Diffstat (limited to 'libs/libcurl/docs')
-rw-r--r-- | libs/libcurl/docs/CHANGES | 9364 |
-rw-r--r-- | libs/libcurl/docs/THANKS | 85 |
2 files changed, 5469 insertions, 3980 deletions
diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES index 1653a55c98..d48ababb4f 100644 --- a/libs/libcurl/docs/CHANGES +++ b/libs/libcurl/docs/CHANGES 
@@ -6,6 +6,5379 @@ Changelog +Version 7.86.0 (26 Oct 2022) + +Daniel Stenberg (26 Oct 2022) +- RELEASE: synced + + The 7.86.0 release + +- THANKS: added from the 7.86.0 release + +Viktor Szakats (25 Oct 2022) +- noproxy: include netinet/in.h for htonl() + + Solve the Amiga build warning by including `netinet/in.h`. + + `krb5.c` and `socketpair.c` are using `htonl()` too. This header is + already included in those sources. + + Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309 + + Reviewed-by: Daniel Stenberg + Closes #9787 + +Marc Hoersken (24 Oct 2022) +- CI: fix AppVeyor status failing for starting jobs + +Daniel Stenberg (24 Oct 2022) +- test445: verifies the protocols-over-http-proxy flaw and fix + +- http_proxy: restore the protocol pointer on error + + Reported-by: Trail of Bits + + Closes #9790 + +- multi: remove duplicate include of connect.h + + Reported-by: Martin Strunz + Fixes #9794 + Closes #9795 + +Daniel Gustafsson (24 Oct 2022) +- idn: fix typo in test description + + s/enabked/enabled/i + +Daniel Stenberg (24 Oct 2022) +- url: use IDN decoded names for HSTS checks + + Reported-by: Hiroki Kurosawa + + Closes #9791 + +- unit1614: fix disabled-proxy build + + Follow-up to 1e9a538e05c01 + + Closes #9792 + +Daniel Gustafsson (24 Oct 2022) +- cookies: optimize control character check + + When checking for invalid octets the strcspn() call will return the + position of the first found invalid char or the first NULL byte. + This means that we can check the indicated position in the search- + string saving a strlen() call. + + Closes: #9736 + Reviewed-by: Jay Satiro <raysatiro@yahoo.com> + +Daniel Stenberg (24 Oct 2022) +- netrc: replace fgets with Curl_get_line + + Make the parser only accept complete lines and avoid problems with + overly long lines. 
+ + Reported-by: Hiroki Kurosawa + + Closes #9789 + +- RELEASE-NOTES: add "Planned upcoming removals include" + + URL: https://curl.se/mail/archive-2022-10/0001.html + + Suggested-by: Dan Fandrich + +Viktor Szakats (23 Oct 2022) +- ci: bump to gcc-11 for macos + + Ref: https://github.blog/changelog/2022-10-03-github-actions-jobs-running-on-macos-latest-are-now-running-on-macos-12/ + Ref: https://github.com/actions/runner-images/blob/main/images/macos/macos-12-Readme.md + + Reviewed-by: Max Dymond + Closes #9785 + +- Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [ci skip] + + - Reintroduce `CROSSPREFIX`: + + If set, we add it to the `CC` and `AR` values, and to the _default_ + value of `RC`, which is `windres`. This allows to control each of + these individidually, while also allowing to simplify configuration + via `CROSSPREFIX`. + + This variable worked differently earlier. Hopefully this new solution + hits a better compromise in usefulness/complexity/flexibility. + + Follow-up to: aa970c4c08775afcd0c2853be89b0a6f02582d50 + + - Enable warnings again: + + This time with an option to override it via `CFLAGS`. Warnings are + also enabled by default in CMake, `makefile.dj` and `makefile.amiga` + builds (not in autotools though). + + Follow-up to 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3 + + Closes #9784 + +- noproxy: silence unused variable warnings with no ipv6 + + Follow-up to 36474f1050c7f4117e3c8de6cc9217cfebfc717d + + Reviewed-by: Daniel Stenberg + Closes #9782 + +Daniel Stenberg (22 Oct 2022) +- test644: verify --xattr (with redirect) + +- tool_xattr: save the original URL, not the final redirected one + + Adjusted test 1621 accordingly. 
+ + Reported-by: Viktor Szakats + Fixes #9766 + Closes #9768 + +- docs: make sure libcurl opts examples pass in long arguments + + Reported-by: Sergey + Fixes #9779 + Closes #9780 + +Marc Hoersken (21 Oct 2022) +- CI: fix AppVeyor job links only working for most recent build + + Ref: https://github.com/curl/curl/pull/9768#issuecomment-1286675916 + Reported-by: Daniel Stenberg + + Follow up to #9769 + +Viktor Szakats (21 Oct 2022) +- noproxy: fix builds without AF_INET6 + + Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309 + + Reviewed-by: Daniel Stenberg + + Closes #9778 + +Daniel Stenberg (21 Oct 2022) +- noproxy: support proxies specified using cidr notation + + For both IPv4 and IPv6 addresses. Now also checks IPv6 addresses "correctly" + and not with string comparisons. + + Split out the noproxy checks and functionality into noproxy.c + + Added unit test 1614 to verify checking functions. + + Reported-by: Mathieu Carbonneaux + + Fixes #9773 + Fixes #5745 + Closes #9775 + +- urlapi: remove two variable assigns + + To please scan-build: + + urlapi.c:1163:9: warning: Value stored to 'qlen' is never read + qlen = Curl_dyn_len(&enc); + ^ ~~~~~~~~~~~~~~~~~~ + urlapi.c:1164:9: warning: Value stored to 'query' is never read + query = u->query = Curl_dyn_ptr(&enc); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Follow-up to 7d6cf06f571d57 + + Closes #9777 + +- [Jeremy Maitin-Shepard brought this change] + + cmake: improve usability of CMake build as a sub-project + + - Renames `uninstall` -> `curl_uninstall` + - Ensures all export rules are guarded by CURL_ENABLE_EXPORT_TARGET + + Closes #9638 + +- [Don J Olmstead brought this change] + + easy_lock: check for HAVE_STDATOMIC_H as well + + The check for `HAVE_STDATOMIC_H` looks to see if the `stdatomic.h` + header is present. 
+ + Closes #9755 + +- RELEASE-NOTES: synced + +- [Brad Harder brought this change] + + CURLMOPT_PIPELINING.3: dedup manpage xref + + Closes #9776 + +Marc Hoersken (20 Oct 2022) +- CI: report AppVeyor build status for each job + + Also give each job on AppVeyor CI a human-readable name. + + This aims to make job and therefore build failures more visible. + + Reviewed-by: Marcel Raad + Closes #9769 + +Viktor Szakats (20 Oct 2022) +- amiga: set SIZEOF_CURL_OFF_T=8 by default [ci skip] + + Reviewed-by: Daniel Stenberg + + Closes #9771 + +- connect: fix builds without AF_INET6 + + Regression from 2b309560c1e5d6ed5c0e542e6fdffa968b0521c9 + + Reviewed-by: Daniel Stenberg + Reviewed-by: Jay Satiro + + Closes #9770 + +Daniel Stenberg (20 Oct 2022) +- test1105: adjust <data> to work with a hyper build + + Closes #9767 + +- urlapi: fix parsing URL without slash with CURLU_URLENCODE + + When CURLU_URLENCODE is set, the parser would mistreat the path + component if the URL was specified without a slash like in + http://local.test:80?-123 + + Extended test 1560 to reproduce and verify the fix. + + Reported-by: Trail of Bits + + Closes #9763 + +Marc Hoersken (19 Oct 2022) +- tests: avoid CreateThread if _beginthreadex is available + + CreateThread is not threadsafe if mixed with CRT calls. + _beginthreadex on the other hand can be mixed with CRT. + + Reviewed-by: Marcel Raad + Closes #9705 + +Jay Satiro (19 Oct 2022) +- [Joel Depooter brought this change] + + schannel: Don't reset recv/send function pointers on renegotiation + + These function pointers will have been set when the initial TLS + handshake was completed. If they are unchanged, there is no need to set + them again. If they have been changed, as is the case with HTTP/2, we + don't want to override that change. That would result in the + http22_recv/send functions being completely bypassed. 
+ + Prior to this change a connection that uses Schannel with HTTP/2 would + fail on renegotiation with error "Received HTTP/0.9 when not allowed". + + Fixes https://github.com/curl/curl/issues/9451 + Closes https://github.com/curl/curl/pull/9756 + +Viktor Szakats (18 Oct 2022) +- hostip: guard PF_INET6 use + + Some platforms (e.g. Amiga OS) do not have `PF_INET6`. Adjust the code + for these. + + ``` + hostip.c: In function 'fetch_addr': + hostip.c:308:12: error: 'PF_INET6' undeclared (first use in this function) + pf = PF_INET6; + ^~~~~~~~ + ``` + + Regression from 1902e8fc511078fb5e26fc2b907b4cce77e1240d + + Reviewed-by: Daniel Stenberg + + Closes #9760 + +- amiga: do not hardcode openssl/zlib into the os config [ci skip] + + Enable them in `lib/makefile.amiga` and `src/makefile.amiga` instead. + + This allows builds without openssl and/or zlib. E.g. with the + <https://github.com/bebbo/amiga-gcc> cross-compiler. + + Reviewed-by: Daniel Stenberg + + Closes #9762 + +- amigaos: add missing curl header [ci skip] + + Without it, `CURLcode` and `CURLE_*` are undefined. `lib/hostip.h` and + conditional local code need them. + + Reviewed-by: Daniel Stenberg + + Closes #9761 + +Daniel Stenberg (18 Oct 2022) +- cmdline/docs: add a required 'multi' keyword for each option + + The keyword specifies how option works when specified multiple times: + + - single: the last provided value replaces the earlier ones + - append: it supports being provided multiple times + - boolean: on/off values + - mutex: flag-like option that disable anoter flag + + The 'gen.pl' script then outputs the proper and unified language for + each option's multi-use behavior in the generated man page. + + The multi: header is requires in each .d file and will cause build error + if missing or set to an unknown value. 
+ + Closes #9759 + +- CURLOPT_AUTOREFERER.3: highlight the privacy leak risk + + Closes #9757 + +- mprintf: reject two kinds of precision for the same argument + + An input like "%.*1$.9999d" would first use the precision taken as an + argument *and* then the precision specified in the string, which is + confusing and wrong. pass1 will now instead return error on this double + use. + + Adjusted unit test 1398 to verify + + Reported-by: Peter Goodman + + Closes #9754 + +- ftp: remove redundant if + + Reported-by: Trail of Bits + + Closes #9753 + +- tool_operate: more transfer cleanup after parallel transfer fail + + In some circumstances when doing parallel transfers, the + single_transfer_cleanup() would not be called and then 'inglob' could + leak. + + Test 496 verifies + + Reported-by: Trail of Bits + Closes #9749 + +- mqtt: spell out CONNECT in comments + + Instead of calling it 'CONN' in several comments, use the full and + correct protocol packet name. + + Suggested by Trail of Bits + + Closes #9751 + +- CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST + + Not the deprecated CURLOPT_HTTPPOST option. + + Also added two see-alsos. + + Reported-by: Trail of Bits + Closes #9752 + +- RELEASE-NOTES: synced + +Jay Satiro (17 Oct 2022) +- ngtcp2: Fix build errors due to changes in ngtcp2 library + + ngtcp2/ngtcp2@b0d86f60 changed: + + - ngtcp2_conn_get_max_udp_payload_size => + ngtcp2_conn_get_max_tx_udp_payload_size + + - ngtcp2_conn_get_path_max_udp_payload_size => + ngtcp2_conn_get_path_max_tx_udp_payload_size + + ngtcp2/ngtcp2@ec59b873 changed: + + - 'early_data_rejected' member added to ng_callbacks. 
+ + Assisted-by: Daniel Stenberg + Reported-by: jurisuk@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/9747 + Closes https://github.com/curl/curl/pull/9748 + +Daniel Stenberg (16 Oct 2022) +- curl_path: return error if given a NULL homedir + + Closes #9740 + +- libssh: if sftp_init fails, don't get the sftp error code + + This flow extracted the wrong code (sftp code instead of ssh code), and + the code is sometimes (erroneously) returned as zero anyway, so skip + getting it and set a generic error. + + Reported-by: David McLaughlin + Fixes #9737 + Closes #9740 + +- mqtt: return error for too long topic + + Closes #9744 + +- [Rickard Hallerbäck brought this change] + + tool_paramhlp: make the max argument a 'double' + + To fix compiler warnings "Implicit conversion from 'long' to 'double' + may lose precision" + + Closes #9700 + +Marc Hoersken (15 Oct 2022) +- [Philip Heiduck brought this change] + + cirrus-ci: add more macOS builds with m1 based on x86_64 builds + + Also refactor macOS builds to use task matrix. + + Assisted-by: Marc Hörsken + Closes #9565 + +Viktor Szakats (14 Oct 2022) +- cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows + + `lib/config-win32.h` enables this configuration option unconditionally. + Make it apply to CMake builds as well. + + While here, delete a broken check for + `HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID` from `CMakeLists.txt`. This came with + the initial commit [1], but did not include the actual verification code + inside `CMake/CurlTests.c`, so it always failed. A later commit [2] + added a second test, for non-Windows platforms. + + Enabling this flag causes test 1056 to fail with CMake builds, as they + do with autotools builds. Let's apply the same solution and ignore the + results here as well. 
+ + [1] 4c5307b45655ba75ab066564afdc0c111a8b9291 + [2] aec7c5a87c8482b6ddffa352d7d220698652262e + + Reviewed-by: Daniel Stenberg + Assisted-by: Marcel Raad + + Closes #9726 + +- cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows + + autotools enables this configuration option unconditionally for Windows + [^1]. Do the same in CMake. + + The above will make this work for all reasonably recent environments. + The logic present in `lib/config-win32.h` [^2] has the following + exceptions which we did not cover in this CMake update: + + - Builds targeting Windows 2000 and earlier + - MS Visual C++ 5.0 (1997) and earlier + + Also make sure to disable this feature when `HAVE_GETADDRINFO` isn't + set, to avoid a broken build. We might want to handle that in the C + sources in a future commit. + + [^1]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/m4/curl-functions.m4#L2067-L2070 + + [^2]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/lib/config-win32.h#L511-L528 + + Closes #9727 + +- cmake: sync HAVE_SIGNAL detection with autotools + + `HAVE_SIGNAL` means the availability of the `signal()` function in + autotools, while in CMake it meant the availability of that function + _and_ the symbol `SIGALRM`. + + The latter is not available on Windows, but the function is, which means + on Windows, autotools did define `HAVE_SIGNAL`, but CMake did not, + introducing a slight difference into the binaries. + + This patch syncs CMake behaviour with autotools to look for the function + only. + + The logic came with the initial commit adding CMake support to curl, so + the commit history doesn't reveal the reason behind it. In any case, + it's best to check the existence of `SIGALRM` directly in the source + before use. For now, curl builds fine with `HAVE_SIGNAL` enabled and + `SIGALRM` missing. 
+ + Follow-up to 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6 + + Closes #9725 + +- cmake: delete duplicate HAVE_GETADDRINFO test + + A custom `HAVE_GETADDRINFO` check came with the initial CMake commit + [1]. A later commit [2] added a standard check for it as well. The + standard check run before the custom one, so CMake ignored the latter. + + The custom check was also non-portable, so this patch deletes it in + favor of the standard check. + + [1] 4c5307b45655ba75ab066564afdc0c111a8b9291 + [2] aec7c5a87c8482b6ddffa352d7d220698652262e + + Closes #9731 + +Daniel Stenberg (14 Oct 2022) +- tool_formparse: unroll the NULL_CHECK and CONST_FREE macros + + To make the code read more obvious + + Assisted-by: Jay Satiro + + Closes #9710 + +- [Christopher Sauer brought this change] + + docs/INSTALL: update Android Instructions for newer NDKs + + Closes #9732 + +- markdown-uppercase: ignore quoted sections + + Sections within the markdown ~~~ or ``` are now ignored. + + Closes #9733 + +- RELEASE-NOTES: synced + +- test8: update as cookies no longer can have "embedded" TABs in content + +- test1105: extend to verify TAB in name/content discarding cookies + +- cookie: reject cookie names or content with TAB characters + + TABs in name and content seem allowed by RFC 6265: "the algorithm strips + leading and trailing whitespace from the cookie name and value (but + maintains internal whitespace)" + + Cookies with TABs in the names are rejected by Firefox and Chrome. + + TABs in content are stripped out by Firefox, while Chrome discards the + whole cookie. + + TABs in cookies also cause issues in saved netscape cookie files. 
+ + Reported-by: Trail of Bits + + URL: https://curl.se/mail/lib-2022-10/0032.html + URL: https://github.com/httpwg/http-extensions/issues/2262 + + Closes #9659 + +- curl/add_parallel_transfers: better error handling + + 1 - consider the transfer handled at once when in the function, to avoid + the same list entry to get added more than once in rare error + situations + + 2 - set the ERRORBUFFER for the handle first after it has been added + successfully + + Reported-by: Trail of Bits + + Closes #9729 + +- netrc: remove the two 'changed' arguments + + As no user of these functions used the returned content. + +- test495: verify URL encoded user name + netrc-optional + + Reproduced issue #9709 + +- netrc: use the URL-decoded user + + When the user name is provided in the URL it is URL encoded there, but + when used for authentication the encoded version should be used. + + Regression introduced after 7.83.0 + + Reported-by: Jonas Haag + Fixes #9709 + Closes #9715 + +- [Shaun Mirani brought this change] + + url: allow non-HTTPS HSTS-matching for debug builds + + Closes #9728 + +- test1275: remove the check of stderr + + To avoid the mysterious test failures on Windows, instead rely on the + error code returned on failure. + + Fixes #9716 + Closes #9723 + +Viktor Szakats (13 Oct 2022) +- lib: set more flags in config-win32.h + + The goal is to add any flag that affect the created binary, to get in + sync with the ones built with CMake and autotools. + + I took these flags from curl-for-win [0], where they've been tested with + mingw-w64 and proven to work well. 
+ + This patch brings them to curl as follows: + + - Enable unconditionally those force-enabled via + `CMake/WindowsCache.cmake`: + + - `HAVE_SETJMP_H` + - `HAVE_STRING_H` + - `HAVE_SIGNAL` (CMake equivalent is `HAVE_SIGNAL_FUNC`) + + - Expand existing guards with mingw-w64: + + - `HAVE_STDBOOL_H` + - `HAVE_BOOL_T` + + - Enable Win32 API functions for Windows Vista and later: + + - `HAVE_INET_NTOP` + - `HAVE_INET_PTON` + + - Set sizes, if not already set: + + - `SIZEOF_OFF_T = 8` + - `_FILE_OFFSET_BITS = 64` when `USE_WIN32_LARGE_FILES` is set, + and using mingw-w64. + + - Add the remaining for mingw-w64 only. Feel free to expand as desired: + + - `HAVE_LIBGEN_H` + - `HAVE_FTRUNCATE` + - `HAVE_BASENAME` + - `HAVE_STRTOK_R` + + Future TODO: + + - `HAVE_SIGNAL` has a different meaning in CMake. It's enabled when both + the `signal()` function and the `SIGALRM` macro are found. In + autotools and this header, it means the function only. For the + function alone, CMake uses `HAVE_SIGNAL_FUNC`. + + [0] https://github.com/curl/curl-for-win/blob/c9b9a5f273c94c73d2b565ee892c4dff0ca97a8c/curl-m32.sh#L53-L58 + + Reviewed-by: Daniel Stenberg + + Closes #9712 + +Daniel Stenberg (13 Oct 2022) +- tests: add tests/markdown-uppercase.pl to dist tarball + + Follow-up to aafb06c5928183d + + Closes #9722 + +- tool_paramhelp: asserts verify maximum sizes for string loading + + The two defines MAX_FILE2MEMORY and MAX_FILE2STRING define the largest + strings accepted when loading files into memory, but as the size is + later used as input to functions that take the size as 'int' as + argument, the sizes must not be larger than INT_MAX. + + These two new assert()s make the code error out if someone would bump + the sizes without this consideration. 
+ + Reported-by Trail of Bits + + Closes #9719 + +- http: try parsing Retry-After: as a number first + + Since the date parser allows YYYYMMDD as a date format (due to it being + a bit too generic for parsing this particular header), a large integer + number could wrongly match that pattern and cause the parser to generate + a wrong value. + + No date format accepted for this header starts with a decimal number, so + by reversing the check and trying a number first we can deduct that if + that works, it was not a date. + + Reported-by Trail of Bits + + Closes #9718 + +- [Patrick Monnerat brought this change] + + doc: fix deprecation versions inconsistencies + + Ref: https://curl.se/mail/lib-2022-10/0026.html + + Closes #9711 + +- http_aws_sigv4: fix strlen() check + + The check was off-by-one leading to buffer overflow. + + Follow-up to 29c4aa00a16872 + + Detected by OSS-Fuzz + + Closes #9714 + +- curl/main_checkfds: check the fcntl return code better + + fcntl() can (in theory) return a non-zero number for success, so a + better test for error is checking for -1 explicitly. + + Follow-up to 41e1b30ea1b77e9ff + + Mentioned-by: Dominik Klemba + + Closes #9708 + +Viktor Szakats (12 Oct 2022) +- tidy-up: delete unused HAVE_STRUCT_POLLFD + + It was only defined in `lib/config-win32.h`, when building for Vista. + + It was only used in `select.h`, in a condition that also included a + check for `POLLIN` which is a superior choice for this detection and + which was already used by cmake and autotools builds. + + Delete both instances of this macro. + + Closes #9707 + +Daniel Stenberg (12 Oct 2022) +- test1275: verify upercase after period in markdown + + Script based on the #9474 pull-request logic, but implemented in perl. + + Updated docs/URL-SYNTAX.md accordingly. 
+ + Suggested-by: Dan Fandrich + + Closes #9697 + +- [12932 brought this change] + + misc: nitpick grammar in comments/docs + + because the 'u' in URL is actually a consonant *sound* it is only + correct to write "a URL" + + sorry this is a bit nitpicky :P + + https://english.stackexchange.com/questions/152/when-should-i-use-a-vs-an + https://www.techtarget.com/whatis/feature/Which-is-correct-a-URL-or-an-URL + + Closes #9699 + +Viktor Szakats (11 Oct 2022) +- Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [ci skip] + + This patch aimed to fix a regression [0], where `CC` initialization + moved beyond its first use. But, on closer inspection it turned out that + the `CC` initialization does not work as expected due to GNU Make + filling it with `cc` by default. So unless implicit values were + explicitly disabled via a GNU Make option, the default value of + `$CROSSPREFIX` + `gcc` was never used. At the same time the implicit + value `cc` maps to `gcc` in (most/all?) MinGW envs. + + `AR` has the same issue, with a default value of `ar`. + + We could reintroduce a separate variable to fix this without ill + effects, but for simplicity and flexibility, it seems better to drop + support for `CROSSPREFIX`, along with our own `CC`/`AR` init logic, and + require the caller to initialize `CC`, `AR` and `RC` to the full + (prefixed if necessary) names of these tools, as desired. + + We keep `RC ?= windres` because `RC` is empty by default. + + Also fix grammar in a comment. + + [0] 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3 + + Closes #9698 + +- smb: replace CURL_WIN32 with WIN32 + + PR #9255 aimed to fix a Cygwin/MSYS issue (#8220). It used the + `CURL_WIN32` macro, but that one is not defined here, while compiling + curl itself. This patch changes this to `WIN32`, assuming this was the + original intent. 
+ + Regression from 1c52e8a3795ccdf8ec9c308f4f8f19cf10ea1f1a + + Reviewed-by: Marcel Raad + + Closes #9701 + +Daniel Stenberg (11 Oct 2022) +- [Matthias Gatto brought this change] + + aws_sigv4: fix header computation + + Handle canonical headers and signed headers creation as explained here: + https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html + + The algo tells that signed and canonical must contain at last host and + x-amz-date. + + So we check whatever thoses are present in the curl http headers list. + If they are, we use the one enter by curl user, otherwise we generate + them. then we to lower, and remove space from each http headers plus + host and x-amz-date, then sort them all by alphabetical order. + + This patch also fix a bug with host header, which was ignoring the port. + + Closes #7966 + +Jay Satiro (11 Oct 2022) +- [Aftab Alam brought this change] + + README.md: link the curl logo to the website + + - Link the curl:// image to https://curl.se/ + + Closes https://github.com/curl/curl/pull/9675 + +- [Dustin Howett brought this change] + + schannel: when importing PFX, disable key persistence + + By default, the PFXImportCertStore API persists the key in the user's + key store (as though the certificate was being imported for permanent, + ongoing use.) + + The documentation specifies that keys that are not to be persisted + should be imported with the flag PKCS12_NO_PERSIST_KEY. + NOTE: this flag is only supported on versions of Windows newer than XP + and Server 2003. + + -- + + This is take 2 of the original fix. It extends the lifetime of the + client certificate store to that of the credential handle. The original + fix which landed in 70d010d and was later reverted in aec8d30 failed to + work properly because it did not do that. + + Minor changes were made to the schannel credential context to support + closing the client certificate store handle at the end of an SSL session. 
+ + -- + + Reported-by: ShadowZzj@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/9300 + Supersedes https://github.com/curl/curl/pull/9363 + Closes https://github.com/curl/curl/pull/9460 + +Viktor Szakats (11 Oct 2022) +- Makefile.m32: support more options [ci skip] + + - Add support for these options: + `-wolfssl`, `-wolfssh`, `-mbedtls`, `-libssh`, `-psl` + + Caveats: + - `-wolfssh` requires `-wolfssl`. + - `-wolfssl` cannot be used with OpenSSL backends in parallel. + - `-libssh` has build issues with BoringSSL and LibreSSL, and also + what looks like a world-writable-config vulnerability on Windows. + Consider it experimental. + - `-psl` requires `-idn2` and extra libs passed via + `LIBS=-liconv -lunistring`. + + - Detect BoringSSL/wolfSSL and set ngtcp2 crypto lib accordingly. + - Generalize MultiSSL detection. + - Use else-if syntax. Requires GNU Make 3.81 (2006-04-01). + - Document more customization options. + + This brings over some configuration logic from `curl-for-win`. + + Closes #9680 + +- cmake: enable more detection on Windows + + Enable `HAVE_UNISTD_H`, `HAVE_STRTOK_R` and `HAVE_STRCASECMP` detection + on Windows, instead of having predefined values. + + With these features detected correctly, CMake Windows builds get closer + to the autotools and `config-win32.h` ones. + + This also fixes detecting `HAVE_FTRUNCATE` correctly, which required + `unistd.h`. + + Fixing `ftruncate()` in turn causes a build warning/error with legacy + MinGW/MSYS1 due to an offset type size mismatch. This env misses to + detect `HAVE_FILE_OFFSET_BITS`, which may be a reason. This patch + force-disables `HAVE_FTRUNCATE` for this platform. + + Reviewed-by: Daniel Stenberg + + Closes #9687 + +- autotools: allow unix sockets on Windows + + Fixes: https://github.com/curl/curl-for-win/blob/73a070d96fd906fdee929e2f1f00a9149fb39239/curl-autotools.sh#L44-L47 + + On Windows this feature is present, but not the header used in the + detection logic. 
It also requires an elaborate enabler logic + (as seen in `lib/curl_setup.h`). Let's always allow it and let the + lib code deal with the details. + + Closes #9688 + +- cmake: add missing inet_ntop check + + This adds the missing half of the check, next to the other half + already present in `lib/curl_config.h.cmake`. + + Force disable `HAVE_INET_NTOP` for old MSVC where it caused compiler + warnings. + + Reviewed-by: Daniel Stenberg + + Closes #9689 + +Daniel Stenberg (11 Oct 2022) +- RELEASE-NOTES: synced + +- [bsergean on github brought this change] + + asyn-ares: set hint flags when calling ares_getaddrinfo + + The hint flag is ARES_AI_NUMERICSERV, and it will save a call to + getservbyname or getservbyname_r to set it. + + Closes #9694 + +- header.d: add category smtp and imap + + They were previously (erroneously) added manually to tool_listhelp.c + which would make them get removed again when the file is updated next + time, unless added correctly here in header.d + + Follow-up to 2437fac01 + + Closes #9690 + +- curl/get_url_file_name: use libcurl URL parser + + To avoid URL tricks, use the URL parser for this. + + This update changes curl's behavior slightly in that it will ignore the + possible query part from the URL and only use the file name from the + actual path from the URL. I consider it a bugfix. + + "curl -O localhost/name?giveme-giveme" will now save the output in the + local file named 'name' + + Updated test 1210 to verify + + Assisted-by: Jay Satiro + + Closes #9684 + +- [Martin Ågren brought this change] + + docs: fix grammar around needing pass phrase + + "You never needed a pass phrase" reads like it's about to be followed by + something like "until version so-and-so", but that is not what is + intended. Change to "You never need a pass phrase". There are two + instances of this text, so make sure to update both. + +- [Xiang Xiao brought this change] + + cmake: add the check of HAVE_SOCKETPAIR + + which is used by Curl_socketpair + + 
Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com> + + Closes #9686 + +- curl/add_file_name_to_url: use the libcurl URL parser + + instead of the custom error-prone parser, to extract and update the path + of the given URL + + Closes #9683 + +- single_transfer: use the libcurl URL parser when appending query parts + + Instead of doing "manual" error-prone parsing in another place. + + Used when --data contents is added to the URL query when -G is provided. + + Closes #9681 + +- ws: fix buffer pointer use in the callback loop + + Closes #9678 + +- [Petr Štetiar brought this change] + + curl-wolfssl.m4: error out if wolfSSL is not usable + + When I explicitly declare, that I would like to have curl built with + wolfSSL support using `--with-wolfssl` configure option, then I would + expect, that either I endup with curl having that support, for example + in form of https support or it wouldn't be available at all. + + Downstream projects like for example OpenWrt build curl wolfSSL variant + with `--with-wolfssl` already, but in certain corner cases it does fail: + + configure:25299: checking for wolfSSL_Init in -lwolfssl + configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip] + In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.h:33, + from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_public.h:35, + from target-x86_64_musl/usr/include/wolfssl/ssl.h:35, + from conftest.c:47: + target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal error: wolfssl/wolfcrypt/sp_int.h: No such file or directory + #include <wolfssl/wolfcrypt/sp_int.h> + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ + compilation terminated. + + and in the end thus produces curl without https support: + + curl: (1) Protocol "https" not supported or disabled in libcurl + + So fix it, by making the working wolfSSL mandatory and error out in + configure step when that's not the case: + + checking for wolfSSL_Init in -lwolfssl... 
no + configure: error: --with-wolfssl but wolfSSL was not found or doesn't work + + References: https://github.com/openwrt/packages/issues/19005 + References: https://github.com/openwrt/packages/issues/19547 + 
Signed-off-by: Petr Štetiar <ynezz@true.cz> + + Closes #9682 + +- tool_getparam: pass in the snprintf("%.*s") string length as 'int' + + Reported by Coverity CID 1515928 + + Closes #9679 + +- [Paul Seligman brought this change] + + ws: minor fixes for web sockets without the CONNECT_ONLY flag + + - Fixed an issue where is_in_callback was getting cleared when using web + sockets with debug logging enabled + - Ensure the handle is is_in_callback when calling out to fwrite_func + - Change the write vs. send_data decision to whether or not the handle + is in CONNECT_ONLY mode. + - Account for buflen not including the header length in curl_ws_send + + Closes #9665 + +Marc Hoersken (8 Oct 2022) +- CI/cirrus: merge existing macOS jobs into a job matrix + + Ref: #9627 + Reviewed-by: Philip H. + + Closes #9672 + +Daniel Stenberg (8 Oct 2022) +- strcase: add and use Curl_timestrcmp + + This is a strcmp() alternative function for comparing "secrets", + designed to take the same time no matter the content to not leak + match/non-match info to observers based on how fast it is. + + The time this function takes is only a function of the shortest input + string. + + Reported-by: Trail of Bits + + Closes #9658 + +- tool_getparam: split out data_urlencode() into its own function + + Closes #9673 + +- connect: fix Curl_updateconninfo for TRNSPRT_UNIX + + Reported-by: Vasiliy Ulyanov + Fixes #9664 + Closes #9670 + +- ws: fix Coverity complaints + + Coverity pointed out several flaws where variables remained + uninitialized after forks. + + Follow-up to e3f335148adc6742728f + + Closes #9666 + +Marc Hoersken (7 Oct 2022) +- CI/GHA: merge msh3 and openssl3 builds into linux workflow + + Continue work on merging all Linux workflows into one file. 
+ + Follow up to #9501 + Closes #9646 + +Daniel Stenberg (7 Oct 2022) +- curl_ws_send.3: call the argument 'fragsize' + + Since WebSocket works with "fragments" not "frames" + + Closes #9668 + +- easy: avoid Intel error #2312: pointer cast involving 64-bit pointed-to type + + Follow-up to e3f335148adc6742728ff8 + + Closes #9669 + +- tool_main: exit at once if out of file descriptors + + If the main_checkfds function cannot create new file descriptors in an + attempt to detect of stdin, stdout or stderr are closed. + + Also changed the check to use fcntl() to check if the descriptors are + open, which avoids superfluously calling pipe() if they all already are. + + Follow-up to facfa19cdd4d0094 + + Reported-by: Trail of Bits + + Closes #9663 + +- websockets: remodeled API to support 63 bit frame sizes + + curl_ws_recv() now receives data to fill up the provided buffer, but can + return a partial fragment. The function now also get a pointer to a + curl_ws_frame struct with metadata that also mentions the offset and + total size of the fragment (of which you might be receiving a smaller + piece). This way, large incoming fragments will be "streamed" to the + application. When the curl_ws_frame struct field 'bytesleft' is 0, the + final fragment piece has been delivered. + + curl_ws_recv() was also adjusted to work with a buffer size smaller than + the fragment size. (Possibly needless to say as the fragment size can + now be 63 bit large). + + curl_ws_send() now supports sending a piece of a fragment, in a + streaming manner, in addition to sending the entire fragment in a single + call if it is small enough. To send a huge fragment, curl_ws_send() can + be used to send it in many small calls by first telling libcurl about + the total expected fragment size, and then send the payload in N number + of separate invokes and libcurl will stream those over the wire. 
+ + The struct curl_ws_meta() returns is now called 'curl_ws_frame' and it + has been extended with two new fields: *offset* and *bytesleft*. To help + describe the passed on data chunk when a fragment is delivered in many + smaller pieces. + + The documentation has been updated accordingly. + + Closes #9636 + +- [Patrick Monnerat brought this change] + + docs/examples: avoid deprecated options in examples where possible + + Example programs targeting a deprecated feature/option are commented with + a warning about it. + Other examples are adapted to not use deprecated options. + + Closes #9661 + +Viktor Szakats (6 Oct 2022) +- cmake: fix enabling websocket support + + Follow-up from 664249d095275ec532f55dd1752d80c8c1093a77 + + Closes #9660 + +- tidy-up: delete parallel/unused feature flags + + Detecting headers and lib separately makes sense when headers come in + variations or with extra ones, but this wasn't the case here. These were + duplicate/parallel macros that we had to keep in sync with each other + for a working build. This patch leaves a single macro for each of these + dependencies: + + - Rely on `HAVE_LIBZ`, delete parallel `HAVE_ZLIB_H`. + + Also delete CMake logic making sure these two were in sync, along with + a toggle to turn off that logic, called `CURL_SPECIAL_LIBZ`. + + Also delete stray `HAVE_ZLIB` defines. + + There is also a `USE_ZLIB` variant in `lib/config-dos.h`. This patch + retains it for compatibility and deprecates it. + + - Rely on `USE_LIBSSH2`, delete parallel `HAVE_LIBSSH2_H`. + + Also delete `LIBSSH2_WIN32`, `LIBSSH2_LIBRARY` from + `winbuild/MakefileBuild.vc`, these have a role when building libssh2 + itself. And `CURL_USE_LIBSSH`, which had no use at all. + + Also delete stray `HAVE_LIBSSH2` defines. + + - Rely on `USE_LIBSSH`, delete parallel `HAVE_LIBSSH_LIBSSH_H`. 
+ + Also delete `LIBSSH_WIN32`, `LIBSSH_LIBRARY` and `HAVE_LIBSSH` from + `winbuild/MakefileBuild.vc`, these were the result of copy-pasting the + libssh2 line, and were not having any use. + + - Delete unused `HAVE_LIBPSL_H` and `HAVE_LIBPSL`. + + Reviewed-by: Daniel Stenberg + + Closes #9652 + +Daniel Stenberg (6 Oct 2022) +- netrc: compare user name case sensitively + + User name comparisions in netrc need to match the case. + + Closes #9657 + +- CURLOPT_COOKIEFILE: insist on "" for enable-without-file + + The former way that also suggested using a non-existing file to just + enable the cookie engine could lead to developers maybe a bit carelessly + guessing a file name that will not exist, and then in a future due to + circumstances, such a file could be made to exist and then accidentally + libcurl would read cookies not actually meant to. + + Reported-by: Trail of bits + + Closes #9654 + +- tests/Makefile: remove run time stats from ci-test + + The ci-test is the normal makefile target invoked in CI jobs. This has + been using the -r option to runtests.pl since a long time, but I find + that it mostly just adds many lines to the test output report without + anyone caring much about those stats. + + Remove it. + + Closes #9656 + +- [Patrick Monnerat brought this change] + + tool: reorganize function c_escape around a dynbuf + + This is a bit shorter and a lot safer. + + Substrings of unescaped characters are added by a single call to reduce + overhead. + + Extend test 1465 to handle more kind of escapes. 
+ + Closes #9653 + +Jay Satiro (5 Oct 2022) +- CURLOPT_HTTPPOST.3: bolden the deprecation notice + + Ref: https://github.com/curl/curl/pull/9621 + + Closes https://github.com/curl/curl/pull/9637 + +Daniel Stenberg (5 Oct 2022) +- [John Bampton brought this change] + + misc: fix spelling in docs and comments + + also: remove outdated sentence + + Closes #9644 + +- [Patrick Monnerat brought this change] + + tool: avoid generating ambiguous escaped characters in --libcurl + + C string hexadecimal-escaped characters may have more than 2 digits. + This results in a wrong C compiler interpretation of a 2-digit escaped + character when followed by an hex digit character. + + The solution retained here is to represent such characters as 3-digit + octal escapes. + + Adjust and extend test 1465 for this case. + + Closes #9643 + +- configure: the ngtcp2 option should default to 'no' + + While still experimental. + + Bug: https://curl.se/mail/lib-2022-10/0007.html + Reported-by: Daniel Hallberg + + Closes #9650 + +- CURLOPT_MIMEPOST.3: add an (inline) example + + Reported-by: Jay Satiro + Bug: https://github.com/curl/curl/pull/9637#issuecomment-1268070723 + + Closes #9649 + +Viktor Szakats (5 Oct 2022) +- Makefile.m32: exclude libs & libpaths for shared mode exes [ci skip] + + Exclude linker flags specifying depedency libs and libpaths, when + building against `libcurl.dll`. In such case these options are not + necessary (but may cause errors if not/wrongly configured.) + + Also move and reword a comment on `CPPFLAGS` to not apply to + `UNICODE` options. These are necessary for all build targets. + + Closes #9651 + +Jay Satiro (5 Oct 2022) +- runtests: fix uninitialized value on ignored tests + + - Don't show TESTFAIL message (ie tests failed which aren't ignored) if + only ignored tests failed. + + Before: + IGNORED: failed tests: 571 612 1056 + TESTDONE: 1214 tests out of 1217 reported OK: 99% + Use of uninitialized value $failed in concatenation (.) 
or string at + ./runtests.pl line 6290. + TESTFAIL: These test cases failed: + + After: + IGNORED: failed tests: 571 612 1056 + TESTDONE: 1214 tests out of 1217 reported OK: 99% + + Closes https://github.com/curl/curl/pull/9648 + +- cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS + + - Correct the use of -all-static for static Windows CI builds. + + curl_LDFLAGS was removed from the makefile when metalink support was + removed. LDFLAGS=-all-static is passed to make only, because it is not a + valid option for configure compilation tests. + + Closes https://github.com/curl/curl/pull/9633 + +Viktor Szakats (4 Oct 2022) +- Makefile.m32: fix regression with tool_hugehelp [ci skip] + + In a recent commit I mistakenly deleted this logic, after seeing a + reference to a filename ending with `.cvs` and thinking it must have + been long gone. Turns out this is an existing file. Restore the rule + and the necessary `COPY` definitions with it. + + The restored logic is required for a successful build on a bare source + tree (as opposed to a source release tarball). + + Also shorten an existing condition similar to the one added in this + patch. + + Regression since 07a0047882dd3f1fbf73486c5dd9c15370877ad6 + + Closes #9645 + +- Makefile.m32: deduplicate build rules [ci skip] + + After this patch, we reduce the three copies of most `Makefile.m32` + logic to one. This now resides in `lib/Makefile.m32`. It makes future + updates easier, the code shorter, with a small amount of added + complexity. + + `Makefile.m32` reduction: + + | | bytes | LOC total | blank | comment | code | + |-------------------|-------:|----------:|-------:|---------:|------:| + | 7.85.0 | 34772 | 1337 | 79 | 192 | 1066 | + | before this patch | 17601 | 625 | 62 | 106 | 457 | + | after this patch | 11680 | 392 | 52 | 104 | 236 | + + Details: + + - Change rules to create objects for the `v*` subdirs in the `lib` dir. 
+ This allows to use a shared compile rule and assumes that filenames + are not (and will not be) colliding across these directories. + `Makefile.m32` now also stores a list of these subdirs. They are + changing rarely though. + + - Sync as much as possible between the three `Makefile.m32` scripts' + rules and their source/target sections. + + - After this patch `CPPFLAGS` are all applied to the `src` sources once + again. This matches the behaviour of cmake/autotools. Only zlib ones + are actually required there. + + - Use `.rc` names from `Makefile.inc` instead of keeping a duplicate. + + - Change examples to link `libcurl.dll` by default. This makes building + trivial, even as a cross-build: + `CC=x86_64-w64-mingw32-gcc make -f Makefile.m32` + To run them, you need to move/copy or add-to-path `libcurl.dll`. + You can select static mode via `CFG=-static`. + + - List more of the `Makefile.m32` config variables. + + - Drop `.rc` support from examples. It made it fragile without much + benefit. + + - Include a necessary system lib for the `externalsocket.c` example. + + - Exclude unnecessary systems libs when building in `-dyn` mode. + + Closes #9642 + +Daniel Stenberg (4 Oct 2022) +- RELEASE-NOTES: synced + +- CURLOPT_COOKIELIST.3: fix formatting mistake + + Also, updated manpage-syntax.pl to make it detect this error in test + 1173. + + Reported-by: ProceduralMan on github + Fixes #9639 + Closes #9640 + +- [Jay Satiro brought this change] + + connect: change verbose IPv6 address:port to [address]:port + + - Use brackets for the IPv6 address shown in verbose message when the + format is address:port so that it is less confusing. + + Before: Trying 2606:4700:4700::1111:443... + After: Trying [2606:4700:4700::1111]:443... 
+ + Bug: https://curl.se/mail/archive-2022-02/0041.html + Reported-by: David Hu + + Closes #9635 + +Viktor Szakats (3 Oct 2022) +- Makefile.m32: major rework [ci skip] + + This patch overhauls `Makefile.m32` scripts, fixing a list of quirks, + making its behaviour and customization envvars align better with other + build systems, aiming for less code, that is easier to read, use and + maintain. + + Details: + - Rename customization envvars: + `CURL_CC` -> `CC` + `CURL_RC` -> `RC` + `CURL_AR` -> `AR` + `CURL_LDFLAG_EXTRAS_DLL` -> `CURL_LDFLAGS_LIB` + `CURL_LDFLAG_EXTRAS_EXE` -> `CURL_LDFLAGS_BIN` + - Drop `CURL_STRIP` and `CURL_RANLIB`. These tools are no longer used. + - Accept `CFLAGS`, `CPPFLAGS`, `RCFLAGS`, `LDFLAGS` and `LIBS` envvars. + - Drop `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, `CURL_RCFLAG_EXTRAS` in + favor of the above. + - Do not automatically enable `zlib` with `libssh2`. `zlib` is optional + with `libssh2`. + - Omit unnecessary `CPPFLAGS` options when building `curl.exe` and + examples. + - Drop support for deprecated `-winssl` `CFG` option. Use `-schannel` + instead. + - Avoid late evaluation where not necessary (`=` -> `:=`). + - Drop support for `CURL_DLL_A_SUFFIX` to override the implib suffix. + Instead, use the standard naming scheme by default: `libcurl.dll.a`. + The toolchain recognizes the name, and selects it automatically when + asking for a `-shared` vs. `-static` build. + - Stop applying `strip` to `libcurl.a`. Follow-up from + 16a58e9f93c7e89e1f87720199388bcfcfa148a4. There was no debug info to + strip since then. + - Stop setting `-O3`, `-W`, `-Wall` options. You can add these to + `CFLAGS` as desired. + - Always enable `-DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` with OpenSSL, + to avoid that vulnerability on Windows. + - Add `-lbrotlicommon` to `LIBS` when using `brotli`. + - Do not enable `-nghttp3` without `-ngtcp2`. + - `-ssh2` and `-rtmp` options no longer try to auto-select a TLS-backend. 
+ You need to set the backend explicitly. This scales better and avoids + issues with certain combinations (e.g. `libssh2` + `wolfssl` with no + `schannel`). + - Default to OpenSSL TLS-backend with `ngtcp2`. Possible to override via + `NGTCP2_LIBS`. + - Old, alternate method of enabling components (e.g. `SSH2=1`) no longer + supported. + - Delete `SPNEGO` references. They were no-ops. + - Drop support for Win9x environments. + - Allow setting `OPENSSL_LIBS` independently from `OPENSSL_LIBPATH`. + - Support autotools/CMake `libssh2` builds by default. + - Respect `CURL_DLL_SUFFIX` in `-dyn` mode when building `curl.exe` and + examples. + - Assume standard directory layout with `LIBCARES_PATH`. (Instead of the + long gone embedded one.) + - Stop static linking with c-ares by default. Add + `CPPFLAGS=-DCARES_STATICLIB` to enable it. + - Reorganize internal layout to avoid redundancy and emit clean diffs + between src/lib and example make files. + - Delete unused variables. + - Code cleanups/rework. + - Comment and indentation fixes. + + Closes #9632 + +- scripts/release-notes.pl: strip ci skip tag [ci skip] + + Ref: https://github.com/curl/curl/commit/e604a82cae922bf86403a94f5803ac5e4303ae97#commitcomment-85637701 + + Reviewed-by: Daniel Stenberg + + Closes #9634 + +- Makefile.m32: delete legacy component bits [ci skip] + + - Drop auto-detection of OpenSSL 1.0.2 and earlier. Now always defaulting + to OpenSSL 1.1.0 and later, LibreSSL and BoringSSL. + + - Drop `Invalid path to OpenSSL package` detection. OpenSSL has been + using a standard file layout since 1.1.0, so this seems unnecessary + now. + + - Drop special logic to enable Novell LDAP SDK support. + + - Drop special logic to enable OpenLDAP LDAP SDK support. This seems + to be distinct from native OpenLDAP, with support implemented inside + `lib/ldap.c` (vs. `lib/openldap.c`) back when the latter did not exist + yet in curl. 
+ + - Add `-lwldap32` only if there is no other LDAP library (either native + OpenLDAP, or SDKs above) present. + + - Update `doc/INSTALL.md` accordingly. + + After this patch, it's necessary to make configration changes when using + OpenSSL 1.0.2 or earlier, or the two LDAP SDKs. + + OpenSSL 1.0.2 and earlier: + ``` + export OPENSSL_INCLUDE = <path-to-openssl>/outinc + export OPENSSL_LIBPATH = <path-to-openssl>/out + export OPENSSL_LIBS = -lssl32 -leay32 -lgdi32 + ``` + + Novell LDAP SDK, previously enabled via `USE_LDAP_NOVELL=1`: + ``` + export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/inc -DCURL_HAS_NOVELL_LDAPSDK + export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib/mscvc -lldapsdk -lldapssl -lldapx + ``` + + OpenLDAP LDAP SDK, previously enabled via `USE_LDAP_OPENLDAP=1`: + ``` + export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/include -DCURL_HAS_OPENLDAP_LDAPSDK + export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib -lldap -llber + ``` + + I haven't tested these scenarios, and in general we recommend using + a recent OpenSSL release. Also, WinLDAP (the Windows default) and + OpenLDAP (via `-DUSE_OPENLDAP`) are the LDAP options actively worked on + in curl. + + Closes #9631 + +Daniel Stenberg (2 Oct 2022) +- vauth/ntlm.h: make line shorter than 80 columns + + Follow-up from 265fbd937 + +Viktor Szakats (1 Oct 2022) +- docs: update sourceforge project links [ci skip] + + SourceForge projects can now choose between two hostnames, with .io and + .net ending. Both support HTTPS by default now. Opening the other variant + will perm-redirected to the one chosen by the project. + + The .io -> .net redirection is done insecurely. + + Let's update the URLs to point to the current canonical endpoints to + avoid any redirects. + + Closes #9630 + +Daniel Stenberg (1 Oct 2022) +- curl_url_set.3: document CURLU_APPENDQUERY proper + + Listed among the other supported flags. 
+ + Reported-by: Robby Simpson + Fixes #9628 + Closes #9629 + +Viktor Szakats (1 Oct 2022) +- Makefile.m32: cleanups and fixes [ci skip] + + - Add `-lcrypt32` once, and add it always for simplicity. + - Delete broken link and reference to the pre-Vista WinIDN add-on. + MS no longer distribute it. + - Delete related `WINIDN_PATH` option. IDN is a system lib since Vista. + - Sync `LIBCARES_PATH` default with the rest of dependencies. + - Delete version numbers from dependency path defaults. + - `libgsasl` package is now called `gsasl`. + - Delete `libexpat` and `libxml2` references. No longer used by curl. + - Delete `Edit the path below...` comments. We recommend to predefine + those envvars instead. + - `libcares.a` is not an internal dependency anymore. Stop using it as + such. + - `windres` `--include-dir` -> `-I`, `-F` -> `--target=` for readability. + - Delete `STRIP`, `CURL_STRIP`, `AR` references from `src/Makefile.m32`. + They were never used. + - Stop to `clean` some objects twice in `src/Makefile.m32`. + - Delete cvs-specific leftovers. + - Finish resource support in examples make file. + - Delete `-I<root>/lib` from examples make file. + - Fix copyright start year in examples make file. + - Delete duplicate `ftpuploadresume` input in examples make file. + - Sync OpenSSL lib order, `SYNC` support, `PROOT` use, dependency path + defaults, variables names and other internal bits between the three + make files. + - `lib/Makefile.m32` accepted custom options via `DLL_LIBS` envvar. This + was lib-specific and possibly accidental. Use `CURL_LDFLAG_EXTRAS_DLL` + envvar for the same effect. + - Fix linking `curl.exe` and examples to wrong static libs with + auto-detected OpenSSL 1.0.2 or earlier. + - Add `-lgdi32` for OpenSSL 1.0.2 and earlier only. + - Add link to Novell LDAP SDK and use a relative default path. Latest + version is from 2016, linked to an outdated OpenSSL 1.0.1. + - Whitespace and comment cleanups. 
+ + TODO in a next commit: + + Delete built-in detection/logic for OpenSSL 1.0.2 and earlier, the Novell + LDAP SDK and the other LDAP SDK (which is _not_ OpenLDAP). Write up the + necessary custom envvars to configure them. + + Closes #9616 + +Daniel Stenberg (30 Sep 2022) +- RELEASE-NOTES: synced + +- [Matt Holt brought this change] + + HTTP3.md: update Caddy example + + Closes #9623 + +- easy: fix the altsvc init for curl_easy_duphandle + + It was using the old #ifdef which nothing sets anymore + + Closes #9624 + +- GHA: build tests in a separate step from the running of them + + ... to make the output smaller for when you want to look at test + failures. + + Removed the examples build from msh3 + + Closes #9619 + +Viktor Szakats (29 Sep 2022) +- ldap: delete stray CURL_HAS_MOZILLA_LDAP reference + + Added in 68b215157fdf69612edebdb220b3804822277822, while adding openldap + support. This is also the single mention of this constant in the source + tree and also in that commit. Based on these, it seems like an accident. + + Delete this reference. + + Reviewed-by: Daniel Stenberg + + Closes #9625 + +- docs: spelling nits + + - MingW -> MinGW (Minimalist GNU for Windows) + - f.e. -> e.g. + - some whitespace and punctuation. + + Reviewed-by: Daniel Stenberg + + Closes #9622 + +Daniel Stenberg (29 Sep 2022) +- [Philip Heiduck brought this change] + + cirrus-ci: add macOS build with m1 + + 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> + + Closes #9565 + +- [Patrick Monnerat brought this change] + + lib: sanitize conditional exclusion around MIME + + The introduction of CURL_DISABLE_MIME came with some additional bugs: + - Disabled MIME is compiled-in anyway if SMTP and/or IMAP is enabled. + - CURLOPT_MIMEPOST, CURLOPT_MIME_OPTIONS and CURLOPT_HTTPHEADER are + conditioned on HTTP, although also needed for SMTP and IMAP MIME mail + uploads. + + In addition, the CURLOPT_HTTPHEADER and --header documentation does not + mention their use for MIME mail. + + This commit fixes the problems above. + + Closes #9610 + +- [Thiago Suchorski brought this change] + + docs: minor grammar fixes + + Closes #9609 + +- CURLSHOPT_UNLOCKFUNC.3: the callback as no 'access' argument + + Probably a copy and paste error from the lock function man page. + + Reported-by: Robby Simpson + Fixes #9612 + Closes #9613 + +- CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five + + ... instead just list the supported encodings. + + Reported-by: ProceduralMan on github + Fixes #9614 + Closes #9615 + +Dan Fandrich (28 Sep 2022) +- tests: Remove a duplicated keyword + +- docs: document more server names for test files + +Daniel Stenberg (28 Sep 2022) +- altsvc: reject bad port numbers + + The existing code tried but did not properly reject alternative services + using negative or too large port numbers. + + With this fix, the logic now also flushes the old entries immediately + before adding a new one, making a following header with an illegal entry + not flush the already stored entry. + + Report from the ongoing source code audit by Trail of Bits. + + Adjusted test 356 to verify. + + Closes #9607 + +- functypes: provide the recv and send arg and return types + + This header is for providing the argument types for recv() and send() + when built to not use a dedicated config-[platfor].h file. + + Remove the slow brute-force checks from configure and cmake. 
+ + This change also removes the use of the types for select, as they were + not used in code. + + Closes #9592 + +- urlapi: reject more bad characters from the host name field + + Extended test 1560 to verify + + Report from the ongoing source code audit by Trail of Bits. + + Closes #9608 + +- configure: deprecate builds with small curl_off_t + + If curl_off_t turns out to be smaller than 8 bytes, + --with-n64-deprecated needs to be used to allow the build to + continue. This is to highlight the fact that support for such builds is + going away next year. + + Also mentioned in DEPRECATED.md + + Closes #9605 + +- [Patrick Monnerat brought this change] + + http, vauth: always provide Curl_allow_auth_to_host() functionality + + This function is currently located in the lib/http.c module and is + therefore disabled by the CURL_DISABLE_HTTP conditional token. + + As it may be called by TLS backends, disabling HTTP results in an + undefined reference error at link time. + + Move this function to vauth/vauth.c to always provide it and rename it + as Curl_auth_allowed_to_host() to respect the vauth module naming + convention. + + Closes #9600 + +- ngtcp2: fix C89 compliance nit + +- openssl: make certinfo available for QUIC + + Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that + can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC + connections as well. + + The *certchain function was moved to the top of the file for this reason. + + Reported-by: Eloy Degen + Fixes #9584 + Closes #9597 + +- RELEASE-NOTES: synced + +- DEPRECATE.md: Support for systems without 64 bit data types + + Closes #9604 + +- [Patrick Monnerat brought this change] + + tests: skip mime/form tests when mime is not built-in + + Closes #9596 + +- url: rename function due to name-clash in Watt-32 + + Follow-up to 2481dbe5f4f58 and applies the change the way it was + intended. 
+ +Viktor Szakats (26 Sep 2022) +- windows: adjust name of two internal public functions + + According to `docs/INTERNALS.md`, internal function names spanning source + files start with uppercase `Curl_`. Bring these two functions in + alignment with this. + + This also stops exporting them from `libcurl.dll` in autotools builds. + + Reviewed-by: Daniel Stenberg + + Closes #9598 + +Daniel Stenberg (26 Sep 2022) +- [Gisle Vanem brought this change] + + url: rename function due to name-clash in Watt-32 + + Since the commit 764c958c52edb427f39, there was a new function called + resolve_ip(). This clashes with an internal function in Watt-32. + + Closes #9585 + +Jay Satiro (26 Sep 2022) +- schannel: ban server ALPN change during recv renegotiation + + By the time schannel_recv is renegotiating the connection, libcurl has + already decided on a protocol and it is too late for the server to + select a protocol via ALPN except for the originally selected protocol. + + Ref: https://github.com/curl/curl/issues/9451 + + Closes https://github.com/curl/curl/pull/9463 + +Daniel Stenberg (26 Sep 2022) +- url: a zero-length userinfo part in the URL is still a (blank) user + + Adjusted test 1560 to verify + + Reported-by: Jay Satiro + + Fixes #9088 + Closes #9590 + +Viktor Szakats (25 Sep 2022) +- autotools: allow --enable-symbol-hiding with windows + + This local autotools logic was put in place in + 9e24b9c7afbcb81120af4cf3f6cdee49a06d8224 (in 2012) which disabled it for + Windows unconditionally. Testing reveals that it actually works with + tested toolchains (mingw-w64 and CI ones), so let's allow this build + feature on that platform. Bringing this in sync with CMake, which already + supported this. + + Reviewed-by: Jay Satiro + + Closes #9586 + +- autotools: reduce brute-force when detecting recv/send arg list + + autotools uses brute-force to detect `recv`/`send`/`select` argument + lists, by interating through _all_ argument type combinations on each + `./configure` run. 
This logic exists since + 01fa02d0b545e1433dced2430561f8c0c72b74a9 (from 2006) and was a bit later + extended with Windows support. + + This results in a worst-case number of compile + link cycles as below: + - `recv`: 96 + - `send`: 192 + - `select`: 60 + Total: 348 (the number of curl C source files is 195, for comparison) + + Notice that e.g. curl-for-win autotools builds require two `./configure` + invocations, doubling these numbers. + + `recv` on Windows was especially unlucky because `SOCKET` (the correct + choice there) was listed _last_ in one of the outer trial loops. This + resulted in lengthy waits while autotools was trying all invalid + combinations first, wasting cycles, disk writes and slowing down + iteration. + + This patch reduces the amount of idle work by reordering the tests in + a way to succeed first on a well-known platform such as Windows, and + also on non-Windows by testing for POSIX prototypes first, on the + assumption that these are the most likely candidates these days. (We do + not touch `select`, where the order was already optimal for these + platforms.) + + For non-Windows, this means to try a return value of `ssize_t` first, + then `int`, reordering the buffer argument type to try `void *` first, + then `byte *`, and prefer the `const` flavor with `send`. If we are + here, also stop testing for `SOCKET` type in non-Windows builds. + + After the patch, detection on Windows is instantaneous. It should also be + faster on popular platforms such as Linux and BSD-based ones. + + If there are known-good variations for other platforms, they can also be + fast-tracked like above, given a way to check for that platform inside + the autotools logic. 
+ + Reviewed-by: Daniel Stenberg + + Closes #9591 + +Daniel Stenberg (23 Sep 2022) +- TODO: Provide the error body from a CONNECT response + + Spellchecked-by: Jay Satiro + + Closes #9513 + Closes #9581 + +Viktor Szakats (23 Sep 2022) +- windows: autotools .rc warnings fixup + + Move `LT_LANG([Windows Resource])` after `XC_LIBTOOL`, fixing: + + - Warnings when running `autoreconf -fi`. + + - Warning when compiling .rc files: + libtool: compile: unable to infer tagged configuration + libtool: error: specify a tag with '--tag' + + Follow up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057 + Ref: https://github.com/curl/curl/pull/9521#issuecomment-1256291156 + + Suggested-by: Patrick Monnerat + Closes #9582 + +Daniel Stenberg (23 Sep 2022) +- [Randall S. Becker brought this change] + + curl_setup: disable use of FLOSS for 64-bit NonStop builds + + Older 32-bit builds currently need FLOSS. This dependency may be removed + in future OS releases. + + 
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> + + Closes #9575 + +- [Patrick Monnerat brought this change] + + tool: remove dead code + + Add a debug assertion to verify protocols included/excluded in a set + are always tokenized. + + Follow-up to commit 677266c. + + Closes #9576 + +- [Patrick Monnerat brought this change] + + lib: prepare the incoming of additional protocols + + Move the curl_prot_t to its own conditional block. Introduce symbol + PROTO_TYPE_SMALL to control it. + + Fix a cast in a curl_prot_t assignment. + Remove an outdated comment. + + Follow-up to cd5ca80. + + Closes #9534 + +- msh3: change the static_assert to make the code C89 + +- bearssl: make it proper C89 compliant + +- curl-compilers.m4: for gcc + want warnings, set gnu89 standard + + To better verify that the code is C89 + + Closes #9542 + +- [Patrick Monnerat brought this change] + + lib517: fix C89 constant signedness + + In C89, positive integer literals that overflow an int but not an + unsigned int may be understood as a negative int. + + lib517.c:129:3: warning: this decimal constant is unsigned only in ISO C90 + {"Sun, 06 Nov 2044 08:49:37 GMT", 2362034977 }, + ^ + + Closes #9572 + +- mprintf: use snprintf if available + + This is the single place in libcurl code where it uses the "native" + s(n)printf() function. Used for writing floats. The use has been + reviewed and vetted and uses a HUGE target buffer, but switching to + snprintf() still makes this safer and removes build-time warnings. + + Reported-by: Philip Heiduck + + Fixes #9569 + Closes #9570 + +- docs: tag curl options better in man pages + + As it makes them links in the HTML versions. + + Verified by the extended test 1176 + +- symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6 + +- manpage-syntax.pl: all libcurl option symbols should be \fI-tagged + + ... as that makes them links to their corresponding man page. + + This script is used for test 1173. 
+ + Closes #9574 + +- RELEASE-NOTES: synced + +- [Patrick Monnerat brought this change] + + tool: remove protocol count limitation + + Replace bit mask protocol sets by null-terminated arrays of protocol + tokens. These are the addresses of the protocol names returned by + curl_version_info(). + + Protocol names are sorted case-insensitively before output to satisfy CI + tests matches consistency. + + The protocol list returned by curl_version_info() is augmented with all + RTMP protocol variants. + + Test 1401 adjusted for new alpha ordered output. + + Closes #9546 + +- test972: verify the output without using external tool + + It seems too restrictive to assume and use an external tool to verify + the JSON. This now verifies the outut byte per byte. We could consider + building a local "JSON verifyer" in a future. + + Remove 'jsonlint' from the CI job. + + Reported-by: Marcel Raad + Fixes #9563 + Closes #9564 + +- hostip: lazily wait to figure out if IPv6 works until needed + + The check may take many milliseconds, so now it is performed once the + value is first needed. Also, this change makes sure that the value is + not used if the resolve is set to be IPv4-only. + + Closes #9553 + +- curl.h: fix mention of wrong error code in comment + + The same error and comment were also used and is now corrected in + CURLOPT_SSH_KEYFUNCTION.3 + +- symbol-scan.pl: scan and verify .3 man pages + + This script now also finds all .3 man pages in docs/include and + docs/include/opts, extracts all uses of CURL* symbols and verifies that all + symbols mentioned in docs are defined in public headers. + + A "global symbol" is one of those matching a known prefix and the script makes + an attempt to check all/most of them. Just using *all* symbols that match + CURL* proved matching a little too many other references as well and turned + difficult turning into something useful. 
+ + Closes #9544 + +- symbols-in-versions: add missing LIBCURL* symbols + +- symbol-scan.pl: also check for LIBCURL* symbols + + Closes #9544 + +- docs/libcurl/symbols-in-versions: add several missing symbols + +- test1119: scan all public headers + + Previously this test only scanned a subset of the headers, which made us + accidentally miss symbols that were provided in the others. Now, the script + iterates over all headers present in include/curl. + + Closes #9544 + +- [Patrick Monnerat brought this change] + + examples/chkspeed: improve portability + + The example program chkspeed uses strncasecmp() which is not portable + across systems. Replace calls to this function by tests on characters. + + Closes #9562 + +- easy: fix the #include order + + The mentioned "last 3 includes" order should be respected. easy_lock.h should + be included before those three. + + Reported-by: Yuriy Chernyshov + Fixes #9560 + Closes #9561 + +- docs: spellfixes + + Pointed by the new CI job + +- GHA: spellcheck + + This spellchecker checks markdown files. For this reason this job + converts all man pages in the repository to markdown with pandoc before + the check runs. + + The perl script 'cleanspell' filters out details from the man page in + the process, to avoid the spellchecker trying to spellcheck things it + can't. Like curl specific symbols and the SYNOPSIS and EXAMPLE sections + of libcurl man pages. + + The spell checker does not check words in sections that are within pre, + strong and em tags. + + 'spellcheck.words' is a custom word list with additional accepted words. + + Closes #9523 + +- connect: fix the wrong error message on connect failures + + The "Failed to connect to" message after a connection failure would + include the strerror message based on the presumed previous socket + error, but in times it seems that error number is not set when reaching + this code and therefore it would include the wrong error message. 
+ + The strerror message is now removed from here and the curl_easy_strerror + error is used instead. + + Reported-by: Edoardo Lolletti + Fixes #9549 + Closes #9554 + +- httpput-postfields.c: shorten string for C89 compliance + + httpput-postfields.c:41:3: error: string length ‘522’ is greater than the length ‘509’ ISO C90 compilers are required to support [-Woverlength-strings] + 41 | "this chapter."; + | ^~~~~~~~~~~~~~~ + + Closes #9555 + +- ws: fix a C89 compliance nit + + Closes #9541 + +- [Patrick Monnerat brought this change] + + unit test 1655: make it C89-compliant + + Initializations performed in unit test 1655 use automatic variables in + aggregates and thus can only be computed at run-time. Using gcc in C89 + dialect mode produces warning messages like: + + unit1655.c:96:7: warning: initializer element is not computable at load time [-Wpedantic] + 96 | { toolong, DOH_DNS_NAME_TOO_LONG }, /* expect early failure */ + | ^~~~~~~ + + Fix the problem by converting these automatic pointer variables to + static arrays. + + Closes #9551 + +- [Tobias Schaefer brought this change] + + curl_strequal.3: fix typo + + Closes #9548 + +- [Dmitry Karpov brought this change] + + resolve: make forced IPv4 resolve only use A queries + + This protects IPv4-only transfers from undesired bad IPv6-related side + effects and make IPv4 transfers in dual-stack libcurl behave the same + way as in IPv4 single-stack libcurl. + + Closes #9540 + +- RELEASE-NOTES: synced + +- winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths + + Patched-by: Mark Itzcovitz + Bug: https://curl.se/mail/lib-2022-09/0038.html + + Closes #9536 + +- TODO: Reduce CA certificate bundle reparsing + + By adding some sort of cache. + + Reported-by: Michael Drake + Closes #9379 + Closes #9538 + +Marc Hoersken (19 Sep 2022) +- CI/GHA: cancel outdated CI runs on new PR changes + + Avoid letting outdated CI runs continue if a PR receives + new changes. 
Outside a PR we let them continue running + by tying the concurrency to the commit hash instead. + + Also only let one CodeQL or Hacktoberfest job run at a time. + + Other CI platforms we use have this build in, but GitHub + unfortunately neither by default nor with a simple option. + + This saves CI resources and therefore a little energy. + + Approved-by: Daniel Stenberg + Approved-by: Max Dymond + Closes #9533 + +Daniel Stenberg (19 Sep 2022) +- docs: fix proselint complaints + +- GHA: run proselint on markdown files + + Co-authored-by: Marc Hörsken + + Closes #9520 + +- lib: the number four in a sequence is the "fourth" + + Spelling is hard + + Closes #9535 + +- [John Bampton brought this change] + + misc: fix spelling in two source files + + Closes #9529 + +Viktor Szakats (18 Sep 2022) +- windows: add .rc support to autotools builds + + After this update autotools builds will compile and link `.rc` resources + to Windows executables. Bringing this feature on par with CMake and + Makefile.m32 builds. And also making it unnecessary to improvise these + steps manually, while monkey patching build files, e.g. [0]. + + You can customize the resource compiler via the `RC` envvar, and its + options via `RCFLAGS`. + + This harmless warning may appear throughout the build, even though the + autotools manual documents [1] `RC` as a valid tag, and it fails when + omitting one: + `libtool: error: ignoring unknown tag RC` + + [0] https://github.com/curl/curl-for-win/blob/535f19060d4b708f72e75dd849409ce50baa1b84/curl-autotools.sh#L376-L382 + [1] https://www.gnu.org/software/libtool/manual/html_node/Tags.html + + Closes #9521 + +Marc Hoersken (18 Sep 2022) +- CI/linkcheck: only run if a Markdown file is changed + + This saves CI resources and therefore a little energy. + + Reviewed-by: Max Dymond + Closes #9531 + +- README.md: add GHA status badges for Linux and macOS builds + + This makes sense now that Linux builds are being consolidated. 
+ + Approved-by: Daniel Stenberg + Closes #9530 + + [skip ci] + +Daniel Stenberg (17 Sep 2022) +- misc: null-terminate + + Make use of this term consistently. + + Closes #9527 + +Marc Hoersken (17 Sep 2022) +- CI/GHA: merge intel CC and more TLS libs into linux workflow + + Continue work on merging all Linux workflows into one file. + + Reviewed-by: Max Dymond + Follow up to #9501 + Closes #9514 + +Daniel Stenberg (17 Sep 2022) +- [Patrick Monnerat brought this change] + + lib1597: make it C89-compliant again + + Automatic variable addresses cannot be used in an initialisation + aggregate. + + Follow-up to 9d51329 + + Reported-by: Daniel Stenberg + Fixes: #9524 + Closes #9525 + +- tool_libinfo: silence "different 'const' qualifiers" in qsort() + + MSVC 15.0.30729.1 warned about it + + Follow-up to dd2a024323dcc + + Closes #9522 + +- [Patrick Monnerat brought this change] + + docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR. + + Disabled protocols are now handled as if they were unknown. + Also update the possible protocol list. + +- [Patrick Monnerat brought this change] + + cli tool: do not use disabled protocols + + As they are now rejected by the library, take care of not passing + disabled protocol names to CURLOPT_PROTOCOLS_STR and + CURLOPT_REDIR_PROTOCOLS_STR. + + Rather than using the CURLPROTO_* constants, dynamically assign protocol + numbers based on the order they are listed by curl_version_info(). + + New type proto_set_t implements prototype bit masks: it should therefore + be large enough to accomodate all library-enabled protocols. If not, + protocol numbers beyond the bit count of proto_set_t are recognized but + "inaccessible": when used, a warning is displayed and the value is + ignored. Should proto_set_t overflows, enabled protocols are reordered to + force those having a public CURLPROTO_* representation to be accessible. 
+ + Code has been added to subordinate RTMP?* protocols to the presence of + RTMP in the enabled protocol list, being returned by curl_version_info() + or not. + +- [Patrick Monnerat brought this change] + + setopt: use the handler table for protocol name to number conversions + + This also returns error CURLE_UNSUPPORTED_PROTOCOL rather than + CURLE_BAD_FUNCTION_ARGUMENT when a listed protocol name is not found. + + A new schemelen parameter is added to Curl_builtin_scheme() to support + this extended use. + + Note that disabled protocols are not recognized anymore. + + Tests adapted accordingly. + + Closes #9472 + +- altsvc: use 'h3' for h3 + + Since the official and real version has been out for a while now and servers + are deployed out there using it, there is no point in sticking to h3-29. + + Reported-by: ウさん + Fixes #9515 + Closes #9516 + +Jay Satiro (16 Sep 2022) +- [chemodax brought this change] + + winbuild: Use NMake batch-rules for compilation + + - Invoke cl compiler once for each group of .c files. + + This is significantly improves compilation time. For example in my + environment: 40 s --> 20 s. + + Prior to this change cl was invoked per .c file. 
+ + Closes https://github.com/curl/curl/pull/9512 + +Daniel Stenberg (16 Sep 2022) +- ws: the infof() flags should be %zu + + Follow-up to e5e9e0c5e49ae0 + + Closes #9518 + +- curl: warn for --ssl use, considered insecure + + Closes #9519 + +- [Sergey Bronnikov brought this change] + + curl_escape.3: fix typo + + lengthf -> length + + Closes #9517 + +- mailmap: merge Philip Heiduck's two addresses into one + +- test1948: verify PUT + POST reusing the same handle + + Reproduced #9507, verifies the fix + +- setopt: when POST is set, reset the 'upload' field + + Reported-by: RobBotic1 on github + Fixes #9507 + Closes #9511 + +Marc Hoersken (15 Sep 2022) +- github: initial CODEOWNERS setup for CI configuration + + Reviewed-by: Daniel Stenberg + Reviewed-by: Marcel Raad + Reviewed-by: Max Dymond + + Closes #9505 + + [skip ci] + +- [Philip Heiduck brought this change] + + CI: optimize some more dependencies install + + 
Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan> + + Closes #9500 + +- CI/GHA: merge event-based and NSS into new linux workflow + + Continue work on merging all Linux workflows into one file. + + Follow up to #9501 + Closes #9506 + +Daniel Stenberg (15 Sep 2022) +- include/curl/websockets.h: add extern "C" for C++ + + Reported-by: n0name321 on github + Fixes #9509 + Closes #9510 + +- lib1560: extended to verify detect/reject of unknown schemes + + ... when no guessing is allowed. + +- urlapi: detect scheme better when not guessing + + When the parser is not allowed to guess scheme, it should consider the + word ending at the first colon to be the scheme, independently of number + of slashes. + + The parser now checks that the scheme is known before it counts slashes, + to improve the error messge for URLs with unknown schemes and maybe no + slashes. + + When following redirects, no scheme guessing is allowed and therefore + this change effectively prevents redirects to unknown schemes such as + "data". + + Fixes #9503 + +- strerror: improve two URL API error messages + +Marc Hoersken (14 Sep 2022) +- CI/GHA: merge bearssl and hyper into initial linux workflow + + Begin work on merging all Linux workflows into one file. + + Closes #9501 + +Daniel Stenberg (14 Sep 2022) +- RELEASE-NOTES: synced + +- cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h + + Since the config file might also get included by the tool code at times. + This syncs with how other builds do it. + + Closes #9498 + +- tool_hugehelp: make hugehelp a blank macro when disabled + + Closes #9485 + +- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled + + ... to improve the output in this situation. Now it doesn't say "option + unknown" anymore. + + Closes #9485 + +- setopt: fix compiler warning + + Follow-up to cd5ca80f00d2 + + closes #9502 + +- [Philip Heiduck brought this change] + + CI: skip make, do make install at once for dependencies + + 
Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan> + + Closes #9477 + +- formdata: typecast the va_arg return value + + To avoid "enumerated type mixed with another type" warnings + + Follow-up from 0f52dd5fd5aa3592691a + + Closes #9499 + +- RELEASE-PROCEDURE.md: mention patch releases + + - When to make them and how to argue for them + - Refreshed the release date list + + Closes #9495 + +- urldata: use a curl_prot_t type for storing protocol bits + + This internal-use-only storage type can be bumped to a curl_off_t once + we need to use bit 32 as the previous 'unsigned int' can no longer hold + them all then. + + The websocket protocols take bit 30 and 31 so they are the last ones + that fit within 32 bits - but cannot properly be exported through APIs + since those use *signed* 32 bit types (long) in places. + + Closes #9481 + +- [zhanghu on xiaomi brought this change] + + formdata: fix warning: 'CURLformoption' is promoted to 'int' + + curl/lib/formdata.c: In function 'FormAdd': + curl/lib/formdata.c:249:31: warning: 'CURLformoption' is promoted to 'int' when passed through '...' + 249 | option = va_arg(params, CURLformoption); + | ^ + curl/lib/formdata.c:249:31: note: (so you should pass 'int' not 'CURLformoption' to 'va_arg') + curl/lib/formdata.c:249:31: note: if this code is reached, the program will abort + + Closes #9484 + +- CURLOPT_CONNECT_ONLY.3: for ws(s) as well + + and correct the version number for when that support comes. Even if it + is still experimental for WebSocket. + + Closes #9487 + +- tool_operate: avoid a few #ifdefs for disabled-libcurl builds + + By providing empty macros in the header file instead, the code gets + easier to read and yet is disabled on demand. + + Closes #9486 + +- [a1346054 on github brought this change] + + scripts: use `grep -E` instead of `egrep` + + egrep is deprecated + + Closes #9491 + +- [Hayden Roche brought this change] + + wolfSSL: fix session management bug. 
+ + Prior to this commit, non-persistent pointers were being used to store + sessions. When a WOLFSSL object was then freed, that freed the session + it owned, and thus invalidated the pointer held in curl's cache. This + commit makes it so we get a persistent (deep copied) session pointer + that we then add to the cache. Accordingly, wolfssl_session_free, which + was previously a no-op, now needs to actually call SSL_SESSION_free. + + This bug was discovered by a wolfSSL customer. + + Closes #9492 + +- docs: use "WebSocket" in singular + + This is how the RFC calls the protocol. Also rename the file in docs/ to + WEBSOCKET.md in uppercase to match how we have done it for many other + protocol docs in similar fashion. + + Add the WebSocket docs to the tarball. + + Closes #9496 + +Marcel Raad (12 Sep 2022) +- ws: fix build without `USE_WEBSOCKETS` + + The curl.h include is required unconditionally. + +- ws: add missing curl.h include + + A conflict between commits 664249d0952 and e5839f4ee70 broke the build. + +Daniel Stenberg (12 Sep 2022) +- ws: fix an infof() call to use %uz for size_t output + + Detected by Coverity, CID 1514665. + + Closes #9480 + +Marcel Raad (12 Sep 2022) +- curl_setup: include only system.h instead of curl.h + + As done before commit 9506d01ee50. + + Ref: https://github.com/curl/curl/pull/9375#discussion_r957010158 + Closes https://github.com/curl/curl/pull/9453 + +- lib: add missing limits.h includes + + Closes https://github.com/curl/curl/pull/9453 + +- lib and tests: add missing curl.h includes + + Closes https://github.com/curl/curl/pull/9453 + +- curl_setup: include curl.h after platform setup headers + + The platform setup headers might set definitions required for the + includes in curl.h. 
+ + Ref: https://github.com/curl/curl/pull/9375#discussion_r956998269 + Closes https://github.com/curl/curl/pull/9453 + +Daniel Stenberg (12 Sep 2022) +- [Benjamin Loison brought this change] + + docs: correct missing uppercase in Markdown files + + To detect these typos I used: + + ``` + clear && grep -rn '\. [a-z]' . | uniq | grep -v '\. lib' | grep -v '[0-9]\. [a-z]' | grep -v '\.\. [a-z]' | grep -v '\. curl' | grep -v 'e.g. [a-z]' | grep -v 'eg. [a-z]' | grep -v '\etc. [a-z]' | grep -v 'i.e\. [a-z]' | grep --color=always '\. [a-z]' | grep '\.md' + ``` + + Closes #9474 + +- tool_setopt: use better English in --libcurl source comments + + Like this: + + XYZ was set to an object pointer + ABC was set to a function pointer + + Closes #9475 + +- setopt: make protocol2num use a curl_off_t for the protocol bit + + ... since WSS does not fit within 32 bit. + + Bug: https://github.com/curl/curl/pull/9467#issuecomment-1243014887 + Closes #9476 + +- RELEASE-NOTES: synced + +- configure: polish the grep -E message a bit further + + Suggested-by: Emanuele Torre + Closes #9473 + +- GHA: add a gcc-11 -O3 build using OpenSSL + + Since -O3 might trigger other warnings + + Closes #9454 + +- [Patrick Monnerat brought this change] + + content_encoding: use writer struct subclasses for different encodings + + The variable-sized encoding-specific storage of a struct contenc_writer + currently relies on void * alignment that may be insufficient with + regards to the specific storage fields, although having not caused any + problems yet. 
+ + In addition, gcc 11.3 issues a warning on access to fields of partially + allocated structures that can occur when the specific storage size is 0: + + content_encoding.c: In function ‘Curl_build_unencoding_stack’: + content_encoding.c:980:21: warning: array subscript ‘struct contenc_writer[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Warray-bounds] + 980 | writer->handler = handler; + | ~~~~~~~~~~~~~~~~^~~~~~~~~ + In file included from content_encoding.c:49: + memdebug.h:115:29: note: referencing an object of size 16 allocated by ‘curl_dbg_calloc’ + 115 | #define calloc(nbelem,size) curl_dbg_calloc(nbelem, size, __LINE__, __FILE__) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + content_encoding.c:977:60: note: in expansion of macro ‘calloc’ + 977 | struct contenc_writer *writer = (struct contenc_writer *)calloc(1, sz); + + To solve both these problems, the current commit replaces the + contenc_writer/params structure pairs by "subclasses" of struct + contenc_writer. These are structures that contain a contenc_writer at + offset 0. Proper field alignment is therefore handled by the compiler and + full structure allocation is performed, silencing the warnings. + + Closes #9455 + +- configure: correct the wording when checking grep -E + + The check first checks that grep -E works, and only as a fallback tries + to find and use egrep. egrep is deprecated. + + This change only corrects the output wording, not the checks themselves. + + Closes #9471 + +Viktor Szakats (10 Sep 2022) +- websockets: sync prototypes in docs with implementation [ci skip] + + Docs for the new send/recv functions synced with the committed versions + of these. + + Closes #9470 + +Daniel Stenberg (10 Sep 2022) +- setopt: make protocols2num() work with websockets + + So that CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR can + specify those as well. 
+ + Reported-by: Patrick Monnerat + Bug: https://curl.se/mail/lib-2022-09/0016.html + Closes #9467 + +- curl/websockets.h: remove leftover bad typedef + + Just a leftover trace of a development thing that did not stay like + that. + + Reported-by: Marc Hörsken + Fixes #9465 + Cloes #9466 + +Marcel Raad (10 Sep 2022) +- [Orgad Shaneh brought this change] + + fix Cygwin/MSYS compilation + + _getpid is Windows API. On Cygwin variants it should remain getpid. + + Fixes #8220 + Closes #9255 + +Marc Hoersken (10 Sep 2022) +- GHA: prepare workflow merge by aligning structure again + + Closes #9413 + +Daniel Stenberg (9 Sep 2022) +- docs: the websockets symbols are added in 7.86.0 + + Nothing else + + Closes #9459 + +- tests/libtest/Makefile.inc: fixup merge conflict mistake + +- EXPERIMENTAL.md: add WebSockets + +- appveyor: enable websockets + +- cirrus: enable websockets in the windows builds + +- GHA: add websockets to macos, openssl3 and hyper builds + +- tests: add websockets tests + + - add websockets support to sws + - 2300: first very basic websockets test + - 2301: first libcurl test for ws (not working yet) + - 2302: use the ws callback + - 2303: test refused upgrade + +- curl_ws_meta: initial implementation + +- curl_ws_meta.3: added docs + +- ws: initial websockets support + + Closes #8995 + +- version: add ws + wss + +- libtest/lib1560: test basic websocket URL parsing + +- configure: add --enable-websockets + +- docs/WebSockets.md: docs + +- test415: verify Content-Length parser with control code + negative value + +- strtoofft: after space, there cannot be a control code + + With the change from ISSPACE() to ISBLANK() this function no longer + deals with (ignores) control codes the same way, which could lead to + this function returning unexpected values like in the case of + "Content-Length: \r-12354". 
+ + Follow-up to 6f9fb7ec2d7cb389a0da5 + + Detected by OSS-fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51140 + Assisted-by: Max Dymond + Closes #9458 + +- headers: reset the requests counter at transfer start + + If not, reusing an easy handle to do a subsequent transfer would + continue the counter from the previous invoke, which then would make use + of the header API difficult/impossible as the request counter + mismatched. + + Add libtest 1947 to verify. + + Reported-by: Andrew Lambert + Fixes #9424 + Closes #9447 + +Jay Satiro (8 Sep 2022) +- header: define public API functions as extern c + + Prior to this change linker errors would occur if curl_easy_header or + curl_easy_nextheader was called from a C++ unit. + + Bug: https://github.com/curl/curl/issues/9424#issuecomment-1238818007 + Reported-by: Andrew Lambert + + Closes https://github.com/curl/curl/pull/9446 + +Daniel Stenberg (8 Sep 2022) +- http2: make nghttp2 less picky about field whitespace + + In nghttp2 1.49.0 it returns error on leading and trailing whitespace in + header fields according to language in the recently shipped RFC 9113. + + nghttp2 1.50.0 introduces an option to switch off this strict check and + this change enables this option by default which should make curl behave + more similar to how it did with nghttp2 1.48.0 and earlier. + + We might want to consider making this an option in the future. + + Closes #9448 + +- RELEASE-NOTES: synced + + And bump to 7.86.0 for the pending next release + +- [Michael Heimpold brought this change] + + ftp: ignore a 550 response to MDTM + + The 550 is overused as a return code for multiple error case, e.g. + file not found and/or insufficient permissions to access the file. + + So we cannot fail hard in this case. + + Adjust test 511 since we now fail later. + Add new test 3027 which check that when MDTM failed, but the file could + actually be retrieved, that in this case no filetime is provided. 
+ + Reported-by: Michael Heimpold + Fixes #9357 + Closes #9387 + +- urlapi: leaner with fewer allocs + + Slightly faster with more robust code. Uses fewer and smaller mallocs. + + - remove two fields from the URL handle struct + - reduce copies and allocs + - use dynbuf buffers more instead of custom malloc + copies + - uses dynbuf to build the host name in reduces serial alloc+free within + the same function. + - move dedotdotify into urlapi.c and make it static, not strdup the input + and optimize it by checking for . and / before using strncmp + - remove a few strlen() calls + - add Curl_dyn_setlen() that can "trim" an existing dynbuf + + Closes #9408 + +Jay Satiro (7 Sep 2022) +- setup-win32: no longer define UNICODE/_UNICODE implicitly + + - If UNICODE or _UNICODE is defined but the other isn't then error + instead of implicitly defining it. + + As Marcel pointed out it is too late at this point to make such a define + because Windows headers may already be included, so likely it never + worked. We never noticed because build systems that can make Windows + Unicode builds always define both. If one is defined but not the other + then something went wrong during the build configuration. + + Bug: https://github.com/curl/curl/pull/9375#discussion_r956545272 + Reported-by: Marcel Raad + + Closes https://github.com/curl/curl/pull/9384 + +Dan Fandrich (6 Sep 2022) +- tests: fix tag syntax errors in test files + +Marc Hoersken (6 Sep 2022) +- lib: add required Win32 setup definitions in setup-win32.h + + Assisted-by: Jay Satiro + Reviewed-by: Marcel Raad + + Follow up to #9312 + Closes #9375 + +Daniel Stenberg (6 Sep 2022) +- pingpong: extend the response reading error with errno + + To help diagnosing the cause of the problem. 
+ + See #9380 + Closes #9443 + +- curl-compilers.m4: use -O2 as default optimize for clang + + Not -Os + + Closes #9444 + +- tool_operate: fix msnprintfing the error message + + Follow-up to 7be53774c41c59b47075fba + + Coverity CID 1513717 pointed out that we cannot use sizeof() on the + error buffer anymore. + + Closes #9440 + +- [Emanuele Torre brought this change] + + curl_ctype: add space around <= operator in ISSPACE macro + + Follow-up to f65f750 + + Closes #9441 + +- CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies + + The 'protocols' listed were previously wrong. + + Reported-by: ProceduralMan on github + Fixes #9434 + Closes #9435 + +- curl_ctype: convert to macros-only + + This no longer provide functions, only macros. Runs faster and produces + smaller output. + + The biggest precaution this change brings: + + DO NOT use post/pre-increments when passing arguments to the macros. + + Closes #9429 + +- misc: ISSPACE() => ISBLANK() + + Instances of ISSPACE() use that should rather use ISBLANK(). I think + somewhat carelessly used because it sounds as if it checks for space or + whitespace, but also includes %0a to %0d. + + For parsing purposes, we should only accept what we must and not be + overly liberal. It leads to surprises and surprises lead to bad things. + + Closes #9432 + +- ctype: remove all use of <ctype.h>, use our own versions + + Except in the test servers. + + Closes #9433 + +Marc Hoersken (5 Sep 2022) +- cmake: skip superfluous hex2dec conversion using math expr + + CMake seems to be able to compare two hex values just fine. + Also make sure CURL_TARGET_WINDOWS_VERSION is respected. 
+ + Assisted-by: Marcel Raad + Reviewed-by: Viktor Szakats + Reported-by: Keitagit-kun on github + + Follow up to #9312 + Fixes #9406 + Closes #9411 + +Daniel Stenberg (5 Sep 2022) +- curl_easy_pause.3: unpausing is as fast as possible + + Reported-by: ssdbest on github + Fixes #9410 + Closes #9430 + +- CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols + + Except file. + + Reported-by: ProceduralMan on github + Fixes #9427 + Closes #9428 + +- NPN: remove support for and use of + + Next Protocol Negotiation is a TLS extension that was created and used + for agreeing to use the SPDY protocol (the precursor to HTTP/2) for + HTTPS. In the early days of HTTP/2, before the spec was finalized and + shipped, the protocol could be enabled using this extension with some + servers. + + curl supports the NPN extension with some TLS backends since then, with + a command line option `--npn` and in libcurl with + `CURLOPT_SSL_ENABLE_NPN`. + + HTTP/2 proper is made to use the ALPN (Application-Layer Protocol + Negotiation) extension and the NPN extension has no purposes + anymore. The HTTP/2 spec was published in May 2015. + + Today, use of NPN in the wild should be extremely rare and most likely + totally extinct. Chrome removed NPN support in Chrome 51, shipped in + June 2016. Removed in Firefox 53, April 2017. + + Closes #9307 + +- RELEASE-NOTES: synced + + and bump the tentative next release version to 7.85.1 + +- [Samuel Henrique brought this change] + + configure: fail if '--without-ssl' + explicit parameter for an ssl lib + + A side effect of a previous change to configure (576e507c78bdd2ec88) + exposed a non-critical issue that can happen if configure is called with + both '--without-ssl' and some parameter setting the use of a ssl library + (e.g. --with-gnutls). The configure script would end up assuming this is + a MultiSSL build, due to the way the case statement is written. 
+ + I have changed the order of the variables in the string concatenation + for the case statement and also tweaked the options so that + --without-ssl never turns the build into a MultiSSL one and also clearly + stating that there are conflicting parameters if the user sets it like + described above. + + Closes #9414 + +- tests/certs/scripts: insert standard curl source headers + + ... including the SPDX-License-Identifier. + + These omissions were not detected by the RUEUSE CI job nor the copyright.pl + scanners because we have a general wildcard in .reuse/dep5 for + "tests/certs/*". + + Reported-by: Samuel Henrique + Fixes #9417 + Closes #9420 + +- [Samuel Henrique brought this change] + + docs: remove mentions of deprecated '--without-openssl' config parameter + + Closes #9415 + +- [Samuel Henrique brought this change] + + manpages: Fix spelling of "allows to" -> "allows one to" + + References: + https://salsa.debian.org/lintian/lintian/-/blob/master/tags/t/typo-in-manual-page.tag + https://english.stackexchange.com/questions/60271/grammatical-complements-for-allow/60285#60285 + + Closes #9419 + +- [Samuel Henrique brought this change] + + CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes + + Lintian (on Debian) has been complaining about this for a while but + I didn't bother initially as the groff parser that we use is not + affected by this. + + But I have now noticed that the online manpage is affected by it: + https://curl.se/libcurl/c/CURLOPT_WILDCARDMATCH.html + + (I'm using double quotes for quoting-only down below) + + The section that should be parsed as "'\'" ends up being parsed as + "'´". + + This is due to roffit not parsing "'\\'" correctly, which is fine + as the "correct" way of writing "'\'" is "'\e'" instead. + + Note that this fix is not enough to fix the online manpage at + curl's website, as roffit seems to parse it wrongly either way. 
+ + My intent is to at least fix the manpage so that roffit can + be changed to parse "'\e'" correctly (although I suggest making + roffit parse both ways correctly, since that's what groff does). + + More details at: + https://bugs.debian.org/966803 + https://salsa.debian.org/lintian/lintian/-/blob/930b18e4b28b7540253f458ef42a884cca7965c3/tags/a/acute-accent-in-manual-page.tag + + Closes #9418 + +- tool_operate: reduce errorbuffer allocs + + - parallel transfers: only alloc and keep errorbuffers in memory for + actual "live" transfers and not for the ones in the pending queue + + - serial transfers: reuse the same fixed buffer for all transfers, not + allocated at all. + + Closes #9394 + +Viktor Szakats (31 Aug 2022) +- misc: spelling fixes + + Found using codespell 2.2.1. + + Also delete the redundant protocol designator from an archive.org URL. + + Reviewed-by: Daniel Stenberg + Closes #9403 + +Daniel Stenberg (31 Aug 2022) +- tool_progress: remove 'Qd' from the parallel progress bar + + The "queued" value is no longer showing anything useful to the user. It + is an internal number of transfers waiting at that moment. + + Closes #9389 + +- tool_operate: prevent over-queuing in parallel mode + + When doing a huge amount of parallel transfers, we must not add them to + the per_transfer list frivolously since they all use memory after all. + This was previous done without really considering millions or billions + of transfers. Massive parallelism would use a lot of memory for no good + purpose. + + The queue is now limited to twice the paralleism number. + + This makes the 'Qd' value in the parallel progress meter mostly useless + for users, but works for now for us as a debug display. + + Reported-by: justchen1369 on github + Fixes #8933 + Closes #9389 + +Viktor Szakats (31 Aug 2022) +- cmake: fix original MinGW builds + + 1. 
Re-enable `HAVE_GETADDRINFO` detection on Windows + + Commit d08ee3c83d6bd416aef62ff844c98e47c4682429 (in 2013) added logic + that automatically assumed `getaddrinfo()` to be present for builds + with IPv6 enabled. As it turns out, certain toolchains (e.g. original + MinGW) by default target older Windows versions, and thus do not + support `getaddrinfo()` out of the box. The issue was masked for + a while by CMake builds forcing a newer Windows version, but that + logic got deleted in commit 8ba22ffb2030ed91312fc8634e29516cdf0a9761. + Since then, some CI builds started failing due to IPv6 enabled, + `HAVE_GETADDRINFO` set, but `getaddrinfo()` in fact missing. + + It also turns out that IPv6 works without `getaddrinfo()` since commit + 67a08dca27a6a07b36c7f97252e284ca957ff1a5 (from 2019, via #4662). So, + to resolve all this, we can now revert the initial commit, thus + restoring `getaddrinfo()` detection and support IPv6 regardless of its + outcome. + + Reported-by: Daniel Stenberg + + 2. Omit `bcrypt` with original MinGW + + Original (aka legacy/old) MinGW versions do not support `bcrypt` + (introduced with Vista). We already have logic to handle that in + `lib/rand.c` and autotools builds, where we do not call the + unsupported API and do not link `bcrypt`, respectively, when using + original MinGW. 
+ + This patch ports that logic to CMake, fixing the link error: + `c:/mingw/bin/../lib/gcc/mingw32/9.2.0/../../../../mingw32/bin/ld.exe: cannot find -lbcrypt` + + Ref: https://ci.appveyor.com/project/curlorg/curl/builds/44624888/job/40vle84cn4vle7s0#L508 + Regression since 76172511e7adcf720f4c77bd91f49278300ec97e + + Fixes #9214 + Fixes #9393 + Fixes #9395 + Closes #9396 + +Version 7.85.0 (31 Aug 2022) + +Daniel Stenberg (31 Aug 2022) +- RELEASE-NOTES: synced + + curl 7.85.0 release + +- THANKS: add contributors from the 7.85.0 release + +- getparam: correctly clean args + + Follow-up to bf7e887b2442783ab52 + + The previous fix for #9128 was incomplete and caused #9397. + + Fixes #9397 + Closes #9399 + +- zuul: remove the clang-tidy job + + Turns out we don't see the warnings, but the warnings right now are + plain ridiculous and unhelpful so we can just as well just kill this + job. + + Closes #9390 + +- cmake: set feature PSL if present + + ... make test 1014 pass when libpsl is used. + + Closes #9391 + +- lib530: simplify realloc failure exit path + + To make code analyzers happier + + Closes #9392 + +- [Orgad Shaneh brought this change] + + tests: add tests for netrc login/password combinations + + Covers the following PRs: + + - #9066 + - #9247 + - #9248 + + Closes #9256 + +- [Orgad Shaneh brought this change] + + url: really use the user provided in the url when netrc entry exists + + If the user is specified as part of the URL, and the same user exists + in .netrc, Authorization header was not sent at all. + + The user and password fields were assigned in conn->user and password + but the user was not assigned to data->state.aptr, which is the field + that is used in output_auth_headers and friends. + + Fix by assigning the user also to aptr. + + Amends commit d1237ac906ae7e3cd7a22c3a2d3a135a97edfbf5. 
+ + Fixes #9243 + +- [Orgad Shaneh brought this change] + + netrc: Use the password from lines without login + + If netrc entry has password with empty login, use it for any username. + + Example: + .netrc: + machine example.com password 123456 + + curl -vn http://user@example.com/ + + Fix it by initializing state_our_login to TRUE, and reset it only when + finding an entry with the same host and different login. + + Closes #9248 + +- [Jay Satiro brought this change] + + url: treat missing usernames in netrc as empty + + - If, after parsing netrc, there is a password with no username then + set a blank username. + + This used to be the case prior to 7d600ad (precedes 7.82). Note + parseurlandfillconn already does the same thing for URLs. + + Reported-by: Raivis <standsed@users.noreply.github.com> + Testing-by: Domen Kožar + + Fixes https://github.com/curl/curl/issues/8653 + Closes #9334 + Closes #9066 + +- test8: verify that "ctrl-byte cookies" are ignored + +- cookie: reject cookies with "control bytes" + + Rejects 0x01 - 0x1f (except 0x09) plus 0x7f + + Reported-by: Axel Chong + + Bug: https://curl.se/docs/CVE-2022-35252.html + + CVE-2022-35252 + + Closes #9381 + +- libssh: ignore deprecation warnings + + libssh 0.10.0 marks all SCP functions as "deprecated" which causes + compiler warnings and errors in our CI jobs and elsewhere. Ignore + deprecation warnings if 0.10.0 or later is found in the build. + + If they actually remove the functions at a later point, then someone can + deal with that pain and functionality break then. + + Fixes #9382 + Closes #9383 + +- Revert "schannel: when importing PFX, disable key persistence" + + This reverts commit 70d010d285315e5f1cad6bdb4953e167b069b692. + + Due to further reports in #9300 that indicate this commit might + introduce problems. 
+ +- multi: use larger dns hash table for multi interface + + Have curl_multi_init() use a much larger DNS hash table than used for + the easy interface to scale and perform better when used with _many_ + host names. + + curl_share_init() sets an in-between size. + + Inspired-by: Ivan Tsybulin + See #9340 + Closes #9376 + +Marc Hoersken (28 Aug 2022) +- CI/runtests.pl: add param for dedicated curl to talk to APIs + + This should make it possible to also report test failures + if our freshly build curl binary is not fully functional. + + Reviewed-by: Daniel Stenberg + Closes #9360 + +Daniel Stenberg (27 Aug 2022) +- [Jacob Tolar brought this change] + + openssl: add cert path in error message + + Closes #9349 + +- [Jacob Tolar brought this change] + + cert.d: clarify that escape character works for file paths + + Closes #9349 + +- gha: move over ngtcp2-gnutls CI job from zuul + + Closes #9331 + +Marc Hoersken (26 Aug 2022) +- cmake: add detection of threadsafe feature + + Avoids failing test 1014 by replicating configure checks + for HAVE_ATOMIC and _WIN32_WINNT with custom CMake tests. + + Reviewed-by: Marcel Raad + + Follow up to #8680 + Closes #9312 + +Daniel Stenberg (26 Aug 2022) +- RELEASE-NOTES: synced + +Marc Hoersken (26 Aug 2022) +- CI/azure: align torture shallowness with GHA + + There 25 is used with FTP tests skipped, and 20 for FTP tests. + This should make torture tests stay within the 60min timeout. + + Reviewed-by: Daniel Stenberg + Closes #9371 + +- multi_wait: fix and improve Curl_poll error handling on Windows + + First check for errors and return CURLM_UNRECOVERABLE_POLL + before moving forward and waiting on socket readiness events. 
+ + Reviewed-by: Jay Satiro + Reviewed-by: Marcel Raad + + Reported-by: Daniel Stenberg + Ref: #9361 + + Follow up to #8961 + Closes #9372 + +- multi_wait: fix skipping to populate revents for extra_fds + + On Windows revents was not populated for extra_fds if + multi_wait had to wait due to the Curl_poll pre-check + not signalling any readiness. This commit fixes that. + + Reviewed-by: Marcel Raad + Reviewed-by: Jay Satiro + + Closes #9361 + +- CI/appveyor: disable TLS in msys2-native autotools builds + + Schannel cannot be used from msys2-native Linux-emulated builds. + + Reviewed-by: Marcel Raad + Reviewed-by: Daniel Stenberg + + Follow up to #9367 + Closes #9370 + +Jay Satiro (25 Aug 2022) +- tests: fix http2 tests to use CRLF headers + + Prior to this change some tests that rely on nghttpx proxy did not use + CRLF headers everywhere. A recent change in nghttp2, which updated its + version of llhttp (HTTP parser), requires curl's HTTP/1.1 test server to + use CRLF headers. + + Ref: https://github.com/nghttp2/nghttp2/commit/9d389e8 + + Fixes https://github.com/curl/curl/issues/9364 + Closes https://github.com/curl/curl/pull/9365 + +Daniel Stenberg (25 Aug 2022) +- [rcombs brought this change] + + multi: use a pipe instead of a socketpair on apple platforms + + Sockets may be shut down by the kernel when the app is moved to the + background, but pipes are not. + + Removed from KNOWN_BUGS + + Fixes #6132 + Closes #9368 + +- [Somnath Kundu brought this change] + + libssh2: provide symlink name in SFTP dir listing + + When reading the symbolic link name for a file, we need to add the file + name to base path name. + + Closes #9369 + +- configure: if asked to use TLS, fail if no TLS lib was detected + + Previously the configure script would just warn about this fact and + continue with TLS disabled build which is not always helpful. TLS should + be explicitly disabled if that is what the user wants. 
+ + Closes #9367 + +- [Dustin Howett brought this change] + + schannel: when importing PFX, disable key persistence + + By default, the PFXImportCertStore API persists the key in the user's + key store (as though the certificate was being imported for permanent, + ongoing use.) + + The documentation specifies that keys that are not to be persisted + should be imported with the flag `PKCS12_NO_PERSIST_KEY`. + NOTE: this flag is only supported on versions of Windows newer than XP + and Server 2003. + + Fixes #9300 + Closes #9363 + +- unit1303: four tests should have TRUE for 'connecting' + + To match the comments. + + Reported-by: Wu Zheng + + See #9355 + Closes #9356 + +- CURLOPT_BUFFERSIZE.3: add upload buffersize to see also + + Closes #9354 + +- [Fabian Fischer brought this change] + + HTTP3.md: add missing autoreconf command for building with wolfssl + + Closes #9353 + +- RELEASE-NOTES: synced + +- multi: have curl_multi_remove_handle close CONNECT_ONLY transfer + + Ẃhen it has been used in the multi interface, it is otherwise left in + the connection cache, can't be reused and nothing will close them since + the easy handle loses the association with the multi handle and thus the + connection cache - until the multi handle is closed or it gets pruned + because the cache is full. + + Reported-by: Dominik Thalhammer + Fixes #9335 + Closes #9342 + +- docs/cmdline-opts: remove \& escapes from all .d files + + gen.pl escapes them itself now + +- docs/cmdline-opts/gen.pl: encode leading single and double quotes + + As "(aq" and "(dq" to prevent them from implying a meaning in the nroff + output. This removes the need for using \& escapes in the .d files' + description parts. + + Closes #9352 + +Marc Hoersken (23 Aug 2022) +- tests/server/sockfilt.c: avoid race condition without a mutex + + Avoid loosing any triggered handles by first aborting and joining + the waiting threads before evaluating the individual signal state. 
+ + This removes the race condition and therefore need for a mutex. + + Closes #9023 + +Daniel Stenberg (22 Aug 2022) +- [Emil Engler brought this change] + + url: output the maximum when rejecting a url + + This commit changes the failf message to output the maximum length, when + curl refuses to process a URL because it is too long. + + See: #9317 + Closes: #9327 + +- [Chris Paulson-Ellis brought this change] + + configure: fix broken m4 syntax in TLS options + + Commit b589696f added lines to some shell within AC_ARG_WITH macros, but + inadvertently failed to move the final closing ). + + Quote the script section using braces. + + So, if these problems have been around for a while, how did I find them? + Only because I did a configure including these options: + + $ ./configure --with-openssl --without-rustls + SSL: enabled (OpenSSL) + + Closes #9344 + +- tests/data/CMakeLists: remove making the 'show' makefile target + + It is not used by runtests since 3c0f462 + + Closes #9333 + +- tests/data/Makefile: remove 'filecheck' target + + No practical use anymore since 3c0f4622cdfd6 + + Closes #9332 + +- libssh2: make atime/mtime date overflow return error + + Closes #9328 + +- libssh: make atime/mtime date overflow return error + + Closes #9328 + +- examples/curlx.c: remove + + This example is a bit convoluted to use as an example, combined with the + special license for it makes it unsuitable. + + Closes #9330 + +- [Tobias Nygren brought this change] + + curl.h: include <sys/select.h> on SunOS + + It is needed for fd_set to be visible to downstream consumers that use + <curl/multi.h>. Header is known to exist at least as far back as Solaris + 2.6. 
+ + Closes #9329 + +- DEPRECATE.md: push the NSS deprecation date forward one year to 2023 + + URL: https://curl.se/mail/lib-2022-08/0016.html + +- libssh2: setting atime or mtime >32bit on 4-bytes-long systems + + Since the libssh2 API uses 'long' to store the timestamp, it cannot + transfer >32bit times on Windows and 32bit architecture builds. + + Avoid nasty surprises by instead not setting such time. + + Spotted by Coverity + + Closes #9325 + +- libssh: setting atime or mtime > 32bit is now just skipped + + The libssh API used caps the time to an unsigned 32bit variable. Avoid + nasty surprises by instead not setting such time. + + Spotted by Coverity. + + Closes #9324 + +Jay Satiro (16 Aug 2022) +- KNOWN_BUGS: Windows Unicode builds use homedir in current locale + + Bug: https://github.com/curl/curl/pull/7252 + Reported-by: dEajL3kA@users.noreply.github.com + + Ref: https://github.com/curl/curl/pull/7281 + + Closes https://github.com/curl/curl/pull/9305 + +Daniel Stenberg (16 Aug 2022) +- test399: switch it to use a config file instead + + ... as using a 65535 bytes host name in a URL does not fit on the + command line on some systems - like Windows. + + Reported-by: Marcel Raad + Fixes #9321 + Closes #9322 + +- RELEASE-NOTES: synced + +- asyn-ares: make a single alloc out of hostname + async data + + This saves one alloc per name resolve and simplifies the exit path. + + Closes #9310 + +- Curl_close: call Curl_resolver_cancel to avoid memory-leak + + There might be a pending (c-ares) resolve that isn't free'd up yet. 
+ + Closes #9310 + +- asyn-thread: fix socket leak on OOM + + Closes #9310 + +- GHA: mv CI torture test from Zuul + + Closes #9310 + +- ngtcp2-wolfssl.yml: add GHA to build ngtcp2 + wolfSSL + + Closes #9318 + +- test399: verify check of too long host name + +- url: reject URLs with hostnames longer than 65535 bytes + + It *probably* causes other problems too since DNS can't resolve such + long names, but the SNI field in TLS is limited to 16 bits length. + + Closes #9317 + +- curl_multi_perform.3: minor language fix + + Closes #9316 + +- ngtcp2: fix picky compiler warnings with wolfSSL for QUIC + + Follow-up to 8a13be227eede2 + + Closes #9315 + +- ngtcp2: remove leftover variable + + Mistake leftover from my edit before push. + + Follow-up from 8a13be227eede2601c2b3b + Reported-by: Viktor Szakats + Bug: https://github.com/curl/curl/pull/9290#issuecomment-1214569167 + +Viktor Szakats (15 Aug 2022) +- Makefile.m32: allow -nghttp3/-ngtcp2 without -ssl [ci skip] + + Before this patch `-nghttp3`/`-ngtcp2` had an effect only when `-ssl` + was also enabled. `-ssl` meaning OpenSSL (and its forks). After + 8a13be227eede2601c2b3b1c63e08b3dc9b35dd5 nghttp3/ngtcp2 can also be + used together with wolfSSL. This patch adds the ability to enable + `-nghttp3`/`-ngtcp2` independently from `-ssl` (OpenSSL), allowing to + use it with wolfSSL or other, future TLS backends. + + Before this patch, it was fine to enable `-nghttp3`/`-ngtcp2` + unconditionally. After this patch, this is no longer the case, and now + it's the user's responsibility to enable `-nghttp3`/`-ngtcp2` only + together with a compatible TLS backend. 
+ + When using a TLS backend other than OpenSSL, the TLS-specific ngtcp2 + library must be configured manually, e.g.: + `export CURL_LDFLAG_EXTRAS=-lngtcp2_crypto_wolfssl` + + (or via `NGTCP2_LIBS`) + + Closes #9314 + +Daniel Stenberg (15 Aug 2022) +- [Stefan Eissing brought this change] + + quic: add support via wolfSSL + + - based on ngtcp2 PR https://github.com/ngtcp2/ngtcp2/pull/505 + - configure adapted to build against ngtcp2 wolfssl crypto lib + - quic code added for creation of WOLFSSL* instances + + Closes #9290 + +Marcel Raad (14 Aug 2022) +- [David Carlier brought this change] + + memdebug: add annotation attributes + + memory debug tracking annotates whether the returned pointer does not + `alias`, hints where the size required is, for Windows to be better + debugged via Visual Studio. + + Closes https://github.com/curl/curl/pull/9306 + +Daniel Stenberg (14 Aug 2022) +- GHA: move libressl CI from zuul to GitHub + + Closes #9309 + +- KNOWN_BUGS: FTPS directory listing hangs on Windows with Schannel + + Closes #9161 + +- KNOWN_BUGS: CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel + + Closes #8741 + +- KNOWN_BUGS: libssh blocking and infinite loop problem + + Closes #8632 + +- RELEASE-NOTES: synced + +- msh3: fix the QUIC disconnect function + + And free request related memory better in 'done'. Fixes a memory-leak. + + Reported-by: Gisle Vanem + Fixes #8915 + Closes #9304 + +- connect: close the happy eyeballs loser connection when using QUIC + + Reviewed-by: Nick Banks + + Closes #9303 + +- [Emil Engler brought this change] + + refactor: split resolve_server() into functions + + This commit splits the branch-heavy resolve_server() function into + various sub-functions, in order to reduce the amount of nested + if/else-statements. + + Beside this, it also removes many else-sequences, by returning in the + previous if-statement. 
+ + Closes #9283 + +- schannel: re-indent to use curl style better + + Only white space changes + + Closes #9301 + +- [Emanuele Torre brought this change] + + docs/cmdline-opts: fix example and categories for --form-escape + + The example was missing a "--form" argument + I also replaced "--form" with "-F" to shorten the line a bit since it + was already very long. + + And I also moved --form-escape from the "post" category to the "upload" + category (this is what I originally wanted to fix, before also noticing + the mistake in the example). + + Closes #9298 + +- [Nick Banks brought this change] + + HTTP3.md: update to msh3 v0.4.0 + + Closes #9297 + +- hostip: resolve *.localhost to 127.0.0.1/::1 + + Following the footsteps of other clients like Firefox/Chrome. RFC 6761 + says clients SHOULD do this. + + Add test 389 to verify. + + Reported-by: TheKnarf on github + Fixes #9192 + Closes #9296 + +Jay Satiro (11 Aug 2022) +- KNOWN_BUGS: long paths are not fully supported on Windows + + Bug: https://github.com/curl/curl/issues/8361 + Reported-by: Gisle Vanem + + Closes https://github.com/curl/curl/pull/9288 + +Daniel Stenberg (11 Aug 2022) +- config: remove the check for and use of SIZEOF_SHORT + + shorts are 2 bytes on all platforms curl runs and have ever run on. + + Closes #9291 + +- configure: introduce CURL_SIZEOF + + This is a rewrite of the previously used GPLv3+exception licensed + file. With this change, there is no more reference to GPL so we can + remove that from LICENSES/. + + Ref: #9220 + Closes #9291 + +- [Sean McArthur brought this change] + + hyper: customize test1274 to how hyper unfolds headers + + Closes #9217 + +- [Orgad Shaneh brought this change] + + curl-config: quote directories with potential space + + On Windows (at least with CMake), the default prefix is + C:/Program Files (x86)/CURL. 
+ + Closes #9253 + +- [Oliver Roberts brought this change] + + amigaos: fix threaded resolver on AmigaOS 4.x + + Replace ip4 resolution function on AmigaOS 4.x, as it requires runtime + feature detection and extra code to make it thread safe. + + Closes #9265 + +- [Emil Engler brought this change] + + imap: use ISALNUM() for alphanumeric checks + + This commit replaces a self-made character check for alphanumeric + characters within imap_is_bchar() with the ISALNUM() macro, as it is + reduces the size of the code and makes the performance better, due to + ASCII arithmetic. + + Closes #9289 + +- RELEASE-NOTES: synced + +- [Cering on github brought this change] + + connect: add quic connection information + + Fixes #9286 + Closes #9287 + +- [Philip Heiduck brought this change] + + cirrus/freebsd-ci: bootstrap the pip installer + + 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> + + Closes #9213 + +- urldata: move smaller fields down in connectdata struct + + By (almost) sorting the struct fields in connectdata in a decending size + order, having the single char ones last, we reduce the number of holes + in the struct and thus the amount of storage needed. + + Closes #9280 + +- ldap: adapt to conn->port now being an 'int' + + Remove typecasts. Fix printf() formats. + + Follow-up from 764c6bd3bf. + Pointed out by Coverity CID 1507858. + + Closes #9281 + +- KNOWN_BUGS: Negotiate authentication against Hadoop HDFS + + Closes #8264 + +- [Oliver Roberts brought this change] + + file: add handling of native AmigaOS paths + + On AmigaOS 4.x, handle native absolute paths, whilst blocking relative + paths. Also allow unix style paths if feature enabled at link time. + + Inspiration-from: Michael Trebilcock + + Closes #9259 + +- KNOWN_BUGS: cmake build is not thread-safe + + The cmake build does not check for and verify presence of a working + Atomic type, which then makes curl_global_init() to not build + thread-safe on non-Windows platforms. + + Closes https://github.com/curl/curl/issues/8973 + Closes https://github.com/curl/curl/pull/8982 + +- [Oliver Roberts brought this change] + + configure: fixup bsdsocket detection code for AmigaOS 4.x + + The code that detects bsdsocket.library for AmigaOS did not work + for AmigaOS 4.x. This has been fixed and also cleaned up a little + to reduce duplication. Wasn't technically necessary before, but is + required when building with AmiSSL instead of OpenSSL. + + Closes #9268 + +- [Oliver Roberts brought this change] + + tool: reintroduce set file comment code for AmigaOS + + Amiga specific code which put the URL in the file comment was perhaps + accidentally removed in b88940850002a3f1c25bc6488b95ad30eb80d696 having + originally been added in 5c215bdbdfde8b2350cdcbac82aae0c914da5314. 
+ Reworked to fit the code changes and added it back in. + + Reported-by: Michael Trebilcock + Originally-added-by: Chris Young + + Closes #9258 + +- urldata: make 'negnpn' use less storage + + The connectdata struct field 'negnpn' never holds a value larger than + 30, so an unsigned char saves 3 bytes struct space. + + Closes #9279 + +- urldata: make three *_proto struct fields smaller + + Use 'unsigned char' for storage instead of the enum, for three GSSAPI + related fields in the connectdata struct. + + Closes #9278 + +- connect: set socktype/protocol correctly + + So that an address used from the DNS cache that was previously used for + QUIC can be reused for TCP and vice versa. + + To make this possible, set conn->transport to "unix" for unix domain + connections ... and store the transport struct field in an unsigned char + to use less space. + + Reported-by: ウさん + Fixes #9274 + Closes #9276 + +- [Oliver Roberts brought this change] + + amissl: allow AmiSSL to be used with AmigaOS 4.x builds + + Enable AmiSSL to be used instead of static OpenSSL link libraries. + for AmigaOS 4.x, as it already is in the AmigaOS 3.x build. + + Closes #9269 + +- [opensignature on github brought this change] + + openssl: add details to "unable to set client certificate" error + + from: "curl: (58) unable to set client certificate" + + to: curl: (58) unable to set client certificate [error:0A00018F:SSL + routines::ee key too small] + + Closes #9228 + +- [Oliver Roberts brought this change] + + amissl: make AmiSSL v5 a minimum requirement + + AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0. + Support for previous OpenSSL 1.1.x versions has been dropped, so + makes sense to enforce v5 as the minimum requirement. This also + allows all the AmiSSL stub workarounds to be removed as they are + now provided in a link library in the AmiSSL SDK. 
+ + Closes #9267 + +- [Oliver Roberts brought this change] + + configure: -pthread not available on AmigaOS 4.x + + The most recent GCC builds for AmigaOS 4.x do not allow -pthread and + exit with an error. Instead, need to explictly specify -lpthread. + + Closes #9266 + +- digest: pass over leading spaces in qop values + + When parsing the "qop=" parameter of the digest authentication, and the + value is provided within quotes, the list of values can have leading + white space which the parser previously did not handle correctly. + + Add test case 388 to verify. + + Reported-by: vlubart on github + Fixes #9264 + Closes #9270 + +- [Evgeny Grin (Karlson2k) brought this change] + + digest: reject broken header with session protocol but without qop + + Closes #9077 + +- CURLINFO_SPEED_UPLOAD/DOWNLOAD.3: fix examples + + Reported-by: jvvprasad78 on github + Assisted-by: Jay Satiro + Fixes #9239 + Closes #9241 + +- [Fabian Keil brought this change] + + test44[2-4]: add '--resolve' to the keywords + + ... so the tests can be automatically skipped when + using an external proxy like Privoxy. + + Closes #9250 + +- RELEASE-NOTES: synced + +- CURLOPT_CONNECT_ONLY.3: clarify multi API use + + Reported-by: Maxim Ivanov + Fixes #9244 + Closes #9262 + +- [Andrew Lambert brought this change] + + curl_easy_header: Add CURLH_PSEUDO to sanity check + + Fixes #9235 + Closes #9236 + +- [Emil Engler brought this change] + + docs: add dns category to --resolve + + This commit adds the dns category to the --resolve command line option, + because it can be interpreted as both: a low-level connection option and + an option related to the resolving of a hostname. + + It is also not common for dns options to belong to the connection + category and vice versa. --ipv4 and --ipv6 are both good examples. 
+ + Closes #9229 + +Jay Satiro (2 Aug 2022) +- [Wyatt O'Day brought this change] + + schannel: Add TLS 1.3 support + + - Support TLS 1.3 as the default max TLS version for Windows Server 2022 + and Windows 11. + + - Support specifying TLS 1.3 ciphers via existing option + CURLOPT_TLS13_CIPHERS (tool: --tls13-ciphers). + + Closes https://github.com/curl/curl/pull/8419 + +Daniel Stenberg (2 Aug 2022) +- [Emil Engler brought this change] + + cmdline-opts/gen.pl: improve performance + + On some systems, the gen.pl script takes nearly two minutes for the + generation of the main-page, which is a completely unacceptable time. + + The slow performance has two causes: + 1. Use of a regex locale operator + 2. Useless invokations of loops + + The commit addresses the first issue by replacing the "\W" wiht + [^a-zA-Z0-9_], which is, according to regex101.com, functionally + equivalent to the previous operation, except that it is obviously + limited to ASCII only, which is fine, as the curl project is + English-only anyway. + + The second issue is being addressed by only running the loop if the line + contains a "--" in it. The loop may be completeley removed in the + future. 
+ + Co-authored-by: Emanuele Torre <torreemanuele6@gmail.com> + + See #8299 + Fixes #9230 + Closes #9232 + +- docs/cmdline: mark fail and fail-with-body as mutually exclusive + + Reported-by: Andreas Sommer + Fixes #9221 + Closes #9222 + +- [Nao Yonashiro brought this change] + + quiche: fix build failure + + Reviewed-by: Alessandro Ghedini + Closes #9223 + +Viktor Szakats (2 Aug 2022) +- configure.ac: drop references to deleted functions + + follow-up from 4d73854462f30948acab12984b611e9e33ee41e6 + + Reported-by: Oliver Roberts + Fixes #9238 + Closes #9240 + +Daniel Stenberg (28 Jul 2022) +- [Sean McArthur brought this change] + + hyper: enable obs-folded multiline headers + + Closes #9216 + +- connect: revert the use of IP*_RECVERR + + The options were added in #6341 and d13179d, but cause problems: Lots of + POLLIN event occurs but recvfrom read nothing. + + Reported-by: Tatsuhiro Tsujikawa + Fixes #9209 + Closes #9215 + +- [Marco Kamner brought this change] + + docs: remove him/her/he/she from documentation + + Closes #9208 + +- RELEASE-NOTES: synced + +- tool_getparam: make --doh-url "" switch it off + + A possible future addition could be to parse the URL first too to verify + that it is valid before trying to use it. + + Assisted-by: Jay Satiro + Closes #9207 + +- mailmap: add rzrymiak on github + +Jay Satiro (26 Jul 2022) +- ngtcp2: Fix build error due to change in nghttp3 prototypes + + ngtcp2/nghttp3@4a066b2 changed nghttp3_conn_block_stream and + nghttp3_conn_shutdown_stream_write return from int to void. 
+ + Reported-by: jurisuk@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/9204 + Closes https://github.com/curl/curl/pull/9200 + +Daniel Stenberg (26 Jul 2022) +- [rzrymiak on github brought this change] + + BUGS.md: improve language + + Closes #9205 + +- [Philip Heiduck brought this change] + + cirrus.yml: replace py38-pip with py39-pip + + Reported-by: Jay Satiro + Fixes #9201 + Closes #9202 + +- tool_getparam: fix cleanarg() for unicode builds + + Use the correct type, and make cleanarg an empty macro if the cleaning + ability is absent. + + Fixes #9195 + Closes #9196 + + Reviewed-by: Jay Satiro + Reviewed-by: Marcel Raad + +Marc Hoersken (25 Jul 2022) +- test3026: add support for Windows using native Win32 threads + + Reviewed-by: Viktor Szakats + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg + + Follow up to 7ade9c50b35d95d47a43880c3097bebab7a7e690 + Closes #9012 + +Jay Satiro (25 Jul 2022) +- [Evgeny Grin (Karlson2k) brought this change] + + digest: fix memory leak, fix not quoted 'opaque' + + Fix leak regression introduced by 3a6fe0c. + + Closes https://github.com/curl/curl/pull/9199 + +Daniel Stenberg (23 Jul 2022) +- tests: several enumerated type cleanups + + To please icc + + Closes #9179 + +- tool_paramhlp: fix "enumerated type mixed with another type" + + Warning by icc + + Closes #9179 + +- tool_writeout: fix enumerated type mixed with another type + + Closes #9179 + +- tool_cfgable: make 'synthetic_error' a plain bool + + The specific reason was not used. 
+ + Closes #9179 + +- tool_paramhlp: make check_protocol return ParameterError + + "enumerated type mixed with another type" + + Closes #9179 + +- tool_formparse: fix variable may be used before its value is set + + Warning by icc + + Closes #9179 + +- sendf: skip storing HTTP headers if HTTP disabled + + Closes #9179 + +- url: enumerated type mixed with another type + + Follow-up to 1c58e7ae99ce2030213f28b + + Closes #9179 + +- urldata: change second proxytype field to unsigned char to match + + To avoid "enumerated type mixed with another type" + + Closes #9179 + +- http: typecast the httpreq assignment to avoid icc compiler warning + + error #188: enumerated type mixed with another type + + Closes #9179 + +- urldata: make state.httpreq an unsigned char + + To match set.method used for the same purpose. + + Closes #9179 + +- splay: avoid using -1 in unsigned variable + + To fix icc compiler warning integer conversion resulted in a change of sign + + Closes #9179 + +- sendf: store the header type in an usigned char to avoid icc warnings + + Closes #9179 + +- multi: fix the return code from Curl_pgrsDone() + + It does not return a CURLcode. Detected by the icc compiler warning + "enumerated type mixed with another type" + + Closes #9179 + +- sendf: make Curl_debug a void function + + As virtually no called checked the return code, and those that did + wrongly treated it as a CURLcode. 
Detected by the icc compiler warning: + enumerated type mixed with another type + + Closes #9179 + +- http_chunks: remove an assign + typecast + + As it caused icc to complain: "pointer cast involving 64-bit pointed-to + type" + + Closes #9179 + +- vtls: make Curl_ssl_backend() return the enum type curl_sslbackend + + To fix the icc warning enumerated type mixed with another type + + Closes #9179 + +- curl-compilers.m4: make icc use -diag* options and disable two warnings + + -wd and -we are deprecated and are now -diag-disable and -diag-error + + Disable warning 1024 and 2259 + + Closes #9179 + +- [Matthew Thompson brought this change] + + GHA: add two Intel compiler CI jobs + + Closes #9179 + +- [Daniel Katz brought this change] + + curl-functions.m4: check whether atomics can link rather than just compile + + Some build toolchains support C11 atomics (i.e., _Atomic types), but + will not link the associated atomics runtime unless a flag is passed. In + such an environment, linking an application with libcurl.a can fail due + to undefined symbols for atomic load/store functions. + + I encountered this behavior when upgrading curl to 7.84.0 and attempting + to build with Solaris Studio 12.6. Solaris provides the flag + -xatomic=[gcc | studio], allowing users to link to one of two atomics + runtime implementations. However, if the user does not provide this + flag, then neither runtime is linked. This led to builds failing in CI. + + Closes #9190 + +- [Rosen Penev brought this change] + + curl-wolfssl.m4: add options header when building test code + + Needed for certain configurations of wolfSSL. Otherwise, missing header + error may occur. + + Tested with OpenWrt. 
+ + Closes #9187 + +- ftp: use a correct expire ID for timer expiry + + This was an accurate error pointed out by the icc warning: enumerated + type mixed with another type + + Ref: #9179 + Closes #9184 + +- sendf: fix paused header writes since after the header API + + Regression since d1e4a67 + + Reported-by: Sergey Ogryzkov + Fixes #9180 + Closes #9182 + +- mprintf: fix *dyn_vprintf() when out-of-memory + + Follow-up to 0e48ac1f99a. Torture-testing 1455 would lead to a memory + leak otherwise. + + Closes #9185 + +- curl-confopts: remove leftover AC_REQUIREs + + configure.ac:3488: warning: CURL_CHECK_FUNC_IOCTL is m4_require'd but not m4_defun'd + configure.ac:3488: warning: CURL_CHECK_FUNC_SETSOCKOPT is m4_require'd but not m4_defun'd + + follow-up from 4d73854462f30 + + Closes #9183 + +- file: fix icc enumerated type mixed with another type warning + + Ref: #9179 + Closes #9181 + +Viktor Szakats (19 Jul 2022) +- tidy-up: delete unused build configuration macros + + Most of them feature guards: + + - `CURL_INCLUDES_SYS_UIO` [1] + - `HAVE_ALLOCA_H` [2] + - `HAVE_CRYPTO_CLEANUP_ALL_EX_DATA` (unused since de71e68000c8624ea13f90b136f8734dd0fb1bdc) + - `HAVE_DLFCN_H` + - `HAVE_DLOPEN` + - `HAVE_DOPRNT` + - `HAVE_FCNTL` + - `HAVE_GETHOSTBYNAME` [3] + - `HAVE_GETOPT_H` + - `HAVE_GETPASS` + - `HAVE_GETPROTOBYNAME` + - `HAVE_GETSERVBYNAME` + - `HAVE_IDN_FREE*` + - `HAVE_INET_ADDR` + - `HAVE_IOCTL` + - `HAVE_KRB4` + - `HAVE_KRB_GET_OUR_IP_FOR_REALM` + - `HAVE_KRB_H` + - `HAVE_LDAPSSL_H` + - `HAVE_LDAP_INIT_FD` + - `HAVE_LIBDL` + - `HAVE_LIBNSL` + - `HAVE_LIBRESOLV*` + - `HAVE_LIBUCB` + - `HAVE_LL` + - `HAVE_LOCALTIME_R` + - `HAVE_MALLOC_H` + - `HAVE_MEMCPY` + - `HAVE_MEMORY_H` + - `HAVE_NETINET_IF_ETHER_H` + - `HAVE_NI_WITHSCOPEID` + - `HAVE_OPENSSL_CRYPTO_H` + - `HAVE_OPENSSL_ERR_H` + - `HAVE_OPENSSL_PEM_H` + - `HAVE_OPENSSL_PKCS12_H` + - `HAVE_OPENSSL_RAND_H` + - `HAVE_OPENSSL_RSA_H` + - `HAVE_OPENSSL_SSL_H` + - `HAVE_OPENSSL_X509_H` + - `HAVE_PEM_H` + - `HAVE_POLL` + - 
`HAVE_RAND_SCREEN` + - `HAVE_RAND_STATUS` + - `HAVE_RECVFROM` + - `HAVE_SETSOCKOPT` + - `HAVE_SETVBUF` + - `HAVE_SIZEOF_LONG_DOUBLE` + - `HAVE_SOCKIO_H` + - `HAVE_SOCK_OPTS` + - `HAVE_STDIO_H` + - `HAVE_STRCASESTR` + - `HAVE_STRFTIME` + - `HAVE_STRLCAT` + - `HAVE_STRNCMPI` + - `HAVE_STRNICMP` + - `HAVE_STRSTR` + - `HAVE_STRUCT_IN6_ADDR` + - `HAVE_TLD_H` + - `HAVE_TLD_STRERROR` + - `HAVE_UNAME` + - `HAVE_USLEEP` + - `HAVE_WINBER_H` + - `HAVE_WRITEV` + - `HAVE_X509_H` + - `LT_OBJDIR` + - `NEED_BASENAME_PROTO` + - `NOT_NEED_LIBNSL` + - `OPENSSL_NO_KRB5` + - `RECVFROM_TYPE*` + - `SIZEOF_LONG_DOUBLE` + - `STRERROR_R_TYPE_ARG3` + - `USE_YASSLEMUL` + - `_USRDLL` (from CMake) [4] + + [1] Related parts in `m4/curl-functions.m4` and `configure.ac` might + also be deleted. + + [2] Related comment can possibly be deleted in + `packages/vms/generate_config_vms_h_curl.com`. + + [3] There are more instances of this in autotools, but I did not dare to + touch those. Looked like it's used to detect socket support. + + [4] This is necessary for MFC (Microsoft Foundation Class) DLLs to + force linking MFC components statically to the DLL. `libcurl.dll` + does not use MFC, so we can delete this define. 
+ Ref: https://docs.microsoft.com/cpp/build/regular-dlls-statically-linked-to-mfc + + Script that can help finding unused settings like above: + ```shell + + autoheader configure.ac # generate lib/curl_config.h.in + + { + grep -o -E 'set\([A-Z][A-Z0-9_]{3,}' CMake/Platforms/WindowsCache.cmake | sed -E 's|set\(||g' + grep -o -E -h '#define +[A-Z][A-Z0-9_]{3,}' lib/config-*.h | sed -E 's|#define +||g' + grep -o -E '#cmakedefine +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.cmake | sed -E 's|#cmakedefine +||g' + grep -o -E '#undef +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.in | sed -E 's|#undef +||g' + } | sort -u | grep -v -F 'HEADER_CURL_' | while read -r def; do + c="$(git grep -w -F "${def}" | grep -v -E -c '(/libcurl\.tmpl|^lib/config-|^lib/curl_config\.h\.cmake|^CMakeLists\.txt|^CMake/Platforms/WindowsCache\.cmake|^packages/vms/config_h\.com|^m4/curl-functions\.m4|^acinclude\.m4|^configure\.ac)')" + if [ "${c}" = '0' ]; then + echo "${def}" + fi + done + ``` + + Reviewed-by: Daniel Stenberg + Closes #9044 + +Daniel Stenberg (19 Jul 2022) +- RELEASE-NOTES: synced + +- cookie: treat a blank domain in Set-Cookie: as non-existing + + This matches what RFC 6265 section 5.2.3 says. + + Extended test 31 to verify. + + Fixes #9164 + Reported-by: Gwen Shapira + Closes #9177 + +- [Patrick Monnerat brought this change] + + base64: base64url encoding has no padding + + See RFC4648 section 5 and RFC7540 section 3.2.1. + + Suppress generation of '=' padding of base64url encoding. This is + accomplished by considering the string beginning at offset 64 in the + character table as the padding: this is "=" for base64, "" for base64url. + + Also use strchr() to replace character search loops where possible. + + Suppress erroneous comments about empty encoding results. + + Adjust unit test 1302 to unpadded base64url encoding and add tests for + empty results. 
+ + Closes #9139 + +- easyoptions: fix icc warning + + easyoptions.c(360): error #188: enumerated type mixed with another type + + Ref: #9156 + Reported-by: Matthew Thompson + Closes #9176 + +- [lwthiker brought this change] + + h2h3: fix overriding the 'TE: Trailers' header + + A 'TE: Trailers' header is explicitly replaced by 'te: trailers' + (lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or + HTTP/3 headers. However, this is then replaced again by the original + value due to a bug, resulting in the uppercased version being sent. Some + HTTP/2 servers reject the whole HTTP/2 stream when this is the case. + + Closes #9170 + +- lib3026: reduce the number of threads to 100 + + Down from 1000, to make it run and work in more systems. + + Fixes #9172 + Reported-by: Érico Nogueira Rolim + Closes #9173 + +- doh: move doh related struct definitions to doh.h + + and make 'dnstype' in 'struct dnsprobe' use the DNStype to fix the icc compiler warning: + + doh.c(924): error #188: enumerated type mixed with another type + + Reported-by: Matthew Thompson + Ref #9156 + Closes #9174 + +Viktor Szakats (17 Jul 2022) +- Makefile.m32: stop trying to build libcares.a [ci skip] + + Before this patch, `lib/Makefile.m32` had a rule to build `libcares.a` in + `-cares`-enabled builds, via c-ares's own `Makefile.m32`. Committed in + 2007 [1]. The commit message doesn't specifically address this particular + change. This logic comes from the times when c-ares was part of the curl + source tree, hence the special treatment. + + This feature creates problems when building c-ares first, using CMake + and pointing `LIBCARES_PATH` to its install prefix, where `Makefile.m32` + is missing in such case. A sub-build for c-ares is undesired also when + c-ares had already been build via its own `Makefile.m32`. + + To avoid the sub-build, this patch deletes its Makefile rule. After this + patch `libcares.a` needs to be manually built before using it in + `Makefile.m32`. 
Aligning it with the rest of dependencies. + + [1] 46c92c0b806da041d7a5c6fb64dbcdc474d99b31 + + Reviewed-by: Daniel Stenberg + Closes #9169 + +Daniel Stenberg (17 Jul 2022) +- curl: writeout: fix repeated header outputs + + The function stored a terminating zero into the buffer for convenience, + but when on repeated calls that would cause problems. Starting now, the + passed in buffer is not modified. + + Reported-by: highmtworks on github + Fixes #9150 + Closes #9152 + +- curl_multi_timeout.3: clarify usage + + Fixes #9155 + Closes #9157 + Reported-by: jvvprasad78 on github + +- mprintf: make dprintf_formatf never return negative + + This function no longer returns a negative value if the formatting + string is bad since the return value would sometimes be propagated as a + return code from the mprintf* functions and they are documented to + return the length of the output. Which cannot be negative. + + Fixes #9149 + Closes #9151 + Reported-by: yiyuaner on github + +Viktor Szakats (17 Jul 2022) +- trace: 0x7F character is non-printable + + `0x7F` is `DEL`, a non-printable symbol, so print it as + `UNPRINTABLE_CHAR`. + + Reported-by: MasterInQuestion on github + Fixes #9162 + Closes #9166 + +- doh: use https protocol by default + + The only allowed protocol is https, so it makes sense to use that + by default if not passed explicitly by the user. + + Reported-by: MasterInQuestion on github + Reviewed-by: Jay Satiro + Fixes #9163 + Closes #9165 + +- openssl: fix BoringSSL symbol conflicts with LDAP and Schannel + + Same issue as here [1], but this time when building curl with BoringSSL + for Windows with LDAP(S) or Schannel support enabled. + + Apply the same fix [2] for these source files as well. + + This can also be fixed by moving `#include "urldata.h"` _before_ + including `winldap.h` and `schnlsp.h` respectively. This seems like + a cleaner fix, though I'm not sure why it works and if it has any + downside. 
+ + [1] https://github.com/curl/curl/issues/5669 + [2] https://github.com/curl/curl/commit/fbe07c6829ba8c5793c84c2856526e19e9029ab9 + + Co-authored-by: Jay Satiro + Closes #9110 + +Daniel Stenberg (13 Jul 2022) +- asyn-thread: make getaddrinfo_complete return CURLcode + + ... as the only caller that cares about what it returns assumes that + anyway. This caused icc to warn: + + asyn-thread.c(505): error #188: enumerated type mixed with another type + result = getaddrinfo_complete(data); + + Repoorted-by: Matthew Thompson + Bug: https://github.com/curl/curl/issues/9081#issuecomment-1182143076 + Closes #9146 + +- easy_lock: fix build with icc + + The Intel compiler tries to look like GCC *and* clang *and* it lies in + its __has_builtin() function (returns true when it should return false), + so override it. + + Reported-by: Matthew Thompson + Fixes #9081 + Closes #9144 + +- configure: fix --disable-headers-api + + Reported-by: Michał Antoniak + Fixes #9134 + Closes #9143 + +- test3026: require 'threadsafe' + + Reported-by: Sukanya Hanumanthu + Fixes #9141 + Closes #9142 + +- [Even Rouault brought this change] + + CMake: link curl to its dependencies with PRIVATE + + The current PUBLIC visibility causes issues for downstream users. + Cf https://github.com/OSGeo/PROJ/pull/3172#issuecomment-1157942986 + + Reviewed-by: Jakub Zakrzewski + Closes #9125 + +- [Even Rouault brought this change] + + CMake: remove APPEND in export(TARGETS) + + When running cmake several times, new content was appended to already + existing generated files, which is not appropriate + + Reviewed-by: Jakub Zakrzewski + Closes #9124 + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks + + Closes #9135 + +- RELEASE-NOTES: synced + +Viktor Szakats (11 Jul 2022) +- build: improve OS string in CMake and `config-win32.h` + + This patch makes CMake fill the "OS string" with the value of + `CMAKE_C_COMPILER_TARGET`, if passed. 
This typically contains a triplet, + the same we can pass to `./configure` via `--host=`. + + For non-CMake, non-autotools, Windows builds, this patch adds the ability + to override the default `OS` value in `lib/config-win32.h`. + + With these its possible to get the same OS string across the three build + systems. + + This patch supersedes the earlier, partial, CMake-only solution: + 435f395f3f8c11eebfcc243ca55ebcc11a19b8b8, thus retiring the + `CURL_OS_SUFFIX` CMake option. + + Reviewed-by: Jay Satiro + Closes #9117 + +- Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip] + + They allow to override the hardcoded values for the `windres` and `strip` + tools, complementing the existing set of `CURL_{CC,AR,RANLIB}` variables. + + `CURL_RC` comes handy when using LLVM tools with `CROSSPREFIX=llvm-` and + `CURL_CC=clang` set on current latest debian:unstable or earlier, where + `llvm-windres` is missing, and a `CURL_RC=<triplet>-windres` fixes it. + Hopefully this will be fixed in the llvm package. FWIW `llvm-windres` + does exist in Homebrew llvm, MSYS2 llvm and llvm-mingw. + + Reviewed-by: Daniel Stenberg + Closes #9132 + +Daniel Stenberg (10 Jul 2022) +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: fix stall or busy loop on STOP_SENDING with upload data + + Fixes #9122 + Closes #9123 + +- [Xiaoke Wang brought this change] + + tool_operate: better cleanup of easy handle in exit path + + Closes #9114 + +- [Xiaoke Wang brought this change] + + getinfo: return better error on NULL as first argument + + Closes #9114 + +- tool_getparam: repair cleanarg + + Regression since 9e5669f. + + Make sure the "cleaning" of command line arguments is done on the + original argv[] pointers. As a bonus, it also exits better on out of + memory error. 
+ + Reported-by: Litter White + Fixes #9128 + Closes #9130 + +Jay Satiro (10 Jul 2022) +- docs: explain curl_easy_escape/unescape curl handle is ignored + + 26101421 (precedes 7.82.0) removed character conversion support used by + very old legacy operating systems and since then the curl handle passed + to curl_easy_escape/unescape is always ignored. + + Bug: https://github.com/curl/curl/discussions/9115 + Reported-by: Ted Lyngmo + + Closes https://github.com/curl/curl/pull/9121 + +Viktor Szakats (8 Jul 2022) +- openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL + + BoringSSL doesn't keep a version number, and doesn't self-identify itself + via any other revision number via its own headers. We can identify + BoringSSL revisions by their commit hash. This hash is typically known by + the builder. This patch adds a way to pass this hash to libcurl, so that + it can display in the curl version string: + + For example: + + `CFLAGS=-DCURL_BORINGSSL_VERSION="c239ffd0"` + + ``` + curl 7.84.0 (x86_64-w64-mingw32) libcurl/7.84.0 BoringSSL/c239ffd0 (Schannel) zlib/1.2.12 [...] + Release-Date: 2022-06-27 + Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 [...] + Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos [...] + ``` + + The setting is optional, and if not passed, BoringSSL will appear without + a version number, like before this patch. 
+ + Closes #9113 + +Jay Satiro (8 Jul 2022) +- escape: remove outdated comment + + Bug: https://github.com/curl/curl/discussions/9115 + Reported-by: Ted Lyngmo + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: Fix missing initialization of nghttp3_nv.flags + + Closes https://github.com/curl/curl/pull/9118 + +Daniel Stenberg (6 Jul 2022) +- [Brad Forschinger brought this change] + + netrc.d: remove spurious quote + + Closes #9111 + +Viktor Szakats (6 Jul 2022) +- Makefile.m32: add `NGTCP2_LIBS` option [ci skip] + + Makefile.m32's ngtcp2 has its two libs hardwired for OpenSSL. + Add `NGTCP2_LIBS` envvar to override them with a custom list, + making it possible to use BoringSSL, or any other backend. + + Closes #9109 + +Jay Satiro (6 Jul 2022) +- [Evgeny Grin (Karlson2k) brought this change] + + digest: fix missing increment of 'nc' value for auth-int + + - Increment nc regardless of qop type. + + Prior to this change nc was only incremented for qop type auth even + though libcurl sends nc with any qop. + + Closes https://github.com/curl/curl/pull/9090 + +Daniel Stenberg (5 Jul 2022) +- RELEASE-NOTES: synced + + Bumped to 7.85.0 + +- urldata: reduce size of four ftp related members + + ftp_filemethod, ftpsslauth and ftp_ccc are now uchars + + accepttimeout is now unsigned int - almost 50 days ought to be enough + for this value. + + Closes #9106 + +- urldata: reduce three type-members from int to uchar + + - timecondition + - proxytype + - method + + ... previously used their enum type in the struct, which made them + unnecesarily large. + + Closes #9105 + +- CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name + + Starting now, CURLOPT_FTP_RESPONSE_TIMEOUT is the alias instead of the + other way around. + + Since 7.20.0, CURLOPT_SERVER_RESPONSE_TIMEOUT has existed as an alias + but since the option is for more protocols than FTP the more "correct" + version of the option is the "server" one so now we switch. 
+ + Closes #9104 + +- urldata: make 'ftp_create_missing_dirs' a uchar + + It only ever holds the values 0-2. + + Closes #9103 + +- [Don J Olmstead brought this change] + + cmake: support ngtcp2 boringssl backend + + Update the ngtcp2 find module to detect the boringssl backend. Determine + if the underlying OpenSSL implementation is BoringSSL and if so use that + as the ngtcp2 backend. + + Reviewed-by: Jakub Zakrzewski + Closes #9065 + +- urldata: change 4 timeouts to unsigned int from long + + They're not used for that long times anyway, 32 bit milliseconds is long + enough. + + Closes #9101 + +- urldata: make 'use_netrc' a uchar + + Closes #9102 + +- urldata: make 'buffer_size' an unsigned int + + It is already capped at READBUFFER_MAX which fits easily in 32 bits. + + Closes #9098 + +- urldata: remove the unused 'rtspversion' struct member + + Closes #9100 + +- urldata: make 'use_port' an usigned short + + ... instead of a long. It is already enforced to not attempt to set any + value outside of 16 bits unsigned. + + Closes #9099 + +- urldata: store dns cache timeout in an int + + 68 years ought to be enough for most. + + Closes #9097 + +- curl: proto2num: make sure obuf is inited + + Detected by Coverity. CID 1507052. + + Closes #9096 + +- cookie: use %zu to infof() for size_t values + + Detected by Coverity. CID 1507051 + Closes #9095 + +Viktor Szakats (4 Jul 2022) +- makefile.m32: add support for custom ARCH [ci skip] + + When building curl for target platform other than x64 and x86, it is now + possible to pass `ARCH=custom`, that will omit all hardcoded logic for + setting up CFLAGS/LDFLAGS/RCFLAGS for these platforms, and let these be + customized via `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, and a newly + added one for the resource compiler: `CURL_RCFLAG_EXTRAS`. + + This makes it possible to use `makefile.m32` to build for ARM64 for + example. 
+ + Reviewed-by: Daniel Stenberg + Closes #9092 + +- cmake: do not force Windows target versions + + The goal of this patch is to avoid CMake forcing specific Windows + versions and rely on toolchain defaults or manual selection instead. + This gives back control to the user. This also brings CMake closer to + how autotools and `Makefile.m32` behaves in this regard. + + - CMake had a setting `ENABLE_INET_PTON` defaulting to `ON`, which did + nothing else than fixing the Windows build target to Vista. This also + happened when the toolchain did not have Vista support (e.g. original + MinGW), breaking such builds. + + In other environments it did not make a user-facing difference, + because libcurl has its own pton() implementation, so it works well + with or without Vista's inet_pton(). + + This patch drops this setting. inet_pton() is now used whenever + building for Vista or newer, either when requested manually or by + default with modern toolchains (e.g. mingw-w64). Older envs will fall + back to curl's pton(). + + Ref: https://github.com/curl/curl/pull/9027#issuecomment-1164157604 + Ref: https://github.com/curl/curl/pull/8997#issuecomment-1164344155 + + - When the user did no select a Windows target version manually, stop + explicitly targeting Windows XP, and instead use the toolchain default. + + This may pose an issue with old toolchains defaulting to pre-XP + targets. In such case you must manually target Windows XP via: + `-DCURL_TARGET_WINDOWS_VERSION=0x0501` + or + `-DCMAKE_C_FLAGS=-D_WIN32_WINNT=0x0501` + + Reviewed-by: Jay Satiro + Reviewed-by: Marcel Raad + Closes #9046 + +- windows: improve random source + + - Use the Windows API to seed the fallback random generator. + + This ensures to always have a random seed, even when libcurl is built + with a vtls backend lacking a random generator API, such as rustls + (experimental), GSKit and certain mbedTLS builds, or, when libcurl is + built without a TLS backend. 
We reuse the Windows-specific random + function from the Schannel backend. + + - Implement support for `BCryptGenRandom()` [1] on Windows, as a + replacement for the deprecated `CryptGenRandom()` [2] function. + + It is used as the secure random generator for Schannel, and also to + provide entropy for libcurl's fallback random generator. The new + function is supported on Vista and newer via its `bcrypt.dll`. It is + used automatically when building for supported versions. It also works + in UWP apps (the old function did not). + + - Clear entropy buffer before calling the Windows random generator. + + This avoids using arbitrary application memory as entropy (with + `CryptGenRandom()`) and makes sure to return in a predictable state + when an API call fails. + + [1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom + [2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom + + Closes #9027 + +Daniel Stenberg (4 Jul 2022) +- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR + + ... as replacements for deprecated CURLOPT_PROTOCOLS and + CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the + 32 bit limit the old ones are facing. + + CURLINFO_PROTCOOL is now deprecated. + + The curl tool is updated to use the new options. + + Added test 1597 to verify the libcurl protocol parser. + + Closes #8992 + +- digest: simplify a switch() to a simple if + +- digest: provide a special bit for "sess" algos + + Also shortened the names and moved them to the .c file since they are + private for this source file only. Also made them #defines instead of + enum. + + Closes #9079 + +Jay Satiro (4 Jul 2022) +- [Thomas Weißschuh brought this change] + + select: do not return fatal error on EINTR from poll() + + The same was done for select() in 5912da25 but poll() was missed. 
+ + Bug: https://bugs.archlinux.org/task/75201 + Reported-by: Alexandre Bury (gyscos at archlinux) + + Ref: https://github.com/curl/curl/issues/8921 + Ref: https://github.com/curl/curl/pull/8961 + Ref: https://github.com/curl/curl/commit/5912da25#r77584294 + + Closes https://github.com/curl/curl/pull/9091 + +- [Kai Pastor brought this change] + + cmake: fix build for mingw cross compile + + - Change normaliz lib name to all lowercase. + + This is from a standing patch in vcpkg: + Mingw has libnormaliz.a. For case-sensitive file systems (e.g. cross + builds from Linux), the spelling must match exactly. + + Closes https://github.com/curl/curl/pull/9084 + +- easy_lock: fix build for mingw + + - Define SRWLOCK symbols missing in some mingw environments. + + Closes https://github.com/curl/curl/pull/8997 + +Daniel Stenberg (2 Jul 2022) +- tool_progress: avoid division by zero in parallel progress meter + + Reported-by: Brian Carpenter + Fixes #9082 + Closes #9083 + +- http_aws_sigv4.c: remove two unusued includes + + Closes #9080 + +- .mailmap: additional edit + + Follow-up to 861e2a8aca6c7 so that Evgeny appears with the same in git + logs even when using old email. + +- RELEASE-NOTES: synced + + bumped to 7.84.1 + +- [Evgeny Grin (Karlson2k) brought this change] + + .mailmap: updated + +- [Evgeny Grin (Karlson2k) brought this change] + + THANKS: merged two entries for Evgeny Grin + + Also updated THANKS-filter file + + Closes #9076 + +- [Jilayne Lovejoy brought this change] + + lib/curl_path.c: add ISC to license expression + + THe text of the ISC license is in this file, so the SPDX license + expression should be updated + + Closes #9073 + +- [Sean McArthur brought this change] + + hyper: use wakers for curl pause/resume + + Closes #9070 + +Viktor Szakats (30 Jun 2022) +- Makefile.m32: do not set the libcurl.rc debug flag [ci skip] + + Delete `-DDEBUGBUILD=0` windres option. 
This was likely meant to + disable VS_FF_DEBUG in FILEFLAGS, but any assigned value enabled + it instead. Delete this unnecessary option and thus sync up with + how CMake compiles libcurl.rc by default. + + Reviewed-by: Jay Satiro + Closes #9069 + +Daniel Stenberg (29 Jun 2022) +- curl.h: CURLE_CONV_FAILED is obsoleted + + The last use was removed in 7.82.0. Updated some docs too to reflect the + current error code situation. + + Closes #9067 + +- curl: output warning when a cookie is dropped due to size + + Dropped from the request, that is. + + Closes #9064 + +- curl_mime_data.3: polish the wording + + Closes #9063 + +- configure: check for the stdatomic.h header in configure + + ... and only set HAVE_ATOMIC if that header exists since we use + typedefes set in it. + + Reported-by: Ryan Schmidt + Fixes #9059 + Closes #9060 + +- easy_lock: fix the #ifdef conditional for ia32_pause + + To work better with new and old clang compilers. + + Reported-by: Ryan Schmidt + Assisted-by: Joshua Root + + Fixes #9058 + Closes #9062 + +- easy_lock: switch to using atomic_int instead of bool + + To work with more compilers without requiring separate libs to + link. Like with gcc-12 for RISC-V on Linux. + + Reported-by: Adam Sampson + Fixes #9055 + Closes #9061 + +- [vvb2060 brought this change] + + ngtcp2: fix incompatible function pointer types + + Closes #9056 + +- [vvb2060 brought this change] + + easy_lock.h: use __asm__ instead of asm to fix build + + Closes #9056 + +- [Samuel Henrique brought this change] + + libcurl-security.3: fix typo on macro "SH_" + + During the packaging of the latest curl release for Debian, Lintian + warned me about a typo which causes the section name "Secrets in memory" + to not be rendered in the manpage due to "SH_" not being recognized as a + header. + + Closes #9057 + +- easy_lock.h: include sched.h if available to fix build + + Patched-by: Harry Sintonen + + Closes #9054 + Version 7.84.0 (27 Jun 2022) Daniel Stenberg (27 Jun 2022) 
@@ -265,7 +5638,7 @@ Daniel Stenberg (20 Jun 2022) Closes #9028 -- [Philip H brought this change] +- [Philip Heiduck brought this change] CI: bump FreeBSD 13.0 to 13.1 @@ -748,7 +6121,7 @@ Daniel Stenberg (7 Jun 2022) Closes #8910 -- [Evgeny Grin brought this change] +- [Evgeny Grin (Karlson2k) brought this change] digest: tolerate missing "realm" @@ -757,7 +6130,7 @@ Daniel Stenberg (7 Jun 2022) Closes #8912 -- [Evgeny Grin brought this change] +- [Evgeny Grin (Karlson2k) brought this change] digest: added detection of more syntax error in server headers @@ -766,7 +6139,7 @@ Daniel Stenberg (7 Jun 2022) Closes #8912 -- [Evgeny Grin brought this change] +- [Evgeny Grin (Karlson2k) brought this change] digest: unquote realm and nonce before processing @@ -1924,7 +7297,7 @@ Daniel Gustafsson (5 May 2022) Daniel Stenberg (5 May 2022) - docs/THANKS: remove name duplicate -- [Philip H brought this change] +- [Philip Heiduck brought this change] .mailmap: update @@ -2014,7 +7387,7 @@ Daniel Gustafsson (2 May 2022) Reviewed-by: Daniel Stenberg <daniel@haxx.se> Daniel Stenberg (2 May 2022) -- [Philip H brought this change] +- [Philip Heiduck brought this change] misc: use "autoreconf -fi" instead buildconf @@ -2022,7 +7395,7 @@ Daniel Stenberg (2 May 2022) Closes #8777 Daniel Gustafsson (2 May 2022) -- [Philip H brought this change] +- [Philip Heiduck brought this change] cirrus: Use pip for Python packages on FreeBSD @@ -2032,7 +7405,7 @@ Daniel Gustafsson (2 May 2022) Closes: #8783 Reviewed-by: Daniel Gustafsson <daniel@yesql.se> -- [Philip H brought this change] +- [Philip Heiduck brought this change] cirrus: Update to FreeBSD 12.3 @@ -2314,7 +7687,7 @@ Daniel Stenberg (27 Apr 2022) Bug: https://hackerone.com/reports/1548535 Closes #8742 -- [Philip H brought this change] +- [Philip Heiduck brought this change] mlc: curl.zuul.vexxhost.dev is reachable again 
@@ -3024,7 +8397,7 @@ Marc Hoersken (23 Mar 2022) Closes #8594 Daniel Stenberg (22 Mar 2022) -- [Philip H brought this change] +- [Philip Heiduck brought this change] firefox-db2pem.sh: make the shell script safer @@ -3072,7 +8445,7 @@ Daniel Stenberg (22 Mar 2022) Closes #8623 -- [Philip H brought this change] +- [Philip Heiduck brought this change] ci/event-based.yml: improve impacket install @@ -3195,7 +8568,7 @@ Daniel Stenberg (22 Mar 2022) - scripts/copyright.pl: ignore the new mlc_config.json file -- [Philip H brought this change] +- [Philip Heiduck brought this change] mlc_config.json: add file to ignore known troublesome URLs @@ -3205,7 +8578,7 @@ Daniel Stenberg (22 Mar 2022) Closes #8597 -- [Philip H brought this change] +- [Philip Heiduck brought this change] winbuild/README.md: fixup dead link @@ -3273,7 +8646,7 @@ Daniel Stenberg (17 Mar 2022) Closes #8601 -- [Philip H brought this change] +- [Philip Heiduck brought this change] CI: Do not use buildconf. Instead, just use: autoreconf -fi 
@@ -3490,3966 +8863,3 @@ Daniel Stenberg (9 Mar 2022) connect: make Curl_getconnectinfo work with conn cache from share handle Closes #8524 - -- [lwthiker brought this change] - - openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL - - The CURLOPT_SSL_EC_CURVES option (used by the '--curves' flag) in - libcurl was ignored when compiling with BoringSSL because - HAVE_SSL_CTX_SET_EC_CURVES was explicitly disabled if BoringSSL was - detected. However, this feature is supported in BoringSSL since - 5fd1807d. This commit enables it, and also reduces the required minimal - OpenSSL version to 1.0.2 as per OpenSSL's official documentation. - - Fixes #8553 - Closes #8556 - -- [Samuel Henrique brought this change] - - json.d: fix typo (overriden -> overridden) - - Closes #8557 - -- wolfssl: fix compiler error without IPv6 - - Reported-by: Joseph Chen - Fixes #8550 - Closes #8552 - -- RELEASE-NOTES: synced - - and bump pending version to 7.82.1 - -- [Paul Howarth brought this change] - - runtests: make 'oldlibssh' be before 0.9.4 - - The 'oldlibssh' feature indicates that the error code returned by libssh - for a broken known_hosts file should be 67 rather than 60 (test1459). - This feature was added as part of #8444 with 'oldlibssh' mapping to - libssh versions prior to 0.9.6, and then refined as part of #8511 to map - to versions prior to 0.9.5. - - In Red Hat Enterprise Linux 8.5 there is a patched version of libssh - version 0.9.4 (https://git.centos.org/rpms/libssh/blob/c8/f/SOURCES) in - which test1459 fails because it returns the "new" value rather than the - "old" one. It's plausible that one of the patches is responsible for - this rather than the underlying code but I don't think so. - - This change therefore drops the 'oldlibssh' version check to map to - libssh versions older than 0.9.4, which fixes builds on RHEL-8. - - Closes #8548 - -- ipv4/6.d: clarify that they are about using IP addresses - - ... 
they may still *resolve* other families, but not use those - addresses. - - Ref: #8530 - Closes #8543 - -- [r-a-sattarov brought this change] - - curl/system.h: update ifdef condition for MCST-LCC compiler - - in mcst-lcc compiler => 1.25 added a new macro definition to determine - compiler - - Closes #8546 - -Marc Hoersken (6 Mar 2022) -- CI: install Python package impacket to run SMB test 1451 - - Install Python package impacket in relevant CI workflows. - - Follow up to #7935 - Supersedes #7940 - Closes #8544 - -Daniel Stenberg (5 Mar 2022) -- [Michał Antoniak brought this change] - - connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined - - Closes #8539 - -- docs/HYPER.md: updated to reflect current hyper build needs - -- GHA: build hyper with nightly rustc - - Closes #8545 - -Version 7.82.0 (5 Mar 2022) - -Daniel Stenberg (5 Mar 2022) -- RELEASE-NOTES: synced - - The 7.82.0 release - -- THANKS: updates from the 7.82.0 release notes - -- misc: update copyright year ranges - -Jay Satiro (5 Mar 2022) -- unit1610: init SSL library before calling SHA256 functions - - The SSL library must be initialized (via global initialization) because - libcurl's SHA256 functions may call SHA256 functions in the SSL library. - - Reported-by: Gisle Vanem - - Fixes https://github.com/curl/curl/issues/8538 - Closes https://github.com/curl/curl/pull/8540 - -- examples/curlx: support building with OpenSSL 1.1.0+ - - - Access members of X509_STORE_CTX in OpenSSL 1.1.0+ by using API - functions. - - The X509_STORE_CTX struct has been opaque since OpenSSL 1.1.0. 
- - Ref: https://curl.se/mail/lib-2022-03/0004.html - - Closes https://github.com/curl/curl/pull/8529 - -- h2h3: fix typo - - Bug: https://github.com/curl/curl/issues/8381#issuecomment-1055440241 - Reported-by: Michael Kaufmann - -- [Farzin brought this change] - - CURLOPT_XFERINFOFUNCTION.3: fix example struct assignment - - Closes https://github.com/curl/curl/pull/8519 - -Daniel Stenberg (26 Feb 2022) -- azure-pipelines: add a build on Windows with libssh - - Closes #8511 - -- runtests: make 'oldlibssh' be before 0.9.5 - - Closes #8511 - -- libssh: fix include files and defines use for Windows builds - - Reported-by: 梦终无痕 - Bug: https://curl.se/mail/lib-2022-02/0131.html - Closes #8511 - -- RELEASE-NOTES: synced - -- [illusory-dream brought this change] - - winbuild: add parameter WITH_SSH - - For building with libssh - Closes #8514 - -- configure: change output for cross-compiled alt-svc support - - It said 'no', while it actually is 'yes' - - Closes #8512 - -- gha: add a macOS CI job with libssh - - Closes #8513 - -- TODO: remove "Bring back libssh tests on Travis" - - The job was added to Circle CI in d8ddd0e7536 - -- TODO: remove "better persistency for HTTP/1.0" - - Let's not bother. - -- TODO: remove "Option to ignore private IP" - - ... as curl ignores the IP entirely by default these days. 
- -- TODO: remove "hardcode the "localhost" addresses" - - This is implmented since 1a0ebf6632f88 - -- TODO: 1.24 was a dupe of 1.1 - -- TODO: remove "Typesafe curl_easy_setopt()" - - I don't consider this a serious TODO item - -- KNOWN_BUGS: remove "Uploading HTTP/3 files gets interrupted" - - This works now - -- KNOWN_BUGS: remove "HTTP/3 multipart POST with quiche fails" - - It works now - -- quiche: remove two leftover debug infof() outputs - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Reset dynbuf when it is fully drained - - Reported-by: vl409 on github - Fixes #7351 - Closes #8504 - -- [Stewart Gebbie brought this change] - - hostip: avoid unused parameter error in Curl_resolv_check - - When built without DNS-over-HTTP and without asynchronous resolvers, - neither the dns nor the data parameters are used. - - That is Curl_resolv_check appears to call - Curl_resolver_is_resolved(data, dns). But, - with CURL_DISABLE_DOH without CURLRES_ASYNCH, the call is actually - elided via a macro definition. - - This fix resolves the resultant: "unused parameter 'data'" error. - - Closes #8505 - -- http2: move two infof calls to debug-h2-only - - and remove a superflous one - - Ref: https://github.com/curl/curl/discussions/8498 - Closes #8502 - -- [Jean-Philippe Menil brought this change] - - quiche: fix upload for bigger content-length - - 
Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com> - Closes #8421 - -Jay Satiro (23 Feb 2022) -- [Farzin brought this change] - - CURLOPT_PROGRESSFUNCTION.3: fix example struct assignment - - Closes https://github.com/curl/curl/pull/8500 - -Daniel Stenberg (22 Feb 2022) -- [Rob Boeckermann brought this change] - - OS400/README: clarify compilation steps - - Closes #8494 - -- [Rob Boeckermann brought this change] - - OS400: fix typos in rpg include file - - This resolves issues compiling rpg code that includes the curl header - file. - - Closes #8494 - -- [Michał Antoniak brought this change] - - vtls: fix socket check conditions - - fix condition to check the second socket during associate and - disassociate connection - - Closes #8493 - -- libssh2: don't typecast socket to int for libssh2_session_handshake - - Since libssh2_socket_t uses SOCKET on windows which can be larger than - int. - - Closes #8492 - -- RELEASE-NOTES: fix typo and make one desc shorter - -- RELEASE-NOTES: synced - -- CURLOPT_XFERINFOFUNCTION.3: fix typo in example - - Reported-by: coralw on github - Fixes #8487 - Closes #8488 - -- README: disable linkchecks for the sponsor links - - Closes #8489 - -Jay Satiro (21 Feb 2022) -- openssl: check if sessionid flag is enabled before retrieving session - - Ideally, Curl_ssl_getsessionid should not be called unless sessionid - caching is enabled. There is a debug assertion in the function to help - ensure that. Therefore, the pattern in all vtls is basically: - - if(primary.sessionid) {lock(); Curl_ssl_getsessionid(...); unlock();} - - There was one instance in openssl.c where sessionid was not checked - beforehand and this change fixes that. - - Prior to this change an assertion would occur in openssl debug builds - during connection stage if session caching was disabled. 
- - Reported-by: Jim Beveridge - - Fixes https://github.com/curl/curl/issues/8472 - Closes https://github.com/curl/curl/pull/8484 - -- multi: allow user callbacks to call curl_multi_assign - - Several years ago a change was made to block user callbacks from calling - back into the API when not supported (recursive calls). One of the calls - blocked was curl_multi_assign. Recently the blocking was extended to the - multi interface API, however curl_multi_assign may need to be called - from within those user callbacks (eg CURLMOPT_SOCKETFUNCTION). - - I can't think of any callback where it would be unsafe to call - curl_multi_assign so I removed the restriction entirely. - - Reported-by: Michael Wallner - - Ref: https://github.com/curl/curl/commit/b46cfbc - Ref: https://github.com/curl/curl/commit/340bb19 - - Fixes https://github.com/curl/curl/issues/8480 - Closes https://github.com/curl/curl/pull/8483 - -Daniel Stenberg (21 Feb 2022) -- [Michał Antoniak brought this change] - - ssl: reduce allocated space for ssl backend when FTP is disabled - - Add assert() for the backend pointer in many places - - Closes #8471 - -- [Michał Antoniak brought this change] - - checkprefix: remove strlen calls - - Closes #8481 - -Jay Satiro (20 Feb 2022) -- [1337vt brought this change] - - curl.h: fix typo - - Closes https://github.com/curl/curl/pull/8482 - -- [Jan Venekamp brought this change] - - sectransp: mark a 3DES cipher as weak - - - Change TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA strength to weak. - - All other 3DES ciphers are already marked as weak. - - Closes https://github.com/curl/curl/pull/8479 - -- [Jan Venekamp brought this change] - - bearssl: fix EXC_BAD_ACCESS on incomplete CA cert - - - Do not create trust anchor object for a CA certificate until after it - is processed. - - Prior to this change the object was created at state BR_PEM_BEGIN_OBJ - (certificate processing begin state). 
An incomplete certificate (for - example missing a newline at the end) never reaches BR_PEM_END_OBJ - (certificate processing end state) and therefore the trust anchor data - was not set in those objects, which caused EXC_BAD_ACCESS. - - Ref: https://github.com/curl/curl/pull/8106 - - Closes https://github.com/curl/curl/pull/8476 - -- [Jan Venekamp brought this change] - - bearssl: fix connect error on expired cert and no verify - - - When peer verification is disabled use the x509_decode engine instead - of the x509_minimal engine to parse and extract the public key from - the first cert of the chain. - - Prior to this change in such a case no key was extracted and that caused - CURLE_SSL_CONNECT_ERROR. The x509_minimal engine will stop parsing if - any validity check fails but the x509_decode won't. - - Ref: https://github.com/curl/curl/pull/8106 - - Closes https://github.com/curl/curl/pull/8475 - -- [Jan Venekamp brought this change] - - bearssl: fix session resumption (session id) - - Prior to this change br_ssl_client_reset was mistakenly called with - resume_session param set to 0, which disabled session resumption. - - Ref: https://github.com/curl/curl/pull/8106 - - Closes https://github.com/curl/curl/pull/8474 - -Daniel Stenberg (18 Feb 2022) -- [Michał Antoniak brought this change] - - openssl: fix build for version < 1.1.0 - - Closes #8470 - -- [Joel Depooter brought this change] - - schannel: move the algIds array out of schannel.h - - This array is only used by the SCHANNEL_CRED struct in the - schannel_acquire_credential_handle function. It can therefore be kept as - a local variable. This is a minor update to - bbb71507b7bab52002f9b1e0880bed6a32834511. - - This change also updates the NUM_CIPHERS value to accurately count the - number of ciphers options listed in schannel.c, which is 47 instead of - 45. It is unlikely that anyone tries to set all 47 values, but if they - had tried, the last two would not have been set. 
- - Closes #8469 - -- [Alejandro R. Sedeño brought this change] - - configure.ac: use user-specified gssapi dir when using pkg-config - - Using the system pkg-config path in the face of a user-specified - library path is asking to link the wrong library. - - Reported-by: Michael Kaufmann - Fixes #8289 - Closes #8456 - -- [Kevin Adler brought this change] - - os400: Add link to QADRT devkit to README.OS400 - - Closes #8455 - -- [Kevin Adler brought this change] - - os400: Add function wrapper for system command - - The wrapper will exit if the system command failed instead of blindly - continuing on. - - In addition, only copy docs which exist, since now the copy failure will - cause the build to stop. - - Closes #8455 - -- [Kevin Adler brought this change] - - os400: Default build to target current release - - V6R1M0 is not available as a target release since IBM i 7.2. To keep - from having to keep this up to date in git, default to the current - release. Users can configure this to whatever release they want to - actually build for. - - Closes #8455 - -- docs/INTERNALS.md: clean up, refer to the book - - The explanatory parts are now in the everything curl book (which can - also use images etc). This document now refers to that resource and only - leaves listings of supported versions of libs, tools and operating - systems. See https://everything.curl.dev/internals - - Closes #8467 - -Marcel Raad (17 Feb 2022) -- des: fix compile break for OpenSSL without DES - - When `USE_OPENSSL` was defined but OpenSSL had no DES support and a - different crypto library was used for that, `Curl_des_set_odd_parity` - was called but not defined. This could for example happen on Windows - and macOS when using OpenSSL v3 with deprecated features disabled. - - Use the same condition for the function definition as used at the - caller side, but leaving out the OpenSSL part to avoid including - OpenSSL headers. 
- - Closes https://github.com/curl/curl/pull/8459 - -Daniel Stenberg (17 Feb 2022) -- RELEASE-NOTES: synced - -- docs/DEPRECATE: remove NPN support in August 2022 - - Closes #8458 - -- ftp: provide error message for control bytes in path - - Closes #8460 - -- http: fix "unused parameter ‘conn’" warning - - Follow-up from 7d600ad1c395 - - Spotted on appveyor - - Closes #8465 - -Jay Satiro (17 Feb 2022) -- [Alejandro R. Sedeño brought this change] - - sha256: Fix minimum OpenSSL version - - - Change the minimum OpenSSL version for using their SHA256 - implementation from 0.9.7 to 0.9.8. - - EVP_sha256() does not appear in the OpenSSL source before 0.9.7h, and - does not get built by default until 0.9.8, so trying to use it for all - 0.9.7 is wrong, and before 0.9.8 is unreliable. - - Closes https://github.com/curl/curl/pull/8464 - -Daniel Stenberg (16 Feb 2022) -- KNOWN_BUGS: remove "slow connect to localhost on Windows" - - localhost is not resolved anymore since 1a0ebf6632f88 - -- KNOWN_BUGS: remove "HTTP/3 download is 5x times slower than HTTP/2" - - It's not actually a bug. More like room for improvement. - -- KNOWN_BUGS: remove "HTTP/3 download with quiche halts after a while" - - Follow-up to 96f85a0fef694 - -- KNOWN_BUGS: remove "pulseUI vpn" as a problem - - We haven't heard about this for a long time and rumours have it they - might have fixed it. - -- urldata: remove conn->bits.user_passwd - - The authentication status should be told by the transfer and not the - connection. - - Reported-by: John H. Ayad - Fixes #8449 - Closes #8451 - -- [Kevin Adler brought this change] - - gskit: Convert to using Curl_poll - - As mentioned in 32766cb, gskit was the last user of Curl_select which is - now gone. Convert to using Curl_poll to allow build to work on IBM i. 
- - Closes #8454 - -- [Kevin Adler brought this change] - - gskit: Fix initialization of Curl_ssl_gskit struct - - In c30bf22, Curl_ssl_getsock was factored out in to a member of - struct Curl_ssl but the gskit initialization was not updated to reflect - this new member. - - Closes #8454 - -- [Kevin Adler brought this change] - - gskit: Fix errors from Curl_strerror refactor - - 2f0bb864c1 replaced sterror with Curl_strerror, but the strerror buffer - shadows the set_buffer "buffer" parameter. To keep consistency with the - other functions that use Curl_strerror, rename the parameter. - - In addition, strerror.h is needed for the definition of STRERROR_LEN. - - Closes #8454 - -Marcel Raad (15 Feb 2022) -- ntlm: remove unused feature defines - - They're not used anymore and always supported. - - Closes https://github.com/curl/curl/pull/8453 - -Daniel Stenberg (15 Feb 2022) -- [Kantanat Wannapaka brought this change] - - README.md: fix link and layout - - replace <a></a> tags and <img></img> tags - - Closes #8448 - -- KNOWN_BUGS: fix typo "libpsl" - -Jay Satiro (14 Feb 2022) -- h2h3: fix compiler warning due to function prototype mismatch - - - Add missing const qualifier in Curl_pseudo_headers declaration. - -Daniel Stenberg (14 Feb 2022) -- [Stefan Eissing brought this change] - - urlapi: handle "redirects" smarter - - - avoid one malloc when setting a new url via curl_url_set() - and CURLUPART_URL. - - extract common pattern into a new static function. - - Closes #8450 - -- cijobs: pick up circleci configure lines better - -- circleci: add a job using wolfSSH - - Build only, no tests. - - Closes #8445 - -- scripts/ciconfig.pl: show used options not available - -- circleci: add a job using libssh - - Closes #8444 - -- runtests: set 'oldlibssh' for libssh versions before 0.9.6 - - ... and make test 1459 check for the different return code then. 
- - Closes #8444 - -Jay Satiro (13 Feb 2022) -- Makefile.am: Generate VS 2022 projects - - Follow-up to f13d4d0 which added VS 2022 project support. - - Ref: https://github.com/curl/curl/pull/8438 - -- [Daniel Stenberg brought this change] - - projects: remove support for MSVC before VC10 (Visual Studio 2010) - - - Remove Visual Studio project files for VC6, VC7, VC7.1, VC8 and VC9. - - Those versions are too old to be maintained any longer. - - Closes https://github.com/curl/curl/pull/8442 - -- [Stav Nir brought this change] - - projects: add support for Visual Studio 17 (2022) - - Closes https://github.com/curl/curl/pull/8438 - -Daniel Stenberg (13 Feb 2022) -- RELEASE-NOTES: synced - -- connect: follow-up fix the copyright year - -- [Michał Antoniak brought this change] - - misc: remove unused data when IPv6 is not supported - - Closes #8430 - -- scripts/ciconfig: show CI job config info - - Closes #8446 - -- quiche: handle stream reset - - A stream reset now causes a CURLE_PARTIAL_FILE error. I'm not convinced - this is the right action nor the right error code. - - Reported-by: Lucas Pardue - Fixes #8437 - Closes #8440 - -- mime: use a define instead of the magic number 24 - - MIME_BOUNDARY_DASHES is now the number of leading dashes in the - generated boundary string. - - Closes #8441 - -- [Henrik Holst brought this change] - - hostcheck: reduce strlen calls on chained certificates - - Closes #8428 - -- [Patrick Monnerat brought this change] - - mime: some more strlen() call removals. 
- - Closes #8423 - -- scripts/cijobs.pl: detect zuul cmake jobs better - -- url: exclude zonefrom_url when no ipv6 is available - - Closes #8439 - -- if2ip: make Curl_ipv6_scope a blank macro when IPv6-disabled - - Closes #8439 - -- [Henrik Holst brought this change] - - mprintf: remove strlen calls on empty strings in dprintf_formatf - - Turns out that in dprintf_formatf we did a strlen on empty strings, a - bit strange is how common this actually is, 24 alone when doing a simple - GET from https://curl.se - - Closes #8427 - -- wolfssl: return CURLE_AGAIN for the SSL_ERROR_NONE case - - Closes #8431 - -- wolfssl: when SSL_read() returns zero, check the error - - Returning zero indicates end of connection, so if there's no data read - but the connection is alive, it needs to return -1 with CURLE_AGAIN. - - Closes #8431 - -- quiche: after leaving h3_recving state, poll again - - This could otherwise easily leave libcurl "hanging" after the entire - transfer is done but without noticing the end-of-transfer signal. - - Assisted-by: Lucas Pardue - Closes #8436 - -- quiche: when *recv_body() returns data, drain it before polling again - - Assisted-by: Lucas Pardue - - Closes #8429 - -- [gaoxingwang on github brought this change] - - configure: fix '--enable-code-coverage' typo - - Fixes #8425 - Closes #8426 - -- lib/h2h3: #ifdef on ENABLE_QUIC, not the wrong define - - Otherwise the build fails when H3 is enabled but the build doesn't - include nghttp2. - - Closes #8424 - -- hostcheck: pass in pattern length too, to avoid a strlen call - - Removes one strlen() call per SAN name in a cert-check. 
- - Closes #8418 - -- [Henrik Holst brought this change] - - misc: remove strlen for Curl_checkheaders + Curl_checkProxyheaders - - Closes #8409 - -- configure: requires --with-nss-deprecated to build with NSS - - Add deprecation plans to docs/DEPRECATE.md - - Closes #8395 - -- mqtt: free 'sendleftovers' in disconnect - - Fix a memory-leak - - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43646 - Closes #8415 - -- [Patrick Monnerat brought this change] - - openldap: pass string length arguments to client_write() - - This uses the new STRCONST() macro and saves 2 strlen() calls on short - string constants per LDIF output line. - - Closes #8404 - -- [Henrik Holst brought this change] - - misc: reduce strlen() calls with Curl_dyn_add() - - Use STRCONST() to switch from Curl_dyn_add() to Curl_dyn_addn() for - string literals. - - Closes #8398 - -- http2: fix the array copy to nghttp2_nv - - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44517 - Follow-up to 9f985a11e794 - Closes #8414 - -- RELEASE-NOTES: synced - -- scripts/cijobs.pl: output data about all currect CI jobs - - This script parses the config files for all the CI services currently in - use and output the information in a uniform way. The idea is that the - output from this script should be possible to massage into informational - tables or graphs to help us visualize what they are all testing and NOT - testing. - - Closes #8408 - -- maketgz: return error if 'make dist' fails - - To better detect this problem in CI jobs - - Reported-by: Marcel Raad - Bug: https://curl.se/mail/lib-2022-02/0070.html - Closes #8402 - -- h2h3: pass correct argument types to infof() - - Detected by Coverity. CID 1497993 - - Closes #8401 - -- lib/Makefile: remove config-tpf.h from the dist - - Follow-up from da15443dddea2bfb. Missed before because the 'distcheck' - CI job was not working as intended. 
- - Reported-by: Marcel Raad - Bug: https://curl.se/mail/lib-2022-02/0070.html - Closes #8403 - -- configure: remove support for "embedded ares" - - In March 2010 (commit 4259d2df7dd) we removed the embedded 'ares' - directory from the curl source tree but we have since supported - especially detecting and using that build directory. The time has come - to remove that kludge and ask users to specify the c-ares dir correctly - with --enable-ares. - - Closes #8397 - -- [Sebastian Sterk brought this change] - - github/workflows/mbedtls: fix indent & remove unnecessary line breaks - - Closes #8399 - -- CI: move the NSS job from zuul to GHA - - Closes #8396 - -- tests/unit/Makefile.am: add NSS_LIBS to build with NSS fine - - Closes #8396 - -Marcel Raad (7 Feb 2022) -- curl-openssl: fix SRP check for OpenSSL 3.0 - - When OpenSSL 3.0 is built with `--api=3.0` and `no-deprecated`, the SRP - functions exist in the library, but are disabled for user code. Check - if they are actually usable instead of only if they exist. Also, check - for the functions actually required for TLS-SRP. - - TLS-SRP support is still enabled if OpenSSL is configured with just - `--api=3.0` or with `--api=1.1.1 no-deprecated`. - - Closes https://github.com/curl/curl/pull/8394 - -Daniel Stenberg (7 Feb 2022) -- [Henrik Holst brought this change] - - http: make Curl_compareheader() take string length arguments too - - Also add STRCONST, a macro that returns a string literal and it's length - for functions that take "string,len" - - Removes unnecesary calls to strlen(). - - Closes #8391 - -- vquic/vquic.h: removed the unused H3 psuedo defines - -- ngtcp2: use Curl_pseudo_headers - -- quiche: use Curl_pseudo_headers - -- http2: use Curl_pseudo_headers - -- h2h3: added Curl_pseudo_headers() - - For use with both http2 and http3 requests. 
- -- ngtcp2/quiche: make :scheme possible to set - -- http2: allow CURLOPT_HTTPHEADER change ":scheme" - - The only h2 psuedo header that wasn't previously possible to change by a - user. This change also makes it impossible to send a HTTP/1 header that - starts with a colon, which I don't think anyone does anyway. - - The other pseudo headers are possible to change indirectly by doing the - rightly crafted request. - - Reported-by: siddharthchhabrap on github - Fixes #8381 - Closes #8393 - -- h2/h3: provide and refer to pseudo headers as defines - - ... and do sizeof() on the defines to use constants better. - - Closes #8389 - -- [Michał Antoniak brought this change] - - smb: passing a socket for writing and reading data instead of FIRSTSOCKET - - Closes #8383 - -- x509asn1: toggle off functions not needed for diff tls backends - - ... and clean the header file from private defines/structs (move to C - file) and unused function prototypes. - - Closes #8386 - -- lib: move hostcheck and x509sn1 sources to vtls/ - - ... since they are used strictly by TLS code. - - Closes #8386 - -Marcel Raad (4 Feb 2022) -- version_win32: fix warning for `CURL_WINDOWS_APP` - - The build version is not supported by the UWP code. - - Closes https://github.com/curl/curl/pull/8385 - -Daniel Stenberg (4 Feb 2022) -- tests/disable-scan.pl: properly detect multiple symbols per line - - Test 1165 would fail on some systems because it didn't detect - CURL_DISABLE_* symbols that were used to the right of another one on the - same line! The script would only detect and extract the first one. - - Reported-by: Marcel Raad - Fixes #8384 - Closes #8388 - -Jay Satiro (4 Feb 2022) -- config.d: Clarify _curlrc filename is still valid on Windows - - Recent changes added support for filename .curlrc on Windows, and - when it's not found curl falls back on the original Windows filename - _curlrc. _curlrc was removed from the doc, however it is still valid. 
- - Closes https://github.com/curl/curl/pull/8382 - -Daniel Stenberg (4 Feb 2022) -- lib: remove support for CURL_DOES_CONVERSIONS - - TPF was the only user and support for that was dropped. - - Closes #8378 - -- TPF: drop support - - There has been no TPF related changes done since September 2010 (commit - 7e1a45e224e57) and since this is a platform that is relatively different - than many others (== needs attention), I draw the conclusion that this - build is broken since a long time. - - Closes #8378 - -- scripts/delta: check the file delta for current branch - - ... also polish the output style a little bit - -Jay Satiro (3 Feb 2022) -- [Fabian Keil brought this change] - - runtests.pl: tolerate test directories without Makefile.inc - - Silences the following warnings when using a Makefile.inc-free - TESTDIR using the "-o" argument: - - readline() on closed filehandle D at ./runtests.pl line 592. - Use of uninitialized value $disttests in pattern match (m//) at - ./runtests.pl line 3602. - - Closes https://github.com/curl/curl/pull/8379 - -Daniel Stenberg (3 Feb 2022) -- [Henrik Holst brought this change] - - setopt: do bounds-check before strdup - - Curl_setstropt() allocated memory for the string before checking if the - string was within bounds. The bounds check should be done first. - - Closes #8377 - -- [Michał Antoniak brought this change] - - mbedtls: enable use of mbedtls without filesystem functions support - - Closes #8376 - -- [Bernhard Walle brought this change] - - configure: support specification of a nghttp2 library path - - This enables using --with-nghttp2=<dir> on systems without pkg-config. - - Closes #8375 - -- scripts/release-notes.pl: remove leftover debug output - -- RELEASE-NOTES: synced - -- scripts/release-notes.pl: fix number extraction for full URLs - -- [Leah Neukirchen brought this change] - - scripts/completion.pl: improve zsh completion - - - Detect all spellings of <file>, <file name> etc as well as <path>. 
- - Only complete directories for <dir>. - - Complete URLs for <URL>. - - Complete --request and --ftp-method. - - Closes #8363 - -- [Davide Cassioli brought this change] - - configure: use correct CFLAGS for threaded resolver with xlC on AIX - - Fixes #8276 - Closes #8374 - -- mailmap: Henrik Holst - -Jay Satiro (2 Feb 2022) -- build: fix ngtcp2 crypto library detection - - - Change library link check for ngtcp2_crypto_{gnutls,openssl} to - to use function ngtcp2_crypto_recv_client_initial_cb instead of - ngtcp2_crypto_ctx_initial. - - The latter function is no longer external since two days ago in - ngtcp2/ngtcp2@533451f. curl HTTP/3 CI builds have been failing since - then because they would not link to the ngtcp2 crypto library. - - Ref: https://github.com/ngtcp2/ngtcp2/pull/356 - - Closes https://github.com/curl/curl/pull/8372 - -- [Henrik Holst brought this change] - - urlapi: remove an unnecessary call to strlen - - - Use strcpy instead of strlen+memcpy to copy the url path. - - Ref: https://curl.se/mail/lib-2022-02/0006.html - - Closes https://github.com/curl/curl/pull/8370 - -Daniel Stenberg (1 Feb 2022) -- scripts/copyright.pl: fix for handling removed files better - -- vxworks: drop support - - No changes or fixes in vxworks related code since 2009 leads me to - believe that this doesn't work anymore. 
- - Closes #8362 - -- [Henrik Holst brought this change] - - base64: remove an unnecessary call to strlen - - Closes #8369 - -- tool_getparam: initial --json support - - Adds these test cases: - - 383 - simple single command line option - 384 - reading it from stdin - 385 - getting two --json options on command line - 386 - --next works after --json - - Closes #8314 - -- [Bjarni Ingi Gislason brought this change] - - curl_getdate.3: remove pointless .PP line - - mandoc: WARNING: skipping paragraph macro: PP empty - - Reported-by: Samuel Henrique - Closes #8365 - -- [Sebastian Sterk brought this change] - - multi: grammar fix in comment - - After 'must', the verb is used without 'to'. Correct: "must" or "have - to" - - Closes #8368 - -- openldap: fix compiler warning when built without SSL support - - openldap.c:841:52: error: unused parameter ‘data’ [-Werror=unused-parameter] - - Closes #8367 - -- [Samuel Henrique brought this change] - - CURLSHOPT_LOCKFUNC.3: fix typo "relased" -> "released" - - Found when packaging 7.81.0 for Debian. - - Closes #8364 - -- netware: remove support - - There are no current users and no Netware related changes done in the - code for over 13 years is a clear sign this is abandoned. - - Closes #8358 - -- CI: move two jobs from Zuul to Circle CI - - - openssl-no-verbose - - openssl-no-proxy - - Closes #8359 - -- cirlceci: also run a c-ares job on arm with debug enabled - - Closes #8357 - -- ci: move the OpenSSL + c-ares job from Zuul to Circle CI - - Closes #8357 - -- mailmap: Jan-Piet Mens - -- [luminixinc on github brought this change] - - multi: remember connection_id before returning connection to pool - - Fix a bug that does not require a new CVE as discussed on hackerone.com. - Previously `connection_id` was accessed after returning connection to - the shared pool. 
- - Bug: https://hackerone.com/reports/1463013 - Closes #8355 - -Jay Satiro (31 Jan 2022) -- write-out.d: Fix num_headers formatting - -- [Jan-Piet Mens brought this change] - - docs: capitalize the name 'Netscape' - - Closes https://github.com/curl/curl/pull/8354 - -Daniel Stenberg (30 Jan 2022) -- RELEASE-NOTES: synced - -- [Antoine Pietri brought this change] - - docs: grammar proofread, typo fixes - - (Partially automated) proofread of most of the documentation, leading to - various typo fixes. - - Closes #8353 - -- urldata: CONN_IS_PROXIED replaces bits.close when proxy can be disabled - - To remove run-time checks for such builds. - - Closes #8350 - -- setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds - - Closes #8350 - -- conncache: make conncache_add_bundle return the pointer - - Simplifies the logic a little and avoids a ternary operator. - - Ref: #8346 - Closes #8349 - -- mailmap: neutric on github - -Jay Satiro (30 Jan 2022) -- [neutric on github brought this change] - - docs/TheArtOfHttpScripting: fix example POST URL - - Closes https://github.com/curl/curl/pull/8352 - -Daniel Stenberg (28 Jan 2022) -- nss: handshake callback during shutdown has no conn->bundle - - The callback gets called because of the call to PR_Recv() done to - attempt to avoid RST on the TCP connection. The conn->bundle pointer is - already cleared at this point so avoid dereferencing it. - - Reported-by: Eric Musser - Fixes #8341 - Closes #8342 - -- [Michał Antoniak brought this change] - - mbedtls: remove #include <mbedtls/certs.h> - - mbedtls/certs.h file contains only certificates example (all definitions - is beginning by mbedtls_test_*). None of them is used so we can avoid - include the file. 
- - Closes #8343 - -- [Michał Antoniak brought this change] - - mbedtls: enable use of mbedtls without CRL support - - Closes #8344 - -- [Bernhard Walle brought this change] - - configure: set CURL_LIBRARY_PATH for nghttp2 - - To execute the test program, we might need the library path so that the - lib is found at runtime. - - Closes #8340 - -Jay Satiro (28 Jan 2022) -- schannel: restore debug message in schannel_connect_step2 - - This is a follow-up to recent commit 2218c3a which removed the debug - message to avoid an unused variable warning. The message has been - reworked to avoid the warning. - - Ref: https://github.com/curl/curl/pull/8320#issuecomment-1022957904 - - Closes https://github.com/curl/curl/pull/8336 - -- test3021: disable all msys2 path transformation - - - Disable all MSYS2 path transformation in test3021 and test3022. - - Prior to this change path transformation in those tests was disabled - only for arguments that start with forward slashes. However arguments - that are in base64 contain forward slashes at any position and caused - unwanted translations. - - == Info: Denied establishing ssh session: mismatch sha256 fingerprint. - Remote +/EYG2YDzDGm6yiwepEMSuExgRRMoTi8Di1UN3kixZw= is not equal to - +C:/msys64/EYG2YDzDGm6yiwepEMSuExgRRMoTi8Di1UN3kixZw - - In the above example an argument containing a base64 sha256 fingerprint - was passed to curl after MSYS2 translated +/ into +C:/msys64/, and then - the fingerprint didn't match what was expected. - - Ref: https://www.msys2.org/wiki/Porting/ - - Fixes https://github.com/curl/curl/issues/8084 - Closes https://github.com/curl/curl/pull/8325 - -Daniel Stenberg (27 Jan 2022) -- CI: move scan-build job from Zuul to Azure Pipelines - - Closes #8338 - -Marcel Raad (27 Jan 2022) -- openssl: fix `ctx_option_t` for OpenSSL v3+ - - The options have been changed to `uint64_t` in - https://github.com/openssl/openssl/commit/56bd17830f2d5855b533d923d4e0649d3ed61d11. 
- - Closes https://github.com/curl/curl/pull/8331 - -Daniel Stenberg (27 Jan 2022) -- CI: move 'distcheck' job from zuul to azure pipelines - - Assisted-by: Kushal Das - - Closes #8334 - -- vtls: pass on the right SNI name - - The TLS backends convert the host name to SNI name and need to use that. - This involves cutting off any trailing dot and lowercasing. - - Co-authored-by: Jay Satiro - Closes #8320 - -- url: revert the removal of trailing dot from host name - - Reverts 5de8d84098db1bd24e (May 2014, shipped in 7.37.0) and the - follow-up changes done afterward. - - Keep the dot in names for everything except the SNI to make curl behave - more similar to current browsers. This means 'name' and 'name.' send the - same SNI for different 'Host:' headers. - - Updated test 1322 accordingly - - Fixes #8290 - Reported-by: Charles Cazabon - Closes #8320 - -- [neutric on github brought this change] - - docs/TheArtOfHttpScripting: fix capitalization - - Closes #8333 - -- tests/memanalyze.pl: also count and show "total allocations" - - This is the total number of bytes allocated, increasing for new - allocations and never reduced when freed. The existing "Maximum - allocated" is the high water mark. - - Closes #8330 - -- mailmap: spellfix githuh => github - -- RELEASE-NOTES: synced - -- hostcheck: fixed to not touch used input strings - - Avoids the need to clone the strings before check, thus avoiding - mallocs, which for cases where there are many SAN names in a cert could - end up numerous. - - Closes #8321 - -- ngtcp2: adapt to changed end of headers callback proto - - Closes #8322 - -- [Xiaoke Wang brought this change] - - openssl: check SSL_get_ex_data to prevent potential NULL dereference - - Closes #8268 - -Jay Satiro (23 Jan 2022) -- md5: check md5_init_func return value - - Prior to this change the md5_init_func (my_md5_init) return value was - ignored. 
- - Closes https://github.com/curl/curl/pull/8319 - -- md5: refactor for standard compliance - - - Wrap OpenSSL / wolfSSL MD5 functions instead of taking their function - addresses during static initialization. - - Depending on how curl was built the old way may have used a dllimport - function address during static initialization, which is not standard - compliant, resulting in Visual Studio warning C4232 (nonstandard - extension). Instead the function pointers now point to the wrappers - which call the MD5 functions. - - This change only affects OpenSSL and wolfSSL because calls to other SSL - libraries' md5 functions were already wrapped. Also sha256.c already - does this for all SSL libraries. - - Ref: https://github.com/curl/curl/pull/8298 - - Closes https://github.com/curl/curl/pull/8318 - -Daniel Stenberg (21 Jan 2022) -- [Lucas Pardue brought this change] - - docs: update IETF links to use datatracker - - The tools.ietf.org domain has been deprecated a while now, with the - links being redirected to datatracker.ietf.org. - - Rather than make people eat that redirect time, this change switches the - URL to a more canonical source. - - Closes #8317 - -- [Harry Sarson brought this change] - - CI: test building wolfssl with --enable-opensslextra - - Closes #8315 - -- [Harry Sarson brought this change] - - misc: allow curl to build with wolfssl --enable-opensslextra - - put all #include of openssl files behind wolfssl ifdefs so that we can - use the wolfssl/ prefixed include paths. Without these curl only builds - when wolfssl is built with enable-all. - - Fixes #8292 - Closes #8315 - -- [Lucas Pardue brought this change] - - quiche: change qlog file extension to `.sqlog` - - quiche has just switched it's qlog serialization format to JSON-SEQ by - default . The spec says this SHOULD use `.sqlog` extension. 
- - I believe ngtcp2 also supports JSON-SEQ by default as of - https://github.com/ngtcp2/ngtcp2/commit/9baf06fc3f352a1d062b6953ae1de22cae30639d - - Let's update curl so that tools know what format we are using! - - Closes #8316 - -Jay Satiro (21 Jan 2022) -- projects: Fix Visual Studio wolfSSL configurations - - - Change build-wolfssl.bat to disable SSLv3, enable TLSv1.3, enable - wolfSSL_DES_ecb_encrypt (needed by NTLM) and enable alt cert chains. - - - Disable warning C4214 'bit field types other than int'. - - - Add include directory wolfssl\wolfssl. - - wolfSSL offers OpenSSL API compatibility that libcurl uses, and some - recent change in libcurl included an include file for wolfSSL like - openssl/foo.h, which has a path like wolfssl\wolfssl\openssl\foo.h. - - The include directory issue was reported in #8292 but it's currently - unclear whether this type of change is needed for other build systems. - - Bug: https://github.com/curl/curl/issues/8292 - Reported-by: Harry Sarson - - Closes https://github.com/curl/curl/pull/8298 - -Daniel Stenberg (21 Jan 2022) -- openssl: return error if TLS 1.3 is requested when not supported - - Previously curl would just silently ignore it if the necessary defines - are not present at build-time. - - Reported-by: Stefan Eissing - Fixes #8309 - Closes #8310 - -- TODO: Passing NOTIFY option to CURLOPT_MAIL_RCPT - - Closes #8232 - -- [Philip H brought this change] - - workflows/wolfssl: install impacket - - needed Python Package for SMB tests - - Closes #8307 - -- url: make Curl_disconnect return void - - 1. The function would only ever return CURLE_OK anyway - 2. Only one caller actually used the return code - 3. Most callers did (void)Curl_disconnect() - - Closes #8303 - -- docs: document HTTP/2 not insisting on TLS 1.2 - - Both for --http2 and CURLOPT_HTTP_VERSION. 
- - Reported-by: jhoyla on github - Fixes #8235 - Closes #8300 - -- cmdline-opts/gen.pl: fix option matching to improve references - - Previously it could mistakenly match partial names when there are - options that start with the same prefix, leading to the wrong references - used. - - Closes #8299 - -- TODO: Less memory massaging with Schannel - -- [Patrick Monnerat brought this change] - - runtests.pl: disable debuginfod - - Valgrind and gdb implement this feature: as this highly slows down tests, - disable it. - - Closes #8291 - -- RELEASE-NOTES: synced - -- CURLMOPT_TIMERFUNCTION/DATA.3: fix the examples - - ... to not call libcurl recursively back. - - Closes #8286 - -- multi: set in_callback for multi interface callbacks - - This makes most libcurl functions return error if called from within a - callback using the same multi handle. For example timer or socket - callbacks calling curl_multi_socket_action. - - Reported-by: updatede on github - Fixes #8282 - Closes #8286 - -- docs/HISTORY.md: mention alt-svc and HSTS - -- misc: remove the final watcom references - - Follow-up to bbf8cae44dedc495e6 - - We removed support for the watcom builds files back in September - 2020. This removes all remaining watcom references and ifdefs. - - Closes #8287 - -- misc: remove BeOS code and references - - There has not been a mention of this OS in any commit since December - 2004 (58f4af7973e3d2). The OS is also long gone. - - Closes #8288 - -- tool_getparam: DNS options that need c-ares now fail without it - - Just silently accepting the options and then not having any effect is - not good. - - Ref: #8283 - Closes #8285 - -- curl: remove "separators" (when using globbed URLs) - - Unless muted (with -s) When doing globbing, curl would output mime-like - separators between the separate transfers. This is not documented - anywhere, surprises users and clobbers the output. Gone now. 
- - Updated test 18 and 1235 - - Reported-by: jonny112 on github - Bug: https://github.com/curl/curl/discussions/8257 - Closes #8278 - -Jay Satiro (15 Jan 2022) -- [Niels Martignène brought this change] - - mbedtls: fix CURLOPT_SSLCERT_BLOB (again) - - - Increase the buffer length passed to mbedtls_x509_crt_parse to account - for the null byte appended to the temporary blob. - - Follow-up to 867ad1c which uses a null terminated copy of the - certificate blob, because mbedtls_x509_crt_parse requires PEM data - to be null terminated. - - Ref: https://github.com/curl/curl/commit/867ad1c#r63439893 - Ref: https://github.com/curl/curl/pull/8146 - - Closes https://github.com/curl/curl/pull/8260 - -Daniel Stenberg (15 Jan 2022) -- [Alessandro Ghedini brought this change] - - quiche: verify the server cert on connect - - Similarly to c148f0f551f9bea0e3d0, make quiche correctly acknowledge - `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`. - - Fixes #8173 - Closes #8275 - -- [Ikko Ashimine brought this change] - - checksrc: fix typo in comment - - enfore -> enforce - - Closes #8281 - -- curl-openssl: remove the OpenSSL headers and library versions check - - It is more work to maintain that check than the (any?) benefit it - brings. - - Fixes #8279 - Reported-by: Satadru Pramanik - Closes #8280 - -- mqtt: free any leftover when done - - Oss-fuzz found an issue when the "sendleftovers" pointer could leak memory. - Fix this by always freeing it (if still assigned) in the done function. 
- - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43515 - Closes #8274 - -- formdata: avoid size_t => long typecast overflows - - Typically a problem for platforms with 32 bit long and 64 bit size_t - - Reported-by: Fabian Yamaguchi - Bug: https://hackerone.com/reports/1444539 - Closes #8272 - -- RELEASE-NOTES: synced - - bump next release to become 7.82.0 - -Marcel Raad (13 Jan 2022) -- build: enable -Warith-conversion - - This makes the behavior consistent between GCC 10 and earlier versions. - - Closes https://github.com/curl/curl/pull/8271 - -- build: fix -Wenum-conversion handling - - Don't enable that warning when warnings are disabled. - Also add it to CMake. - - Closes https://github.com/curl/curl/pull/8271 - -- appveyor: use VS 2017 image for the autotools builds - - The newer images don't have all required MSYS2 packages. - - Fixes https://github.com/curl/curl/issues/8248 - Closes https://github.com/curl/curl/pull/8265 - -- appveyor: update images from VS 2019 to 2022 - - Closes https://github.com/curl/curl/pull/8265 - -Daniel Stenberg (12 Jan 2022) -- [Michał Antoniak brought this change] - - mbedtls: return CURLcode result instead of a mbedtls error code - - ... when a certificate fails to be loaded from a blob - - Closes #8266 - -- curl_multi_socket.3: remove callback and typical usage descriptions - - 1. The callback is better described in the option for setting it. Having - it in a single place reduces the risk that one of them is wrong. - - 2. The "typical usage" is wrong since the functions described in this - man page are both deprecated so they cannot be used in any "typical" way - anymore. - - Closes #8262 - -- curl-functions.m4: revert DYLD_LIBRARY_PATH tricks in CURL_RUN_IFELSE - - Mostly reverts ba0657c343f, but now instead just run the plain macro on - darwin. The approach as used on other platforms is simply not necessary - on macOS. 
- - Fixes #8229 - Reported-by: Ryan Schmidt - Closes #8247 - -- [Patrick Monnerat brought this change] - - openldap: implement SASL authentication - - As credentials can be quite different depending on the mechanism used, - there are no default mechanisms for LDAP and simple bind with a DN is - then used. - - The caller has to provide mechanism(s) using CURLOPT_LOGIN_OPTIONS to - enable SASL authentication and disable simple bind. - - Closes #8152 - -Jay Satiro (10 Jan 2022) -- [Cameron Will brought this change] - - CURLOPT_RESOLVE.3: change example port to 443 - - 83cc966 changed documentation from using http to https. However, - CURLOPT_RESOLVE being set to port 80 in the documentation means that it - isn't valid for the new URL. Update to 443. - - Closes https://github.com/curl/curl/pull/8258 - -Daniel Stenberg (10 Jan 2022) -- [Fabian Keil brought this change] - - test374: gif data without new line at the end - - Closes #8239 - -- [Fabian Keil brought this change] - - runtests.pl: support the nonewline attribute for the data part - - Added to FILEFORMAT - - Closes #8239 - -- [Patrick Monnerat brought this change] - - curl tool: erase some more sensitive command line arguments - - As the ps command may reveal sensitive command line info, obfuscate - options --tlsuser, --tlspasswd, --proxy-tlsuser, --proxy-tlspassword and - --oauth2-bearer arguments. - - Reported-by: Stephen Boost <s.booth@epcc.ed.ac.uk> - - Closes #7964 - -- mesalink: remove support - - Mesalink has ceased development. We can no longer encourage use of it. - It seems to be continued under the name TabbySSL, but no attempts have - (yet) been to make curl support it. - - Fixes #8188 - Closes #8191 - -- ldap: return CURLE_URL_MALFORMAT for bad URL - - For consistency, use the same return code for URL malformats, - independently of what scheme that is used. Previously this would return - CURLE_LDAP_INVALID_URL, but starting now that error cannot be returned. 
- - Closes #8170 - -- docs/cmdline-opts: add "mutexed" options for more http versions - - Update four http version man page sections. - - Closes #8254 - -- [Stephen M. Coakley brought this change] - - rustls: add CURLOPT_CAINFO_BLOB support - - Add support for `CURLOPT_CAINFO_BLOB` `CURLOPT_PROXY_CAINFO_BLOB` to the - rustls TLS backend. Multiple certificates in a single PEM string are - supported just like OpenSSL does with this option. - - This is compatible at least with rustls-ffi 0.8+ which is our new - minimum version anyway. - - I was able to build and run this on Windows, pulling trusted certs from - the system and then add them to rustls by setting - `CURLOPT_CAINFO_BLOB`. Handy! - - Closes #8255 - -- scripts/copyright.pl: ignore missing files - -- RELEASE-NOTES: synced - -- data/DISABLED: disable test 313 for wolfssl builds - - It was previously disabled only in the CI jobs yaml - - Closes #8252 - -- runtests: make 'wolfssl' a testable feature - - Closes #8252 - -- GHA: install stunnel in the medbtls + wolfssl CI jobs - - Closes #8252 - -- CI: move the rustls CI job to GHA from Zuul - - Closes #8251 - -- DISABLE: disable a dozen tests in the rustls build - - Disables tests that don't yet work with the rustls backend. - - Fixes #8004 - Closes #8250 - -- runtests: make 'rustls' a testable feature - -- remote-header-name.d: clarify - - - it strips off the path from the server provided name - - it saves in current directory or --output-dir - - Ref: https://curl.se/mail/archive-2022-01/0032.html - Closes #8249 - -- url: given a user in the URL, find pwd for that user in netrc - - Add test 380 and 381 to verify, edited test 133 - - Reported-by: Manfred Schwarb - Fixes #8241 - Closes #8243 - -- [Niels Martignène brought this change] - - mbedtls: Fix ssl_init error with mbedTLS 3.1.0+ - - Since mbedTLS 3.1.0, mbedtls_ssl_setup() fails if the provided - config struct is not valid. 
- - mbedtls_ssl_config_defaults() needs to be called before the config - struct is passed to mbedtls_ssl_setup(). - - Closes #8238 - -- [Filip Lundgren brought this change] - - cmake: fix iOS CMake project generation error - - Closes #8244 - -- ngtcp2: fix declaration of ‘result’ shadows a previous local - - Follow-up to 8fbd6feddfa587cfd3 - - Closes #8245 - -- openssl.h: avoid including OpenSSL headers here - - ... by instead using the struct version of the typedef'ed pointer. To - fix build errors when both Schannel and OpenSSL are enabled. - - Fixes #8240 - Reported-by: Jan Ehrhardt - Closes #8246 - -- curl_url_set.3: mention when CURLU_ALLOW_SPACE was added - -- tool_findfile: free mem properly - - Follow-up to 764e4f066d5 - - Closes #8242 - -- tool_findfile: check ~/.config/curlrc too - - ... after the initial checks for .curlrc and if XDG_CONFIG_HOME is not - set, use $HOME and $CURL_HOME to check if ~/.config/curlrc is present. - - Add test 436 to verify - - Reported-by: Sandro Jaeckel - Fixes #8208 - Closes #8213 - -- runtests: allow client/file to specify multiple directories - - ... 
and make sure to mkdir them all - -- scripts/copyright.pl: support many provided file names on the cmdline - -- [Fabian Keil brought this change] - - tests/FILEFORMAT.md: fix typo - -- [Fabian Keil brought this change] - - Add test373: multiple chunks with binary zeros - -- [Fabian Keil brought this change] - - Add test372: binary zero in data element - -- [Fabian Keil brought this change] - - tests/server/getpart.c: properly deal with binary data containing NUL bytes - -- [Fabian Keil brought this change] - - runtests.pl: properly print the test if it contains binary zeros - -- mailmap: Xiaoke Wang - -- openssl: copyright year update - - Follow-up to 30aea2b1ede - -- scripts/copyright.pl: hush unless -v (for verbose) is used - -- [Xiaoke Wang brought this change] - - openssl: check the return value of BIO_new_mem_buf() - - Closes #8233 - -- examples/multi-app.c: call curl_multi_remove_handle as well - - Fixes #8234 - Reported-by: Melroy van den Berg - Closes #8236 - -- COPYING: bump copyright year range - -- RELEASE-NOTES: synced - - and bump curlver after release - -- docs: fix mandoc -T lint formatting complaints - - Closes #8228 - -- next.d. remove .fi/.nf as they are handled by gen.pl - - Closes #8228 - -- gen.pl: terminate "example" sections better - - If the example (section that is prefixed with spaces) ends the - description gen.pl would previously miss to output the terminating .fi - - Closes #8228 - -- [Satadru Pramanik brought this change] - - curl-functions.m4: fix LIBRARY_PATH adjustment to avoid eval - - $$ usage in a m4 file introduces the PID in linux. - Instead, just duplicate previous working code with a case switch. 
- - Fixes #8229 - Closes #8230 - -Version 7.81.0 (5 Jan 2022) - -Daniel Stenberg (5 Jan 2022) -- RELEASE-NOTES: synced - - curl 7.81.0 release - -- THANKS: add names from 7.81.0 release - -- curl_multi_init.3: fix the copyright year range - -- test719-721: require "proxy" feature present to run - - Bug: https://github.com/curl/curl/pull/8223#issuecomment-1005188696 - Reported-by: Marc Hörsken - - Closes #8226 - -- test719: require ipv6 support to run - - Follow-up to effd2bd7ba2a5fd244 - Reported-by: Marc Hörsken - Bug: https://github.com/curl/curl/pull/8217#issuecomment-1004681145 - - Closes #8223 - -- test719-721: verify SOCKS details - - Using the new verify/socks details - -- runtests: add verify/socks check - - If used, this data is compared with the data in log/socksd-request.log - which the socksd server logs. - - Added to FILEFORMAT.md - -- server/socksd: log atyp + address in a separate log - - To allow the test suite to verify that the right data arrived - -- socks5: use appropriate ATYP for numerical IP address host names - - When not resolving the address locallly (known as socks5h). - - Add test 719 and 720 to verify. - - Reported-by: Peter Piekarski - Fixes #8216 - Closes #8217 - -Jay Satiro (3 Jan 2022) -- curl_multi_init.3: fix EXAMPLE formatting - -Daniel Stenberg (3 Jan 2022) -- RELEASE-NOTES: synced - -- libtest: avoid "assignment within conditional expression" - - In lib530, lib540 and lib582 - - Closes #8218 - -- ftp: disable warning 4706 in MSVC - - Follow-up to 21248e052d - - Disabling "assignment within conditional expression" for MSVC needs to - be done before the function starts, for it to take effect. - - Closes #8218 - -- tool_operate: warn if too many output arguments were found - - More output instructions than URLs is likely a user error. 
- - Add test case 371 to verify - - Closes #8210 - -- .github/workflows/mbedtls.yml: bump to mbedtls 3.1.0 - - Closes #8215 - -- zuul: remove the mbedtls jobs - - Now running as github workflows - - Closes #8215 - -- github/workflows: add mbedtls and mbedtls-clang - - Closes #8215 - -- [Valentin Richter brought this change] - - mbedtls: fix private member designations for v3.1.0 - - "As a last resort, you can access the field foo of a structure bar by - writing bar.MBEDTLS_PRIVATE(foo). Note that you do so at your own risk, - since such code is likely to break in a future minor version of Mbed - TLS." - - https://github.com/ARMmbed/mbedtls/blob/f2d1199edc5834df4297f247f213e614f7782d1d/docs/3.0-migration-guide.md - - That future minor version is v3.1.0. I set the >= to == for the version - checks because v3.1.0 is a release, and I am not sure when the private - designation was reverted after v3.0.0. - - Closes #8214 - -- [Valentin Richter brought this change] - - cmake: prevent dev warning due to mismatched arg - - -- curl version=[7.81.0-DEV] - CMake Warning (dev) at /usr/share/cmake-3.22.1/Modules/FindPackageHandleStandardArgs.cmake:438 (message): - The package name passed to `find_package_handle_standard_args` (MBEDTLS) - does not match the name of the calling package (MbedTLS). This can lead to - problems in calling code that expects `find_package` result variables - (e.g., `_FOUND`) to follow a certain pattern. - Call Stack (most recent call first): - deps/curl/CMake/FindMbedTLS.cmake:31 (find_package_handle_standard_args) - deps/curl/CMakeLists.txt:473 (find_package) - This warning is for project developers. Use -Wno-dev to suppress it. 
- - Closes #8207 - -- urlapi: if possible, shorten given numerical IPv6 addresses - - Extended test 1560 to verify - - Closes #8206 - -- [Michał Antoniak brought this change] - - url: reduce ssl backend count for CURL_DISABLE_PROXY builds - - Closes #8212 - -- KNOWN_BUGS: "Trying local ports fails on Windows" - - Reported-by: gclinch on github - Closes #8112 - -- misc: update copyright year range - -- zuul: remove the wolfssl even more - - Follow-up to 1914465cf180d32b3d - -- examples/multi-single.c: remove WAITMS() - - As it isn't used. - - Reported-by: Melroy van den Berg - Fixes #8200 - Closes #8201 - -- gtls: add gnutls include for the session type - - Follow-up to 8fbd6feddfa5 to make it build more universally - -- m4/curl-compilers: tell clang -Wno-pointer-bool-conversion - - To hush compiler warnings we don't care for: error: address of function - 'X' will always evaluate to 'true' - - Fixes #8197 - Closes #8198 - -- http_proxy: don't close the socket (too early) - - ... and double-check in the OpenSSL shutdown that the socket is actually - still there before it is used. - - Fixes #8193 - Closes #8195 - - Reported-by: Leszek Kubik - -- ngtcp2: verify the server certificate for the gnutls case - - Closes #8178 - -- ngtcp2: verify the server cert on connect (quictls) - - Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and - `CURLOPT_SSL_VERIFYHOST`. - - The name check now uses a function from lib/vtls/openssl.c which will - need attention for when TLS is not done by OpenSSL or is disabled while - QUIC is enabled. - - Possibly the servercert() function in openssl.c should be adjusted to be - able to use for both regular TLS and QUIC. 
- - Ref: #8173 - Closes #8178 - -- zuul: remove the wolfssl build - -- github workflow: add wolfssl - - Closes #8196 - -- [Nicolas Sterchele brought this change] - - zuul: fix quiche build pointing to wrong Cargo - - Fixes #8184 - Closes #8189 - -- checksrc: detect more kinds of NULL comparisons we avoid - - Co-authored-by: Jay Satiro - Closes #8180 - -- RELEASE-NOTES: synced - -- mesalink: remove the BACKEND define kludge - - Closes #8183 - -- schannel: remove the BACKEND define kludge - - Closes #8182 - -- gtls: check return code for gnutls_alpn_set_protocols - - Closes #8181 - -- [Stefan Huber brought this change] - - README: label the link to the support document - - Closes #8185 - -- docs/HTTP3: describe how to setup a h3 reverse-proxy for testing - - Assisted-by: Matt Holt - - Closes #8177 - -- libcurl-multi.3: "SOCKS proxy handshakes" are not blocking - - Since 4a4b63daaa0 - -- [Vladimir Panteleev brought this change] - - tests: Add test for CURLOPT_HTTP200ALIASES - -- [Vladimir Panteleev brought this change] - - http: Fix CURLOPT_HTTP200ALIASES - - The httpcode < 100 check was also triggered when none of the fields were - parsed, thus making the if(!nc) block unreachable. - - Closes #8171 - -- RELEASE-NOTES: synced - -- language: "email" - - Missed three occurrences. - - Follow-up to 7a92f86 - -- nss:set_cipher don't clobber the cipher list - - The string is set by the user and needs to remain intact for proper - connection reuse etc. - - Reported-by: Eric Musser - Fixes #8160 - Closes #8161 - -- misc: s/e-mail/email - - Consistency is king. Following the lead in everything curl. 
- - Closes #8159 - -- [Tobias Nießen brought this change] - - docs: fix typo in OpenSSL 3 build instructions - - Closes #8162 - -- linkcheck.yml: add CI job that checks markdown links - - Closes #8158 - -- RELEASE-PROCEDURE.md: remove ICAL link and old release dates - -- BINDINGS.md: "markdown-link-check-disable" - - It feels a bit unfortunate to litter an ugly tag for this functionality, - but if we get link scans of all markdown files, this might be worth the - price. - -- docs: fix dead links, remove ECH.md - -Jay Satiro (16 Dec 2021) -- openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+ - - Prior to this change OpenSSL_version was only detected in configure - builds. For other builds the old version parsing code was used which - would result in incorrect versioning for OpenSSL 3: - - Before: - - curl 7.80.0 (i386-pc-win32) libcurl/7.80.0 OpenSSL/3.0.0a zlib/1.2.11 - WinIDN libssh2/1.9.0 - - After: - - curl 7.80.0 (i386-pc-win32) libcurl/7.80.0 OpenSSL/3.0.1 zlib/1.2.11 - WinIDN libssh2/1.9.0 - - Reported-by: lllaffer@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/8154 - Closes https://github.com/curl/curl/pull/8155 - -Daniel Stenberg (16 Dec 2021) -- [James Fuller brought this change] - - docs: add known bugs list to HTTP3.md - - Closes #8156 - -Dan Fandrich (15 Dec 2021) -- BINDINGS: add one from Everything curl and update a link - -- libcurl-security.3: mention address and URL mitigations - - The new CURLOPT_PREREQFUNCTION callback is another way to sanitize - addresses. - Using the curl_url API is a way to mitigate against attacks relying on - URL parsing differences. - -Daniel Stenberg (15 Dec 2021) -- RELEASE-NOTES: synced - -- x509asn1: return early on errors - - Overhaul to make sure functions that detect errors bail out early with - error rather than trying to continue and risk hiding the problem. 
- - Closes #8147 - -- [Patrick Monnerat brought this change] - - openldap: several minor improvements - - - Early check proper LDAP URL syntax. Reject URLs with a userinfo part. - - Use dynamic memory for ldap_init_fd() URL rather than a - stack-allocated buffer. - - Never chase referrals: supporting it would require additional parallel - connections and alternate authentication credentials. - - Do not wait 1 microsecond while polling/reading query response data. - - Store last received server code for retrieval with CURLINFO_RESPONSE_CODE. - - Closes #8140 - -- [Michał Antoniak brought this change] - - misc: remove unused doh flags when CURL_DISABLE_DOH is defined - - Closes #8148 - -- mbedtls: fix CURLOPT_SSLCERT_BLOB - - The memory passed to mbedTLS for this needs to be null terminated. - - Reported-by: Florian Van Heghe - Closes #8146 - -- asyn-ares: ares_getaddrinfo needs no happy eyeballs timer - - Closes #8142 - -- mailmap: add Yongkang Huang - - From #8141 - -- [Yongkang Huang brought this change] - - check ssl_config when re-use proxy connection - -- mbedtls: do a separate malloc for ca_info_blob - - Since the mbedTLS API requires the data to the null terminated. - - Follow-up to 456c53730d21b1fad0c7f72c1817 - - Fixes #8139 - Closes #8145 - -Marc Hoersken (14 Dec 2021) -- CI: build examples for additional code verification - - Some CIs already build them, let's do it on more of them. - - Reviewed-by: Daniel Stenberg - - Follow up to #7690 and 77311f420a541a0de5b3014e0e40ff8b4205d4af - Replaces #7591 - Closes #7922 - -- docs/examples: workaround broken -Wno-pedantic-ms-format - - Avoid CURL_FORMAT_CURL_OFF_T by using unsigned long instead. - Improve size_t to long conversion in imap-append.c example. 
- - Ref: https://github.com/curl/curl/issues/6079 - Ref: https://github.com/curl/curl/pull/6082 - Assisted-by: Jay Satiro - Reviewed-by: Daniel Stenberg - - Preparation of #7922 - -- tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256 - - Ref: https://www.msys2.org/wiki/Porting/#filesystem-namespaces - - Reviewed-by: Marcel Raad - Reviewed-by: Jay Satiro - - Fixes #8084 - Closes #8138 - -Daniel Stenberg (13 Dec 2021) -- [Patrick Monnerat brought this change] - - openldap: simplify ldif generation code - - and take care of zero-length values, avoiding conversion to base64 - and/or trailing spaces. - - Closes #8136 - -- example/progressfunc: remove code for old libcurls - - 7.61.0 is over three years old now, remove all #ifdefs for handling - ancient libcurl versions so that the example gets easier to read and - understand - - Closes #8137 - -- [Xiaoke Wang brought this change] - - sha256/md5: return errors when init fails - - Closes #8133 - -- TODO: 13.3 Defeat TLS fingerprinting - - Closes #8119 - -- RELEASE-NOTES: synced - -- [Patrick Monnerat brought this change] - - openldap: process search query response messages one by one - - Upon receiving large result sets, this reduces memory consumption and - allows starting to output results while the transfer is still in - progress. - - Closes #8101 - -- hash: lazy-alloc the table in Curl_hash_add() - - This makes Curl_hash_init() infallible which saves error paths. - - Closes #8132 - -- multi: cleanup the socket hash when destroying it - - Since each socket hash entry may themselves have a hash table in them, - the destroying of the socket hash needs to make sure all the subhashes - are also correctly destroyed to avoid leaking memory. - - Fixes #8129 - Closes #8131 - -- test1156: fixup the stdout check for Windows - - It is not text mode. 
- - Follow-up to 6f73e68d182 - - Closes #8134 - -- test1528: enable for hyper - - Closes #8128 - -- test1527: enable for hyper - - Closes #8128 - -- test1526: enable for hyper - - Closes #8128 - -- test1525: slightly tweaked for hyper - - Closes #8128 - -- test1156: enable for hyper - - Minor reorg of the lib1156 code and it works fine for hyper. - - Closes #8127 - -- test661: enable for hyper - - Closes #8126 - -- docs: fix proselint nits - - - remove a lot of exclamation marks - - use consistent spaces (1, not 2) - - use better words at some places - - Closes #8123 - -- [RekGRpth brought this change] - - BINDINGS.md: add cURL client for PostgreSQL - - Closes #8125 - -- [RekGRpth brought this change] - - CURLSHOPT_USERDATA.3: fix copy-paste mistake - - Closes #8124 - -- docs: fix minor nroff format nits - - Repairs test 1140 - - Follow-up to 436cdf82041 - -- docs/URL-SYNTAX.md: space is not fine in a given URL - -- curl_multi_perform/socket_action.3: clarify what errors mean - - An error returned from one of these funtions mean that ALL still ongoing - transfers are to be considered failed. - - Ref: #8114 - Closes #8120 - -- libcurl-errors.3: add CURLM_ABORTED_BY_CALLBACK - - Follow-up to #8089 (2b3dd01) - - Closes #8116 - -- hash: add asserts to help detect bad usage - - For example trying to add entries after the hash has been "cleaned up" - - Closes #8115 - -- lib530: abort on curl_multi errors - - This makes torture tests run more proper. - - Also add an assert to trap situations where it would end up with no - sockets to wait for. - - Closes #8121 - -- FAQ: we never pronounced it "see URL", we say "kurl" - -- RELEASE-NOTES: synced - -- CURLOPT_RESOLVE.3: minor polish - - Minor rephrasing for some explanations. - - Put the format strings in stand-alone lines with .nf/.fi to be easier to spot. 
- - Move "added in" to AVAILABILITY - - Closed #8110 - -- test1556: adjust for hyper - - Closes #8105 - -- test1554: adjust for hyper - - Closes #8104 - -- retry-all-errors.d: make the example complete - - ... as it needs --retry too to work - -- TODO: 5.7 Require HTTP version X or higher - - Closes #7980 - -- CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL - - This is the exact same limitation already documented for - CURLOPT_WRITEDATA but should be clarified here. It also has a different - work-around. - - Reported-by: Stephane Pellegrino - Bug: https://github.com/curl/curl/issues/8102 - Closes #8103 - -- multi: handle errors returned from socket/timer callbacks - - The callbacks were partially documented to support this. Now the - behavior is documented and returning error from either of these - callbacks will effectively kill all currently ongoing transfers. - - Added test 530 to verify - - Reported-by: Marcelo Juchem - Fixes #8083 - Closes #8089 - -- http2:set_transfer_url() return early on OOM - - If curl_url() returns NULL this should return early to avoid mistakes - - even if right now the subsequent function invokes are all OK. - - Coverity (wrongly) pointed out this as a NULL deref. - - Closes #8100 - -- tool_parsecfg: use correct free() call to free memory - - Detected by Coverity. CID 1494642. - Follow-up from 2be1aa619bca - - Closes #8099 - -- tool_operate: fix potential memory-leak - - A 'CURLU *' would leak if url_proto() is called with no URL. - - Detected by Coverity. CID 1494643. - Follow-up to 18270893abdb19 - Closes #8098 - -- [Patrick Monnerat brought this change] - - openldap: implement STARTTLS - - As this introduces use of CURLOPT_USE_SSL option for LDAP, also check - this option in ldap.c as it is not supported by this backend. 
- - Closes #8065 - -- [Jun Tseng brought this change] - - curl_easy_unescape.3: call curl_easy_cleanup in example - - Closes #8097 - -- [Jun Tseng brought this change] - - curl_easy_escape.3: call curl_easy_cleanup in example - - Closes #8097 - -- tool_listhelp: sync - - Follow-up to 172068b76f - -- [Damien Walsh brought this change] - - request.d: refer to 'method' rather than 'command' - - Closes #8094 - -- RELEASE-NOTES: synced - -- writeout: fix %{http_version} for HTTP/3 - - Output "3" properly when HTTP/3 was used. - - Reported-by: Bernat Mut - Fixes #8072 - Closes #8092 - -- urlapi: accept port number zero - - This is a regression since 7.62.0 (fb30ac5a2d). - - Updated test 1560 accordingly - - Reported-by: Brad Fitzpatrick - Fixes #8090 - Closes #8091 - -- [Mark Dodgson brought this change] - - lift: ignore is a deprecated config option, use ignoreRules - - Closes #8082 - -- [Alessandro Ghedini brought this change] - - HTTP3: update quiche build instructions - - The repo repo was re-organized a bit, so the build instructions need to - be updated. - - Closes #8076 - -- CURLMOPT_TIMERFUNCTION.3: call it expire time, not interval - - Since we say it is a non-repating timer - -- [Florian Van Heghe brought this change] - - mbedTLS: include NULL byte in blob data length for CURLOPT_CAINFO_BLOB - - Fixes #8079 - Closes #8081 - -Jay Satiro (2 Dec 2021) -- [Wyatt O'Day brought this change] - - version_win32: Check build number and platform id - - Prior to this change the build number was not checked during version - comparison, and the platform id was supposed to be checked but wasn't. - - Checking the build number is required for enabling "evergreen" - Windows 10/11 features (like TLS 1.3). - - Ref: https://github.com/curl/curl/pull/7784 - - Closes https://github.com/curl/curl/pull/7824 - Closes https://github.com/curl/curl/pull/7867 - -- libssh2: fix error message for sha256 mismatch - - - On mismatch error show sha256 fingerprint in base64 format. 
- - Prior to this change the fingerprint was mistakenly printed in binary. - -Daniel Stenberg (1 Dec 2021) -- [Xiaoke Wang brought this change] - - openssl: check the return value of BIO_new() - - Closes #8078 - -Dan Fandrich (30 Nov 2021) -- docs: Update the Reducing Size section - - Add many more options that can reduce the size of the binary that were - added since the last update. Update the sample minimal binary size for - version 7.80.0. - -- tests: Add some missing keywords to tests - - These are needed to skip some tests when configure options have disabled - certain features. - -Daniel Stenberg (30 Nov 2021) -- [Florian Van Heghe brought this change] - - mbedTLS: add support for CURLOPT_CAINFO_BLOB - - Closes #8071 - -- [Glenn Strauss brought this change] - - digest: compute user:realm:pass digest w/o userhash - - https://datatracker.ietf.org/doc/html/rfc7616#section-3.4.4 - ... the client MUST calculate a hash of the username after - any other hash calculation ... - - 
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> - Closes #8066 - -- config.d: update documentation to match the path search - - Assisted-by: Jay Satiro - -- tool_findfile: search for a file in the homedir - - The homedir() function is now renamed into findfile() and iterates over - all the environment variables trying to access the file in question - until it finds it. Last resort is then getpwuid() if - available. Previously it would first try to find a home directory and if - that was set, insist on checking only that directory for the file. This - now returns the full file name it finds. - - The Windows specific checks are now done differently too and in this - order: - - 1 - %USERPROFILE% - 2 - %APPDATA% - 3 - %USERPROFILE%\\Application Data - - The windows order is modified to match how the Windows 10 ssh tool works - when it searches for .ssh/known_hosts. - - Reported-by: jeffrson on github - Co-authored-by: Jay Satiro - Fixes #8033 - Closes #8035 - -- docs: consistent manpage SYNOPSIS - - Make all libcurl related options use .nf (no fill) for the SYNOPSIS - section - for consistent look. roffit then renders that section using - <pre> (monospace font) in html for the website. - - Extended manpage-syntax (test 1173) with a basic check for it. 
- - Closes #8062 - -- RELEASE-NOTES: synced - -- [Patrick Monnerat brought this change] - - openldap: handle connect phase with a state machine - - Closes #8054 - -- docs: address proselint nits - - - avoid exclamation marks - - use consistent number of spaces after periods: one - - avoid clichés - - avoid using 'very' - - Closes #8060 - -- [Bruno Baguette brought this change] - - FAQ: typo fix : "yout" ➤ "your" - - Closes #8059 - -- [Bruno Baguette brought this change] - - docs/INSTALL.md: typo fix : added missing "get" verb - - Closes #8058 - -- insecure.d: detail its use for SFTP and SCP as well - - Closes #8056 - -Viktor Szakats (25 Nov 2021) -- Makefile.m32: rename -winssl option to -schannel and tidy up - - - accept `-schannel` as an alternative to `CFG` option `-winssl` - (latter still accepted, but deprecated) - - rename internal variable `WINSSL` to `SCHANNEL` - - make the `CFG` option evaluation shorter, without repeating the option - name - - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg - Closes #8053 - -Daniel Stenberg (25 Nov 2021) -- KNOWN_BUGS: 5.6 make distclean loops forever - - Reported-by: David Bohman - Closes #7716 - -- KNOWN_BUGS: add one, remove one - - - 5.10 SMB tests fail with Python 2 - - Just use python 3. - - + 5.10 curl hangs on SMB upload over stdin - - Closes #7896 - -- urlapi: provide more detailed return codes - - Previously, the return code CURLUE_MALFORMED_INPUT was used for almost - 30 different URL format violations. This made it hard for users to - understand why a particular URL was not acceptable. Since the API cannot - point out a specific position within the URL for the problem, this now - instead introduces a number of additional and more fine-grained error - codes to allow the API to return more exactly in what "part" or section - of the URL a problem was detected. - - Also bug-fixes curl_url_get() with CURLUPART_ZONEID, which previously - returned CURLUE_OK even if no zoneid existed. 
- - Test cases in 1560 have been adjusted and extended. Tests 1538 and 1559 - have been updated. - - Updated libcurl-errors.3 and curl_url_strerror() accordingly. - - Closes #8049 - -- urlapi: make Curl_is_absolute_url always use MAX_SCHEME_LEN - - Instad of having all callers pass in the maximum length, always use - it. The passed in length is instead used only as the length of the - target buffer for to storing the scheme name in, if used. - - Added the scheme max length restriction to the curl_url_set.3 man page. - - Follow-up to 45bcb2eaa78c79 - - Closes #8047 - -- [Jay Satiro brought this change] - - cmake: warn on use of the now deprecated symbols - - Follow-up to 9108da2c26d - - Closes #8052 - -- [Kevin Burke brought this change] - - tests/CI.md: add more information on CI environments - - Fixes #8012 - Closes #8022 - -- cmake: private identifiers use CURL_ instead of CMAKE_ prefix - - Since the 'CMAKE_' prefix is reserved for cmake's own private use. - Ref: https://cmake.org/cmake/help/latest/manual/cmake-variables.7.html - - Reported-by: Boris Rasin - Fixes #7988 - Closes #8044 - -- urlapi: reject short file URLs - - file URLs that are 6 bytes or shorter are not complete. Return - CURLUE_MALFORMED_INPUT for those. Extended test 1560 to verify. - - Triggered by #8041 - Closes #8042 - -- curl: improve error message for --head with -J - - ... it now focuses on the "output of headers" combined with the - --remote-header-name option, as that is actually the problem. Both - --head and --include can output headers. - - Reported-by: nimaje on github - Fixes #7987 - Closes #8045 - -- RELEASE-NOTES: synced - -- [Stefan Eissing brought this change] - - urlapi: cleanup scheme parsing - - Makea Curl_is_absolute_url() always leave a defined 'buf' and avoids - copying on urls that do not start with a scheme. 
- - Closes #8043 - -- tool_operate: only set SSH related libcurl options for SSH URLs - - For example, this avoids trying to find and set the known_hosts file (or - warn for its absence) if SFTP or SCP are not used. - - Closes #8040 - -- [Jacob Hoffman-Andrews brought this change] - - rustls: remove comment about checking handshaking - - The comment is incorrect in two ways: - - It says the check needs to be last, but the check is actually first. - - is_handshaking actually starts out true. - - Closes #8038 - -Marcel Raad (20 Nov 2021) -- openssl: use non-deprecated API to read key parameters - - With OpenSSL 3.0, the parameters are read directly from the `EVP_PKEY` - using `EVP_PKEY_get_bn_param`. - - Closes https://github.com/curl/curl/pull/7893 - -- openssl: reduce code duplication - - `BN_print`'s `BIGNUM` parameter has been `const` since OpenSSL 0.9.4. - - Closes https://github.com/curl/curl/pull/7893 - -- openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable - - The flag has been deprecated without replacement in OpenSSL 3.0. - - Closes https://github.com/curl/curl/pull/7893 - -- openssl: remove usage of deprecated `SSL_get_peer_certificate` - - The function name was changed to `SSL_get1_peer_certificate` in OpenSSL - 3.0. - - Closes https://github.com/curl/curl/pull/7893 - -Daniel Stenberg (19 Nov 2021) -- page-footer: fix typo - - Closes #8036 - -- http: enable haproxy support for hyper backend - - This is done by having native code do the haproxy header output before - hyper issues its request. The little downside with this approach is that - we need the entire Curl_buffer_send() function built, which is otherwise - not used for hyper builds. - - If hyper ends up getting native support for the haproxy protocols we can - backpedal on this. 
- - Enables test 1455 and 1456 - - Closes #8034 - -- [Bernhard Walle brought this change] - - configure: fix runtime-lib detection on macOS - - With a non-standard installation of openssl we get this error: - - checking run-time libs availability... failed - configure: error: one or more libs available at link-time are not available run-time. Libs used at link-time: -lnghttp2 -lssl -lcrypto -lssl -lcrypto -lz - - There's already code to set LD_LIBRARY_PATH on Linux, so set - DYLD_LIBRARY_PATH equivalent on macOS. - - Closes #8028 - -- [Don J Olmstead brought this change] - - cmake: don't set _USRDLL on a static Windows build - - Closes #8030 - -- page-footer: document more environment variables - - ... that curl might use. - - Closes #8027 - -- netrc.d: edit the .netrc example to look nicer - - Works nicely thanks to d1828b470f43d - - Closes #8025 - -- tftp: mark protocol as not possible to do over CONNECT - - ... and make connect_init() refusing trying to tunnel protocols marked - as not working. Avoids a double-free. - - Reported-by: Even Rouault - Fixes #8018 - Closes #8020 - -- docs/cmdline-opts: do not say "protocols: all" - - Remove the lines saying "protocols: all". It makes the output in the - manpage look funny, and the expectation is probably by default that if - not anything is mentioned about protocols the option apply to them all. - - Closes #8021 - -- curl.1: require "see also" for every documented option - - gen.pl now generates a warning if the "See Also" field is not filled in for a - command line option - - All command line options now provide one or more related options. 167 - "See alsos" added! - - Closes #8019 - -- insecure.d: expand and clarify - - Closes #8017 - -- gen.pl: improve example output format - - Treat consecutive lines that start with a space to be "examples". 
They - are output enclosed by .nf and .fi - - Updated form.d to use this new fanciness - - Closes #8016 - -- Revert "form-escape.d: double the back-slashes for proper man page output" - - This reverts commit a2d8eac04a4eb1d5a98cf24b4e5cec5cec565d27. - - silly me, it was intended to be one backslash! - -- form-escape.d: double the back-slashes for proper man page output - -- page-footer: add a mention of how to report bugs to the man page - -- RELEASE-NOTES: synced - - and bump to 7.81.0-DEV - -- [Patrick Monnerat brought this change] - - mime: use percent-escaping for multipart form field and file names - - Until now, form field and file names where escaped using the - backslash-escaping algorithm defined for multipart mails. This commit - replaces this with the percent-escaping method for URLs. - - As this may introduce incompatibilities with server-side applications, a - new libcurl option CURLOPT_MIME_OPTIONS with bitmask - CURLMIMEOPT_FORMESCAPE is introduced to revert to legacy use of - backslash-escaping. This is controlled by new cli tool option - --form-escape. - - New tests and documentation are provided for this feature. - - Reported by: Ryan Sleevi - Fixes #7789 - Closes #7805 - -- [Kevin Burke brought this change] - - zuul.d: update rustls-ffi to version 0.8.2 - - This version fixes errors with ALPN negotiation in rustls, which is - necessary for HTTP/2 support. For more information see the rustls-ffi - changelog. - - Closes #8013 - -- configure: better diagnostics if hyper is built wrong - - If hyper is indeed present in the specified directory but couldn't be - used to find the correct symbol, then offer a different error message to - better help the user understand the issue. - - Suggested-by: Jacob Hoffman-Andrews - Fixes #8001 - Closes #8005 - -- test1939: require proxy support to run - - Follow-up to f0b7099a10d1a - - Closes #8011 - -- test302[12]: run only with the libssh2 backend - - ... 
as the others don't support --hostpubsha256 - - Reported-by: Paul Howarth - Fixes #8009 - Closes #8010 - -- runtests: make the SSH library a testable feature - - libssh2, libssh and wolfssh - -- [Jacob Hoffman-Andrews brought this change] - - rustls: read of zero bytes might be okay - - When we're reading out plaintext from rustls' internal buffers, we might - get a read of zero bytes (meaning a clean TCP close, including - close_notify). However, we shouldn't return immediately when that - happens, since we may have already copied out some plaintext bytes. - Break out of the loop when we get a read of zero bytes, and figure out - which path we're dealing with. - - Acked-by: Kevin Burke - - Closes #8003 - -- [Jacob Hoffman-Andrews brought this change] - - rustls: remove incorrect EOF check - - The update to rustls-ffi 0.8.0 changed handling of EOF and close_notify. - From the CHANGELOG: - - > Handling of unclean close and the close_notify TLS alert. Mirroring - > upstream changes, a rustls_connection now tracks TCP closed state like - > so: rustls_connection_read_tls considers a 0-length read from its - > callback to mean "TCP stream was closed by peer." If that happens - > before the peer sent close_notify, rustls_connection_read will return - > RUSTLS_RESULT_UNEXPECTED_EOF once the available plaintext bytes are - > exhausted. This is useful to protect against truncation attacks. Note: - > some TLS implementations don't send close_notify. If you are already - > getting length information from your protocol (e.g. Content-Length in - > HTTP) you may choose to ignore UNEXPECTED_EOF so long as the number of - > plaintext bytes was as expected. - - That means we don't need to check for unclean EOF in `cr_recv()`, - because `process_new_packets()` will give us an error if appropriate. 
- - Closes #8003 - -- lib1939: make it endure torture tests - - Follow-up to f0b7099a10d1a - - Closes #8007 - -- azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper - - The configure line would previously depend on a configure mistake using - --without-openssl that is fixed and now this configure line needs - adjusting to use --without-ssl. - - Follow-up to b589696f0312d - - Closes #8006 - -- [Jacob Hoffman-Andrews brought this change] - - configure: add -lm to configure for rustls build. - - Note: The list of libraries that rustc tells us we need to include is - longer, but also includes some more platform-specific libraries that I - am not sure how to effectively incorporate. Adding just -lm seems to - solve an immediate problem, so I'm adding just that. - - Closes #8002 - -- curl_share_setopt.3: refer to CURLSHOPT_USERDATA(3) properly - -- curl_share_setopt.3: split out options into their own manpages - - CURLSHOPT_LOCKFUNC.3 - CURLSHOPT_SHARE.3 - CURLSHOPT_UNLOCKFUNC.3 - CURLSHOPT_UNSHARE.3 - CURLSHOPT_USERDATA.3 - - Closes #7998 - -- http_proxy: make Curl_connect_done() work for proxy disabled builds - - ... by making it an empty macro then. - - Follow-up to f0b7099a10d1a - Reported-by: Vincent Grande - Fixes #7995 - Closes #7996 - -- Curl_connect_done: handle being called twice - - Follow-up to f0b7099a10d1a7c - - When torture testing 1021, it turns out the Curl_connect_done function - might be called twice and that previously then wrongly cleared the HTTP - pointer in the second invoke. - - Closes #7999 - -- [Stan Hu brought this change] - - configure: don't enable TLS when --without-* flags are used - - Previously specifying `--without-gnutls` would unexpectedly attempt to - compile with GnuTLS, effectively interpreting this as - `--with-gnutls`. This caused a significant amount of confusion when - `libcurl` was built with SSL disabled since GnuTLS wasn't present. 
- - 68d89f24 dropped the `--without-*` options from the configure help, but - `AC_ARG_WITH` still defines these flags automatically. As - https://www.gnu.org/software/autoconf/manual/autoconf-2.60/html_node/External-Software.html - describes, the `action-if-given` is called when the user specifies - `--with-*` or `--without-*` options. - - To prevent this confusion, we make the `--without` flag do the right - thing by ignoring the value if it set to "no". - - Closes #7994 - -- [Rikard Falkeborn brought this change] - - docs/checksrc: Add documentation for STRERROR - - Closes #7991 - -- vtls/rustls: adapt to the updated rustls_version proto - - Closes #7956 - -- [Kevin Burke brought this change] - - vtls/rustls: handle RUSTLS_RESULT_PLAINTEXT_EMPTY - - Previously we'd return CURLE_READ_ERROR if we received this, instead - of triggering the error handling logic that's present in the next if - block down. - - After this change, curl requests to https://go.googlesource.com using - HTTP/2 complete successfully. - - Fixes #7949 - Closes #7948 - -- [Kevin Burke brought this change] - - zuul: update build environment for rustls-ffi 0.8.0 - -- [Kevin Burke brought this change] - - vtls/rustls: update to compile with rustls-ffi v0.8.0 - - Some method names, as well as the generated library name, were changed - in a recent refactoring. - - Further, change the default configuration instructions to check for - Hyper in either "target/debug" or "target/release" - the latter - contains an optimized build configuration. - - Fixes #7947 - Closes #7948 - -- RELEASE-NOTES: synced - - and bump the version to 7.80.1 - -- multi: shut down CONNECT in Curl_detach_connnection - - ... to prevent a lingering pointer that would lead to a double-free. - - Added test 1939 to verify. - - Reported-by: Stephen M. 
Coakley - Fixes #7982 - Closes #7986 - -- curl_easy_cleanup.3: remove from multi handle first - - Easy handles that are used by the multi interface should be removed from - the multi handle before they are cleaned up. - - Reported-by: Stephen M. Coakley - Ref: #7982 - Closes #7983 - -- url.c: fix the SIGPIPE comment for Curl_close - - Closes #7984 - -Version 7.80.0 (10 Nov 2021) - -Daniel Stenberg (10 Nov 2021) -- RELEASE-NOTES: synced - - for curl 7.80.0 - -- THANKS: add contributors from the 7.80.0 cycle - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: advertise h3 as well as h3-29 - - Advertise h3 as well as h3-29 since some servers out there require h3 - for QUIC v1. - - Closes #7979 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: use QUIC v1 consistently - - Since we switched to v1 quic_transport_parameters codepoint in #7960 - with quictls, lets use QUIC v1 consistently. - - Closes #7979 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: compile with the latest nghttp3 - - Closes #7978 - -Marc Hoersken (9 Nov 2021) -- tests: add Schannel-specific tests and disable unsupported ones - - Adds Schannel variants of SSLpinning tests that include the option - --ssl-revoke-best-effort to ignore certificate revocation check - failures which is required due to our custom test CA certificate. - - Disable the original variants if the Schannel backend is enabled. - - Also skip all IDN tests which are broken while using an msys shell. - - This is a step to simplify test exclusions for Windows and MinGW. 
- - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg - Closes #7968 - -Daniel Stenberg (8 Nov 2021) -- docs: NAME fixes in easy option man pages - - Closes #7975 - -- [Roger Young brought this change] - - ftp: make the MKD retry to retry once per directory - - Reported-by: Roger Young - Fixes #7967 - Closes #7976 - -- tool_operate: reorder code to avoid compiler warning - - tool_operate.c(889) : warning C4701: potentially uninitialized local - variable 'per' use - - Follow-up to cc71d352651a0d95 - Reported-by: Marc Hörsken - Bug: https://github.com/curl/curl/pull/7922#issuecomment-963042676 - Closes #7971 - -- curl_easy_perform.3: add a para about recv and send data - - Reported-by: Godwin Stewart - Fixes #7973 - Closes #7974 - -- tool_operate: fclose stream only if fopened - - Fixes torture test failures - Follow-up to cc71d352651 - - Closes #7972 - -- libcurl-easy.3: language polish - -- limit-rate.d: this is average over several seconds - - Closes #7970 - -- docs: reduce/avoid English contractions - - You're => You are - Hasn't => Has not - Doesn't => Does not - Don't => Do not - You'll => You will - etc - - Closes #7930 - -- tool_operate: fix torture leaks with etags - - Spotted by torture testing 343 344 345 347. - - Follow-up from cc71d352651a0 - Pointed-out-by: Dan Fandrich - - Closes #7969 - -- [Amaury Denoyelle brought this change] - - ngtcp2: support latest QUIC TLS RFC9001 - - QUIC Transport Parameters Extension has been changed between draft-29 - and latest RFC9001. Most notably, its identifier has been updated from - 0xffa5 to 0x0039. The version is selected through the QUIC TLS library - via the legacy codepoint. - - Disable the usage of legacy codepoint in curl to switch to latest - RFC9001. This is required to be able to keep up with latest QUIC - implementations. 
- - Acked-by: Tatsuhiro Tsujikawa - Closes #7960 - -- test1173: make manpage-syntax.pl spot \n errors in examples - -- man pages: fix backslash-n in examples - - ... to be proper backslash-backslash-n sequences to render nicely in man - and on website. - - Follow-up to 24155569d8a - Reported-by: Sergey Markelov - - Fixes https://github.com/curl/curl-www/issues/163 - Closes #7962 - -- scripts/release-notes.pl: use out of repo links verbatim in refs - -- tool_operate: a failed etag save now only fails that transfer - - When failing to create the output file for saving an etag, only fail - that particular single transfer and allow others to follow. - - In a serial transfer setup, if no transfer at all is done due to them - all being skipped because of this error, curl will output an error - message and return exit code 26. - - Added test 369 and 370 to verify. - - Reported-by: Earnestly on github - Ref: #7942 - Closes #7945 - -- [Kevin Burke brought this change] - - .github: retry macos "brew install" command on failure - - Previously we saw errors attempting to run "brew install", see - https://github.com/curl/curl/runs/4095721123?check_suite_focus=true for - an example, since this command is idempotent, it is safe to run again. - - Closes #7955 - -- CURLOPT_ALTSVC_CTRL.3: mention conn reuse is preferred - - Ref: https://github.com/curl/curl/discussions/7954 - - Closes #7957 - -- RELEASE-NOTES: synced - -- zuul: pin the quiche build to use an older cmake-rs - - The latest cmake-rs assumes cmake's --parallel works. That was added in - cmake 3.12, but a lot of our CI builds run on Ubuntu Bionic which only - has cmake 3.10. - - Fixes #7927 - Closes #7952 - -- [Marc Hoersken brought this change] - - Revert "src/tool_filetime: disable -Wformat on mingw for this file" - - This reverts commit 7c88fe375b15c44d77bccc9ab733b8069d228e6f. 
- - Follow up to #6535 as the pragma is obsolete with warnf - - Closes #7941 - -Jay Satiro (2 Nov 2021) -- schannel: fix memory leak due to failed SSL connection - - - Call schannel_shutdown if the SSL connection fails. - - Prior to this change schannel_shutdown (which shuts down the SSL - connection as well as memory cleanup) was not called when the SSL - connection failed (eg due to failed handshake). - - Co-authored-by: Gisle Vanem - - Fixes https://github.com/curl/curl/issues/7877 - Closes https://github.com/curl/curl/pull/7878 - -Daniel Stenberg (2 Nov 2021) -- Curl_updateconninfo: store addresses for QUIC connections too - - So that CURLINFO_PRIMARY_IP etc work for HTTP/3 like for other HTTP - versions. - - Reported-by: Jerome Mao - Fixes #7939 - Closes #7944 - -- [Sergio Durigan Junior brought this change] - - curl.1: fix typos in the manpage - - s/transfering/transferring/ - s/transfered/transferred/ - - 
Signed-off-by: Sergio Durigan Junior <sergiodj@sergiodj.net> - Closes #7937 - -Marc Hoersken (1 Nov 2021) -- tests/smbserver.py: fix compatibility with impacket 0.9.23+ - - impacket now performs sanity checks if the requested and to - be served file path actually is inside the real share path. - - Ref: https://github.com/SecureAuthCorp/impacket/pull/1066 - - Fixes #7924 - Closes #7935 - -Daniel Stenberg (1 Nov 2021) -- docs: reduce use of "very" - - "Very" should be avoided in most texts. If intensifiers are needed, try - find better words instead. - - Closes #7936 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: specify the missing required callback functions - - Closes #7929 - -- CURLOPT_[PROXY]_SSL_CIPHER_LIST.3: bold instead of quote - - Bold the example ciphers instead of using single quotes, which then also - avoids the problem of how to use single quotes when first in a line. - - Also rephrased the pages a little. - - Reported-by: Sergio Durigan Junior - Ref: #7928 - Closes #7934 - -- gen.pl: replace leading single quotes with \(aq - - ... and allow single quotes to be used "normally" in the .d files. - - Makes the output curl.1 use better nroff. - - Reported-by: Sergio Durigan Junior - Ref: #7928 - Closes #7933 - -Marc Hoersken (1 Nov 2021) -- tests: kill some test servers afterwards to avoid locked logfiles - - Reviewed-by: Daniel Stenberg - Closes #7925 - -Daniel Stenberg (1 Nov 2021) -- smooth-gtk-thread.c: enhance the mutex lock use - - Reported-by: ryancaicse on github - Fixes #7926 - Closes #7931 - -Marc Hoersken (31 Oct 2021) -- CI/runtests.pl: restore -u flag, but remove it from CI runs - - This makes it possible to use -u again for local testing, - but removes the flag from CI config files and make targets. 
- - Reviewed-by: Daniel Stenberg - - Partially reverts #7841 - Closes #7921 - -Daniel Stenberg (29 Oct 2021) -- [Jonathan Cardoso Machado brought this change] - - CURLOPT_HSTSWRITEFUNCTION.3: using CURLOPT_HSTS_CTRL is required - - Closes #7923 - -- [Axel Morawietz brought this change] - - imap: display quota information - - Show response to "GETQUOTAROOT INBOX" command. - - Closes #6973 - -- RELEASE-NOTES: synced - -- [Boris Rasin brought this change] - - cmake: fix error getting LOCATION property on non-imported target - - Closes #7885 - -- [Xiaoke Wang brought this change] - - url: check the return value of curl_url() - - Closes #7917 - -- [Roy Li brought this change] - - configure.ac: replace krb5-config with pkg-config - - The rationale is that custom *-config tools don't work well when - cross-compiling or using sysroots (such as when using Yocto project) and - require custom fixing for each of them; pkg-config on the other hand - works similarly everywhere. - - Signed-off-by: Roy Li <rongqing.li@windriver.com> - 
Signed-off-by: Alexander Kanavin <alex@linutronix.de> - - Closes #7916 - -- test1160: edited to work with hyper - - Closes #7912 - -- data/DISABLED: enable tests that now work with hyper - - Closes #7911 - -- test559: add 'HTTP' in keywords - - Makes it run fine with hyper - - Closes #7911 - -- test552: updated to work with hyper - - Closes #7911 - -Marc Hoersken (27 Oct 2021) -- github: fix incomplete permission to label PRs for Hacktoberfest - - Unfortunately the GitHub API requires a token with write permission - for both issues and pull-requests to edit labels on even just PRs. - - Follow up to #7897 - -Daniel Stenberg (27 Oct 2021) -- opt-manpages: use 'Added in' instead of 'Since' - - Closes #7913 - -Marc Hoersken (27 Oct 2021) -- github: fix missing permission to label PRs for Hacktoberfest - - Follow up to #7897 - - Test references to see if permissions are now sufficient: - - Closes #7832 - Closes #7897 - -- CI: more use of test-ci make target and verbose output - - Replace test-nonflaky with test-ci and enable verbose output - in all remaining CIs except Zuul which is customized a lot. - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - - Follow up to #7785 - Closes #7832 - -- github: add support for Hacktoberfest using labels - - Automatically add hacktoberfest-accepted label to PRs opened between - September 30th and November 1st once a commit with a close reference - to it is pushed onto the master branch. - - With this workflow we can participate in Hacktoberfest while not - relying on GitHub to identify PRs as merged due to our rebasing. - - Requires hacktoberfest-accepted labels to exist for PRs on the - participating repository. Also requires hacktoberfest topic on - the participating repository to avoid applying to forked repos. - - Reviewed-by: Daniel Stenberg - - Fixes #7865 - Closes #7897 - -Daniel Stenberg (27 Oct 2021) -- http: reject HTTP response codes < 100 - - ... which then also includes negative ones as test 1430 uses. 
- - This makes native + hyper backend act identically on this and therefore - test 1430 can now be enabled when building with hyper. Adjust test 1431 - as well. - - Closes #7909 - -- [Kerem Kat brought this change] - - docs: fix typo in CURLOPT_TRAILERFUNCTION example - - Closes #7910 - -- docs/HYPER: remove some remaining issues, add HTTP/0.9 limitation - -- configure: when hyper is selected, deselect nghttp2 - - Closes #7908 - -- [Patrick Monnerat brought this change] - - sendf: accept zero-length data in Curl_client_write() - - Historically, Curl_client_write() used a length value of 0 as a marker - for a null-terminated data string. This feature has been removed in - commit f4b85d2. To detect leftover uses of the feature, a DEBUGASSERT - statement rejecting a length with value 0 was introduced, effectively - precluding use of this function with zero-length data. - - The current commit removes the DEBUGASSERT and makes the function to - return immediately if length is 0. - - A direct effect is to fix trying to output a zero-length distinguished - name in openldap. - - Another DEBUGASSERT statement is also rephrased for better readability. - - Closes #7898 - -- hyper: disable test 1294 since hyper doesn't allow such crazy headers - - Closes #7905 - -- c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work - - Verified by the enabled test 1288 - - Closes #7905 - -- test1287: make work on hyper - - Closes #7905 - -- test1266/1267: disabled on hyper: no HTTP/0.9 support - - Closes #7905 - -Viktor Szakats (25 Oct 2021) -- Makefile.m32: fix to not require OpenSSL with -libssh2 or -rtmp options - - Previously, -libssh2/-rtmp options assumed that OpenSSL is also enabled - (and then failed with an error when not finding expected OpenSSL headers), - but this isn't necessarly true, e.g. when building both libssh2 and curl - against Schannel. This patch makes sure to only enable the OpenSSL backend - with -libssh2/-rtmp, when there was no SSL option explicitly selected. 
- - - Re-implement the logic as a single block of script. - - Also fix an indentation while there. - - Assisted-by: Jay Satiro - - Closes #7895 - -Daniel Stenberg (25 Oct 2021) -- docs: consistent use of "Added in" - - Make them all say "Added in [version]" without using 'curl' or 'libcurl' - in that phrase. - -- man pages: require all to use the same section header order - - This is the same order we already enforce among the options' man pages: - consistency is good. Add lots of previously missing examples. - - Adjust the manpage-syntax script for this purpose, used in test 1173. - - Closes #7904 - -- [David Hu brought this change] - - docs/HTTP3: improve build instructions - - 1. If writing to a system path if the command is not prefixed with - `sudo` it will cause a permission denied error - - 2. The patched OpenSSL branch has been updated to `openssl-3.0.0+quic` - to match upstream OpenSSL version. - - 3. We should not disable GnuTLS docs. - - Updated some commands about `make install` - - Closes #7842 - -- [Ricardo Martins brought this change] - - CMake: restore support for SecureTransport on iOS - - Restore support for building curl for iOS with SecureTransport enabled. - - Closes #7501 - -- tests: enable more tests with hyper - - Adjusted 1144, 1164 and 1176. - - Closes #7900 - -- docs: provide "RETURN VALUE" section for more func manpages - - Three were missing, one used a non-standard name for the header. - - Closes #7902 - -Jay Satiro (25 Oct 2021) -- curl_multi_socket_action.3: add a "RETURN VALUE" section - - .. because it may not be immediately clear to the user what - curl_multi_socket_action returns. - - Ref: https://curl.se/mail/lib-2021-10/0035.html - - Closes https://github.com/curl/curl/pull/7901 - -Daniel Stenberg (24 Oct 2021) -- RELEASE-NOTES: synced - -- [Samuel Henrique brought this change] - - tests: use python3 in test 1451 - - This is a continuation of commit ec91b5a69000bea0794bbb3 in which - changing this test was missed. 
There are no other python2 leftovers - now. - - Based on a Debian patch originally written by Alessandro Ghedini - <ghedo@debian.org> - - Closes #7899 - -- [Eddie Lumpkin brought this change] - - lib: fixing comment spelling typos in lib files - - Closes #7894 - Signed-off-by: ewlumpkin <ewlumpkin@gmail.com> - -- openssl: if verifypeer is not requested, skip the CA loading - - It was previously done mostly to show a match/non-match in the verbose - output even when verification was not asked for. This change skips the - loading of the CA certs unless verifypeer is set to save memory and CPU. - - Closes #7892 - -- curl-confopts.m4: remove --enable/disable-hidden-symbols - - These configure options have been saying "deprecated" since 9e24b9c7af - (April 2012). It was about time we remove them. - - Closes #7891 - -- c-hyper: don't abort CONNECT responses early when auth-in-progress - - ... and make sure to stop ignoring the body once the CONNECT is done. - - This should make test 206 work proper again and not be flaky. - - Closes #7889 - -- hyper: does not support disabling CURLOPT_HTTP_TRANSFER_DECODING - - Simply because hyper doesn't have this ability. Mentioned in docs now. - - Skip test 326 then - - Closes #7889 - -- test262: don't attempt with hyper - - This test verifies that curl works with binary zeroes in HTTP response - headers and hyper refuses such. They're not kosher http. - - Closes #7889 - -- c-hyper: make test 217 run - - Closes #7889 - -- DISABLED: enable test 209+213 for hyper - - Follow-up to 823d3ab855c - - Closes #7889 - -- test207: accept a different error code for hyper - - It returns HYPERE_UNEXPECTED_EOF for this case which we convert to the - somewhat generic CURLE_RECV_ERROR. - - Closes #7889 diff --git a/libs/libcurl/docs/THANKS b/libs/libcurl/docs/THANKS index b9f6eee256..b898341c95 100644 --- a/libs/libcurl/docs/THANKS +++ b/libs/libcurl/docs/THANKS 
@@ -6,6 +6,7 @@ 0xee on github 0xflotus on github +12932 on github 1337vt on github 1ocalhost on github 3dyd on github @@ -39,7 +40,9 @@ Adrian Peniak Adrian Schuur Adriano Meirelles afrind on github +Aftab Alam ahodesuka on github +ajak in #curl Ajit Dhumale Akhil Kedia Aki Koskinen @@ -100,6 +103,7 @@ Alexander Sinditskiy Alexander Traud Alexander V. Tikhonov Alexander Zhuravlev +Alexandre Bury Alexandre Pion Alexey Borzov Alexey Eremikhin @@ -144,6 +148,7 @@ Andreas Rieke Andreas Roth Andreas Schneider Andreas Schuldei +Andreas Sommer Andreas Streichardt Andreas Wurf Andrei Benea @@ -273,6 +278,7 @@ Benjamin Gerard Benjamin Gilbert Benjamin Johnson Benjamin Kircher +Benjamin Loison Benjamin Riefenstahl Benjamin Ritcey Benjamin Sergeant @@ -321,6 +327,7 @@ Boris Rasin Boris Verkhovskiy Brad Burdick Brad Fitzpatrick +Brad Forschinger Brad Harder Brad Hards Brad King @@ -357,6 +364,7 @@ Bruno Thomsen Bryan Henderson Bryan Kemp bsammon on github +bsergean on github Bubu on github buzo-ffm on github bxac on github @@ -386,6 +394,7 @@ Catalin Patulea causal-agent on github cbartl on github cclauss on github +Cering on github Cesar Eduardo Barros Chad Monroe Chandrakant Bagul @@ -434,6 +443,7 @@ Christopher Head Christopher Palow Christopher R. Palmer Christopher Reid +Christopher Sauer Christopher Stone Chungtsun Li Ciprian Badescu @@ -515,10 +525,12 @@ Daniel Carpenter Daniel Cater Daniel Egger Daniel Gustafsson +Daniel Hallberg Daniel Hwang Daniel Jeliński Daniel Johnson Daniel Kahn Gillmor +Daniel Katz Daniel Krügler Daniel Kurečka Daniel Lee Hwang @@ -557,6 +569,7 @@ David Binderman David Blaikie David Bohman David Byron +David Carlier David Cohen David Cook David Demelier @@ -579,6 +592,7 @@ David LeBlanc David Lopes David Lord David McCreedy +David McLaughlin David Odin David Phillips David Rosenstrauch 
@@ -651,9 +665,12 @@ Dmitry S. Baikov Dmitry Wagin dnivras on github Dolbneff A.V +Domen Kožar Domenico Andreoli Dominick Meglio Dominik Hölzl +Dominik Klemba +Dominik Thalhammer Dominique Leuenberger Don J Olmstead Dongliang Mu @@ -675,6 +692,7 @@ Duane Cathey Duncan Mac-Vicar Prett Duncan Wilcox Dustin Boswell +Dustin Howett Dusty Mabe Duy Phan Thanh Dwarakanath Yadavalli @@ -692,6 +710,7 @@ Eddie Lumpkin Edgaras Janušauskas Edin Kadribasic Edmond Yu +Edoardo Lolletti Eduard Bloch Edward Kimmel Edward Rudd @@ -711,6 +730,7 @@ Elliot Saba Ellis Pritchard Elmira A Semenova Elms +Eloy Degen elsamuko on github emanruse on github Emanuele Bovisio @@ -719,6 +739,7 @@ Emil Engler Emil Lerner Emil Romanus Emiliano Ida +Emilio López Emmanuel Tychon Enrico Scholz Enrik Berkhan @@ -763,11 +784,12 @@ Evan Jordan Evangelos Foutras Even Rouault Evert Pot -Evgeny Grin +Evgeny Grin (Karlson2k) Evgeny Turnaev eXeC64 on github Eygene Ryabinkin Eylem Ugurel +Fabian Fischer Fabian Frank Fabian Hiernaux Fabian Keil @@ -913,6 +935,7 @@ Gustaf Hui Gustavo Grieco Guy Poizat GwanYeong Kim +Gwen Shapira Gwenole Beauchesne Gökhan Şengün Götz Babin-Ebell @@ -958,7 +981,9 @@ Henry Roeland Herve Amblard HexTheDragon Hidemoto Nakada +highmtworks on github Himanshu Gupta +Hiroki Kurosawa Ho-chi Chen Hoi-Ho Chan Hongli Lai @@ -1017,6 +1042,7 @@ Isaiah Norton Ishan SinghLevett Ithubg on github Ivan Avdeev +Ivan Tsybulin IvanoG on github Ivo Bellin Salarin iz8mbw on github @@ -1029,6 +1055,7 @@ Jacob Barthelmeh Jacob Hoffman-Andrews Jacob Meuser Jacob Moshenko +Jacob Tolar Jactry Zeng Jad Chamcham Jaime Fullaondo @@ -1143,6 +1170,7 @@ Jesse Tan jethrogb on github jhoyla on github Jie He +Jilayne Lovejoy Jim Beveridge Jim Drash Jim Freeman @@ -1179,6 +1207,7 @@ Johannes G. Kristinsson Johannes Lesr Johannes Schindelin John A. Bristor +John Bampton John Bradshaw John Butterfield John Coffey 
@@ -1226,6 +1255,7 @@ Jon Travis Jon Turner Jon Wilkes Jonas Forsman +Jonas Haag Jonas Minnberg Jonas Schnelli Jonas Vautherin @@ -1251,6 +1281,7 @@ Josh Kapell Josh Soref joshhe on github Joshua Kwan +Joshua Root Joshua Swink Josie Huddleston Josip Medved @@ -1282,12 +1313,14 @@ Junho Choi Jurij Smakov jurisuk on github Juro Bystricky +justchen1369 on github Justin Clift Justin Ehlert Justin Fletcher Justin Karneges Justin Maggard jveazey on github +jvvprasad78 on github jzinn on github János Fekete Jérémy Rocher @@ -1299,6 +1332,7 @@ ka7 on github Kael1117 on github Kai Engert Kai Noda +Kai Pastor Kai Sommerfeld Kai-Uwe Rommel Kalle Vahlman @@ -1310,7 +1344,6 @@ Kantanat Wannapaka Kari Pahula Karl Chen Karl Moerder -Karlson2k on github Karol Pietrzak Kartik Mahajan Kaspar Brand @@ -1319,9 +1352,11 @@ Katsuhiko YOSHIDA Kazuho Oku Kees Cook Kees Dekker +Keitagit-kun on github Keith MacDonald Keith McGuigan Keith Mok +Kelly Kaoudis Ken Brown Ken Hirsch Ken Rastatter @@ -1440,6 +1475,7 @@ Linus Nielsen Feltzing Linus Nordberg Lior Kaplan Lisa Xu +Litter White Liviu Chircu Liza Alenchery lllaffer on github @@ -1474,6 +1510,7 @@ Luo Jinghua Luong Dinh Dung Luz Paz Luật Nguyễn +lwthiker on github Lyman Epp Lyndon Hill M.R.T on github @@ -1513,6 +1550,7 @@ Marcin Gryszkalis Marcin Konicki Marco Deckel Marco G. Salvagno +Marco Kamner Marco Maggi Marcos Diazr Marcus Hoffmann @@ -1528,6 +1566,7 @@ Mark Davies Mark Dodgson Mark Hamilton Mark Incley +Mark Itzcovitz Mark Karpeles Mark Lentczner Mark Nottingham @@ -1567,8 +1606,10 @@ Martin Lemke Martin Skinner Martin Staael Martin Storsjö +Martin Strunz Martin V Martin Vejnár +Martin Ågren Marty Kuhrt Maruko Masaya Suzuki @@ -1576,9 +1617,11 @@ masbug on github Massimiliano Fantuzzi Massimiliano Ziccardi Massimo Callegari +MasterInQuestion on github Mateusz Loskot Mathias Axelsson Mathias Gumz +Mathieu Carbonneaux Mathieu Legare Matias N. Goldberg Mats Lidell 
@@ -1599,6 +1642,7 @@ Matthew Blain Matthew Clarke Matthew Hall Matthew Kerwin +Matthew Thompson Matthew Whitehead Matthias Bolte Matthias Gatto @@ -1641,10 +1685,12 @@ Michael Calmer Michael Cronenworth Michael Curtis Michael Day +Michael Drake Michael Felt Michael Forney Michael Gmelin Michael Goffioul +Michael Heimpold Michael Hordijk Michael Jahn Michael Jerris @@ -1667,6 +1713,7 @@ Michael Smith Michael Stapelberg Michael Steuer Michael Stillwell +Michael Trebilcock Michael Vittiglio Michael Wallner Michal Bonino @@ -1734,8 +1781,10 @@ Muhammed Yavuz Nuzumlalı Murugan Balraj Muz Dima Myk Taylor +n0name321 on github Nach M. S. Nagai H +Nao Yonashiro naost3rn on github Nate Prewitt Nathan Coulter @@ -1823,12 +1872,14 @@ Oli Kingshott Oliver Gondža Oliver Graute Oliver Kuckertz +Oliver Roberts Oliver Schindler Oliver Urbann Olivier Berger Olivier Brunel Omar Ramadan omau on github +opensignature on github Orange Tsai Oren Souroujon Oren Tirosh @@ -1884,6 +1935,7 @@ Paul Nolan Paul Oliver Paul Querna Paul Saab +Paul Seligman Paul Vixie Paulo Roberto Tomasi Pavel Cenek @@ -1914,6 +1966,7 @@ Peter Bray Peter Forret Peter Frühberger Peter Gal +Peter Goodman Peter Heuchert Peter Hjalmarsson Peter Korsgaard @@ -1940,6 +1993,7 @@ Petr Bahula Petr Novak Petr Pisar Petr Voytsik +Petr Štetiar Phil Blundell Phil Crump Phil E. Taylor @@ -1948,7 +2002,7 @@ Phil Lisiecki Phil Pellouchoud Philip Craig Philip Gladstone -Philip H +Philip Heiduck Philip Langdale Philip Prindeville Philipp Klaus Krause @@ -1975,7 +2029,9 @@ Pramod Sharma Prash Dush Praveen Pvs Prithvi MK +privetryan on github Priyanka Shah +ProceduralMan on github Przemysław Tomaszewski pszemus on github puckipedia on github @@ -2094,6 +2150,8 @@ Rob Jones Rob Sanders Rob Stanzel Rob Ward +RobBotic1 on github +Robby Simpson Robert A. Monat Robert B. Harris Robert Brose @@ -2141,6 +2199,7 @@ Ron Eldor Ron Parker Ron Zapp Ronnie Mose +Rosen Penev Rosimildo da Silva Ross Burton Roy Bellingan 
@@ -2165,6 +2224,7 @@ Ryan Sleevi Ryan Winograd ryancaicse on github Ryuichi KAWAMATA +rzrymiak on github Rémy Léone S. Moonesamy Sai Ram Kunala @@ -2220,6 +2280,7 @@ Sebastian Sterk Senthil Raja Velu Sergei Kuzmin Sergei Nikulov +Sergey Bronnikov Sergey Markelov Sergey Ogryzkov Sergey Tatarincev @@ -2237,6 +2298,7 @@ Sevan Janiyan Sgharat on github Sh Diao Shachaf Ben-Kiki +ShadowZzj on github Shailesh Kapse Shankar Jadhavar Shao Shuchao @@ -2244,6 +2306,7 @@ Sharad Gupta Shard Sharon Brizinov Shaun Jackman +Shaun Mirani Shawn Landden Shawn Poulson Shikha Sharma @@ -2278,6 +2341,7 @@ Spezifant on github Spiridonoff A.V Spoon Man Spork Schivago +ssdbest on github sspiri on github sstruchtrup on github Stadler Stephan @@ -2342,6 +2406,7 @@ Stian Soiland-Reyes Stoned Elipot stootill on github Stuart Henderson +Sukanya Hanumanthu SumatraPeter on github Sune Ahlgren Sunny Bean @@ -2369,6 +2434,7 @@ tarek112 on github Tatsuhiro Tsujikawa tawmoto on github tbugfinder on github +Ted Lyngmo Teemu Yli-Elsila Temprimus Terri Oda @@ -2376,8 +2442,10 @@ Terry Wu thanhchungbtc on github The Infinnovation team TheAssassin on github +TheKnarf on github Theodore Dubois therealhirudo on github +Thiago Suchorski tholin on github Thomas Bouzerar Thomas Braun @@ -2396,6 +2464,7 @@ Thomas Schwinge Thomas Tonino Thomas van Hesteren Thomas Vegas +Thomas Weißschuh Thorsten Schöning Tiit Pikma Till Maas @@ -2434,8 +2503,10 @@ Tobias Hintze Tobias Lindgren Tobias Markus Tobias Nießen +Tobias Nygren Tobias Nyholm Tobias Rundström +Tobias Schaefer Tobias Stoeckmann Toby Peterson Todd A Ouska @@ -2487,6 +2558,7 @@ Toshio Kuratomi Toshiyuki Maezawa tpaukrt on github Traian Nicolescu +Trail of Bits Travis Burtrum Travis Obenhaus Trivikram Kamat @@ -2516,6 +2588,7 @@ Valerii Zapodovnikov vanillajonathan on github Varnavas Papaioannou Vasiliy Faronov +Vasiliy Ulyanov Vasily Lobaskin Vasy Okhin Venkat Akella 
@@ -2548,6 +2621,7 @@ Vladimir Lazarenko Vladimir Panteleev Vladimir Varlamov Vlastimil Ovčáčík +vlubart on github Vojtech Janota Vojtech Minarik Vojtěch Král @@ -2586,6 +2660,7 @@ Wojciech Zwiefka Wolf Vollprecht Wouter Van Rooy Wu Yongzheng +Wu Zheng Wyatt O'Day Wyatt OʼDay x2018 on github @@ -2612,6 +2687,7 @@ ygthien on github Yi Huang Yiming Jing Yingwei Liu +yiyuaner on github Ymir1711 on github Yonggang Luo Yongkang Huang @@ -2622,6 +2698,7 @@ Yu Xin Yukihiro Kawada Yun SangHo Yuri Slobodyanyuk +Yuriy Chernyshov Yuriy Sosov Yusuke Nakamura Yves Arrouye @@ -2635,6 +2712,7 @@ zelinchen on github Zenju on github Zero King Zhang Xiuhua +zhanghu on xiaomi Zhao Yisha Zhaoyang Wu Zhibiao Wu @@ -2646,6 +2724,7 @@ Zvi Har'El zzq1015 on github Ádler Jonas Gross Érico Nogueira +Érico Nogueira Rolim İsmail Dönmez Łukasz Domeradzki Štefan Kremeň |
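Review bot: in the libs/libcurl/docs/CHANGES hunk, the 24 Oct 2021 entry "openssl: if verifypeer is not requested, skip the CA loading" records a behaviour change that this update brings in without any mention outside the imported changelog. Per the entry, CA certs are no longer loaded unless verifypeer is set, so the match/non-match line that used to appear in verbose output is gone for any caller that turns verification off. Suggest calling this out in the commit message of the update so that anyone reading verbose TLS output from such a caller knows why it changed.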
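Review bot: the last libs/libcurl/docs/THANKS hunk (@@ -2646,6 +2724,7 @@) adds "Érico Nogueira Rolim" directly below the unchanged "Érico Nogueira" line, which reads like one contributor listed twice. The same patch merges comparable cases elsewhere: "Karlson2k on github" is removed while "Evgeny Grin" becomes "Evgeny Grin (Karlson2k)", and "Philip H" becomes "Philip Heiduck". If this file is meant to stay identical to the upstream copy, leave it as is and raise the duplicate upstream; otherwise drop the shorter entry.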