diff options
Diffstat (limited to 'libs/libcurl/docs')
| -rw-r--r-- | libs/libcurl/docs/CHANGES | 18739 | ||||
| -rw-r--r-- | libs/libcurl/docs/COPYING | 44 | ||||
| -rw-r--r-- | libs/libcurl/docs/THANKS | 5514 |
3 files changed, 12673 insertions, 11624 deletions
diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES index d48ababb4f..c5152c1398 100644 --- a/libs/libcurl/docs/CHANGES +++ b/libs/libcurl/docs/CHANGES @@ -1,8865 +1,9874 @@ - _ _ ____ _ - ___| | | | _ \| | - / __| | | | |_) | | - | (__| |_| | _ <| |___ - \___|\___/|_| \_\_____| - - Changelog - -Version 7.86.0 (26 Oct 2022) - -Daniel Stenberg (26 Oct 2022) -- RELEASE: synced - - The 7.86.0 release - -- THANKS: added from the 7.86.0 release - -Viktor Szakats (25 Oct 2022) -- noproxy: include netinet/in.h for htonl() - - Solve the Amiga build warning by including `netinet/in.h`. - - `krb5.c` and `socketpair.c` are using `htonl()` too. This header is - already included in those sources. - - Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309 - - Reviewed-by: Daniel Stenberg - Closes #9787 - -Marc Hoersken (24 Oct 2022) -- CI: fix AppVeyor status failing for starting jobs - -Daniel Stenberg (24 Oct 2022) -- test445: verifies the protocols-over-http-proxy flaw and fix - -- http_proxy: restore the protocol pointer on error - - Reported-by: Trail of Bits - - Closes #9790 - -- multi: remove duplicate include of connect.h - - Reported-by: Martin Strunz - Fixes #9794 - Closes #9795 - -Daniel Gustafsson (24 Oct 2022) -- idn: fix typo in test description - - s/enabked/enabled/i - -Daniel Stenberg (24 Oct 2022) -- url: use IDN decoded names for HSTS checks - - Reported-by: Hiroki Kurosawa - - Closes #9791 - -- unit1614: fix disabled-proxy build - - Follow-up to 1e9a538e05c01 - - Closes #9792 - -Daniel Gustafsson (24 Oct 2022) -- cookies: optimize control character check - - When checking for invalid octets the strcspn() call will return the - position of the first found invalid char or the first NULL byte. - This means that we can check the indicated position in the search- - string saving a strlen() call. - - Closes: #9736 - Reviewed-by: Jay Satiro <raysatiro@yahoo.com> - -Daniel Stenberg (24 Oct 2022) -- netrc: replace fgets with Curl_get_line - - Make the parser only accept complete lines and avoid problems with - overly long lines. - - Reported-by: Hiroki Kurosawa - - Closes #9789 - -- RELEASE-NOTES: add "Planned upcoming removals include" - - URL: https://curl.se/mail/archive-2022-10/0001.html - - Suggested-by: Dan Fandrich - -Viktor Szakats (23 Oct 2022) -- ci: bump to gcc-11 for macos - - Ref: https://github.blog/changelog/2022-10-03-github-actions-jobs-running-on-macos-latest-are-now-running-on-macos-12/ - Ref: https://github.com/actions/runner-images/blob/main/images/macos/macos-12-Readme.md - - Reviewed-by: Max Dymond - Closes #9785 - -- Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [ci skip] - - - Reintroduce `CROSSPREFIX`: - - If set, we add it to the `CC` and `AR` values, and to the _default_ - value of `RC`, which is `windres`. This allows to control each of - these individidually, while also allowing to simplify configuration - via `CROSSPREFIX`. - - This variable worked differently earlier. Hopefully this new solution - hits a better compromise in usefulness/complexity/flexibility. - - Follow-up to: aa970c4c08775afcd0c2853be89b0a6f02582d50 - - - Enable warnings again: - - This time with an option to override it via `CFLAGS`. Warnings are - also enabled by default in CMake, `makefile.dj` and `makefile.amiga` - builds (not in autotools though). - - Follow-up to 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3 - - Closes #9784 - -- noproxy: silence unused variable warnings with no ipv6 - - Follow-up to 36474f1050c7f4117e3c8de6cc9217cfebfc717d - - Reviewed-by: Daniel Stenberg - Closes #9782 - -Daniel Stenberg (22 Oct 2022) -- test644: verify --xattr (with redirect) - -- tool_xattr: save the original URL, not the final redirected one - - Adjusted test 1621 accordingly. - - Reported-by: Viktor Szakats - Fixes #9766 - Closes #9768 - -- docs: make sure libcurl opts examples pass in long arguments - - Reported-by: Sergey - Fixes #9779 - Closes #9780 - -Marc Hoersken (21 Oct 2022) -- CI: fix AppVeyor job links only working for most recent build - - Ref: https://github.com/curl/curl/pull/9768#issuecomment-1286675916 - Reported-by: Daniel Stenberg - - Follow up to #9769 - -Viktor Szakats (21 Oct 2022) -- noproxy: fix builds without AF_INET6 - - Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309 - - Reviewed-by: Daniel Stenberg - - Closes #9778 - -Daniel Stenberg (21 Oct 2022) -- noproxy: support proxies specified using cidr notation - - For both IPv4 and IPv6 addresses. Now also checks IPv6 addresses "correctly" - and not with string comparisons. - - Split out the noproxy checks and functionality into noproxy.c - - Added unit test 1614 to verify checking functions. - - Reported-by: Mathieu Carbonneaux - - Fixes #9773 - Fixes #5745 - Closes #9775 - -- urlapi: remove two variable assigns - - To please scan-build: - - urlapi.c:1163:9: warning: Value stored to 'qlen' is never read - qlen = Curl_dyn_len(&enc); - ^ ~~~~~~~~~~~~~~~~~~ - urlapi.c:1164:9: warning: Value stored to 'query' is never read - query = u->query = Curl_dyn_ptr(&enc); - ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Follow-up to 7d6cf06f571d57 - - Closes #9777 - -- [Jeremy Maitin-Shepard brought this change] - - cmake: improve usability of CMake build as a sub-project - - - Renames `uninstall` -> `curl_uninstall` - - Ensures all export rules are guarded by CURL_ENABLE_EXPORT_TARGET - - Closes #9638 - -- [Don J Olmstead brought this change] - - easy_lock: check for HAVE_STDATOMIC_H as well - - The check for `HAVE_STDATOMIC_H` looks to see if the `stdatomic.h` - header is present. - - Closes #9755 - -- RELEASE-NOTES: synced - -- [Brad Harder brought this change] - - CURLMOPT_PIPELINING.3: dedup manpage xref - - Closes #9776 - -Marc Hoersken (20 Oct 2022) -- CI: report AppVeyor build status for each job - - Also give each job on AppVeyor CI a human-readable name. - - This aims to make job and therefore build failures more visible. - - Reviewed-by: Marcel Raad - Closes #9769 - -Viktor Szakats (20 Oct 2022) -- amiga: set SIZEOF_CURL_OFF_T=8 by default [ci skip] - - Reviewed-by: Daniel Stenberg - - Closes #9771 - -- connect: fix builds without AF_INET6 - - Regression from 2b309560c1e5d6ed5c0e542e6fdffa968b0521c9 - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - - Closes #9770 - -Daniel Stenberg (20 Oct 2022) -- test1105: adjust <data> to work with a hyper build - - Closes #9767 - -- urlapi: fix parsing URL without slash with CURLU_URLENCODE - - When CURLU_URLENCODE is set, the parser would mistreat the path - component if the URL was specified without a slash like in - http://local.test:80?-123 - - Extended test 1560 to reproduce and verify the fix. - - Reported-by: Trail of Bits - - Closes #9763 - -Marc Hoersken (19 Oct 2022) -- tests: avoid CreateThread if _beginthreadex is available - - CreateThread is not threadsafe if mixed with CRT calls. - _beginthreadex on the other hand can be mixed with CRT. - - Reviewed-by: Marcel Raad - Closes #9705 - -Jay Satiro (19 Oct 2022) -- [Joel Depooter brought this change] - - schannel: Don't reset recv/send function pointers on renegotiation - - These function pointers will have been set when the initial TLS - handshake was completed. If they are unchanged, there is no need to set - them again. If they have been changed, as is the case with HTTP/2, we - don't want to override that change. That would result in the - http22_recv/send functions being completely bypassed. - - Prior to this change a connection that uses Schannel with HTTP/2 would - fail on renegotiation with error "Received HTTP/0.9 when not allowed". - - Fixes https://github.com/curl/curl/issues/9451 - Closes https://github.com/curl/curl/pull/9756 - -Viktor Szakats (18 Oct 2022) -- hostip: guard PF_INET6 use - - Some platforms (e.g. Amiga OS) do not have `PF_INET6`. Adjust the code - for these. - - ``` - hostip.c: In function 'fetch_addr': - hostip.c:308:12: error: 'PF_INET6' undeclared (first use in this function) - pf = PF_INET6; - ^~~~~~~~ - ``` - - Regression from 1902e8fc511078fb5e26fc2b907b4cce77e1240d - - Reviewed-by: Daniel Stenberg - - Closes #9760 - -- amiga: do not hardcode openssl/zlib into the os config [ci skip] - - Enable them in `lib/makefile.amiga` and `src/makefile.amiga` instead. - - This allows builds without openssl and/or zlib. E.g. with the - <https://github.com/bebbo/amiga-gcc> cross-compiler. - - Reviewed-by: Daniel Stenberg - - Closes #9762 - -- amigaos: add missing curl header [ci skip] - - Without it, `CURLcode` and `CURLE_*` are undefined. `lib/hostip.h` and - conditional local code need them. - - Reviewed-by: Daniel Stenberg - - Closes #9761 - -Daniel Stenberg (18 Oct 2022) -- cmdline/docs: add a required 'multi' keyword for each option - - The keyword specifies how option works when specified multiple times: - - - single: the last provided value replaces the earlier ones - - append: it supports being provided multiple times - - boolean: on/off values - - mutex: flag-like option that disable anoter flag - - The 'gen.pl' script then outputs the proper and unified language for - each option's multi-use behavior in the generated man page. - - The multi: header is requires in each .d file and will cause build error - if missing or set to an unknown value. - - Closes #9759 - -- CURLOPT_AUTOREFERER.3: highlight the privacy leak risk - - Closes #9757 - -- mprintf: reject two kinds of precision for the same argument - - An input like "%.*1$.9999d" would first use the precision taken as an - argument *and* then the precision specified in the string, which is - confusing and wrong. pass1 will now instead return error on this double - use. - - Adjusted unit test 1398 to verify - - Reported-by: Peter Goodman - - Closes #9754 - -- ftp: remove redundant if - - Reported-by: Trail of Bits - - Closes #9753 - -- tool_operate: more transfer cleanup after parallel transfer fail - - In some circumstances when doing parallel transfers, the - single_transfer_cleanup() would not be called and then 'inglob' could - leak. - - Test 496 verifies - - Reported-by: Trail of Bits - Closes #9749 - -- mqtt: spell out CONNECT in comments - - Instead of calling it 'CONN' in several comments, use the full and - correct protocol packet name. - - Suggested by Trail of Bits - - Closes #9751 - -- CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST - - Not the deprecated CURLOPT_HTTPPOST option. - - Also added two see-alsos. - - Reported-by: Trail of Bits - Closes #9752 - -- RELEASE-NOTES: synced - -Jay Satiro (17 Oct 2022) -- ngtcp2: Fix build errors due to changes in ngtcp2 library - - ngtcp2/ngtcp2@b0d86f60 changed: - - - ngtcp2_conn_get_max_udp_payload_size => - ngtcp2_conn_get_max_tx_udp_payload_size - - - ngtcp2_conn_get_path_max_udp_payload_size => - ngtcp2_conn_get_path_max_tx_udp_payload_size - - ngtcp2/ngtcp2@ec59b873 changed: - - - 'early_data_rejected' member added to ng_callbacks. - - Assisted-by: Daniel Stenberg - Reported-by: jurisuk@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/9747 - Closes https://github.com/curl/curl/pull/9748 - -Daniel Stenberg (16 Oct 2022) -- curl_path: return error if given a NULL homedir - - Closes #9740 - -- libssh: if sftp_init fails, don't get the sftp error code - - This flow extracted the wrong code (sftp code instead of ssh code), and - the code is sometimes (erroneously) returned as zero anyway, so skip - getting it and set a generic error. - - Reported-by: David McLaughlin - Fixes #9737 - Closes #9740 - -- mqtt: return error for too long topic - - Closes #9744 - -- [Rickard Hallerbäck brought this change] - - tool_paramhlp: make the max argument a 'double' - - To fix compiler warnings "Implicit conversion from 'long' to 'double' - may lose precision" - - Closes #9700 - -Marc Hoersken (15 Oct 2022) -- [Philip Heiduck brought this change] - - cirrus-ci: add more macOS builds with m1 based on x86_64 builds - - Also refactor macOS builds to use task matrix. - - Assisted-by: Marc Hörsken - Closes #9565 - -Viktor Szakats (14 Oct 2022) -- cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows - - `lib/config-win32.h` enables this configuration option unconditionally. - Make it apply to CMake builds as well. - - While here, delete a broken check for - `HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID` from `CMakeLists.txt`. This came with - the initial commit [1], but did not include the actual verification code - inside `CMake/CurlTests.c`, so it always failed. A later commit [2] - added a second test, for non-Windows platforms. - - Enabling this flag causes test 1056 to fail with CMake builds, as they - do with autotools builds. Let's apply the same solution and ignore the - results here as well. - - [1] 4c5307b45655ba75ab066564afdc0c111a8b9291 - [2] aec7c5a87c8482b6ddffa352d7d220698652262e - - Reviewed-by: Daniel Stenberg - Assisted-by: Marcel Raad - - Closes #9726 - -- cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows - - autotools enables this configuration option unconditionally for Windows - [^1]. Do the same in CMake. - - The above will make this work for all reasonably recent environments. - The logic present in `lib/config-win32.h` [^2] has the following - exceptions which we did not cover in this CMake update: - - - Builds targeting Windows 2000 and earlier - - MS Visual C++ 5.0 (1997) and earlier - - Also make sure to disable this feature when `HAVE_GETADDRINFO` isn't - set, to avoid a broken build. We might want to handle that in the C - sources in a future commit. - - [^1]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/m4/curl-functions.m4#L2067-L2070 - - [^2]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/lib/config-win32.h#L511-L528 - - Closes #9727 - -- cmake: sync HAVE_SIGNAL detection with autotools - - `HAVE_SIGNAL` means the availability of the `signal()` function in - autotools, while in CMake it meant the availability of that function - _and_ the symbol `SIGALRM`. - - The latter is not available on Windows, but the function is, which means - on Windows, autotools did define `HAVE_SIGNAL`, but CMake did not, - introducing a slight difference into the binaries. - - This patch syncs CMake behaviour with autotools to look for the function - only. - - The logic came with the initial commit adding CMake support to curl, so - the commit history doesn't reveal the reason behind it. In any case, - it's best to check the existence of `SIGALRM` directly in the source - before use. For now, curl builds fine with `HAVE_SIGNAL` enabled and - `SIGALRM` missing. - - Follow-up to 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6 - - Closes #9725 - -- cmake: delete duplicate HAVE_GETADDRINFO test - - A custom `HAVE_GETADDRINFO` check came with the initial CMake commit - [1]. A later commit [2] added a standard check for it as well. The - standard check run before the custom one, so CMake ignored the latter. - - The custom check was also non-portable, so this patch deletes it in - favor of the standard check. - - [1] 4c5307b45655ba75ab066564afdc0c111a8b9291 - [2] aec7c5a87c8482b6ddffa352d7d220698652262e - - Closes #9731 - -Daniel Stenberg (14 Oct 2022) -- tool_formparse: unroll the NULL_CHECK and CONST_FREE macros - - To make the code read more obvious - - Assisted-by: Jay Satiro - - Closes #9710 - -- [Christopher Sauer brought this change] - - docs/INSTALL: update Android Instructions for newer NDKs - - Closes #9732 - -- markdown-uppercase: ignore quoted sections - - Sections within the markdown ~~~ or ``` are now ignored. - - Closes #9733 - -- RELEASE-NOTES: synced - -- test8: update as cookies no longer can have "embedded" TABs in content - -- test1105: extend to verify TAB in name/content discarding cookies - -- cookie: reject cookie names or content with TAB characters - - TABs in name and content seem allowed by RFC 6265: "the algorithm strips - leading and trailing whitespace from the cookie name and value (but - maintains internal whitespace)" - - Cookies with TABs in the names are rejected by Firefox and Chrome. - - TABs in content are stripped out by Firefox, while Chrome discards the - whole cookie. - - TABs in cookies also cause issues in saved netscape cookie files. - - Reported-by: Trail of Bits - - URL: https://curl.se/mail/lib-2022-10/0032.html - URL: https://github.com/httpwg/http-extensions/issues/2262 - - Closes #9659 - -- curl/add_parallel_transfers: better error handling - - 1 - consider the transfer handled at once when in the function, to avoid - the same list entry to get added more than once in rare error - situations - - 2 - set the ERRORBUFFER for the handle first after it has been added - successfully - - Reported-by: Trail of Bits - - Closes #9729 - -- netrc: remove the two 'changed' arguments - - As no user of these functions used the returned content. - -- test495: verify URL encoded user name + netrc-optional - - Reproduced issue #9709 - -- netrc: use the URL-decoded user - - When the user name is provided in the URL it is URL encoded there, but - when used for authentication the encoded version should be used. - - Regression introduced after 7.83.0 - - Reported-by: Jonas Haag - Fixes #9709 - Closes #9715 - -- [Shaun Mirani brought this change] - - url: allow non-HTTPS HSTS-matching for debug builds - - Closes #9728 - -- test1275: remove the check of stderr - - To avoid the mysterious test failures on Windows, instead rely on the - error code returned on failure. - - Fixes #9716 - Closes #9723 - -Viktor Szakats (13 Oct 2022) -- lib: set more flags in config-win32.h - - The goal is to add any flag that affect the created binary, to get in - sync with the ones built with CMake and autotools. - - I took these flags from curl-for-win [0], where they've been tested with - mingw-w64 and proven to work well. - - This patch brings them to curl as follows: - - - Enable unconditionally those force-enabled via - `CMake/WindowsCache.cmake`: - - - `HAVE_SETJMP_H` - - `HAVE_STRING_H` - - `HAVE_SIGNAL` (CMake equivalent is `HAVE_SIGNAL_FUNC`) - - - Expand existing guards with mingw-w64: - - - `HAVE_STDBOOL_H` - - `HAVE_BOOL_T` - - - Enable Win32 API functions for Windows Vista and later: - - - `HAVE_INET_NTOP` - - `HAVE_INET_PTON` - - - Set sizes, if not already set: - - - `SIZEOF_OFF_T = 8` - - `_FILE_OFFSET_BITS = 64` when `USE_WIN32_LARGE_FILES` is set, - and using mingw-w64. - - - Add the remaining for mingw-w64 only. Feel free to expand as desired: - - - `HAVE_LIBGEN_H` - - `HAVE_FTRUNCATE` - - `HAVE_BASENAME` - - `HAVE_STRTOK_R` - - Future TODO: - - - `HAVE_SIGNAL` has a different meaning in CMake. It's enabled when both - the `signal()` function and the `SIGALRM` macro are found. In - autotools and this header, it means the function only. For the - function alone, CMake uses `HAVE_SIGNAL_FUNC`. - - [0] https://github.com/curl/curl-for-win/blob/c9b9a5f273c94c73d2b565ee892c4dff0ca97a8c/curl-m32.sh#L53-L58 - - Reviewed-by: Daniel Stenberg - - Closes #9712 - -Daniel Stenberg (13 Oct 2022) -- tests: add tests/markdown-uppercase.pl to dist tarball - - Follow-up to aafb06c5928183d - - Closes #9722 - -- tool_paramhelp: asserts verify maximum sizes for string loading - - The two defines MAX_FILE2MEMORY and MAX_FILE2STRING define the largest - strings accepted when loading files into memory, but as the size is - later used as input to functions that take the size as 'int' as - argument, the sizes must not be larger than INT_MAX. - - These two new assert()s make the code error out if someone would bump - the sizes without this consideration. - - Reported-by Trail of Bits - - Closes #9719 - -- http: try parsing Retry-After: as a number first - - Since the date parser allows YYYYMMDD as a date format (due to it being - a bit too generic for parsing this particular header), a large integer - number could wrongly match that pattern and cause the parser to generate - a wrong value. - - No date format accepted for this header starts with a decimal number, so - by reversing the check and trying a number first we can deduct that if - that works, it was not a date. - - Reported-by Trail of Bits - - Closes #9718 - -- [Patrick Monnerat brought this change] - - doc: fix deprecation versions inconsistencies - - Ref: https://curl.se/mail/lib-2022-10/0026.html - - Closes #9711 - -- http_aws_sigv4: fix strlen() check - - The check was off-by-one leading to buffer overflow. - - Follow-up to 29c4aa00a16872 - - Detected by OSS-Fuzz - - Closes #9714 - -- curl/main_checkfds: check the fcntl return code better - - fcntl() can (in theory) return a non-zero number for success, so a - better test for error is checking for -1 explicitly. - - Follow-up to 41e1b30ea1b77e9ff - - Mentioned-by: Dominik Klemba - - Closes #9708 - -Viktor Szakats (12 Oct 2022) -- tidy-up: delete unused HAVE_STRUCT_POLLFD - - It was only defined in `lib/config-win32.h`, when building for Vista. - - It was only used in `select.h`, in a condition that also included a - check for `POLLIN` which is a superior choice for this detection and - which was already used by cmake and autotools builds. - - Delete both instances of this macro. - - Closes #9707 - -Daniel Stenberg (12 Oct 2022) -- test1275: verify upercase after period in markdown - - Script based on the #9474 pull-request logic, but implemented in perl. - - Updated docs/URL-SYNTAX.md accordingly. - - Suggested-by: Dan Fandrich - - Closes #9697 - -- [12932 brought this change] - - misc: nitpick grammar in comments/docs - - because the 'u' in URL is actually a consonant *sound* it is only - correct to write "a URL" - - sorry this is a bit nitpicky :P - - https://english.stackexchange.com/questions/152/when-should-i-use-a-vs-an - https://www.techtarget.com/whatis/feature/Which-is-correct-a-URL-or-an-URL - - Closes #9699 - -Viktor Szakats (11 Oct 2022) -- Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [ci skip] - - This patch aimed to fix a regression [0], where `CC` initialization - moved beyond its first use. But, on closer inspection it turned out that - the `CC` initialization does not work as expected due to GNU Make - filling it with `cc` by default. So unless implicit values were - explicitly disabled via a GNU Make option, the default value of - `$CROSSPREFIX` + `gcc` was never used. At the same time the implicit - value `cc` maps to `gcc` in (most/all?) MinGW envs. - - `AR` has the same issue, with a default value of `ar`. - - We could reintroduce a separate variable to fix this without ill - effects, but for simplicity and flexibility, it seems better to drop - support for `CROSSPREFIX`, along with our own `CC`/`AR` init logic, and - require the caller to initialize `CC`, `AR` and `RC` to the full - (prefixed if necessary) names of these tools, as desired. - - We keep `RC ?= windres` because `RC` is empty by default. - - Also fix grammar in a comment. - - [0] 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3 - - Closes #9698 - -- smb: replace CURL_WIN32 with WIN32 - - PR #9255 aimed to fix a Cygwin/MSYS issue (#8220). It used the - `CURL_WIN32` macro, but that one is not defined here, while compiling - curl itself. This patch changes this to `WIN32`, assuming this was the - original intent. - - Regression from 1c52e8a3795ccdf8ec9c308f4f8f19cf10ea1f1a - - Reviewed-by: Marcel Raad - - Closes #9701 - -Daniel Stenberg (11 Oct 2022) -- [Matthias Gatto brought this change] - - aws_sigv4: fix header computation - - Handle canonical headers and signed headers creation as explained here: - https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html - - The algo tells that signed and canonical must contain at last host and - x-amz-date. - - So we check whatever thoses are present in the curl http headers list. - If they are, we use the one enter by curl user, otherwise we generate - them. then we to lower, and remove space from each http headers plus - host and x-amz-date, then sort them all by alphabetical order. - - This patch also fix a bug with host header, which was ignoring the port. - - Closes #7966 - -Jay Satiro (11 Oct 2022) -- [Aftab Alam brought this change] - - README.md: link the curl logo to the website - - - Link the curl:// image to https://curl.se/ - - Closes https://github.com/curl/curl/pull/9675 - -- [Dustin Howett brought this change] - - schannel: when importing PFX, disable key persistence - - By default, the PFXImportCertStore API persists the key in the user's - key store (as though the certificate was being imported for permanent, - ongoing use.) - - The documentation specifies that keys that are not to be persisted - should be imported with the flag PKCS12_NO_PERSIST_KEY. - NOTE: this flag is only supported on versions of Windows newer than XP - and Server 2003. - - -- - - This is take 2 of the original fix. It extends the lifetime of the - client certificate store to that of the credential handle. The original - fix which landed in 70d010d and was later reverted in aec8d30 failed to - work properly because it did not do that. - - Minor changes were made to the schannel credential context to support - closing the client certificate store handle at the end of an SSL session. - - -- - - Reported-by: ShadowZzj@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/9300 - Supersedes https://github.com/curl/curl/pull/9363 - Closes https://github.com/curl/curl/pull/9460 - -Viktor Szakats (11 Oct 2022) -- Makefile.m32: support more options [ci skip] - - - Add support for these options: - `-wolfssl`, `-wolfssh`, `-mbedtls`, `-libssh`, `-psl` - - Caveats: - - `-wolfssh` requires `-wolfssl`. - - `-wolfssl` cannot be used with OpenSSL backends in parallel. - - `-libssh` has build issues with BoringSSL and LibreSSL, and also - what looks like a world-writable-config vulnerability on Windows. - Consider it experimental. - - `-psl` requires `-idn2` and extra libs passed via - `LIBS=-liconv -lunistring`. - - - Detect BoringSSL/wolfSSL and set ngtcp2 crypto lib accordingly. - - Generalize MultiSSL detection. - - Use else-if syntax. Requires GNU Make 3.81 (2006-04-01). - - Document more customization options. - - This brings over some configuration logic from `curl-for-win`. - - Closes #9680 - -- cmake: enable more detection on Windows - - Enable `HAVE_UNISTD_H`, `HAVE_STRTOK_R` and `HAVE_STRCASECMP` detection - on Windows, instead of having predefined values. - - With these features detected correctly, CMake Windows builds get closer - to the autotools and `config-win32.h` ones. - - This also fixes detecting `HAVE_FTRUNCATE` correctly, which required - `unistd.h`. - - Fixing `ftruncate()` in turn causes a build warning/error with legacy - MinGW/MSYS1 due to an offset type size mismatch. This env misses to - detect `HAVE_FILE_OFFSET_BITS`, which may be a reason. This patch - force-disables `HAVE_FTRUNCATE` for this platform. - - Reviewed-by: Daniel Stenberg - - Closes #9687 - -- autotools: allow unix sockets on Windows - - Fixes: https://github.com/curl/curl-for-win/blob/73a070d96fd906fdee929e2f1f00a9149fb39239/curl-autotools.sh#L44-L47 - - On Windows this feature is present, but not the header used in the - detection logic. It also requires an elaborate enabler logic - (as seen in `lib/curl_setup.h`). Let's always allow it and let the - lib code deal with the details. - - Closes #9688 - -- cmake: add missing inet_ntop check - - This adds the missing half of the check, next to the other half - already present in `lib/curl_config.h.cmake`. - - Force disable `HAVE_INET_NTOP` for old MSVC where it caused compiler - warnings. - - Reviewed-by: Daniel Stenberg - - Closes #9689 - -Daniel Stenberg (11 Oct 2022) -- RELEASE-NOTES: synced - -- [bsergean on github brought this change] - - asyn-ares: set hint flags when calling ares_getaddrinfo - - The hint flag is ARES_AI_NUMERICSERV, and it will save a call to - getservbyname or getservbyname_r to set it. - - Closes #9694 - -- header.d: add category smtp and imap - - They were previously (erroneously) added manually to tool_listhelp.c - which would make them get removed again when the file is updated next - time, unless added correctly here in header.d - - Follow-up to 2437fac01 - - Closes #9690 - -- curl/get_url_file_name: use libcurl URL parser - - To avoid URL tricks, use the URL parser for this. - - This update changes curl's behavior slightly in that it will ignore the - possible query part from the URL and only use the file name from the - actual path from the URL. I consider it a bugfix. - - "curl -O localhost/name?giveme-giveme" will now save the output in the - local file named 'name' - - Updated test 1210 to verify - - Assisted-by: Jay Satiro - - Closes #9684 - -- [Martin Ågren brought this change] - - docs: fix grammar around needing pass phrase - - "You never needed a pass phrase" reads like it's about to be followed by - something like "until version so-and-so", but that is not what is - intended. Change to "You never need a pass phrase". There are two - instances of this text, so make sure to update both. - -- [Xiang Xiao brought this change] - - cmake: add the check of HAVE_SOCKETPAIR - - which is used by Curl_socketpair - - Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com> - - Closes #9686 - -- curl/add_file_name_to_url: use the libcurl URL parser - - instead of the custom error-prone parser, to extract and update the path - of the given URL - - Closes #9683 - -- single_transfer: use the libcurl URL parser when appending query parts - - Instead of doing "manual" error-prone parsing in another place. - - Used when --data contents is added to the URL query when -G is provided. - - Closes #9681 - -- ws: fix buffer pointer use in the callback loop - - Closes #9678 - -- [Petr Štetiar brought this change] - - curl-wolfssl.m4: error out if wolfSSL is not usable - - When I explicitly declare, that I would like to have curl built with - wolfSSL support using `--with-wolfssl` configure option, then I would - expect, that either I endup with curl having that support, for example - in form of https support or it wouldn't be available at all. - - Downstream projects like for example OpenWrt build curl wolfSSL variant - with `--with-wolfssl` already, but in certain corner cases it does fail: - - configure:25299: checking for wolfSSL_Init in -lwolfssl - configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip] - In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.h:33, - from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_public.h:35, - from target-x86_64_musl/usr/include/wolfssl/ssl.h:35, - from conftest.c:47: - target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal error: wolfssl/wolfcrypt/sp_int.h: No such file or directory - #include <wolfssl/wolfcrypt/sp_int.h> - ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ - compilation terminated. - - and in the end thus produces curl without https support: - - curl: (1) Protocol "https" not supported or disabled in libcurl - - So fix it, by making the working wolfSSL mandatory and error out in - configure step when that's not the case: - - checking for wolfSSL_Init in -lwolfssl... no - configure: error: --with-wolfssl but wolfSSL was not found or doesn't work - - References: https://github.com/openwrt/packages/issues/19005 - References: https://github.com/openwrt/packages/issues/19547 - Signed-off-by: Petr Štetiar <ynezz@true.cz> - - Closes #9682 - -- tool_getparam: pass in the snprintf("%.*s") string length as 'int' - - Reported by Coverity CID 1515928 - - Closes #9679 - -- [Paul Seligman brought this change] - - ws: minor fixes for web sockets without the CONNECT_ONLY flag - - - Fixed an issue where is_in_callback was getting cleared when using web - sockets with debug logging enabled - - Ensure the handle is is_in_callback when calling out to fwrite_func - - Change the write vs. send_data decision to whether or not the handle - is in CONNECT_ONLY mode. - - Account for buflen not including the header length in curl_ws_send - - Closes #9665 - -Marc Hoersken (8 Oct 2022) -- CI/cirrus: merge existing macOS jobs into a job matrix - - Ref: #9627 - Reviewed-by: Philip H. - - Closes #9672 - -Daniel Stenberg (8 Oct 2022) -- strcase: add and use Curl_timestrcmp - - This is a strcmp() alternative function for comparing "secrets", - designed to take the same time no matter the content to not leak - match/non-match info to observers based on how fast it is. - - The time this function takes is only a function of the shortest input - string. - - Reported-by: Trail of Bits - - Closes #9658 - -- tool_getparam: split out data_urlencode() into its own function - - Closes #9673 - -- connect: fix Curl_updateconninfo for TRNSPRT_UNIX - - Reported-by: Vasiliy Ulyanov - Fixes #9664 - Closes #9670 - -- ws: fix Coverity complaints - - Coverity pointed out several flaws where variables remained - uninitialized after forks. - - Follow-up to e3f335148adc6742728f - - Closes #9666 - -Marc Hoersken (7 Oct 2022) -- CI/GHA: merge msh3 and openssl3 builds into linux workflow - - Continue work on merging all Linux workflows into one file. - - Follow up to #9501 - Closes #9646 - -Daniel Stenberg (7 Oct 2022) -- curl_ws_send.3: call the argument 'fragsize' - - Since WebSocket works with "fragments" not "frames" - - Closes #9668 - -- easy: avoid Intel error #2312: pointer cast involving 64-bit pointed-to type - - Follow-up to e3f335148adc6742728ff8 - - Closes #9669 - -- tool_main: exit at once if out of file descriptors - - If the main_checkfds function cannot create new file descriptors in an - attempt to detect of stdin, stdout or stderr are closed. - - Also changed the check to use fcntl() to check if the descriptors are - open, which avoids superfluously calling pipe() if they all already are. - - Follow-up to facfa19cdd4d0094 - - Reported-by: Trail of Bits - - Closes #9663 - -- websockets: remodeled API to support 63 bit frame sizes - - curl_ws_recv() now receives data to fill up the provided buffer, but can - return a partial fragment. The function now also get a pointer to a - curl_ws_frame struct with metadata that also mentions the offset and - total size of the fragment (of which you might be receiving a smaller - piece). This way, large incoming fragments will be "streamed" to the - application. When the curl_ws_frame struct field 'bytesleft' is 0, the - final fragment piece has been delivered. - - curl_ws_recv() was also adjusted to work with a buffer size smaller than - the fragment size. (Possibly needless to say as the fragment size can - now be 63 bit large). - - curl_ws_send() now supports sending a piece of a fragment, in a - streaming manner, in addition to sending the entire fragment in a single - call if it is small enough. To send a huge fragment, curl_ws_send() can - be used to send it in many small calls by first telling libcurl about - the total expected fragment size, and then send the payload in N number - of separate invokes and libcurl will stream those over the wire. - - The struct curl_ws_meta() returns is now called 'curl_ws_frame' and it - has been extended with two new fields: *offset* and *bytesleft*. To help - describe the passed on data chunk when a fragment is delivered in many - smaller pieces. - - The documentation has been updated accordingly. - - Closes #9636 - -- [Patrick Monnerat brought this change] - - docs/examples: avoid deprecated options in examples where possible - - Example programs targeting a deprecated feature/option are commented with - a warning about it. - Other examples are adapted to not use deprecated options. - - Closes #9661 - -Viktor Szakats (6 Oct 2022) -- cmake: fix enabling websocket support - - Follow-up from 664249d095275ec532f55dd1752d80c8c1093a77 - - Closes #9660 - -- tidy-up: delete parallel/unused feature flags - - Detecting headers and lib separately makes sense when headers come in - variations or with extra ones, but this wasn't the case here. These were - duplicate/parallel macros that we had to keep in sync with each other - for a working build. This patch leaves a single macro for each of these - dependencies: - - - Rely on `HAVE_LIBZ`, delete parallel `HAVE_ZLIB_H`. - - Also delete CMake logic making sure these two were in sync, along with - a toggle to turn off that logic, called `CURL_SPECIAL_LIBZ`. - - Also delete stray `HAVE_ZLIB` defines. - - There is also a `USE_ZLIB` variant in `lib/config-dos.h`. This patch - retains it for compatibility and deprecates it. - - - Rely on `USE_LIBSSH2`, delete parallel `HAVE_LIBSSH2_H`. - - Also delete `LIBSSH2_WIN32`, `LIBSSH2_LIBRARY` from - `winbuild/MakefileBuild.vc`, these have a role when building libssh2 - itself. And `CURL_USE_LIBSSH`, which had no use at all. - - Also delete stray `HAVE_LIBSSH2` defines. - - - Rely on `USE_LIBSSH`, delete parallel `HAVE_LIBSSH_LIBSSH_H`. - - Also delete `LIBSSH_WIN32`, `LIBSSH_LIBRARY` and `HAVE_LIBSSH` from - `winbuild/MakefileBuild.vc`, these were the result of copy-pasting the - libssh2 line, and were not having any use. - - - Delete unused `HAVE_LIBPSL_H` and `HAVE_LIBPSL`. - - Reviewed-by: Daniel Stenberg - - Closes #9652 - -Daniel Stenberg (6 Oct 2022) -- netrc: compare user name case sensitively - - User name comparisions in netrc need to match the case. - - Closes #9657 - -- CURLOPT_COOKIEFILE: insist on "" for enable-without-file - - The former way that also suggested using a non-existing file to just - enable the cookie engine could lead to developers maybe a bit carelessly - guessing a file name that will not exist, and then in a future due to - circumstances, such a file could be made to exist and then accidentally - libcurl would read cookies not actually meant to. - - Reported-by: Trail of bits - - Closes #9654 - -- tests/Makefile: remove run time stats from ci-test - - The ci-test is the normal makefile target invoked in CI jobs. This has - been using the -r option to runtests.pl since a long time, but I find - that it mostly just adds many lines to the test output report without - anyone caring much about those stats. - - Remove it. - - Closes #9656 - -- [Patrick Monnerat brought this change] - - tool: reorganize function c_escape around a dynbuf - - This is a bit shorter and a lot safer. - - Substrings of unescaped characters are added by a single call to reduce - overhead. - - Extend test 1465 to handle more kind of escapes. - - Closes #9653 - -Jay Satiro (5 Oct 2022) -- CURLOPT_HTTPPOST.3: bolden the deprecation notice - - Ref: https://github.com/curl/curl/pull/9621 - - Closes https://github.com/curl/curl/pull/9637 - -Daniel Stenberg (5 Oct 2022) -- [John Bampton brought this change] - - misc: fix spelling in docs and comments - - also: remove outdated sentence - - Closes #9644 - -- [Patrick Monnerat brought this change] - - tool: avoid generating ambiguous escaped characters in --libcurl - - C string hexadecimal-escaped characters may have more than 2 digits. - This results in a wrong C compiler interpretation of a 2-digit escaped - character when followed by an hex digit character. - - The solution retained here is to represent such characters as 3-digit - octal escapes. - - Adjust and extend test 1465 for this case. - - Closes #9643 - -- configure: the ngtcp2 option should default to 'no' - - While still experimental. - - Bug: https://curl.se/mail/lib-2022-10/0007.html - Reported-by: Daniel Hallberg - - Closes #9650 - -- CURLOPT_MIMEPOST.3: add an (inline) example - - Reported-by: Jay Satiro - Bug: https://github.com/curl/curl/pull/9637#issuecomment-1268070723 - - Closes #9649 - -Viktor Szakats (5 Oct 2022) -- Makefile.m32: exclude libs & libpaths for shared mode exes [ci skip] - - Exclude linker flags specifying depedency libs and libpaths, when - building against `libcurl.dll`. In such case these options are not - necessary (but may cause errors if not/wrongly configured.) - - Also move and reword a comment on `CPPFLAGS` to not apply to - `UNICODE` options. These are necessary for all build targets. - - Closes #9651 - -Jay Satiro (5 Oct 2022) -- runtests: fix uninitialized value on ignored tests - - - Don't show TESTFAIL message (ie tests failed which aren't ignored) if - only ignored tests failed. - - Before: - IGNORED: failed tests: 571 612 1056 - TESTDONE: 1214 tests out of 1217 reported OK: 99% - Use of uninitialized value $failed in concatenation (.) or string at - ./runtests.pl line 6290. - TESTFAIL: These test cases failed: - - After: - IGNORED: failed tests: 571 612 1056 - TESTDONE: 1214 tests out of 1217 reported OK: 99% - - Closes https://github.com/curl/curl/pull/9648 - -- cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS - - - Correct the use of -all-static for static Windows CI builds. - - curl_LDFLAGS was removed from the makefile when metalink support was - removed. LDFLAGS=-all-static is passed to make only, because it is not a - valid option for configure compilation tests. - - Closes https://github.com/curl/curl/pull/9633 - -Viktor Szakats (4 Oct 2022) -- Makefile.m32: fix regression with tool_hugehelp [ci skip] - - In a recent commit I mistakenly deleted this logic, after seeing a - reference to a filename ending with `.cvs` and thinking it must have - been long gone. Turns out this is an existing file. Restore the rule - and the necessary `COPY` definitions with it. - - The restored logic is required for a successful build on a bare source - tree (as opposed to a source release tarball). - - Also shorten an existing condition similar to the one added in this - patch. - - Regression since 07a0047882dd3f1fbf73486c5dd9c15370877ad6 - - Closes #9645 - -- Makefile.m32: deduplicate build rules [ci skip] - - After this patch, we reduce the three copies of most `Makefile.m32` - logic to one. This now resides in `lib/Makefile.m32`. It makes future - updates easier, the code shorter, with a small amount of added - complexity. - - `Makefile.m32` reduction: - - | | bytes | LOC total | blank | comment | code | - |-------------------|-------:|----------:|-------:|---------:|------:| - | 7.85.0 | 34772 | 1337 | 79 | 192 | 1066 | - | before this patch | 17601 | 625 | 62 | 106 | 457 | - | after this patch | 11680 | 392 | 52 | 104 | 236 | - - Details: - - - Change rules to create objects for the `v*` subdirs in the `lib` dir. - This allows to use a shared compile rule and assumes that filenames - are not (and will not be) colliding across these directories. - `Makefile.m32` now also stores a list of these subdirs. They are - changing rarely though. - - - Sync as much as possible between the three `Makefile.m32` scripts' - rules and their source/target sections. - - - After this patch `CPPFLAGS` are all applied to the `src` sources once - again. This matches the behaviour of cmake/autotools. Only zlib ones - are actually required there. - - - Use `.rc` names from `Makefile.inc` instead of keeping a duplicate. - - - Change examples to link `libcurl.dll` by default. This makes building - trivial, even as a cross-build: - `CC=x86_64-w64-mingw32-gcc make -f Makefile.m32` - To run them, you need to move/copy or add-to-path `libcurl.dll`. - You can select static mode via `CFG=-static`. - - - List more of the `Makefile.m32` config variables. - - - Drop `.rc` support from examples. It made it fragile without much - benefit. - - - Include a necessary system lib for the `externalsocket.c` example. - - - Exclude unnecessary systems libs when building in `-dyn` mode. - - Closes #9642 - -Daniel Stenberg (4 Oct 2022) -- RELEASE-NOTES: synced - -- CURLOPT_COOKIELIST.3: fix formatting mistake - - Also, updated manpage-syntax.pl to make it detect this error in test - 1173. - - Reported-by: ProceduralMan on github - Fixes #9639 - Closes #9640 - -- [Jay Satiro brought this change] - - connect: change verbose IPv6 address:port to [address]:port - - - Use brackets for the IPv6 address shown in verbose message when the - format is address:port so that it is less confusing. - - Before: Trying 2606:4700:4700::1111:443... - After: Trying [2606:4700:4700::1111]:443... - - Bug: https://curl.se/mail/archive-2022-02/0041.html - Reported-by: David Hu - - Closes #9635 - -Viktor Szakats (3 Oct 2022) -- Makefile.m32: major rework [ci skip] - - This patch overhauls `Makefile.m32` scripts, fixing a list of quirks, - making its behaviour and customization envvars align better with other - build systems, aiming for less code, that is easier to read, use and - maintain. - - Details: - - Rename customization envvars: - `CURL_CC` -> `CC` - `CURL_RC` -> `RC` - `CURL_AR` -> `AR` - `CURL_LDFLAG_EXTRAS_DLL` -> `CURL_LDFLAGS_LIB` - `CURL_LDFLAG_EXTRAS_EXE` -> `CURL_LDFLAGS_BIN` - - Drop `CURL_STRIP` and `CURL_RANLIB`. These tools are no longer used. - - Accept `CFLAGS`, `CPPFLAGS`, `RCFLAGS`, `LDFLAGS` and `LIBS` envvars. - - Drop `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, `CURL_RCFLAG_EXTRAS` in - favor of the above. - - Do not automatically enable `zlib` with `libssh2`. `zlib` is optional - with `libssh2`. - - Omit unnecessary `CPPFLAGS` options when building `curl.exe` and - examples. - - Drop support for deprecated `-winssl` `CFG` option. Use `-schannel` - instead. - - Avoid late evaluation where not necessary (`=` -> `:=`). - - Drop support for `CURL_DLL_A_SUFFIX` to override the implib suffix. - Instead, use the standard naming scheme by default: `libcurl.dll.a`. - The toolchain recognizes the name, and selects it automatically when - asking for a `-shared` vs. `-static` build. - - Stop applying `strip` to `libcurl.a`. Follow-up from - 16a58e9f93c7e89e1f87720199388bcfcfa148a4. There was no debug info to - strip since then. - - Stop setting `-O3`, `-W`, `-Wall` options. You can add these to - `CFLAGS` as desired. - - Always enable `-DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` with OpenSSL, - to avoid that vulnerability on Windows. - - Add `-lbrotlicommon` to `LIBS` when using `brotli`. - - Do not enable `-nghttp3` without `-ngtcp2`. - - `-ssh2` and `-rtmp` options no longer try to auto-select a TLS-backend. - You need to set the backend explicitly. This scales better and avoids - issues with certain combinations (e.g. `libssh2` + `wolfssl` with no - `schannel`). - - Default to OpenSSL TLS-backend with `ngtcp2`. Possible to override via - `NGTCP2_LIBS`. - - Old, alternate method of enabling components (e.g. `SSH2=1`) no longer - supported. - - Delete `SPNEGO` references. They were no-ops. - - Drop support for Win9x environments. - - Allow setting `OPENSSL_LIBS` independently from `OPENSSL_LIBPATH`. - - Support autotools/CMake `libssh2` builds by default. - - Respect `CURL_DLL_SUFFIX` in `-dyn` mode when building `curl.exe` and - examples. - - Assume standard directory layout with `LIBCARES_PATH`. (Instead of the - long gone embedded one.) - - Stop static linking with c-ares by default. Add - `CPPFLAGS=-DCARES_STATICLIB` to enable it. - - Reorganize internal layout to avoid redundancy and emit clean diffs - between src/lib and example make files. - - Delete unused variables. - - Code cleanups/rework. - - Comment and indentation fixes. - - Closes #9632 - -- scripts/release-notes.pl: strip ci skip tag [ci skip] - - Ref: https://github.com/curl/curl/commit/e604a82cae922bf86403a94f5803ac5e4303ae97#commitcomment-85637701 - - Reviewed-by: Daniel Stenberg - - Closes #9634 - -- Makefile.m32: delete legacy component bits [ci skip] - - - Drop auto-detection of OpenSSL 1.0.2 and earlier. Now always defaulting - to OpenSSL 1.1.0 and later, LibreSSL and BoringSSL. - - - Drop `Invalid path to OpenSSL package` detection. OpenSSL has been - using a standard file layout since 1.1.0, so this seems unnecessary - now. - - - Drop special logic to enable Novell LDAP SDK support. - - - Drop special logic to enable OpenLDAP LDAP SDK support. This seems - to be distinct from native OpenLDAP, with support implemented inside - `lib/ldap.c` (vs. `lib/openldap.c`) back when the latter did not exist - yet in curl. - - - Add `-lwldap32` only if there is no other LDAP library (either native - OpenLDAP, or SDKs above) present. - - - Update `doc/INSTALL.md` accordingly. - - After this patch, it's necessary to make configration changes when using - OpenSSL 1.0.2 or earlier, or the two LDAP SDKs. - - OpenSSL 1.0.2 and earlier: - ``` - export OPENSSL_INCLUDE = <path-to-openssl>/outinc - export OPENSSL_LIBPATH = <path-to-openssl>/out - export OPENSSL_LIBS = -lssl32 -leay32 -lgdi32 - ``` - - Novell LDAP SDK, previously enabled via `USE_LDAP_NOVELL=1`: - ``` - export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/inc -DCURL_HAS_NOVELL_LDAPSDK - export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib/mscvc -lldapsdk -lldapssl -lldapx - ``` - - OpenLDAP LDAP SDK, previously enabled via `USE_LDAP_OPENLDAP=1`: - ``` - export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/include -DCURL_HAS_OPENLDAP_LDAPSDK - export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib -lldap -llber - ``` - - I haven't tested these scenarios, and in general we recommend using - a recent OpenSSL release. Also, WinLDAP (the Windows default) and - OpenLDAP (via `-DUSE_OPENLDAP`) are the LDAP options actively worked on - in curl. - - Closes #9631 - -Daniel Stenberg (2 Oct 2022) -- vauth/ntlm.h: make line shorter than 80 columns - - Follow-up from 265fbd937 - -Viktor Szakats (1 Oct 2022) -- docs: update sourceforge project links [ci skip] - - SourceForge projects can now choose between two hostnames, with .io and - .net ending. Both support HTTPS by default now. Opening the other variant - will perm-redirected to the one chosen by the project. - - The .io -> .net redirection is done insecurely. - - Let's update the URLs to point to the current canonical endpoints to - avoid any redirects. - - Closes #9630 - -Daniel Stenberg (1 Oct 2022) -- curl_url_set.3: document CURLU_APPENDQUERY proper - - Listed among the other supported flags. - - Reported-by: Robby Simpson - Fixes #9628 - Closes #9629 - -Viktor Szakats (1 Oct 2022) -- Makefile.m32: cleanups and fixes [ci skip] - - - Add `-lcrypt32` once, and add it always for simplicity. - - Delete broken link and reference to the pre-Vista WinIDN add-on. - MS no longer distribute it. - - Delete related `WINIDN_PATH` option. IDN is a system lib since Vista. - - Sync `LIBCARES_PATH` default with the rest of dependencies. - - Delete version numbers from dependency path defaults. - - `libgsasl` package is now called `gsasl`. - - Delete `libexpat` and `libxml2` references. No longer used by curl. - - Delete `Edit the path below...