Diffstat (limited to 'libs/libcurl/docs/CHANGES')
-rw-r--r-- | libs/libcurl/docs/CHANGES | 548 |
1 files changed, 282 insertions, 266 deletions
diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES index 762a865fe1..62dce2ee97 100644 --- a/libs/libcurl/docs/CHANGES +++ b/libs/libcurl/docs/CHANGES 
@@ -6,6 +6,288 @@ Changelog +Version 7.76.1 (14 Apr 2021) + +Daniel Stenberg (14 Apr 2021) +- RELEASE-NOTES: synced + + curl 7.76.1 release + +- THANKS: add names from 7.76.1 + +- misc: update copyright year ranges to match latest updates + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: Use ALPN h3-29 for now + + Fixes #6864 + Cloes #6886 + +Jay Satiro (11 Apr 2021) +- TODO: remove 18.22 --fail-with-body + + --fail-with-body was added in 8a964cb (precedes curl-7_76_0). + +Daniel Stenberg (10 Apr 2021) +- [Jürgen Gmach brought this change] + + src/tool_vms.c: remove duplicated word in comment + + Closes #6881 + +- configure: fix CURL_DARWIN_CFLAGS use + + The macro name change was not completely done. + + Follow-up to 5d2c384452543c + Bug: https://github.com/curl/curl/commit/5d2c384452543c7b6c9fb02eaa0afc84fd5ab941#commitcomment-49315187 + Reported-by: Marcel Raad + Closes #6878 + +- [Anthony Shaw brought this change] + + github/workflow: add "security-extended" to codeql-analysis.yml + + Extends the CodeQL code scan. + + Closes #6815 + +- [Jochem Broekhoff brought this change] + + examples/hiperfifo.c: check event_initialized before delete + + If event_del is called with the event struct (still) zeroed out, a + segmentation fault may occur. event_initialized checks whether the + event struct is nonzero. + + Closes #6876 + +- [Patrick Monnerat brought this change] + + ntlm: fix negotiated flags usage + + According to Microsoft document MS-NLMP, current flags usage is not + accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of + extended security in an NTLM authentication message and NTLM version 2 + cannot be negotiated within the protocol. + + The solution implemented here is: if the extended security flag is set, + prefer using NTLM version 2 (as a server featuring extended security + should also support version 2). If version 2 has been disabled at + compile time, use extended security. 
+ + Tests involving NTLM are adjusted to this new behavior. + + Fixes #6813 + Closes #6849 + +- [Patrick Monnerat brought this change] + + ntlm: support version 2 on 32-bit platforms + + Closes #6849 + +- [Patrick Monnerat brought this change] + + curl_ntlm_core.h: simplify conditionals for USE_NTLM2SESSION + + ... as !defined(CURL_DISABLE_CRYPTO_AUTH) is a prerequisite for the + whole NTLM. + + Closes #6849 + +- lib: remove unused HAVE_INET_NTOA_R* defines + + Closes #6867 + +- [Michael Forney brought this change] + + configure: include <time.h> unconditionally + + In 2682e5f5, several instances of AC_HEADER_TIME were removed since + it is a deprecated autoconf macro. However, this was the macro that + defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h> + can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still + used in the configure test body and since it is no longer defined, + <time.h> is *not* included on systems that have <sys/time.h>. + + In particular, at least on musl libc and glibc, <sys/time.h> does + not implicitly include <time.h> and does not declare clock_gettime, + gmtime_r, or localtime_r. This causes configure to fail to detect + those functions. + + The AC_HEADER_TIME macro deprecation text says + + > All current systems provide time.h; it need not be checked for. + > Not all systems provide sys/time.h, but those that do, all allow + > you to include it and time.h simultaneously. + + So, to fix this issue, simply include <time.h> unconditionally when + testing for time-related functions and in libcurl, and don't bother + checking for it. + + Closes #6859 + +- [Michael Forney brought this change] + + configure: remove use of RETSIGTYPE + + This was previously defined by the obsolete AC_TYPE_SIGNAL macro, + which was removed in 2682e5f5. The deprecation text says + + > Your code may safely assume C89 semantics that RETSIGTYPE is void. + + So, remove it and just use void instead. 
+ + Closes #6861 + +- [Muhammed Yavuz Nuzumlalı brought this change] + + install: add instructions for Apple Darwin platforms + + Closes #6860 + +- [Muhammed Yavuz Nuzumlalı brought this change] + + configure: disable min version set for Darwin + + Fixes #6838 + Closes #6860 + +- [David Hu brought this change] + + docs/HTTP3.md: update the build instruction using gnutls + + In ngtcp2 the `with-gnutls` option is disabled by default, which will + cause `curl` unable to be `make` because of lacking the libraries + needed. + + Closes #6857 + +- RELEASE-NOTES: synced + +- typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers + + ... and not values. + + Reported-by: locpyl-tidnyd on github + Fixes #6818 + Closes #6819 + +- ngtcp2+gnutls: clear credentials when freed + + ... to avoid double-free. + + Reported-by: Kenneth Davidson + Fixes #6824 + Closes #6856 + +Jay Satiro (5 Apr 2021) +- [Cherish98 brought this change] + + tool_progress: Fix progress meter in parallel mode + + Make sure the total amount of DL/UL bytes are counted before the + transfer finalizes. Otherwise if a transfer finishes too quick, its + total numbers are not added, and results in a DL%/UL% that goes above + 100%. + + Detail: + + progress_meter() is called periodically, and it may not catch a + transfer's total bytes if the value was unknown during the last call, + and the transfer is finished and deleted (i.e., lost) during the next + call. + + Closes https://github.com/curl/curl/pull/6840 + +- [Emil Engler brought this change] + + libssh: get rid of PATH_MAX + + This removes the last occurrence of PATH_MAX inside our libssh + implementation by calculating the path length from the string length of + the two components. + + Closes #6829 + +Daniel Stenberg (5 Apr 2021) +- http_proxy: only loop on 407 + close if we have credentials + + ... to fix the retry-loop. + + Add test 718 to verify. 
+ + Reported-by: Daniel Kurečka + Fixes #6828 + Closes #6850 + +- h2: allow 100 streams by default + + instead of 13, before the server has told how many streams it + accepts. The server can always reject new streams anyway if we go above + what it accepts. + + Ref: #6826 + Closes #6852 + +- [Luke Granger-Brown brought this change] + + file: support GETing directories again + + After 957bc1881e686f9714c4e6a01bf33535091f0e21, we no longer compute an + expected_size for directories. This has the upshot that when we compare + even an empty Range with the available size, we fail. + + This brings back the previous behaviour, which was to succeed, but with + empty content. This also removes the "Accept-ranges: bytes" header, + which is nonsensical on directories. + + Adds test 3016 + Fixes #6845 + Closes #6846 + +- RELEASE-NOTES: synced + + and bumped to 7.76.1 + +- TLS: fix HTTP/2 selection + + for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and + wolfSSL... + + Regression since 88dd1a8a115b1f5ece (shipped in 7.76.0) + Reported-by: Kenneth Davidson + Reported-by: romamik om github + Fixes #6825 + Closes #6827 + +Jay Satiro (2 Apr 2021) +- hostip: Fix for builds that disable all asynchronous DNS + + - Define Curl_resolver_error function only when USE_CURL_ASYNC. + + Prior to this change building curl without an asynchronous resolver + backend (c-ares or threaded) and without DoH (DNS-over-HTTPS, which is + also asynchronous but independent of resolver backend) would cause a + build error since Curl_resolver_error is called by and evaluates + variables only available in asynchronous builds. 
+ + Reported-by: Benbuck Nason + + Fixes https://github.com/curl/curl/issues/6831 + Closes https://github.com/curl/curl/pull/6832 + +Daniel Stenberg (31 Mar 2021) +- [Gilles Vollant brought this change] + + openssl: Fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY + + Reported-by: Christian Schmitz + Fixes #6816 + Closes #6820 + Version 7.76.0 (31 Mar 2021) Daniel Stenberg (31 Mar 2021) 
@@ -7394,269 +7676,3 @@ Daniel Stenberg (28 Jul 2020) Reviewed-by: Nicolas Sterchele Closes #5732 - -- transfer: fix data_pending for builds with both h2 and h3 enabled - - Closes #5734 - -- curl_multi_setopt: fix compiler warning "result is always false" - - On systems with 32 bit long the expression is always false. Avoid - the warning. - - Reported-by: Gisle Vanem - Bug: https://github.com/curl/curl/commit/61a08508f6a458fe21bbb18cd2a9bac2f039452b#commitcomment-40941232 - Closes #5736 - -- curl: improve the existing file check with -J - - Previously a file that isn't user-readable but is user-writable would - not be properly avoided and would get overwritten. - - Reported-by: BrumBrum on hackerone - Assisted-by: Jay Satiro - Bug: https://hackerone.com/reports/926638 - Closes #5731 - -- [Jonathan Nieder brought this change] - - multi: update comment to say easyp list is linear - - Since 09b9fc900 (multi: remove 'Curl_one_easy' struct, phase 1, - 2013-08-02), the easy handle list is not circular but ends with - ->next pointing to NULL. - - Reported-by: Masaya Suzuki <masayasuzuki@google.com> - Closes #5737 - -- CURLOPT_NOBODY.3: fix the syntax for referring to options - - As test 1140 fails otherwise! - - Follow-up to e1bac81cc815 - -- ngtcp2: store address in sockaddr_storage - - Reported-by: Tatsuhiro Tsujikawa - Closes #5733 - -- CURLOPT_NOBODY.3: clarify what setting to 0 means - - ... and mention that HTTP with other methods than HEAD might get a body and - there's no option available to stop that. - - Closes #5729 - -- setopt: unset NOBODY switches to GET if still HEAD - - Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented - action but before 7.71.0 that used to switch back to GET and with this - change (assuming the method is still set to HEAD) this behavior is - brought back. 
- - Reported-by: causal-agent on github - Fixes #5725 - Closes #5728 - -- [Ehren Bendler brought this change] - - configure: cleanup wolfssl + pkg-config conflicts when cross compiling. - - Also choose a different wolfSSL function to test for NTLM support. - - Fixes #5605 - Closes #5682 - -- configure: show zstd "no" in summary when built without it - - Reported-by: Marc Hörsken - Fixes #5720 - Closes #5730 - -- quiche: handle calling disconnect twice - - Reported-by: lilongyan-huawei on github - Fixes #5726 - Closes #5727 - -- [Nicolas Sterchele brought this change] - - getinfo: reset retry-after value in initinfo - - - Avoid re-using retry_after value from preceding request - - Add libtest 3010 to verify - - Reported-by: joey-l-us on github - Fixes #5661 - Closes #5672 - -Marcel Raad (27 Jul 2020) -- WIN32: stop forcing narrow-character API - - Except where the results are only used for character output. - getenv is not touched because it's part of the public API, and having - it return UTF-8 instead of ANSI would be a breaking change. - - Fixes https://github.com/curl/curl/issues/5658 - Fixes https://github.com/curl/curl/issues/5712 - Closes https://github.com/curl/curl/pull/5718 - -Jay Satiro (27 Jul 2020) -- [Tobias Stoeckmann brought this change] - - mprintf: Fix stack overflows - - Stack overflows can occur with precisions for integers and floats. - - Proof of concepts: - - curl_mprintf("%d, %.*1$d", 500, 1); - - curl_mprintf("%d, %+0500.*1$f", 500, 1); - - Ideally, compile with -fsanitize=address which makes this undefined - behavior a bit more defined for debug purposes. - - The format strings are valid. The overflows occur due to invalid - arguments. If these arguments are variables with contents controlled - by an attacker, the function's stack can be corrupted. - - Also see CVE-2016-9586 which partially fixed the float aspect. - - 
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> - - Closes https://github.com/curl/curl/pull/5722 - -- [Tobias Stoeckmann brought this change] - - mprintf: Fix dollar string handling - - Verify that specified parameters are in range. If parameters are too - large, fail early on and avoid out of boundary accesses. - - Also do not read behind boundaries of illegal format strings. - - These are defensive measures since it is expected that format strings - are well-formed. Format strings should not be modifiable by user - input due to possible generic format string attacks. - - Closes https://github.com/curl/curl/pull/5722 - -Daniel Stenberg (26 Jul 2020) -- ntlm: free target_info before (re-)malloc - - OSS-Fuzz found a way this could get called again with the pointer still - pointing to a malloc'ed memory, leading to a leak. - - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379 - - Closes #5724 - -Marcel Raad (26 Jul 2020) -- CI/macos: set minimum macOS version - - This enables some deprecation warnings. - Previously, autotools defaulted to 10.8. - - Closes https://github.com/curl/curl/pull/5723 - -Daniel Stenberg (26 Jul 2020) -- RELEASE-NOTES: synced - -Marcel Raad (25 Jul 2020) -- CI/macos: enable warnings as errors for CMake builds - - Closes https://github.com/curl/curl/pull/5716 - -- CMake: fix test for warning suppressions - - GCC doesn't warn for unknown `-Wno-` options, except if there are other - warnings or errors [0]. This was problematic with `CURL_WERROR` as that - warning-as-error cannot be suppressed. Notably, this always happened - with `-Wno-pedantic-ms-format` when not targeting Windows. So test for - the positive form of the warning instead, which should always result in - a diagnostic if unknown. 
- - [0] https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html - - Closes https://github.com/curl/curl/pull/5714 - -Jay Satiro (23 Jul 2020) -- curl.h: update CURLINFO_LASTONE - - CURLINFO_LASTONE should have been updated when - CURLINFO_EFFECTIVE_METHOD was added. - - Reported-by: xwxbug@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/5711 - -Marc Hoersken (22 Jul 2020) -- CI/azure: unconditionally enable warnings-as-errors with autotools - - Reviewed-by: Marcel Raad - - Follow up to #5694 - Closes #5706 - -Marcel Raad (21 Jul 2020) -- doh: remove redundant cast - - Closes https://github.com/curl/curl/pull/5704 - -- CI/macos: unconditionally enable warnings-as-errors with autotools - - Previously, warnings were only visible in the output for most jobs. - - Closes https://github.com/curl/curl/pull/5694 - -- util: silence conversion warnings - - timeval::tv_usec might be a 32-bit integer and timespec::tv_nsec might - be a 64-bit integer. This is the case when building for recent macOS - versions, for example. Just treat tv_usec as an int, which should - hopefully always be sufficient on systems with - `HAVE_CLOCK_GETTIME_MONOTONIC`. - - Closes https://github.com/curl/curl/pull/5695 - -- md(4|5): don't use deprecated macOS functions - - They are marked as deprecated for -mmacosx-version-min >= 10.15, - which might result in warnings-as-errors. - - Closes https://github.com/curl/curl/pull/5695 - -Daniel Stenberg (18 Jul 2020) -- strdup: remove the odd strlen check - - It confuses code analyzers with its use of -1 for unsigned value. Also, - a check that's not normally used in strdup() code - and not necessary. - - Closes #5697 - -- [Alessandro Ghedini brought this change] - - travis: update quiche builds for new boringssl layout - - This is required after https://github.com/cloudflare/quiche/pull/593 - moved BoringSSL around slightly. - - This also means that Go is not needed to build BoringSSL anymore (the - one provided by quiche anyway). 
- - Closes #5691 - -Marcel Raad (17 Jul 2020) -- configure: allow disabling warnings - - When using `--enable-warnings`, it was not possible to disable warnings - via CFLAGS that got explicitly enabled. Now warnings are not enabled - anymore if they are explicitly disabled (or enabled) in CFLAGS. This - works for at least GCC, clang, and TCC as they have corresponding - `-Wno-` options for every warning. - - Closes https://github.com/curl/curl/pull/5689 - -Daniel Stenberg (16 Jul 2020) -- ngtcp2: adjust to recent sockaddr updates - - Closes #5690 |
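Review bot: In the first hunk (@@ -6,6 +6,288 @@), the added 7.76.1 entries describe behavioural fixes rather than documentation only: "TLS: fix HTTP/2 selection" is recorded as a regression shipped in 7.76.0, and "ngtcp2+gnutls: clear credentials when freed" is there to avoid a double-free. The diffstat on this page is limited to libs/libcurl/docs/CHANGES, so please confirm that the same commit brings the vendored sources under libs/libcurl to 7.76.1; otherwise the changelog claims fixes the bundled library does not contain. If the file is copied verbatim from the release, leave the typos in the imported text ("Cloes #6886", "SChannnel", "om github") untouched so it still compares cleanly against the original.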
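Review bot: The second hunk (@@ -7394,269 +7676,3 @@) drops the oldest entries from the tail of the file, and several of them are security-relevant: "mprintf: Fix stack overflows" (with its pointer to CVE-2016-9586), "mprintf: Fix dollar string handling", and "curl: improve the existing file check with -J" (hackerone report 926638). After this change the bundled CHANGES no longer records those fixes, so the file should not be read as evidence of which fixes the vendored copy includes. Suggest stating in the commit message that the tail is trimmed as part of the 7.76.1 sync and that the library version, not this file, is the reference when auditing.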