements to - match the state enum, execution and function order. - -- imap: Minor tidy up of comments in imap_parse_url_path() + It is a defined possible greeting at server startup that means the + connection is already authenticated. See + https://tools.ietf.org/html/rfc3501#section-7.1.4 + + Test 846 added to verify. - Tidy up of comments before next round of imap changes. + Fixes #1818 + Closes #1820 -- imap: Fixed incorrect comparison for STARTTLS in imap_endofresp() +Jay Satiro (23 Aug 2017) +- config-tpf: define SIZEOF_LONG - Corrected the comparison type in addition to commit 1dac29fa83a9. 
+ Recent changes that replaced CURL_SIZEOF_LONG in the source with + SIZEOF_LONG broke builds that use the premade configuration files and + don't have SIZEOF_LONG defined. + + Bug: https://github.com/curl/curl/issues/1816 + +Dan Fandrich (23 Aug 2017) +- test1453: Fixed <features> + +Daniel Stenberg (22 Aug 2017) +- [Gisle Vanem brought this change] -- DOCS: Corrected IMAP URL examples according to RFC5092 + config-dos: add missing defines, SIZEOF_* and two others - URL examples that included the UID weren't technically correct although - would pass the curl parser. + Bug: #1816 -Nick Zitzmann (24 Feb 2013) -- darwinssl: fix undefined $ssllib warning in runtests.pl +- curl: shorten and clean up CA cert verification error message - I also added --with-darwinssl to the list of SSL options in configure. + The previous message was just too long for ordinary people and it was + encouraging users to use `--insecure` a little too easy. + + Based-on-work-by: Frank Denis + + Closes #1810 + Closes #1817 + +- request-target.d: mention added in 7.55.0 -Steve Holme (24 Feb 2013) -- imap: Added check for new internal imap response code +Marcel Raad (22 Aug 2017) +- tool_main: turn off MinGW CRT's globbing + + By default, the MinGW CRT globs command-line arguments. This prevents + getting a single asterisk into an argument as test 1299 does. Turn off + globbing by setting the global variable _CRT_glob to 0 for MinGW. + + Fixes https://github.com/curl/curl/issues/1751 + Closes https://github.com/curl/curl/pull/1813 -- imap: Changed the order of the response types in imap_endofresp() +Viktor Szakats (22 Aug 2017) +- makefile.m32: add support for libidn2 - From a maintenance point of view the code reads better to view tagged - responses, then untagged followed by continuation responses. + libidn was replaced with libidn2 last year in configure. + Caveat: libidn2 may depend on a list of further libs. + These can be manually specified via CURL_LDFLAG_EXTRAS. 
- Additionally, this matches the order of responses in POP3. + Closes https://github.com/curl/curl/pull/1815 -- [Jiri Hruska brought this change] +Jay Satiro (22 Aug 2017) +- [Viktor Szakats brought this change] - imap: Added stricter parsing of continuation responses + config-win32: define SIZEOF_LONG - Enhanced the parsing to only allow continuation responses in some - states. + Recent changes that replaced CURL_SIZEOF_LONG in the source with + SIZEOF_LONG broke builds that use the premade configuration files and + don't have SIZEOF_LONG defined. + + Closes https://github.com/curl/curl/pull/1814 -- imap: Simplified memcmp() in tagged response parsing +Daniel Stenberg (20 Aug 2017) +- cmake: enable picky compiler options with clang and gcc + + closes #1799 -- [Jiri Hruska brought this change] +- curl/system.h: fix build for hppa + + Reported-by: John David Anglin + Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872502#10 - imap: Reworked the logic of untagged command responses +- [Even Rouault brought this change] -- imap: Corrected spacing of trailing brace + tftp: fix memory leak on too long filename + + Fixes + + $ valgrind --leak-check=full ~/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz + + ==9752== Memcheck, a memory error detector + ==9752== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. 
+ ==9752== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info + ==9752== Command: /home/even/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz + ==9752== + curl: (71) TFTP file name too long + + ==9752== + ==9752== HEAP SUMMARY: + ==9752== 505 bytes in 1 blocks are definitely lost in loss record 11 of 11 + ==9752== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) + ==9752== by 0x4E61CED: Curl_urldecode (in /home/even/install-curl-git/lib/libcurl.so.4.4.0) + ==9752== by 0x4E75868: tftp_state_machine (in /home/even/install-curl-git/lib/libcurl.so.4.4.0) + ==9752== by 0x4E761B6: tftp_do (in /home/even/install-curl-git/lib/libcurl.so.4.4.0) + ==9752== by 0x4E711B6: multi_runsingle (in /home/even/install-curl-git/lib/libcurl.so.4.4.0) + ==9752== by 0x4E71D00: curl_multi_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0) + ==9752== by 0x4E6950D: curl_easy_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0) + ==9752== by 0x40E0B7: operate_do (in /home/even/install-curl-git/bin/curl) + ==9752== by 0x40E849: operate (in /home/even/install-curl-git/bin/curl) + ==9752== by 0x402693: main (in /home/even/install-curl-git/bin/curl) + + Fixes https://oss-fuzz.com/v2/testcase-detail/5232311106797568 + Credit to OSS Fuzz + + Closes #1808 -- [Jiri Hruska brought this change] +Dan Fandrich (19 Aug 2017) +- runtests: fixed case insensitive matching of keywords + + Commit 5c2aac71 didn't work in the case of mixed-case keywords given 
on + the command-line. - imap: Added stricter parsing of tagged command responses +- tests: Make sure libtests call curl_global_cleanup() - Enhanced the parsing of tagged responses which must start with "OK", - "NO" or "BAD" + This ensures that global data allocations are freed so Valgrind stays + happy. This was a problem with at least PolarSSL and mbedTLS. -- [Jiri Hruska brought this change] +Daniel Stenberg (18 Aug 2017) +- RELEASE-NOTES: synced with 8baead425 - imap: Simplified command response test in imap_endofresp() +- scripts/contri*sh: use "git log --use-mailmap" -- [Jiri Hruska brought this change] +- mailmap: de-duplify some git authors - imap: Corrected comment in imap_endofresp() +- http2_recv: return error better on fatal h2 errors + + Ref #1012 + Figured-out-by: Tatsuhiro Tsujikawa -- DOCS: Corrected layout of POP3 and IMAP URL examples +- KNOWN_BUGS: HTTP test server 'connection-monitor' problems - Corrected layout issues with the POP3 and IMAP URL examples introduced - in commit cb3ae6894fb2. + Closes #868 -- DOCS: Updated CURLOPT_URL section following recent POP3 and IMAP changes +- curl/system.h: check for __ppc__ as well - Updated the POP3 sub-section to refer to message ID rather than mailbox. + ... regression since issue #1774 (commit 10b3df10596a) since obviously + some older gcc doesn't know __powerpc__ while some newer doesn't know + __ppc__ ... - Added an IMAP sub-section with example URLs depicting the specification - of mailbox, uid and section. + Fixes #1797 + Closes #1798 + Reported-by: Ryan Schmidt -- pop3: Refactored the mailbox variable as it didn't reflect it's purpose - - Updated the mailbox variable to correctly reflect it's purpose. The - name mailbox was a leftover from when IMAP and POP3 support was - initially added to curl. 
+- [Jan Alexander Steffens (heftig) brought this change] -- FEATURES: Updated following recent IMAP changes + http: Don't wait on CONNECT when there is no proxy + + Since curl 7.55.0, NetworkManager almost always failed its connectivity + check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP + CONNECT process entirely non-blocking). + + This patch replaces !Curl_connect_complete with Curl_connect_ongoing, + which returns false if the CONNECT state was left uninitialized and lets + the connection continue. + + Closes #1803 + Fixes #1804 + + Also-fixed-by: Gergely Nagy -- [Jiri Hruska brought this change] +- [Johannes Schindelin brought this change] - imap: Added the ability to FETCH a specific UID and SECTION - - Updated the FETCH command to send the UID and SECTION parsed from the - URL. By default the BODY specifier doesn't include a section, BODY[] is - now sent whereas BODY[TEXT] was previously sent. In my opinion - retrieving just the message text is rarely useful when dealing with - emails, as the headers are required for example, so that functionality - is not retained. In can however be simulated by adding SECTION=TEXT to - the URL. + metalink: adjust source code style - Also updated test801 and test1321 due to the BODY change. + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -- email: Additional tidy up of comments following recent changes +- CURL_SIZEOF_LONG: removed, use only SIZEOF_LONG -- smtp: Removed some FTP heritage leftovers +- lib557: no longer use CURL_SIZEOF_* defines + +- config-win32: define SIZEOF_CURL_OFF_T + +- cmake: sizeof curl_off_t, remove unused detections + +- system.h: remove all CURL_SIZEOF_* defines - Removed user and passwd from the SMTP struct as these cannot be set on - a per-request basis and are leftover from legacy FTP code. + ... as they're not used externally and internally we check for the sizes + already in configure etc. - Changed some comments still using FTP terminology. + Closes #1767 -- smtp: Moved the per-request variables to the per-request data structure +- ftp: fix CWD when doing multicwd then nocwd on same connection - Moved the rcpt variable from the per-connection struct smtp_conn to the - new per-request struct and fixed references accordingly. + Fixes #1782 + Closes #1787 + Reported-by: Peter Lamare -- pop3: Introduced a custom SMTP structure for per-request data +- CURLOPT_SSH_COMPRESSION.3: enable with 1L - Created a new SMTP structure and changed the type of the smtp proto - variable in connectdata from FTP* to SMTP*. + (leaves other values reserved for the future) -unknown (23 Feb 2013) -- [Steve Holme brought this change] +- compressed-ssh.d: "Added: 7.56.0" - imap: Minor correction of comments for max line length +- curl/system.h: checksrc compliance -Daniel Stenberg (23 Feb 2013) -- strcasestr: remove check for this unused function +Jay Satiro (17 Aug 2017) +- [Viktor Szakats brought this change] -- pop3: fix compiler warning + ssh: add the ability to enable compression (for SCP/SFTP) + + The required low-level logic was already available as part of + `libssh2` (via `LIBSSH2_FLAG_COMPRESS` `libssh2_session_flag()`[1] + option.) 
- error: declaration of 'pop3' shadows a previous local + This patch adds the new `libcurl` option `CURLOPT_SSH_COMPRESSION` + (boolean) and the new `curl` command-line option `--compressed-ssh` + to request this `libssh2` feature. To have compression enabled, it + is required that the SSH server supports a (zlib) compatible + compression method and that `libssh2` was built with `zlib` support + enabled. + + [1] https://www.libssh2.org/libssh2_session_flag.html + + Ref: https://github.com/curl/curl/issues/1732 + Closes https://github.com/curl/curl/pull/1735 -Steve Holme (23 Feb 2013) -- [Jiri Hruska brought this change] +- examples/ftpuploadresume: checksrc compliance - imap: Added URL parsing of new variables +- [Maksim Stsepanenka brought this change] + + http_proxy: fix build error for CURL_DOES_CONVERSIONS - Updated the imap_parse_url_path() function to parse uidvalidity, uid and - section parameters based on RFC-5092. + Closes https://github.com/curl/curl/pull/1793 -- [Jiri Hruska brought this change] +GitHub (16 Aug 2017) +- [Nick Zitzmann brought this change] - imap: Introduced imap_is_bchar() function + configure: check for __builtin_available() availability (#1788) - Added imap_is_bchar() for testing if a given character is a valid bchar - or not. + This change does two things: + 1. It un-breaks the build in Xcode 9.0. (Xcode 9.0 is currently + failing trying to compile connectx() in lib/connect.c.) + 2. It finally weak-links the connectx() function, and falls back on + connect() when run on older operating systems. -- [Jiri Hruska brought this change] +Daniel Stenberg (16 Aug 2017) +- travis: add metalink to some osx builds + + Closes #1790 - imap: Introduced new per-request veriables +- [Max Dymond brought this change] + + coverage: Use two coveralls commands to get lib/vtls results - Added uidvalidity, uid and section variables to the per-request IMAP - structure in preparation for upcoming URL parsing. 
+ closes #1747 -- pingpong: Renamed curl_ftptransfer to curl_pp_transfer +- darwinssi: fix error: variable length array used -- pop3: Removed some FTP heritage leftovers +- m4/curl-compilers.m4: use proper quotes around string, not backticks - Removed user and passwd from the POP3 struct as these cannot be set on - a per-request basis and are leftover from legacy FTP code. + ... when setting clang version to assume 3.7 - Changed some comments still using FTP terminology. + Caused a lot of "integer expression expected" warnings by configure. -- pop3: Moved the per-request variables to the per-request data structure - - Moved the mailbox and custom request variables from the per-connection - struct pop3_conn to the new per-request struct and fixed references - accordingly. +- [Benbuck Nason brought this change] -- pop3: Introduced a custom POP3 structure for per-request data + cmake: remove dead code for DISABLED_THREADSAFE - Created a new POP3 structure and changed the type of the pop3 proto - variable in connectdata from FTP* to POP*. + Closes #1786 -- [Jiri Hruska brought this change] +Jay Satiro (15 Aug 2017) +- [Jakub Zakrzewski brought this change] - imap: Fixed escaping of mailbox names + curl-confopts.m4: fix --disable-threaded-resolver - Used imap_atom() to escape mailbox names in imap_select(). + Closes https://github.com/curl/curl/issues/1784 -- pingpong: Moved curl_ftptransfer definition to pingpong.h - - Moved the ftp transfer structure into pingpong.h so other protocols that - require it don't have to include ftp.h. +Daniel Stenberg (15 Aug 2017) +- [Ryan Winograd brought this change] -- urldata.h: Fixed comment for opt_no_body variable + progress: Track total times following redirects + + Update the progress timers `t_nslookup`, `t_connect`, `t_appconnect`, + `t_pretransfer`, and `t_starttransfer` to track the total times for + these activities when a redirect is followed. Previously, only the times + for the most recent request would be tracked. 
- Corrected comment for opt_no_body variable to CURLOPT_NOBODY. + Related changes: + + - Rename `Curl_pgrsResetTimesSizes` to `Curl_pgrsResetTransferSizes` + now that the function only resets transfer sizes and no longer + modifies any of the progress timers. + + - Add a bool to the `Progress` struct that is used to prevent + double-counting `t_starttransfer` times. + + Added test case 1399. + + Fixes #522 and Known Bug 1.8 + Closes #1602 + Reported-by: joshhe on github -- email: Minor tidy up following IMAP changes +- [Benbuck Nason brought this change] -- [Jiri Hruska brought this change] + cmake: remove dead code for CURL_DISABLE_RTMP + + Closes #1785 - imap: Removed more FTP leftovers +Kamil Dudka (15 Aug 2017) +- zsh.pl: produce a working completion script again - Changed some variables and comments still using FTP terminology. + Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help + to use <file> and <dir> instead of FILE and DIR, which caused zsh.pl to + produce a broken completion script: + + % curl --<TAB> + _curl:10: no such file or directory: seconds + + Closes #1779 -- [Jiri Hruska brought this change] +Daniel Stenberg (15 Aug 2017) +- curlver: toward 7.56.0? - imap: Removed some FTP heritage leftovers - - Removed user and passwd from the IMAP struct as these cannot be set on - a per-request basis and are leftover from legacy FTP code. +- RELEASE-NOTES: synced with 91c46dc44 -- [Jiri Hruska brought this change] +- test1449: FTP download range with an too large size - imap: Introduced a custom IMAP structure for per-request data +- strtoofft: reduce integer overflow risks globally - Created a new IMAP structure and changed the type of the imap proto - variable in connectdata from FTP* to the new IMAP*. + ... make sure we bail out on overflows. - Moved the mailbox variable from the per-connection struct imap_conn to - the new per-request struct and fixed references accordingly. 
+ Reported-by: Brian Carpenter + Closes #1758 -- pop3: Updated do phrase clean-up comment +- travis: build the examples too - Following commit 65644b833532 for the IMAP module updated the clean-up - comment in POP3. - -- imap: Fixed memory leak when performing multiple selects + to make sure they keep building warning-free - Moved the clean-up of the mailbox variable from imap_disconnect() to - imap_done() as this variable is allocated in the do phase, yet would - have only been freed only once if multiple selects where preformed - on a single connection. + Closes #1777 -Daniel Stenberg (22 Feb 2013) -- [Alexander Klauer brought this change] +- runtests: match keywords case insensitively - Documentation: Typo in docs/CONTRIBUTE +- examples/ftpuploadresume.c: use portable code - Fixes a typo get → git in docs/CONTRIBUTE. + ... converted from the MS specific _snscanf() -- [Alexander Klauer brought this change] +Version 7.55.1 (13 Aug 2017) - repository: ignore patch files generated by git - - Ignores the patch files generated by the 'git format-patch' command. +Daniel Stenberg (13 Aug 2017) +- RELEASE-NOTES/THANKS: curl 7.55.1 release time -- [Alexander Klauer brought this change] +- gitignore: ignore .xz now instead of .lzma - libcurl documentation: clarifications and typos - - * Elaborates on default values of some curl_easy_setopt() options. - * Reminds the user to cast variadic arguments to curl_easy_setopt() to - 'void *' where curl internally interprets them as such. - * Clarifies the working of the CURLOPT_SEEKFUNCTION option for - curl_easy_setopt(). - * Fixes typo 'forth' → 'fourth'. - * Elaborates on CURL_SOCKET_TIMEOUT. - * Adds some missing periods. - * Notes that the return value of curl_version() must not be passed to - free(). +- [Sergei Nikulov brought this change] -- [Alexander Klauer brought this change] + cmake: Threads detection update. 
ref: #1702 + + Closes #1719 - lib/url.c: Generic read/write data pointers +- ipv6_scope: support unique local addresses - Always interprets the pointer passed with the CURLOPT_WRITEDATA or - CURLOPT_READDATA options of curl_easy_setopt() as a void pointer in - order to avoid problems in environments where FILE and void pointers - have non-trivial conversion. + Fixes #1764 + Closes #1773 + Reported-by: James Slaughter -- [Alexander Klauer brought this change] +- [Alex Potapenko brought this change] - libcurl documentation: updates HTML index + curl/system.h: GCC doesn't define __ppc__ on PowerPC, uses __powerpc__ - * Adds several links to documentation of library functions which were - missing. - * Marks documentation of deprecated library functions "(deprecated)". - * Removes spurious .html suffixes. + Closes #1774 -- ossl_seed: avoid recursive seeding! +- test1448: verify redirect to IDN using URL + + Closes #1772 -Steve Holme (22 Feb 2013) -- [Jiri Hruska brought this change] +- [Salah-Eddin Shaban brought this change] - Fixed checking the socket if there is data waiting in the cache + redirect: skip URL encoding for host names + + This fixes redirects to IDN URLs - Use Curl_pp_moredata() in Curl_pp_multi_statemach() to check if there is - more data to be received, rather than the socket state, as a task could - hang waiting for more data from the socket itself. + Fixes #1441 + Closes #1762 + Reported by: David Lord -- imap.c: Fixed an incorrect variable reference +- test2032: mark as flaky (again) + +- travis: test cmake build on tarball too - Fixed an incorrect variable reference which was introduced in commit - a1701eea289f as a result of a copy and paste from SMTP/POP3. 
+ Could've prevented #1755 -- [Jiri Hruska brought this change] +- [Simon Warta brought this change] - pingpong: Introduce Curl_pp_moredata() + cmake: allow user to override CMAKE_DEBUG_POSTFIX - A simple function to test whether the PP is not sending and there are - still more data in its receiver cache. This will be later utilized to: + Closes #1763 + +- connect-to.d: better language + +- connect-to.d: clarified + +- bagder/Curl_tvdiff_us: fix the math - 1) Change Curl_pp_multi_statemach() and Curl_pp_easy_statemach() to - not test socket state and just call user's statemach_act() function - when there are more data to process, because otherwise the task would - just hang, waiting for more data from the socket. + Regression since adef394ac5 (released in 7.55.0) - 2) Allow PP users to read multiple responses by looping as long as there - are more data available and current phase is not finished. - (Currently needed for correct processing of IMAP SELECT responses.) + Reported-by: Han Qiao + Fixes #1769 + Closes #1771 -Nick Zitzmann (19 Feb 2013) -- FEATURES: why yes, we do support metalink +- curl/system.h: add Oracle Solaris Studio - I just noticed Metalink support wasn't listed as a feature of the tool. + Fixes #1752 -- metalink: fix improbable crash parsing metalink filename +- [Alessandro Ghedini brought this change] + + docs: fix typo funtion -> function - The this_url pointer wasn't being initialized, so if strdup() would return - null when copying the filename in a metalink file, then hilarity would - ensue during the cleanup phase. This change was brought to you by clang, - which noticed this and raised a warning. 
+ Closes #1770 + +Alessandro Ghedini (12 Aug 2017) +- docs: fix grammar in CURL_SSLVERSION_MAX_DEFAULT description -Yang Tse (19 Feb 2013) -- smtp.c: fix enumerated type mixed with another type +- docs: fix typo stuct -> struct -- polarssl threadlock cleanup +Dan Fandrich (12 Aug 2017) +- test1447: require a curl with http support -Nick Zitzmann (18 Feb 2013) -- docs: schannel and darwinssl documentation improvements +Daniel Stenberg (11 Aug 2017) +- [Thomas Petazzoni brought this change] + + curl/system.h: support more architectures + + The long list of architectures in include/curl/system.h is annoying to + maintain, and needs to be extended for each and every architecture to + support. + + Instead, let's rely on the __SIZEOF_LONG__ define of the gcc compiler + (we are in the GNUC condition anyway), which tells us if long is 4 + bytes or 8 bytes. + + This fixes the build of libcurl 7.55.0 on architectures such as + OpenRISC or ARC. - Schannel and darwinssl use the certificates built into the - OS to do vert verification instead of bundles. darwinssl - is thread-safe. Corrected typos in the NSS docs. + Closes #1766 + + 
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> -Daniel Stenberg (18 Feb 2013) -- resolver_error: remove wrong error message output +- test2033: this went flaky again - The attempt to use gai_strerror() or alternative function didn't work as - the 'sock_error' field didn't contain the proper error code. But since - this hasn't been reported and thus isn't really a big deal I decided to - just scrap the whole attempt to output the detailed resolver error and - instead remain with just stating that the resolving of the name failed. + Suspicion: when we enabled the threaded resolver by default. -- [Kim Vandry brought this change] +- test1447: verifies the parse proxy fix in 6e0e152ce5c - Curl_resolver_is_resolved: show proper host name on failed resolve +- [Even Rouault brought this change] -- Curl_resolver_is_resolved: fix compiler warning + parse_proxy(): fix memory leak in case of invalid proxy server name + + Fixes the below leak: + + $ valgrind --leak-check=full ~/install-curl-git/bin/curl --proxy "http://a:b@/x" http://127.0.0.1 + curl: (5) Couldn't resolve proxy name + ==5048== + ==5048== HEAP SUMMARY: + ==5048== in use at exit: 532 bytes in 12 blocks + ==5048== total heap usage: 5,288 allocs, 5,276 frees, 445,271 bytes allocated + ==5048== + ==5048== 2 bytes in 1 blocks are definitely lost in loss record 1 of 12 + ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) + ==5048== by 0x4E6CB79: parse_login_details (url.c:5614) + ==5048== by 0x4E6BA82: parse_proxy (url.c:5091) + ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346) + ==5048== by 0x4E6EA18: create_conn (url.c:6498) + ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967) + ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436) + ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160) + ==5048== by 0x4E7C515: easy_transfer (easy.c:708) + ==5048== by 0x4E7C74A: easy_perform (easy.c:794) + ==5048== by 0x4E7C7B1: curl_easy_perform 
(easy.c:813) + ==5048== by 0x414025: operate_do (tool_operate.c:1563) + ==5048== + ==5048== 2 bytes in 1 blocks are definitely lost in loss record 2 of 12 + ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) + ==5048== by 0x4E6CBB6: parse_login_details (url.c:5621) + ==5048== by 0x4E6BA82: parse_proxy (url.c:5091) + ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346) + ==5048== by 0x4E6EA18: create_conn (url.c:6498) + ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967) + ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436) + ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160) + ==5048== by 0x4E7C515: easy_transfer (easy.c:708) + ==5048== by 0x4E7C74A: easy_perform (easy.c:794) + ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813) + ==5048== by 0x414025: operate_do (tool_operate.c:1563) - conversion to 'int' from 'long int' may alter its value + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2984 + Credit to OSS Fuzz for discovery + + Closes #1761 + +- RELEASE-NOTES: synced with 37f2195a9 -- compiler warning fix +- curlver: bump to 7.55.1 + +- openssl: fix "error: this statement may fall through" - follow-up to commit ed7174c6f66, rename 'wait' to 'block' + A gcc7 warning. + +- [David Benjamin brought this change] -- compiler warning fix: declaration of 'wait' shadows a global declaration + openssl: remove CONST_ASN1_BIT_STRING. - It seems older gcc installations (at least) will cause warnings if we - name a variable 'wait'. Now changed to 'block' instead. + Just making the pointer as const works for the pre-1.1.0 path too. - Reported by: Jiří Hruška - Bug: http://curl.haxx.se/mail/lib-2013-02/0247.html + Closes #1759 -Nick Zitzmann (17 Feb 2013) -- MacOSX-Framework: Make script work in Xcode 4.0 and later +- maketgz: remove old *.dist files before making the tarball - Apple made a number of changes to Xcode 4. 
The SDKs were moved, the entire - Developer folder was moved, and PowerPC support was removed. The script - will now adapt to those changes and should be future-proofed against - additional changes in case Apple moves the Developer folder ever again. - Also, the minimum OS X version compiler option was removed, so that the - framework can be built against the latest SDK but still run in older cats. + To avoid "old crap" unintentionally getting shipped. + + Bug: https://curl.haxx.se/mail/lib-2017-08/0050.html + Reported-by: Christian Weisgerber -Daniel Stenberg (17 Feb 2013) -- docs: refer to CURLOPT_ACCEPT_ENCODING instead of the old name +Jay Satiro (10 Aug 2017) +- mkhelp.pl: allow executing this script directly + + - Enable execute permission (chmod +x) + + - Change interpreter to /usr/bin/env perl + + Ref: https://github.com/curl/curl/issues/1743 -Steve Holme (16 Feb 2013) -- email: Tidied up result code variables +Daniel Stenberg (10 Aug 2017) +- configure: use the threaded resolver backend by default if possible - Tidied up result variables to be consistent in name, declaration order - and default values. + Closes #1647 -Nick Zitzmann (16 Feb 2013) -- ntlm_core: fix compiler warning when building with clang +- cmake: move cmake_uninstall.cmake to CMake/ - Fixed a 64-to-32 compiler warning raised when building with - clang and the --with-darwinssl option. + Closes #1756 -Daniel Stenberg (16 Feb 2013) -- Guile-curl: a new libcurl binding +- metalink: fix error: ‘*’ in boolean context, suggest ‘&&’ instead -- polarsslthreadlock: #include the proper memory and debug includes +- dist: fix the cmake build by shipping cmake_uninstall.cmake.in too - Pointed out by Steve Holme + Fixes #1755 -Steve Holme (16 Feb 2013) -- email: Removed unnecessary forward declaration +- travis: verify "make install" - Due to the reordering of functions in commit 586f5d361474 the forward - declaration to state_upgrade_tls() are no longer required. 
+ Help-by: Jay Satiro + Closes #1753 -- pop3.c: Added reference to RFC-5034 +Marcel Raad (10 Aug 2017) +- build: check out *.sln files with Windows line endings + + Visual Studio doesn't like LF line endings in solution files and always + converts them to CRLF when doing changes to the solution. Notably, this + affects the solutions in the release archive. + + Closes https://github.com/curl/curl/pull/1746 -Daniel Stenberg (15 Feb 2013) -- [Willem Sparreboom brought this change] +- gitignore: ignore top-level .vs folder + + This folder is generated when using the CMake build system from within + Visual Studio. + + Closes https://github.com/curl/curl/pull/1746 - PolarSSL: Change to cURL coding style +Jay Satiro (10 Aug 2017) +- digest_sspi: Don't reuse context if the user/passwd has changed + + Bug: https://github.com/curl/curl/issues/1685 + Reported-by: paulharris@users.noreply.github.com + + Assisted-by: Isaac Boukris - Repaired all curl/lib/checksrc.pl warnings in the previous four patches + Closes https://github.com/curl/curl/pull/1742 -- [Willem Sparreboom brought this change] +Daniel Stenberg (9 Aug 2017) +- [Adam Sampson brought this change] - PolarSSL: WIN32 threading support for entropy + dist: Add dictserver.py/negtelnetserver.py to EXTRA_DIST - Added WIN32 threading support for PolarSSL entropy if - --enable-threaded-resolver config flag is set and process.h can be found. + These weren't included in the 7.55.0 release, but are required in order + to run the full test suite. + + Closes #1744 -- [Willem Sparreboom brought this change] +- [Adam Sampson brought this change] - PolarSSL: pthread support for entropy + curl: do bounds check using a double comparison + + The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't + complete: if the parsed number in num is larger than will fit in a long, + the conversion is undefined behaviour (causing test1427 to fail for me + on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). 
Getting + rid of the cast means the comparison will be done using doubles. - Added pthread support for polarssl entropy if --enable-threaded-resolver - config flag is set and pthread.h can be found. + It might make more sense for the max argument to also be a double... + + Fixes #1750 + Closes #1749 -- [Willem Sparreboom brought this change] +- make install: add 8 missing man pages to the installation - PolarSSL: changes to entropy/ctr_drbg/HAVEGE_RANDOM +- build: fix 'make install' with configure, install docs/libcurl/* too + + Broken since d24838d4da9faa - Add non-threaded entropy and ctr_drbg and removed HAVEGE_RANDOM define + Reported-by: Bernard Spil -- [Willem Sparreboom brought this change] +Version 7.55.0 (9 Aug 2017) - PolarSSL: added human readable error strings - - Print out human readable error strings for PolarSSL related errors +Daniel Stenberg (9 Aug 2017) +- RELEASE-NOTES: curl 7.55.0 -Steve Holme (15 Feb 2013) -- pop3: Removed unnecessary state changes on failure +- THANKS: 20 new contributors in 7.55.0 -- imap: Removed unnecessary state change on failure +- [Viktor Szakats brought this change] -Daniel Stenberg (15 Feb 2013) -- metalink_cleanup: yet another follow-up fix + docs/comments: Update to secure URL versions + + Closes #1741 -- metalink_cleanup: define it without argument +- configure: fix recv/send/select detection on Android + + ... since they now provide several functions as + __attribute__((overloadable)), the argument detection logic need + updates. + + Patched-by: destman at github - Since the function takes no argument, the macro shouldn't take one as - some compilers will error out on that. + Fixes #1738 + Closes #1739 -- rename "easy" statemachines: call them block instead +Marcel Raad (8 Aug 2017) +- ax_code_coverage.m4: update to latest version - ... since they're not used by the easy interface really, I wanted to - remove the association. 
Also, I unified the pingpong statemachine driver - into a single function with a 'wait' argument: Curl_pp_statemach. + This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d + from August 01, 2017. Notably, this removes the lconv version whitelist. + + Closes https://github.com/curl/curl/pull/1716 -Yang Tse (15 Feb 2013) -- [Gisle Vanem brought this change] +Daniel Stenberg (7 Aug 2017) +- test1427: verify command line parser integer overflow detection - curl_setup_once.h: definition of HAVE_CLOSE_S defines sclose() to close_s() +- curl: detect and bail out early on parameter integer overflows + + Make the number parser aware of the maximum limit curl accepts for a + value and return an error immediately if larger, instead of running an + integer overflow later. + + Fixes #1730 + Closes #1736 -- [Gisle Vanem brought this change] +- glob: do not continue parsing after a strtoul() overflow range + + Added test 1289 to verify. + + CVE-2017-1000101 + + Bug: https://curl.haxx.se/docs/adv_20170809A.html + Reported-by: Brian Carpenter - config-dos.h: define HAVE_CLOSE_S for MSDOS/Watt-32 +- tftp: reject file name lengths that don't fit + + ... and thereby avoid telling send() to send off more bytes than the + size of the buffer! + + CVE-2017-1000100 + + Bug: https://curl.haxx.se/docs/adv_20170809B.html + Reported-by: Even Rouault + + Credit to OSS-Fuzz for the discovery -- [Gisle Vanem brought this change] +- [Even Rouault brought this change] - config-dos.h: define strerror() to strerror_s_() for High-C + file: output the correct buffer to the user + + Regression brought by 7c312f84ea930d8 (April 2017) + + CVE-2017-1000099 + + Bug: https://curl.haxx.se/docs/adv_20170809C.html + + Credit to OSS-Fuzz for the discovery -- [Gisle Vanem brought this change] +- easy_events: make event data static + + First: this function is only used in debug-builds and not in + release/real builds. It is used to drive tests using the event-based + API. 
+ + A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the + CURLMOPT_TIMERFUNCTION calback can in fact be called even after this + funtion returns, namely when curl_multi_remove_handle() is called. + + Reported-by: Brian Carpenter + +- getparameter: avoid returning uninitialized 'usedarg' + + Fixes #1728 - config-dos.h: define HAVE_TERMIOS_H only for djgpp +Marcel Raad (5 Aug 2017) +- [Isaac Boukris brought this change] -Steve Holme (14 Feb 2013) -- smtp.c: Fixed a trailing whitespace + gssapi: fix memory leak of output token in multi round context - Remove tailing whitespace introduced in commit 7ed689d24a4e. + When multiple rounds are needed to establish a security context + (usually ntlm), we overwrite old token with a new one without free. + Found by proposed gss tests using stub a gss implementation (by + valgrind error), though I have confirmed the leak with a real + gssapi implementation as well. + + Closes https://github.com/curl/curl/pull/1733 -- pop3: Fixed blocking SSL connect when connecting via POP3S +- darwinssl: fix compiler warning + + clang complains: + vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive + [-Werror,-Wextra-tokens] - A call to Curl_ssl_connect() was accidentally left in when the SSL/TLS - connection layer was reworked in 7.29. Not only would this cause the - connection to block but had the additional overhead of calling the - non-blocking connect a little bit later. + This breaks the darwinssl build on Travis. Fix it by making this token + a comment. + + Closes https://github.com/curl/curl/pull/1734 -- smtp: Refactored the smtp_state_auth_resp() function +- CMake: fix CURL_WERROR for MSVC + + When using CURL_WERROR in MSVC builds, the debug flags were overridden + by the release flags and /WX got added twice in debug mode. - Renamed smtp_state_auth_resp() function to match the implementations in - IMAP and POP3. 
+ Closes https://github.com/curl/curl/pull/1715 -Daniel Stenberg (14 Feb 2013) -- remove ifdefs +Daniel Stenberg (4 Aug 2017) +- RELEASE-NOTES: synced with 561e9217c + +- test1010: verify that #1718 is fixed - Clarify the code by reducing ifdefs + ... by doing two transfers in nocwd mode and check that there's no + superfluous CWD command. -- strlcat: remove function +- FTP: skip unnecessary CWD when in nocwd mode - This function was only used twice, both in places where performance - isn't crucial (socks + if2ip). Removing the use of this function removes - the need to have our private version for systems without it == reduced - amount of code. + ... when reusing a connection. If it didn't do any CWD previously. - Also, in the SOCKS case it is clearly better to fail gracefully rather - than to truncate the results. + Fixes #1718 + +Marcel Raad (4 Aug 2017) +- travis: explicitly specify dist - This work was triggered by a bug report on the strcal prototype in - strequal.h. + This makes the builds more reproducible as travis is currently rolling + out trusty as default dist [1]. Specifically, this avoids coverage + check failures when trusty is used as seen in [2] until we figure out + what's wrong. - strlcat was added in commit db70cd28 in February 2001! + [1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming + [2] https://github.com/curl/curl/pull/1692 - Bug: http://curl.haxx.se/bug/view.cgi?id=1192 - Reported by: Jeremy Huddleston + Closes https://github.com/curl/curl/pull/1725 -- Curl_FormBoundary: made static +Daniel Stenberg (4 Aug 2017) +- travis: BUILD_TYPE => T - As Curl_FormBoundary() is no longer used outside of this file (since - commit ad7291c1a9d), it is now renamed to formboundary() and is made - static. 
+ (to make the full line appear nicer on travis web UI) -- ossl_seed: fix the last resort PRNG seeding +- travis: add osx build with darwinssl - Instead of just abusing the pseudo-randomizer from Curl_FormBoundary(), - this now uses Curl_ossl_random() to get entropy. + Closes #1706 -Steve Holme (13 Feb 2013) -- email: Tidy up before additional IMAP work +- darwin: silence compiler warnings - Replaced two explicit comparisons of CURLE_OK with boolean alternatives. + With a clang pragma and three type fixes - General tidy up of comments. + Fixes #1722 -- smtp: Removed duplicate pingpong structure initialisation - - The smtp_connect() function was setting the member variables of the - pingpong structure twice, once before calling Curl_pp_init() and once - after! +- BUILD.WINDOWS: mention buildconf.bat for builds off git + +- darwinssl: fix curlssl_sha256sum() compiler warnings on first argument -Yang Tse (13 Feb 2013) -- move msvc IDE related files to 'vs' directory tree +- test130: verify comments in .netrc + +- [Gisle Vanem brought this change] + + netrc: skip lines starting with '#' - Use 'vs' directory tree given that 'vc' intended one clashes - with an already existing build target in file Makefile.dist. + Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html -Daniel Stenberg (13 Feb 2013) -- install-sh: updated to support multiple source files as arguments +Marcel Raad (3 Aug 2017) +- CMake: set MSVC warning level to 4 - Version 7.29.0 uses Makefiles generated with a newer version of the - autotools than the previous 7.28.1. These Makefiles try to install - e.g. header files by calling install-sh with multiple source files as - arguments. The bundled install-sh is to old and does not support this. + The MSVC warning level defaults to 3 in CMake. Change it to 4, which is + consistent with the Visual Studio and NMake builds. 
Disable level 4 + warning C4127 for the library and additionally C4306 for the test + servers to get a clean CURL_WERROR build as that warning is raised in + some macros in older Visual Studio versions. - The problem only occurs, if install-sh is actually being used, ie. the - platform install executable is to old or not usable. Example: Solaris - 10. + Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794 + Closes https://github.com/curl/curl/pull/1711 + +Daniel Stenberg (2 Aug 2017) +- CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2 - The files install-sh and mkinstalldirs are now updated with the automake - 1.11.3 versions. A better fix might be to completely remove them from - git and force the files to be added/created during buildconf. + Reported-by: Viktor Szakats + +- CURLOPT_NETRC.3: mention the file name on windows - Bug: http://curl.haxx.se/bug/view.cgi?id=1195 - Reported by: Rainer Jung + ... and CURLOPT_NETRC_FILE(3). + +- travis: build osx with libressl too + +- travis: build osx with openssl too -Yang Tse (13 Feb 2013) -- move msvc IDE related files to 'vc' directory tree +- tests/server/util: fix curltime mistake from 4dee50b9c80f9 -- msvc IDE 'vc' directory tree preparation +Marcel Raad (1 Aug 2017) +- curl_threads: fix MSVC compiler warning + + Use LongToHandle to convert from long to HANDLE in the Win32 + implementation. + This should fix the following warning when compiling with + MSVC 11 (2012) in 64-bit mode: + lib\curl_threads.c(113): warning C4306: + 'type cast' : conversion from 'long' to 'HANDLE' of greater size + + Closes https://github.com/curl/curl/pull/1717 -Steve Holme (12 Feb 2013) -- imap: Corrected a whitespace issue from previous commit +Daniel Stenberg (1 Aug 2017) +- BUGS: improved phrasing about security bugs - Fixed a small whitespace issue that crept in there in commit - 508cdf4da4d7. 
+ Reported-by: Max Dymond -- email: Another post optimisation of endofresp() tidy up +- BUGS: clarify how to report security related bugs -- sasl: Fixed null pointer reference when decoding empty digest challenge +- [Brad Spencer brought this change] + + multi: fix request timer management - Fixed a null pointer reference when an empty challenge is passed to the - Curl_sasl_create_digest_md5_message() function. + There are some bugs in how timers are managed for a single easy handle + that causes the wrong "next timeout" value to be reported to the + application when a new minimum needs to be recomputed and that new + minimum should be an existing timer that isn't currently set for the + easy handle. When the application drives a set of easy handles via the + `curl_multi_socket_action()` API (for example), it gets told to wait the + wrong amount of time before the next call, which causes requests to + linger for a long time (or, it is my guess, possibly forever). - Bug: http://sourceforge.net/p/curl/bugs/1193/ - Reported by: Saran Neti + Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html -- email: Post optimisation of endofresp() tidy up +Jay Satiro (1 Aug 2017) +- curl_setup: Define CURL_NO_OLDIES for building libcurl + + .. to catch accidental use of deprecated error codes. - Removed unnecessary end of line check and return. + Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237 -Nick Zitzmann (12 Feb 2013) -- darwinssl: Fix send glitchiness with data > 32 or so KB +Daniel Stenberg (1 Aug 2017) +- [Jeremy Tan brought this change] + + configure: fix the check for IdnToUnicode - An ambiguity in the SSLWrite() documentation lead to a bad inference in the - code where we assumed SSLWrite() returned the amount of bytes written to - the socket, when that is not actually true; it returns the amount of data - that is buffered for writing to the socket if it returns errSSLWouldBlock. 
- Now darwinssl_send() returns CURLE_AGAIN if data is buffered but not written. + Fixes #1669 + Closes #1713 + +- http: fix response code parser to avoid integer overflow - Reference URL: http://curl.haxx.se/mail/lib-2013-02/0145.html + test 1429 and 1433 were updated to work with the stricter HTTP status line + parser. + + Closes #1714 + Reported-by: Brian Carpenter + +Jay Satiro (31 Jul 2017) +- [Dwarakanath Yadavalli brought this change] -Steve Holme (12 Feb 2013) -- pingpong.h: Fixed line length over 78 characters from b56c9eb48e3c + libcurl: Stop using error codes defined under CURL_NO_OLDIES + + Fixes https://github.com/curl/curl/issues/1688 + Closes https://github.com/curl/curl/pull/1712 -- pingpong: Optimised the endofresp() function +- include.d: clarify --include is only for response headers - Reworked the pp->endofresp() function so that the conndata, line and - line length are passed down to it just as with Curl_client_write() - rather than each implementation of the function having to query - these values. + Follow-up to 171f8de and de6de94. - Additionally changed the int return type to bool as this is more - representative of the function's usage. + Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851 + Reported-by: Daniel Stenberg + +Daniel Stenberg (30 Jul 2017) +- [Jason Juang brought this change] -- email: Post STARTLS capability code tidy up (Part Three) + cmake: support make uninstall - Corrected the order of the upgrade_tls() functions and moved the handler - upgrade and getsock() functions out from the middle of the state related - functions. + Closes #1674 -- email: Post STARTLS capability code tidy up (Part Two) +- RELEASE-NOTES: synced with 001701c47 + +Marcel Raad (29 Jul 2017) +- AppVeyor: now really use CURL_WERROR + + It was misspelled as CURL_ERROR in commit + 2d86e8d1286e0fbe3d811e2e87fa0b5e53722db4. 
- Corrected the order of the pop3_state_capa() / imap_state_capability() - and the pop3_state_capa_resp() / imap_state_capability_resp() functions - to match the execution order. + Closes https://github.com/curl/curl/pull/1686 -Daniel Stenberg (11 Feb 2013) -- [ulion brought this change] +Jay Satiro (29 Jul 2017) +- tool_help: clarify --include is only for response headers + + Follow-up to 171f8de. + + Ref: https://github.com/curl/curl/issues/1704 - SOCKS: fix socks proxy when noproxy matched +- splay: fix signed/unsigned mismatch warning - Test 1212 added to verify + Follow-up to 4dee50b. - Bug: http://curl.haxx.se/bug/view.cgi?id=1190 + Ref: https://github.com/curl/curl/pull/1693 -Steve Holme (11 Feb 2013) -- ntlm: Updated comments for the addition of SASL support to IMAP in v7.29 +Daniel Stenberg (28 Jul 2017) +- include.d: clarify that it concerns the response headers + + Reported-by: olesteban at github + Fixes #1704 + +- [Johannes Schindelin brought this change] -- RELEASE-NOTES: Updated following the recent imap/pop3/smtp changes + curl_rtmp: fix a compiler warning + + The headers of librtmp declare the socket as `int`, and on Windows, that + disagrees with curl_socket_t. + + Bug: #1652 + + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -Linus Nielsen Feltzing (10 Feb 2013) -- Fix NULL pointer reference when closing an unused multi handle. +- test1323: verify curlx_tvdiff -Steve Holme (10 Feb 2013) -- email: Post STARTLS capability code tidy up (Part One) +- timeval: struct curltime is a struct timeval replacement - Corrected the order of the CAPA / CAPABILITY state machine constants to - match the execution order. + ... to make all libcurl internals able to use the same data types for + the struct members. The timeval struct differs subtly on several + platforms so it makes it cumbersome to use everywhere. + + Ref: #1652 + Closes #1693 -- imap: Fixed memory leak following commit f6010d9a0359 +- darwinssl: fix variable type mistake (regression) + + ... which made --tlsv1.2 not work because it would blank the max tls + version variable. + + Reported-by: Nick Miyake + Bug: #1703 -- smtp: Added support for the STARTTLS capability (Part Two) +- multi: mention integer overflow risk if using > 500 million sockets + + Reported-by: ovidiu-benea@users.noreply.github.com - Added honoring of the tls_supported flag when starting a TLS upgrade - rather than unconditionally attempting it. If the use_ssl flag is set - to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the - connection will continue to authenticate. If this flag is set to - CURLUSESSL_ALL then the connection will complete with a failure as it - did previously. + Closes #1675 + Closes #1683 -- pop3: Added support for the STLS capability (Part Three) +- checksrc: escape open brace in regex - Added honoring of the tls_supported flag when starting a TLS upgrade - rather than unconditionally attempting it. If the use_ssl flag is set - to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the - connection will continue to authenticate. If this flag is set to - CURLUSESSL_ALL then the connection will complete with a failure as it - did previously. + ... 
to silence warning. -- imap: Added support for the STARTTLS capability (Part Three) +Kamil Dudka (20 Jul 2017) +- nss: fix a possible use-after-free in SelectClientCert() - Added honoring of the tls_supported flag when starting a TLS upgrade - rather than unconditionally attempting it. If the use_ssl flag is set - to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the - connection will continue to authenticate. If this flag is set to - CURLUSESSL_ALL then the connection will complete with a failure as it - did previously. + ... causing a SIGSEGV in showit() in case the handle used to initiate + the connection has already been freed. + + This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803. + + Reported-by: Rob Sanders + Bug: https://bugzilla.redhat.com/1436158 -Daniel Stenberg (10 Feb 2013) -- [Alessandro Ghedini brought this change] +- nss: unify the coding style of nss_send() and nss_recv() + + No changes in behavior intended by this commit. - htmltitle: fix suggested build command +Marcel Raad (18 Jul 2017) +- tests/server/resolve.c: fix deprecation warning + + MSVC warns that gethostbyname is deprecated. Always use getaddrinfo + instead to fix this when IPv6 is enabled, also for IPv4 resolves. This + is also consistent with what libcurl does. + + Closes https://github.com/curl/curl/pull/1682 -Steve Holme (10 Feb 2013) -- pop3: Added support for the STLS capability (Part Two) +Jay Satiro (17 Jul 2017) +- darwinssl: fix pinnedpubkey build error - Added sending of initial CAPA command before STLS is sent. This allows - for the detection of the capability before trying to upgrade the - connection. 
+ - s/SessionHandle/Curl_easy/ + + Bug: https://github.com/curl/curl/commit/eb16305#commitcomment-23035670 + Reported-by: Gisle Vanem -- imap: Added support for the STARTTLS capability (Part Two) +Marcel Raad (16 Jul 2017) +- rtspd: fix GCC warning after MSVC warning fix + + Older GCC warns: + /tests/server/rtspd.c:1194:10: warning: missing braces around + initializer [-Wmissing-braces] - Added sending of initial CAPABILITY command before STARTTLS is sent. - This allows for the detection of the capability before trying to - upgrade the connection. + Fix this by using memset instead of an initializer. -- smtp: Added support for the STLS capability (Part One) +- libtest: fix MSVC warning C4706 - Introduced detection of the STARTTLS capability, in order to add support - for TLS upgrades without unconditionally sending the STARTTLS command. + With warning level 4, MSVC warns about assignments within conditional + expressions. Change the while loop to a do-while loop to fix this. This + change is also consistent with CODE_STYLE.md. -- pop3: Added support for the STLS capability (Part One) +- sockfilt: suppress conversion warning with explicit cast - Introduced detection of the STLS capability, in order to add support - for TLS upgrades without unconditionally sending the STLS command. + MSVC warns when implicitly casting -1 to unsigned long. -- imap: Added support for the STARTTLS capability (Part One) +- rtspd: fix MSVC level 4 warning - Introduced detection of the STARTTLS capability, in order to add support - for TLS upgrades without unconditionally sending the STARTTLS command. + warning C4701: potentially uninitialized local variable 'req' used |
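Review bot: the added 7.55.0 entries dated 7 Aug 2017 record three security fixes (CVE-2017-1000101 in the glob parser, CVE-2017-1000100 in tftp file name length handling, CVE-2017-1000099 in the file: output buffer), yet the diffstat shown here is limited to libs/libcurl/docs/CHANGES, so this view does not confirm that the bundled sources moved with the changelog. Please verify that the same commit updates the library code under libs/libcurl to the release named in the new header (7.60.0); a CHANGES file that is ahead of the code would make the tree look patched for these CVEs when it is not. It would also help to state in the commit message that the update picks up these fixes, so anyone auditing the bundled copy can find the upgrade point without reading the 5282 inserted changelog lines.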