` comments. We recommend to predefine - those envvars instead. - - `libcares.a` is not an internal dependency anymore. Stop using it as - such. - - `windres` `--include-dir` -> `-I`, `-F` -> `--target=` for readability. - - Delete `STRIP`, `CURL_STRIP`, `AR` references from `src/Makefile.m32`. - They were never used. - - Stop to `clean` some objects twice in `src/Makefile.m32`. - - Delete cvs-specific leftovers. - - Finish resource support in examples make file. - - Delete `-I<root>/lib` from examples make file. - - Fix copyright start year in examples make file. - - Delete duplicate `ftpuploadresume` input in examples make file. - - Sync OpenSSL lib order, `SYNC` support, `PROOT` use, dependency path - defaults, variables names and other internal bits between the three - make files. - - `lib/Makefile.m32` accepted custom options via `DLL_LIBS` envvar. This - was lib-specific and possibly accidental. Use `CURL_LDFLAG_EXTRAS_DLL` - envvar for the same effect. - - Fix linking `curl.exe` and examples to wrong static libs with - auto-detected OpenSSL 1.0.2 or earlier. - - Add `-lgdi32` for OpenSSL 1.0.2 and earlier only. - - Add link to Novell LDAP SDK and use a relative default path. Latest - version is from 2016, linked to an outdated OpenSSL 1.0.1. - - Whitespace and comment cleanups. - - TODO in a next commit: - - Delete built-in detection/logic for OpenSSL 1.0.2 and earlier, the Novell - LDAP SDK and the other LDAP SDK (which is _not_ OpenLDAP). Write up the - necessary custom envvars to configure them. - - Closes #9616 - -Daniel Stenberg (30 Sep 2022) -- RELEASE-NOTES: synced - -- [Matt Holt brought this change] - - HTTP3.md: update Caddy example - - Closes #9623 - -- easy: fix the altsvc init for curl_easy_duphandle - - It was using the old #ifdef which nothing sets anymore - - Closes #9624 - -- GHA: build tests in a separate step from the running of them - - ... to make the output smaller for when you want to look at test - failures. - - Removed the examples build from msh3 - - Closes #9619 - -Viktor Szakats (29 Sep 2022) -- ldap: delete stray CURL_HAS_MOZILLA_LDAP reference - - Added in 68b215157fdf69612edebdb220b3804822277822, while adding openldap - support. This is also the single mention of this constant in the source - tree and also in that commit. Based on these, it seems like an accident. - - Delete this reference. - - Reviewed-by: Daniel Stenberg - - Closes #9625 - -- docs: spelling nits - - - MingW -> MinGW (Minimalist GNU for Windows) - - f.e. -> e.g. - - some whitespace and punctuation. - - Reviewed-by: Daniel Stenberg - - Closes #9622 - -Daniel Stenberg (29 Sep 2022) -- [Philip Heiduck brought this change] - - cirrus-ci: add macOS build with m1 - - Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - - Closes #9565 - -- [Patrick Monnerat brought this change] - - lib: sanitize conditional exclusion around MIME - - The introduction of CURL_DISABLE_MIME came with some additional bugs: - - Disabled MIME is compiled-in anyway if SMTP and/or IMAP is enabled. - - CURLOPT_MIMEPOST, CURLOPT_MIME_OPTIONS and CURLOPT_HTTPHEADER are - conditioned on HTTP, although also needed for SMTP and IMAP MIME mail - uploads. - - In addition, the CURLOPT_HTTPHEADER and --header documentation does not - mention their use for MIME mail. - - This commit fixes the problems above. - - Closes #9610 - -- [Thiago Suchorski brought this change] - - docs: minor grammar fixes - - Closes #9609 - -- CURLSHOPT_UNLOCKFUNC.3: the callback as no 'access' argument - - Probably a copy and paste error from the lock function man page. - - Reported-by: Robby Simpson - Fixes #9612 - Closes #9613 - -- CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five - - ... instead just list the supported encodings. - - Reported-by: ProceduralMan on github - Fixes #9614 - Closes #9615 - -Dan Fandrich (28 Sep 2022) -- tests: Remove a duplicated keyword - -- docs: document more server names for test files - -Daniel Stenberg (28 Sep 2022) -- altsvc: reject bad port numbers - - The existing code tried but did not properly reject alternative services - using negative or too large port numbers. - - With this fix, the logic now also flushes the old entries immediately - before adding a new one, making a following header with an illegal entry - not flush the already stored entry. - - Report from the ongoing source code audit by Trail of Bits. - - Adjusted test 356 to verify. - - Closes #9607 - -- functypes: provide the recv and send arg and return types - - This header is for providing the argument types for recv() and send() - when built to not use a dedicated config-[platfor].h file. - - Remove the slow brute-force checks from configure and cmake. - - This change also removes the use of the types for select, as they were - not used in code. - - Closes #9592 - -- urlapi: reject more bad characters from the host name field - - Extended test 1560 to verify - - Report from the ongoing source code audit by Trail of Bits. - - Closes #9608 - -- configure: deprecate builds with small curl_off_t - - If curl_off_t turns out to be smaller than 8 bytes, - --with-n64-deprecated needs to be used to allow the build to - continue. This is to highlight the fact that support for such builds is - going away next year. - - Also mentioned in DEPRECATED.md - - Closes #9605 - -- [Patrick Monnerat brought this change] - - http, vauth: always provide Curl_allow_auth_to_host() functionality - - This function is currently located in the lib/http.c module and is - therefore disabled by the CURL_DISABLE_HTTP conditional token. - - As it may be called by TLS backends, disabling HTTP results in an - undefined reference error at link time. - - Move this function to vauth/vauth.c to always provide it and rename it - as Curl_auth_allowed_to_host() to respect the vauth module naming - convention. - - Closes #9600 - -- ngtcp2: fix C89 compliance nit - -- openssl: make certinfo available for QUIC - - Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that - can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC - connections as well. - - The *certchain function was moved to the top of the file for this reason. - - Reported-by: Eloy Degen - Fixes #9584 - Closes #9597 - -- RELEASE-NOTES: synced - -- DEPRECATE.md: Support for systems without 64 bit data types - - Closes #9604 - -- [Patrick Monnerat brought this change] - - tests: skip mime/form tests when mime is not built-in - - Closes #9596 - -- url: rename function due to name-clash in Watt-32 - - Follow-up to 2481dbe5f4f58 and applies the change the way it was - intended. - -Viktor Szakats (26 Sep 2022) -- windows: adjust name of two internal public functions - - According to `docs/INTERNALS.md`, internal function names spanning source - files start with uppercase `Curl_`. Bring these two functions in - alignment with this. - - This also stops exporting them from `libcurl.dll` in autotools builds. - - Reviewed-by: Daniel Stenberg - - Closes #9598 - -Daniel Stenberg (26 Sep 2022) -- [Gisle Vanem brought this change] - - url: rename function due to name-clash in Watt-32 - - Since the commit 764c958c52edb427f39, there was a new function called - resolve_ip(). This clashes with an internal function in Watt-32. - - Closes #9585 - -Jay Satiro (26 Sep 2022) -- schannel: ban server ALPN change during recv renegotiation - - By the time schannel_recv is renegotiating the connection, libcurl has - already decided on a protocol and it is too late for the server to - select a protocol via ALPN except for the originally selected protocol. - - Ref: https://github.com/curl/curl/issues/9451 - - Closes https://github.com/curl/curl/pull/9463 - -Daniel Stenberg (26 Sep 2022) -- url: a zero-length userinfo part in the URL is still a (blank) user - - Adjusted test 1560 to verify - - Reported-by: Jay Satiro - - Fixes #9088 - Closes #9590 - -Viktor Szakats (25 Sep 2022) -- autotools: allow --enable-symbol-hiding with windows - - This local autotools logic was put in place in - 9e24b9c7afbcb81120af4cf3f6cdee49a06d8224 (in 2012) which disabled it for - Windows unconditionally. Testing reveals that it actually works with - tested toolchains (mingw-w64 and CI ones), so let's allow this build - feature on that platform. Bringing this in sync with CMake, which already - supported this. - - Reviewed-by: Jay Satiro - - Closes #9586 - -- autotools: reduce brute-force when detecting recv/send arg list - - autotools uses brute-force to detect `recv`/`send`/`select` argument - lists, by interating through _all_ argument type combinations on each - `./configure` run. This logic exists since - 01fa02d0b545e1433dced2430561f8c0c72b74a9 (from 2006) and was a bit later - extended with Windows support. - - This results in a worst-case number of compile + link cycles as below: - - `recv`: 96 - - `send`: 192 - - `select`: 60 - Total: 348 (the number of curl C source files is 195, for comparison) - - Notice that e.g. curl-for-win autotools builds require two `./configure` - invocations, doubling these numbers. - - `recv` on Windows was especially unlucky because `SOCKET` (the correct - choice there) was listed _last_ in one of the outer trial loops. This - resulted in lengthy waits while autotools was trying all invalid - combinations first, wasting cycles, disk writes and slowing down - iteration. - - This patch reduces the amount of idle work by reordering the tests in - a way to succeed first on a well-known platform such as Windows, and - also on non-Windows by testing for POSIX prototypes first, on the - assumption that these are the most likely candidates these days. (We do - not touch `select`, where the order was already optimal for these - platforms.) - - For non-Windows, this means to try a return value of `ssize_t` first, - then `int`, reordering the buffer argument type to try `void *` first, - then `byte *`, and prefer the `const` flavor with `send`. If we are - here, also stop testing for `SOCKET` type in non-Windows builds. - - After the patch, detection on Windows is instantaneous. It should also be - faster on popular platforms such as Linux and BSD-based ones. - - If there are known-good variations for other platforms, they can also be - fast-tracked like above, given a way to check for that platform inside - the autotools logic. - - Reviewed-by: Daniel Stenberg - - Closes #9591 - -Daniel Stenberg (23 Sep 2022) -- TODO: Provide the error body from a CONNECT response - - Spellchecked-by: Jay Satiro - - Closes #9513 - Closes #9581 - -Viktor Szakats (23 Sep 2022) -- windows: autotools .rc warnings fixup - - Move `LT_LANG([Windows Resource])` after `XC_LIBTOOL`, fixing: - - - Warnings when running `autoreconf -fi`. - - - Warning when compiling .rc files: - libtool: compile: unable to infer tagged configuration - libtool: error: specify a tag with '--tag' - - Follow up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057 - Ref: https://github.com/curl/curl/pull/9521#issuecomment-1256291156 - - Suggested-by: Patrick Monnerat - Closes #9582 - -Daniel Stenberg (23 Sep 2022) -- [Randall S. Becker brought this change] - - curl_setup: disable use of FLOSS for 64-bit NonStop builds - - Older 32-bit builds currently need FLOSS. This dependency may be removed - in future OS releases. - - Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> - - Closes #9575 - -- [Patrick Monnerat brought this change] - - tool: remove dead code - - Add a debug assertion to verify protocols included/excluded in a set - are always tokenized. - - Follow-up to commit 677266c. - - Closes #9576 - -- [Patrick Monnerat brought this change] - - lib: prepare the incoming of additional protocols - - Move the curl_prot_t to its own conditional block. Introduce symbol - PROTO_TYPE_SMALL to control it. - - Fix a cast in a curl_prot_t assignment. - Remove an outdated comment. - - Follow-up to cd5ca80. - - Closes #9534 - -- msh3: change the static_assert to make the code C89 - -- bearssl: make it proper C89 compliant - -- curl-compilers.m4: for gcc + want warnings, set gnu89 standard - - To better verify that the code is C89 - - Closes #9542 - -- [Patrick Monnerat brought this change] - - lib517: fix C89 constant signedness - - In C89, positive integer literals that overflow an int but not an - unsigned int may be understood as a negative int. - - lib517.c:129:3: warning: this decimal constant is unsigned only in ISO C90 - {"Sun, 06 Nov 2044 08:49:37 GMT", 2362034977 }, - ^ - - Closes #9572 - -- mprintf: use snprintf if available - - This is the single place in libcurl code where it uses the "native" - s(n)printf() function. Used for writing floats. The use has been - reviewed and vetted and uses a HUGE target buffer, but switching to - snprintf() still makes this safer and removes build-time warnings. - - Reported-by: Philip Heiduck - - Fixes #9569 - Closes #9570 - -- docs: tag curl options better in man pages - - As it makes them links in the HTML versions. - - Verified by the extended test 1176 - -- symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6 - -- manpage-syntax.pl: all libcurl option symbols should be \fI-tagged - - ... as that makes them links to their corresponding man page. - - This script is used for test 1173. - - Closes #9574 - -- RELEASE-NOTES: synced - -- [Patrick Monnerat brought this change] - - tool: remove protocol count limitation - - Replace bit mask protocol sets by null-terminated arrays of protocol - tokens. These are the addresses of the protocol names returned by - curl_version_info(). - - Protocol names are sorted case-insensitively before output to satisfy CI - tests matches consistency. - - The protocol list returned by curl_version_info() is augmented with all - RTMP protocol variants. - - Test 1401 adjusted for new alpha ordered output. - - Closes #9546 - -- test972: verify the output without using external tool - - It seems too restrictive to assume and use an external tool to verify - the JSON. This now verifies the outut byte per byte. We could consider - building a local "JSON verifyer" in a future. - - Remove 'jsonlint' from the CI job. - - Reported-by: Marcel Raad - Fixes #9563 - Closes #9564 - -- hostip: lazily wait to figure out if IPv6 works until needed - - The check may take many milliseconds, so now it is performed once the - value is first needed. Also, this change makes sure that the value is - not used if the resolve is set to be IPv4-only. - - Closes #9553 - -- curl.h: fix mention of wrong error code in comment - - The same error and comment were also used and is now corrected in - CURLOPT_SSH_KEYFUNCTION.3 - -- symbol-scan.pl: scan and verify .3 man pages - - This script now also finds all .3 man pages in docs/include and - docs/include/opts, extracts all uses of CURL* symbols and verifies that all - symbols mentioned in docs are defined in public headers. - - A "global symbol" is one of those matching a known prefix and the script makes - an attempt to check all/most of them. Just using *all* symbols that match - CURL* proved matching a little too many other references as well and turned - difficult turning into something useful. - - Closes #9544 - -- symbols-in-versions: add missing LIBCURL* symbols - -- symbol-scan.pl: also check for LIBCURL* symbols - - Closes #9544 - -- docs/libcurl/symbols-in-versions: add several missing symbols - -- test1119: scan all public headers - - Previously this test only scanned a subset of the headers, which made us - accidentally miss symbols that were provided in the others. Now, the script - iterates over all headers present in include/curl. - - Closes #9544 - -- [Patrick Monnerat brought this change] - - examples/chkspeed: improve portability - - The example program chkspeed uses strncasecmp() which is not portable - across systems. Replace calls to this function by tests on characters. - - Closes #9562 - -- easy: fix the #include order - - The mentioned "last 3 includes" order should be respected. easy_lock.h should - be included before those three. - - Reported-by: Yuriy Chernyshov - Fixes #9560 - Closes #9561 - -- docs: spellfixes - - Pointed by the new CI job - -- GHA: spellcheck - - This spellchecker checks markdown files. For this reason this job - converts all man pages in the repository to markdown with pandoc before - the check runs. - - The perl script 'cleanspell' filters out details from the man page in - the process, to avoid the spellchecker trying to spellcheck things it - can't. Like curl specific symbols and the SYNOPSIS and EXAMPLE sections - of libcurl man pages. - - The spell checker does not check words in sections that are within pre, - strong and em tags. - - 'spellcheck.words' is a custom word list with additional accepted words. - - Closes #9523 - -- connect: fix the wrong error message on connect failures - - The "Failed to connect to" message after a connection failure would - include the strerror message based on the presumed previous socket - error, but in times it seems that error number is not set when reaching - this code and therefore it would include the wrong error message. - - The strerror message is now removed from here and the curl_easy_strerror - error is used instead. - - Reported-by: Edoardo Lolletti - Fixes #9549 - Closes #9554 - -- httpput-postfields.c: shorten string for C89 compliance - - httpput-postfields.c:41:3: error: string length ‘522’ is greater than the length ‘509’ ISO C90 compilers are required to support [-Woverlength-strings] - 41 | "this chapter."; - | ^~~~~~~~~~~~~~~ - - Closes #9555 - -- ws: fix a C89 compliance nit - - Closes #9541 - -- [Patrick Monnerat brought this change] - - unit test 1655: make it C89-compliant - - Initializations performed in unit test 1655 use automatic variables in - aggregates and thus can only be computed at run-time. Using gcc in C89 - dialect mode produces warning messages like: - - unit1655.c:96:7: warning: initializer element is not computable at load time [-Wpedantic] - 96 | { toolong, DOH_DNS_NAME_TOO_LONG }, /* expect early failure */ - | ^~~~~~~ - - Fix the problem by converting these automatic pointer variables to - static arrays. - - Closes #9551 - -- [Tobias Schaefer brought this change] - - curl_strequal.3: fix typo - - Closes #9548 - -- [Dmitry Karpov brought this change] - - resolve: make forced IPv4 resolve only use A queries - - This protects IPv4-only transfers from undesired bad IPv6-related side - effects and make IPv4 transfers in dual-stack libcurl behave the same - way as in IPv4 single-stack libcurl. - - Closes #9540 - -- RELEASE-NOTES: synced - -- winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths - - Patched-by: Mark Itzcovitz - Bug: https://curl.se/mail/lib-2022-09/0038.html - - Closes #9536 - -- TODO: Reduce CA certificate bundle reparsing - - By adding some sort of cache. - - Reported-by: Michael Drake - Closes #9379 - Closes #9538 - -Marc Hoersken (19 Sep 2022) -- CI/GHA: cancel outdated CI runs on new PR changes - - Avoid letting outdated CI runs continue if a PR receives - new changes. Outside a PR we let them continue running - by tying the concurrency to the commit hash instead. - - Also only let one CodeQL or Hacktoberfest job run at a time. - - Other CI platforms we use have this build in, but GitHub - unfortunately neither by default nor with a simple option. - - This saves CI resources and therefore a little energy. - - Approved-by: Daniel Stenberg - Approved-by: Max Dymond - Closes #9533 - -Daniel Stenberg (19 Sep 2022) -- docs: fix proselint complaints - -- GHA: run proselint on markdown files - - Co-authored-by: Marc Hörsken - - Closes #9520 - -- lib: the number four in a sequence is the "fourth" - - Spelling is hard - - Closes #9535 - -- [John Bampton brought this change] - - misc: fix spelling in two source files - - Closes #9529 - -Viktor Szakats (18 Sep 2022) -- windows: add .rc support to autotools builds - - After this update autotools builds will compile and link `.rc` resources - to Windows executables. Bringing this feature on par with CMake and - Makefile.m32 builds. And also making it unnecessary to improvise these - steps manually, while monkey patching build files, e.g. [0]. - - You can customize the resource compiler via the `RC` envvar, and its - options via `RCFLAGS`. - - This harmless warning may appear throughout the build, even though the - autotools manual documents [1] `RC` as a valid tag, and it fails when - omitting one: - `libtool: error: ignoring unknown tag RC` - - [0] https://github.com/curl/curl-for-win/blob/535f19060d4b708f72e75dd849409ce50baa1b84/curl-autotools.sh#L376-L382 - [1] https://www.gnu.org/software/libtool/manual/html_node/Tags.html - - Closes #9521 - -Marc Hoersken (18 Sep 2022) -- CI/linkcheck: only run if a Markdown file is changed - - This saves CI resources and therefore a little energy. - - Reviewed-by: Max Dymond - Closes #9531 - -- README.md: add GHA status badges for Linux and macOS builds - - This makes sense now that Linux builds are being consolidated. - - Approved-by: Daniel Stenberg - Closes #9530 - - [skip ci] - -Daniel Stenberg (17 Sep 2022) -- misc: null-terminate - - Make use of this term consistently. - - Closes #9527 - -Marc Hoersken (17 Sep 2022) -- CI/GHA: merge intel CC and more TLS libs into linux workflow - - Continue work on merging all Linux workflows into one file. - - Reviewed-by: Max Dymond - Follow up to #9501 - Closes #9514 - -Daniel Stenberg (17 Sep 2022) -- [Patrick Monnerat brought this change] - - lib1597: make it C89-compliant again - - Automatic variable addresses cannot be used in an initialisation - aggregate. - - Follow-up to 9d51329 - - Reported-by: Daniel Stenberg - Fixes: #9524 - Closes #9525 - -- tool_libinfo: silence "different 'const' qualifiers" in qsort() - - MSVC 15.0.30729.1 warned about it - - Follow-up to dd2a024323dcc - - Closes #9522 - -- [Patrick Monnerat brought this change] - - docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR. - - Disabled protocols are now handled as if they were unknown. - Also update the possible protocol list. - -- [Patrick Monnerat brought this change] - - cli tool: do not use disabled protocols - - As they are now rejected by the library, take care of not passing - disabled protocol names to CURLOPT_PROTOCOLS_STR and - CURLOPT_REDIR_PROTOCOLS_STR. - - Rather than using the CURLPROTO_* constants, dynamically assign protocol - numbers based on the order they are listed by curl_version_info(). - - New type proto_set_t implements prototype bit masks: it should therefore - be large enough to accomodate all library-enabled protocols. If not, - protocol numbers beyond the bit count of proto_set_t are recognized but - "inaccessible": when used, a warning is displayed and the value is - ignored. Should proto_set_t overflows, enabled protocols are reordered to - force those having a public CURLPROTO_* representation to be accessible. - - Code has been added to subordinate RTMP?* protocols to the presence of - RTMP in the enabled protocol list, being returned by curl_version_info() - or not. - -- [Patrick Monnerat brought this change] - - setopt: use the handler table for protocol name to number conversions - - This also returns error CURLE_UNSUPPORTED_PROTOCOL rather than - CURLE_BAD_FUNCTION_ARGUMENT when a listed protocol name is not found. - - A new schemelen parameter is added to Curl_builtin_scheme() to support - this extended use. - - Note that disabled protocols are not recognized anymore. - - Tests adapted accordingly. - - Closes #9472 - -- altsvc: use 'h3' for h3 - - Since the official and real version has been out for a while now and servers - are deployed out there using it, there is no point in sticking to h3-29. - - Reported-by: ウさん - Fixes #9515 - Closes #9516 - -Jay Satiro (16 Sep 2022) -- [chemodax brought this change] - - winbuild: Use NMake batch-rules for compilation - - - Invoke cl compiler once for each group of .c files. - - This is significantly improves compilation time. For example in my - environment: 40 s --> 20 s. - - Prior to this change cl was invoked per .c file. - - Closes https://github.com/curl/curl/pull/9512 - -Daniel Stenberg (16 Sep 2022) -- ws: the infof() flags should be %zu - - Follow-up to e5e9e0c5e49ae0 - - Closes #9518 - -- curl: warn for --ssl use, considered insecure - - Closes #9519 - -- [Sergey Bronnikov brought this change] - - curl_escape.3: fix typo - - lengthf -> length - - Closes #9517 - -- mailmap: merge Philip Heiduck's two addresses into one - -- test1948: verify PUT + POST reusing the same handle - - Reproduced #9507, verifies the fix - -- setopt: when POST is set, reset the 'upload' field - - Reported-by: RobBotic1 on github - Fixes #9507 - Closes #9511 - -Marc Hoersken (15 Sep 2022) -- github: initial CODEOWNERS setup for CI configuration - - Reviewed-by: Daniel Stenberg - Reviewed-by: Marcel Raad - Reviewed-by: Max Dymond - - Closes #9505 - - [skip ci] - -- [Philip Heiduck brought this change] - - CI: optimize some more dependencies install - - Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan> - - Closes #9500 - -- CI/GHA: merge event-based and NSS into new linux workflow - - Continue work on merging all Linux workflows into one file. - - Follow up to #9501 - Closes #9506 - -Daniel Stenberg (15 Sep 2022) -- include/curl/websockets.h: add extern "C" for C++ - - Reported-by: n0name321 on github - Fixes #9509 - Closes #9510 - -- lib1560: extended to verify detect/reject of unknown schemes - - ... when no guessing is allowed. - -- urlapi: detect scheme better when not guessing - - When the parser is not allowed to guess scheme, it should consider the - word ending at the first colon to be the scheme, independently of number - of slashes. - - The parser now checks that the scheme is known before it counts slashes, - to improve the error messge for URLs with unknown schemes and maybe no - slashes. - - When following redirects, no scheme guessing is allowed and therefore - this change effectively prevents redirects to unknown schemes such as - "data". - - Fixes #9503 - -- strerror: improve two URL API error messages - -Marc Hoersken (14 Sep 2022) -- CI/GHA: merge bearssl and hyper into initial linux workflow - - Begin work on merging all Linux workflows into one file. - - Closes #9501 - -Daniel Stenberg (14 Sep 2022) -- RELEASE-NOTES: synced - -- cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h - - Since the config file might also get included by the tool code at times. - This syncs with how other builds do it. - - Closes #9498 - -- tool_hugehelp: make hugehelp a blank macro when disabled - - Closes #9485 - -- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled - - ... to improve the output in this situation. Now it doesn't say "option - unknown" anymore. - - Closes #9485 - -- setopt: fix compiler warning - - Follow-up to cd5ca80f00d2 - - closes #9502 - -- [Philip Heiduck brought this change] - - CI: skip make, do make install at once for dependencies - - Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan> - - Closes #9477 - -- formdata: typecast the va_arg return value - - To avoid "enumerated type mixed with another type" warnings - - Follow-up from 0f52dd5fd5aa3592691a - - Closes #9499 - -- RELEASE-PROCEDURE.md: mention patch releases - - - When to make them and how to argue for them - - Refreshed the release date list - - Closes #9495 - -- urldata: use a curl_prot_t type for storing protocol bits - - This internal-use-only storage type can be bumped to a curl_off_t once - we need to use bit 32 as the previous 'unsigned int' can no longer hold - them all then. - - The websocket protocols take bit 30 and 31 so they are the last ones - that fit within 32 bits - but cannot properly be exported through APIs - since those use *signed* 32 bit types (long) in places. - - Closes #9481 - -- [zhanghu on xiaomi brought this change] - - formdata: fix warning: 'CURLformoption' is promoted to 'int' - - curl/lib/formdata.c: In function 'FormAdd': - curl/lib/formdata.c:249:31: warning: 'CURLformoption' is promoted to 'int' when passed through '...' - 249 | option = va_arg(params, CURLformoption); - | ^ - curl/lib/formdata.c:249:31: note: (so you should pass 'int' not 'CURLformoption' to 'va_arg') - curl/lib/formdata.c:249:31: note: if this code is reached, the program will abort - - Closes #9484 - -- CURLOPT_CONNECT_ONLY.3: for ws(s) as well - - and correct the version number for when that support comes. Even if it - is still experimental for WebSocket. - - Closes #9487 - -- tool_operate: avoid a few #ifdefs for disabled-libcurl builds - - By providing empty macros in the header file instead, the code gets - easier to read and yet is disabled on demand. - - Closes #9486 - -- [a1346054 on github brought this change] - - scripts: use `grep -E` instead of `egrep` - - egrep is deprecated - - Closes #9491 - -- [Hayden Roche brought this change] - - wolfSSL: fix session management bug. - - Prior to this commit, non-persistent pointers were being used to store - sessions. When a WOLFSSL object was then freed, that freed the session - it owned, and thus invalidated the pointer held in curl's cache. This - commit makes it so we get a persistent (deep copied) session pointer - that we then add to the cache. Accordingly, wolfssl_session_free, which - was previously a no-op, now needs to actually call SSL_SESSION_free. - - This bug was discovered by a wolfSSL customer. - - Closes #9492 - -- docs: use "WebSocket" in singular - - This is how the RFC calls the protocol. Also rename the file in docs/ to - WEBSOCKET.md in uppercase to match how we have done it for many other - protocol docs in similar fashion. - - Add the WebSocket docs to the tarball. - - Closes #9496 - -Marcel Raad (12 Sep 2022) -- ws: fix build without `USE_WEBSOCKETS` - - The curl.h include is required unconditionally. - -- ws: add missing curl.h include - - A conflict between commits 664249d0952 and e5839f4ee70 broke the build. - -Daniel Stenberg (12 Sep 2022) -- ws: fix an infof() call to use %uz for size_t output - - Detected by Coverity, CID 1514665. - - Closes #9480 - -Marcel Raad (12 Sep 2022) -- curl_setup: include only system.h instead of curl.h - - As done before commit 9506d01ee50. - - Ref: https://github.com/curl/curl/pull/9375#discussion_r957010158 - Closes https://github.com/curl/curl/pull/9453 - -- lib: add missing limits.h includes - - Closes https://github.com/curl/curl/pull/9453 - -- lib and tests: add missing curl.h includes - - Closes https://github.com/curl/curl/pull/9453 - -- curl_setup: include curl.h after platform setup headers - - The platform setup headers might set definitions required for the - includes in curl.h. - - Ref: https://github.com/curl/curl/pull/9375#discussion_r956998269 - Closes https://github.com/curl/curl/pull/9453 - -Daniel Stenberg (12 Sep 2022) -- [Benjamin Loison brought this change] - - docs: correct missing uppercase in Markdown files - - To detect these typos I used: - - ``` - clear && grep -rn '\. [a-z]' . | uniq | grep -v '\. lib' | grep -v '[0-9]\. [a-z]' | grep -v '\.\. [a-z]' | grep -v '\. curl' | grep -v 'e.g. [a-z]' | grep -v 'eg. [a-z]' | grep -v '\etc. [a-z]' | grep -v 'i.e\. [a-z]' | grep --color=always '\. [a-z]' | grep '\.md' - ``` - - Closes #9474 - -- tool_setopt: use better English in --libcurl source comments - - Like this: - - XYZ was set to an object pointer - ABC was set to a function pointer - - Closes #9475 - -- setopt: make protocol2num use a curl_off_t for the protocol bit - - ... since WSS does not fit within 32 bit. - - Bug: https://github.com/curl/curl/pull/9467#issuecomment-1243014887 - Closes #9476 - -- RELEASE-NOTES: synced - -- configure: polish the grep -E message a bit further - - Suggested-by: Emanuele Torre - Closes #9473 - -- GHA: add a gcc-11 -O3 build using OpenSSL - - Since -O3 might trigger other warnings - - Closes #9454 - -- [Patrick Monnerat brought this change] - - content_encoding: use writer struct subclasses for different encodings - - The variable-sized encoding-specific storage of a struct contenc_writer - currently relies on void * alignment that may be insufficient with - regards to the specific storage fields, although having not caused any - problems yet. - - In addition, gcc 11.3 issues a warning on access to fields of partially - allocated structures that can occur when the specific storage size is 0: - - content_encoding.c: In function ‘Curl_build_unencoding_stack’: - content_encoding.c:980:21: warning: array subscript ‘struct contenc_writer[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Warray-bounds] - 980 | writer->handler = handler; - | ~~~~~~~~~~~~~~~~^~~~~~~~~ - In file included from content_encoding.c:49: - memdebug.h:115:29: note: referencing an object of size 16 allocated by ‘curl_dbg_calloc’ - 115 | #define calloc(nbelem,size) curl_dbg_calloc(nbelem, size, __LINE__, __FILE__) - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - content_encoding.c:977:60: note: in expansion of macro ‘calloc’ - 977 | struct contenc_writer *writer = (struct contenc_writer *)calloc(1, sz); - - To solve both these problems, the current commit replaces the - contenc_writer/params structure pairs by "subclasses" of struct - contenc_writer. These are structures that contain a contenc_writer at - offset 0. Proper field alignment is therefore handled by the compiler and - full structure allocation is performed, silencing the warnings. - - Closes #9455 - -- configure: correct the wording when checking grep -E - - The check first checks that grep -E works, and only as a fallback tries - to find and use egrep. egrep is deprecated. - - This change only corrects the output wording, not the checks themselves. - - Closes #9471 - -Viktor Szakats (10 Sep 2022) -- websockets: sync prototypes in docs with implementation [ci skip] - - Docs for the new send/recv functions synced with the committed versions - of these. - - Closes #9470 - -Daniel Stenberg (10 Sep 2022) -- setopt: make protocols2num() work with websockets - - So that CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR can - specify those as well. - - Reported-by: Patrick Monnerat - Bug: https://curl.se/mail/lib-2022-09/0016.html - Closes #9467 - -- curl/websockets.h: remove leftover bad typedef - - Just a leftover trace of a development thing that did not stay like - that. - - Reported-by: Marc Hörsken - Fixes #9465 - Cloes #9466 - -Marcel Raad (10 Sep 2022) -- [Orgad Shaneh brought this change] - - fix Cygwin/MSYS compilation - - _getpid is Windows API. On Cygwin variants it should remain getpid. - - Fixes #8220 - Closes #9255 - -Marc Hoersken (10 Sep 2022) -- GHA: prepare workflow merge by aligning structure again - - Closes #9413 - -Daniel Stenberg (9 Sep 2022) -- docs: the websockets symbols are added in 7.86.0 - - Nothing else - - Closes #9459 - -- tests/libtest/Makefile.inc: fixup merge conflict mistake - -- EXPERIMENTAL.md: add WebSockets - -- appveyor: enable websockets - -- cirrus: enable websockets in the windows builds - -- GHA: add websockets to macos, openssl3 and hyper builds - -- tests: add websockets tests - - - add websockets support to sws - - 2300: first very basic websockets test - - 2301: first libcurl test for ws (not working yet) - - 2302: use the ws callback - - 2303: test refused upgrade - -- curl_ws_meta: initial implementation - -- curl_ws_meta.3: added docs - -- ws: initial websockets support - - Closes #8995 - -- version: add ws + wss - -- libtest/lib1560: test basic websocket URL parsing - -- configure: add --enable-websockets - -- docs/WebSockets.md: docs - -- test415: verify Content-Length parser with control code + negative value - -- strtoofft: after space, there cannot be a control code - - With the change from ISSPACE() to ISBLANK() this function no longer - deals with (ignores) control codes the same way, which could lead to - this function returning unexpected values like in the case of - "Content-Length: \r-12354". - - Follow-up to 6f9fb7ec2d7cb389a0da5 - - Detected by OSS-fuzz - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51140 - Assisted-by: Max Dymond - Closes #9458 - -- headers: reset the requests counter at transfer start - - If not, reusing an easy handle to do a subsequent transfer would - continue the counter from the previous invoke, which then would make use - of the header API difficult/impossible as the request counter - mismatched. - - Add libtest 1947 to verify. - - Reported-by: Andrew Lambert - Fixes #9424 - Closes #9447 - -Jay Satiro (8 Sep 2022) -- header: define public API functions as extern c - - Prior to this change linker errors would occur if curl_easy_header or - curl_easy_nextheader was called from a C++ unit. - - Bug: https://github.com/curl/curl/issues/9424#issuecomment-1238818007 - Reported-by: Andrew Lambert - - Closes https://github.com/curl/curl/pull/9446 - -Daniel Stenberg (8 Sep 2022) -- http2: make nghttp2 less picky about field whitespace - - In nghttp2 1.49.0 it returns error on leading and trailing whitespace in - header fields according to language in the recently shipped RFC 9113. - - nghttp2 1.50.0 introduces an option to switch off this strict check and - this change enables this option by default which should make curl behave - more similar to how it did with nghttp2 1.48.0 and earlier. - - We might want to consider making this an option in the future. - - Closes #9448 - -- RELEASE-NOTES: synced - - And bump to 7.86.0 for the pending next release - -- [Michael Heimpold brought this change] - - ftp: ignore a 550 response to MDTM - - The 550 is overused as a return code for multiple error case, e.g. - file not found and/or insufficient permissions to access the file. - - So we cannot fail hard in this case. - - Adjust test 511 since we now fail later. - Add new test 3027 which check that when MDTM failed, but the file could - actually be retrieved, that in this case no filetime is provided. - - Reported-by: Michael Heimpold - Fixes #9357 - Closes #9387 - -- urlapi: leaner with fewer allocs - - Slightly faster with more robust code. Uses fewer and smaller mallocs. - - - remove two fields from the URL handle struct - - reduce copies and allocs - - use dynbuf buffers more instead of custom malloc + copies - - uses dynbuf to build the host name in reduces serial alloc+free within - the same function. - - move dedotdotify into urlapi.c and make it static, not strdup the input - and optimize it by checking for . and / before using strncmp - - remove a few strlen() calls - - add Curl_dyn_setlen() that can "trim" an existing dynbuf - - Closes #9408 - -Jay Satiro (7 Sep 2022) -- setup-win32: no longer define UNICODE/_UNICODE implicitly - - - If UNICODE or _UNICODE is defined but the other isn't then error - instead of implicitly defining it. - - As Marcel pointed out it is too late at this point to make such a define - because Windows headers may already be included, so likely it never - worked. We never noticed because build systems that can make Windows - Unicode builds always define both. If one is defined but not the other - then something went wrong during the build configuration. - - Bug: https://github.com/curl/curl/pull/9375#discussion_r956545272 - Reported-by: Marcel Raad - - Closes https://github.com/curl/curl/pull/9384 - -Dan Fandrich (6 Sep 2022) -- tests: fix tag syntax errors in test files - -Marc Hoersken (6 Sep 2022) -- lib: add required Win32 setup definitions in setup-win32.h - - Assisted-by: Jay Satiro - Reviewed-by: Marcel Raad - - Follow up to #9312 - Closes #9375 - -Daniel Stenberg (6 Sep 2022) -- pingpong: extend the response reading error with errno - - To help diagnosing the cause of the problem. - - See #9380 - Closes #9443 - -- curl-compilers.m4: use -O2 as default optimize for clang - - Not -Os - - Closes #9444 - -- tool_operate: fix msnprintfing the error message - - Follow-up to 7be53774c41c59b47075fba - - Coverity CID 1513717 pointed out that we cannot use sizeof() on the - error buffer anymore. - - Closes #9440 - -- [Emanuele Torre brought this change] - - curl_ctype: add space around <= operator in ISSPACE macro - - Follow-up to f65f750 - - Closes #9441 - -- CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies - - The 'protocols' listed were previously wrong. - - Reported-by: ProceduralMan on github - Fixes #9434 - Closes #9435 - -- curl_ctype: convert to macros-only - - This no longer provide functions, only macros. Runs faster and produces - smaller output. - - The biggest precaution this change brings: - - DO NOT use post/pre-increments when passing arguments to the macros. - - Closes #9429 - -- misc: ISSPACE() => ISBLANK() - - Instances of ISSPACE() use that should rather use ISBLANK(). I think - somewhat carelessly used because it sounds as if it checks for space or - whitespace, but also includes %0a to %0d. - - For parsing purposes, we should only accept what we must and not be - overly liberal. It leads to surprises and surprises lead to bad things. - - Closes #9432 - -- ctype: remove all use of <ctype.h>, use our own versions - - Except in the test servers. - - Closes #9433 - -Marc Hoersken (5 Sep 2022) -- cmake: skip superfluous hex2dec conversion using math expr - - CMake seems to be able to compare two hex values just fine. - Also make sure CURL_TARGET_WINDOWS_VERSION is respected. - - Assisted-by: Marcel Raad - Reviewed-by: Viktor Szakats - Reported-by: Keitagit-kun on github - - Follow up to #9312 - Fixes #9406 - Closes #9411 - -Daniel Stenberg (5 Sep 2022) -- curl_easy_pause.3: unpausing is as fast as possible - - Reported-by: ssdbest on github - Fixes #9410 - Closes #9430 - -- CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols - - Except file. - - Reported-by: ProceduralMan on github - Fixes #9427 - Closes #9428 - -- NPN: remove support for and use of - - Next Protocol Negotiation is a TLS extension that was created and used - for agreeing to use the SPDY protocol (the precursor to HTTP/2) for - HTTPS. In the early days of HTTP/2, before the spec was finalized and - shipped, the protocol could be enabled using this extension with some - servers. - - curl supports the NPN extension with some TLS backends since then, with - a command line option `--npn` and in libcurl with - `CURLOPT_SSL_ENABLE_NPN`. - - HTTP/2 proper is made to use the ALPN (Application-Layer Protocol - Negotiation) extension and the NPN extension has no purposes - anymore. The HTTP/2 spec was published in May 2015. - - Today, use of NPN in the wild should be extremely rare and most likely - totally extinct. Chrome removed NPN support in Chrome 51, shipped in - June 2016. Removed in Firefox 53, April 2017. - - Closes #9307 - -- RELEASE-NOTES: synced - - and bump the tentative next release version to 7.85.1 - -- [Samuel Henrique brought this change] - - configure: fail if '--without-ssl' + explicit parameter for an ssl lib - - A side effect of a previous change to configure (576e507c78bdd2ec88) - exposed a non-critical issue that can happen if configure is called with - both '--without-ssl' and some parameter setting the use of a ssl library - (e.g. --with-gnutls). The configure script would end up assuming this is - a MultiSSL build, due to the way the case statement is written. - - I have changed the order of the variables in the string concatenation - for the case statement and also tweaked the options so that - --without-ssl never turns the build into a MultiSSL one and also clearly - stating that there are conflicting parameters if the user sets it like - described above. - - Closes #9414 - -- tests/certs/scripts: insert standard curl source headers - - ... including the SPDX-License-Identifier. - - These omissions were not detected by the RUEUSE CI job nor the copyright.pl - scanners because we have a general wildcard in .reuse/dep5 for - "tests/certs/*". - - Reported-by: Samuel Henrique - Fixes #9417 - Closes #9420 - -- [Samuel Henrique brought this change] - - docs: remove mentions of deprecated '--without-openssl' config parameter - - Closes #9415 - -- [Samuel Henrique brought this change] - - manpages: Fix spelling of "allows to" -> "allows one to" - - References: - https://salsa.debian.org/lintian/lintian/-/blob/master/tags/t/typo-in-manual-page.tag - https://english.stackexchange.com/questions/60271/grammatical-complements-for-allow/60285#60285 - - Closes #9419 - -- [Samuel Henrique brought this change] - - CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes - - Lintian (on Debian) has been complaining about this for a while but - I didn't bother initially as the groff parser that we use is not - affected by this. - - But I have now noticed that the online manpage is affected by it: - https://curl.se/libcurl/c/CURLOPT_WILDCARDMATCH.html - - (I'm using double quotes for quoting-only down below) - - The section that should be parsed as "'\'" ends up being parsed as - "'´". - - This is due to roffit not parsing "'\\'" correctly, which is fine - as the "correct" way of writing "'\'" is "'\e'" instead. - - Note that this fix is not enough to fix the online manpage at - curl's website, as roffit seems to parse it wrongly either way. - - My intent is to at least fix the manpage so that roffit can - be changed to parse "'\e'" correctly (although I suggest making - roffit parse both ways correctly, since that's what groff does). - - More details at: - https://bugs.debian.org/966803 - https://salsa.debian.org/lintian/lintian/-/blob/930b18e4b28b7540253f458ef42a884cca7965c3/tags/a/acute-accent-in-manual-page.tag - - Closes #9418 - -- tool_operate: reduce errorbuffer allocs - - - parallel transfers: only alloc and keep errorbuffers in memory for - actual "live" transfers and not for the ones in the pending queue - - - serial transfers: reuse the same fixed buffer for all transfers, not - allocated at all. - - Closes #9394 - -Viktor Szakats (31 Aug 2022) -- misc: spelling fixes - - Found using codespell 2.2.1. - - Also delete the redundant protocol designator from an archive.org URL. - - Reviewed-by: Daniel Stenberg - Closes #9403 - -Daniel Stenberg (31 Aug 2022) -- tool_progress: remove 'Qd' from the parallel progress bar - - The "queued" value is no longer showing anything useful to the user. It - is an internal number of transfers waiting at that moment. - - Closes #9389 - -- tool_operate: prevent over-queuing in parallel mode - - When doing a huge amount of parallel transfers, we must not add them to - the per_transfer list frivolously since they all use memory after all. - This was previous done without really considering millions or billions - of transfers. Massive parallelism would use a lot of memory for no good - purpose. - - The queue is now limited to twice the paralleism number. - - This makes the 'Qd' value in the parallel progress meter mostly useless - for users, but works for now for us as a debug display. - - Reported-by: justchen1369 on github - Fixes #8933 - Closes #9389 - -Viktor Szakats (31 Aug 2022) -- cmake: fix original MinGW builds - - 1. Re-enable `HAVE_GETADDRINFO` detection on Windows - - Commit d08ee3c83d6bd416aef62ff844c98e47c4682429 (in 2013) added logic - that automatically assumed `getaddrinfo()` to be present for builds - with IPv6 enabled. As it turns out, certain toolchains (e.g. original - MinGW) by default target older Windows versions, and thus do not - support `getaddrinfo()` out of the box. The issue was masked for - a while by CMake builds forcing a newer Windows version, but that - logic got deleted in commit 8ba22ffb2030ed91312fc8634e29516cdf0a9761. - Since then, some CI builds started failing due to IPv6 enabled, - `HAVE_GETADDRINFO` set, but `getaddrinfo()` in fact missing. - - It also turns out that IPv6 works without `getaddrinfo()` since commit - 67a08dca27a6a07b36c7f97252e284ca957ff1a5 (from 2019, via #4662). So, - to resolve all this, we can now revert the initial commit, thus - restoring `getaddrinfo()` detection and support IPv6 regardless of its - outcome. - - Reported-by: Daniel Stenberg - - 2. Omit `bcrypt` with original MinGW - - Original (aka legacy/old) MinGW versions do not support `bcrypt` - (introduced with Vista). We already have logic to handle that in - `lib/rand.c` and autotools builds, where we do not call the - unsupported API and do not link `bcrypt`, respectively, when using - original MinGW. - - This patch ports that logic to CMake, fixing the link error: - `c:/mingw/bin/../lib/gcc/mingw32/9.2.0/../../../../mingw32/bin/ld.exe: cannot find -lbcrypt` - - Ref: https://ci.appveyor.com/project/curlorg/curl/builds/44624888/job/40vle84cn4vle7s0#L508 - Regression since 76172511e7adcf720f4c77bd91f49278300ec97e - - Fixes #9214 - Fixes #9393 - Fixes #9395 - Closes #9396 - -Version 7.85.0 (31 Aug 2022) - -Daniel Stenberg (31 Aug 2022) -- RELEASE-NOTES: synced - - curl 7.85.0 release - -- THANKS: add contributors from the 7.85.0 release - -- getparam: correctly clean args - - Follow-up to bf7e887b2442783ab52 - - The previous fix for #9128 was incomplete and caused #9397. - - Fixes #9397 - Closes #9399 - -- zuul: remove the clang-tidy job - - Turns out we don't see the warnings, but the warnings right now are - plain ridiculous and unhelpful so we can just as well just kill this - job. - - Closes #9390 - -- cmake: set feature PSL if present - - ... make test 1014 pass when libpsl is used. - - Closes #9391 - -- lib530: simplify realloc failure exit path - - To make code analyzers happier - - Closes #9392 - -- [Orgad Shaneh brought this change] - - tests: add tests for netrc login/password combinations - - Covers the following PRs: - - - #9066 - - #9247 - - #9248 - - Closes #9256 - -- [Orgad Shaneh brought this change] - - url: really use the user provided in the url when netrc entry exists - - If the user is specified as part of the URL, and the same user exists - in .netrc, Authorization header was not sent at all. - - The user and password fields were assigned in conn->user and password - but the user was not assigned to data->state.aptr, which is the field - that is used in output_auth_headers and friends. - - Fix by assigning the user also to aptr. - - Amends commit d1237ac906ae7e3cd7a22c3a2d3a135a97edfbf5. - - Fixes #9243 - -- [Orgad Shaneh brought this change] - - netrc: Use the password from lines without login - - If netrc entry has password with empty login, use it for any username. - - Example: - .netrc: - machine example.com password 123456 - - curl -vn http://user@example.com/ - - Fix it by initializing state_our_login to TRUE, and reset it only when - finding an entry with the same host and different login. - - Closes #9248 - -- [Jay Satiro brought this change] - - url: treat missing usernames in netrc as empty - - - If, after parsing netrc, there is a password with no username then - set a blank username. - - This used to be the case prior to 7d600ad (precedes 7.82). Note - parseurlandfillconn already does the same thing for URLs. - - Reported-by: Raivis <standsed@users.noreply.github.com> - Testing-by: Domen Kožar - - Fixes https://github.com/curl/curl/issues/8653 - Closes #9334 - Closes #9066 - -- test8: verify that "ctrl-byte cookies" are ignored - -- cookie: reject cookies with "control bytes" - - Rejects 0x01 - 0x1f (except 0x09) plus 0x7f - - Reported-by: Axel Chong - - Bug: https://curl.se/docs/CVE-2022-35252.html - - CVE-2022-35252 - - Closes #9381 - -- libssh: ignore deprecation warnings - - libssh 0.10.0 marks all SCP functions as "deprecated" which causes - compiler warnings and errors in our CI jobs and elsewhere. Ignore - deprecation warnings if 0.10.0 or later is found in the build. - - If they actually remove the functions at a later point, then someone can - deal with that pain and functionality break then. - - Fixes #9382 - Closes #9383 - -- Revert "schannel: when importing PFX, disable key persistence" - - This reverts commit 70d010d285315e5f1cad6bdb4953e167b069b692. - - Due to further reports in #9300 that indicate this commit might - introduce problems. - -- multi: use larger dns hash table for multi interface - - Have curl_multi_init() use a much larger DNS hash table than used for - the easy interface to scale and perform better when used with _many_ - host names. - - curl_share_init() sets an in-between size. - - Inspired-by: Ivan Tsybulin - See #9340 - Closes #9376 - -Marc Hoersken (28 Aug 2022) -- CI/runtests.pl: add param for dedicated curl to talk to APIs - - This should make it possible to also report test failures - if our freshly build curl binary is not fully functional. - - Reviewed-by: Daniel Stenberg - Closes #9360 - -Daniel Stenberg (27 Aug 2022) -- [Jacob Tolar brought this change] - - openssl: add cert path in error message - - Closes #9349 - -- [Jacob Tolar brought this change] - - cert.d: clarify that escape character works for file paths - - Closes #9349 - -- gha: move over ngtcp2-gnutls CI job from zuul - - Closes #9331 - -Marc Hoersken (26 Aug 2022) -- cmake: add detection of threadsafe feature - - Avoids failing test 1014 by replicating configure checks - for HAVE_ATOMIC and _WIN32_WINNT with custom CMake tests. - - Reviewed-by: Marcel Raad - - Follow up to #8680 - Closes #9312 - -Daniel Stenberg (26 Aug 2022) -- RELEASE-NOTES: synced - -Marc Hoersken (26 Aug 2022) -- CI/azure: align torture shallowness with GHA - - There 25 is used with FTP tests skipped, and 20 for FTP tests. - This should make torture tests stay within the 60min timeout. - - Reviewed-by: Daniel Stenberg - Closes #9371 - -- multi_wait: fix and improve Curl_poll error handling on Windows - - First check for errors and return CURLM_UNRECOVERABLE_POLL - before moving forward and waiting on socket readiness events. - - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad - - Reported-by: Daniel Stenberg - Ref: #9361 - - Follow up to #8961 - Closes #9372 - -- multi_wait: fix skipping to populate revents for extra_fds - - On Windows revents was not populated for extra_fds if - multi_wait had to wait due to the Curl_poll pre-check - not signalling any readiness. This commit fixes that. - - Reviewed-by: Marcel Raad - Reviewed-by: Jay Satiro - - Closes #9361 - -- CI/appveyor: disable TLS in msys2-native autotools builds - - Schannel cannot be used from msys2-native Linux-emulated builds. - - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg - - Follow up to #9367 - Closes #9370 - -Jay Satiro (25 Aug 2022) -- tests: fix http2 tests to use CRLF headers - - Prior to this change some tests that rely on nghttpx proxy did not use - CRLF headers everywhere. A recent change in nghttp2, which updated its - version of llhttp (HTTP parser), requires curl's HTTP/1.1 test server to - use CRLF headers. - - Ref: https://github.com/nghttp2/nghttp2/commit/9d389e8 - - Fixes https://github.com/curl/curl/issues/9364 - Closes https://github.com/curl/curl/pull/9365 - -Daniel Stenberg (25 Aug 2022) -- [rcombs brought this change] - - multi: use a pipe instead of a socketpair on apple platforms - - Sockets may be shut down by the kernel when the app is moved to the - background, but pipes are not. - - Removed from KNOWN_BUGS - - Fixes #6132 - Closes #9368 - -- [Somnath Kundu brought this change] - - libssh2: provide symlink name in SFTP dir listing - - When reading the symbolic link name for a file, we need to add the file - name to base path name. - - Closes #9369 - -- configure: if asked to use TLS, fail if no TLS lib was detected - - Previously the configure script would just warn about this fact and - continue with TLS disabled build which is not always helpful. TLS should - be explicitly disabled if that is what the user wants. - - Closes #9367 - -- [Dustin Howett brought this change] - - schannel: when importing PFX, disable key persistence - - By default, the PFXImportCertStore API persists the key in the user's - key store (as though the certificate was being imported for permanent, - ongoing use.) - - The documentation specifies that keys that are not to be persisted - should be imported with the flag `PKCS12_NO_PERSIST_KEY`. - NOTE: this flag is only supported on versions of Windows newer than XP - and Server 2003. - - Fixes #9300 - Closes #9363 - -- unit1303: four tests should have TRUE for 'connecting' - - To match the comments. - - Reported-by: Wu Zheng - - See #9355 - Closes #9356 - -- CURLOPT_BUFFERSIZE.3: add upload buffersize to see also - - Closes #9354 - -- [Fabian Fischer brought this change] - - HTTP3.md: add missing autoreconf command for building with wolfssl - - Closes #9353 - -- RELEASE-NOTES: synced - -- multi: have curl_multi_remove_handle close CONNECT_ONLY transfer - - Ẃhen it has been used in the multi interface, it is otherwise left in - the connection cache, can't be reused and nothing will close them since - the easy handle loses the association with the multi handle and thus the - connection cache - until the multi handle is closed or it gets pruned - because the cache is full. - - Reported-by: Dominik Thalhammer - Fixes #9335 - Closes #9342 - -- docs/cmdline-opts: remove \& escapes from all .d files - - gen.pl escapes them itself now - -- docs/cmdline-opts/gen.pl: encode leading single and double quotes - - As "(aq" and "(dq" to prevent them from implying a meaning in the nroff - output. This removes the need for using \& escapes in the .d files' - description parts. - - Closes #9352 - -Marc Hoersken (23 Aug 2022) -- tests/server/sockfilt.c: avoid race condition without a mutex - - Avoid loosing any triggered handles by first aborting and joining - the waiting threads before evaluating the individual signal state. - - This removes the race condition and therefore need for a mutex. - - Closes #9023 - -Daniel Stenberg (22 Aug 2022) -- [Emil Engler brought this change] - - url: output the maximum when rejecting a url - - This commit changes the failf message to output the maximum length, when - curl refuses to process a URL because it is too long. - - See: #9317 - Closes: #9327 - -- [Chris Paulson-Ellis brought this change] - - configure: fix broken m4 syntax in TLS options - - Commit b589696f added lines to some shell within AC_ARG_WITH macros, but - inadvertently failed to move the final closing ). - - Quote the script section using braces. - - So, if these problems have been around for a while, how did I find them? - Only because I did a configure including these options: - - $ ./configure --with-openssl --without-rustls - SSL: enabled (OpenSSL) - - Closes #9344 - -- tests/data/CMakeLists: remove making the 'show' makefile target - - It is not used by runtests since 3c0f462 - - Closes #9333 - -- tests/data/Makefile: remove 'filecheck' target - - No practical use anymore since 3c0f4622cdfd6 - - Closes #9332 - -- libssh2: make atime/mtime date overflow return error - - Closes #9328 - -- libssh: make atime/mtime date overflow return error - - Closes #9328 - -- examples/curlx.c: remove - - This example is a bit convoluted to use as an example, combined with the - special license for it makes it unsuitable. - - Closes #9330 - -- [Tobias Nygren brought this change] - - curl.h: include <sys/select.h> on SunOS - - It is needed for fd_set to be visible to downstream consumers that use - <curl/multi.h>. Header is known to exist at least as far back as Solaris - 2.6. - - Closes #9329 - -- DEPRECATE.md: push the NSS deprecation date forward one year to 2023 - - URL: https://curl.se/mail/lib-2022-08/0016.html - -- libssh2: setting atime or mtime >32bit on 4-bytes-long systems - - Since the libssh2 API uses 'long' to store the timestamp, it cannot - transfer >32bit times on Windows and 32bit architecture builds. - - Avoid nasty surprises by instead not setting such time. - - Spotted by Coverity - - Closes #9325 - -- libssh: setting atime or mtime > 32bit is now just skipped - - The libssh API used caps the time to an unsigned 32bit variable. Avoid - nasty surprises by instead not setting such time. - - Spotted by Coverity. - - Closes #9324 - -Jay Satiro (16 Aug 2022) -- KNOWN_BUGS: Windows Unicode builds use homedir in current locale - - Bug: https://github.com/curl/curl/pull/7252 - Reported-by: dEajL3kA@users.noreply.github.com - - Ref: https://github.com/curl/curl/pull/7281 - - Closes https://github.com/curl/curl/pull/9305 - -Daniel Stenberg (16 Aug 2022) -- test399: switch it to use a config file instead - - ... as using a 65535 bytes host name in a URL does not fit on the - command line on some systems - like Windows. - - Reported-by: Marcel Raad - Fixes #9321 - Closes #9322 - -- RELEASE-NOTES: synced - -- asyn-ares: make a single alloc out of hostname + async data - - This saves one alloc per name resolve and simplifies the exit path. - - Closes #9310 - -- Curl_close: call Curl_resolver_cancel to avoid memory-leak - - There might be a pending (c-ares) resolve that isn't free'd up yet. - - Closes #9310 - -- asyn-thread: fix socket leak on OOM - - Closes #9310 - -- GHA: mv CI torture test from Zuul - - Closes #9310 - -- ngtcp2-wolfssl.yml: add GHA to build ngtcp2 + wolfSSL - - Closes #9318 - -- test399: verify check of too long host name - -- url: reject URLs with hostnames longer than 65535 bytes - - It *probably* causes other problems too since DNS can't resolve such - long names, but the SNI field in TLS is limited to 16 bits length. - - Closes #9317 - -- curl_multi_perform.3: minor language fix - - Closes #9316 - -- ngtcp2: fix picky compiler warnings with wolfSSL for QUIC - - Follow-up to 8a13be227eede2 - - Closes #9315 - -- ngtcp2: remove leftover variable - - Mistake leftover from my edit before push. - - Follow-up from 8a13be227eede2601c2b3b - Reported-by: Viktor Szakats - Bug: https://github.com/curl/curl/pull/9290#issuecomment-1214569167 - -Viktor Szakats (15 Aug 2022) -- Makefile.m32: allow -nghttp3/-ngtcp2 without -ssl [ci skip] - - Before this patch `-nghttp3`/`-ngtcp2` had an effect only when `-ssl` - was also enabled. `-ssl` meaning OpenSSL (and its forks). After - 8a13be227eede2601c2b3b1c63e08b3dc9b35dd5 nghttp3/ngtcp2 can also be - used together with wolfSSL. This patch adds the ability to enable - `-nghttp3`/`-ngtcp2` independently from `-ssl` (OpenSSL), allowing to - use it with wolfSSL or other, future TLS backends. - - Before this patch, it was fine to enable `-nghttp3`/`-ngtcp2` - unconditionally. After this patch, this is no longer the case, and now - it's the user's responsibility to enable `-nghttp3`/`-ngtcp2` only - together with a compatible TLS backend. - - When using a TLS backend other than OpenSSL, the TLS-specific ngtcp2 - library must be configured manually, e.g.: - `export CURL_LDFLAG_EXTRAS=-lngtcp2_crypto_wolfssl` - - (or via `NGTCP2_LIBS`) - - Closes #9314 - -Daniel Stenberg (15 Aug 2022) -- [Stefan Eissing brought this change] - - quic: add support via wolfSSL - - - based on ngtcp2 PR https://github.com/ngtcp2/ngtcp2/pull/505 - - configure adapted to build against ngtcp2 wolfssl crypto lib - - quic code added for creation of WOLFSSL* instances - - Closes #9290 - -Marcel Raad (14 Aug 2022) -- [David Carlier brought this change] - - memdebug: add annotation attributes - - memory debug tracking annotates whether the returned pointer does not - `alias`, hints where the size required is, for Windows to be better - debugged via Visual Studio. - - Closes https://github.com/curl/curl/pull/9306 - -Daniel Stenberg (14 Aug 2022) -- GHA: move libressl CI from zuul to GitHub - - Closes #9309 - -- KNOWN_BUGS: FTPS directory listing hangs on Windows with Schannel - - Closes #9161 - -- KNOWN_BUGS: CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel - - Closes #8741 - -- KNOWN_BUGS: libssh blocking and infinite loop problem - - Closes #8632 - -- RELEASE-NOTES: synced - -- msh3: fix the QUIC disconnect function - - And free request related memory better in 'done'. Fixes a memory-leak. - - Reported-by: Gisle Vanem - Fixes #8915 - Closes #9304 - -- connect: close the happy eyeballs loser connection when using QUIC - - Reviewed-by: Nick Banks - - Closes #9303 - -- [Emil Engler brought this change] - - refactor: split resolve_server() into functions - - This commit splits the branch-heavy resolve_server() function into - various sub-functions, in order to reduce the amount of nested - if/else-statements. - - Beside this, it also removes many else-sequences, by returning in the - previous if-statement. - - Closes #9283 - -- schannel: re-indent to use curl style better - - Only white space changes - - Closes #9301 - -- [Emanuele Torre brought this change] - - docs/cmdline-opts: fix example and categories for --form-escape - - The example was missing a "--form" argument - I also replaced "--form" with "-F" to shorten the line a bit since it - was already very long. - - And I also moved --form-escape from the "post" category to the "upload" - category (this is what I originally wanted to fix, before also noticing - the mistake in the example). - - Closes #9298 - -- [Nick Banks brought this change] - - HTTP3.md: update to msh3 v0.4.0 - - Closes #9297 - -- hostip: resolve *.localhost to 127.0.0.1/::1 - - Following the footsteps of other clients like Firefox/Chrome. RFC 6761 - says clients SHOULD do this. - - Add test 389 to verify. - - Reported-by: TheKnarf on github - Fixes #9192 - Closes #9296 - -Jay Satiro (11 Aug 2022) -- KNOWN_BUGS: long paths are not fully supported on Windows - - Bug: https://github.com/curl/curl/issues/8361 - Reported-by: Gisle Vanem - - Closes https://github.com/curl/curl/pull/9288 - -Daniel Stenberg (11 Aug 2022) -- config: remove the check for and use of SIZEOF_SHORT - - shorts are 2 bytes on all platforms curl runs and have ever run on. - - Closes #9291 - -- configure: introduce CURL_SIZEOF - - This is a rewrite of the previously used GPLv3+exception licensed - file. With this change, there is no more reference to GPL so we can - remove that from LICENSES/. - - Ref: #9220 - Closes #9291 - -- [Sean McArthur brought this change] - - hyper: customize test1274 to how hyper unfolds headers - - Closes #9217 - -- [Orgad Shaneh brought this change] - - curl-config: quote directories with potential space - - On Windows (at least with CMake), the default prefix is - C:/Program Files (x86)/CURL. - - Closes #9253 - -- [Oliver Roberts brought this change] - - amigaos: fix threaded resolver on AmigaOS 4.x - - Replace ip4 resolution function on AmigaOS 4.x, as it requires runtime - feature detection and extra code to make it thread safe. - - Closes #9265 - -- [Emil Engler brought this change] - - imap: use ISALNUM() for alphanumeric checks - - This commit replaces a self-made character check for alphanumeric - characters within imap_is_bchar() with the ISALNUM() macro, as it is - reduces the size of the code and makes the performance better, due to - ASCII arithmetic. - - Closes #9289 - -- RELEASE-NOTES: synced - -- [Cering on github brought this change] - - connect: add quic connection information - - Fixes #9286 - Closes #9287 - -- [Philip Heiduck brought this change] - - cirrus/freebsd-ci: bootstrap the pip installer - - Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - - Closes #9213 - -- urldata: move smaller fields down in connectdata struct - - By (almost) sorting the struct fields in connectdata in a decending size - order, having the single char ones last, we reduce the number of holes - in the struct and thus the amount of storage needed. - - Closes #9280 - -- ldap: adapt to conn->port now being an 'int' - - Remove typecasts. Fix printf() formats. - - Follow-up from 764c6bd3bf. - Pointed out by Coverity CID 1507858. - - Closes #9281 - -- KNOWN_BUGS: Negotiate authentication against Hadoop HDFS - - Closes #8264 - -- [Oliver Roberts brought this change] - - file: add handling of native AmigaOS paths - - On AmigaOS 4.x, handle native absolute paths, whilst blocking relative - paths. Also allow unix style paths if feature enabled at link time. - - Inspiration-from: Michael Trebilcock - - Closes #9259 - -- KNOWN_BUGS: cmake build is not thread-safe - - The cmake build does not check for and verify presence of a working - Atomic type, which then makes curl_global_init() to not build - thread-safe on non-Windows platforms. - - Closes https://github.com/curl/curl/issues/8973 - Closes https://github.com/curl/curl/pull/8982 - -- [Oliver Roberts brought this change] - - configure: fixup bsdsocket detection code for AmigaOS 4.x - - The code that detects bsdsocket.library for AmigaOS did not work - for AmigaOS 4.x. This has been fixed and also cleaned up a little - to reduce duplication. Wasn't technically necessary before, but is - required when building with AmiSSL instead of OpenSSL. - - Closes #9268 - -- [Oliver Roberts brought this change] - - tool: reintroduce set file comment code for AmigaOS - - Amiga specific code which put the URL in the file comment was perhaps - accidentally removed in b88940850002a3f1c25bc6488b95ad30eb80d696 having - originally been added in 5c215bdbdfde8b2350cdcbac82aae0c914da5314. - Reworked to fit the code changes and added it back in. - - Reported-by: Michael Trebilcock - Originally-added-by: Chris Young - - Closes #9258 - -- urldata: make 'negnpn' use less storage - - The connectdata struct field 'negnpn' never holds a value larger than - 30, so an unsigned char saves 3 bytes struct space. - - Closes #9279 - -- urldata: make three *_proto struct fields smaller - - Use 'unsigned char' for storage instead of the enum, for three GSSAPI - related fields in the connectdata struct. - - Closes #9278 - -- connect: set socktype/protocol correctly - - So that an address used from the DNS cache that was previously used for - QUIC can be reused for TCP and vice versa. - - To make this possible, set conn->transport to "unix" for unix domain - connections ... and store the transport struct field in an unsigned char - to use less space. - - Reported-by: ウさん - Fixes #9274 - Closes #9276 - -- [Oliver Roberts brought this change] - - amissl: allow AmiSSL to be used with AmigaOS 4.x builds - - Enable AmiSSL to be used instead of static OpenSSL link libraries. - for AmigaOS 4.x, as it already is in the AmigaOS 3.x build. - - Closes #9269 - -- [opensignature on github brought this change] - - openssl: add details to "unable to set client certificate" error - - from: "curl: (58) unable to set client certificate" - - to: curl: (58) unable to set client certificate [error:0A00018F:SSL - routines::ee key too small] - - Closes #9228 - -- [Oliver Roberts brought this change] - - amissl: make AmiSSL v5 a minimum requirement - - AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0. - Support for previous OpenSSL 1.1.x versions has been dropped, so - makes sense to enforce v5 as the minimum requirement. This also - allows all the AmiSSL stub workarounds to be removed as they are - now provided in a link library in the AmiSSL SDK. - - Closes #9267 - -- [Oliver Roberts brought this change] - - configure: -pthread not available on AmigaOS 4.x - - The most recent GCC builds for AmigaOS 4.x do not allow -pthread and - exit with an error. Instead, need to explictly specify -lpthread. - - Closes #9266 - -- digest: pass over leading spaces in qop values - - When parsing the "qop=" parameter of the digest authentication, and the - value is provided within quotes, the list of values can have leading - white space which the parser previously did not handle correctly. - - Add test case 388 to verify. - - Reported-by: vlubart on github - Fixes #9264 - Closes #9270 - -- [Evgeny Grin (Karlson2k) brought this change] - - digest: reject broken header with session protocol but without qop - - Closes #9077 - -- CURLINFO_SPEED_UPLOAD/DOWNLOAD.3: fix examples - - Reported-by: jvvprasad78 on github - Assisted-by: Jay Satiro - Fixes #9239 - Closes #9241 - -- [Fabian Keil brought this change] - - test44[2-4]: add '--resolve' to the keywords - - ... so the tests can be automatically skipped when - using an external proxy like Privoxy. - - Closes #9250 - -- RELEASE-NOTES: synced - -- CURLOPT_CONNECT_ONLY.3: clarify multi API use - - Reported-by: Maxim Ivanov - Fixes #9244 - Closes #9262 - -- [Andrew Lambert brought this change] - - curl_easy_header: Add CURLH_PSEUDO to sanity check - - Fixes #9235 - Closes #9236 - -- [Emil Engler brought this change] - - docs: add dns category to --resolve - - This commit adds the dns category to the --resolve command line option, - because it can be interpreted as both: a low-level connection option and - an option related to the resolving of a hostname. - - It is also not common for dns options to belong to the connection - category and vice versa. --ipv4 and --ipv6 are both good examples. - - Closes #9229 - -Jay Satiro (2 Aug 2022) -- [Wyatt O'Day brought this change] - - schannel: Add TLS 1.3 support - - - Support TLS 1.3 as the default max TLS version for Windows Server 2022 - and Windows 11. - - - Support specifying TLS 1.3 ciphers via existing option - CURLOPT_TLS13_CIPHERS (tool: --tls13-ciphers). - - Closes https://github.com/curl/curl/pull/8419 - -Daniel Stenberg (2 Aug 2022) -- [Emil Engler brought this change] - - cmdline-opts/gen.pl: improve performance - - On some systems, the gen.pl script takes nearly two minutes for the - generation of the main-page, which is a completely unacceptable time. - - The slow performance has two causes: - 1. Use of a regex locale operator - 2. Useless invokations of loops - - The commit addresses the first issue by replacing the "\W" wiht - [^a-zA-Z0-9_], which is, according to regex101.com, functionally - equivalent to the previous operation, except that it is obviously - limited to ASCII only, which is fine, as the curl project is - English-only anyway. - - The second issue is being addressed by only running the loop if the line - contains a "--" in it. The loop may be completeley removed in the - future. - - Co-authored-by: Emanuele Torre <torreemanuele6@gmail.com> - - See #8299 - Fixes #9230 - Closes #9232 - -- docs/cmdline: mark fail and fail-with-body as mutually exclusive - - Reported-by: Andreas Sommer - Fixes #9221 - Closes #9222 - -- [Nao Yonashiro brought this change] - - quiche: fix build failure - - Reviewed-by: Alessandro Ghedini - Closes #9223 - -Viktor Szakats (2 Aug 2022) -- configure.ac: drop references to deleted functions - - follow-up from 4d73854462f30948acab12984b611e9e33ee41e6 - - Reported-by: Oliver Roberts - Fixes #9238 - Closes #9240 - -Daniel Stenberg (28 Jul 2022) -- [Sean McArthur brought this change] - - hyper: enable obs-folded multiline headers - - Closes #9216 - -- connect: revert the use of IP*_RECVERR - - The options were added in #6341 and d13179d, but cause problems: Lots of - POLLIN event occurs but recvfrom read nothing. - - Reported-by: Tatsuhiro Tsujikawa - Fixes #9209 - Closes #9215 - -- [Marco Kamner brought this change] - - docs: remove him/her/he/she from documentation - - Closes #9208 - -- RELEASE-NOTES: synced - -- tool_getparam: make --doh-url "" switch it off - - A possible future addition could be to parse the URL first too to verify - that it is valid before trying to use it. - - Assisted-by: Jay Satiro - Closes #9207 - -- mailmap: add rzrymiak on github - -Jay Satiro (26 Jul 2022) -- ngtcp2: Fix build error due to change in nghttp3 prototypes - - ngtcp2/nghttp3@4a066b2 changed nghttp3_conn_block_stream and - nghttp3_conn_shutdown_stream_write return from int to void. - - Reported-by: jurisuk@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/9204 - Closes https://github.com/curl/curl/pull/9200 - -Daniel Stenberg (26 Jul 2022) -- [rzrymiak on github brought this change] - - BUGS.md: improve language - - Closes #9205 - -- [Philip Heiduck brought this change] - - cirrus.yml: replace py38-pip with py39-pip - - Reported-by: Jay Satiro - Fixes #9201 - Closes #9202 - -- tool_getparam: fix cleanarg() for unicode builds - - Use the correct type, and make cleanarg an empty macro if the cleaning - ability is absent. - - Fixes #9195 - Closes #9196 - - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad - -Marc Hoersken (25 Jul 2022) -- test3026: add support for Windows using native Win32 threads - - Reviewed-by: Viktor Szakats - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg - - Follow up to 7ade9c50b35d95d47a43880c3097bebab7a7e690 - Closes #9012 - -Jay Satiro (25 Jul 2022) -- [Evgeny Grin (Karlson2k) brought this change] - - digest: fix memory leak, fix not quoted 'opaque' - - Fix leak regression introduced by 3a6fe0c. - - Closes https://github.com/curl/curl/pull/9199 - -Daniel Stenberg (23 Jul 2022) -- tests: several enumerated type cleanups - - To please icc - - Closes #9179 - -- tool_paramhlp: fix "enumerated type mixed with another type" - - Warning by icc - - Closes #9179 - -- tool_writeout: fix enumerated type mixed with another type - - Closes #9179 - -- tool_cfgable: make 'synthetic_error' a plain bool - - The specific reason was not used. - - Closes #9179 - -- tool_paramhlp: make check_protocol return ParameterError - - "enumerated type mixed with another type" - - Closes #9179 - -- tool_formparse: fix variable may be used before its value is set - - Warning by icc - - Closes #9179 - -- sendf: skip storing HTTP headers if HTTP disabled - - Closes #9179 - -- url: enumerated type mixed with another type - - Follow-up to 1c58e7ae99ce2030213f28b - - Closes #9179 - -- urldata: change second proxytype field to unsigned char to match - - To avoid "enumerated type mixed with another type" - - Closes #9179 - -- http: typecast the httpreq assignment to avoid icc compiler warning - - error #188: enumerated type mixed with another type - - Closes #9179 - -- urldata: make state.httpreq an unsigned char - - To match set.method used for the same purpose. - - Closes #9179 - -- splay: avoid using -1 in unsigned variable - - To fix icc compiler warning integer conversion resulted in a change of sign - - Closes #9179 - -- sendf: store the header type in an usigned char to avoid icc warnings - - Closes #9179 - -- multi: fix the return code from Curl_pgrsDone() - - It does not return a CURLcode. Detected by the icc compiler warning - "enumerated type mixed with another type" - - Closes #9179 - -- sendf: make Curl_debug a void function - - As virtually no called checked the return code, and those that did - wrongly treated it as a CURLcode. Detected by the icc compiler warning: - enumerated type mixed with another type - - Closes #9179 - -- http_chunks: remove an assign + typecast - - As it caused icc to complain: "pointer cast involving 64-bit pointed-to - type" - - Closes #9179 - -- vtls: make Curl_ssl_backend() return the enum type curl_sslbackend - - To fix the icc warning enumerated type mixed with another type - - Closes #9179 - -- curl-compilers.m4: make icc use -diag* options and disable two warnings - - -wd and -we are deprecated and are now -diag-disable and -diag-error - - Disable warning 1024 and 2259 - - Closes #9179 - -- [Matthew Thompson brought this change] - - GHA: add two Intel compiler CI jobs - - Closes #9179 - -- [Daniel Katz brought this change] - - curl-functions.m4: check whether atomics can link rather than just compile - - Some build toolchains support C11 atomics (i.e., _Atomic types), but - will not link the associated atomics runtime unless a flag is passed. In - such an environment, linking an application with libcurl.a can fail due - to undefined symbols for atomic load/store functions. - - I encountered this behavior when upgrading curl to 7.84.0 and attempting - to build with Solaris Studio 12.6. Solaris provides the flag - -xatomic=[gcc | studio], allowing users to link to one of two atomics - runtime implementations. However, if the user does not provide this - flag, then neither runtime is linked. This led to builds failing in CI. - - Closes #9190 - -- [Rosen Penev brought this change] - - curl-wolfssl.m4: add options header when building test code - - Needed for certain configurations of wolfSSL. Otherwise, missing header - error may occur. - - Tested with OpenWrt. - - Closes #9187 - -- ftp: use a correct expire ID for timer expiry - - This was an accurate error pointed out by the icc warning: enumerated - type mixed with another type - - Ref: #9179 - Closes #9184 - -- sendf: fix paused header writes since after the header API - - Regression since d1e4a67 - - Reported-by: Sergey Ogryzkov - Fixes #9180 - Closes #9182 - -- mprintf: fix *dyn_vprintf() when out-of-memory - - Follow-up to 0e48ac1f99a. Torture-testing 1455 would lead to a memory - leak otherwise. - - Closes #9185 - -- curl-confopts: remove leftover AC_REQUIREs - - configure.ac:3488: warning: CURL_CHECK_FUNC_IOCTL is m4_require'd but not m4_defun'd - configure.ac:3488: warning: CURL_CHECK_FUNC_SETSOCKOPT is m4_require'd but not m4_defun'd - - follow-up from 4d73854462f30 - - Closes #9183 - -- file: fix icc enumerated type mixed with another type warning - - Ref: #9179 - Closes #9181 - -Viktor Szakats (19 Jul 2022) -- tidy-up: delete unused build configuration macros - - Most of them feature guards: - - - `CURL_INCLUDES_SYS_UIO` [1] - - `HAVE_ALLOCA_H` [2] - - `HAVE_CRYPTO_CLEANUP_ALL_EX_DATA` (unused since de71e68000c8624ea13f90b136f8734dd0fb1bdc) - - `HAVE_DLFCN_H` - - `HAVE_DLOPEN` - - `HAVE_DOPRNT` - - `HAVE_FCNTL` - - `HAVE_GETHOSTBYNAME` [3] - - `HAVE_GETOPT_H` - - `HAVE_GETPASS` - - `HAVE_GETPROTOBYNAME` - - `HAVE_GETSERVBYNAME` - - `HAVE_IDN_FREE*` - - `HAVE_INET_ADDR` - - `HAVE_IOCTL` - - `HAVE_KRB4` - - `HAVE_KRB_GET_OUR_IP_FOR_REALM` - - `HAVE_KRB_H` - - `HAVE_LDAPSSL_H` - - `HAVE_LDAP_INIT_FD` - - `HAVE_LIBDL` - - `HAVE_LIBNSL` - - `HAVE_LIBRESOLV*` - - `HAVE_LIBUCB` - - `HAVE_LL` - - `HAVE_LOCALTIME_R` - - `HAVE_MALLOC_H` - - `HAVE_MEMCPY` - - `HAVE_MEMORY_H` - - `HAVE_NETINET_IF_ETHER_H` - - `HAVE_NI_WITHSCOPEID` - - `HAVE_OPENSSL_CRYPTO_H` - - `HAVE_OPENSSL_ERR_H` - - `HAVE_OPENSSL_PEM_H` - - `HAVE_OPENSSL_PKCS12_H` - - `HAVE_OPENSSL_RAND_H` - - `HAVE_OPENSSL_RSA_H` - - `HAVE_OPENSSL_SSL_H` - - `HAVE_OPENSSL_X509_H` - - `HAVE_PEM_H` - - `HAVE_POLL` - - `HAVE_RAND_SCREEN` - - `HAVE_RAND_STATUS` - - `HAVE_RECVFROM` - - `HAVE_SETSOCKOPT` - - `HAVE_SETVBUF` - - `HAVE_SIZEOF_LONG_DOUBLE` - - `HAVE_SOCKIO_H` - - `HAVE_SOCK_OPTS` - - `HAVE_STDIO_H` - - `HAVE_STRCASESTR` - - `HAVE_STRFTIME` - - `HAVE_STRLCAT` - - `HAVE_STRNCMPI` - - `HAVE_STRNICMP` - - `HAVE_STRSTR` - - `HAVE_STRUCT_IN6_ADDR` - - `HAVE_TLD_H` - - `HAVE_TLD_STRERROR` - - `HAVE_UNAME` - - `HAVE_USLEEP` - - `HAVE_WINBER_H` - - `HAVE_WRITEV` - - `HAVE_X509_H` - - `LT_OBJDIR` - - `NEED_BASENAME_PROTO` - - `NOT_NEED_LIBNSL` - - `OPENSSL_NO_KRB5` - - `RECVFROM_TYPE*` - - `SIZEOF_LONG_DOUBLE` - - `STRERROR_R_TYPE_ARG3` - - `USE_YASSLEMUL` - - `_USRDLL` (from CMake) [4] - - [1] Related parts in `m4/curl-functions.m4` and `configure.ac` might - also be deleted. - - [2] Related comment can possibly be deleted in - `packages/vms/generate_config_vms_h_curl.com`. - - [3] There are more instances of this in autotools, but I did not dare to - touch those. Looked like it's used to detect socket support. - - [4] This is necessary for MFC (Microsoft Foundation Class) DLLs to - force linking MFC components statically to the DLL. `libcurl.dll` - does not use MFC, so we can delete this define. - Ref: https://docs.microsoft.com/cpp/build/regular-dlls-statically-linked-to-mfc - - Script that can help finding unused settings like above: - ```shell - - autoheader configure.ac # generate lib/curl_config.h.in - - { - grep -o -E 'set\([A-Z][A-Z0-9_]{3,}' CMake/Platforms/WindowsCache.cmake | sed -E 's|set\(||g' - grep -o -E -h '#define +[A-Z][A-Z0-9_]{3,}' lib/config-*.h | sed -E 's|#define +||g' - grep -o -E '#cmakedefine +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.cmake | sed -E 's|#cmakedefine +||g' - grep -o -E '#undef +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.in | sed -E 's|#undef +||g' - } | sort -u | grep -v -F 'HEADER_CURL_' | while read -r def; do - c="$(git grep -w -F "${def}" | grep -v -E -c '(/libcurl\.tmpl|^lib/config-|^lib/curl_config\.h\.cmake|^CMakeLists\.txt|^CMake/Platforms/WindowsCache\.cmake|^packages/vms/config_h\.com|^m4/curl-functions\.m4|^acinclude\.m4|^configure\.ac)')" - if [ "${c}" = '0' ]; then - echo "${def}" - fi - done - ``` - - Reviewed-by: Daniel Stenberg - Closes #9044 - -Daniel Stenberg (19 Jul 2022) -- RELEASE-NOTES: synced - -- cookie: treat a blank domain in Set-Cookie: as non-existing - - This matches what RFC 6265 section 5.2.3 says. - - Extended test 31 to verify. - - Fixes #9164 - Reported-by: Gwen Shapira - Closes #9177 - -- [Patrick Monnerat brought this change] - - base64: base64url encoding has no padding - - See RFC4648 section 5 and RFC7540 section 3.2.1. - - Suppress generation of '=' padding of base64url encoding. This is - accomplished by considering the string beginning at offset 64 in the - character table as the padding: this is "=" for base64, "" for base64url. - - Also use strchr() to replace character search loops where possible. - - Suppress erroneous comments about empty encoding results. - - Adjust unit test 1302 to unpadded base64url encoding and add tests for - empty results. - - Closes #9139 - -- easyoptions: fix icc warning - - easyoptions.c(360): error #188: enumerated type mixed with another type - - Ref: #9156 - Reported-by: Matthew Thompson - Closes #9176 - -- [lwthiker brought this change] - - h2h3: fix overriding the 'TE: Trailers' header - - A 'TE: Trailers' header is explicitly replaced by 'te: trailers' - (lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or - HTTP/3 headers. However, this is then replaced again by the original - value due to a bug, resulting in the uppercased version being sent. Some - HTTP/2 servers reject the whole HTTP/2 stream when this is the case. - - Closes #9170 - -- lib3026: reduce the number of threads to 100 - - Down from 1000, to make it run and work in more systems. - - Fixes #9172 - Reported-by: Érico Nogueira Rolim - Closes #9173 - -- doh: move doh related struct definitions to doh.h - - and make 'dnstype' in 'struct dnsprobe' use the DNStype to fix the icc compiler warning: - - doh.c(924): error #188: enumerated type mixed with another type - - Reported-by: Matthew Thompson - Ref #9156 - Closes #9174 - -Viktor Szakats (17 Jul 2022) -- Makefile.m32: stop trying to build libcares.a [ci skip] - - Before this patch, `lib/Makefile.m32` had a rule to build `libcares.a` in - `-cares`-enabled builds, via c-ares's own `Makefile.m32`. Committed in - 2007 [1]. The commit message doesn't specifically address this particular - change. This logic comes from the times when c-ares was part of the curl - source tree, hence the special treatment. - - This feature creates problems when building c-ares first, using CMake - and pointing `LIBCARES_PATH` to its install prefix, where `Makefile.m32` - is missing in such case. A sub-build for c-ares is undesired also when - c-ares had already been build via its own `Makefile.m32`. - - To avoid the sub-build, this patch deletes its Makefile rule. After this - patch `libcares.a` needs to be manually built before using it in - `Makefile.m32`. Aligning it with the rest of dependencies. - - [1] 46c92c0b806da041d7a5c6fb64dbcdc474d99b31 - - Reviewed-by: Daniel Stenberg - Closes #9169 - -Daniel Stenberg (17 Jul 2022) -- curl: writeout: fix repeated header outputs - - The function stored a terminating zero into the buffer for convenience, - but when on repeated calls that would cause problems. Starting now, the - passed in buffer is not modified. - - Reported-by: highmtworks on github - Fixes #9150 - Closes #9152 - -- curl_multi_timeout.3: clarify usage - - Fixes #9155 - Closes #9157 - Reported-by: jvvprasad78 on github - -- mprintf: make dprintf_formatf never return negative - - This function no longer returns a negative value if the formatting - string is bad since the return value would sometimes be propagated as a - return code from the mprintf* functions and they are documented to - return the length of the output. Which cannot be negative. - - Fixes #9149 - Closes #9151 - Reported-by: yiyuaner on github - -Viktor Szakats (17 Jul 2022) -- trace: 0x7F character is non-printable - - `0x7F` is `DEL`, a non-printable symbol, so print it as - `UNPRINTABLE_CHAR`. - - Reported-by: MasterInQuestion on github - Fixes #9162 - Closes #9166 - -- doh: use https protocol by default - - The only allowed protocol is https, so it makes sense to use that - by default if not passed explicitly by the user. - - Reported-by: MasterInQuestion on github - Reviewed-by: Jay Satiro - Fixes #9163 - Closes #9165 - -- openssl: fix BoringSSL symbol conflicts with LDAP and Schannel - - Same issue as here [1], but this time when building curl with BoringSSL - for Windows with LDAP(S) or Schannel support enabled. - - Apply the same fix [2] for these source files as well. - - This can also be fixed by moving `#include "urldata.h"` _before_ - including `winldap.h` and `schnlsp.h` respectively. This seems like - a cleaner fix, though I'm not sure why it works and if it has any - downside. - - [1] https://github.com/curl/curl/issues/5669 - [2] https://github.com/curl/curl/commit/fbe07c6829ba8c5793c84c2856526e19e9029ab9 - - Co-authored-by: Jay Satiro - Closes #9110 - -Daniel Stenberg (13 Jul 2022) -- asyn-thread: make getaddrinfo_complete return CURLcode - - ... as the only caller that cares about what it returns assumes that - anyway. This caused icc to warn: - - asyn-thread.c(505): error #188: enumerated type mixed with another type - result = getaddrinfo_complete(data); - - Repoorted-by: Matthew Thompson - Bug: https://github.com/curl/curl/issues/9081#issuecomment-1182143076 - Closes #9146 - -- easy_lock: fix build with icc - - The Intel compiler tries to look like GCC *and* clang *and* it lies in - its __has_builtin() function (returns true when it should return false), - so override it. - - Reported-by: Matthew Thompson - Fixes #9081 - Closes #9144 - -- configure: fix --disable-headers-api - - Reported-by: Michał Antoniak - Fixes #9134 - Closes #9143 - -- test3026: require 'threadsafe' - - Reported-by: Sukanya Hanumanthu - Fixes #9141 - Closes #9142 - -- [Even Rouault brought this change] - - CMake: link curl to its dependencies with PRIVATE - - The current PUBLIC visibility causes issues for downstream users. - Cf https://github.com/OSGeo/PROJ/pull/3172#issuecomment-1157942986 - - Reviewed-by: Jakub Zakrzewski - Closes #9125 - -- [Even Rouault brought this change] - - CMake: remove APPEND in export(TARGETS) - - When running cmake several times, new content was appended to already - existing generated files, which is not appropriate - - Reviewed-by: Jakub Zakrzewski - Closes #9124 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks - - Closes #9135 - -- RELEASE-NOTES: synced - -Viktor Szakats (11 Jul 2022) -- build: improve OS string in CMake and `config-win32.h` - - This patch makes CMake fill the "OS string" with the value of - `CMAKE_C_COMPILER_TARGET`, if passed. This typically contains a triplet, - the same we can pass to `./configure` via `--host=`. - - For non-CMake, non-autotools, Windows builds, this patch adds the ability - to override the default `OS` value in `lib/config-win32.h`. - - With these its possible to get the same OS string across the three build - systems. - - This patch supersedes the earlier, partial, CMake-only solution: - 435f395f3f8c11eebfcc243ca55ebcc11a19b8b8, thus retiring the - `CURL_OS_SUFFIX` CMake option. - - Reviewed-by: Jay Satiro - Closes #9117 - -- Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip] - - They allow to override the hardcoded values for the `windres` and `strip` - tools, complementing the existing set of `CURL_{CC,AR,RANLIB}` variables. - - `CURL_RC` comes handy when using LLVM tools with `CROSSPREFIX=llvm-` and - `CURL_CC=clang` set on current latest debian:unstable or earlier, where - `llvm-windres` is missing, and a `CURL_RC=<triplet>-windres` fixes it. - Hopefully this will be fixed in the llvm package. FWIW `llvm-windres` - does exist in Homebrew llvm, MSYS2 llvm and llvm-mingw. - - Reviewed-by: Daniel Stenberg - Closes #9132 - -Daniel Stenberg (10 Jul 2022) -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix stall or busy loop on STOP_SENDING with upload data - - Fixes #9122 - Closes #9123 - -- [Xiaoke Wang brought this change] - - tool_operate: better cleanup of easy handle in exit path - - Closes #9114 - -- [Xiaoke Wang brought this change] - - getinfo: return better error on NULL as first argument - - Closes #9114 - -- tool_getparam: repair cleanarg - - Regression since 9e5669f. - - Make sure the "cleaning" of command line arguments is done on the - original argv[] pointers. As a bonus, it also exits better on out of - memory error. - - Reported-by: Litter White - Fixes #9128 - Closes #9130 - -Jay Satiro (10 Jul 2022) -- docs: explain curl_easy_escape/unescape curl handle is ignored - - 26101421 (precedes 7.82.0) removed character conversion support used by - very old legacy operating systems and since then the curl handle passed - to curl_easy_escape/unescape is always ignored. - - Bug: https://github.com/curl/curl/discussions/9115 - Reported-by: Ted Lyngmo - - Closes https://github.com/curl/curl/pull/9121 - -Viktor Szakats (8 Jul 2022) -- openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL - - BoringSSL doesn't keep a version number, and doesn't self-identify itself - via any other revision number via its own headers. We can identify - BoringSSL revisions by their commit hash. This hash is typically known by - the builder. This patch adds a way to pass this hash to libcurl, so that - it can display in the curl version string: - - For example: - - `CFLAGS=-DCURL_BORINGSSL_VERSION="c239ffd0"` - - ``` - curl 7.84.0 (x86_64-w64-mingw32) libcurl/7.84.0 BoringSSL/c239ffd0 (Schannel) zlib/1.2.12 [...] - Release-Date: 2022-06-27 - Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 [...] - Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos [...] - ``` - - The setting is optional, and if not passed, BoringSSL will appear without - a version number, like before this patch. - - Closes #9113 - -Jay Satiro (8 Jul 2022) -- escape: remove outdated comment - - Bug: https://github.com/curl/curl/discussions/9115 - Reported-by: Ted Lyngmo - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Fix missing initialization of nghttp3_nv.flags - - Closes https://github.com/curl/curl/pull/9118 - -Daniel Stenberg (6 Jul 2022) -- [Brad Forschinger brought this change] - - netrc.d: remove spurious quote - - Closes #9111 - -Viktor Szakats (6 Jul 2022) -- Makefile.m32: add `NGTCP2_LIBS` option [ci skip] - - Makefile.m32's ngtcp2 has its two libs hardwired for OpenSSL. - Add `NGTCP2_LIBS` envvar to override them with a custom list, - making it possible to use BoringSSL, or any other backend. - - Closes #9109 - -Jay Satiro (6 Jul 2022) -- [Evgeny Grin (Karlson2k) brought this change] - - digest: fix missing increment of 'nc' value for auth-int - - - Increment nc regardless of qop type. - - Prior to this change nc was only incremented for qop type auth even - though libcurl sends nc with any qop. - - Closes https://github.com/curl/curl/pull/9090 - -Daniel Stenberg (5 Jul 2022) -- RELEASE-NOTES: synced - - Bumped to 7.85.0 - -- urldata: reduce size of four ftp related members - - ftp_filemethod, ftpsslauth and ftp_ccc are now uchars - - accepttimeout is now unsigned int - almost 50 days ought to be enough - for this value. - - Closes #9106 - -- urldata: reduce three type-members from int to uchar - - - timecondition - - proxytype - - method - - ... previously used their enum type in the struct, which made them - unnecesarily large. - - Closes #9105 - -- CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name - - Starting now, CURLOPT_FTP_RESPONSE_TIMEOUT is the alias instead of the - other way around. - - Since 7.20.0, CURLOPT_SERVER_RESPONSE_TIMEOUT has existed as an alias - but since the option is for more protocols than FTP the more "correct" - version of the option is the "server" one so now we switch. - - Closes #9104 - -- urldata: make 'ftp_create_missing_dirs' a uchar - - It only ever holds the values 0-2. - - Closes #9103 - -- [Don J Olmstead brought this change] - - cmake: support ngtcp2 boringssl backend - - Update the ngtcp2 find module to detect the boringssl backend. Determine - if the underlying OpenSSL implementation is BoringSSL and if so use that - as the ngtcp2 backend. - - Reviewed-by: Jakub Zakrzewski - Closes #9065 - -- urldata: change 4 timeouts to unsigned int from long - - They're not used for that long times anyway, 32 bit milliseconds is long - enough. - - Closes #9101 - -- urldata: make 'use_netrc' a uchar - - Closes #9102 - -- urldata: make 'buffer_size' an unsigned int - - It is already capped at READBUFFER_MAX which fits easily in 32 bits. - - Closes #9098 - -- urldata: remove the unused 'rtspversion' struct member - - Closes #9100 - -- urldata: make 'use_port' an usigned short - - ... instead of a long. It is already enforced to not attempt to set any - value outside of 16 bits unsigned. - - Closes #9099 - -- urldata: store dns cache timeout in an int - - 68 years ought to be enough for most. - - Closes #9097 - -- curl: proto2num: make sure obuf is inited - - Detected by Coverity. CID 1507052. - - Closes #9096 - -- cookie: use %zu to infof() for size_t values - - Detected by Coverity. CID 1507051 - Closes #9095 - -Viktor Szakats (4 Jul 2022) -- makefile.m32: add support for custom ARCH [ci skip] - - When building curl for target platform other than x64 and x86, it is now - possible to pass `ARCH=custom`, that will omit all hardcoded logic for - setting up CFLAGS/LDFLAGS/RCFLAGS for these platforms, and let these be - customized via `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, and a newly - added one for the resource compiler: `CURL_RCFLAG_EXTRAS`. - - This makes it possible to use `makefile.m32` to build for ARM64 for - example. - - Reviewed-by: Daniel Stenberg - Closes #9092 - -- cmake: do not force Windows target versions - - The goal of this patch is to avoid CMake forcing specific Windows - versions and rely on toolchain defaults or manual selection instead. - This gives back control to the user. This also brings CMake closer to - how autotools and `Makefile.m32` behaves in this regard. - - - CMake had a setting `ENABLE_INET_PTON` defaulting to `ON`, which did - nothing else than fixing the Windows build target to Vista. This also - happened when the toolchain did not have Vista support (e.g. original - MinGW), breaking such builds. - - In other environments it did not make a user-facing difference, - because libcurl has its own pton() implementation, so it works well - with or without Vista's inet_pton(). - - This patch drops this setting. inet_pton() is now used whenever - building for Vista or newer, either when requested manually or by - default with modern toolchains (e.g. mingw-w64). Older envs will fall - back to curl's pton(). - - Ref: https://github.com/curl/curl/pull/9027#issuecomment-1164157604 - Ref: https://github.com/curl/curl/pull/8997#issuecomment-1164344155 - - - When the user did no select a Windows target version manually, stop - explicitly targeting Windows XP, and instead use the toolchain default. - - This may pose an issue with old toolchains defaulting to pre-XP - targets. In such case you must manually target Windows XP via: - `-DCURL_TARGET_WINDOWS_VERSION=0x0501` - or - `-DCMAKE_C_FLAGS=-D_WIN32_WINNT=0x0501` - - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad - Closes #9046 - -- windows: improve random source - - - Use the Windows API to seed the fallback random generator. - - This ensures to always have a random seed, even when libcurl is built - with a vtls backend lacking a random generator API, such as rustls - (experimental), GSKit and certain mbedTLS builds, or, when libcurl is - built without a TLS backend. We reuse the Windows-specific random - function from the Schannel backend. - - - Implement support for `BCryptGenRandom()` [1] on Windows, as a - replacement for the deprecated `CryptGenRandom()` [2] function. - - It is used as the secure random generator for Schannel, and also to - provide entropy for libcurl's fallback random generator. The new - function is supported on Vista and newer via its `bcrypt.dll`. It is - used automatically when building for supported versions. It also works - in UWP apps (the old function did not). - - - Clear entropy buffer before calling the Windows random generator. - - This avoids using arbitrary application memory as entropy (with - `CryptGenRandom()`) and makes sure to return in a predictable state - when an API call fails. - - [1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom - [2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom - - Closes #9027 - -Daniel Stenberg (4 Jul 2022) -- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR - - ... as replacements for deprecated CURLOPT_PROTOCOLS and - CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the - 32 bit limit the old ones are facing. - - CURLINFO_PROTCOOL is now deprecated. - - The curl tool is updated to use the new options. - - Added test 1597 to verify the libcurl protocol parser. - - Closes #8992 - -- digest: simplify a switch() to a simple if - -- digest: provide a special bit for "sess" algos - - Also shortened the names and moved them to the .c file since they are - private for this source file only. Also made them #defines instead of - enum. - - Closes #9079 - -Jay Satiro (4 Jul 2022) -- [Thomas Weißschuh brought this change] - - select: do not return fatal error on EINTR from poll() - - The same was done for select() in 5912da25 but poll() was missed. - - Bug: https://bugs.archlinux.org/task/75201 - Reported-by: Alexandre Bury (gyscos at archlinux) - - Ref: https://github.com/curl/curl/issues/8921 - Ref: https://github.com/curl/curl/pull/8961 - Ref: https://github.com/curl/curl/commit/5912da25#r77584294 - - Closes https://github.com/curl/curl/pull/9091 - -- [Kai Pastor brought this change] - - cmake: fix build for mingw cross compile - - - Change normaliz lib name to all lowercase. - - This is from a standing patch in vcpkg: - Mingw has libnormaliz.a. For case-sensitive file systems (e.g. cross - builds from Linux), the spelling must match exactly. - - Closes https://github.com/curl/curl/pull/9084 - -- easy_lock: fix build for mingw - - - Define SRWLOCK symbols missing in some mingw environments. - - Closes https://github.com/curl/curl/pull/8997 - -Daniel Stenberg (2 Jul 2022) -- tool_progress: avoid division by zero in parallel progress meter - - Reported-by: Brian Carpenter - Fixes #9082 - Closes #9083 - -- http_aws_sigv4.c: remove two unusued includes - - Closes #9080 - -- .mailmap: additional edit - - Follow-up to 861e2a8aca6c7 so that Evgeny appears with the same in git - logs even when using old email. - -- RELEASE-NOTES: synced - - bumped to 7.84.1 - -- [Evgeny Grin (Karlson2k) brought this change] - - .mailmap: updated - -- [Evgeny Grin (Karlson2k) brought this change] - - THANKS: merged two entries for Evgeny Grin - - Also updated THANKS-filter file - - Closes #9076 - -- [Jilayne Lovejoy brought this change] - - lib/curl_path.c: add ISC to license expression - - THe text of the ISC license is in this file, so the SPDX license - expression should be updated - - Closes #9073 - -- [Sean McArthur brought this change] - - hyper: use wakers for curl pause/resume - - Closes #9070 - -Viktor Szakats (30 Jun 2022) -- Makefile.m32: do not set the libcurl.rc debug flag [ci skip] - - Delete `-DDEBUGBUILD=0` windres option. This was likely meant to - disable VS_FF_DEBUG in FILEFLAGS, but any assigned value enabled - it instead. Delete this unnecessary option and thus sync up with - how CMake compiles libcurl.rc by default. - - Reviewed-by: Jay Satiro - Closes #9069 - -Daniel Stenberg (29 Jun 2022) -- curl.h: CURLE_CONV_FAILED is obsoleted - - The last use was removed in 7.82.0. Updated some docs too to reflect the - current error code situation. - - Closes #9067 - -- curl: output warning when a cookie is dropped due to size - - Dropped from the request, that is. - - Closes #9064 - -- curl_mime_data.3: polish the wording - - Closes #9063 - -- configure: check for the stdatomic.h header in configure - - ... and only set HAVE_ATOMIC if that header exists since we use - typedefes set in it. - - Reported-by: Ryan Schmidt - Fixes #9059 - Closes #9060 - -- easy_lock: fix the #ifdef conditional for ia32_pause - - To work better with new and old clang compilers. - - Reported-by: Ryan Schmidt - Assisted-by: Joshua Root - - Fixes #9058 - Closes #9062 - -- easy_lock: switch to using atomic_int instead of bool - - To work with more compilers without requiring separate libs to - link. Like with gcc-12 for RISC-V on Linux. - - Reported-by: Adam Sampson - Fixes #9055 - Closes #9061 - -- [vvb2060 brought this change] - - ngtcp2: fix incompatible function pointer types - - Closes #9056 - -- [vvb2060 brought this change] - - easy_lock.h: use __asm__ instead of asm to fix build - - Closes #9056 - -- [Samuel Henrique brought this change] - - libcurl-security.3: fix typo on macro "SH_" - - During the packaging of the latest curl release for Debian, Lintian - warned me about a typo which causes the section name "Secrets in memory" - to not be rendered in the manpage due to "SH_" not being recognized as a - header. - - Closes #9057 - -- easy_lock.h: include sched.h if available to fix build - - Patched-by: Harry Sintonen - - Closes #9054 - -Version 7.84.0 (27 Jun 2022) - -Daniel Stenberg (27 Jun 2022) -- RELEASE-NOTES: synced - - Version 7.84.0 release - -- THANKS: contributors from 7.84.0 release notes - -- hsts: use Curl_fopen() - -- altsvc: use Curl_fopen() - -- fopen: add Curl_fopen() for better overwriting of files - - Bug: https://curl.se/docs/CVE-2022-32207.html - CVE-2022-32207 - Reported-by: Harry Sintonen - Closes #9050 - -- test444: test many received Set-Cookie: - - The amount of sent cookies in the test is limited to 80 because hyper - has its own strict limits in how many headers it allows to be received - which triggers at some point beyond this number. - -- test442/443: test cookie caps - - 442 - verify that only 150 cookies are sent - 443 - verify that the cookie: header remains less than 8K in size - -- cookie: apply limits - - - Send no more than 150 cookies per request - - Cap the max length used for a cookie: header to 8K - - Cap the max number of received Set-Cookie: headers to 50 - - Bug: https://curl.se/docs/CVE-2022-32205.html - CVE-2022-32205 - Reported-by: Harry Sintonen - Closes #9048 - -- test387: verify rejection of compression chain attack - -- content_encoding: return error on too many compression steps - - The max allowed steps is arbitrarily set to 5. - - Bug: https://curl.se/docs/CVE-2022-32206.html - CVE-2022-32206 - Reported-by: Harry Sintonen - Closes #9049 - -- krb5: return error properly on decode errors - - Bug: https://curl.se/docs/CVE-2022-32208.html - CVE-2022-32208 - Reported-by: Harry Sintonen - Closes #9051 - -- easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro - - clang 14 warns about its use. It is being deprecated by the working - group for the programming language C: "The macro ATOMIC_VAR_INIT is - basically useless for the purpose for which it was designed" - - Ref: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2886.htm - - Reported-by: Tatsuhiro Tsujikawa - Fixes #9041 - Closes #9042 - -- [Stefan Eissing brought this change] - - ngtcp2: avoid supplying 0 length `msg_control` to sendmsg() - - Testing on macOS 12.4, sendmsg() fails with EINVAL when a msg_control - buffer is provided in sengmsg(), even though msg_controllen was set to - 0. - - Initialize msg.msg_controllen just as needed and also perform the size - assertion only when needed. - - Closes #9039 - -- [Tom Eccles brought this change] - - ftp: restore protocol state after http proxy CONNECT - - connect_init() (lib/http_proxy.c) swaps out the protocol state while - working on the proxy connection, this is then restored by - Curl_connect_done() after the connection completes. - - ftp_do_more() extracted the protocol state pointer to a local variable - at the start of the function then calls Curl_proxy_connect(). If the proxy - connection completes, Curl_proxy_connect() will call Curl_connect_done() - (via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp - protocol state instead of the http proxy protocol state, but the local - variable in ftp_do_more still pointed to the old value. - - Ultimately this meant that the state worked on by ftp_do_more() was the - http proxy state not the ftp state initialised by ftp_connect(), but - subsequent calls to any ftp_ function would use the original state. - - For my use-case, the visible consequence was that ftp->downloadsize was - never set and so downloaded data was never returned to the application. - - This commit updates the ftp protocol state pointer in ftp_do_more() after - Curl_proxy_connect() returns, ensuring that the correct state pointer is - used. - - Fixes #8737 - Closes #9043 - -Jay Satiro (23 Jun 2022) -- THANKS: add contributor missing from aea8ac1 - - aea8ac1 fixed #8980 which was reported by Sgharat on github, but that - info was not included in the commit message. - -- curl_setup: include _mingw.h - - Prior to this change _mingw.h needed to be included in each unit before - evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It - is included only in some mingw headers (eg stdio.h) and not others - (eg windows.h) so it's better to explicitly include it once. - - Closes https://github.com/curl/curl/pull/9036 - -Viktor Szakats (22 Jun 2022) -- rand: stop detecting /dev/urandom in cross-builds - - - Prevent CMake to auto-detect /dev/urandom when cross-building. - Before this patch, it would detect it in a cross-build scenario on *nix - hosts with this device present. This was a problem for example with - Windows builds, but it could affect any target system with this device - missing. This also syncs detection behaviour with autotools, which also - skips it for cross-builds. - - Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's - fallback random number generator on Windows. Windows does not have the - concept of reading a random stream from a filename, nor any guaranteed - non-world-writable path on disk. With this, a manual misconfiguration or - an overeager auto-detection can no longer result in a user-controllable - seed source. - - Reviewed-by: Daniel Stenberg - Closes #9038 - -Daniel Stenberg (22 Jun 2022) -- [Emanuele Torre brought this change] - - ci: avoid `cmake -Hpath` - - This is an undocumented option similar to the `-Spath' option introduced - in cmake 3.13. - Replace all instances of `-Hpath' with `-Spath' in macos workflow. - Replace `-H. -Bpath' with `mkdir path; cd ./path; cmake ..' in zuul - scripts since it runs an older version of cmake. - - Fixes #9008 - Closes #9014 - -- INTERNALS: bring back the "Library symbols" section - - Most contents was moved, but this text should remain here. - - Follow-up to: d324ac8 - Reported-by: Viktor Szakats - Bug: https://github.com/curl/curl/pull/9027#discussion_r903382326 - Closes #9037 - -Viktor Szakats (22 Jun 2022) -- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip] - - Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows - XP when the `-ipv6` option is selected. Maybe this was added to support - pre-XP Windows versions (?). These days libcurl builds fine for both XP - and post-XP versions with IPv6 support enabled. The relevance of pre-XP - version is also low by now. Other build methods also do not impose such - limitation for a similar configuration. So, drop this hard-wired - `_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default - Windows version set by the compiler. This is Vista for recent MinGW - versions. - - Old behaviour can be restored by setting this envvar: - export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501 - - [1] 98a61d8e2e8982786aaf3916cbbcac96838316e7 - - Closes #9035 - -Daniel Stenberg (21 Jun 2022) -- CONTRIBUTE: mention how we maintain REUSE compliance - - for copyright and license information of all files stored in git - - Closes #9032 - -- CURLOPT_ALTSVC.3: document the file format - - Closes #9033 - -Jay Satiro (21 Jun 2022) -- runtests: add "threadsafe" to detected features - - Follow-up to recent commits which added thread-safety support. - - Bug: https://github.com/curl/curl/pull/9012#discussion_r902018782 - Reported-by: Marc Hörsken - - Closes https://github.com/curl/curl/pull/9030 - -Daniel Stenberg (20 Jun 2022) -- easy: remove dead code - - Follow-up from 5912da253b64d - - Detected by Coverity (CID 1506519) - - Closes #9029 - -- [Glenn Strauss brought this change] - - transfer: upload performance; avoid tiny send - - Append to the upload buffer when only small amount remains in buffer - rather than performing a separate tiny send to empty buffer. - - Avoid degenerative upload behavior which might cause curl to send mostly - 1-byte DATA frames after exhausing the h2 send window size - - Related discussion: https://github.com/nghttp2/nghttp2/issues/1722 - - Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> - Closes #8965 - -- [Steve Holme brought this change] - - projects: fix third-party SSL library build paths for Visual Studio - - The paths used by the build batch files were inconsistent with those in - the Visual Studio project files. - - Closes #8991 - -- [Pierrick Charron brought this change] - - urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts - - As per the documentation : - - > Setting a part to a NULL pointer will effectively remove that - > part's contents from the CURLU handle. - - But currently clearing CURLUPART_URL does nothing and returns - CURLUE_OK. This change will clear all parts of the URL at once. - - Closes #9028 - -- [Philip Heiduck brought this change] - - CI: bump FreeBSD 13.0 to 13.1 - - Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - Closes #8815 - -- RELEASE-NOTES: synced - - and updated release date in RELEASE-PROCEDURE.md - -- [divinity76 brought this change] - - CURLOPT_HTTPHEADER.3: improve comment in example - - Closes #9025 - -Marc Hoersken (16 Jun 2022) -- CI/azure: reduce flakiness by retrying install/prepare steps - - Closes #9010 - -- CI/cirrus: align Windows timeout with Azure CI at 120 minutes - - Closes #9009 - -Jay Satiro (16 Jun 2022) -- vtls: make curl_global_sslset thread-safe - - .. and update some docs to explain curl_global_* is now thread-safe. - - Follow-up to 23af112 which made curl_global_init/cleanup thread-safe. - - Closes https://github.com/curl/curl/pull/9016 - -- curl_easy_pause.3: remove explanation of progress function - - - Remove misleading text that says progress function "gets called at - least once per second, even if the connection is paused." - - The progress function behavior is more nuanced and the user is better - served reading the progress function doc rather than attempt to explain - it in the curl_easy_pause doc. - - The progress function can only be called at least once per second if an - appropriate multi transfer function is called (eg curl_multi_perform) in - that time. For a paused transfer there may not be such a call. Rather - than explain this in detail in the curl_easy_pause doc, rely on the user - reading the CURLOPT_PROGRESSFUNCTION doc. - - Ref: https://github.com/curl/curl/issues/8983 - - Closes https://github.com/curl/curl/pull/9015 - -Daniel Stenberg (15 Jun 2022) -- libssh: skip the fake-close when libssh does the right thing - - Starting in libssh 0.10.0 ssh_disconnect() will no longer close our - socket. Instead it will be kept alive as we want it, and it is our - responsibility to close it later. - - Ref: #8718 - Ref: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/240 - Closes #9021 - -- configure: warn about rustls being experimental - - Right now a dozen test cases are disabled because they don't work with - rustls. - - Closes #9019 - -- runtests: skip starting the ssh server if user name is lacking - - Because the ssh server startup script *requires* a user name there's no - point in invoking it if no name was found. - - Reported-by: Ricardo M. Correia - Ref: #9007 - Closes #9013 - -- copyright.pl: parse and use .reuse/dep5 for skips - - Also scan skipped files to be able to find superfluous ignores, shown with -v. - - Closes #9006 - -- reuse/dep5: adjusted to parse better - - ... adjusted a few files to contain copyright and license info. - - Closes #9006 - -- buildconf.bat: update copyright year range - - Closes #9006 - -- README.md: use the common "Copyright" style formatting - - Closes #9006 - -- reuse: move license info from .mailmap.license to .reuse/dep5 - - Closes #9006 - -- README.md: add a REUSE badge - - Closes #9004 - -- .reuse/dep5: remove recursive docs ignore, only skip markdown files - - ... and some additional non-markdown individual files in docs/ - - Closes #9005 - -- docs/cmdline-opts: add copyright and license identifier to each file - - gen.pl now insists on C: and SPDX-License-Identifier: fields to be - present in all files. - - Closes #9002 - -- copyright: info for/ignore .github/ISSUE_TEMPLATE/bug_report.md - - Follow-up from 448f7ef9ab2afb7. The adding of the copyright text in that - file broke site functionality. - - Closes #9001 - -- bug_report.md: revert the REUSE template to see if it works again - -Viktor Szakats (13 Jun 2022) -- version: rename threadsafe-init to threadsafe - - Referring to Daniel's article [1], making the init function thread-safe - was the last bit to make libcurl thread-safe as a whole. So the name of - the feature may as well be the more concise 'threadsafe', also telling - the story that libcurl is now fully thread-safe, not just its init - function. Chances are high that libcurl wants to remain so in the - future, so there is little likelihood of ever needing any other distinct - `threadsafe-<name>` feature flags. - - For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to - `CURL_VERSION_THREADSAFE`, update its description and reference libcurl's - thread safety documentation. - - [1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-safe/ - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - Closes #8989 - -Daniel Stenberg (13 Jun 2022) -- test3026: disable on win32 - - ... as it's not likely to have working pthreads - - Closes #8996 - -- GHA: shorten the reuse CI job name - - "REUSE compliance / check" should be good enough - - Closes #9000 - -- misc: add missing SPDX-License-Identifier info - - For some reason the REUSE CI job did not find these. - - Closes #8999 - -- copyright: verify SPDX-License-Identifier presence as well - -- easy_lock: add SPDX license identifier - - Closes #8998 - -- mailmap: Max Mehl - -- [Max Mehl brought this change] - - git: ignore large commit making the curl REUSE compliant - -- [Max Mehl brought this change] - - copyright: make repository REUSE compliant - - Add licensing and copyright information for all files in this repository. This - either happens in the file itself as a comment header or in the file - `.reuse/dep5`. - - This commit also adds a Github workflow to check pull requests and adapts - copyright.pl to the changes. - - Closes #8869 - -- curl_url_set.3: clarify by default using known schemes only - - Closes #8994 - -- scripts/copyright.pl: ignore leading spaces - -Viktor Szakats (10 Jun 2022) -- ngtcp2: fix typo in preprocessor condition - - Ref: 927ede7edcb7b05b8e8bbf9ced6aed523ae594a7 - - Bug: https://github.com/curl/curl/pull/8981#discussion_r894312185 - Reported-by: Emil Engler - Closes #8987 - -Daniel Stenberg (10 Jun 2022) -- RELEASE-NOTES: synced - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: build without sendmsg - - Closes #8981 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: use handshake helper funcs to simplify TLS handshake integration - - Closes #8968 - -- test390: verify --parallel - - Closes #8985 - -- test1543: verify CURLINFO_EFFECTIVE_URL with CURLOPT_CURLU set - - Triggered by a bug report from Adam Light: - https://curl.se/mail/lib-2022-06/0013.html - which ended up being mostly - a misunderstanding of how CURLINFO_EFFECTIVE_URL works. - - Closes #8971 - -- url: URL encode the path when extracted, if spaces were set - -- urlapi: support CURLU_URLENCODE for curl_url_get() - -- server/sws: support spaces in the HTTP request path - -- tests/getpart: fix getpartattr to work with "data" and "data2" - -- select: return error from "lethal" poll/select errors - - Adds two new error codes: CURLE_UNRECOVERABLE_POLL and - CURLM_UNRECOVERABLE_POLL one each for the easy and the multi interfaces. - - Reported-by: Harry Sintonen - Fixes #8921 - Closes #8961 - -- test3026: add missing control file - - Follow-up from 2ed101256414ea5 - - Makes the test run, makes 'make dist' work - - This single test takes 24-25 seconds on my machine (with valgrind). For - this reason I tag it with a "slow" keyword. - - Closes #8976 - -- runtests: fix skipping tests not done event-based - - ... and call timestampskippedevents() to avoid the flood of - uninitialized variable warnings. - - Closes #8977 - -- transfer: maintain --path-as-is after redirects - - Reported-by: Marcus T - Fixes #8974 - Closes #8975 - -- test391: verify --path-as-is with redirect - -Jay Satiro (8 Jun 2022) -- curl_global_init.3: Separate the Windows loader lock warning - - This is a slight correction of the parent commit which implied the - loader lock warning only applied if not thread-safe. In fact the loader - lock warning applies either way. - - Ref: https://github.com/curl/curl/pull/8972#discussion_r891987030 - -Daniel Stenberg (8 Jun 2022) -- curl_global_init.3: this is now (usually) thread-safe - - Follow-up to 23af112f5556 - - Closes #8972 - -Jay Satiro (8 Jun 2022) -- [Haxatron brought this change] - - libcurl-security.3: Document CRLF header injection - - - Document that user input to header options is not sanitized, which - could result in CRLF used to modify the request in a way other than - what was intended. - - Ref: https://hackerone.com/reports/1589877 - Ref: https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0d7cfe545 - - Closes https://github.com/curl/curl/pull/8964 - -- CURLOPT_RANGE.3: remove ranged upload advice - - The e-mail link in the advice contains instructions that are prone to - error. We need an example that works and can demonstrate how to properly - perform a ranged upload, and then we can refer to that example instead. - - Bug: https://github.com/curl/curl/issues/8969 - Reported-by: Simon Berger - - Closes https://github.com/curl/curl/pull/8970 - -Daniel Stenberg (7 Jun 2022) -- [Thomas Guillem brought this change] - - curl_version_info: add CURL_VERSION_THREADSAFE_INIT - - This flag can be used to make sure that curl_global_init() is - thread-safe. - - This can be useful for libraries that can't control what other - dependencies are doing with Curl. - - Closes #8680 - -- [Thomas Guillem brought this change] - - lib: make curl_global_init() threadsafe when possible - - Use a posix pthread or a Windows SRWLOCK to lock curl_global_init*() and - curl_global_cleanup(). - - Closes #8680 - -- RELEASE-NOTES: synced - -- [Fabian Keil brought this change] - - test414: add the '--resolve' keyword - - ... so the test can be automatically skipped when - using an external proxy like Privoxy. - - Closes #8959 - -- [Fabian Keil brought this change] - - test{440,441,493,977}: add "HTTP proxy" keywords - - ... so the tests can be automatically skipped when - using an external proxy like Privoxy. - - Closes #8959 - -- [Fabian Keil brought this change] - - runtests.pl: add the --repeat parameter to the --help output - - Closes #8959 - -- [Fabian Keil brought this change] - - test 2081: add a valid reply for the second request - - ... so the test works when using a HTTP proxy like - Privoxy that sends an error message if the server - doesn't send data. - - Closes #8959 - -- [Fabian Keil brought this change] - - test 675: add missing CR so the test passes when run through Privoxy - - Closes #8959 - -- ftp: when failing to do a secure GSSAPI login, fail hard - - ... instead of switching to cleartext. For the sake of security. - - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1590102 - Closes #8963 - -- http2: reject overly many push-promise headers - - Getting more than a thousand of them is rather a sign of some kind of - attack. - - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1589847 - Closes #8962 - -- [Fabian Keil brought this change] - - misc: spelling improvements - - Closes #8956 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix assertion failure on EMSGSIZE - - Closes #8958 - -- easy/transfer: fix cookie-disabled build - - Follow-up from 45de940cebf6a - Reported-by: Marcel Raad - Fixes #8953 - Closes #8954 - -- examples/crawler.c: use the curl license - - With permission from Jeroen Ooms - - URL: https://github.com/curl/curl/pull/8869#issuecomment-1144742731 - Closes #8950 - -- speed-limit/time.d: mention these affect transfers in either direction - - Reported-by: Ladar Levison - Fixes #8948 - Closes #8951 - -- scripts/copyright.pl: fix the exclusion to not ignore man pages - - Ref: #8869 - Closes #8952 - -- examples: remove fopen.c and rtsp.c - - To simplify the license situation, as they were the only files in the - source tree using these specific BSD-3 clause licenses. - - For an fopen style API, we recommend instead going - https://github.com/curl/fcurl - - Ref: #8869 - Closes #8949 - -- [Wolf Vollprecht brought this change] - - netrc: check %USERPROFILE% as well on Windows - - Closes #8855 - -- CURLOPT_SSH_HOSTKEYDATA/FUNCTION.3: minor polish - -- [michael musset brought this change] - - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION - - The callback set by CURLOPT_SSH_HOSTKEYFUNCTION is called to check - wether or not the connection should continue. - - The host key is passed in argument with a custom handle for the - application. - - It overrides CURLOPT_SSH_KNOWNHOSTS - - Closes #7959 - -- docs/CONTRIBUTE.md: document the 'needs-votes' concept - - A pull request sent to the project might get labeled `needs-votes` by a - project maintainer. This label means that in addition to meeting all - other checks and qualifications this pull request must also receive - proven support/thumbs-ups from more community members to be considered - for merging. - - Closes #8910 - -- [Evgeny Grin (Karlson2k) brought this change] - - digest: tolerate missing "realm" - - Server headers may not define "realm", avoid NULL pointer dereference - in such cases. - - Closes #8912 - -- [Evgeny Grin (Karlson2k) brought this change] - - digest: added detection of more syntax error in server headers - - Invalid headers should not be processed otherwise they may create - a security risk. - - Closes #8912 - -- [Evgeny Grin (Karlson2k) brought this change] - - digest: unquote realm and nonce before processing - - RFC 7616 (and 2617) requires values to be "unquoted" before used for - digest calculations. The only place where unquoting can be done - correctly is header parsing function (realm="DOMAIN\\host" and - realm=DOMAN\\host are different realms). - - This commit adds unquoting (de-escaping) of all values during header - parsing and quoting of the values during header forming. This approach - should be most straightforward and easy to read/maintain as all values - are processed in the same way as required by RFC. - - Closes #8912 - -- headers: handle unfold of space-cleansed headers - - Detected by OSS-fuzz - - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47767 - - Updated test 1274 - - Closes #8947 - -- lib: make more protocol specific struct fields #ifdefed - - ... so that they don't take up space if the protocols are disabled in - the build. - - Closes #8944 - -- DISABLED: disable 1021 for hyper again - - due to flakiness in the CI builds - -- urldata: store tcp_keepidle and tcp_keepintvl as ints - - They can't be set larger than INT_MAX in the setsocket API calls. - - Also document the max values in their respective man pages. - - Closes #8940 - -- urldata: reduce size of a few struct fields - - When the values are never larger than 32 bit, ints are better than longs. - - Closes #8940 - -- urldata: remove three unused booleans from struct UserDefined - - - is_fwrite_set - - free_referer - - strip_path_slash - - Closes #8940 - -- remote-name.d: mention --output-dir - - plus add two see-alsos - - Closes #8945 - -Jay Satiro (1 Jun 2022) -- configure: skip libidn2 detection when winidn is used - - Prior to this change --with-winidn could be overridden by libidn2 - detection. - - Closes https://github.com/curl/curl/pull/8934 - -Daniel Stenberg (31 May 2022) -- CURLOPT_FILETIME.3: fix the protocols this works with - -- test681: verify --no-remote-name - - Follow-up to 83ee5c428d960 (from #8931) - - Closes #8942 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: enable Linux GSO - - Enable Linux GSO in ngtcp2 QUIC. In order to recover from the - EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write, - packet buffer is now held by struct quicsocket. GSO write might fail in - runtime depending on NIC. Disable GSO if sendmsg returns EIO. - - Closes #8909 - -- CURLOPT_PORT.3: We discourage using this option - - Closes #8941 - -- RELEASE-NOTES: synced - -- headers_push: error out if a folded header has no previous header - - As that would indicate an illegal header. The fuzzer reached the assert - in unfold_value() proving that this case can happen. - - Follow-up to c9b60f005358a364 - - Closes #8939 - -- [Boris Verkhovskiy brought this change] - - curl: re-enable --no-remote-name - - Closes #8931 - -- test680: require 'http' since it uses such a URL - - Follow-up to d1b376c03524 - -- CURLOPT_NETRC.3: document the .netrc file format - -- test680: verify rejection of malformatted .netrc quoted password - -- test679: verify netrc quoted string - -- netrc: support quoted strings - - The .netrc parser now accepts strings within double-quotes in order to - deal with for example passwords containing white space - which - previously was not possible. - - A password that starts with a double-quote also ends with one, and - double-quotes themselves are escaped with backslashes, like \". It also - supports \n, \r and \t for newline, carriage return and tabs - respectively. - - If the password does not start with a double quote, it will end at first - white space and no escaping is performed. - - WARNING: this change is not entirely backwards compatible. If anyone - previously used a double-quote as the first letter of their password, - the parser will now get it differently compared to before. This is - highly unfortunate but hard to avoid. - - Reported-by: ImpatientHippo on GitHub - Fixes #8908 - Closes #8937 - -- curl_getdate.3: document that some illegal dates pass through - - Closes #8938 - -- CI: remove configure --enable-headers-api flags - -- headers api: remove EXPERIMENTAL tag - - Closes #8900 - -Daniel Gustafsson (30 May 2022) -- cookies: fix documentation comment - - Commit 4073cd83b2 added the noexpire parameter to Curl_cookie_add but - missed updating the documentation comment at the head of the file. - -Daniel Stenberg (30 May 2022) -- [Marc Hoersken brought this change] - - tests/data/test1940: use binary mode for expected stdout - - The generated stdout data is written in binary mode with [LF] - line endings, therefore we also need to do a binary comparison. - - Assisted-by: Jay Satiro - Assisted-by: Daniel Stenberg - - Follow up to c9b60f005358a364cbcddbebd8d12593acffdd84 - Fixes #8920 - Closes #8936 - -- CURLINFO_CAINFO/PATH.3: clarify the multiple TLS situation - - Spell out the multi-TLS situation. - - Reported-by: Dan Fandrich - Fixes #8926 - Closes #8932 - -Jay Satiro (28 May 2022) -- [JustAnotherArchivist brought this change] - - tool_getparam: fix --parallel-max maximum value constraint - - - Clamp --parallel-max to MAX_PARALLEL (300) instead of resetting to - default value. - - Previously, --parallel-max 300 would use 300 concurrent transfers, but - --parallel-max 301 would unexpectedly use only 50. This change clamps - higher values to the maximum (ie --parallel-max 301 would use 300). - - Closes https://github.com/curl/curl/pull/8930 - -Daniel Stenberg (27 May 2022) -- curl.1: add a few see also --tls-max - - Closes #8929 - -Viktor Szakats (26 May 2022) -- cmake: do not add libcurl.rc to the static libcurl library - - Fixes: https://github.com/curl/curl/pull/8918#issuecomment-1138263855 - - Reviewed-By: Karlson2k@users.noreply.github.com - Closes #8923 - -- cmake: support adding a suffix to the OS value - - CMake automatically uses the `CMAKE_SYSTEM_NAME` value to fill the OS - string appearing in the --version output after the curl version number, - for example: - - 'curl 7.83.1 (Windows)' - - This patchs adds the ability to pass a suffix that is appended to this - value. It's useful to add CPU info or other platform details, - for example: - - 'curl 7.83.1 (Windows-x64)' - - Closes #8919 - -- cmake: enable curl.rc for all Windows targets - - Before this patch, it was only enabled for MSVC. This syncs this - configuration with libcurl.rc, which was already included with - every Windows compiler. - - Closes #8918 - -- cmake: fix detecting libidn2 - - Without this patch, libidn2 detection doesn't even seem to be - attempted. With this patch, cmake can be configured to pick it - up and enable it. Necessary configuration remains manual and - differs from most other dependencies. - - If you are aware of a better fix, we're glad hearing about it - in a new Issue. - - Closes #8917 - -- version: allow stricmp() for sorting the feature list - - In CMakeLists.txt there is an attempt to detect `stricmp()`, and in - certain cases, this attempt is the only successful one to detect a - case-insensitive comparison function. `HAVE_STRICMP` is defined as - a result, but this macro wasn't used anywhere in the source. This - patch makes use of it as an alternative when alpha-sorting the - `--version` feature list. - - Reviewed-by: Daniel Stenberg - Closes #8916 - -Daniel Stenberg (25 May 2022) -- DISABLED: add six tests that fail with hyper - - 1117 1274 1940 1941 1942 1943 - -- c-hyper: mark status line as status for Curl_client_write() - - To make sure the headers API can filter it out as not a regular header. - - Reported-by: Gisle Vanem - Fixes #8894 - Closes #8914 - -Marc Hoersken (25 May 2022) -- tests/data/test1501: kill ftp server after slow LIST response - - This test is contributing to flakiness on the Windows CI runs. - Killing the ftp server after the test run like other slowness - tests already do may help resolve or reduce the flakiness. - - Closes #8907 - -Daniel Stenberg (25 May 2022) -- headers: fix the unfold realloc to use proper new size - - Previously it didn't take the old name length into acount - - Follow-up to: c9b60f005358a364 - Closes #8913 - -Marc Hoersken (25 May 2022) -- GHA: align all install, configure and build steps again - - First step towards more unified build steps on GitHub Actions. - - Closes #8873 - -- CI/azure: remove obsolete strategy for single builds - - This shortens these CI job names on GitHub even more. - Follow up to #8906 which also increased their timeout. - - Closes #8911 - -- CI/azure: shorten names of Windows CI jobs - - Suggested-by: Daniel Stenberg - Closes #8906 - -Daniel Stenberg (24 May 2022) -- http: restore header folding behavior - - Folded header lines will now get passed through like before. The headers - API is adapted and will provide the content unfolded. - - Added test 1274 and extended test 1940 to verify. - - Reported-by: Petr Pisar - Fixes #8844 - Closes #8899 - -Viktor Szakats (24 May 2022) -- Makefile.m32: delete obsolete options, improve -On [ci skip] - - - `-D_AMD64_` has not been necessary for mingw-w64 builds for a long time now. - - `-fno-strict-aliasing` is mentioned for Intel C compiler in autotools, and - I used this with VxWorks in another project, but otherwise this isn't - necessary anymore as a default. If a target still needs it, it can be - added with `CURL_CFLAG_EXTRAS=-fno-strict-aliasing` - - bump up default optimization level to `-O3` (from `-O2`), and also rearrange - option order so the default can now be overridden via - `CURL_CFLAG_EXTRAS`. - - delete `-g` (generate debug info) from `CFLAGS` and `-s` from `LDFLAGS` - (strip debug info). They were working against each other. Now, if someone - needs debug info, it can be enabled via `CURL_CFLAG_EXTRAS=-g` - - Closes #8904 - -Daniel Gustafsson (24 May 2022) -- ntlm: fix one more hostname test fallout - - This fixup was missed in commit 5a41abef6dca19. - - Closes: #8901 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- doh: remove UNITTEST macro definition - - The UNITTEST macro is defined by curl_setup.h so there is no use in - carry a local copy of the logic. - - Closes: #8902 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (24 May 2022) -- cookie: fix false positive "potentially uninitialized local variable" - - Reviewed-by: Daniel Gustafsson - Closes #8903 - -- curl: add --rate to set max request rate per time unit - - --rate "12/m" - for 12 per minute or - --rate "5/h" - for 5 per hour - - Removed from TODO - - Closes #8671 - -- [Jay Satiro brought this change] - - max-time.d: clarify max-time sets max transfer time - - Prior to this change the doc said --max-time set the maximum time of the - 'whole operation' which is not accurate. The option maps to - CURLOPT_TIMEOUT_MS which sets maximum transfer time. - - For example, the maximum time on a transfer is reset if the transfer is - retried (--retry). - - Reported-by: Nuru@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/8877 - Closes #8879 - -- GHA/hyper: enable debug in the build - -- hyper: use 'alt-used' - - Makes test 412+413 work - - Closes #8898 - -- RELEASE-NOTES: synced - -- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl - - Closes #8888 - -- links: update dead links - - The wiki pages are gone, remove and link to more long-living docs. - - Closes #8897 - -- ntlm: (void) typecast msnprintf() where we ignore return code - - Follow-up to 5a41abef6, to please Coverity - -Daniel Gustafsson (22 May 2022) -- ntlm: copy NTLM_HOSTNAME to host buffer - - Commit 709ae2454f43 added a fake hostname to avoid leaking the local - hostname, but omitted copying it to the host buffer. Fix by copying - and adjust the test fallout. - - Closes: #8895 - Fixes: #8893 - Reported-by: Patrick Monnerat <patrick@monnerat.net> - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- configure: use the SED value to invoke sed - - Rather than assuming sed in PATH, use the resolved $SED variable - like in all other invocations of sed in configure. - - Closes: #8891 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> - -Daniel Stenberg (20 May 2022) -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Allow curl to send larger UDP datagrams - - Allow curl to send larger UDP datagram if Path MTU Discovery finds the - availability of larger path MTU. To make it work and not to send - fragmented packet, we need to set DF bit. That makes send(2) fail with - EMSGSIZE if UDP datagram is too large. In that case, just let it be - lost. This patch enables DF bit for Linux only. - - Closes #8883 - -- libcurl-security.3: add "Secrets in memory" - - Closes #8881 - -- tests: update NTLM tests to use new host name - - Also drop the debug requirement, remove the setenv sections, remove - prechecks and add NTLM to the top keywords. - - Closes #8889 - -- ntlm: provide a fixed fake host name - - The NTLM protocol includes providing the local host name, but apparently - other implementations already provide a fixed fake name instead to avoid - leaking the real local name. - - The exact name used is 'WORKSTATION', because Firefox uses that. - - The change is written to allow someone to "back-pedal" fairly easy in - case of need. - - Reported-by: Carlo Alberto - Fixes #8859 - Closes #8889 - -Daniel Gustafsson (20 May 2022) -- KNOWN_BUGS: fix typo in problem description - - s/TSL/TLS/ - -- FEATURES: remove yassl as TLS library for NTLM - - yassl was added in commit 9d904ee41b880b but is no longer available - and is thus not a library to use for NTLM. This aligns the FEATURES - doc with the FAQ. - - Closes: #8886 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- FEATURES: reorder footnotes - - The empty left-behind footnote confused the website rendering into - creating a nested emoty list, making the resulting page look quite - odd. Remove and re-order the remaining ones to avoid a gap in the - sequence. - - Closes: #8886 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- FAQ: remove opinionated sentence on NTLM - - curl is a tool that support many different things, and it doesn't - really seem like our job to tell other what to use (as they might - not have much say in the matter even). Also tidy up wording. - - Closes: #8886 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Viktor Szakats (20 May 2022) -- log2changes: do not indent empty lines [ci skip] - - This will omit two spaces of indentation from lines with no content, - thus avoiding 'spaces @ EOL'. - - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - Closes #8887 - -Daniel Stenberg (19 May 2022) -- wolfssl: correct the failf() message when a handle can't be made - - Closes #8885 - -Viktor Szakats (19 May 2022) -- Makefile.m32: delete two obsolete OpenSSL options [ci skip] - - - -DOPENSSL_NO_KRB5: No longer used by OpenSSL 1.1.x, 3.x, or - LibreSSL 3.5.x, yet it collides with the latter, which defines - it unconditionally, resulting in this warning: - ../../libressl/include/openssl/opensslfeatures.h:14:9: warning: 'OPENSSL_NO_KRB5' macro redefined [-Wmacro-redefined] - It was originally added to curl in 2004. - - - -DHAVE_OPENSSL_PKCS12_H: No longer used by OpenSSL 1.1.x, 3.x, or - LibreSSL back to at least 2.5.5. Originally added in the same - commit as the above, in 2004. - - Closes #8884 - -Daniel Stenberg (19 May 2022) -- RELEASE-NOTES: synced - - bump to 7.84.0 - -- [Christian Weisgerber via curl-library brought this change] - - Makefile.am: fix portability issues - - Commit a04f0b961333e1a19848d073d8c7db9c20b2a371 made me notice that - there is a portability issue in curl's top-level Makefile.am. - - $< can only be used in rules that deal with .SUFFIXES. Its use - for general prerequisites is a GNU make extension. - - $< could be replaced by $?, but I think in an autotools context, - something like this is better: - - Bug: https://curl.se/mail/lib-2022-05/0024.html - Closes #8861 - -- [Balakrishnan Balasubramanian brought this change] - - socks: support unix sockets for socks proxy - - Usage: - curl -x "socks5h://localhost/run/tor/socks" "https://example.com" - - Updated runtests.pl to run a socksd server listening on unix socket - - Added tests test1467 test1468 - - Added documentation for proxy command line option and socks proxy - options - - Closes #8668 - -- [Vincent Torri brought this change] - - cmake: add libpsl support - - Fixes #8865 - Closes #8867 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: extend QUIC transport parameters buffer - - Extend QUIC transport parameters buffer because 64 bytes are too - short for the ever increasing parameters. - - Closes #8872 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: handle error from ngtcp2_conn_submit_crypto_data - - Closes #8871 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: send appropriate connection close error code - - Closes #8870 - -- test1561: adjusted for the cookie fix - -- test414: verify secure cookie domain overlay - -- [Harry Sintonen brought this change] - - cookie: address secure domain overlay - - Bug: https://hackerone.com/reports/1560324 - Co-authored-by: Daniel Stenberg - Closes #8840 - -- [Frank Gevaerts brought this change] - - strcase: some optimisations - - Lookup tables for toupper() and tolower() make Curl_strcasecompare() - about 1.5 times faster. Reorganising Curl_strcasecompare() to fully exit - early then also allows simplifying the check at the end, for another - 15%. In total, the changes make Curl_strcasecompare() around 1.6 to 1.7 - times faster. - - Note that these optimisation assume ASCII. The original - Curl_raw_toupper() and raw_tolower() look like they already made that - assumption. - - Closes #8875 - -- BUG-BOUNTY.md: mention the audit exception - - Dedicated - paid for - security audits that are performed in - collaboration with curl developers are not eligible for bounties. - - (plus I changed the sub-titles to use ## instead of # in the markdown) - - Closes #8880 - -- lib/vssh/wolfssh.h: removed - - Unused header file - - Reported-by: Illarion Taev - Fixes #8863 - Closes #8866 - -- [Elms brought this change] - - wolfSSL: explicitly use compatibility layer - - This change removes adding an include `$prefix/wolfssl` or similar to - allow for openssl include aliasing. Include paths of `wolfssl/openssl/` - are used to explicitly use wolfSSL includes. This fixes cmake builds as - well as avoiding potentially using openSSL headers since include path - order is not guaranteed. - - Closes #8864 - -- curl: deprecate --random-file and --egd-file - - As libcurl no longer has any functionality for them, the tool now does - nothing with them. - - Closes #8670 - -- opts: deprecate RANDOM_FILE and EGDSOCKET - - These two options were only ever used for the OpenSSL backend for - versions before 1.1.0. They were never used for other backends and they - are not used with recent OpenSSL versions. They were never used much by - applications. - - The defines RANDOM_FILE and EGD_SOCKET can still be set at build-time - for ancient EOL OpenSSL versions. - - Closes #8670 - -- [Harry Sintonen brought this change] - - bindlocal: don't use a random port if port number would wrap - - Earlier if CURLOPT_LOCALPORT + CURLOPT_LOCALPORTRANGE would go past port - 65535 the code would fall back to random port rather than giving up. - - Closes #8862 - -Daniel Gustafsson (16 May 2022) -- transfer: Fix potential NULL pointer dereference - - Commit 0ef54abf5208 accidentally used the conn variable before the - assertion for it being NULL. Fix by moving the assignment which use - conn to after the assertion. - - Closes: #8857 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- docs: clarify data replacement policy for MIME API - - The API documentation for the MIME functions specify that the parts - can be set twice, with the last call winning. While true, the user - can set the parts n times for n > 2, reword to specify multiple API - calls instead. - - Closes: #8860 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (16 May 2022) -- [vvb2060 on github brought this change] - - ngtcp2: support boringssl crypto backend - - Closes #8789 - -- [Tatsuhiro Tsujikawa brought this change] - - quic: add Curl_quic_idle - - Add Curl_quic_idle which is called when no HTTP level read or write is - performed. It is a good place to handle timer expiry for QUIC transport - (.e.g, retransmission). - - Closes #8698 - -- [Gregor Jasny brought this change] - - mprintf: ignore clang non-literal format string - - Closes #8740 - -- [Nick Zitzmann brought this change] - - sectransp: check for a function defined when __BLOCKS__ is undefined - - SecTrustEvaluateAsync() is defined in the macOS 10.7 SDK, but it - requires Grand Central Dispatch to be supported by the compiler, and - some third-party macOS compilers do not support Grand Central Dispatch. - SecTrustCopyPublicKey() is not present in macOS 10.6, so this shouldn't - adversely affect anything. - - Fixes #8846 - Reported-by: Egor Pugin - Closes #8854 - -Daniel Gustafsson (16 May 2022) -- test412/413: Use version macro for User-Agent - - Commit 46d45ea3a incorrectly hardcoded the User-Agent in the test - output file which breaks when curlver is updated. Shift to using - the %VERSION macro instead. - - Closes: #8856 - -- macos9: remove partial support - - The support for compiling on Mac OS 9 hasn't been modified since 2001 - and has no active maintainer or packager, so it's time to remove it as - it's incredibly unlikely to work. If a maintainer re-emerges it can be - resurrected from Git history. - - Closes: #8836 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (16 May 2022) -- test1635: verify --fail-with-body with --retry - - Almost a dupe of 1634 - - Closes #8847 - -- tool_operate: make sure --fail-with-body works with --retry - - ... in the same way --fail already does. - - Reported-by: Jakub Bochenski - Fixes #8845 - Closes #8847 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Correct use of ngtcp2 and nghttp3 signed integer types - - Closes #8851 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Fix alert_read_func return value - - Closes #8852 - -- [Harry Sintonen brought this change] - - Curl_parsenetrc: don't access local pwbuf outside of scope - - Accessing local variables outside of the scope is forbidden and - depending on the compiler can result in the value being - overwritten. Fixed by moving the pwbuf to be in scope. - - Closes #8850 - -- RELEASE-NOTES: synced - - and bump curlver to 7.83.2 for now (but likely to become 7.84.0 soon) - -- [Frazer Smith brought this change] - - ci: update github actions - - - bump actions/checkout from 2 to 3 - - bump actions/upload-artifact from 1 to 3 - - bump github/codeql-actions from 1 to 2 - - use version tag for actions/checkout - - Closes #8843 - -- test1919: verify CURLOPT_XOAUTH2_BEARER leak fix - -- url: free old conn better on reuse - - Make use of conn_free() better and avoid duplicate code. - - Reported-by: Andrea Pappacoda - Fixes #8841 - Closes #8842 - -Jay Satiro (14 May 2022) -- FAQ: Clarify Windows double quote usage - - - Windows command prompt doesn't use literal quoting via single quotes. - - - Windows command prompt inner double quotes are escaped with a - backslash. - - - Windows powershell does use single quotes but curl is not a powershell - script so the arguments may not be passed on correctly. - - - Windows powershell inner double quotes seems can be passed to curl if - the outer quotes are double quotes and an escape of backslash-backtick - is used. - - Command prompt example: - - ~~~ - getargs -v -d "\"a\"" - - argv[0]: getargs - argv[1]: -v - argv[2]: -d - argv[3]: "a" - ~~~ - - Ref: https://github.com/curl/curl/issues/8818 - Ref: https://gist.github.com/jay/19aba48653bd591cf4b90eb9249a302c - - Reported-by: KotlinIsland@users.noreply.github.com - - Closes https://github.com/curl/curl/pull/8823 - -Daniel Stenberg (12 May 2022) -- github/workflows/nss: apt update first - - Fix "libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb 404 Not Found" - - Closes #8837 - -- page-footer: mention exit code zero too - - Success (zero) is also an "exit code" worth mentioning. - - Closes #8833 - -Daniel Gustafsson (12 May 2022) -- gssapi: initialize gss_buffer_desc strings - - Explicitly initialize gss_buffer_desc strings such that a call to - freeing resources will succeed even if no data has been allocated - to it. - - Reported-by: Jay Satiro <raysatiro@yahoo.com> - -- gssapi: improve handling of errors from gss_display_status - - In case gss_display_status() returns an error, avoid trying to add - it to the buffer as the message may well be a NULL pointer. - - Originally this fix comes from a discussion in issue #8816. - - Closes: #8832 - Reviewed-by: Jay Satiro <raysatiro@yahoo.com> - -Jay Satiro (12 May 2022) -- [steini2000 brought this change] - - http2: always debug print stream id in decimal with %u - - Prior to this change the stream id shown could be hex or decimal which - was inconsistent and confusing. - - Closes https://github.com/curl/curl/pull/8808 - -Kamil Dudka (11 May 2022) -- url: remove redundant #ifdefs in allocate_conn() - - No change in behavior intended by this commit. - -Daniel Stenberg (11 May 2022) -- [Fabian Keil brought this change] - - tests 266, 116 and 1540: add a small write delay - - This makes it more likely that the trailer is received - seperately from the last-chunk. - - curl doesn't seem to care about this but it makes the tests - more useful when testing external proxies like Privoxy. - -- [Fabian Keil brought this change] - - tests 1117,1238,1523: adjust writedelay servercmds - - ... so the delays are the same now that the unit - is in milliseconds. - -- [Fabian Keil brought this change] - - tests/server/sws.c: change the HTTP writedelay unit to milliseconds - - This allows to use write delays for large responses without - resulting in the test taking an unreasonable amount of time. - - In many cases delaying writes by a whole second or more isn't - necessary for the desired effect. - - Closes #8827 - -Daniel Gustafsson (11 May 2022) -- aws-sigv4: fix potentional NULL pointer arithmetic - - We need to check if the strchr() call returns NULL (due to missing - char) before we use the returned value in arithmetic. There is no - live bug here, but fixing it before it can become for hygiene. - - Closes: #8814 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (11 May 2022) -- quiche: support ca-fallback - - Follow-up to b01f3e679f4c1ea3 which added this for ngtcp2/openssl - - Removed from KNOWN_BUGS - - Fixes #8696 - Closes #8830 - -Daniel Gustafsson (11 May 2022) -- x509asn1: mark msnprintf return as unchecked - - We have lots of unchecked msnprintf calls, and this particular msnprintf - call isn't more interesting than the others, but this one yields a Coverity - warning so let's implicitly silence it. Going over the other invocations - is probably a worthwhile project, but for now let's keep the static - analyzers happy. - - Closes: #8831 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Version 7.83.1 (11 May 2022) - -Daniel Stenberg (11 May 2022) -- RELEASE-NOTES: synced - - curl 7.83.1 release - -- THANKS: added contributors from 7.83.1 - -- zuul: fix the ngtcp2-gnutls build - - Add packages and tweak the configure options. - - Use the GnuTLS 3.7.4 branch (not main). - - Closes #8829 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: add ca-fallback support for OpenSSL backend - - Closes #8828 - -- url: check SSH config match on connection reuse - - CVE-2022-27782 - - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27782.html - Closes #8825 - -- tls: check more TLS details for connection reuse - - CVE-2022-27782 - - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27782.html - Closes #8825 - -- cookies: make bad_domain() not consider a trailing dot fine - - The check for a dot in the domain must not consider a single trailing - dot to be fine, as then TLD + trailing dot is fine and curl will accept - setting cookies for it. - - CVE-2022-27779 - - Reported-by: Axel Chong - Bug: https://curl.se/docs/CVE-2022-27779.html - Closes #8820 - -- test977: reproduce ability to set cookie on TLD - - When PSL is not enabled - -- scripts/contributors.sh: correct the copyright range - -- docs/RELEASE-PROCEDURE.md: refreshed and adjsuted the release dates - -- test379: verify --remove-on-error with --no-clobber - -- post_per_transfer: remove the updated file name - - When --remove-on-error is used with --no-clobber, it might have an - updated file name to remove. - - Bug: https://curl.se/docs/CVE-2022-27778.html - - CVE-2022-27778 - - Reported-by: Harry Sintonen - - Closes #8824 - -- hsts: ignore trailing dots when comparing hosts names - - CVE-2022-30115 - - Reported-by: Axel Chong - Bug: https://curl.se/docs/CVE-2022-30115.html - Closes #8821 - -- test440/441: verify HSTS with trailing dots - -- libtest/lib1560: verify the host name percent decode fix - -- urlapi: reject percent-decoding host name into separator bytes - - CVE-2022-27780 - - Reported-by: Axel Chong - Bug: https://curl.se/docs/CVE-2022-27780.html - Closes #8826 - -- nss: return error if seemingly stuck in a cert loop - - CVE-2022-27781 - - Reported-by: Florian Kohnhäuser - Bug: https://curl.se/docs/CVE-2022-27781.html - Closes #8822 - -- test412/413: verify alt-svc with trailing dots - -- altsvc: fix host name matching for trailing dots - - Closes #8819 - -- [Garrett Squire brought this change] - - hyper: fix test 357 - - This change fixes the hyper API such that PUT requests that receive a - 417 response can retry without the Expect header. - - Closes #8811 - -- [Harry Sintonen brought this change] - - sectransp: bail out if SSLSetPeerDomainName fails - - Before the code would just warn about SSLSetPeerDomainName() errors. - - Closes #8798 - -- http_proxy/hyper: handle closed connections - - Enable test 1021 for hyper builds. - - Patched-by: Prithvi MK - Fixes #8700 - Closes #8806 - -- KNOWN_BUGS: timeout when reusing a http3 connection - - Closes #8764 - -- KNOWN_BUGS: configure --with-ca-fallback is not supported by h3 - - Closes #8696 - -- [Ryan Schmidt brought this change] - - Makefile: fix "make ca-firefox" - - Closes #8804 - -Daniel Gustafsson (5 May 2022) -- tests: fix markdown formatting in README - - The asterisk in the abbreviation *NIX (for UNIX/Linux) needs to be - escaped to not mean start of italic formatting. This is consistent - with docs/RELEASE-PROCEDURE.md. - - Closes: #8802 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (5 May 2022) -- TODO: expand on "Expose tried IP addresses that failed" - - Ref: #8794 - -Daniel Gustafsson (5 May 2022) -- [Fabian Keil brought this change] - - tests/server: declare variable 'reqlogfile' static - - Silences the warning: - - CC socksd-socksd.o - socksd.c:143:13: warning: no previous extern declaration for - non-static variable 'reqlogfile' [-Wmissing-variable-declarations] - const char *reqlogfile = DEFAULT_REQFILE; - ^ - socksd.c:143:7: note: declare 'static' if the variable is not - intended to be used outside of this translation unit - const char *reqlogfile = DEFAULT_REQFILE; - ^ - 1 warning generated. - - ... when compiling with clang 13. - - Closes: #8799 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -- HTTP-COOKIES: add missing CURLOPT_COOKIESESSION - - Commit 980a47b42 added support for ignoring session cookies, but it - was never added to the documentation. - - Closes: #8795 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (5 May 2022) -- docs/THANKS: remove name duplicate - -- [Philip Heiduck brought this change] - - .mailmap: update - - Closes #8800 - -Jay Satiro (5 May 2022) -- mbedtls: fix some error messages - - Prior to this change some of the error messages misidentified the - function that failed. - -Daniel Stenberg (5 May 2022) -- RELEASE-NOTES: synced - -- [Sergey Markelov brought this change] - - x509asn1: make do_pubkey handle EC public keys - - Closes #8757 - -- [Harry Sintonen brought this change] - - mbedtls: bail out if rng init fails - - There was a failf() call but no actual error return. - - Closes #8796 - -- [Sergey Markelov brought this change] - - urlapi: address (harmless) UndefinedBehavior sanitizer warning - - `while(i--)` causes runtime error: unsigned integer overflow: 0 - 1 - cannot be represented in type 'size_t' (aka 'unsigned long') - - Closes #8797 - -- [Fabian Keil brought this change] - - test{898,974,976}: add 'HTTP proxy' keywords - - ... so the tests can be automatically skipped when - testing external HTTP proxies like Privoxy. - - Closes #8791 - -- [Harry Sintonen brought this change] - - gskit_connect_step1: fixed bogus setsockopt calls - - setsockopt takes a reference to value, not value. With the current - code this just leads to -1 return value with errno EFAULT. - - Closes #8793 - -- CURLOPT_SSH_AUTH_TYPES.3: fix the default - - The default is all possible methods. - - Closes #8792 - -- CURLOPT_DOH_URL.3: mention the known bug - - It is mostly duplicating info from KNOWN_BUGS but make it easier to find - for users of this option. - - Closes #8790 - -- CURLOPT_HSTS*FUNCTION.3: document the involved structs as well - - Reviewed-By: Daniel Gustafsson - Closes #8788 - -- docs/SECURITY-PROCESS.md: "Visible command line arguments" - -- SECURITY-PROCESS: mention "URL inconsistencies" - - ... as common problems that are *not* vulns. - -Daniel Gustafsson (2 May 2022) -- contributors: strip off final comma - - The final row of contributors should not end with a comma as it's the - end of the list. - - Closes: #8785 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (2 May 2022) -- [Philip Heiduck brought this change] - - misc: use "autoreconf -fi" instead buildconf - - Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - Closes #8777 - -Daniel Gustafsson (2 May 2022) -- [Philip Heiduck brought this change] - - cirrus: Use pip for Python packages on FreeBSD - - Using pip instead of easy_install is more in line with how other - CI images are being maintained. - - Closes: #8783 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -- [Philip Heiduck brought this change] - - cirrus: Update to FreeBSD 12.3 - - Closes: #8783 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -- tool_getparam: simplify conditional statement - - param_place cannot be NULL here since we immediately efter this block - perform arithmetic on it (and use it in order to get here) so there is - little reason to check. - - Closes: #8786 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- RELEASE-NOTES: synced - -- gskit: remove unused function set_callback - - This function has been unused since the initial commit of the GSKit - backend in 0eba02fd4. The motivation for the code was getting the - whole certificate chain: the only place where the latter is available - is as a callback parameter. Unfortunately it is not possible to pass - a user pointer to this callback, which precludes the possibility to - associate the cert chain with a data/conn structure. - - For further information, search for pgsk_cert_validation_callback on: - https://www.ibm.com/docs/api/v1/content/ssw_ibm_i_71/apis/gsk_attribute_set_callback.htm - - As the upstream library never added a parameter like that to the API, - we give up the wait and remove the dead code. - - Closes: #8782 - Reviewed-by: Patrick Monnerat <patrick@monnerat.net> - -- curl: free resource in error path - - If the new filename cannot be generated due to memory pressure, free - the allocated aname on the way out to avoid a small leak. - - Closes: #8770 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- curl: guard against size_t wraparound in no-clobber code - - When generating the new filename, make sure we aren't overflowing the - size_t limit when calculating the new length. This is mostly academic - but good code hygeine nonetheless. - - Closes: #8771 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (30 Apr 2022) -- gha: build msh3 - - Closes #8779 - -- scripts/cijobs.pl: try "current branch" first then "master" - -- [Yusuke Nakamura brought this change] - - msh3: get msh3 version from MsH3Version - - Closes #8762 - -- [Yusuke Nakamura brought this change] - - msh3: psss remote_port to MsH3ConnectionOpen - - MsH3 supported additional "Port" parameter to connect not hosted on - 443 port QUIC website. - - * https://github.com/nibanks/msh3/releases/tag/v0.3.0 - * https://github.com/nibanks/msh3/pull/37 - - Closes #8762 - -- [Christian Weisgerber brought this change] - - openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl - - SSL_CTX_set1_curves_list() has been available since LibreSSL 2.5.3, - released five years ago. - - Bug: https://curl.se/mail/lib-2022-04/0059.html - Closes #8773 - -- http: move Curl_allow_auth_to_host() - - It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef - - Reported-by: Michael Olbrich - Fixes #8772 - Closes #8775 - -Daniel Gustafsson (29 Apr 2022) -- msh3: print boolean value as text representation - - Print the boolean value as its string representation instead of with - %hhu which isn't a format we typically use. - - Closes: #8763 - Reviewed-by: Nick Banks <nibanks@microsoft.com> - -Daniel Stenberg (29 Apr 2022) -- data/test376: set a proper name - -- GHA/mbedtls: enabled nghttp2 in the build - - Closes #8767 - -- mbedtls: fix compile when h2-enabled - - Fixes #8766 - Reported-by: LigH-de on github - Closes #8768 - -- RELEASE-NOTES: synced - - bumped curlver to 7.83.1-dev - -- SECURITY-PROCESS: extended - - Also clarify BUG-BOUNTY.md with IBB details. - - Closes #8754 - -- [Adam Rosenfield brought this change] - - conn: fix typo 'connnection' -> 'connection' in two function names - - Closes #8759 - -Version 7.83.0 (27 Apr 2022) - -Daniel Stenberg (27 Apr 2022) -- RELEASE-NOTES: synced - - The 7.83.0 release - -- docs/THANKS: contributors from 7.83.0 - -- test 898/974/976: require proxy to run - - Fixes #8755 - Reported-by: Marc Hörsken - Closes #8756 - -- gnutls: don't leak the SRP credentials in redirects - - Follow-up to 620ea21410030 and 139a54ed0a172a - - Reported-by: Harry Sintonen - Closes #8752 - -- CURLOPT*TLSAUTH: they only work with OpenSSL or GnuTLS - - Closes #8753 - -- openssl: don't leak the SRP credentials in redirects either - - Follow-up to 620ea21410030 - - Reported-by: Harry Sintonen - Closes #8751 - -- [Liam Warfield brought this change] - - hyper: fix tests 580 and 581 for hyper - - Hyper now has the ability to preserve header order. This commit adds a - few lines setting the connection options for this feature. - - Related to issue #8617 - Closes #8707 - -- conncache: remove name arg from Curl_conncache_find_bundle - - To simplify, and also since the returned name is not the full actual - name used for the check. The port number and zone id is also involved, - so just showing the name is misleading. - - Closes #8750 - -- tests: verify the fix for CVE-2022-27774 - - - Test 973 redirects from HTTP to FTP, clear auth - - Test 974 redirects from HTTP to HTTP different port, clear auth - - Test 975 redirects from HTTP to FTP, permitted to keep auth - - Test 976 redirects from HTTP to HTTP different port, permitted to keep - auth - -- transfer: redirects to other protocols or ports clear auth - - ... unless explicitly permitted. - - Bug: https://curl.se/docs/CVE-2022-27774.html - Reported-by: Harry Sintonen - Closes #8748 - -- connect: store "conn_remote_port" in the info struct - - To make it available after the connection ended. - -- cookie.d: clarify when cookies are always sent - -- test898: verify the fix for CVE-2022-27776 - - Do not pass on Authorization headers on redirects to another port - -- http: avoid auth/cookie on redirects same host diff port - - CVE-2022-27776 - - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27776.html - Closes #8749 - -- libssh2: make the md5 comparison fail if wrong length - - Making it just skip the check unless exactly 32 is too brittle. Even if - the docs says it needs to be exactly 32, it is be safer to make the - comparison fail here instead. - - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1549461 - Closes #8745 - -- conncache: include the zone id in the "bundle" hashkey - - Make connections to two separate IPv6 zone ids create separate - connections. - - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27775.html - Closes #8747 - -- [Patrick Monnerat brought this change] - - url: check sasl additional parameters for connection reuse. - - Also move static function safecmp() as non-static Curl_safecmp() since - its purpose is needed at several places. - - Bug: https://curl.se/docs/CVE-2022-22576.html - - CVE-2022-22576 - - Closes #8746 - -- libssh2: compare sha256 strings case sensitively - - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1549435 - Closes #8744 - -- tool_getparam: error out on missing -K file - - Add test 411 to verify. - - Reported-by: Median Median Stride - Bug: https://hackerone.com/reports/1542881 - Closes #8731 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: deal with sub-millisecond timeout - - Closes #8738 - -- misc: update copyright year ranges - -- c_escape: escape '?' in generated --libcurl code - - In order to avoid the risk of it being used in an accidental trigraph in - the generated code. - - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1548535 - Closes #8742 - -- [Philip Heiduck brought this change] - - mlc: curl.zuul.vexxhost.dev is reachable again - - remove it from ignorelist for linkcheck - - Closes #8736 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: avoid busy loop in low CWND situation - - Closes #8739 - -- TODO: telnet - exit immediately upon connection if stdin is /dev/null - - Suggested-by: Robin A. Meade - URL: https://curl.se/mail/archive-2022-04/0027.html - -- [Kushal Das brought this change] - - docs: updates spellings with full words - - Closes #8730 - -- tests/FILEFORMAT.md: spellfix - -Daniel Gustafsson (21 Apr 2022) -- misc: fix typos - - Fix a few random typos is comments and workflow names. - -- macos: fix .plist installation into framework - - The copy command introduced in e498a9b1f had leftover '>' from the - previous sed command it replaced, which broke its syntax. Fix by - removing. - - Reported-by: Emanuele Torre <torreemanuele6@gmail.com> - -Daniel Stenberg (21 Apr 2022) -- [Christopher Degawa brought this change] - - Makefile: fix ca-bundle due to mk-ca-bundle.pl being moved - - The script was moved in 8e22fc68e7dda43e9f but the lines that called it - was not changed to reflect it's new position - - Signed-off-by: Christopher Degawa <ccom@randomderp.com> - - Closes #8728 - -Daniel Gustafsson (20 Apr 2022) -- macos: set .plist version in autoconf - - Set the libcurl version in libcurl.plist like how libcurl.vers is - created. - - Closes: #8692 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - Reviewed-by: Nick Zitzmann <nickzman@gmail.com> - -- cookies: Improve errorhandling for reading cookiefile - - The existing programming had some issues with errorhandling for reading - the cookie file. If the file failed to open, we would silently ignore it - and continue as if there was no file (or stdin) passed. In this case, we - would also call fclose() on the NULL FILE pointer, which is undefined - behavior. Fix by ensuring that the FILE pointer is set before calling - fclose on it, and issue a warning in case the file cannot be opened. - Erroring out on nonexisting file would break backwards compatibility of - very old behavior so we can't really go there. - - Closes: #8699 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - Reviewed-by: Jay Satiro <raysatiro@yahoo.com> - -Daniel Stenberg (20 Apr 2022) -- libcurl-tutorial.3: spellfix and minor polish - -- CURLINFO_PRIMARY_PORT.3: spellfix - - Reported-by: Patrick Monnerat - -- [Jay Dommaschk brought this change] - - libssh: fix double close - - libssh closes the socket in ssh_diconnect() so make sure that libcurl - does not also close it. - - Fixes #8708 - Closes #8718 - -Jay Satiro (20 Apr 2022) -- [Gisle Vanem brought this change] - - unit1620: call global_init before calling Curl_open - - Curl_open calls the resolver init and on Windows if the resolver backend - is c-ares then the Windows sockets library (winsock) must already have - been initialized (via global init). - - Ref: https://github.com/curl/curl/pull/8540#issuecomment-1059771800 - - Closes https://github.com/curl/curl/pull/8719 - -Daniel Stenberg (19 Apr 2022) -- CURLINFO_PRIMARY_PORT.3: clarify which port this is - - As it was not entirely clear previously. - - Closes #8725 - -- CURLOPT_UNRESTRICTED_AUTH.3: extended explanation - - Include details about Authentication headers. - - Reported-by: Brad Spencer - Fixes #8724 - Closes #8726 - -- .github/workflows/macos.yml: add a libssh job with c-ares - - ... to enable the memdebug system - - Closes #8720 - -- RELEASE-NOTES: synced - -Jay Satiro (17 Apr 2022) -- [Gisle Vanem brought this change] - - docs/HTTP3.md: fix typo - - also fix msh3 section formatting - - Ref: https://github.com/curl/curl/commit/37492ebb#r70980087 - -Marc Hoersken (17 Apr 2022) -- timediff.[ch]: add curlx helper functions for timeval conversions - - Also move timediff_t definitions from timeval.h to timediff.h and - then make timeval.h include the new standalone-capable timediff.h. - - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg - - Supersedes #5888 - Closes #8595 - -Daniel Stenberg (17 Apr 2022) -- [Balakrishnan Balasubramanian brought this change] - - tests: refactor server/socksd.c to support --unix-socket - - Closes #8687 - -- [Emanuele Torre brought this change] - - tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3) - - This loop was using the number of bytes read from the file as condition - to keep reading. - - From Linux's fread(3) man page: - > On success, fread() and fwrite() return the number of items read or - > written. This number equals the number of bytes transferred only when - > size is 1. If an error occurs, or the end of the file is reached, the - > return value is a short item count (or zero). - > - > The file position indicator for the stream is advanced by the number - > of bytes successfully read or written. - > - > fread() does not distinguish between end-of-file and error, and - > callers must use feof(3) and ferror(3) to determine which occurred. - - This means that nread!=0 doesn't make much sense as an end condition for - the loop: nread==0 doesn't necessarily mean that EOF has been reached or - an error has occured (but that is usually the case) and nread!=0 doesn't - necessarily mean that EOF has not been reached or that no read errors - have occured. feof(3) and ferror(3) should be uses when using fread(3). - - Currently curl has to performs an extra fread(3) call to get a return - value equal to 0 to stop looping. - - This usually "works" (even though nread==0 shouldn't be interpreted as - EOF) if stdin is a pipe because EOF usually marks the "real" end of the - stream, so the extra fread(3) call will return immediately and the extra - read syscall won't be noticeable: - - bash-5.1$ strace -e read curl -s -F file=@- 0x0.st <<< a 2>&1 | - > tail -n 5 - read(0, "a\n", 4096) = 2 - read(0, "", 4096) = 0 - read(0, "", 4096) = 0 - http://0x0.st/oRs.txt - +++ exited with 0 +++ - bash-5.1$ - - But this doesn't work if curl is reading from stdin, stdin is a - terminal, and the EOF is being emulated using a shell with ^D. Two - consecutive ^D will be required in this case to actually make curl stop - reading: - - bash-5.1$ curl -F file=@- 0x0.st - a - ^D^D - http://0x0.st/oRs.txt - bash-5.1$ - - A possible workaround to this issue is to use a program that handles EOF - correctly to indirectly send data to curl's stdin: - - bash-5.1$ cat - | curl -F file=@- 0x0.st - a - ^D - http://0x0.st/oRs.txt - bash-5.1$ - - This patch makes curl handle EOF properly when using fread(3) in - file2memory() so that the workaround is not necessary. - - Since curl was previously ignoring read errors caused by this fread(3), - ferror(3) is also used in the condition of the loop: read errors and EOF - will have the same meaning; this is done to somewhat preserve the old - behaviour instead of making the command fail when a read error occurs. - - Closes #8701 - -- gen.pl: change wording for mutexed options - - Instead of saying "This option overrides NNN", now say "This option is - mutually exclusive to NNN" in the generated man page ouput, as the - option does not in all cases actually override the others but they are - always mutually exclusive. - - Ref: #8704 - Closes #8716 - -- curl: error out if -T and -d are used for the same URL - - As one implies PUT and the other POST, both cannot be used - simultaneously. - - Add test 378 to verify. - - Reported-by: Boris Verkhovskiy - Fixes #8704 - Closes #8715 - -- lib: remove exclamation marks - - ... from infof() and failf() calls. Make them less attention seeking. - - Closes #8713 - -- fail.d: tweak the description - - Reviewed-by: Daniel Gustafsson - Suggested-by: Robert Charles Muir - Ref: https://twitter.com/rcmuir/status/1514915401574010887 - - Closes #8714 - -Daniel Gustafsson (15 Apr 2022) -- docs: Fix missing semicolon in example code - - Multiple share examples were missing a semicolon on the line defining - the CURLSHcode variable. - - Closes: #8697 - Reported-by: Michael Kaufmann <mail@michael-kaufmann.ch> - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- infof: consistent capitalization of warning messages - - Ensure that all infof calls with a warning message are capitalized - in the same way. At some point we should probably set up a style- - guide for infof but until then let's aim for a little consistenncy - where we can. - - Closes: #8711 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- RELEASE-NOTES: synced - -- [Matteo Baccan brought this change] - - perl: removed a double semicolon at end of line - - Remove double semicolons at end of line in Perl code. - - Closes: #8709 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -- curl_easy_header: fix typos in documentation - - Closes: #8694 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Marcel Raad (11 Apr 2022) -- appveyor: add Cygwin build - - Closes https://github.com/curl/curl/pull/8693 - -- appveyor: only add MSYS2 to PATH where required - - Closes https://github.com/curl/curl/pull/8693 - -Daniel Stenberg (10 Apr 2022) -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix memory leak - - Closes #8691 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: remove remote_addr which is not used in a meaningful way - - Closes #8689 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: enlarge H3_SEND_SIZE - - Make h3_SEND_SIZE larger because current value (20KiB) is too small - for the high latency environment. - - Closes #8690 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix HTTP/3 upload stall and avoid busy loop - - This commit fixes HTTP/3 upload stall if upload data is larger than - H3_SEND_SIZE. Only check writability of socket if a stream is - writable to avoid busy loop when QUIC flow control window is filled - up, or upload buffer is full. - - Closes #8688 - -- [Nick Banks brought this change] - - msh3: add support for QUIC and HTTP/3 using msh3 - - Considered experimental, as the other HTTP/3 backends. - - Closes #8517 - -- TODO: "SFTP with SCP://" - -- GHA: move bearssl jobs over from zuul - - Closes #8684 - -- data/DISABLED: disable test 313 on bearssl builds - - Closes #8684 - -- runtests: add 'bearssl' as testable feature - - Closes #8684 - -- GHA: add openssl3 jobs moved over from zuul - - Closes #8683 - -- schannel: remove dead code that will never run - - As the condition can't ever evaluate true - - Reported-by: Andrey Alifanov - Ref: #8675 - Closes #8677 - -- connecache: remove duplicate connc->closure_handle check - - The superfluous extra check could cause analyzer false positives - and doesn't serve any purpose. - - Closes #8676 - -- [Michał Antoniak brought this change] - - mbedtls: remove server_fd from backend - - Closes #8682 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: use token when detecting :status header field - - Closes #8679 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: make curl 1ms faster - - Pass 0 for an already expired timer. - - Closes #8678 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix QUIC_IDLE_TIMEOUT - - QUIC_IDLE_TIMEOUT should be of type ngtcp2_duration which is - nanoseconds resolution. - - Closes #8678 - -- English: use American spelling consistently - - Authorization, Initialization, Organization etc. - - Closes #8673 - -Daniel Gustafsson (5 Apr 2022) -- [Sascha Zengler brought this change] - - BUGS: Fix incorrect punctuation - - Closes #8672 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -Daniel Stenberg (4 Apr 2022) -- tool_listhelp.c: uppercase URL - -- RELEASE-NOTES: synced - -- http: streamclose "already downloaded" - - Instead of connclose()ing, since when HTTP/2 is used it doesn't need to - close the connection as stopping the current transfer is enough. - - Reported-by: Evangelos Foutras - Closes #8665 - -Jay Satiro (1 Apr 2022) -- ftp: fix error message for partial file upload - - - Show the count of bytes written on partial file upload. - - Prior to this change the error message mistakenly showed the count of - bytes read, not written. - - Bug: https://github.com/curl/curl/discussions/8637 - Reported-by: Taras Kushnir - - Closes https://github.com/curl/curl/pull/8649 - -Daniel Stenberg (1 Apr 2022) -- http: correct the header error message to say colon - - Not semicolon - - Reported-by: Gisle Vanem - Ref: #8666 - Closes #8667 - -- lib: #ifdef on USE_HTTP2 better - - ... as nghttp2 might not be the library that provides HTTP/2 support. - - Closes #8661 - -- [Michał Antoniak brought this change] - - mbedtls: remove 'protocols' array from backend when ALPN is not used - - Closes #8663 - -- http2: RST the stream if we stop it on our own will - - For the "simulated 304" case the done-call isn't considered "premature" - but since the server didn't close the stream it needs to be reset to - stop delivering data. - - Closes #8664 - -- http: close the stream (not connection) on time condition abort - - Closes #8664 - -- http2: handle DONE called for the paused stream - - As it could otherwise stall all streams on the connection - - Reported-by: Evangelos Foutras - Fixes #8626 - Closes #8664 - -- tls: make mbedtls and NSS check for h2, not nghttp2 - - This makes them able to also negotiate HTTP/2 even when built to use - hyper for h2. - - Closes #8656 - -- tests/libtest/lib670.c: fixup the copyright year range - - follow-up to b54e18640ea4b7 - -- [Leandro Coutinho brought this change] - - lib670: avoid double check result - - Closes #8660 - -- vtls: use a generic "ALPN, server accepted" message - - Closes #8657 - -- vtls: use a backend standard message for "ALPN: offers %s" - - I call it VTLS_INFOF_ALPN_OFFER_1STR, the '1str' meaning that the - infof() call also needs a string argument: the ALPN ID. - - Closes #8657 - -- [Christian Schmitz brought this change] - - strcase.h: add comment about the return code - - Tool often we run into expecting this to work like strcmp, but it - returns 1 instead of 0 for match. - - Closes #8658 - -- vtls: provide a unified APLN-disagree string for all backends - - Also rephrase to make it sound less dangerous: - - "ALPN: server did not agree on a protocol. Uses default." - - Reported-by: Nick Coghlan - Fixes #8643 - Closes #8651 - -- projects/README: converted to markdown - - Closes #8652 - -- misc: spelling fixes - - Mostly in comments but also in the -w documentation for headers_json. - - Closes #8647 - -- KNOW_BUGS: HTTP3/Transfer closed with n bytes remaining to read - - "HTTP/3 does not support client certs" considered fixed, at least with - the ngtcp2 backend. - - Closes #8523 - -- CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs - - Also add to quote.d. Add to TODO as something to add in a future. - - Reported-by: anon00000000 on github - Closes #8602 - Closes #8648 - -- RELEASE-NOTES: synced - -- pop3/smtp: return *WEIRD_SERVER_REPLY when not understood - - This leaves the CURLE_RECV_ERROR error code for explicit failure to - receive network data and allows users to better separate the problems. - - Ref #8356 - Reported-by: Rianov Viacheslav - Closes #8506 - -- docs: lots of minor language polish - - Mostly based on recent language decisions from "everything curl": - - - remove contractions (isn't => is not) - - *an* HTTP (consistency) - - runtime (no hyphen) - - backend (no hyphen) - - URL is uppercase - - Closes #8646 - -Jay Satiro (29 Mar 2022) -- projects: Update VC version names for VS2017, VS2022 - - - Rename VC15 -> VC14.10, VC17 -> VC14.30. - - The projects directory that holds the pre-generated Visual Studio - project files uses VC<ver> to indicate the MSVC version. At some point - support for Visual Studio 2017 (Visual Studio version 15 which uses MSVC - 14.10) was added as VC15. Visual Studio 2022 (Visual Studio version 17 - which uses MSVC 14.30) project files were recently added and followed - that same format using VC17. - - There is no such MSVC version (yet) as VC15 or VC17. - - For VS 2017 for example, the name we use is correct as either VS17, - VS2017, VC14.10. I opted for the latter since we use VC for earlier - versions (eg VC10, VC12, etc). - - Ref: https://github.com/curl/curl/pull/8438#issuecomment-1037070192 - - Closes https://github.com/curl/curl/pull/8447 - -Daniel Stenberg (29 Mar 2022) -- mqtt: better handling of TCP disconnect mid-message - - Reported-by: Jenny Heino - Bug: https://hackerone.com/reports/1521610 - Closes #8644 - -- CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL - -- [Ian Blanes brought this change] - - docs/DYNBUF: clarify documentation for Curl_dyn_ptr and Curl_dyn_uptr - - Closes #8606 - -- [Ian Blanes brought this change] - - curl: fix segmentation fault for empty output file names. - - Function glob_match_url set *result to NULL when called with filename = - "", producing an indirect NULL pointer dereference. - - Closes #8606 - -- TODO: Read keys from ~/.ssh/id_ecdsa, id_ed25519 - - It would be nice to expand the list of key locations curl uses for the - newer key types supported by libssh2. - - Closes #8586 - -- ngtcp2: update to work after recent ngtcp2 updates - - Assisted-by: Tatsuhiro Tsujikawa - Reported-by: jurisuk on github - Fixes #8638 - Closes #8639 - -- [Farzin brought this change] - - CURLOPT_PROGRESSFUNCTION.3: fix typo in example - - Closes #8636 - -- curl/header_json: output the header names in lowercase - - To better allow json[“header”]. - - Reported-by: Peter Korsgaard - Bug: https://daniel.haxx.se/blog/2022/03/24/easier-header-picking-with-curl/comment-page-1/#comment-25878 - Closes #8633 - -- RELEASE-NOTES: synced - -- headers.h: make Curl_headers_push() be CURLE_OK when not built - - ... to avoid errors when the function isn't there. - - Reported-by: Marcel Raad - Fixes #8627 - Closes #8628 - -- scripts: move three scripts from lib/ to scripts/ - - Move checksrc.pl, firefox-db2pem.sh and mk-ca-bundle.pl since they don't - particularly belong in lib/ - - Also created an EXTRA_DIST= in scripts/Makefile.am instead of specifying - those files in the root Makefile.am - - Closes #8625 - -Marc Hoersken (23 Mar 2022) -- lib/warnless.[ch]: only check for WIN32 and ignore _WIN32 - - curl_setup.h automatically defines WIN32 if just _WIN32 is defined. - - Therefore make sure curl_setup.h is included through warnless.h. - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - - Closes #8594 - -- tests/server/util.h: align WIN32 condition with util.c - - There is no need to test for both _WIN32 and WIN32 as curl_setup.h - automatically defines the later if the first one is defined. - - Also tests/server/util.c is only checking for WIN32 arouund the - implementation of win32_perror, so just defining _WIN32 - would not be sufficient for a successful compilation. - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - - Closes #8594 - -Daniel Stenberg (22 Mar 2022) -- [Philip Heiduck brought this change] - - firefox-db2pem.sh: make the shell script safer - - Reported by lift - - Closes #8616 - -Jay Satiro (22 Mar 2022) -- gtls: fix build for disabled TLS-SRP - - Prior to this change if, at build time, the GnuTLS backend was found to - have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl - via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur. - - Bug: https://curl.se/mail/lib-2022-03/0046.html - Reported-by: Robert Brose - - Closes https://github.com/curl/curl/pull/8604 - -- winbuild: Add a Visual Studio example to the README - - - Add an example that explains in detail how the user can add libcurl to - their Visual Studio project. - - Ref: https://github.com/curl/curl/issues/8591 - - Closes https://github.com/curl/curl/pull/8592 - -- docs/opts: Mention Schannel client cert type is P12 - - Schannel backend code behaves same as Secure Transport, it expects a P12 - certificate file or the name of a certificate already in the user's OS - key store. Also, both backends ignore CURLOPT_SSLKEY (tool: --key) - because they expect the private key to already be available from the - keystore or P12 certificate. - - Ref: https://github.com/curl/curl/discussions/8581#discussioncomment-2337260 - - Closes https://github.com/curl/curl/pull/8587 - -Daniel Stenberg (22 Mar 2022) -- lib1945: fix compiler warning 4706 on MSVC - - Follow-up from d1e4a677340c - - Closes #8623 - -- [Philip Heiduck brought this change] - - ci/event-based.yml: improve impacket install - - skip python3-pip - install impacket with library module - - Closes #8621 - -- test1459: disable for oldlibssh - - This test with libssh 0.9.3 works fine on github but fails on circleci. - Might as well disable this test for oldlibssh installations. - - Closes #8622 - -- test1135: sync with recent API updates - - This test verifies that the order of functions in public headers remain - the same but hasn't been updated to care for recently added header - files. The order is important for some few platforms - or VERSIONINFO - needs to updated. - - This fix also updates VERSIONINFO to be sure. - - Closes #8620 - -- curl_easy_nextheader.3: fix two typos - - Reported-by: Timothe Litt - Bug: https://curl.se/mail/lib-2022-03/0060.html - -- options: remove mistaken space before paren in prototype - -- cirrus: add --enable-headers-api for some windows builds - -- GHA: --enable-headers-api in all workflows - -- lib: make the headers API depend on --enable-headers-api - -- configure: add --enable-headers-api to enable the headers API - - Defaults to disabled while labeled EXPERIMENTAL. - - Make all the headers API tests require 'headers-api' to run. - -- test1671: verify -w '%{header_json} - -- test1670: verify -w %header{} - -- curl: add %{header_json} support in -w handling - - Outputs all response headers as a JSON object. - -- curl: add %header{name} support in -w handling - - Outputs the response header 'name' - -- header api: add curl_easy_header and curl_easy_nextheader - - Add test 1940 to 1946 to verify. - - Closes #8593 - -- test1459: remove the different exit code for oldlibssh - - When using libssh/0.9.3/openssl/zlib, we seem to be getting the "right" - error code. - - Closes #8490 - -- libssh: unstick SFTP transfers when done event-based - - Test 604 and 606 (at least). - - Closes #8490 - -- gha: move the event-based test over from Zuul - - Switched libssh2 to libssh - - Closes #8490 - -- RELEASE-NOTES: synced - -- http: return error on colon-less HTTP headers - - It's a protocol violation and accepting them leads to no good. - - Add test case 398 to verify - - Closes #8610 - -- test718: edited slightly to return better HTTP - - Since hyper is picky and won't play ball otherwise. - - Bug: https://github.com/hyperium/hyper/issues/2783 - Reported-by: Daniel Valenzuela - Closes #8614 - -- hyper: no h2c support - - Make tests require h2c feature present to run, and only set h2c if - nghttp2 is used in the build. Hyper does not support it. - - Remove those tests from DISABLED - - Fixes #8605 - Closes #8613 - -- configure: bump the copyright year range int the generated output - -- [Andreas Falkenhahn brought this change] - - BINDINGS.md: add Hollywood binding - - Closes #8609 - -- HISTORY: add some 2022 data - -- scripts/copyright.pl: ignore the new mlc_config.json file - -- [Philip Heiduck brought this change] - - mlc_config.json: add file to ignore known troublesome URLs - - This is the config file for the CI markdown link checker and lets us - filter URLs that are known to cause problems. Like - https://curl.zuul.vexxhost.dev/ for now. - - Closes #8597 - -- [Philip Heiduck brought this change] - - winbuild/README.md: fixup dead link - - Closes #8597 - -Jay Satiro (18 Mar 2022) -- rtsp: don't let CSeq error override earlier errors - - - When done, if an error has already occurred then don't check the - sequence numbers for mismatch. - - A sequence number may not have been received if an error occurred. - - Prior to this change a sequence mismatch error would override earlier - errors. For example, a server that returns nothing would cause error - CURLE_GOT_NOTHING in Curl_http_done which was then overridden by - CURLE_RTSP_CSEQ_ERROR in rtsp_done. - - Closes https://github.com/curl/curl/pull/8525 - -- lib: fix some misuse of curlx_convert_wchar_to_UTF8 - - curlx_convert_wchar_to_UTF8 must be freed by curlx_unicodefree, but - prior to this change some uses mistakenly called free. - - I've reviewed all other uses of curlx_convert_wchar_to_UTF8 and - curlx_convert_UTF8_to_wchar. - - Ref: https://github.com/curl/curl/commit/1d5d0ae - - Closes https://github.com/curl/curl/pull/8521 - -- mk-ca-bundle.pl: Use stricter logic to process the certificates - - .. and bump version to 1.29. - - This change makes the script properly ignore unknown blocks and - otherwise fail when Mozilla changes the certdata format in ways we - don't expect. Though this is less flexible behavior it makes it far less - likely that an invalid certificate can slip through. - - Prior to this change the state machine did not always properly reset, - and it was possible that a certificate marked as invalid could then - later be marked as valid when there was conflicting trust info or - an unknown block was erroneously processed as part of the certificate. - - Ref: https://github.com/curl/curl/pull/7801#pullrequestreview-768384569 - - Closes https://github.com/curl/curl/pull/8411 - -Marcel Raad (17 Mar 2022) -- test375: fix line endings on Windows - - Closes https://github.com/curl/curl/pull/8599 - -Daniel Stenberg (17 Mar 2022) -- http: reject header contents with nul bytes - - They are not allowed by the protocol and allowing them risk that curl - misbehaves somewhere where C functions are used but won't work on the - full contents. Further, they are not supported by hyper and they cause - problems for the new coming headers API work. - - Updated test 262 to verify and enabled it for hyper as well - - Closes #8601 - -- [Philip Heiduck brought this change] - - CI: Do not use buildconf. Instead, just use: autoreconf -fi - - Closes #8596 - -- RELEASE-NOTES: synced - -Jay Satiro (14 Mar 2022) -- libssh: Improve fix for missing SSH_S_ stat macros - - - If building libcurl against an old libssh version missing SSH_S_IFMT - and SSH_S_IFLNK then use the values from a supported version. - - Prior to this change if libssh did not define SSH_S_IFMT and SSH_S_IFLNK - then S_IFMT and S_IFLNK, respectively, were used instead. The problem - with that is the user's S_ stat macros don't have the same values across - platforms. For example Windows has values different from Linux. - - Follow-up to 7b0fd39. - - Ref: https://github.com/curl/curl/pull/8511#discussion_r815292391 - Ref: https://github.com/curl/curl/pull/8574 - - Closes https://github.com/curl/curl/pull/8588 - -Marc Hoersken (13 Mar 2022) -- tool and tests: force flush of all buffers at end of program - - On Windows data can be lost in buffers in case of abnormal program - termination, especially in process chains as seen due to flaky tests. - Therefore flushing all buffers manually should avoid this data loss. - - In the curl tool we play the safe game by only flushing write buffers, - but in the testsuite where we manage all buffers, we flush everything. - - This should drastically reduce Windows CI and testsuite flakiness. - - Reviewed-by: Daniel Stenberg - - Supersedes #7833 and #6064 - Closes #8516 - -Daniel Stenberg (12 Mar 2022) -- [Jan Venekamp brought this change] - - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support - - Closes #8478 - -- [Jan Venekamp brought this change] - - BearSSL: add CURLOPT_SSL_CIPHER_LIST support - - Closes #8477 - -Dan Fandrich (11 Mar 2022) -- tool_cb_hdr: Turn the Location: into a terminal hyperlink - - This turns even relative URLs into clickable hyperlinks in a supported - terminal when --styled-output is enabled. Many terminals already turn - URLs into clickable links but there is not enough information in a - relative URL to do this automatically otherwise. - -- keepalive-time.d: It takes many probes to detect brokenness - -Daniel Stenberg (11 Mar 2022) -- [HexTheDragon brought this change] - - curl: add --no-clobber - - Does not overwrite output files if they already exist - - Closes #7708 - Co-authored-by: Daniel Stenberg - -- RELEASE-NOTES: synced - - also bump next pending version to become 7.83.0 - -- [Jean-Philippe Menil brought this change] - - openssl: check SSL_get_peer_cert_chain return value - - Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com> - Closes #8579 - -- [Jay Satiro brought this change] - - mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl - - mk-ca-bundle.vbs is a Windows-specific script for Mozilla certificate - extraction, similar to mk-ca-bundle.pl which runs on any platform. The - vbs version has not been maintained while the perl version has been - maintained with improvements and security fixes. I don't think it's - worth the work to maintain both versions. Windows users should be able - to use mk-ca-bundle.pl without any problems, as long as they have perl. - - Closes #8412 - -- CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype - - Copy and paste error - - Reported-by: Francisco Olarte - Fixes #8573 - Closes #8577 - -- remove-on-error.d: typo - - Reported-by: Colin Leroy - Bug: https://github.com/curl/curl/pull/8503#pullrequestreview-906520081 - -- curl: add --remove-on-error - - If a transfer returns an error, using this option makes curl remove the - leftover downloded (partial) local file before exiting. - - Added test 376 to verify - - Closes #8503 - -- libssh: fix build with old libssh versions - - ... that don't have the SSH_S_* defines. Spotted on a machine using - libssh 0.7.3 - - Closes #8574 - -- hyper: fix status_line() return code - - Detected while working on #7708 that happened to trigger an error here - with a new test case. - - Closes #8572 - -- [Alejandro R. Sedeño brought this change] - - configure.ac: move -pthread CFLAGS setting back where it used to be - - The fix for #8276 proposed in #8374 set `CFLAGS="$CFLAGS -pthead"` - earlier than it used to be set, applying it in cases where it should not - have been applied. - - This moves the AIX XLC check to a new `case $host in` block inside of - the `if test "$USE_THREADS_POSIX" != "1"` block, where `CFLAGS="$CFLAGS - -pthead"` used to happen. - - Fixes #8541 - Closes #8542 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: add client certificate authentication for OpenSSL - - Closes #8522 - -- tool_operate: fix a scan-build warning - - ... and avoid the temp storing of the return code in a diff variable. - - Closes #8565 - -- test375: verify that --proxy errors out if proxy is disabled in the build - - Closes #8565 - -- curl: error out when options need features not present in libcurl - - Trying to use a proxy when libcurl was built with proxy support disabled - should make curl error out properly. - - Remove knowledge of disabled features from the tool code and instead - make it properly respond to what libcurl returns. Update all tests to - properly require the necessary features to be present/absent so that the - test suite can still be run even with libcurl builds with disabled - features. - - Ref: https://curl.se/mail/archive-2022-03/0013.html - Closes #8565 - -- ngtcp2: disconnect the QUIC connection proper - - Reported-by: mehatzri on github - Reviewed-by: Tatsuhiro Tsujikawa - Fixes #8534 - closes #8569 - -Dan Fandrich (9 Mar 2022) -- test386: Fix an incorrect test markup tag - -Daniel Stenberg (9 Mar 2022) -- [Don J Olmstead brought this change] - - nonblock: restore setsockopt method to curlx_nonblock - - The implementation using setsockopt was removed when BeOS support was - purged. However this functionality wasn't BeOS specific, it is still - used by for example Orbis OS (Playstation 4/5 OS). - - Closes #8562 - -- openssl: fix CN check error code - - Due to a missing 'else' this returns error too easily. - - Regressed in: d15692ebb - - Reported-by: Kristoffer Gleditsch - Fixes #8559 - Closes #8560 - -- [Frank Meier brought this change] - - connect: make Curl_getconnectinfo work with conn cache from share handle - - Closes #8524 + _ _ ____ _
+ ___| | | | _ \| |
+ / __| | | | |_) | |
+ | (__| |_| | _ <| |___
+ \___|\___/|_| \_\_____|
+
+ Changelog
+
+Version 7.87.0 (21 Dec 2022)
+
+Daniel Stenberg (21 Dec 2022)
+
+- RELEASE-NOTES: synced
+
+ The curl 7.87.0 release
+
+- THANKS: 40 new contributors from 7.87.0
+
+- http: fix the ::1 comparison for IPv6 localhost for cookies
+
+ When checking if there is a "secure context", which it is if the
+ connection is to localhost even if the protocol is HTTP, the comparison
+ for ::1 was done incorrectly and included brackets.
+
+ Reported-by: BratSinot on github
+
+ Fixes #10120
+ Closes #10121
+
+Philip Heiduck (19 Dec 2022)
+
+- CI/spell: actions/checkout@v2 > actions/checkout@v3
+
+Daniel Stenberg (19 Dec 2022)
+
+- smb/telnet: do not free the protocol struct in *_done()
+
+ It is managed by the generic layer.
+
+ Reported-by: Trail of Bits
+
+ Closes #10112
+
+- http: use the IDN decoded name in HSTS checks
+
+ Otherwise it stores the info HSTS into the persistent cache for the IDN
+ name which will not match when the HSTS status is later checked for
+ using the decoded name.
+
+ Reported-by: Hiroki Kurosawa
+
+ Closes #10111
+
+- CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw"
+
+ Closes #10106
+
+Xì Gà (16 Dec 2022)
+
+- socks: fix username max size is 255 (0xFF)
+
+ Closes #10105
+
+ Reviewed-by: Daniel Gustafsson
+
+Daniel Stenberg (16 Dec 2022)
+
+- limit-rate.d: see also --rate
+
+- lib1560: add some basic IDN host name tests
+
+ Closes #10094
+
+- idn: rename the files to idn.[ch] and hold all IDN functions
+
+ Closes #10094
+
+- idn: remove Curl_win32_ascii_to_idn
+
+ It was not used. Introduce a new IDN header for the prototype(s).
+
+ Closes #10094
+
+- RELEASE-NOTES: synced
+
+- curl_url_get.3: remove spurious backtick
+
+ Put there by mistake.
+
+ Follow-up from 9a8564a92
+
+ Closes #10101
+
+- socks: fix infof() flag for outputing a char
+
+ It used to be a 'long', %lu is no longer correct.
+
+ Follow-up to 57d2d9b6bed33d
+ Detected by Coverity CID 1517663
+
+ Closes #10100
+
+- ssl-reqd.d: clarify that this is for upgrading connections only
+
+ Closes #10093
+
+- curl_url_set.3: document CURLU_DISALLOW_USER
+
+ Closes #10099
+
+- cmake: set the soname on the shared library
+
+ Set SONAME and VERSION for platforms we think this works on. Remove
+ issue from KNOWN_BUGS.
+
+ Assisted-by: Jakub Zakrzewski
+
+ Closes #10023
+
+- tool_paramhlp: free the proto strings on exit
+
+ And also make sure that repeated use of the options free the previous
+ string before it stores a new.
+
+ Follow-up from e6f8445edef8e7996d
+
+ Closes #10098
+
+- tool_cfgable: free the ssl_ec_curves on exit
+
+ Follow-up to ede125b7b
+
+ Closes #10097
+
+- urlapi: reject more bad letters from the host name: &+()
+
+ Follow-up from eb0167ff7d31d3a5
+
+ Extend test 1560 to verify
+
+ Closes #10096
+
+- altsvc: fix rejection of negative port numbers
+
+ Follow-up to ac612dfeee95
+
+ strtoul() accepts a leading minus so better make sure there is none
+
+ Extended test 356 somewhat to use a huge negative 64 bit number that
+ otherwise becomes a low positive number.
+
+ Closes #10095
+
+- lib: use size_t or int etc instead of longs
+
+ Since long is not using a consistent data size in curl builds, making it
+ often "waste" 32 bits.
+
+ Closes #10088
+
+- azure: use "unversioned" clang and clang-tools for scanbuild job
+
+ To make it less fragile
+
+ Closes #10092
+
+Daniel Gustafsson (14 Dec 2022)
+
+- x509asn1: avoid freeing unallocated pointers
+
+ When utf8asn1str fails there is no allocation returned, so freeing
+ the return pointer in **to is at best a no-op and at worst a double-
+ free bug waiting to happen. The current coding isn't hiding any such
+ bugs but to future proof, avoid freeing the return value pointer iff
+ the function failed.
+
+ Closes: #10087
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Emil Engler (13 Dec 2022)
+
+- curl_url_set.3: fix typo
+
+ Closes: #10089
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+Daniel Stenberg (13 Dec 2022)
+
+- test2304: verify websocket handling when connection is closed
+
+- server/sws: if asked to close connection, skip the websocket handling
+
+- ws: if no connection is around, return error
+
+ - curl_ws_send returns CURLE_SEND_ERROR if data->conn is gone
+
+ - curl_ws_recv returns CURLE_GOT_NOTHING on connection close
+
+ - curl_ws_recv.3: mention new return code for connection close + example
+ embryo
+
+ Closes #10084
+
+Emil Engler (13 Dec 2022)
+
+- docs: extend the dump-header documentation
+
+ This commit extends the documentation of the --dump-header command-line
+ option to reflect the behavior introduced in 8b1e5df7.
+
+ See #10079
+ Closes #10085
+
+Daniel Stenberg (12 Dec 2022)
+
+- RELEASE-NOTES: synced
+
+- styled-output.d: this option does not work on Windows
+
+ Reported-by: u20221022 on github
+
+ Fixes #10082
+ Closes #10083
+
+Emil Engler (12 Dec 2022)
+
+- tool: determine the correct fopen option for -D
+
+ This commit fixes a bug in the dump-header feature regarding the
+ determination of the second fopen(3) option.
+
+ Reported-by: u20221022 on github
+
+ See #4753
+ See #4762
+ Fixes #10074
+ Closes #10079
+
+Christian Schmitz (11 Dec 2022)
+
+- docs/curl_ws_send: Fixed typo in websocket docs
+
+ Replace as with is in relevant sentences.
+
+ Closes: #10081
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+Prithvi MK (11 Dec 2022)
+
+- c-hyper: fix multi-request mechanism
+
+ It makes test 565 run fine.
+
+ Fixes #8896
+ Closes #10080
+ Assisted-by: Daniel Stenberg
+
+Andy Alt (11 Dec 2022)
+
+- page-header: grammar improvement (display transfer rate)
+
+ Closes #10068
+
+- docs/DEPRECATE.md: grammar improvement and sp correction
+
+ The main thing I wanted to do was fix the spelling of "spent", but I
+ think this rewording improves the flow of the paragraph.
+
+ Closes #10067
+
+Boris Verkhovskiy (11 Dec 2022)
+
+- tool_cfgable: make socks5_gssapi_nec a boolean
+
+ Closes #10078
+
+Frank Gevaerts (9 Dec 2022)
+
+- contributors.sh: actually use $CURLWWW instead of just setting it.
+
+ The script was all set up for flexibility where curl-www is elsewhere in
+ the filesystem, but then hard-coded ../curl-www anyway...
+
+ Closes #10064
+
+Daniel Stenberg (9 Dec 2022)
+
+- KNOWN_BUGS: remove items not considered bugs any more
+
+ - CURL_GLOBAL_SSL
+
+ This option was changed in libcurl 7.57.0 and clearly it has not caused
+ too many issues and a lot of time has passed.
+
+ - Store TLS context per transfer instead of per connection
+
+ This is a possible future optimization. One that is much less important
+ and interesting since the added support for CA caching.
+
+ - Microsoft telnet server
+
+ This bug was filed in May 2007 against curl 7.16.1 and we have not
+ received further reports.
+
+ - active FTP over a SOCKS
+
+ Actually, proxies in general is not working with active FTP mode. This
+ is now added in proxy documentation.
+
+ - DICT responses show the underlying protocol
+
+ curl still does this, but since this is now an established behavior
+ since forever we cannot change it easily and adding an option for it
+ seems crazy as this protocol is not so little its not worth it. Let's
+ just live with it.
+
+ - Secure Transport disabling hostname validation also disables SNI
+
+ This is an already documented restriction in Secure Transport.
+
+ - CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
+
+ The curl_formadd() function is marked and documented as deprecated. No
+ point in collecting bugs for it. It should not be used further.
+
+ - STARTTRANSFER time is wrong for HTTP POSTs
+
+ After close source code inspection I cannot see how this is true or that
+ there is any special treatment for different HTTP methods. We also have
+ not received many further reports on this, making me strongly suspect
+ that this is no (longer an) issue.
+
+ - multipart formposts file name encoding
+
+ The once proposed RFC 5987-encoding is since RFC 7578 documented as MUST
+ NOT be used. The since then implemented MIME API allows the user to set
+ the name on their own and can thus provide it encoded as it wants.
+
+ - DoH is not used for all name resolves when enabled
+
+ It is questionable if users actually want to use DoH for interface and
+ FTP port name resolving. This restriction is now documented and we
+ advice users against using name resolving at all for these functions.
+
+ Closes #10043
+
+- CURLOPT_COOKIEFILE.3: advice => advise
+
+ Closes #10063
+
+ Reviewed-by: Daniel Gustafsson
+
+Daniel Gustafsson (9 Dec 2022)
+
+- curl.h: reword comment to not use deprecated option
+
+ CURLOPT_INFILE was replaced by CURLOPT_READDATA in 7.9.7, reword the
+ comment mentioning it to make code grepping easier as well as improve
+ the documentation.
+
+ Closes: #10062
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Ryan Schmidt (9 Dec 2022)
+
+- system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
+
+ Change "__MWERKS__" to "macintosh". When this block was originally added
+ in 3ac6929 it was probably intended to handle classic Mac OS since the
+ previous classic Mac OS build procedure for curl (which was removed in
+ bf327a9) used Metrowerks CodeWarrior.
+
+ But there are other classic Mac OS compilers, such as the MPW compilers,
+ that were not handled by this case. For classic Mac OS,
+ CURL_TYPEOF_CURL_SOCKLEN_T needs to match what's provided by the
+ third-party GUSI library, which does not vary by compiler.
+
+ Meanwhile CodeWarrior works on platforms other than classic Mac OS, and
+ they may need different definitions. Separate blocks could be added
+ later for any of those platforms that curl doesn't already support.
+
+ Closes #10049
+
+- vms: remove SIZEOF_SHORT
+
+ The rest of SIZEOF_SHORT was removed in d48dd15.
+
+ See #9291
+ Closes #10061
+
+Daniel Gustafsson (8 Dec 2022)
+
+- tool_formparse: avoid clobbering on function params
+
+ While perfectly legal to do, clobbering function parameters and using
+ them as local variables is confusing at best and rarely improves code
+ readability. Fix by using a local variable instead, no functionality
+ is changed.
+
+ This also renames the parameter from data to mime_data since the term
+ data is (soft) reserved for the easy handle struct.
+
+ Closes: #10046
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- noproxy: guard against empty hostnames in noproxy check
+
+ When checking for a noproxy setting we need to ensure that we get
+ a hostname passed in. If there is no hostname then there cannot be
+ a matching noproxy rule for it by definition.
+
+ Closes: #10057
+ Reported-by: Geeknik Labs
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (8 Dec 2022)
+
+- c-hyper: CONNECT respones are not server responses
+
+ Together with d31915a8dbbd it makes test 265 run fine.
+
+ Fixes #8853
+ Assisted-by: Prithvi MK
+ Assisted-by: Sean McArthur
+ Closes #10060
+
+- test265: Use "connection: keep-alive" response header
+
+ When it answers as HTTP/1.0, so that clients (hyper) knows properly that
+ the connection remains intact.
+
+- RELEASE-NOTES: synced
+
+Stefan Eissing (8 Dec 2022)
+
+- cfilter: improve SSL connection checks
+
+ - fixes `Curl_ssl_cf_get_ssl()` to detect also the first filter instance
+ as ssl (refs #10053)
+
+ - replaces `Curl_ssl_use()` with the correct `Curl_conn_is_ssl()`
+
+ Closes #10054
+ Fixes #10053
+
+ Reported-by: Patrick Monnerat
+
+Daniel Stenberg (8 Dec 2022)
+
+- runtests: silence nghttpx errors
+
+ Also, move the output of the nghttpx_h3 info to the general "Env:" line
+ in the test output header.
+
+ Reported-by: Marcel Raad
+ Ref: https://github.com/curl/curl/commit/ca15b7512e8d1199e55fbaa206ef01e64b8f
+ 147d#commitcomment-92015094
+ Closes #10044
+
+Ryan Schmidt (7 Dec 2022)
+
+- config-mac: define HAVE_SYS_IOCTL_H
+
+ This is needed to compile nonblock.c on classic Mac OS with Grand
+ Unified Socket Interface (GUSI) because nonblock.c uses FIONBIO which is
+ defined in <sys/filio.h> which is included by <sys/ioctl.h>.
+
+ Ref: https://sourceforge.net/projects/gusi/
+
+ Closes https://github.com/curl/curl/pull/10042
+
+Philip Heiduck (7 Dec 2022)
+
+- CI: Change FreeBSD image from 12.3 to 12.4
+
+ Ref: https://www.phoronix.com/news/FreeBSD-12.4-Released
+
+ Closes https://github.com/curl/curl/pull/10051
+
+Ryan Schmidt (7 Dec 2022)
+
+- test1421: fix typo
+
+ Closes https://github.com/curl/curl/pull/10055
+
+Jay Satiro (7 Dec 2022)
+
+- build: assume errno.h is always available
+
+ - Remove errno.h detection from all build configurations.
+
+ errno.h is a standard header according to C89.
+
+ Closes https://github.com/curl/curl/pull/9986
+
+- build: assume assert.h is always available
+
+ - Remove assert.h detection from all build configurations.
+
+ assert.h is a standard header according to C89.
+
+ I had proposed this several years ago as part of a larger change that
+ was abandoned.
+
+ Ref: https://github.com/curl/curl/issues/1237#issuecomment-277500720
+
+ Closes https://github.com/curl/curl/pull/9985
+
+Philip Heiduck (7 Dec 2022)
+
+- CI: LGTM.com will be shut down in December 2022
+
+ Closes #10052
+
+Daniel Stenberg (6 Dec 2022)
+
+- mailmap: Andy Alt
+
+Andy Alt (6 Dec 2022)
+
+- misc: Fix incorrect spelling
+
+ Fix various uses of connnect by replacing them with connect.
+
+ Closes: #10045
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+Stefan Eissing (6 Dec 2022)
+
+- wolfssl: remove special BIO return code handling
+
+ - rely solely on the retry flag in BIO, similar to OpenSSL vtls
+ implementation.
+
+ Ref: https://github.com/curl/curl/pull/10021#issuecomment-1336147053
+
+ Closes #10033
+
+Daniel Stenberg (6 Dec 2022)
+
+- openssl: return -1 on error in the BIO callbacks
+
+ BIO_read and BIO_write return negative numbers on error, including
+ retryable ones. A regression from 55807e6. Both branches should be
+ returning -1.
+
+ The APIs are patterned after POSIX read and write which, similarly,
+ return -1 on errors, not zero, with EAGAIN treated as an error.
+
+ Bug: https://github.com/curl/curl/issues/10013#issuecomment-1335308146
+ Reported-by: David Benjamin
+ Closes #10021
+
+Ryan Schmidt (6 Dec 2022)
+
+- config-mac: remove HAVE_SYS_SELECT_H
+
+ When compiling for classic Mac OS with GUSI, there is no sys/select.h.
+ GUSI provides the "select" function prototype in sys/time.h.
+
+ Closes #10039
+
+- setup: do not require __MRC__ defined for Mac OS 9 builds
+
+ Partially reverts "somewhat protect Mac OS X users from using Mac OS 9
+ config file", commit 62519bfe059251af2914199f284c736553ff0489.
+
+ Do things that are specific to classic Mac OS (i.e. include config-mac.h
+ in curl_setup.h and rename "main" to "curl_main" in tool_setup.h) when
+ only "macintosh" is defined. Remove the additional condition that
+ "__MRC__" should be defined since that would only be true with the MPW
+ MrC compiler which prevents the use of other reasonable compilers like
+ the MPW SC compiler and especially the Metrowerks CodeWarrior compilers.
+ "macintosh" is only defined by classic Mac OS compilers so this change
+ should not affect users of Mac OS X / OS X / macOS / any other OS.
+
+ Closes #10037
+
+- curl.h: name all public function parameters
+
+ Most public function parameters already have names; this adds those
+ that were missing.
+
+ Closes #10036
+
+Andy Alt (6 Dec 2022)
+
+- docs/examples: spell correction ('Retrieve')
+
+ Closes #10040
+
+Daniel Stenberg (6 Dec 2022)
+
+- unit1302: slightly extended
+
+ To test more base64 decoding
+
+- base64: faster base64 decoding
+
+ - by using a lookup table instead of strchr()
+ - by doing full quantums first, then padding
+
+ Closes #10032
+
+Michael Musset (6 Dec 2022)
+
+- libssh2: return error when ssh_hostkeyfunc returns error
+
+ return CURLE_PEER_FAILED_VERIFICATION if verification with the callback
+ return a result different than CURLKHMATCH_OK
+
+ Closes #10034
+
+Viktor Szakats (5 Dec 2022)
+
+- Makefile.mk: improve a GNU Make hack [ci skip]
+
+ Replace the hack of using `$() ` to represent a single space. The new
+ method silences the `--warn-undefined-variables` debug warning and it's
+ also a better-known form of solving this problem.
+
+ Reviewed-by: Jay Satiro
+ Closes #10031
+
+Daniel Stenberg (5 Dec 2022)
+
+- tests/unit/.gitignore: ignore all unit + 4 digits files
+
+- base64: encode without using snprintf
+
+ For speed. In some tests, this approch is 29 times faster!
+
+ Closes #10026
+
+- base64: better alloc size
+
+ The previous algorithm allocated more bytes than necessary.
+
+ Suggested-by: xtonik on github
+ Fixes #10024
+ Closes #10025
+
+Ryan Schmidt (5 Dec 2022)
+
+- config-mac: fix typo: size_T -> size_t
+
+ Both MPW and CodeWarrior compilers complained about this.
+
+ Closes #10029
+
+Daniel Stenberg (3 Dec 2022)
+
+- RELEASE-NOTES: synced
+
+Jakub Zakrzewski (2 Dec 2022)
+
+- CMake: fix build with `CURL_USE_GSSAPI`
+
+ CMAKE_*_LINKER_FLAGS must be a string but GSS_LINKER_FLAGS is a list, so
+ we need to replace semicolons with spaces when setting those.
+
+ Fixes #9017
+ Closes #1022
+
+Max Dymond (2 Dec 2022)
+
+- ci: Reuse fuzzing snippet from curl-fuzzer project
+
+Diogo Teles Sant'Anna (2 Dec 2022)
+
+- GHA: clarify workflows permissions, set least possible privilege
+
+ Set top-level permissions to None on all workflows, setting per-job
+ permissions. This avoids that new jobs inherit unwanted permissions.
+
+ Discussion: https://curl.se/mail/lib-2022-11/0028.html
+
+ Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
+
+ Closes #9928
+
+Viktor Szakats (2 Dec 2022)
+
+- Makefile.mk: address minor issues
+
+ - Fix `NROFF` auto-detection with certain shell/make-build combinations:
+
+ When a non-MSYS2 GNU Make runs inside an MSYS2 shell, Make executes
+ the detection command as-is via `CreateProcess()`. It fails because
+ `command` is an `sh` built-in. Ensure to explicitly invoke the shell.
+
+ - Initialize user-customizable variables:
+
+ Silences a list of warnings when running GNU Make with the option
+ `--warn-undefined-variables`. Another benefit is that it's now easy
+ to look up all user-customizable `Makefile.mk` variables by grepping
+ for ` ?=` in the curl source tree.
+
+ Suggested-by: Gisle Vanem
+ Ref: https://github.com/curl/curl/pull/9764#issuecomment-1330674433
+
+ - Fix `MKDIR` invocation:
+
+ Avoid a warning and potential issue in envs without forward-slash
+ support.
+
+ Closes #10000
+
+Rob de Wit (2 Dec 2022)
+
+- curl_get_line: allow last line without newline char
+
+ improve backwards compatibility
+
+ Test 3200 verifies
+
+ Closes #9973
+
+Daniel Stenberg (2 Dec 2022)
+
+- cookie: open cookie jar as a binary file
+
+ On Windows there is a difference and for text files, ^Z means end of
+ file which is not desirable.
+
+ Ref: #9973
+ Closes #10017
+
+- runtests: only do CRLF replacements for hyper if it is HTTP
+
+ Closes #10016
+
+Stefan Eissing (1 Dec 2022)
+
+- openssl: fix for BoringSSL BIO result interpretation mixups
+
+ Reported-by: Robin Marx
+ Fixes #10013
+ Closes #10015
+
+Max Dymond (1 Dec 2022)
+
+- ci: Remove zuul fuzzing job as it's superseded by CIFuzz
+
+Daniel Stenberg (1 Dec 2022)
+
+- runtests: do CRLF replacements per section only
+
+ The `crlf="yes"` attribute and "hyper mode" are now only applied on a
+ subset of dedicated sections: data, datacheck, stdout and protocol.
+
+ Updated test 2500 accordingly.
+
+ Also made test1 use crlf="yes" for <protocol>, mostly because it is
+ often used as a template test case. Going forward, using this attribute
+ we should be able to write test cases using linefeeds only and avoid
+ mixed line ending encodings.
+
+ Follow-up to ca15b7512e8d11
+
+ Fixes #10009
+ Closes #10010
+
+Stefan Eissing (1 Dec 2022)
+
+- gnutls: use common gnutls init and verify code for ngtcp2
+
+ Closes #10007
+
+Baitinq on github (1 Dec 2022)
+
+- aws_sigv4: fix typos in aws_sigv4.c
+
+ Closes #10008
+
+Kenneth Myhra (30 Nov 2022)
+
+- curl.h: include <sys/select.h> on SerenityOS
+
+ Closes #10006
+
+Daniel Stenberg (30 Nov 2022)
+
+- openssl: prefix errors with '[lib]/[version]: '
+
+ To help users understand where this (cryptic) error message comes from.
+
+ Suggested-by: Philip Sanetra
+ Ref: #10002
+ Closes #10004
+
+Stefan Eissing (30 Nov 2022)
+
+- tests: add HTTP/3 test case, custom location for proper nghttpx
+
+ - adding support for HTTP/3 test cases via a nghttpx server that is
+ build with ngtcp2 and nghttp3.
+ - test2500 is the first test case, performing a simple GET.
+ - nghttpx is checked for support and the 'feature' nghttpx-h3
+ is set accordingly. test2500 will only run, when supported.
+ - a specific nghttpx location can be given in the environment
+ variable NGHTTPX or via the configure option
+ --with-test-nghttpx=<path>
+
+ Extend NGHTTPX config to H2 tests as well
+
+ * use $ENV{NGHTTPX} and the configured default also in http2 server starts
+ * always provide the empty test/nghttpx.conf to nghttpx. as it defaults to
+ reading /etc/nghttpx/nghttpx.conf otherwise.
+
+ Added nghttpx to CI ngtcp2 jobs to run h3 tests.
+
+ Closes #9031
+
+Daniel Stenberg (30 Nov 2022)
+
+- RELEASE-NOTES: synced
+
+ Removed duplicate after contributors.sh fix: 9967c10b6daa1
+
+- scripts/contributors.sh: strip one OR MORE leading spaces
+
+ From names found credited in commit logs
+
+- RELEASE-NOTES: synced
+
+- openssl/mbedtls: use %d for outputing port with failf (int)
+
+ Coverity CID 1517100
+
+ Also, remove some int typecasts in vtls.c for the port number
+
+ Closes #10001
+
+- KNOWN_BUGS: remove "Multi perform hangs waiting for threaded resolver"
+
+ We now offer a way to avoid that hang, using CURLOPT_QUICK_EXIT.
+
+ Follow-up to 49798cac832ab1 fixed via #9147
+
+ Closes #9999
+
+- KNOWN_BUGS: remove "--interface for ipv6 binds to unusable IP address"
+
+ Since years back the "if2ip" function verifies that it binds to a local IPv6
+ address that uses the same scope as the remote address.
+
+ This is not a bug.
+
+ Fixes #686
+ Closes #9998
+
+- test1276: verify lib/optiontable.pl
+
+ Checks that it generates an output identical to the file.
+
+- lib/optiontable.pl: adapt to CURLOPTDEPRECATED()
+
+ Follow-up from 6967571bf20624bc
+
+ Reported-by: Gisle Vanem
+
+ Fixes #9992
+ Closes #9993
+
+- docs/INSTALL.md: list OSes and CPUs quoted
+
+ to make them skip spellcheck. Also added a new CPU.
+
+ Follow-up to 4506cbf7f24a2a
+
+ Closes #9997
+
+Ikko Ashimine (28 Nov 2022)
+
+- vtls: fix typo in vtls_int.h
+
+ paramter -> parameter
+
+ Closes: #9996
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+Daniel Stenberg (28 Nov 2022)
+
+- curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
+
+ As OpenSSL's include files are all included using <openssl/*.h> in curl
+ source code, we just risk that existing openssl files will "shadow"
+ include files without path if that path is provided.
+
+ Fixes #9989
+ Closes #9988
+
+- INSTALL: update operating systems and CPU archs
+
+ Update after recent runs on Twitter/Mastodon and my blog
+
+ Closes #9994
+
+Stefan Eissing (28 Nov 2022)
+
+- tls: backends use connection filters for IO, enabling HTTPS-proxy
+
+ - OpenSSL (and compatible)
+ - BearSSL
+ - gnutls
+ - mbedtls
+ - rustls
+ - schannel
+ - secure-transport
+ - wolfSSL (v5.0.0 and newer)
+
+ This leaves only the following without HTTPS-proxy support:
+ - gskit
+ - nss
+ - wolfSSL (versions earlier than v5.0.0)
+
+ Closes #9962
+
+Daniel Stenberg (28 Nov 2022)
+
+- include/curl/curl.h: bump the deprecated requirements to gcc 6.1
+
+ Reported-by: Michael Kaufmann
+ Fixes #9917
+ Closes #9987
+
+Patrick Monnerat (28 Nov 2022)
+
+- mime: relax easy/mime structures binding
+
+ Deprecation and removal of codeset conversion support from the library
+ have released the strict need for an early binding of mime structures to
+ an easy handle (https://github.com/curl/curl/commit/2610142).
+
+ This constraint currently forces to create the handle before the mime
+ structure and the latter cannot be attached to another handle once
+ created (see https://curl.se/mail/lib-2022-08/0027.html).
+
+ This commit removes the handle pointers from the mime structures
+ allowing more flexibility on their use.
+
+ When an easy handle is duplicated, bound mime structures must however
+ still be duplicated too as their components hold send-time dynamic
+ information.
+
+ Closes #9927
+
+fractal-access (26 Nov 2022)
+
+- test416: verify growing FTP file support
+
+ Added setting: RETRSIZE [size] in the <servercmd> section. When set this
+ will cause the test FTP server to return the size set (rather than the
+ actual size) in the acknowledgement from a RETR request.
+
+ Closes #9772
+
+- ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
+
+ When using the option CURLOPT_IGNORE_CONTENT_LENGTH (set.ignorecl in
+ code) to support growing files in FTP, the code should ignore the
+ initial size it gets from the server as this will not be the final size
+ of the file. This is done in ftp_state_quote() to prevent a size request
+ being issued in the initial sequence. However, in a later call to
+ ftp_state_get_resp() the code attempts to get the size of the content
+ again if it doesn't already have it, by parsing the response from the
+ RETR request. This fix prevents this parsing of the response to get the
+ size when the set.ignorecl option is set. This should maintain the size
+ value as -1, unknown, in this situation.
+
+ Closes #9772
+
+Stefan Eissing (26 Nov 2022)
+
+- cfilter: re-add `conn` as parameter to cfilter setup methods
+
+ - `Curl_ssl_get_config()` now returns the first config if no SSL proxy
+ filter is active
+
+ - socket filter starts connection only on first invocation of its
+ connect method
+
+ Fixes #9982
+ Closes #9983
+
+Daniel Stenberg (26 Nov 2022)
+
+- KNOWN_BUGS: remove five FTP related issues
+
+ - "FTP with CONNECT and slow server"
+
+ I believe this is not a problem these days.
+
+ - "FTP with NULs in URL parts"
+
+ The FTP protocol does not support them properly anyway.
+
+ - remove "FTP and empty path parts in the URL"
+
+ I don't think this has ever been reported as a real problem but was only
+ a hypothetical one.
+
+ - "Premature transfer end but healthy control channel"
+
+ This is not a bug, this is an optimization that *could* be performed but is
+ not an actual problem.
+
+ - "FTP without or slow 220 response"
+
+ Instead add to the documentation of the connect timeout that the
+ connection is considered complete at TCP/TLS/QUIC layer.
+
+ Closes #9979
+
+Stefan Eissing (26 Nov 2022)
+
+- tests: add authorityInfoAccess to generated certs
+
+ Generate stunnel.pem as well
+
+ Closes #9980
+
+Daniel Stenberg (25 Nov 2022)
+
+- runtests: --no-debuginfod now disables DEBUGINFOD_URLS
+
+ Prior to this change, DEBUGINFOD_URLS was always disabled by runtests
+ due to a report of it slowing down tests. However, some setups need it
+ to fetch debug symbols, and if it is disabled on those systems then curl
+ tests with valgrind will fail.
+
+ Reported-by: Mark Gaiser
+
+ Ref: #8805
+ Closes #9950
+
+Casey Bodley (25 Nov 2022)
+
+- test/aws_sigv4: test cases for content-sha256
+
+ 1956 adds the sha256 value corresponding to an empty buffer
+ 1957 adds an arbitrary value and confirms that the signature differs from 195
+ 6
+ 1958 adds whitespace to 1957 and confirms that the signature matches 1957
+ 1959 adds a value longer than 'char sha_hex[65]' in Curl_output_aws_sigv4()
+
+ Signed-off-by: Casey Bodley <cbodley@redhat.com>
+
+ Closes #9804
+
+- aws_sigv4: consult x-%s-content-sha256 for payload hash
+
+ `Curl_output_aws_sigv4()` doesn't always have the whole payload in
+ memory to generate a real payload hash. this commit allows the user to
+ pass in a header like `x-amz-content-sha256` to provide their desired
+ payload hash
+
+ some services like s3 require this header, and may support other values
+ like s3's `UNSIGNED-PAYLOAD` and `STREAMING-AWS4-HMAC-SHA256-PAYLOAD`
+ with special semantics. servers use this header's value as the payload
+ hash during signature validation, so it must match what the client uses
+ to generate the signature
+
+ CURLOPT_AWS_SIGV4.3 now describes the content-sha256 interaction
+
+ Signed-off-by: Casey Bodley <cbodley@redhat.com>
+
+ Closes #9804
+
+Philip Heiduck (25 Nov 2022)
+
+- GHA: NSS use clang instead of clang-9
+
+ Closes #9978
+
+Daniel Stenberg (25 Nov 2022)
+
+- RELEASE-NOTES: synced
+
+- tool_operate: override the numeric locale and set "C" by force
+
+ Makes curl always use dot as decimal separator for options,
+ independently of what the locale says. Makes scripts and command lines
+ portable.
+
+ Updated docs accordingly.
+
+ Reported-by: Daniel Faust
+
+ Fixes #9969
+ Closes #9972
+
+- test1662: verify formpost, 301 redirect, no rewind possible
+
+ Reproduces #9735 and verifies the subsequent fix. The original issue
+ uses a pipe that cannot be rewound, but this test case instead sets a
+ callback without rewind ability to get roughly the same properties but
+ being a much more portable test.
+
+- lib: rewind BEFORE request instead of AFTER previous
+
+ This makes a big difference for cases when the rewind is not actually
+ necessary to perofm (for example HTTP response code 301 converts to GET)
+ and therefore the rewind can be avoided. In particular for situations
+ when that rewind fails, for example when reading from a pipe or similar.
+
+ Reported-by: Ali Utku Selen
+
+ Fixes #9735
+ Closes #9958
+
+- vtls: repair build with disabled proxy
+
+ Closes #9974
+
+Daniel Gustafsson (23 Nov 2022)
+
+- packaging: remove traces of deleted files
+
+ Commit a8861b6cc removed packages/DOS but left a few traces of it
+ which broke the distcheck CI. Remove all traces.
+
+ Closes: #9971
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- openssl: silence compiler warning when not using IPv6
+
+ In non-IPv6 builds the conn parameter is unused, and compilers which
+ run with "-Werror=unused-parameter" (or similar) warnings turned on
+ fails to build. Below is an excerpt from a CI job:
+
+ vtls/openssl.c: In function ‘Curl_ossl_verifyhost’:
+ vtls/openssl.c:2016:75: error: unused parameter ‘conn’ [-Werror=unused-
+ parameter]
+ 2016 | CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connec
+ tdata *conn,
+ | ~~~~~~~~~~~~~
+ ~~~~~~~^~~~
+
+ Closes: #9970
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- netware: remove leftover traces
+
+ Commit 3b16575ae938dec2a29454631a12aa52b6ab9c67 removed support for
+ building on Novell Netware, but a few leftover traces remained. This
+ removes the last bits.
+
+ Closes: #9966
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Ryan Schmidt (23 Nov 2022)
+
+- curl_endian: remove Curl_write64_le from header
+
+ The actual function was already removed in 4331c6dc.
+
+ See #7280
+ Closes #9968
+
+Daniel Stenberg (22 Nov 2022)
+
+- docs: add more "SEE ALSO" links to CA related pages
+
+ Closes #9959
+
+- examples: update descriptions
+
+ Make them not say "this is an example showing..." and instead just say
+ what the example shows.
+
+ Closes #9960
+
+Stefan Eissing (22 Nov 2022)
+
+- vtls: localization of state data in filters
+
+ - almost all backend calls pass the Curl_cfilter intance instead of
+ connectdata+sockindex
+ - ssl_connect_data is remove from struct connectdata and made internal
+ to vtls
+ - ssl_connect_data is allocated in the added filter, kept at cf->ctx
+
+ - added function to let a ssl filter access its ssl_primary_config and
+ ssl_config_data this selects the propert subfields in conn and data,
+ for filters added as plain or proxy
+ - adjusted all backends to use the changed api
+ - adjusted all backends to access config data via the exposed
+ functions, no longer using conn or data directly
+
+ cfilter renames for clear purpose:
+
+ - methods `Curl_conn_*(data, conn, sockindex)` work on the complete
+ filter chain at `sockindex` and connection `conn`.
+ - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter
+ instance.
+ - methods `Curl_conn_cf()` work on/with filter instances at a
+ connection.
+ - rebased and resolved some naming conflicts
+ - hostname validation (und session lookup) on SECONDARY use the same
+ name as on FIRST (again).
+
+ new debug macros and removing connectdata from function signatures where not
+ needed.
+
+ adapting schannel for new Curl_read_plain paramter.
+
+ Closes #9919
+
+Daniel Stenberg (22 Nov 2022)
+
+- examples/10-at-a-time: fix possible skipped final transfers
+
+ Prior to this change if curl_multi_perform returned 0 running handles
+ and then all remaining transfers were added, then the perform loop would
+ end immediately without performing those transfers.
+
+ Reported-by: Mikhail Kuznetsov
+
+ Fixes https://github.com/curl/curl/issues/9953
+ Closes https://github.com/curl/curl/pull/9954
+
+Viktor Szakats (22 Nov 2022)
+
+- Makefile.mk: portable Makefile.m32
+
+ Update bare GNU Make `Makefile.m32` to:
+
+ - Move objects into a subdirectory.
+ - Add support for MS-DOS. Tested with DJGPP.
+ - Add support for Watt-32 (on MS-DOS).
+ - Add support for AmigaOS.
+ - Rename `Makefile.m32` to `Makefile.mk`
+ - Replace `ARCH` with `TRIPLET`.
+ - Build `tool_hugehelp.c` proper (when tools are available).
+ - Drop MS-DOS compatibility macro `USE_ZLIB` (replaced by `HAVE_LIBZ`)
+ - Add support for `ZLIB_LIBS` to override `-lz`.
+ - Omit object files when building examples.
+ - Default `CC` to `gcc` once again, for convenience. (Caveat: compiler
+ name `cc` cannot be set now.)
+ - Set `-DCURL_NO_OLDIES` for examples, like autotools does.
+ - Delete `makefile.dj` files. Notice the configuration details and
+ defaults are not retained with the new method.
+ - Delete `makefile.amiga` files. A successful build needs a few custom
+ options. We're also not retaining all build details from the existing
+ Amiga make files.
+ - Rename `Makefile.m32` to `Makefile.mk` to reflect that they are not
+ Windows/MinGW32-specific anymore.
+ - Add support for new `CFG` options: `-map`, `-debug`, `-trackmem`
+ - Set `-DNDEBUG` by default.
+ - Allow using `-DOS=...` in all `lib/config-*.h` headers, syncing this
+ with `config-win32.h`.
+ - Look for zlib parts in `ZLIB_PATH/include` and `ZLIB_PATH/lib`
+ instead of bare `ZLIB_PATH`.
+
+ Note that existing build configurations for MS-DOS and AmigaOS likely
+ become incompatible with this change.
+
+ Example AmigaOS configuration:
+ ```
+ export CROSSPREFIX=/opt/amiga/bin/m68k-amigaos-
+ export CC=gcc
+ export CPPFLAGS='-DHAVE_PROTO_BSDSOCKET_H'
+ export CFLAGS='-mcrt=clib2'
+ export LDFLAGS="${CFLAGS}"
+ export LIBS='-lnet -lm'
+ make -C lib -f Makefile.mk
+ make -C src -f Makefile.mk
+ ```
+
+ Example MS-DOS configuration:
+ ```
+ export CROSSPREFIX=/opt/djgpp/bin/i586-pc-msdosdjgpp-
+ export WATT_PATH=/opt/djgpp/net/watt
+ export ZLIB_PATH=/opt/djgpp
+ export OPENSSL_PATH=/opt/djgpp
+ export OPENSSL_LIBS='-lssl -lcrypt'
+ export CFG=-zlib-ssl
+ make -C lib -f Makefile.mk
+ make -C src -f Makefile.mk
+ ```
+
+ Closes #9764
+
+Stefan Eissing (22 Nov 2022)
+
+- cfiler: filter types have flags indicating what they do
+
+ - Adding Curl_conn_is_ip_connected() to check if network connectivity
+ has been reached
+
+ - having ftp wait for network connectivity before proceeding with
+ transfers.
+
+ Fixes test failures 1631 and 1632 with hyper.
+
+ Closes #9952
+
+Daniel Stenberg (21 Nov 2022)
+
+- RELEASE-NOTES: synced
+
+Jay Satiro (20 Nov 2022)
+
+- sendf: change Curl_read_plain to wrap Curl_recv_plain (take 2)
+
+ Prior to this change Curl_read_plain would attempt to read the
+ socket directly. On Windows that's a problem because recv data may be
+ cached by libcurl and that data is only drained using Curl_recv_plain.
+
+ Rather than rewrite Curl_read_plain to handle cached recv data, I
+ changed it to wrap Curl_recv_plain, in much the same way that
+ Curl_write_plain already wraps Curl_send_plain.
+
+ Curl_read_plain -> Curl_recv_plain
+ Curl_write_plain -> Curl_send_plain
+
+ This fixes a bug in the schannel backend where decryption of arbitrary
+ TLS records fails because cached recv data is never drained. We send
+ data (TLS records formed by Schannel) using Curl_write_plain, which
+ calls Curl_send_plain, and that may do a recv-before-send
+ ("pre-receive") to cache received data. The code calls Curl_read_plain
+ to read data (TLS records from the server), which prior to this change
+ did not call Curl_recv_plain and therefore cached recv data wasn't
+ retrieved, resulting in malformed TLS records and decryption failure
+ (SEC_E_DECRYPT_FAILURE).
+
+ The bug has only been observed during Schannel TLS 1.3 handshakes. Refer
+ to the issue and PR for more information.
+
+ --
+
+ This is take 2 of the original fix. It preserves the original behavior
+ of Curl_read_plain to write 0 to the bytes read parameter on error,
+ since apparently some callers expect that (SOCKS tests were hanging).
+ The original fix which landed in 12e1def5 and was later reverted in
+ 18383fbf failed to work properly because it did not do that.
+
+ Also, it changes Curl_write_plain the same way to complement
+ Curl_read_plain, and it changes Curl_send_plain to return -1 instead of
+ 0 on CURLE_AGAIN to complement Curl_recv_plain.
+
+ Behavior on error with these changes:
+
+ Curl_recv_plain returns -1 and *code receives error code.
+ Curl_send_plain returns -1 and *code receives error code.
+ Curl_read_plain returns error code and *n (bytes read) receives 0.
+ Curl_write_plain returns error code and *written receives 0.
+
+ --
+
+ Ref: https://github.com/curl/curl/issues/9431#issuecomment-1312420361
+
+ Assisted-by: Joel Depooter
+ Reported-by: Egor Pugin
+
+ Fixes https://github.com/curl/curl/issues/9431
+ Closes https://github.com/curl/curl/pull/9949
+
+Sean McArthur (19 Nov 2022)
+
+- hyper: classify headers as CONNECT and 1XX
+
+ Closes #9947
+
+Stefan Eissing (19 Nov 2022)
+
+- ftp: fix "AUTH TLS" on primary conn and for SSL in PASV second conn
+
+ Follow-up to dafdb20a26d0c89
+
+ Reported-by: Anthony Hu
+ Closes #9948
+
+Jay Satiro (19 Nov 2022)
+
+- CURLOPT_POST.3: Explain setting to 0 changes request type
+
+ Bug: https://github.com/curl/curl/issues/9849
+ Reported-by: MonkeybreadSoftware@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/9942
+
+Daniel Stenberg (19 Nov 2022)
+
+- docs/INSTALL.md: expand on static builds
+
+ Remove from KNOWN_BUGS
+
+ Closes #9944
+
+Stefan Eissing (19 Nov 2022)
+
+- http: restore h3 to working condition after connection filter introduction
+
+ Follow-up to dafdb20a26d0c
+
+ HTTP/3 needs a special filter chain, since it does the TLS handling
+ itself. This PR adds special setup handling in the HTTP protocol handler
+ that takes are of it.
+
+ When a handler, in its setup method, installs filters, the default
+ behaviour for managing the filter chain is overridden.
+
+ Reported-by: Karthikdasari0423 on github
+
+ Fixes #9931
+ Closes #9945
+
+Daniel Stenberg (18 Nov 2022)
+
+- urldata: change port num storage to int and unsigned short
+
+ Instead of long.
+
+ Closes #9946
+
+- Revert "sendf: change Curl_read_plain to wrap Curl_recv_plain"
+
+ This reverts commit 12e1def51a75392df62e65490416007d7e68dab9.
+
+ It introduced SOCKS proxy fails, like test 700 never ending.
+
+ Reopens #9431
+
+- HTTP-COOKIES.md: update the 6265bis link to draft-11
+
+ Closes #9940
+
+- docs/WEBSOCKET.md: explain the URL use
+
+ Fixes #9936
+ Closes #9941
+
+Jay Satiro (18 Nov 2022)
+
+- sendf: change Curl_read_plain to wrap Curl_recv_plain
+
+ Prior to this change Curl_read_plain would attempt to read the
+ socket directly. On Windows that's a problem because recv data may be
+ cached by libcurl and that data is only drained using Curl_recv_plain.
+
+ Rather than rewrite Curl_read_plain to handle cached recv data, I
+ changed it to wrap Curl_recv_plain, in much the same way that
+ Curl_write_plain already wraps Curl_send_plain.
+
+ Curl_read_plain -> Curl_recv_plain
+ Curl_write_plain -> Curl_send_plain
+
+ This fixes a bug in the schannel backend where decryption of arbitrary
+ TLS records fails because cached recv data is never drained. We send
+ data (TLS records formed by Schannel) using Curl_write_plain, which
+ calls Curl_send_plain, and that may do a recv-before-send
+ ("pre-receive") to cache received data. The code calls Curl_read_plain
+ to read data (TLS records from the server), which prior to this change
+ did not call Curl_recv_plain and therefore cached recv data wasn't
+ retrieved, resulting in malformed TLS records and decryption failure
+ (SEC_E_DECRYPT_FAILURE).
+
+ The bug has only been observed during Schannel TLS 1.3 handshakes. Refer
+ to the issue and PR for more information.
+
+ Ref: https://github.com/curl/curl/issues/9431#issuecomment-1312420361
+
+ Assisted-by: Joel Depooter
+ Reported-by: Egor Pugin
+
+ Fixes https://github.com/curl/curl/issues/9431
+ Closes https://github.com/curl/curl/pull/9904
+
+- test3026: reduce runtime in legacy mingw builds
+
+ - Load Windows system libraries secur32 and iphlpapi beforehand, so
+ that libcurl's repeated global init/cleanup only increases/decreases
+ the library's refcount rather than causing it to load/unload.
+
+ Assisted-by: Marc Hoersken
+
+ Closes https://github.com/curl/curl/pull/9412
+
+Daniel Stenberg (18 Nov 2022)
+
+- url: move back the IDN conversion of proxy names
+
+ Regression: in commit 53bcf55 we moved the IDN conversion calls to
+ happen before the HSTS checks. But the HSTS checks are only done on the
+ server host name, not the proxy names. By moving the proxy name IDN
+ conversions, we accidentally broke the verbose output showing the proxy
+ name.
+
+ This change moves back the IDN conversions for the proxy names to the
+ place in the code path they were before 53bcf55.
+
+ Reported-by: Andy Stamp
+ Fixes #9937
+ Closes #9939
+
+Alexandre Ferrieux (18 Nov 2022)
+
+- CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
+
+ Fixes #2975
+ Closes #9147
+
+Daniel Stenberg (17 Nov 2022)
+
+- HTTP-COOKIES.md: mention that http://localhost is a secure context
+
+ Reported-by: Trail of Bits
+
+ Closes #9938
+
+- lib: parse numbers with fixed known base 10
+
+ ... instead of using 0 argument that allows decimal, hex or octal when
+ the number is documented and assumed to use base 10.
+
+ Closes #9933
+
+- RELEASE-NOTES: synced
+
+- scripts/delta: adapt to curl.h changes for the opt counter
+
+- cookie: expire cookies at once when max-age is negative
+
+ Update test 329 to verify
+
+ Reported-by: godmar on github
+ Fixes #9930
+ Closes #9932
+
+Stefan Eissing (17 Nov 2022)
+
+- proxy: haproxy filter is only available when PROXY and HTTP are
+
+ Closes #9935
+
+Daniel Stenberg (16 Nov 2022)
+
+- OtherTests.cmake: check for cross-compile, not for toolchain
+
+ Build systems like vcpkg alway sets `CMAKE_TOOLCHAIN_FILE` so it should
+ not be used as a sign that this is a cross-compile.
+
+ Also indented the function correctly.
+
+ Reported-by: Philip Chan
+ Fixes #9921
+ Closes #9923
+
+- ntlm: improve comment for encrypt_des
+
+ Reported-by: Andrei Rybak
+ Fixes #9903
+ Closes #9925
+
+- include/curl/curl.h: bump the deprecated requirements to gcc 5.3
+
+ Reported-by: Stephan Guilloux
+ Fixes #9917
+ Closes #9918
+
+Stefan Eissing (15 Nov 2022)
+
+- proxy: refactor haproxy protocol handling as connection filter
+
+ Closes #9893
+
+Patrick Monnerat (15 Nov 2022)
+
+- lib: feature deprecation warnings in gcc >= 4.3
+
+ Add a deprecated attribute to functions and enum values that should not
+ be used anymore.
+ This uses a gcc 4.3 dialect, thus is only available for this version of
+ gcc and newer. Note that the _Pragma() keyword is introduced by C99, but
+ is available as part of the gcc dialect even when compiling in C89 mode.
+
+ It is still possible to disable deprecation at a calling module compile
+ time by defining CURL_DISABLE_DEPRECATION.
+
+ Gcc type checking macros are made aware of possible deprecations.
+
+ Some testing support Perl programs are adapted to the extended
+ declaration syntax.
+
+ Several test and unit test C programs intentionally use deprecated
+ functions/options and are annotated to not generate a warning.
+
+ New test 1222 checks the deprecation status in doc and header files.
+
+ Closes #9667
+
+Daniel Stenberg (15 Nov 2022)
+
+- log2changes.pl: wrap long lines at 80 columns
+
+ Also, only use author names in the output.
+
+ Fixes #9896
+ Reported-by: John Sherrill
+ Closes #9897
+
+- cfilters: use %zu for outputting size_t
+
+ Detected by Coverity CID 1516894
+
+ Closes #9907
+
+- Curl_closesocket: avoid using 'conn' if NULL
+
+ ... in debug-only code.
+
+ Reported by Coverity CID 1516896
+
+ Closes #9907
+
+- url: only acknowledge fresh_reuse for non-followed transfers
+
+ ... to make sure NTLM auth sticks to the connection it needs, as
+ verified by 2032.
+
+ Follow-up to fa0b9227616e
+
+ Assisted-by: Stefan Eissing
+ Closes #9905
+
+- netrc.d: provide mutext info
+
+ Reported-by: xianghongai on github
+ Fixes #9899
+ Closes #9901
+
+- cmdline-opts/page-footer: remove long option nroff formatting
+
+ As gen.pl adds them
+
+- nroff-scan.pl: detect double highlights
+
+- cmdline-opts/gen.pl: fix the linkifier
+
+ Improved logic for finding existing --options in text and replacing with
+ the full version with nroff syntax. This also makes the web version link
+ options better.
+
+ Reported-by: xianghongai on github
+ Fixes #9899
+ Closes #9902
+
+Patrick Monnerat (14 Nov 2022)
+
+- tool: use feature names instead of bit mask, when possible
+
+ If the run-time libcurl is too old to support feature names, the name
+ array is created locally from the bit masks. This is the only sequence
+ left that uses feature bit masks.
+
+ Closes #9583
+
+- docs: curl_version_info is not thread-safe before libcurl initialization
+
+ Closes #9583
+
+- version: add a feature names array to curl_version_info_data
+
+ Field feature_names contains a null-terminated sorted array of feature
+ names. Bitmask field features is deprecated.
+
+ Documentation is updated. Test 1177 and tests/version-scan.pl updated to
+ match new documentation format and extended to check feature names too.
+
+ Closes #9583
+
+Stefan Eissing (14 Nov 2022)
+
+- negtelnetserver.py: have it call its close() method
+
+ Closes #9894
+
+Nathan Moinvaziri (13 Nov 2022)
+
+- ntlm: silence ubsan warning about copying from null target_info pointer.
+
+ runtime error: null pointer passed as argument 2, which is declared to
+ never be null
+
+ Closes #9898
+
+Daniel Stenberg (12 Nov 2022)
+
+- RELEASE-NOTES: synced
+
+Stefan Eissing (12 Nov 2022)
+
+- Websocket: fixes for partial frames and buffer updates.
+
+ - buffers updated correctly when handling partial frames
+ - callbacks no longer invoked for incomplete payload data of 0 length
+ - curl_ws_recv no longer returns with 0 length partial payload
+
+ Closes #9890
+
+Daniel Stenberg (12 Nov 2022)
+
+- tool_operate: provide better errmsg for -G with bad URL
+
+ If the URL that -G would try to add a query to could not be parsed, it would
+ display
+
+ curl: (27) Out of memory
+
+ It now instead shows:
+
+ curl: (2) Could not parse the URL, failed to set query
+
+ Reported-by: Alex Xu
+ Fixes #9889
+ Closes #9892
+
+- vtls: fix build without proxy support
+
+ Follow-up to dafdb20a26d0c890
+
+ Closes #9895
+
+- tool_getparam: make --no-get work as the opposite of --get
+
+ ... as documented.
+
+ Closes #9891
+
+- http: mark it 'this_is_a_follow' in the Location: logic
+
+ To make regular auth "reloads" to not count as redirects.
+
+ Verified by test 3101
+
+ Fixes #9885
+ Closes #9887
+
+Viktor Szakats (11 Nov 2022)
+
+- config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
+
+ The previously set default value of 8 (64-bit) is only correct for
+ mingw-w64 and only when we set `_FILE_OFFSET_BITS` to 64 (the default
+ when building curl). For MSVC, old MinGW and other Windows compilers,
+ the correct value is 4 (32-bit). Adjust condition accordingly. Also
+ drop the manual override option.
+
+ Regression in 7.86.0 (from 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6)
+
+ Bug: https://github.com/curl/curl/pull/9712#issuecomment-1307330551
+
+ Reported-by: Peter Piekarski
+ Reviewed-by: Jay Satiro
+
+ Closes #9872
+
+Daniel Stenberg (11 Nov 2022)
+
+- lib: remove bad set.opt_no_body assignments
+
+ This struct field MUST remain what the application set it to, so that
+ handle reuse and handle duplication work.
+
+ Instead, the request state bit 'no_body' is introduced for code flows
+ that need to change this in run-time.
+
+ Closes #9888
+
+Stefan Eissing (11 Nov 2022)
+
+- lib: connection filters (cfilter) addition to curl:
+
+ - general construct/destroy in connectdata
+ - default implementations of callback functions
+ - connect: cfilters for connect and accept
+ - socks: cfilter for socks proxying
+ - http_proxy: cfilter for http proxy tunneling
+ - vtls: cfilters for primary and proxy ssl
+ - change in general handling of data/conn
+ - Curl_cfilter_setup() sets up filter chain based on data settings,
+ if none are installed by the protocol handler setup
+ - Curl_cfilter_connect() boot straps filters into `connected` status,
+ used by handlers and multi to reach further stages
+ - Curl_cfilter_is_connected() to check if a conn is connected,
+ e.g. all filters have done their work
+ - Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE
+ indicators for multi select to work
+ - Curl_cfilter_data_pending() asks filters if the have incoming
+ data pending for recv
+ - Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks
+ installed in conn->recv/conn->send for io handling
+ - Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters
+ and addition/removal of a `data` from their connection
+ - adding vtl functions to prevent use of Curl_ssl globals directly
+ in other parts of the code.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9855
+
+- curl-rustls.m4: on macOS, rustls also needs the Security framework
+
+ Closes #9883
+
+Daniel Stenberg (10 Nov 2022)
+
+- rtsp: only store first_host once
+
+ Suggested-by: Erik Janssen
+ URL: https://github.com/curl/curl/pull/9870#issuecomment-1309499744
+ Closes #9882
+
+Fata Nugraha (10 Nov 2022)
+
+- test3028: verify PROXY
+
+- http: do not send PROXY more than once
+
+ Unlike `CONNECT`, currently we don't keep track whether `PROXY` is
+ already sent or not. This causes `PROXY` header to be sent twice during
+ `MSTATE_TUNNELING` and `MSTATE_PROTOCONNECT`.
+
+ Closes #9878
+ Fixes #9442
+
+Jay Satiro (10 Nov 2022)
+
+- lib: add CURL_WRITEFUNC_ERROR to signal write callback error
+
+ Prior to this change if the user wanted to signal an error from their
+ write callbacks they would have to use logic to return a value different
+ from the number of bytes (nmemb) passed to the callback. Also, the
+ inclination of some users has been to just return 0 to signal error,
+ which is incorrect as that may be the number of bytes passed to the
+ callback.
+
+ To remedy this the user can now return CURL_WRITEFUNC_ERROR instead.
+
+ Ref: https://github.com/curl/curl/issues/9873
+
+ Closes https://github.com/curl/curl/pull/9874
+
+Daniel Stenberg (9 Nov 2022)
+
+- Revert "GHA: add scorecard.yml"
+
+ This reverts commit ca76c79b34f9d90105674a2151bf228ff7b13bef.
+
+- GHA: add scorecard.yml
+
+ add a "scorecard" scanner job
+
+Lorenzo Miniero (9 Nov 2022)
+
+- test3100: RTSP Basic authentication
+
+ Closes #9449
+
+Daniel Stenberg (9 Nov 2022)
+
+- rtsp: fix RTSP auth
+
+ Verified with test 3100
+
+ Fixes #4750
+ Closes #9870
+
+- KNOWN_BUGS: remove eight entries
+
+ - 1.2 Multiple methods in a single WWW-Authenticate: header
+
+ This is not considered a bug anymore but a restriction and one that we
+ keep because we have NEVER gotten this reported by users in the wild and
+ because of this I consider this a fringe edge case we don't need to
+ support.
+
+ - 1.6 Unnecessary close when 401 received waiting for 100
+
+ This is not a bug, but possibly an optimization that *can* be done.
+
+ - 1.7 Deflate error after all content was received
+
+ This is not a curl bug. This happens due to broken servers.
+
+ - 2.1 CURLINFO_SSL_VERIFYRESULT has limited support
+
+ This is not a bug. This is just the nature of the implementation.
+
+ - 2.2 DER in keychain
+
+ This is not a bug.
+
+ - 5.7 Visual Studio project gaps
+
+ This is not a bug.
+
+ - 15.14 cmake build is not thread-safe
+
+ Fixed in 109e9730ee5e2b
+
+ - 11.3 Disconnects do not do verbose
+
+ This is not a bug.
+
+ Closes #9871
+
+Hirotaka Tagawa (9 Nov 2022)
+
+- headers: add endif comments
+
+ Closes #9853
+
+Daniel Stenberg (8 Nov 2022)
+
+- test1221: verify --url-query
+
+- curl: add --url-query
+
+ This option adds a piece of data, usually a name + value pair, to the
+ end of the URL query part. The syntax is identical to that used for
+ --data-urlencode with one extension:
+
+ If the argument starts with a '+' (plus), the rest of the string is
+ provided as-is unencoded.
+
+ This allows users to "build" query parts with options and URL encoding
+ even when not doing GET requests, which the already provided option -G
+ (--get) is limited to.
+
+ This idea was born in a Twitter thread.
+
+ Closes #9691
+
+- maketgz: set the right version in lib/libcurl.plist
+
+ Follow-up to e498a9b1fe5964a18eb2a3a99dc52
+
+ Make sure the tarball gets a version of the libcurl.plist file that is
+ updated with the new version string.
+
+ Reported-by: jvreelanda on github
+ Fixes #9866
+ Closes #9867
+
+- RELEASE-NOTES: synced
+
+ Bumped version to 7.87.0
+
+Michael Drake (8 Nov 2022)
+
+- curl.h: add CURLOPT_CA_CACHE_TIMEOUT option
+
+ Adds a new option to control the maximum time that a cached
+ certificate store may be retained for.
+
+ Currently only the OpenSSL backend implements support for
+ caching certificate stores.
+
+ Closes #9620
+
+- openssl: reduce CA certificate bundle reparsing by caching
+
+ Closes #9620
+
+Rose (8 Nov 2022)
+
+- lib: fix some type mismatches and remove unneeded typecasts
+
+ Many of these castings are unneeded if we change the variables to work
+ better with each other.
+
+ Ref: https://github.com/curl/curl/pull/9823
+
+ Closes https://github.com/curl/curl/pull/9835
+
+Daniel Stenberg (8 Nov 2022)
+
+- cookie: compare cookie prefixes case insensitively
+
+ Adapted to language in rfc6265bis draft-11.
+
+ Closes #9863
+
+ Reviewed-by: Daniel Gustafsson
+
+- tool_operate: when aborting, make sure there is a non-NULL error buffer
+
+ To store custom errors in. Or SIGSEGVs will follow.
+
+ Reported-by: Trail of Bits
+ Closes #9865
+
+- WEBSOCKET.md: fix broken link
+
+ Reported-by: Felipe Gasper
+ Bug: https://curl.se/mail/lib-2022-10/0097.html
+ Closes #9864
+
+- CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
+
+ Reported-by: Oskar Sigvardsson
+
+ Bug: https://curl.se/mail/lib-2022-11/0016.html
+
+ Closes #9862
+
+Stefan Eissing (7 Nov 2022)
+
+- websockets: fix handling of partial frames
+
+ buffer used and send length calculations are fixed when a partial
+ websocket frame has been received.
+
+ Closes #9861
+
+Daniel Stenberg (7 Nov 2022)
+
+- mailmap: unify Stefan Eissing
+
+Stefan Eissing (7 Nov 2022)
+
+- hyper: fix handling of hyper_task's when reusing the same address
+
+ Fixes #9840
+ Closes #9860
+
+Jay Satiro (7 Nov 2022)
+
+- ws: return CURLE_NOT_BUILT_IN when websockets not built in
+
+ - Change curl_ws_recv & curl_ws_send to return CURLE_NOT_BUILT_IN when
+ websockets support is not built in.
+
+ Prior to this change they returned CURLE_OK.
+
+ Closes #9851
+
+Daniel Stenberg (7 Nov 2022)
+
+- noproxy: tailmatch like in 7.85.0 and earlier
+
+ A regfression in 7.86.0 (via 1e9a538e05c010) made the tailmatch work
+ differently than before. This restores the logic to how it used to work:
+
+ All names listed in NO_PROXY are tailmatched against the used domain
+ name, if the lengths are identical it needs a full match.
+
+ Update the docs, update test 1614.
+
+ Reported-by: Stuart Henderson
+ Fixes #9842
+ Closes #9858
+
+- configure: require fork for NTLM-WB
+
+ Reported-by: ウさん
+
+ Fixes #9847
+ Closes #9856
+
+- docs/EARLY-RELEASE.md: how to determine an early release
+
+ URL: https://curl.se/mail/lib-2022-10/0079.html
+
+ Closes #9820
+
+- RELEASE-NOTES: synced
+
+Zespre Schmidt (3 Nov 2022)
+
+- docs: add missing parameters for --retry flag
+
+ Closes #9848
+
+Adam Averay (3 Nov 2022)
+
+- libcurl-errors.3: remove duplicate word
+
+ Closes #9846
+
+Eric Vigeant (3 Nov 2022)
+
+- cur_path: do not add '/' if homedir ends with one
+
+ When using SFTP and a path relative to the user home, do not add a
+ trailing '/' to the user home dir if it already ends with one.
+
+ Closes #9844
+
+Viktor Szakats (1 Nov 2022)
+
+- windows: fail early with a missing windres in autotools
+
+ `windres` is not always auto-detected by autotools when building for
+ Windows. When this happened, the build failed with a confusing error due
+ to the empty `RC` command:
+
+ ```
+ /bin/bash ../libtool --tag=RC --mode=compile -I../include -DCURL_EMBED_MANIF
+ EST -i curl.rc -o curl.o
+ [...]
+ Usage: /sandbox/curl/libtool [OPTION]... [MODE-ARG]...
+ Try 'libtool --help' for more information.
+ libtool: error: unrecognised option: '-I../include'
+ ```
+
+ Improve this by verifying if `RC` is set, and fail with a clear error
+ otherwise.
+
+ Follow-up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057
+
+ Ref: https://curl.se/mail/lib-2022-10/0049.html
+ Reported-by: Thomas Glanzmann
+ Closes #9781
+
+- lib: sync guard for Curl_getaddrinfo_ex() definition and use
+
+ `Curl_getaddrinfo_ex()` gets _defined_ with `HAVE_GETADDRINFO` set. But,
+ `hostip4.c` _used_ it with `HAVE_GETADDRINFO_THREADSAFE` set alone. It
+ meant a build with the latter, but without the former flag could result
+ in calling this function but not defining it, and failing to link.
+
+ Patch this by adding an extra check for `HAVE_GETATTRINFO` around the
+ call.
+
+ Before this patch, build systems prevented this condition. Now they
+ don't need to.
+
+ While here, simplify the related CMake logic on Windows by setting
+ `HAVE_GETADDRINFO_THREADSAFE` to the detection result of
+ `HAVE_GETADDRINFO`. This expresses the following intent clearer than
+ the previous patch and keeps the logic in a single block of code:
+ When we have `getaddrinfo()` on Windows, it's always threadsafe.
+
+ Follow-up to 67d88626d44ec04b9e11dca4cfbf62cd29fe9781
+
+ Reviewed-by: Jay Satiro
+ Closes #9734
+
+- tidy-up: process.h detection and use
+
+ This patch aims to cleanup the use of `process.h` header and the macro
+ `HAVE_PROCESS_H` associated with it.
+
+ - `process.h` is always available on Windows. In curl, it is required
+ only for `_beginthreadex()` in `lib/curl_threads.c`.
+
+ - `process.h` is also available in MS-DOS. In curl, its only use was in
+ `lib/smb.c` for `getpid()`. But `getpid()` is in fact declared by
+ `unistd.h`, which is always enabled via `lib/config-dos.h`. So the
+ header is not necessary.
+
+ - `HAVE_PROCESS_H` was detected by CMake, forced to 1 on Windows and
+ left to real detection for other platforms.
+ It was also set to always-on in `lib/config-win32.h` and
+ `lib/config-dos.h`.
+ In autotools builds, there was no detection and the macro was never
+ set.
+
+ Based on these observations, in this patch we:
+
+ - Rework Windows `getpid` logic in `lib/smb.c` to always use the
+ equivalent direct Win32 API function `GetCurrentProcessId()`, as we
+ already did for Windows UWP apps. This makes `process.h` unnecessary
+ here on Windows.
+
+ - Stop #including `process.h` into files where it was not necessary.
+ This is everywhere, except `lib/curl_threads.c`.
+
+ > Strangely enough, `lib/curl_threads.c` compiled fine with autotools
+ > because `process.h` is also indirecty included via `unistd.h`. This
+ > might have been broken in autotools MSVC builds, where the latter
+ > header is missing.
+
+ - Delete all remaining `HAVE_PROCESS_H` feature guards, for they were
+ unnecessary.
+
+ - Delete `HAVE_PROCESS_H` detection from CMake and predefined values
+ from `lib/config-*.h` headers.
+
+ Reviewed-by: Jay Satiro
+ Closes #9703
+
+Daniel Stenberg (1 Nov 2022)
+
+- lib1301: unit103 turned into a libtest
+
+ It is not a unit test so moved over to libtests.
+
+- strcase: use curl_str(n)equal for case insensitive matches
+
+ No point in having two entry points for the same functions.
+
+ Also merged the *safe* function treatment into these so that they can
+ also be used when one or both pointers are NULL.
+
+ Closes #9837
+
+- README.md: remove badges and xmas-tree garnish
+
+ URL: https://curl.se/mail/lib-2022-10/0050.html
+
+ Closes #9833
+
+Patrick Monnerat (1 Nov 2022)
+
+- gen.pl: do not generate CURLHELP bitmask lines > 79 characters
+
+ If a command line option is in many help categories, there is a risk
+ that CURLHELP bitmask source lines generated for listhelp are longer
+ than 79 characters.
+
+ This change takes care of folding such long lines.
+
+ Cloes #9834
+
+Marc Hoersken (30 Oct 2022)
+
+- CI/cirrus: remove superfluous double-quotes and sudo
+
+ Follow up to #9565 and #9677
+ Closes #9738
+
+- tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
+
+ Ref: #9738
+
+Daniel Stenberg (30 Oct 2022)
+
+- style: use space after comment start and before comment end
+
+ /* like this */
+
+ /*not this*/
+
+ checksrc is updated accordingly
+
+ Closes #9828
+
+Patrick Schlangen (30 Oct 2022)
+
+- docs: remove performance note in CURLOPT_SSL_VERIFYPEER
+
+ This note became obsolete since PR #7892 (see also discussion in the PR
+ comments).
+
+ Closes #9832
+
+Daniel Stenberg (30 Oct 2022)
+
+- tests/server: make use of strcasecompare from lib/
+
+ ... instead of having a second private implementation.
+
+ Idea triggered by #9830
+
+ Closes #9831
+
+- curl: timeout in the read callback
+
+ The read callback can timeout if there's nothing to read within the
+ given maximum period. Example use case is when doing "curl -m 3
+ telnet://example.com" or anything else that expects input on stdin or
+ similar that otherwise would "hang" until something happens and then not
+ respect the timeout.
+
+ This fixes KNOWN_BUG 8.1, first filed in July 2009.
+
+ Bug: https://sourceforge.net/p/curl/bugs/846/
+
+ Closes #9815
+
+- noproxy: fix tail-matching
+
+ Also ignore trailing dots in both host name and comparison pattern.
+
+ Regression in 7.86.0 (from 1e9a538e05c0)
+
+ Extended test 1614 to verify better.
+
+ Reported-by: Henning Schild
+ Fixes #9821
+ Closes #9822
+
+- docs: explain the noproxy CIDR notation support
+
+ Follow-up to 1e9a538e05c0107c
+
+ Closes #9818
+
+Jon Rumsey (27 Oct 2022)
+
+- os400: use platform socklen_t in Curl_getnameinfo_a
+
+ Curl_getnameinfo_a() is prototyped before including curl.h as an
+ ASCII'fied wrapper for getnameinfo(), which itself is prototyped with
+ socklen_t arguments, so this should use the platform socklen_t and not
+ curl_socklen_t too.
+
+ Update setup-os400.h
+
+ Fixes #9811
+ Closes #9812
+
+Daniel Stenberg (27 Oct 2022)
+
+- noproxy: also match with adjacent comma
+
+ If the host name is an IP address and the noproxy string contained that
+ IP address with a following comma, it would erroneously not match.
+
+ Extended test 1614 to verify this combo as well.
+
+ Reported-by: Henning Schild
+
+ Fixes #9813
+ Closes #9814
+
+Randall S. Becker (27 Oct 2022)
+
+- build: fix for NonStop
+
+ - Include arpa/inet.h in all units where htonl is called.
+
+ Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
+
+ Closes https://github.com/curl/curl/pull/9816
+
+- system.h: support 64-bit curl_off_t for NonStop 32-bit
+
+ - Correctly define curl_off_t on NonStop (ie __TANDEM) ia64 and x86 for
+ 32-bit builds.
+
+ Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
+
+ Closes https://github.com/curl/curl/pull/9817
+
+Daniel Stenberg (27 Oct 2022)
+
+- spellcheck.words: remove 'github' as an accepted word
+
+ Prefer the properly cased version: GitHub
+
+ Use markdown for links and GitHub in text.
+
+ Closes #9810
+
+Ayesh Karunaratne (27 Oct 2022)
+
+- misc: typo and grammar fixes
+
+ - Replace `Github` with `GitHub`.
+ - Replace `windows` with `Windows`
+ - Replace `advice` with `advise` where a verb is used.
+ - A few fixes on removing repeated words.
+ - Replace `a HTTP` with `an HTTP`
+
+ Closes #9802
+
+Viktor Szakats (27 Oct 2022)
+
+- windows: fix linking .rc to shared curl with autotools
+
+ `./configure --enable-shared --disable-static` fails when trying to link
+ a shared `curl.exe`, due to `libtool` magically changing the output
+ filename of `windres` to one that it doesn't find when linking:
+
+ ```
+ /bin/sh ../libtool --tag=RC --mode=compile windres -I../../curl/include -DCUR
+ L_EMBED_MANIFEST -i ../../curl/src/curl.rc -o curl.o
+ libtool: compile: windres -I../../curl/include -DCURL_EMBED_MANIFEST -i ../.
+ ./curl/src/curl.rc -o .libs/curl.o
+ [...]
+ CCLD curl.exe
+ clang: error: no such file or directory: 'curl.o'
+ ```
+
+ Let's resolve this by skipping `libtool` and calling `windres` directly
+ when building `src` (aka `curl.exe`). Leave `lib` unchanged, as it does
+ need the `libtool` magic. This solution is compatible with building
+ a static `curl.exe`.
+
+ This build scenario is not CI-tested.
+
+ While here, delete an obsolete comment about a permanent `libtool`
+ warning that we've resolved earlier.
+
+ Regression from 6de7322c03d5b4d91576a7d9fc893e03cc9d1057
+
+ Reported-by: Christoph Reiter
+ Fixes #9803
+ Closes #9805
+
+- cmake: really enable warnings with clang
+
+ Even though `PICKY_COMPILER=ON` is the default, warnings were not
+ enabled when using llvm/clang, because `CMAKE_COMPILER_IS_CLANG` was
+ always false (in my tests at least).
+
+ This is the single use of this variable in curl, and in a different
+ place we already use `CMAKE_C_COMPILER_ID MATCHES "Clang"`, which works
+ as expected, so change the condition to use that instead.
+
+ Also fix the warnings uncovered by the above:
+
+ - lib: add casts to silence clang warnings
+
+ - schannel: add casts to silence clang warnings in ALPN code
+
+ Assuming the code is correct, solve the warnings with a cast.
+ This particular build case isn't CI tested.
+
+ There is a chance the warning is relevant for some platforms, perhaps
+ Windows 32-bit ARM7.
+
+ Closes #9783
+
+Joel Depooter (26 Oct 2022)
+
+- sendf: remove unnecessary if condition
+
+ At this point, the psnd->buffer will always exist. We have already
+ allocated a new buffer if one did not previously exist, and returned
+ from the function if the allocation failed.
+
+ Closes #9801
+
+Viktor Szakats (26 Oct 2022)
+
+- winidn: drop WANT_IDN_PROTOTYPES
+
+ `WANT_IDN_PROTOTYPES` was necessary to avoid using a header that came
+ via an optional package. MS stopped distributing this package some
+ years ago and the winidn definitions are part of standard headers (via
+ `windows.h`) since Vista.
+
+ Auto-detect Vista inside `lib/idn_win32.c` and enable the manual
+ definitions if building for an older Windows.
+
+ This allows to delete this manual knob from all build-systems.
+
+ Also drop the `_SAL_VERSION` sub-case:
+
+ Our manual definitions are now only enabled with old systems. We assume
+ that code analysis is not run on such systems, allowing us to delete the
+ SAL-friendly flavour of these.
+
+ Reviewed-by: Jay Satiro
+ Closes #9793
+
+Daniel Stenberg (26 Oct 2022)
+
+- misc: remove duplicated include files
+
+ Closes #9796
+
+- scripts/checksrc.pl: detect duplicated include files
+
+ After an idea by Dan Fandrich in #9794
+
+ Closes #9796
+
+- RELEASE-NOTES: synced
+
+ And bumped version to 7.86.1 for now
+
+- CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE
+
+ The removal is brief or long, don't assume.
+
+ Reported-by: Luca Niccoli
+
+ Fixes #9799
+ Closes #9800
+
+Version 7.86.0 (26 Oct 2022)
+
+Daniel Stenberg (26 Oct 2022)
+
+- RELEASE: synced
+
+ The 7.86.0 release
+
+- THANKS: added from the 7.86.0 release
+
+Viktor Szakats (25 Oct 2022)
+
+- noproxy: include netinet/in.h for htonl()
+
+ Solve the Amiga build warning by including `netinet/in.h`.
+
+ `krb5.c` and `socketpair.c` are using `htonl()` too. This header is
+ already included in those sources.
+
+ Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9787
+
+Marc Hoersken (24 Oct 2022)
+
+- CI: fix AppVeyor status failing for starting jobs
+
+Daniel Stenberg (24 Oct 2022)
+
+- test445: verifies the protocols-over-http-proxy flaw and fix
+
+- http_proxy: restore the protocol pointer on error
+
+ Reported-by: Trail of Bits
+
+ Closes #9790
+
+- multi: remove duplicate include of connect.h
+
+ Reported-by: Martin Strunz
+ Fixes #9794
+ Closes #9795
+
+Daniel Gustafsson (24 Oct 2022)
+
+- idn: fix typo in test description
+
+ s/enabked/enabled/i
+
+Daniel Stenberg (24 Oct 2022)
+
+- url: use IDN decoded names for HSTS checks
+
+ Reported-by: Hiroki Kurosawa
+
+ Closes #9791
+
+- unit1614: fix disabled-proxy build
+
+ Follow-up to 1e9a538e05c01
+
+ Closes #9792
+
+Daniel Gustafsson (24 Oct 2022)
+
+- cookies: optimize control character check
+
+ When checking for invalid octets the strcspn() call will return the
+ position of the first found invalid char or the first NULL byte.
+ This means that we can check the indicated position in the search-
+ string saving a strlen() call.
+
+ Closes: #9736
+ Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
+
+Daniel Stenberg (24 Oct 2022)
+
+- netrc: replace fgets with Curl_get_line
+
+ Make the parser only accept complete lines and avoid problems with
+ overly long lines.
+
+ Reported-by: Hiroki Kurosawa
+
+ Closes #9789
+
+- RELEASE-NOTES: add "Planned upcoming removals include"
+
+ URL: https://curl.se/mail/archive-2022-10/0001.html
+
+ Suggested-by: Dan Fandrich
+
+Viktor Szakats (23 Oct 2022)
+
+- ci: bump to gcc-11 for macos
+
+ Ref: https://github.blog/changelog/2022-10-03-github-actions-jobs-running-on-
+ macos-latest-are-now-running-on-macos-12/
+ Ref: https://github.com/actions/runner-images/blob/main/images/macos/macos-12
+ -Readme.md
+
+ Reviewed-by: Max Dymond
+ Closes #9785
+
+- Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [ci skip]
+
+ - Reintroduce `CROSSPREFIX`:
+
+ If set, we add it to the `CC` and `AR` values, and to the _default_
+ value of `RC`, which is `windres`. This allows to control each of
+ these individidually, while also allowing to simplify configuration
+ via `CROSSPREFIX`.
+
+ This variable worked differently earlier. Hopefully this new solution
+ hits a better compromise in usefulness/complexity/flexibility.
+
+ Follow-up to: aa970c4c08775afcd0c2853be89b0a6f02582d50
+
+ - Enable warnings again:
+
+ This time with an option to override it via `CFLAGS`. Warnings are
+ also enabled by default in CMake, `makefile.dj` and `makefile.amiga`
+ builds (not in autotools though).
+
+ Follow-up to 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3
+
+ Closes #9784
+
+- noproxy: silence unused variable warnings with no ipv6
+
+ Follow-up to 36474f1050c7f4117e3c8de6cc9217cfebfc717d
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9782
+
+Daniel Stenberg (22 Oct 2022)
+
+- test644: verify --xattr (with redirect)
+
+- tool_xattr: save the original URL, not the final redirected one
+
+ Adjusted test 1621 accordingly.
+
+ Reported-by: Viktor Szakats
+ Fixes #9766
+ Closes #9768
+
+- docs: make sure libcurl opts examples pass in long arguments
+
+ Reported-by: Sergey
+ Fixes #9779
+ Closes #9780
+
+Marc Hoersken (21 Oct 2022)
+
+- CI: fix AppVeyor job links only working for most recent build
+
+ Ref: https://github.com/curl/curl/pull/9768#issuecomment-1286675916
+ Reported-by: Daniel Stenberg
+
+ Follow up to #9769
+
+Viktor Szakats (21 Oct 2022)
+
+- noproxy: fix builds without AF_INET6
+
+ Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9778
+
+Daniel Stenberg (21 Oct 2022)
+
+- noproxy: support proxies specified using cidr notation
+
+ For both IPv4 and IPv6 addresses. Now also checks IPv6 addresses "correctly"
+ and not with string comparisons.
+
+ Split out the noproxy checks and functionality into noproxy.c
+
+ Added unit test 1614 to verify checking functions.
+
+ Reported-by: Mathieu Carbonneaux
+
+ Fixes #9773
+ Fixes #5745
+ Closes #9775
+
+- urlapi: remove two variable assigns
+
+ To please scan-build:
+
+ urlapi.c:1163:9: warning: Value stored to 'qlen' is never read
+ qlen = Curl_dyn_len(&enc);
+ ^ ~~~~~~~~~~~~~~~~~~
+ urlapi.c:1164:9: warning: Value stored to 'query' is never read
+ query = u->query = Curl_dyn_ptr(&enc);
+ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ Follow-up to 7d6cf06f571d57
+
+ Closes #9777
+
+Jeremy Maitin-Shepard (21 Oct 2022)
+
+- cmake: improve usability of CMake build as a sub-project
+
+ - Renames `uninstall` -> `curl_uninstall`
+ - Ensures all export rules are guarded by CURL_ENABLE_EXPORT_TARGET
+
+ Closes #9638
+
+Don J Olmstead (21 Oct 2022)
+
+- easy_lock: check for HAVE_STDATOMIC_H as well
+
+ The check for `HAVE_STDATOMIC_H` looks to see if the `stdatomic.h`
+ header is present.
+
+ Closes #9755
+
+Daniel Stenberg (21 Oct 2022)
+
+- RELEASE-NOTES: synced
+
+Brad Harder (20 Oct 2022)
+
+- CURLMOPT_PIPELINING.3: dedup manpage xref
+
+ Closes #9776
+
+Marc Hoersken (20 Oct 2022)
+
+- CI: report AppVeyor build status for each job
+
+ Also give each job on AppVeyor CI a human-readable name.
+
+ This aims to make job and therefore build failures more visible.
+
+ Reviewed-by: Marcel Raad
+ Closes #9769
+
+Viktor Szakats (20 Oct 2022)
+
+- amiga: set SIZEOF_CURL_OFF_T=8 by default [ci skip]
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9771
+
+- connect: fix builds without AF_INET6
+
+ Regression from 2b309560c1e5d6ed5c0e542e6fdffa968b0521c9
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Jay Satiro
+
+ Closes #9770
+
+Daniel Stenberg (20 Oct 2022)
+
+- test1105: adjust <data> to work with a hyper build
+
+ Closes #9767
+
+- urlapi: fix parsing URL without slash with CURLU_URLENCODE
+
+ When CURLU_URLENCODE is set, the parser would mistreat the path
+ component if the URL was specified without a slash like in
+ http://local.test:80?-123
+
+ Extended test 1560 to reproduce and verify the fix.
+
+ Reported-by: Trail of Bits
+
+ Closes #9763
+
+Marc Hoersken (19 Oct 2022)
+
+- tests: avoid CreateThread if _beginthreadex is available
+
+ CreateThread is not threadsafe if mixed with CRT calls.
+ _beginthreadex on the other hand can be mixed with CRT.
+
+ Reviewed-by: Marcel Raad
+ Closes #9705
+
+Joel Depooter (19 Oct 2022)
+
+- schannel: Don't reset recv/send function pointers on renegotiation
+
+ These function pointers will have been set when the initial TLS
+ handshake was completed. If they are unchanged, there is no need to set
+ them again. If they have been changed, as is the case with HTTP/2, we
+ don't want to override that change. That would result in the
+ http22_recv/send functions being completely bypassed.
+
+ Prior to this change a connection that uses Schannel with HTTP/2 would
+ fail on renegotiation with error "Received HTTP/0.9 when not allowed".
+
+ Fixes https://github.com/curl/curl/issues/9451
+ Closes https://github.com/curl/curl/pull/9756
+
+Viktor Szakats (18 Oct 2022)
+
+- hostip: guard PF_INET6 use
+
+ Some platforms (e.g. Amiga OS) do not have `PF_INET6`. Adjust the code
+ for these.
+
+ ```
+ hostip.c: In function 'fetch_addr':
+ hostip.c:308:12: error: 'PF_INET6' undeclared (first use in this function)
+ pf = PF_INET6;
+ ^~~~~~~~
+ ```
+
+ Regression from 1902e8fc511078fb5e26fc2b907b4cce77e1240d
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9760
+
+- amiga: do not hardcode openssl/zlib into the os config [ci skip]
+
+ Enable them in `lib/makefile.amiga` and `src/makefile.amiga` instead.
+
+ This allows builds without openssl and/or zlib. E.g. with the
+ <https://github.com/bebbo/amiga-gcc> cross-compiler.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9762
+
+- amigaos: add missing curl header [ci skip]
+
+ Without it, `CURLcode` and `CURLE_*` are undefined. `lib/hostip.h` and
+ conditional local code need them.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9761
+
+Daniel Stenberg (18 Oct 2022)
+
+- cmdline/docs: add a required 'multi' keyword for each option
+
+ The keyword specifies how option works when specified multiple times:
+
+ - single: the last provided value replaces the earlier ones
+ - append: it supports being provided multiple times
+ - boolean: on/off values
+ - mutex: flag-like option that disable anoter flag
+
+ The 'gen.pl' script then outputs the proper and unified language for
+ each option's multi-use behavior in the generated man page.
+
+ The multi: header is requires in each .d file and will cause build error
+ if missing or set to an unknown value.
+
+ Closes #9759
+
+- CURLOPT_AUTOREFERER.3: highlight the privacy leak risk
+
+ Closes #9757
+
+- mprintf: reject two kinds of precision for the same argument
+
+ An input like "%.*1$.9999d" would first use the precision taken as an
+ argument *and* then the precision specified in the string, which is
+ confusing and wrong. pass1 will now instead return error on this double
+ use.
+
+ Adjusted unit test 1398 to verify
+
+ Reported-by: Peter Goodman
+
+ Closes #9754
+
+- ftp: remove redundant if
+
+ Reported-by: Trail of Bits
+
+ Closes #9753
+
+- tool_operate: more transfer cleanup after parallel transfer fail
+
+ In some circumstances when doing parallel transfers, the
+ single_transfer_cleanup() would not be called and then 'inglob' could
+ leak.
+
+ Test 496 verifies
+
+ Reported-by: Trail of Bits
+ Closes #9749
+
+- mqtt: spell out CONNECT in comments
+
+ Instead of calling it 'CONN' in several comments, use the full and
+ correct protocol packet name.
+
+ Suggested by Trail of Bits
+
+ Closes #9751
+
+- CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST
+
+ Not the deprecated CURLOPT_HTTPPOST option.
+
+ Also added two see-alsos.
+
+ Reported-by: Trail of Bits
+ Closes #9752
+
+- RELEASE-NOTES: synced
+
+Jay Satiro (17 Oct 2022)
+
+- ngtcp2: Fix build errors due to changes in ngtcp2 library
+
+ ngtcp2/ngtcp2@b0d86f60 changed:
+
+ - ngtcp2_conn_get_max_udp_payload_size =>
+ ngtcp2_conn_get_max_tx_udp_payload_size
+
+ - ngtcp2_conn_get_path_max_udp_payload_size =>
+ ngtcp2_conn_get_path_max_tx_udp_payload_size
+
+ ngtcp2/ngtcp2@ec59b873 changed:
+
+ - 'early_data_rejected' member added to ng_callbacks.
+
+ Assisted-by: Daniel Stenberg
+ Reported-by: jurisuk@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/9747
+ Closes https://github.com/curl/curl/pull/9748
+
+Daniel Stenberg (16 Oct 2022)
+
+- curl_path: return error if given a NULL homedir
+
+ Closes #9740
+
+- libssh: if sftp_init fails, don't get the sftp error code
+
+ This flow extracted the wrong code (sftp code instead of ssh code), and
+ the code is sometimes (erroneously) returned as zero anyway, so skip
+ getting it and set a generic error.
+
+ Reported-by: David McLaughlin
+ Fixes #9737
+ Closes #9740
+
+- mqtt: return error for too long topic
+
+ Closes #9744
+
+Rickard Hallerbäck (16 Oct 2022)
+
+- tool_paramhlp: make the max argument a 'double'
+
+ To fix compiler warnings "Implicit conversion from 'long' to 'double'
+ may lose precision"
+
+ Closes #9700
+
+Philip Heiduck (15 Oct 2022)
+
+- cirrus-ci: add more macOS builds with m1 based on x86_64 builds
+
+ Also refactor macOS builds to use task matrix.
+
+ Assisted-by: Marc Hörsken
+ Closes #9565
+
+Viktor Szakats (14 Oct 2022)
+
+- cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows
+
+ `lib/config-win32.h` enables this configuration option unconditionally.
+ Make it apply to CMake builds as well.
+
+ While here, delete a broken check for
+ `HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID` from `CMakeLists.txt`. This came with
+ the initial commit [1], but did not include the actual verification code
+ inside `CMake/CurlTests.c`, so it always failed. A later commit [2]
+ added a second test, for non-Windows platforms.
+
+ Enabling this flag causes test 1056 to fail with CMake builds, as they
+ do with autotools builds. Let's apply the same solution and ignore the
+ results here as well.
+
+ [1] 4c5307b45655ba75ab066564afdc0c111a8b9291
+ [2] aec7c5a87c8482b6ddffa352d7d220698652262e
+
+ Reviewed-by: Daniel Stenberg
+ Assisted-by: Marcel Raad
+
+ Closes #9726
+
+- cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows
+
+ autotools enables this configuration option unconditionally for Windows
+ [^1]. Do the same in CMake.
+
+ The above will make this work for all reasonably recent environments.
+ The logic present in `lib/config-win32.h` [^2] has the following
+ exceptions which we did not cover in this CMake update:
+
+ - Builds targeting Windows 2000 and earlier
+ - MS Visual C++ 5.0 (1997) and earlier
+
+ Also make sure to disable this feature when `HAVE_GETADDRINFO` isn't
+ set, to avoid a broken build. We might want to handle that in the C
+ sources in a future commit.
+
+ [^1]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a5
+ 1f6/m4/curl-functions.m4#L2067-L2070
+
+ [^2]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a5
+ 1f6/lib/config-win32.h#L511-L528
+
+ Closes #9727
+
+- cmake: sync HAVE_SIGNAL detection with autotools
+
+ `HAVE_SIGNAL` means the availability of the `signal()` function in
+ autotools, while in CMake it meant the availability of that function
+ _and_ the symbol `SIGALRM`.
+
+ The latter is not available on Windows, but the function is, which means
+ on Windows, autotools did define `HAVE_SIGNAL`, but CMake did not,
+ introducing a slight difference into the binaries.
+
+ This patch syncs CMake behaviour with autotools to look for the function
+ only.
+
+ The logic came with the initial commit adding CMake support to curl, so
+ the commit history doesn't reveal the reason behind it. In any case,
+ it's best to check the existence of `SIGALRM` directly in the source
+ before use. For now, curl builds fine with `HAVE_SIGNAL` enabled and
+ `SIGALRM` missing.
+
+ Follow-up to 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6
+
+ Closes #9725
+
+- cmake: delete duplicate HAVE_GETADDRINFO test
+
+ A custom `HAVE_GETADDRINFO` check came with the initial CMake commit
+ [1]. A later commit [2] added a standard check for it as well. The
+ standard check run before the custom one, so CMake ignored the latter.
+
+ The custom check was also non-portable, so this patch deletes it in
+ favor of the standard check.
+
+ [1] 4c5307b45655ba75ab066564afdc0c111a8b9291
+ [2] aec7c5a87c8482b6ddffa352d7d220698652262e
+
+ Closes #9731
+
+Daniel Stenberg (14 Oct 2022)
+
+- tool_formparse: unroll the NULL_CHECK and CONST_FREE macros
+
+ To make the code read more obvious
+
+ Assisted-by: Jay Satiro
+
+ Closes #9710
+
+Christopher Sauer (14 Oct 2022)
+
+- docs/INSTALL: update Android Instructions for newer NDKs
+
+ Closes #9732
+
+Daniel Stenberg (14 Oct 2022)
+
+- markdown-uppercase: ignore quoted sections
+
+ Sections within the markdown ~~~ or ``` are now ignored.
+
+ Closes #9733
+
+- RELEASE-NOTES: synced
+
+- test8: update as cookies no longer can have "embedded" TABs in content
+
+- test1105: extend to verify TAB in name/content discarding cookies
+
+- cookie: reject cookie names or content with TAB characters
+
+ TABs in name and content seem allowed by RFC 6265: "the algorithm strips
+ leading and trailing whitespace from the cookie name and value (but
+ maintains internal whitespace)"
+
+ Cookies with TABs in the names are rejected by Firefox and Chrome.
+
+ TABs in content are stripped out by Firefox, while Chrome discards the
+ whole cookie.
+
+ TABs in cookies also cause issues in saved netscape cookie files.
+
+ Reported-by: Trail of Bits
+
+ URL: https://curl.se/mail/lib-2022-10/0032.html
+ URL: https://github.com/httpwg/http-extensions/issues/2262
+
+ Closes #9659
+
+- curl/add_parallel_transfers: better error handling
+
+ 1 - consider the transfer handled at once when in the function, to avoid
+ the same list entry to get added more than once in rare error
+ situations
+
+ 2 - set the ERRORBUFFER for the handle first after it has been added
+ successfully
+
+ Reported-by: Trail of Bits
+
+ Closes #9729
+
+- netrc: remove the two 'changed' arguments
+
+ As no user of these functions used the returned content.
+
+- test495: verify URL encoded user name + netrc-optional
+
+ Reproduced issue #9709
+
+- netrc: use the URL-decoded user
+
+ When the user name is provided in the URL it is URL encoded there, but
+ when used for authentication the encoded version should be used.
+
+ Regression introduced after 7.83.0
+
+ Reported-by: Jonas Haag
+ Fixes #9709
+ Closes #9715
+
+Shaun Mirani (13 Oct 2022)
+
+- url: allow non-HTTPS HSTS-matching for debug builds
+
+ Closes #9728
+
+Daniel Stenberg (13 Oct 2022)
+
+- test1275: remove the check of stderr
+
+ To avoid the mysterious test failures on Windows, instead rely on the
+ error code returned on failure.
+
+ Fixes #9716
+ Closes #9723
+
+Viktor Szakats (13 Oct 2022)
+
+- lib: set more flags in config-win32.h
+
+ The goal is to add any flag that affect the created binary, to get in
+ sync with the ones built with CMake and autotools.
+
+ I took these flags from curl-for-win [0], where they've been tested with
+ mingw-w64 and proven to work well.
+
+ This patch brings them to curl as follows:
+
+ - Enable unconditionally those force-enabled via
+ `CMake/WindowsCache.cmake`:
+
+ - `HAVE_SETJMP_H`
+ - `HAVE_STRING_H`
+ - `HAVE_SIGNAL` (CMake equivalent is `HAVE_SIGNAL_FUNC`)
+
+ - Expand existing guards with mingw-w64:
+
+ - `HAVE_STDBOOL_H`
+ - `HAVE_BOOL_T`
+
+ - Enable Win32 API functions for Windows Vista and later:
+
+ - `HAVE_INET_NTOP`
+ - `HAVE_INET_PTON`
+
+ - Set sizes, if not already set:
+
+ - `SIZEOF_OFF_T = 8`
+ - `_FILE_OFFSET_BITS = 64` when `USE_WIN32_LARGE_FILES` is set,
+ and using mingw-w64.
+
+ - Add the remaining for mingw-w64 only. Feel free to expand as desired:
+
+ - `HAVE_LIBGEN_H`
+ - `HAVE_FTRUNCATE`
+ - `HAVE_BASENAME`
+ - `HAVE_STRTOK_R`
+
+ Future TODO:
+
+ - `HAVE_SIGNAL` has a different meaning in CMake. It's enabled when both
+ the `signal()` function and the `SIGALRM` macro are found. In
+ autotools and this header, it means the function only. For the
+ function alone, CMake uses `HAVE_SIGNAL_FUNC`.
+
+ [0] https://github.com/curl/curl-for-win/blob/c9b9a5f273c94c73d2b565ee892c4df
+ f0ca97a8c/curl-m32.sh#L53-L58
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9712
+
+Daniel Stenberg (13 Oct 2022)
+
+- tests: add tests/markdown-uppercase.pl to dist tarball
+
+ Follow-up to aafb06c5928183d
+
+ Closes #9722
+
+- tool_paramhelp: asserts verify maximum sizes for string loading
+
+ The two defines MAX_FILE2MEMORY and MAX_FILE2STRING define the largest
+ strings accepted when loading files into memory, but as the size is
+ later used as input to functions that take the size as 'int' as
+ argument, the sizes must not be larger than INT_MAX.
+
+ These two new assert()s make the code error out if someone would bump
+ the sizes without this consideration.
+
+ Reported-by Trail of Bits
+
+ Closes #9719
+
+- http: try parsing Retry-After: as a number first
+
+ Since the date parser allows YYYYMMDD as a date format (due to it being
+ a bit too generic for parsing this particular header), a large integer
+ number could wrongly match that pattern and cause the parser to generate
+ a wrong value.
+
+ No date format accepted for this header starts with a decimal number, so
+ by reversing the check and trying a number first we can deduct that if
+ that works, it was not a date.
+
+ Reported-by Trail of Bits
+
+ Closes #9718
+
+Patrick Monnerat (13 Oct 2022)
+
+- doc: fix deprecation versions inconsistencies
+
+ Ref: https://curl.se/mail/lib-2022-10/0026.html
+
+ Closes #9711
+
+Daniel Stenberg (13 Oct 2022)
+
+- http_aws_sigv4: fix strlen() check
+
+ The check was off-by-one leading to buffer overflow.
+
+ Follow-up to 29c4aa00a16872
+
+ Detected by OSS-Fuzz
+
+ Closes #9714
+
+- curl/main_checkfds: check the fcntl return code better
+
+ fcntl() can (in theory) return a non-zero number for success, so a
+ better test for error is checking for -1 explicitly.
+
+ Follow-up to 41e1b30ea1b77e9ff
+
+ Mentioned-by: Dominik Klemba
+
+ Closes #9708
+
+Viktor Szakats (12 Oct 2022)
+
+- tidy-up: delete unused HAVE_STRUCT_POLLFD
+
+ It was only defined in `lib/config-win32.h`, when building for Vista.
+
+ It was only used in `select.h`, in a condition that also included a
+ check for `POLLIN` which is a superior choice for this detection and
+ which was already used by cmake and autotools builds.
+
+ Delete both instances of this macro.
+
+ Closes #9707
+
+Daniel Stenberg (12 Oct 2022)
+
+- test1275: verify upercase after period in markdown
+
+ Script based on the #9474 pull-request logic, but implemented in perl.
+
+ Updated docs/URL-SYNTAX.md accordingly.
+
+ Suggested-by: Dan Fandrich
+
+ Closes #9697
+
+12932 (12 Oct 2022)
+
+- misc: nitpick grammar in comments/docs
+
+ because the 'u' in URL is actually a consonant *sound* it is only
+ correct to write "a URL"
+
+ sorry this is a bit nitpicky :P
+
+ https://english.stackexchange.com/questions/152/when-should-i-use-a-vs-an
+ https://www.techtarget.com/whatis/feature/Which-is-correct-a-URL-or-an-URL
+
+ Closes #9699
+
+Viktor Szakats (11 Oct 2022)
+
+- Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [ci skip]
+
+ This patch aimed to fix a regression [0], where `CC` initialization
+ moved beyond its first use. But, on closer inspection it turned out that
+ the `CC` initialization does not work as expected due to GNU Make
+ filling it with `cc` by default. So unless implicit values were
+ explicitly disabled via a GNU Make option, the default value of
+ `$CROSSPREFIX` + `gcc` was never used. At the same time the implicit
+ value `cc` maps to `gcc` in (most/all?) MinGW envs.
+
+ `AR` has the same issue, with a default value of `ar`.
+
+ We could reintroduce a separate variable to fix this without ill
+ effects, but for simplicity and flexibility, it seems better to drop
+ support for `CROSSPREFIX`, along with our own `CC`/`AR` init logic, and
+ require the caller to initialize `CC`, `AR` and `RC` to the full
+ (prefixed if necessary) names of these tools, as desired.
+
+ We keep `RC ?= windres` because `RC` is empty by default.
+
+ Also fix grammar in a comment.
+
+ [0] 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3
+
+ Closes #9698
+
+- smb: replace CURL_WIN32 with WIN32
+
+ PR #9255 aimed to fix a Cygwin/MSYS issue (#8220). It used the
+ `CURL_WIN32` macro, but that one is not defined here, while compiling
+ curl itself. This patch changes this to `WIN32`, assuming this was the
+ original intent.
+
+ Regression from 1c52e8a3795ccdf8ec9c308f4f8f19cf10ea1f1a
+
+ Reviewed-by: Marcel Raad
+
+ Closes #9701
+
+Matthias Gatto (11 Oct 2022)
+
+- aws_sigv4: fix header computation
+
+ Handle canonical headers and signed headers creation as explained here:
+ https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.
+ html
+
+ The algo tells that signed and canonical must contain at last host and
+ x-amz-date.
+
+ So we check whatever thoses are present in the curl http headers list.
+ If they are, we use the one enter by curl user, otherwise we generate
+ them. then we to lower, and remove space from each http headers plus
+ host and x-amz-date, then sort them all by alphabetical order.
+
+ This patch also fix a bug with host header, which was ignoring the port.
+
+ Closes #7966
+
+Aftab Alam (11 Oct 2022)
+
+- README.md: link the curl logo to the website
+
+ - Link the curl:// image to https://curl.se/
+
+ Closes https://github.com/curl/curl/pull/9675
+
+Dustin Howett (11 Oct 2022)
+
+- schannel: when importing PFX, disable key persistence
+
+ By default, the PFXImportCertStore API persists the key in the user's
+ key store (as though the certificate was being imported for permanent,
+ ongoing use.)
+
+ The documentation specifies that keys that are not to be persisted
+ should be imported with the flag PKCS12_NO_PERSIST_KEY.
+ NOTE: this flag is only supported on versions of Windows newer than XP
+ and Server 2003.
+
+ --
+
+ This is take 2 of the original fix. It extends the lifetime of the
+ client certificate store to that of the credential handle. The original
+ fix which landed in 70d010d and was later reverted in aec8d30 failed to
+ work properly because it did not do that.
+
+ Minor changes were made to the schannel credential context to support
+ closing the client certificate store handle at the end of an SSL session.
+
+ --
+
+ Reported-by: ShadowZzj@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/9300
+ Supersedes https://github.com/curl/curl/pull/9363
+ Closes https://github.com/curl/curl/pull/9460
+
+Viktor Szakats (11 Oct 2022)
+
+- Makefile.m32: support more options [ci skip]
+
+ - Add support for these options:
+ `-wolfssl`, `-wolfssh`, `-mbedtls`, `-libssh`, `-psl`
+
+ Caveats:
+ - `-wolfssh` requires `-wolfssl`.
+ - `-wolfssl` cannot be used with OpenSSL backends in parallel.
+ - `-libssh` has build issues with BoringSSL and LibreSSL, and also
+ what looks like a world-writable-config vulnerability on Windows.
+ Consider it experimental.
+ - `-psl` requires `-idn2` and extra libs passed via
+ `LIBS=-liconv -lunistring`.
+
+ - Detect BoringSSL/wolfSSL and set ngtcp2 crypto lib accordingly.
+ - Generalize MultiSSL detection.
+ - Use else-if syntax. Requires GNU Make 3.81 (2006-04-01).
+ - Document more customization options.
+
+ This brings over some configuration logic from `curl-for-win`.
+
+ Closes #9680
+
+- cmake: enable more detection on Windows
+
+ Enable `HAVE_UNISTD_H`, `HAVE_STRTOK_R` and `HAVE_STRCASECMP` detection
+ on Windows, instead of having predefined values.
+
+ With these features detected correctly, CMake Windows builds get closer
+ to the autotools and `config-win32.h` ones.
+
+ This also fixes detecting `HAVE_FTRUNCATE` correctly, which required
+ `unistd.h`.
+
+ Fixing `ftruncate()` in turn causes a build warning/error with legacy
+ MinGW/MSYS1 due to an offset type size mismatch. This env misses to
+ detect `HAVE_FILE_OFFSET_BITS`, which may be a reason. This patch
+ force-disables `HAVE_FTRUNCATE` for this platform.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9687
+
+- autotools: allow unix sockets on Windows
+
+ Fixes: https://github.com/curl/curl-for-win/blob/73a070d96fd906fdee929e2f1f00
+ a9149fb39239/curl-autotools.sh#L44-L47
+
+ On Windows this feature is present, but not the header used in the
+ detection logic. It also requires an elaborate enabler logic
+ (as seen in `lib/curl_setup.h`). Let's always allow it and let the
+ lib code deal with the details.
+
+ Closes #9688
+
+- cmake: add missing inet_ntop check
+
+ This adds the missing half of the check, next to the other half
+ already present in `lib/curl_config.h.cmake`.
+
+ Force disable `HAVE_INET_NTOP` for old MSVC where it caused compiler
+ warnings.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9689
+
+Daniel Stenberg (11 Oct 2022)
+
+- RELEASE-NOTES: synced
+
+bsergean on github (11 Oct 2022)
+
+- asyn-ares: set hint flags when calling ares_getaddrinfo
+
+ The hint flag is ARES_AI_NUMERICSERV, and it will save a call to
+ getservbyname or getservbyname_r to set it.
+
+ Closes #9694
+
+Daniel Stenberg (11 Oct 2022)
+
+- header.d: add category smtp and imap
+
+ They were previously (erroneously) added manually to tool_listhelp.c
+ which would make them get removed again when the file is updated next
+ time, unless added correctly here in header.d
+
+ Follow-up to 2437fac01
+
+ Closes #9690
+
+- curl/get_url_file_name: use libcurl URL parser
+
+ To avoid URL tricks, use the URL parser for this.
+
+ This update changes curl's behavior slightly in that it will ignore the
+ possible query part from the URL and only use the file name from the
+ actual path from the URL. I consider it a bugfix.
+
+ "curl -O localhost/name?giveme-giveme" will now save the output in the
+ local file named 'name'
+
+ Updated test 1210 to verify
+
+ Assisted-by: Jay Satiro
+
+ Closes #9684
+
+Martin Ågren (11 Oct 2022)
+
+- docs: fix grammar around needing pass phrase
+
+ "You never needed a pass phrase" reads like it's about to be followed by
+ something like "until version so-and-so", but that is not what is
+ intended. Change to "You never need a pass phrase". There are two
+ instances of this text, so make sure to update both.
+
+Xiang Xiao (10 Oct 2022)
+
+- cmake: add the check of HAVE_SOCKETPAIR
+
+ which is used by Curl_socketpair
+
+ Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
+
+ Closes #9686
+
+Daniel Stenberg (10 Oct 2022)
+
+- curl/add_file_name_to_url: use the libcurl URL parser
+
+ instead of the custom error-prone parser, to extract and update the path
+ of the given URL
+
+ Closes #9683
+
+- single_transfer: use the libcurl URL parser when appending query parts
+
+ Instead of doing "manual" error-prone parsing in another place.
+
+ Used when --data contents is added to the URL query when -G is provided.
+
+ Closes #9681
+
+- ws: fix buffer pointer use in the callback loop
+
+ Closes #9678
+
+Petr Štetiar (10 Oct 2022)
+
+- curl-wolfssl.m4: error out if wolfSSL is not usable
+
+ When I explicitly declare, that I would like to have curl built with
+ wolfSSL support using `--with-wolfssl` configure option, then I would
+ expect, that either I endup with curl having that support, for example
+ in form of https support or it wouldn't be available at all.
+
+ Downstream projects like for example OpenWrt build curl wolfSSL variant
+ with `--with-wolfssl` already, but in certain corner cases it does fail:
+
+ configure:25299: checking for wolfSSL_Init in -lwolfssl
+ configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip]
+ In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.
+ h:33,
+ from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_
+ public.h:35,
+ from target-x86_64_musl/usr/include/wolfssl/ssl.h:35,
+ from conftest.c:47:
+ target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal err
+ or: wolfssl/wolfcrypt/sp_int.h: No such file or directory
+ #include <wolfssl/wolfcrypt/sp_int.h>
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ compilation terminated.
+
+ and in the end thus produces curl without https support:
+
+ curl: (1) Protocol "https" not supported or disabled in libcurl
+
+ So fix it, by making the working wolfSSL mandatory and error out in
+ configure step when that's not the case:
+
+ checking for wolfSSL_Init in -lwolfssl... no
+ configure: error: --with-wolfssl but wolfSSL was not found or doesn't work
+
+ References: https://github.com/openwrt/packages/issues/19005
+ References: https://github.com/openwrt/packages/issues/19547
+ Signed-off-by: Petr Štetiar <ynezz@true.cz>
+
+ Closes #9682
+
+Daniel Stenberg (10 Oct 2022)
+
+- tool_getparam: pass in the snprintf("%.*s") string length as 'int'
+
+ Reported by Coverity CID 1515928
+
+ Closes #9679
+
+Paul Seligman (9 Oct 2022)
+
+- ws: minor fixes for web sockets without the CONNECT_ONLY flag
+
+ - Fixed an issue where is_in_callback was getting cleared when using web
+ sockets with debug logging enabled
+ - Ensure the handle is is_in_callback when calling out to fwrite_func
+ - Change the write vs. send_data decision to whether or not the handle
+ is in CONNECT_ONLY mode.
+ - Account for buflen not including the header length in curl_ws_send
+
+ Closes #9665
+
+Marc Hoersken (8 Oct 2022)
+
+- CI/cirrus: merge existing macOS jobs into a job matrix
+
+ Ref: #9627
+ Reviewed-by: Philip H.
+
+ Closes #9672
+
+Daniel Stenberg (8 Oct 2022)
+
+- strcase: add and use Curl_timestrcmp
+
+ This is a strcmp() alternative function for comparing "secrets",
+ designed to take the same time no matter the content to not leak
+ match/non-match info to observers based on how fast it is.
+
+ The time this function takes is only a function of the shortest input
+ string.
+
+ Reported-by: Trail of Bits
+
+ Closes #9658
+
+- tool_getparam: split out data_urlencode() into its own function
+
+ Closes #9673
+
+- connect: fix Curl_updateconninfo for TRNSPRT_UNIX
+
+ Reported-by: Vasiliy Ulyanov
+ Fixes #9664
+ Closes #9670
+
+- ws: fix Coverity complaints
+
+ Coverity pointed out several flaws where variables remained
+ uninitialized after forks.
+
+ Follow-up to e3f335148adc6742728f
+
+ Closes #9666
+
+Marc Hoersken (7 Oct 2022)
+
+- CI/GHA: merge msh3 and openssl3 builds into linux workflow
+
+ Continue work on merging all Linux workflows into one file.
+
+ Follow up to #9501
+ Closes #9646
+
+Daniel Stenberg (7 Oct 2022)
+
+- curl_ws_send.3: call the argument 'fragsize'
+
+ Since WebSocket works with "fragments" not "frames"
+
+ Closes #9668
+
+- easy: avoid Intel error #2312: pointer cast involving 64-bit pointed-to type
+
+ Follow-up to e3f335148adc6742728ff8
+
+ Closes #9669
+
+- tool_main: exit at once if out of file descriptors
+
+ If the main_checkfds function cannot create new file descriptors in an
+ attempt to detect of stdin, stdout or stderr are closed.
+
+ Also changed the check to use fcntl() to check if the descriptors are
+ open, which avoids superfluously calling pipe() if they all already are.
+
+ Follow-up to facfa19cdd4d0094
+
+ Reported-by: Trail of Bits
+
+ Closes #9663
+
+- websockets: remodeled API to support 63 bit frame sizes
+
+ curl_ws_recv() now receives data to fill up the provided buffer, but can
+ return a partial fragment. The function now also get a pointer to a
+ curl_ws_frame struct with metadata that also mentions the offset and
+ total size of the fragment (of which you might be receiving a smaller
+ piece). This way, large incoming fragments will be "streamed" to the
+ application. When the curl_ws_frame struct field 'bytesleft' is 0, the
+ final fragment piece has been delivered.
+
+ curl_ws_recv() was also adjusted to work with a buffer size smaller than
+ the fragment size. (Possibly needless to say as the fragment size can
+ now be 63 bit large).
+
+ curl_ws_send() now supports sending a piece of a fragment, in a
+ streaming manner, in addition to sending the entire fragment in a single
+ call if it is small enough. To send a huge fragment, curl_ws_send() can
+ be used to send it in many small calls by first telling libcurl about
+ the total expected fragment size, and then send the payload in N number
+ of separate invokes and libcurl will stream those over the wire.
+
+ The struct curl_ws_meta() returns is now called 'curl_ws_frame' and it
+ has been extended with two new fields: *offset* and *bytesleft*. To help
+ describe the passed on data chunk when a fragment is delivered in many
+ smaller pieces.
+
+ The documentation has been updated accordingly.
+
+ Closes #9636
+
+Patrick Monnerat (7 Oct 2022)
+
+- docs/examples: avoid deprecated options in examples where possible
+
+ Example programs targeting a deprecated feature/option are commented with
+ a warning about it.
+ Other examples are adapted to not use deprecated options.
+
+ Closes #9661
+
+Viktor Szakats (6 Oct 2022)
+
+- cmake: fix enabling websocket support
+
+ Follow-up from 664249d095275ec532f55dd1752d80c8c1093a77
+
+ Closes #9660
+
+- tidy-up: delete parallel/unused feature flags
+
+ Detecting headers and lib separately makes sense when headers come in
+ variations or with extra ones, but this wasn't the case here. These were
+ duplicate/parallel macros that we had to keep in sync with each other
+ for a working build. This patch leaves a single macro for each of these
+ dependencies:
+
+ - Rely on `HAVE_LIBZ`, delete parallel `HAVE_ZLIB_H`.
+
+ Also delete CMake logic making sure these two were in sync, along with
+ a toggle to turn off that logic, called `CURL_SPECIAL_LIBZ`.
+
+ Also delete stray `HAVE_ZLIB` defines.
+
+ There is also a `USE_ZLIB` variant in `lib/config-dos.h`. This patch
+ retains it for compatibility and deprecates it.
+
+ - Rely on `USE_LIBSSH2`, delete parallel `HAVE_LIBSSH2_H`.
+
+ Also delete `LIBSSH2_WIN32`, `LIBSSH2_LIBRARY` from
+ `winbuild/MakefileBuild.vc`, these have a role when building libssh2
+ itself. And `CURL_USE_LIBSSH`, which had no use at all.
+
+ Also delete stray `HAVE_LIBSSH2` defines.
+
+ - Rely on `USE_LIBSSH`, delete parallel `HAVE_LIBSSH_LIBSSH_H`.
+
+ Also delete `LIBSSH_WIN32`, `LIBSSH_LIBRARY` and `HAVE_LIBSSH` from
+ `winbuild/MakefileBuild.vc`, these were the result of copy-pasting the
+ libssh2 line, and were not having any use.
+
+ - Delete unused `HAVE_LIBPSL_H` and `HAVE_LIBPSL`.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9652
+
+Daniel Stenberg (6 Oct 2022)
+
+- netrc: compare user name case sensitively
+
+ User name comparisions in netrc need to match the case.
+
+ Closes #9657
+
+- CURLOPT_COOKIEFILE: insist on "" for enable-without-file
+
+ The former way that also suggested using a non-existing file to just
+ enable the cookie engine could lead to developers maybe a bit carelessly
+ guessing a file name that will not exist, and then in a future due to
+ circumstances, such a file could be made to exist and then accidentally
+ libcurl would read cookies not actually meant to.
+
+ Reported-by: Trail of bits
+
+ Closes #9654
+
+- tests/Makefile: remove run time stats from ci-test
+
+ The ci-test is the normal makefile target invoked in CI jobs. This has
+ been using the -r option to runtests.pl since a long time, but I find
+ that it mostly just adds many lines to the test output report without
+ anyone caring much about those stats.
+
+ Remove it.
+
+ Closes #9656
+
+Patrick Monnerat (6 Oct 2022)
+
+- tool: reorganize function c_escape around a dynbuf
+
+ This is a bit shorter and a lot safer.
+
+ Substrings of unescaped characters are added by a single call to reduce
+ overhead.
+
+ Extend test 1465 to handle more kind of escapes.
+
+ Closes #9653
+
+Jay Satiro (5 Oct 2022)
+
+- CURLOPT_HTTPPOST.3: bolden the deprecation notice
+
+ Ref: https://github.com/curl/curl/pull/9621
+
+ Closes https://github.com/curl/curl/pull/9637
+
+John Bampton (5 Oct 2022)
+
+- misc: fix spelling in docs and comments
+
+ also: remove outdated sentence
+
+ Closes #9644
+
+Patrick Monnerat (5 Oct 2022)
+
+- tool: avoid generating ambiguous escaped characters in --libcurl
+
+ C string hexadecimal-escaped characters may have more than 2 digits.
+ This results in a wrong C compiler interpretation of a 2-digit escaped
+ character when followed by an hex digit character.
+
+ The solution retained here is to represent such characters as 3-digit
+ octal escapes.
+
+ Adjust and extend test 1465 for this case.
+
+ Closes #9643
+
+Daniel Stenberg (5 Oct 2022)
+
+- configure: the ngtcp2 option should default to 'no'
+
+ While still experimental.
+
+ Bug: https://curl.se/mail/lib-2022-10/0007.html
+ Reported-by: Daniel Hallberg
+
+ Closes #9650
+
+- CURLOPT_MIMEPOST.3: add an (inline) example
+
+ Reported-by: Jay Satiro
+ Bug: https://github.com/curl/curl/pull/9637#issuecomment-1268070723
+
+ Closes #9649
+
+Viktor Szakats (5 Oct 2022)
+
+- Makefile.m32: exclude libs & libpaths for shared mode exes [ci skip]
+
+ Exclude linker flags specifying depedency libs and libpaths, when
+ building against `libcurl.dll`. In such case these options are not
+ necessary (but may cause errors if not/wrongly configured.)
+
+ Also move and reword a comment on `CPPFLAGS` to not apply to
+ `UNICODE` options. These are necessary for all build targets.
+
+ Closes #9651
+
+Jay Satiro (5 Oct 2022)
+
+- runtests: fix uninitialized value on ignored tests
+
+ - Don't show TESTFAIL message (ie tests failed which aren't ignored) if
+ only ignored tests failed.
+
+ Before:
+ IGNORED: failed tests: 571 612 1056
+ TESTDONE: 1214 tests out of 1217 reported OK: 99%
+ Use of uninitialized value $failed in concatenation (.) or string at
+ ./runtests.pl line 6290.
+ TESTFAIL: These test cases failed:
+
+ After:
+ IGNORED: failed tests: 571 612 1056
+ TESTDONE: 1214 tests out of 1217 reported OK: 99%
+
+ Closes https://github.com/curl/curl/pull/9648
+
+- cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS
+
+ - Correct the use of -all-static for static Windows CI builds.
+
+ curl_LDFLAGS was removed from the makefile when metalink support was
+ removed. LDFLAGS=-all-static is passed to make only, because it is not a
+ valid option for configure compilation tests.
+
+ Closes https://github.com/curl/curl/pull/9633
+
+Viktor Szakats (4 Oct 2022)
+
+- Makefile.m32: fix regression with tool_hugehelp [ci skip]
+
+ In a recent commit I mistakenly deleted this logic, after seeing a
+ reference to a filename ending with `.cvs` and thinking it must have
+ been long gone. Turns out this is an existing file. Restore the rule
+ and the necessary `COPY` definitions with it.
+
+ The restored logic is required for a successful build on a bare source
+ tree (as opposed to a source release tarball).
+
+ Also shorten an existing condition similar to the one added in this
+ patch.
+
+ Regression since 07a0047882dd3f1fbf73486c5dd9c15370877ad6
+
+ Closes #9645
+
+- Makefile.m32: deduplicate build rules [ci skip]
+
+ After this patch, we reduce the three copies of most `Makefile.m32`
+ logic to one. This now resides in `lib/Makefile.m32`. It makes future
+ updates easier, the code shorter, with a small amount of added
+ complexity.
+
+ `Makefile.m32` reduction:
+
+ | | bytes | LOC total | blank | comment | code |
+ |-------------------|-------:|----------:|-------:|---------:|------:|
+ | 7.85.0 | 34772 | 1337 | 79 | 192 | 1066 |
+ | before this patch | 17601 | 625 | 62 | 106 | 457 |
+ | after this patch | 11680 | 392 | 52 | 104 | 236 |
+
+ Details:
+
+ - Change rules to create objects for the `v*` subdirs in the `lib` dir.
+ This allows to use a shared compile rule and assumes that filenames
+ are not (and will not be) colliding across these directories.
+ `Makefile.m32` now also stores a list of these subdirs. They are
+ changing rarely though.
+
+ - Sync as much as possible between the three `Makefile.m32` scripts'
+ rules and their source/target sections.
+
+ - After this patch `CPPFLAGS` are all applied to the `src` sources once
+ again. This matches the behaviour of cmake/autotools. Only zlib ones
+ are actually required there.
+
+ - Use `.rc` names from `Makefile.inc` instead of keeping a duplicate.
+
+ - Change examples to link `libcurl.dll` by default. This makes building
+ trivial, even as a cross-build:
+ `CC=x86_64-w64-mingw32-gcc make -f Makefile.m32`
+ To run them, you need to move/copy or add-to-path `libcurl.dll`.
+ You can select static mode via `CFG=-static`.
+
+ - List more of the `Makefile.m32` config variables.
+
+ - Drop `.rc` support from examples. It made it fragile without much
+ benefit.
+
+ - Include a necessary system lib for the `externalsocket.c` example.
+
+ - Exclude unnecessary systems libs when building in `-dyn` mode.
+
+ Closes #9642
+
+Daniel Stenberg (4 Oct 2022)
+
+- RELEASE-NOTES: synced
+
+- CURLOPT_COOKIELIST.3: fix formatting mistake
+
+ Also, updated manpage-syntax.pl to make it detect this error in test
+ 1173.
+
+ Reported-by: ProceduralMan on github
+ Fixes #9639
+ Closes #9640
+
+Jay Satiro (4 Oct 2022)
+
+- connect: change verbose IPv6 address:port to [address]:port
+
+ - Use brackets for the IPv6 address shown in verbose message when the
+ format is address:port so that it is less confusing.
+
+ Before: Trying 2606:4700:4700::1111:443...
+ After: Trying [2606:4700:4700::1111]:443...
+
+ Bug: https://curl.se/mail/archive-2022-02/0041.html
+ Reported-by: David Hu
+
+ Closes #9635
+
+Viktor Szakats (3 Oct 2022)
+
+- Makefile.m32: major rework [ci skip]
+
+ This patch overhauls `Makefile.m32` scripts, fixing a list of quirks,
+ making its behaviour and customization envvars align better with other
+ build systems, aiming for less code, that is easier to read, use and
+ maintain.
+
+ Details:
+ - Rename customization envvars:
+ `CURL_CC` -> `CC`
+ `CURL_RC` -> `RC`
+ `CURL_AR` -> `AR`
+ `CURL_LDFLAG_EXTRAS_DLL` -> `CURL_LDFLAGS_LIB`
+ `CURL_LDFLAG_EXTRAS_EXE` -> `CURL_LDFLAGS_BIN`
+ - Drop `CURL_STRIP` and `CURL_RANLIB`. These tools are no longer used.
+ - Accept `CFLAGS`, `CPPFLAGS`, `RCFLAGS`, `LDFLAGS` and `LIBS` envvars.
+ - Drop `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, `CURL_RCFLAG_EXTRAS` in
+ favor of the above.
+ - Do not automatically enable `zlib` with `libssh2`. `zlib` is optional
+ with `libssh2`.
+ - Omit unnecessary `CPPFLAGS` options when building `curl.exe` and
+ examples.
+ - Drop support for deprecated `-winssl` `CFG` option. Use `-schannel`
+ instead.
+ - Avoid late evaluation where not necessary (`=` -> `:=`).
+ - Drop support for `CURL_DLL_A_SUFFIX` to override the implib suffix.
+ Instead, use the standard naming scheme by default: `libcurl.dll.a`.
+ The toolchain recognizes the name, and selects it automatically when
+ asking for a `-shared` vs. `-static` build.
+ - Stop applying `strip` to `libcurl.a`. Follow-up from
+ 16a58e9f93c7e89e1f87720199388bcfcfa148a4. There was no debug info to
+ strip since then.
+ - Stop setting `-O3`, `-W`, `-Wall` options. You can add these to
+ `CFLAGS` as desired.
+ - Always enable `-DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` with OpenSSL,
+ to avoid that vulnerability on Windows.
+ - Add `-lbrotlicommon` to `LIBS` when using `brotli`.
+ - Do not enable `-nghttp3` without `-ngtcp2`.
+ - `-ssh2` and `-rtmp` options no longer try to auto-select a TLS-backend.
+ You need to set the backend explicitly. This scales better and avoids
+ issues with certain combinations (e.g. `libssh2` + `wolfssl` with no
+ `schannel`).
+ - Default to OpenSSL TLS-backend with `ngtcp2`. Possible to override via
+ `NGTCP2_LIBS`.
+ - Old, alternate method of enabling components (e.g. `SSH2=1`) no longer
+ supported.
+ - Delete `SPNEGO` references. They were no-ops.
+ - Drop support for Win9x environments.
+ - Allow setting `OPENSSL_LIBS` independently from `OPENSSL_LIBPATH`.
+ - Support autotools/CMake `libssh2` builds by default.
+ - Respect `CURL_DLL_SUFFIX` in `-dyn` mode when building `curl.exe` and
+ examples.
+ - Assume standard directory layout with `LIBCARES_PATH`. (Instead of the
+ long gone embedded one.)
+ - Stop static linking with c-ares by default. Add
+ `CPPFLAGS=-DCARES_STATICLIB` to enable it.
+ - Reorganize internal layout to avoid redundancy and emit clean diffs
+ between src/lib and example make files.
+ - Delete unused variables.
+ - Code cleanups/rework.
+ - Comment and indentation fixes.
+
+ Closes #9632
+
+- scripts/release-notes.pl: strip ci skip tag [ci skip]
+
+ Ref: https://github.com/curl/curl/commit/e604a82cae922bf86403a94f5803ac5e4303
+ ae97#commitcomment-85637701
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9634
+
+- Makefile.m32: delete legacy component bits [ci skip]
+
+ - Drop auto-detection of OpenSSL 1.0.2 and earlier. Now always defaulting
+ to OpenSSL 1.1.0 and later, LibreSSL and BoringSSL.
+
+ - Drop `Invalid path to OpenSSL package` detection. OpenSSL has been
+ using a standard file layout since 1.1.0, so this seems unnecessary
+ now.
+
+ - Drop special logic to enable Novell LDAP SDK support.
+
+ - Drop special logic to enable OpenLDAP LDAP SDK support. This seems
+ to be distinct from native OpenLDAP, with support implemented inside
+ `lib/ldap.c` (vs. `lib/openldap.c`) back when the latter did not exist
+ yet in curl.
+
+ - Add `-lwldap32` only if there is no other LDAP library (either native
+ OpenLDAP, or SDKs above) present.
+
+ - Update `doc/INSTALL.md` accordingly.
+
+ After this patch, it's necessary to make configration changes when using
+ OpenSSL 1.0.2 or earlier, or the two LDAP SDKs.
+
+ OpenSSL 1.0.2 and earlier:
+ ```
+ export OPENSSL_INCLUDE = <path-to-openssl>/outinc
+ export OPENSSL_LIBPATH = <path-to-openssl>/out
+ export OPENSSL_LIBS = -lssl32 -leay32 -lgdi32
+ ```
+
+ Novell LDAP SDK, previously enabled via `USE_LDAP_NOVELL=1`:
+ ```
+ export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/inc -DCURL_HAS_NOVELL_LDAPSDK
+ export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib/mscvc -lldapsdk -lldapssl -ll
+ dapx
+ ```
+
+ OpenLDAP LDAP SDK, previously enabled via `USE_LDAP_OPENLDAP=1`:
+ ```
+ export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/include -DCURL_HAS_OPENLDAP_LDAPSD
+ K
+ export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib -lldap -llber
+ ```
+
+ I haven't tested these scenarios, and in general we recommend using
+ a recent OpenSSL release. Also, WinLDAP (the Windows default) and
+ OpenLDAP (via `-DUSE_OPENLDAP`) are the LDAP options actively worked on
+ in curl.
+
+ Closes #9631
+
+Daniel Stenberg (2 Oct 2022)
+
+- vauth/ntlm.h: make line shorter than 80 columns
+
+ Follow-up from 265fbd937
+
+Viktor Szakats (1 Oct 2022)
+
+- docs: update sourceforge project links [ci skip]
+
+ SourceForge projects can now choose between two hostnames, with .io and
+ .net ending. Both support HTTPS by default now. Opening the other variant
+ will perm-redirected to the one chosen by the project.
+
+ The .io -> .net redirection is done insecurely.
+
+ Let's update the URLs to point to the current canonical endpoints to
+ avoid any redirects.
+
+ Closes #9630
+
+Daniel Stenberg (1 Oct 2022)
+
+- curl_url_set.3: document CURLU_APPENDQUERY proper
+
+ Listed among the other supported flags.
+
+ Reported-by: Robby Simpson
+ Fixes #9628
+ Closes #9629
+
+Viktor Szakats (1 Oct 2022)
+
+- Makefile.m32: cleanups and fixes [ci skip]
+
+ - Add `-lcrypt32` once, and add it always for simplicity.
+ - Delete broken link and reference to the pre-Vista WinIDN add-on.
+ MS no longer distribute it.
+ - Delete related `WINIDN_PATH` option. IDN is a system lib since Vista.
+ - Sync `LIBCARES_PATH` default with the rest of dependencies.
+ - Delete version numbers from dependency path defaults.
+ - `libgsasl` package is now called `gsasl`.
+ - Delete `libexpat` and `libxml2` references. No longer used by curl.
+ - Delete `Edit the path below...` comments. We recommend to predefine
+ those envvars instead.
+ - `libcares.a` is not an internal dependency anymore. Stop using it as
+ such.
+ - `windres` `--include-dir` -> `-I`, `-F` -> `--target=` for readability.
+ - Delete `STRIP`, `CURL_STRIP`, `AR` references from `src/Makefile.m32`.
+ They were never used.
+ - Stop to `clean` some objects twice in `src/Makefile.m32`.
+ - Delete cvs-specific leftovers.
+ - Finish resource support in examples make file.
+ - Delete `-I<root>/lib` from examples make file.
+ - Fix copyright start year in examples make file.
+ - Delete duplicate `ftpuploadresume` input in examples make file.
+ - Sync OpenSSL lib order, `SYNC` support, `PROOT` use, dependency path
+ defaults, variables names and other internal bits between the three
+ make files.
+ - `lib/Makefile.m32` accepted custom options via `DLL_LIBS` envvar. This
+ was lib-specific and possibly accidental. Use `CURL_LDFLAG_EXTRAS_DLL`
+ envvar for the same effect.
+ - Fix linking `curl.exe` and examples to wrong static libs with
+ auto-detected OpenSSL 1.0.2 or earlier.
+ - Add `-lgdi32` for OpenSSL 1.0.2 and earlier only.
+ - Add link to Novell LDAP SDK and use a relative default path. Latest
+ version is from 2016, linked to an outdated OpenSSL 1.0.1.
+ - Whitespace and comment cleanups.
+
+ TODO in a next commit:
+
+ Delete built-in detection/logic for OpenSSL 1.0.2 and earlier, the Novell
+ LDAP SDK and the other LDAP SDK (which is _not_ OpenLDAP). Write up the
+ necessary custom envvars to configure them.
+
+ Closes #9616
+
+Daniel Stenberg (30 Sep 2022)
+
+- RELEASE-NOTES: synced
+
+Matt Holt (30 Sep 2022)
+
+- HTTP3.md: update Caddy example
+
+ Closes #9623
+
+Daniel Stenberg (30 Sep 2022)
+
+- easy: fix the altsvc init for curl_easy_duphandle
+
+ It was using the old #ifdef which nothing sets anymore
+
+ Closes #9624
+
+- GHA: build tests in a separate step from the running of them
+
+ ... to make the output smaller for when you want to look at test
+ failures.
+
+ Removed the examples build from msh3
+
+ Closes #9619
+
+Viktor Szakats (29 Sep 2022)
+
+- ldap: delete stray CURL_HAS_MOZILLA_LDAP reference
+
+ Added in 68b215157fdf69612edebdb220b3804822277822, while adding openldap
+ support. This is also the single mention of this constant in the source
+ tree and also in that commit. Based on these, it seems like an accident.
+
+ Delete this reference.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9625
+
+- docs: spelling nits
+
+ - MingW -> MinGW (Minimalist GNU for Windows)
+ - f.e. -> e.g.
+ - some whitespace and punctuation.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9622
+
+Philip Heiduck (29 Sep 2022)
+
+- cirrus-ci: add macOS build with m1
+
+ Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
+
+ Closes #9565
+
+Patrick Monnerat (29 Sep 2022)
+
+- lib: sanitize conditional exclusion around MIME
+
+ The introduction of CURL_DISABLE_MIME came with some additional bugs:
+ - Disabled MIME is compiled-in anyway if SMTP and/or IMAP is enabled.
+ - CURLOPT_MIMEPOST, CURLOPT_MIME_OPTIONS and CURLOPT_HTTPHEADER are
+ conditioned on HTTP, although also needed for SMTP and IMAP MIME mail
+ uploads.
+
+ In addition, the CURLOPT_HTTPHEADER and --header documentation does not
+ mention their use for MIME mail.
+
+ This commit fixes the problems above.
+
+ Closes #9610
+
+Thiago Suchorski (29 Sep 2022)
+
+- docs: minor grammar fixes
+
+ Closes #9609
+
+Daniel Stenberg (28 Sep 2022)
+
+- CURLSHOPT_UNLOCKFUNC.3: the callback as no 'access' argument
+
+ Probably a copy and paste error from the lock function man page.
+
+ Reported-by: Robby Simpson
+ Fixes #9612
+ Closes #9613
+
+- CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five
+
+ ... instead just list the supported encodings.
+
+ Reported-by: ProceduralMan on github
+ Fixes #9614
+ Closes #9615
+
+Dan Fandrich (28 Sep 2022)
+
+- tests: Remove a duplicated keyword
+
+- docs: document more server names for test files
+
+Daniel Stenberg (28 Sep 2022)
+
+- altsvc: reject bad port numbers
+
+ The existing code tried but did not properly reject alternative services
+ using negative or too large port numbers.
+
+ With this fix, the logic now also flushes the old entries immediately
+ before adding a new one, making a following header with an illegal entry
+ not flush the already stored entry.
+
+ Report from the ongoing source code audit by Trail of Bits.
+
+ Adjusted test 356 to verify.
+
+ Closes #9607
+
+- functypes: provide the recv and send arg and return types
+
+ This header is for providing the argument types for recv() and send()
+ when built to not use a dedicated config-[platfor].h file.
+
+ Remove the slow brute-force checks from configure and cmake.
+
+ This change also removes the use of the types for select, as they were
+ not used in code.
+
+ Closes #9592
+
+- urlapi: reject more bad characters from the host name field
+
+ Extended test 1560 to verify
+
+ Report from the ongoing source code audit by Trail of Bits.
+
+ Closes #9608
+
+- configure: deprecate builds with small curl_off_t
+
+ If curl_off_t turns out to be smaller than 8 bytes,
+ --with-n64-deprecated needs to be used to allow the build to
+ continue. This is to highlight the fact that support for such builds is
+ going away next year.
+
+ Also mentioned in DEPRECATED.md
+
+ Closes #9605
+
+Patrick Monnerat (27 Sep 2022)
+
+- http, vauth: always provide Curl_allow_auth_to_host() functionality
+
+ This function is currently located in the lib/http.c module and is
+ therefore disabled by the CURL_DISABLE_HTTP conditional token.
+
+ As it may be called by TLS backends, disabling HTTP results in an
+ undefined reference error at link time.
+
+ Move this function to vauth/vauth.c to always provide it and rename it
+ as Curl_auth_allowed_to_host() to respect the vauth module naming
+ convention.
+
+ Closes #9600
+
+Daniel Stenberg (27 Sep 2022)
+
+- ngtcp2: fix C89 compliance nit
+
+- openssl: make certinfo available for QUIC
+
+ Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that
+ can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC
+ connections as well.
+
+ The *certchain function was moved to the top of the file for this reason.
+
+ Reported-by: Eloy Degen
+ Fixes #9584
+ Closes #9597
+
+- RELEASE-NOTES: synced
+
+- DEPRECATE.md: Support for systems without 64 bit data types
+
+ Closes #9604
+
+Patrick Monnerat (27 Sep 2022)
+
+- tests: skip mime/form tests when mime is not built-in
+
+ Closes #9596
+
+Daniel Stenberg (27 Sep 2022)
+
+- url: rename function due to name-clash in Watt-32
+
+ Follow-up to 2481dbe5f4f58 and applies the change the way it was
+ intended.
+
+Viktor Szakats (26 Sep 2022)
+
+- windows: adjust name of two internal public functions
+
+ According to `docs/INTERNALS.md`, internal function names spanning source
+ files start with uppercase `Curl_`. Bring these two functions in
+ alignment with this.
+
+ This also stops exporting them from `libcurl.dll` in autotools builds.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9598
+
+Gisle Vanem (26 Sep 2022)
+
+- url: rename function due to name-clash in Watt-32
+
+ Since the commit 764c958c52edb427f39, there was a new function called
+ resolve_ip(). This clashes with an internal function in Watt-32.
+
+ Closes #9585
+
+Jay Satiro (26 Sep 2022)
+
+- schannel: ban server ALPN change during recv renegotiation
+
+ By the time schannel_recv is renegotiating the connection, libcurl has
+ already decided on a protocol and it is too late for the server to
+ select a protocol via ALPN except for the originally selected protocol.
+
+ Ref: https://github.com/curl/curl/issues/9451
+
+ Closes https://github.com/curl/curl/pull/9463
+
+Daniel Stenberg (26 Sep 2022)
+
+- url: a zero-length userinfo part in the URL is still a (blank) user
+
+ Adjusted test 1560 to verify
+
+ Reported-by: Jay Satiro
+
+ Fixes #9088
+ Closes #9590
+
+Viktor Szakats (25 Sep 2022)
+
+- autotools: allow --enable-symbol-hiding with windows
+
+ This local autotools logic was put in place in
+ 9e24b9c7afbcb81120af4cf3f6cdee49a06d8224 (in 2012) which disabled it for
+ Windows unconditionally. Testing reveals that it actually works with
+ tested toolchains (mingw-w64 and CI ones), so let's allow this build
+ feature on that platform. Bringing this in sync with CMake, which already
+ supported this.
+
+ Reviewed-by: Jay Satiro
+
+ Closes #9586
+
+- autotools: reduce brute-force when detecting recv/send arg list
+
+ autotools uses brute-force to detect `recv`/`send`/`select` argument
+ lists, by interating through _all_ argument type combinations on each
+ `./configure` run. This logic exists since
+ 01fa02d0b545e1433dced2430561f8c0c72b74a9 (from 2006) and was a bit later
+ extended with Windows support.
+
+ This results in a worst-case number of compile + link cycles as below:
+ - `recv`: 96
+ - `send`: 192
+ - `select`: 60
+ Total: 348 (the number of curl C source files is 195, for comparison)
+
+ Notice that e.g. curl-for-win autotools builds require two `./configure`
+ invocations, doubling these numbers.
+
+ `recv` on Windows was especially unlucky because `SOCKET` (the correct
+ choice there) was listed _last_ in one of the outer trial loops. This
+ resulted in lengthy waits while autotools was trying all invalid
+ combinations first, wasting cycles, disk writes and slowing down
+ iteration.
+
+ This patch reduces the amount of idle work by reordering the tests in
+ a way to succeed first on a well-known platform such as Windows, and
+ also on non-Windows by testing for POSIX prototypes first, on the
+ assumption that these are the most likely candidates these days. (We do
+ not touch `select`, where the order was already optimal for these
+ platforms.)
+
+ For non-Windows, this means to try a return value of `ssize_t` first,
+ then `int`, reordering the buffer argument type to try `void *` first,
+ then `byte *`, and prefer the `const` flavor with `send`. If we are
+ here, also stop testing for `SOCKET` type in non-Windows builds.
+
+ After the patch, detection on Windows is instantaneous. It should also be
+ faster on popular platforms such as Linux and BSD-based ones.
+
+ If there are known-good variations for other platforms, they can also be
+ fast-tracked like above, given a way to check for that platform inside
+ the autotools logic.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9591
+
+Daniel Stenberg (23 Sep 2022)
+
+- TODO: Provide the error body from a CONNECT response
+
+ Spellchecked-by: Jay Satiro
+
+ Closes #9513
+ Closes #9581
+
+Viktor Szakats (23 Sep 2022)
+
+- windows: autotools .rc warnings fixup
+
+ Move `LT_LANG([Windows Resource])` after `XC_LIBTOOL`, fixing:
+
+ - Warnings when running `autoreconf -fi`.
+
+ - Warning when compiling .rc files:
+ libtool: compile: unable to infer tagged configuration
+ libtool: error: specify a tag with '--tag'
+
+ Follow up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057
+ Ref: https://github.com/curl/curl/pull/9521#issuecomment-1256291156
+
+ Suggested-by: Patrick Monnerat
+ Closes #9582
+
+Randall S. Becker (23 Sep 2022)
+
+- curl_setup: disable use of FLOSS for 64-bit NonStop builds
+
+ Older 32-bit builds currently need FLOSS. This dependency may be removed
+ in future OS releases.
+
+ Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
+
+ Closes #9575
+
+Patrick Monnerat (23 Sep 2022)
+
+- tool: remove dead code
+
+ Add a debug assertion to verify protocols included/excluded in a set
+ are always tokenized.
+
+ Follow-up to commit 677266c.
+
+ Closes #9576
+
+- lib: prepare the incoming of additional protocols
+
+ Move the curl_prot_t to its own conditional block. Introduce symbol
+ PROTO_TYPE_SMALL to control it.
+
+ Fix a cast in a curl_prot_t assignment.
+ Remove an outdated comment.
+
+ Follow-up to cd5ca80.
+
+ Closes #9534
+
+Daniel Stenberg (23 Sep 2022)
+
+- msh3: change the static_assert to make the code C89
+
+- bearssl: make it proper C89 compliant
+
+- curl-compilers.m4: for gcc + want warnings, set gnu89 standard
+
+ To better verify that the code is C89
+
+ Closes #9542
+
+Patrick Monnerat (22 Sep 2022)
+
+- lib517: fix C89 constant signedness
+
+ In C89, positive integer literals that overflow an int but not an
+ unsigned int may be understood as a negative int.
+
+ lib517.c:129:3: warning: this decimal constant is unsigned only in ISO C90
+ {"Sun, 06 Nov 2044 08:49:37 GMT", 2362034977 },
+ ^
+
+ Closes #9572
+
+Daniel Stenberg (22 Sep 2022)
+
+- mprintf: use snprintf if available
+
+ This is the single place in libcurl code where it uses the "native"
+ s(n)printf() function. Used for writing floats. The use has been
+ reviewed and vetted and uses a HUGE target buffer, but switching to
+ snprintf() still makes this safer and removes build-time warnings.
+
+ Reported-by: Philip Heiduck
+
+ Fixes #9569
+ Closes #9570
+
+- docs: tag curl options better in man pages
+
+ As it makes them links in the HTML versions.
+
+ Verified by the extended test 1176
+
+- symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6
+
+- manpage-syntax.pl: all libcurl option symbols should be \fI-tagged
+
+ ... as that makes them links to their corresponding man page.
+
+ This script is used for test 1173.
+
+ Closes #9574
+
+- RELEASE-NOTES: synced
+
+Patrick Monnerat (22 Sep 2022)
+
+- tool: remove protocol count limitation
+
+ Replace bit mask protocol sets by null-terminated arrays of protocol
+ tokens. These are the addresses of the protocol names returned by
+ curl_version_info().
+
+ Protocol names are sorted case-insensitively before output to satisfy CI
+ tests matches consistency.
+
+ The protocol list returned by curl_version_info() is augmented with all
+ RTMP protocol variants.
+
+ Test 1401 adjusted for new alpha ordered output.
+
+ Closes #9546
+
+Daniel Stenberg (22 Sep 2022)
+
+- test972: verify the output without using external tool
+
+ It seems too restrictive to assume and use an external tool to verify
+ the JSON. This now verifies the outut byte per byte. We could consider
+ building a local "JSON verifyer" in a future.
+
+ Remove 'jsonlint' from the CI job.
+
+ Reported-by: Marcel Raad
+ Fixes #9563
+ Closes #9564
+
+- hostip: lazily wait to figure out if IPv6 works until needed
+
+ The check may take many milliseconds, so now it is performed once the
+ value is first needed. Also, this change makes sure that the value is
+ not used if the resolve is set to be IPv4-only.
+
+ Closes #9553
+
+- curl.h: fix mention of wrong error code in comment
+
+ The same error and comment were also used and is now corrected in
+ CURLOPT_SSH_KEYFUNCTION.3
+
+- symbol-scan.pl: scan and verify .3 man pages
+
+ This script now also finds all .3 man pages in docs/include and
+ docs/include/opts, extracts all uses of CURL* symbols and verifies that all
+ symbols mentioned in docs are defined in public headers.
+
+ A "global symbol" is one of those matching a known prefix and the script make
+ s
+ an attempt to check all/most of them. Just using *all* symbols that match
+ CURL* proved matching a little too many other references as well and turned
+ difficult turning into something useful.
+
+ Closes #9544
+
+- symbols-in-versions: add missing LIBCURL* symbols
+
+- symbol-scan.pl: also check for LIBCURL* symbols
+
+ Closes #9544
+
+- docs/libcurl/symbols-in-versions: add several missing symbols
+
+- test1119: scan all public headers
+
+ Previously this test only scanned a subset of the headers, which made us
+ accidentally miss symbols that were provided in the others. Now, the script
+ iterates over all headers present in include/curl.
+
+ Closes #9544
+
+Patrick Monnerat (21 Sep 2022)
+
+- examples/chkspeed: improve portability
+
+ The example program chkspeed uses strncasecmp() which is not portable
+ across systems. Replace calls to this function by tests on characters.
+
+ Closes #9562
+
+Daniel Stenberg (21 Sep 2022)
+
+- easy: fix the #include order
+
+ The mentioned "last 3 includes" order should be respected. easy_lock.h should
+ be included before those three.
+
+ Reported-by: Yuriy Chernyshov
+ Fixes #9560
+ Closes #9561
+
+- docs: spellfixes
+
+ Pointed by the new CI job
+
+- GHA: spellcheck
+
+ This spellchecker checks markdown files. For this reason this job
+ converts all man pages in the repository to markdown with pandoc before
+ the check runs.
+
+ The perl script 'cleanspell' filters out details from the man page in
+ the process, to avoid the spellchecker trying to spellcheck things it
+ can't. Like curl specific symbols and the SYNOPSIS and EXAMPLE sections
+ of libcurl man pages.
+
+ The spell checker does not check words in sections that are within pre,
+ strong and em tags.
+
+ 'spellcheck.words' is a custom word list with additional accepted words.
+
+ Closes #9523
+
+- connect: fix the wrong error message on connect failures
+
+ The "Failed to connect to" message after a connection failure would
+ include the strerror message based on the presumed previous socket
+ error, but in times it seems that error number is not set when reaching
+ this code and therefore it would include the wrong error message.
+
+ The strerror message is now removed from here and the curl_easy_strerror
+ error is used instead.
+
+ Reported-by: Edoardo Lolletti
+ Fixes #9549
+ Closes #9554
+
+- httpput-postfields.c: shorten string for C89 compliance
+
+ httpput-postfields.c:41:3: error: string length ‘522’ is greater than the
+ length ‘509’ ISO C90 compilers are required to support [-Woverlength-str
+ ings]
+ 41 | "this chapter.";
+ | ^~~~~~~~~~~~~~~
+
+ Closes #9555
+
+- ws: fix a C89 compliance nit
+
+ Closes #9541
+
+Patrick Monnerat (21 Sep 2022)
+
+- unit test 1655: make it C89-compliant
+
+ Initializations performed in unit test 1655 use automatic variables in
+ aggregates and thus can only be computed at run-time. Using gcc in C89
+ dialect mode produces warning messages like:
+
+ unit1655.c:96:7: warning: initializer element is not computable at load time
+ [-Wpedantic]
+ 96 | { toolong, DOH_DNS_NAME_TOO_LONG }, /* expect early failure */
+ | ^~~~~~~
+
+ Fix the problem by converting these automatic pointer variables to
+ static arrays.
+
+ Closes #9551
+
+Tobias Schaefer (20 Sep 2022)
+
+- curl_strequal.3: fix typo
+
+ Closes #9548
+
+Dmitry Karpov (20 Sep 2022)
+
+- resolve: make forced IPv4 resolve only use A queries
+
+ This protects IPv4-only transfers from undesired bad IPv6-related side
+ effects and make IPv4 transfers in dual-stack libcurl behave the same
+ way as in IPv4 single-stack libcurl.
+
+ Closes #9540
+
+Daniel Stenberg (20 Sep 2022)
+
+- RELEASE-NOTES: synced
+
+- winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths
+
+ Patched-by: Mark Itzcovitz
+ Bug: https://curl.se/mail/lib-2022-09/0038.html
+
+ Closes #9536
+
+- TODO: Reduce CA certificate bundle reparsing
+
+ By adding some sort of cache.
+
+ Reported-by: Michael Drake
+ Closes #9379
+ Closes #9538
+
+Marc Hoersken (19 Sep 2022)
+
+- CI/GHA: cancel outdated CI runs on new PR changes
+
+ Avoid letting outdated CI runs continue if a PR receives
+ new changes. Outside a PR we let them continue running
+ by tying the concurrency to the commit hash instead.
+
+ Also only let one CodeQL or Hacktoberfest job run at a time.
+
+ Other CI platforms we use have this build in, but GitHub
+ unfortunately neither by default nor with a simple option.
+
+ This saves CI resources and therefore a little energy.
+
+ Approved-by: Daniel Stenberg
+ Approved-by: Max Dymond
+ Closes #9533
+
+Daniel Stenberg (19 Sep 2022)
+
+- docs: fix proselint complaints
+
+- GHA: run proselint on markdown files
+
+ Co-authored-by: Marc Hörsken
+
+ Closes #9520
+
+- lib: the number four in a sequence is the "fourth"
+
+ Spelling is hard
+
+ Closes #9535
+
+John Bampton (19 Sep 2022)
+
+- misc: fix spelling in two source files
+
+ Closes #9529
+
+Viktor Szakats (18 Sep 2022)
+
+- windows: add .rc support to autotools builds
+
+ After this update autotools builds will compile and link `.rc` resources
+ to Windows executables. Bringing this feature on par with CMake and
+ Makefile.m32 builds. And also making it unnecessary to improvise these
+ steps manually, while monkey patching build files, e.g. [0].
+
+ You can customize the resource compiler via the `RC` envvar, and its
+ options via `RCFLAGS`.
+
+ This harmless warning may appear throughout the build, even though the
+ autotools manual documents [1] `RC` as a valid tag, and it fails when
+ omitting one:
+ `libtool: error: ignoring unknown tag RC`
+
+ [0] https://github.com/curl/curl-for-win/blob/535f19060d4b708f72e75dd849409ce
+ 50baa1b84/curl-autotools.sh#L376-L382
+ [1] https://www.gnu.org/software/libtool/manual/html_node/Tags.html
+
+ Closes #9521
+
+Marc Hoersken (18 Sep 2022)
+
+- CI/linkcheck: only run if a Markdown file is changed
+
+ This saves CI resources and therefore a little energy.
+
+ Reviewed-by: Max Dymond
+ Closes #9531
+
+- README.md: add GHA status badges for Linux and macOS builds
+
+ This makes sense now that Linux builds are being consolidated.
+
+ Approved-by: Daniel Stenberg
+ Closes #9530
+
+ [skip ci]
+
+Daniel Stenberg (17 Sep 2022)
+
+- misc: null-terminate
+
+ Make use of this term consistently.
+
+ Closes #9527
+
+Marc Hoersken (17 Sep 2022)
+
+- CI/GHA: merge intel CC and more TLS libs into linux workflow
+
+ Continue work on merging all Linux workflows into one file.
+
+ Reviewed-by: Max Dymond
+ Follow up to #9501
+ Closes #9514
+
+Patrick Monnerat (17 Sep 2022)
+
+- lib1597: make it C89-compliant again
+
+ Automatic variable addresses cannot be used in an initialisation
+ aggregate.
+
+ Follow-up to 9d51329
+
+ Reported-by: Daniel Stenberg
+ Fixes: #9524
+ Closes #9525
+
+Daniel Stenberg (17 Sep 2022)
+
+- tool_libinfo: silence "different 'const' qualifiers" in qsort()
+
+ MSVC 15.0.30729.1 warned about it
+
+ Follow-up to dd2a024323dcc
+
+ Closes #9522
+
+Patrick Monnerat (16 Sep 2022)
+
+- docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR.
+
+ Disabled protocols are now handled as if they were unknown.
+ Also update the possible protocol list.
+
+- cli tool: do not use disabled protocols
+
+ As they are now rejected by the library, take care of not passing
+ disabled protocol names to CURLOPT_PROTOCOLS_STR and
+ CURLOPT_REDIR_PROTOCOLS_STR.
+
+ Rather than using the CURLPROTO_* constants, dynamically assign protocol
+ numbers based on the order they are listed by curl_version_info().
+
+ New type proto_set_t implements prototype bit masks: it should therefore
+ be large enough to accomodate all library-enabled protocols. If not,
+ protocol numbers beyond the bit count of proto_set_t are recognized but
+ "inaccessible": when used, a warning is displayed and the value is
+ ignored. Should proto_set_t overflows, enabled protocols are reordered to
+ force those having a public CURLPROTO_* representation to be accessible.
+
+ Code has been added to subordinate RTMP?* protocols to the presence of
+ RTMP in the enabled protocol list, being returned by curl_version_info()
+ or not.
+
+- setopt: use the handler table for protocol name to number conversions
+
+ This also returns error CURLE_UNSUPPORTED_PROTOCOL rather than
+ CURLE_BAD_FUNCTION_ARGUMENT when a listed protocol name is not found.
+
+ A new schemelen parameter is added to Curl_builtin_scheme() to support
+ this extended use.
+
+ Note that disabled protocols are not recognized anymore.
+
+ Tests adapted accordingly.
+
+ Closes #9472
+
+Daniel Stenberg (16 Sep 2022)
+
+- altsvc: use 'h3' for h3
+
+ Since the official and real version has been out for a while now and servers
+ are deployed out there using it, there is no point in sticking to h3-29.
+
+ Reported-by: ウさん
+ Fixes #9515
+ Closes #9516
+
+chemodax (16 Sep 2022)
+
+- winbuild: Use NMake batch-rules for compilation
+
+ - Invoke cl compiler once for each group of .c files.
+
+ This is significantly improves compilation time. For example in my
+ environment: 40 s --> 20 s.
+
+ Prior to this change cl was invoked per .c file.
+
+ Closes https://github.com/curl/curl/pull/9512
+
+Daniel Stenberg (16 Sep 2022)
+
+- ws: the infof() flags should be %zu
+
+ Follow-up to e5e9e0c5e49ae0
+
+ Closes #9518
+
+- curl: warn for --ssl use, considered insecure
+
+ Closes #9519
+
+Sergey Bronnikov (16 Sep 2022)
+
+- curl_escape.3: fix typo
+
+ lengthf -> length
+
+ Closes #9517
+
+Daniel Stenberg (16 Sep 2022)
+
+- mailmap: merge Philip Heiduck's two addresses into one
+
+- test1948: verify PUT + POST reusing the same handle
+
+ Reproduced #9507, verifies the fix
+
+- setopt: when POST is set, reset the 'upload' field
+
+ Reported-by: RobBotic1 on github
+ Fixes #9507
+ Closes #9511
+
+Marc Hoersken (15 Sep 2022)
+
+- github: initial CODEOWNERS setup for CI configuration
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Max Dymond
+
+ Closes #9505
+
+ [skip ci]
+
+Philip Heiduck (15 Sep 2022)
+
+- CI: optimize some more dependencies install
+
+ Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan>
+
+ Closes #9500
+
+Marc Hoersken (15 Sep 2022)
+
+- CI/GHA: merge event-based and NSS into new linux workflow
+
+ Continue work on merging all Linux workflows into one file.
+
+ Follow up to #9501
+ Closes #9506
+
+Daniel Stenberg (15 Sep 2022)
+
+- include/curl/websockets.h: add extern "C" for C++
+
+ Reported-by: n0name321 on github
+ Fixes #9509
+ Closes #9510
+
+- lib1560: extended to verify detect/reject of unknown schemes
+
+ ... when no guessing is allowed.
+
+- urlapi: detect scheme better when not guessing
+
+ When the parser is not allowed to guess scheme, it should consider the
+ word ending at the first colon to be the scheme, independently of number
+ of slashes.
+
+ The parser now checks that the scheme is known before it counts slashes,
+ to improve the error messge for URLs with unknown schemes and maybe no
+ slashes.
+
+ When following redirects, no scheme guessing is allowed and therefore
+ this change effectively prevents redirects to unknown schemes such as
+ "data".
+
+ Fixes #9503
+
+- strerror: improve two URL API error messages
+
+Marc Hoersken (14 Sep 2022)
+
+- CI/GHA: merge bearssl and hyper into initial linux workflow
+
+ Begin work on merging all Linux workflows into one file.
+
+ Closes #9501
+
+Daniel Stenberg (14 Sep 2022)
+
+- RELEASE-NOTES: synced
+
+- cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h
+
+ Since the config file might also get included by the tool code at times.
+ This syncs with how other builds do it.
+
+ Closes #9498
+
+- tool_hugehelp: make hugehelp a blank macro when disabled
+
+ Closes #9485
+
+- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
+
+ ... to improve the output in this situation. Now it doesn't say "option
+ unknown" anymore.
+
+ Closes #9485
+
+- setopt: fix compiler warning
+
+ Follow-up to cd5ca80f00d2
+
+ closes #9502
+
+Philip Heiduck (13 Sep 2022)
+
+- CI: skip make, do make install at once for dependencies
+
+ Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan>
+
+ Closes #9477
+
+Daniel Stenberg (13 Sep 2022)
+
+- formdata: typecast the va_arg return value
+
+ To avoid "enumerated type mixed with another type" warnings
+
+ Follow-up from 0f52dd5fd5aa3592691a
+
+ Closes #9499
+
+- RELEASE-PROCEDURE.md: mention patch releases
+
+ - When to make them and how to argue for them
+ - Refreshed the release date list
+
+ Closes #9495
+
+- urldata: use a curl_prot_t type for storing protocol bits
+
+ This internal-use-only storage type can be bumped to a curl_off_t once
+ we need to use bit 32 as the previous 'unsigned int' can no longer hold
+ them all then.
+
+ The websocket protocols take bit 30 and 31 so they are the last ones
+ that fit within 32 bits - but cannot properly be exported through APIs
+ since those use *signed* 32 bit types (long) in places.
+
+ Closes #9481
+
+zhanghu on xiaomi (13 Sep 2022)
+
+- formdata: fix warning: 'CURLformoption' is promoted to 'int'
+
+ curl/lib/formdata.c: In function 'FormAdd':
+ curl/lib/formdata.c:249:31: warning: 'CURLformoption' is promoted to 'int' wh
+ en passed through '...'
+ 249 | option = va_arg(params, CURLformoption);
+ | ^
+ curl/lib/formdata.c:249:31: note: (so you should pass 'int' not 'CURLformopti
+ on' to 'va_arg')
+ curl/lib/formdata.c:249:31: note: if this code is reached, the program will a
+ bort
+
+ Closes #9484
+
+Daniel Stenberg (13 Sep 2022)
+
+- CURLOPT_CONNECT_ONLY.3: for ws(s) as well
+
+ and correct the version number for when that support comes. Even if it
+ is still experimental for WebSocket.
+
+ Closes #9487
+
+- tool_operate: avoid a few #ifdefs for disabled-libcurl builds
+
+ By providing empty macros in the header file instead, the code gets
+ easier to read and yet is disabled on demand.
+
+ Closes #9486
+
+a1346054 on github (13 Sep 2022)
+
+- scripts: use `grep -E` instead of `egrep`
+
+ egrep is deprecated
+
+ Closes #9491
+
+Hayden Roche (13 Sep 2022)
+
+- wolfSSL: fix session management bug.
+
+ Prior to this commit, non-persistent pointers were being used to store
+ sessions. When a WOLFSSL object was then freed, that freed the session
+ it owned, and thus invalidated the pointer held in curl's cache. This
+ commit makes it so we get a persistent (deep copied) session pointer
+ that we then add to the cache. Accordingly, wolfssl_session_free, which
+ was previously a no-op, now needs to actually call SSL_SESSION_free.
+
+ This bug was discovered by a wolfSSL customer.
+
+ Closes #9492
+
+Daniel Stenberg (13 Sep 2022)
+
+- docs: use "WebSocket" in singular
+
+ This is how the RFC calls the protocol. Also rename the file in docs/ to
+ WEBSOCKET.md in uppercase to match how we have done it for many other
+ protocol docs in similar fashion.
+
+ Add the WebSocket docs to the tarball.
+
+ Closes #9496
+
+Marcel Raad (12 Sep 2022)
+
+- ws: fix build without `USE_WEBSOCKETS`
+
+ The curl.h include is required unconditionally.
+
+- ws: add missing curl.h include
+
+ A conflict between commits 664249d0952 and e5839f4ee70 broke the build.
+
+Daniel Stenberg (12 Sep 2022)
+
+- ws: fix an infof() call to use %uz for size_t output
+
+ Detected by Coverity, CID 1514665.
+
+ Closes #9480
+
+Marcel Raad (12 Sep 2022)
+
+- curl_setup: include only system.h instead of curl.h
+
+ As done before commit 9506d01ee50.
+
+ Ref: https://github.com/curl/curl/pull/9375#discussion_r957010158
+ Closes https://github.com/curl/curl/pull/9453
+
+- lib: add missing limits.h includes
+
+ Closes https://github.com/curl/curl/pull/9453
+
+- lib and tests: add missing curl.h includes
+
+ Closes https://github.com/curl/curl/pull/9453
+
+- curl_setup: include curl.h after platform setup headers
+
+ The platform setup headers might set definitions required for the
+ includes in curl.h.
+
+ Ref: https://github.com/curl/curl/pull/9375#discussion_r956998269
+ Closes https://github.com/curl/curl/pull/9453
+
+Benjamin Loison (12 Sep 2022)
+
+- docs: correct missing uppercase in Markdown files
+
+ To detect these typos I used:
+
+ ```
+ clear && grep -rn '\. [a-z]' . | uniq | grep -v '\. lib' | grep -v '[0-9]\. [
+ a-z]' | grep -v '\.\. [a-z]' | grep -v '\. curl' | grep -v 'e.g. [a-z]' | gre
+ p -v 'eg. [a-z]' | grep -v '\etc. [a-z]' | grep -v 'i.e\. [a-z]' | grep --col
+ or=always '\. [a-z]' | grep '\.md'
+ ```
+
+ Closes #9474
+
+Daniel Stenberg (12 Sep 2022)
+
+- tool_setopt: use better English in --libcurl source comments
+
+ Like this:
+
+ XYZ was set to an object pointer
+ ABC was set to a function pointer
+
+ Closes #9475
+
+- setopt: make protocol2num use a curl_off_t for the protocol bit
+
+ ... since WSS does not fit within 32 bit.
+
+ Bug: https://github.com/curl/curl/pull/9467#issuecomment-1243014887
+ Closes #9476
+
+- RELEASE-NOTES: synced
+
+- configure: polish the grep -E message a bit further
+
+ Suggested-by: Emanuele Torre
+ Closes #9473
+
+- GHA: add a gcc-11 -O3 build using OpenSSL
+
+ Since -O3 might trigger other warnings
+
+ Closes #9454
+
+Patrick Monnerat (11 Sep 2022)
+
+- content_encoding: use writer struct subclasses for different encodings
+
+ The variable-sized encoding-specific storage of a struct contenc_writer
+ currently relies on void * alignment that may be insufficient with
+ regards to the specific storage fields, although having not caused any
+ problems yet.
+
+ In addition, gcc 11.3 issues a warning on access to fields of partially
+ allocated structures that can occur when the specific storage size is 0:
+
+ content_encoding.c: In function ‘Curl_build_unencoding_stack’:
+ content_encoding.c:980:21: warning: array subscript ‘struct contenc_write
+ r[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Warray-bo
+ unds]
+ 980 | writer->handler = handler;
+ | ~~~~~~~~~~~~~~~~^~~~~~~~~
+ In file included from content_encoding.c:49:
+ memdebug.h:115:29: note: referencing an object of size 16 allocated by ‘c
+ url_dbg_calloc’
+ 115 | #define calloc(nbelem,size) curl_dbg_calloc(nbelem, size, __LINE__,
+ __FILE__)
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~~~~~~~~~~
+ content_encoding.c:977:60: note: in expansion of macro ‘calloc’
+ 977 | struct contenc_writer *writer = (struct contenc_writer *)calloc(1
+ , sz);
+
+ To solve both these problems, the current commit replaces the
+ contenc_writer/params structure pairs by "subclasses" of struct
+ contenc_writer. These are structures that contain a contenc_writer at
+ offset 0. Proper field alignment is therefore handled by the compiler and
+ full structure allocation is performed, silencing the warnings.
+
+ Closes #9455
+
+Daniel Stenberg (11 Sep 2022)
+
+- configure: correct the wording when checking grep -E
+
+ The check first checks that grep -E works, and only as a fallback tries
+ to find and use egrep. egrep is deprecated.
+
+ This change only corrects the output wording, not the checks themselves.
+
+ Closes #9471
+
+Viktor Szakats (10 Sep 2022)
+
+- websockets: sync prototypes in docs with implementation [ci skip]
+
+ Docs for the new send/recv functions synced with the committed versions
+ of these.
+
+ Closes #9470
+
+Daniel Stenberg (10 Sep 2022)
+
+- setopt: make protocols2num() work with websockets
+
+ So that CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR can
+ specify those as well.
+
+ Reported-by: Patrick Monnerat
+ Bug: https://curl.se/mail/lib-2022-09/0016.html
+ Closes #9467
+
+- curl/websockets.h: remove leftover bad typedef
+
+ Just a leftover trace of a development thing that did not stay like
+ that.
+
+ Reported-by: Marc Hörsken
+ Fixes #9465
+ Cloes #9466
+
+Orgad Shaneh (10 Sep 2022)
+
+- fix Cygwin/MSYS compilation
+
+ _getpid is Windows API. On Cygwin variants it should remain getpid.
+
+ Fixes #8220
+ Closes #9255
+
+Marc Hoersken (10 Sep 2022)
+
+- GHA: prepare workflow merge by aligning structure again
+
+ Closes #9413
+
+Daniel Stenberg (9 Sep 2022)
+
+- docs: the websockets symbols are added in 7.86.0
+
+ Nothing else
+
+ Closes #9459
+
+- tests/libtest/Makefile.inc: fixup merge conflict mistake
+
+- EXPERIMENTAL.md: add WebSockets
+
+- appveyor: enable websockets
+
+- cirrus: enable websockets in the windows builds
+
+- GHA: add websockets to macos, openssl3 and hyper builds
+
+- tests: add websockets tests
+
+ - add websockets support to sws
+ - 2300: first very basic websockets test
+ - 2301: first libcurl test for ws (not working yet)
+ - 2302: use the ws callback
+ - 2303: test refused upgrade
+
+- curl_ws_meta: initial implementation
+
+- curl_ws_meta.3: added docs
+
+- ws: initial websockets support
+
+ Closes #8995
+
+- version: add ws + wss
+
+- libtest/lib1560: test basic websocket URL parsing
+
+- configure: add --enable-websockets
+
+- docs/WebSockets.md: docs
+
+- test415: verify Content-Length parser with control code + negative value
+
+- strtoofft: after space, there cannot be a control code
+
+ With the change from ISSPACE() to ISBLANK() this function no longer
+ deals with (ignores) control codes the same way, which could lead to
+ this function returning unexpected values like in the case of
+ "Content-Length: \r-12354".
+
+ Follow-up to 6f9fb7ec2d7cb389a0da5
+
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51140
+ Assisted-by: Max Dymond
+ Closes #9458
+
+- headers: reset the requests counter at transfer start
+
+ If not, reusing an easy handle to do a subsequent transfer would
+ continue the counter from the previous invoke, which then would make use
+ of the header API difficult/impossible as the request counter
+ mismatched.
+
+ Add libtest 1947 to verify.
+
+ Reported-by: Andrew Lambert
+ Fixes #9424
+ Closes #9447
+
+Jay Satiro (8 Sep 2022)
+
+- header: define public API functions as extern c
+
+ Prior to this change linker errors would occur if curl_easy_header or
+ curl_easy_nextheader was called from a C++ unit.
+
+ Bug: https://github.com/curl/curl/issues/9424#issuecomment-1238818007
+ Reported-by: Andrew Lambert
+
+ Closes https://github.com/curl/curl/pull/9446
+
+Daniel Stenberg (8 Sep 2022)
+
+- http2: make nghttp2 less picky about field whitespace
+
+ In nghttp2 1.49.0 it returns error on leading and trailing whitespace in
+ header fields according to language in the recently shipped RFC 9113.
+
+ nghttp2 1.50.0 introduces an option to switch off this strict check and
+ this change enables this option by default which should make curl behave
+ more similar to how it did with nghttp2 1.48.0 and earlier.
+
+ We might want to consider making this an option in the future.
+
+ Closes #9448
+
+- RELEASE-NOTES: synced
+
+ And bump to 7.86.0 for the pending next release
+
+Michael Heimpold (7 Sep 2022)
+
+- ftp: ignore a 550 response to MDTM
+
+ The 550 is overused as a return code for multiple error case, e.g.
+ file not found and/or insufficient permissions to access the file.
+
+ So we cannot fail hard in this case.
+
+ Adjust test 511 since we now fail later.
+ Add new test 3027 which check that when MDTM failed, but the file could
+ actually be retrieved, that in this case no filetime is provided.
+
+ Reported-by: Michael Heimpold
+ Fixes #9357
+ Closes #9387
+
+Daniel Stenberg (7 Sep 2022)
+
+- urlapi: leaner with fewer allocs
+
+ Slightly faster with more robust code. Uses fewer and smaller mallocs.
+
+ - remove two fields from the URL handle struct
+ - reduce copies and allocs
+ - use dynbuf buffers more instead of custom malloc + copies
+ - uses dynbuf to build the host name in reduces serial alloc+free within
+ the same function.
+ - move dedotdotify into urlapi.c and make it static, not strdup the input
+ and optimize it by checking for . and / before using strncmp
+ - remove a few strlen() calls
+ - add Curl_dyn_setlen() that can "trim" an existing dynbuf
+
+ Closes #9408
+
+Jay Satiro (7 Sep 2022)
+
+- setup-win32: no longer define UNICODE/_UNICODE implicitly
+
+ - If UNICODE or _UNICODE is defined but the other isn't then error
+ instead of implicitly defining it.
+
+ As Marcel pointed out it is too late at this point to make such a define
+ because Windows headers may already be included, so likely it never
+ worked. We never noticed because build systems that can make Windows
+ Unicode builds always define both. If one is defined but not the other
+ then something went wrong during the build configuration.
+
+ Bug: https://github.com/curl/curl/pull/9375#discussion_r956545272
+ Reported-by: Marcel Raad
+
+ Closes https://github.com/curl/curl/pull/9384
+
+Dan Fandrich (6 Sep 2022)
+
+- tests: fix tag syntax errors in test files
+
+Marc Hoersken (6 Sep 2022)
+
+- lib: add required Win32 setup definitions in setup-win32.h
+
+ Assisted-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+
+ Follow up to #9312
+ Closes #9375
+
+Daniel Stenberg (6 Sep 2022)
+
+- pingpong: extend the response reading error with errno
+
+ To help diagnosing the cause of the problem.
+
+ See #9380
+ Closes #9443
+
+- curl-compilers.m4: use -O2 as default optimize for clang
+
+ Not -Os
+
+ Closes #9444
+
+- tool_operate: fix msnprintfing the error message
+
+ Follow-up to 7be53774c41c59b47075fba
+
+ Coverity CID 1513717 pointed out that we cannot use sizeof() on the
+ error buffer anymore.
+
+ Closes #9440
+
+Emanuele Torre (6 Sep 2022)
+
+- curl_ctype: add space around <= operator in ISSPACE macro
+
+ Follow-up to f65f750
+
+ Closes #9441
+
+Daniel Stenberg (6 Sep 2022)
+
+- CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies
+
+ The 'protocols' listed were previously wrong.
+
+ Reported-by: ProceduralMan on github
+ Fixes #9434
+ Closes #9435
+
+- curl_ctype: convert to macros-only
+
+ This no longer provide functions, only macros. Runs faster and produces
+ smaller output.
+
+ The biggest precaution this change brings:
+
+ DO NOT use post/pre-increments when passing arguments to the macros.
+
+ Closes #9429
+
+- misc: ISSPACE() => ISBLANK()
+
+ Instances of ISSPACE() use that should rather use ISBLANK(). I think
+ somewhat carelessly used because it sounds as if it checks for space or
+ whitespace, but also includes %0a to %0d.
+
+ For parsing purposes, we should only accept what we must and not be
+ overly liberal. It leads to surprises and surprises lead to bad things.
+
+ Closes #9432
+
+- ctype: remove all use of <ctype.h>, use our own versions
+
+ Except in the test servers.
+
+ Closes #9433
+
+Marc Hoersken (5 Sep 2022)
+
+- cmake: skip superfluous hex2dec conversion using math expr
+
+ CMake seems to be able to compare two hex values just fine.
+ Also make sure CURL_TARGET_WINDOWS_VERSION is respected.
+
+ Assisted-by: Marcel Raad
+ Reviewed-by: Viktor Szakats
+ Reported-by: Keitagit-kun on github
+
+ Follow up to #9312
+ Fixes #9406
+ Closes #9411
+
+Daniel Stenberg (5 Sep 2022)
+
+- curl_easy_pause.3: unpausing is as fast as possible
+
+ Reported-by: ssdbest on github
+ Fixes #9410
+ Closes #9430
+
+- CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols
+
+ Except file.
+
+ Reported-by: ProceduralMan on github
+ Fixes #9427
+ Closes #9428
+
+- NPN: remove support for and use of
+
+ Next Protocol Negotiation is a TLS extension that was created and used
+ for agreeing to use the SPDY protocol (the precursor to HTTP/2) for
+ HTTPS. In the early days of HTTP/2, before the spec was finalized and
+ shipped, the protocol could be enabled using this extension with some
+ servers.
+
+ curl supports the NPN extension with some TLS backends since then, with
+ a command line option `--npn` and in libcurl with
+ `CURLOPT_SSL_ENABLE_NPN`.
+
+ HTTP/2 proper is made to use the ALPN (Application-Layer Protocol
+ Negotiation) extension and the NPN extension has no purposes
+ anymore. The HTTP/2 spec was published in May 2015.
+
+ Today, use of NPN in the wild should be extremely rare and most likely
+ totally extinct. Chrome removed NPN support in Chrome 51, shipped in
+ June 2016. Removed in Firefox 53, April 2017.
+
+ Closes #9307
+
+- RELEASE-NOTES: synced
+
+ and bump the tentative next release version to 7.85.1
+
+Samuel Henrique (4 Sep 2022)
+
+- configure: fail if '--without-ssl' + explicit parameter for an ssl lib
+
+ A side effect of a previous change to configure (576e507c78bdd2ec88)
+ exposed a non-critical issue that can happen if configure is called with
+ both '--without-ssl' and some parameter setting the use of a ssl library
+ (e.g. --with-gnutls). The configure script would end up assuming this is
+ a MultiSSL build, due to the way the case statement is written.
+
+ I have changed the order of the variables in the string concatenation
+ for the case statement and also tweaked the options so that
+ --without-ssl never turns the build into a MultiSSL one and also clearly
+ stating that there are conflicting parameters if the user sets it like
+ described above.
+
+ Closes #9414
+
+Daniel Stenberg (4 Sep 2022)
+
+- tests/certs/scripts: insert standard curl source headers
+
+ ... including the SPDX-License-Identifier.
+
+ These omissions were not detected by the RUEUSE CI job nor the copyright.pl
+ scanners because we have a general wildcard in .reuse/dep5 for
+ "tests/certs/*".
+
+ Reported-by: Samuel Henrique
+ Fixes #9417
+ Closes #9420
+
+Samuel Henrique (2 Sep 2022)
+
+- docs: remove mentions of deprecated '--without-openssl' config parameter
+
+ Closes #9415
+
+- manpages: Fix spelling of "allows to" -> "allows one to"
+
+ References:
+ https://salsa.debian.org/lintian/lintian/-/blob/master/tags/t/typo-in-manual
+ -page.tag
+ https://english.stackexchange.com/questions/60271/grammatical-complements-fo
+ r-allow/60285#60285
+
+ Closes #9419
+
+- CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes
+
+ Lintian (on Debian) has been complaining about this for a while but
+ I didn't bother initially as the groff parser that we use is not
+ affected by this.
+
+ But I have now noticed that the online manpage is affected by it:
+ https://curl.se/libcurl/c/CURLOPT_WILDCARDMATCH.html
+
+ (I'm using double quotes for quoting-only down below)
+
+ The section that should be parsed as "'\'" ends up being parsed as
+ "'´".
+
+ This is due to roffit not parsing "'\\'" correctly, which is fine
+ as the "correct" way of writing "'\'" is "'\e'" instead.
+
+ Note that this fix is not enough to fix the online manpage at
+ curl's website, as roffit seems to parse it wrongly either way.
+
+ My intent is to at least fix the manpage so that roffit can
+ be changed to parse "'\e'" correctly (although I suggest making
+ roffit parse both ways correctly, since that's what groff does).
+
+ More details at:
+ https://bugs.debian.org/966803
+ https://salsa.debian.org/lintian/lintian/-/blob/930b18e4b28b7540253f458ef42a
+ 884cca7965c3/tags/a/acute-accent-in-manual-page.tag
+
+ Closes #9418
+
+Daniel Stenberg (1 Sep 2022)
+
+- tool_operate: reduce errorbuffer allocs
+
+ - parallel transfers: only alloc and keep errorbuffers in memory for
+ actual "live" transfers and not for the ones in the pending queue
+
+ - serial transfers: reuse the same fixed buffer for all transfers, not
+ allocated at all.
+
+ Closes #9394
+
+Viktor Szakats (31 Aug 2022)
+
+- misc: spelling fixes
+
+ Found using codespell 2.2.1.
+
+ Also delete the redundant protocol designator from an archive.org URL.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9403
+
+Daniel Stenberg (31 Aug 2022)
+
+- tool_progress: remove 'Qd' from the parallel progress bar
+
+ The "queued" value is no longer showing anything useful to the user. It
+ is an internal number of transfers waiting at that moment.
+
+ Closes #9389
+
+- tool_operate: prevent over-queuing in parallel mode
+
+ When doing a huge amount of parallel transfers, we must not add them to
+ the per_transfer list frivolously since they all use memory after all.
+ This was previous done without really considering millions or billions
+ of transfers. Massive parallelism would use a lot of memory for no good
+ purpose.
+
+ The queue is now limited to twice the paralleism number.
+
+ This makes the 'Qd' value in the parallel progress meter mostly useless
+ for users, but works for now for us as a debug display.
+
+ Reported-by: justchen1369 on github
+ Fixes #8933
+ Closes #9389
+
+Viktor Szakats (31 Aug 2022)
+
+- cmake: fix original MinGW builds
+
+ 1. Re-enable `HAVE_GETADDRINFO` detection on Windows
+
+ Commit d08ee3c83d6bd416aef62ff844c98e47c4682429 (in 2013) added logic
+ that automatically assumed `getaddrinfo()` to be present for builds
+ with IPv6 enabled. As it turns out, certain toolchains (e.g. original
+ MinGW) by default target older Windows versions, and thus do not
+ support `getaddrinfo()` out of the box. The issue was masked for
+ a while by CMake builds forcing a newer Windows version, but that
+ logic got deleted in commit 8ba22ffb2030ed91312fc8634e29516cdf0a9761.
+ Since then, some CI builds started failing due to IPv6 enabled,
+ `HAVE_GETADDRINFO` set, but `getaddrinfo()` in fact missing.
+
+ It also turns out that IPv6 works without `getaddrinfo()` since commit
+ 67a08dca27a6a07b36c7f97252e284ca957ff1a5 (from 2019, via #4662). So,
+ to resolve all this, we can now revert the initial commit, thus
+ restoring `getaddrinfo()` detection and support IPv6 regardless of its
+ outcome.
+
+ Reported-by: Daniel Stenberg
+
+ 2. Omit `bcrypt` with original MinGW
+
+ Original (aka legacy/old) MinGW versions do not support `bcrypt`
+ (introduced with Vista). We already have logic to handle that in
+ `lib/rand.c` and autotools builds, where we do not call the
+ unsupported API and do not link `bcrypt`, respectively, when using
+ original MinGW.
+
+ This patch ports that logic to CMake, fixing the link error:
+ `c:/mingw/bin/../lib/gcc/mingw32/9.2.0/../../../../mingw32/bin/ld.exe: can
+ not find -lbcrypt`
+
+ Ref: https://ci.appveyor.com/project/curlorg/curl/builds/44624888/job/40vl
+ e84cn4vle7s0#L508
+ Regression since 76172511e7adcf720f4c77bd91f49278300ec97e
+
+ Fixes #9214
+ Fixes #9393
+ Fixes #9395
+ Closes #9396
+
+Version 7.85.0 (31 Aug 2022)
+
+Daniel Stenberg (31 Aug 2022)
+
+- RELEASE-NOTES: synced
+
+ curl 7.85.0 release
+
+- THANKS: add contributors from the 7.85.0 release
+
+- getparam: correctly clean args
+
+ Follow-up to bf7e887b2442783ab52
+
+ The previous fix for #9128 was incomplete and caused #9397.
+
+ Fixes #9397
+ Closes #9399
+
+- zuul: remove the clang-tidy job
+
+ Turns out we don't see the warnings, but the warnings right now are
+ plain ridiculous and unhelpful so we can just as well just kill this
+ job.
+
+ Closes #9390
+
+- cmake: set feature PSL if present
+
+ ... make test 1014 pass when libpsl is used.
+
+ Closes #9391
+
+- lib530: simplify realloc failure exit path
+
+ To make code analyzers happier
+
+ Closes #9392
+
+Orgad Shaneh (29 Aug 2022)
+
+- tests: add tests for netrc login/password combinations
+
+ Covers the following PRs:
+
+ - #9066
+ - #9247
+ - #9248
+
+ Closes #9256
+
+- url: really use the user provided in the url when netrc entry exists
+
+ If the user is specified as part of the URL, and the same user exists
+ in .netrc, Authorization header was not sent at all.
+
+ The user and password fields were assigned in conn->user and password
+ but the user was not assigned to data->state.aptr, which is the field
+ that is used in output_auth_headers and friends.
+
+ Fix by assigning the user also to aptr.
+
+ Amends commit d1237ac906ae7e3cd7a22c3a2d3a135a97edfbf5.
+
+ Fixes #9243
+
+- netrc: Use the password from lines without login
+
+ If netrc entry has password with empty login, use it for any username.
+
+ Example:
+ .netrc:
+ machine example.com password 123456
+
+ curl -vn http://user@example.com/
+
+ Fix it by initializing state_our_login to TRUE, and reset it only when
+ finding an entry with the same host and different login.
+
+ Closes #9248
+
+Jay Satiro (29 Aug 2022)
+
+- url: treat missing usernames in netrc as empty
+
+ - If, after parsing netrc, there is a password with no username then
+ set a blank username.
+
+ This used to be the case prior to 7d600ad (precedes 7.82). Note
+ parseurlandfillconn already does the same thing for URLs.
+
+ Reported-by: Raivis <standsed@users.noreply.github.com>
+ Testing-by: Domen Kožar
+
+ Fixes https://github.com/curl/curl/issues/8653
+ Closes #9334
+ Closes #9066
+
+Daniel Stenberg (29 Aug 2022)
+
+- test8: verify that "ctrl-byte cookies" are ignored
+
+- cookie: reject cookies with "control bytes"
+
+ Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+ Reported-by: Axel Chong
+
+ Bug: https://curl.se/docs/CVE-2022-35252.html
+
+ CVE-2022-35252
+
+ Closes #9381
+
+- libssh: ignore deprecation warnings
+
+ libssh 0.10.0 marks all SCP functions as "deprecated" which causes
+ compiler warnings and errors in our CI jobs and elsewhere. Ignore
+ deprecation warnings if 0.10.0 or later is found in the build.
+
+ If they actually remove the functions at a later point, then someone can
+ deal with that pain and functionality break then.
+
+ Fixes #9382
+ Closes #9383
+
+- Revert "schannel: when importing PFX, disable key persistence"
+
+ This reverts commit 70d010d285315e5f1cad6bdb4953e167b069b692.
+
+ Due to further reports in #9300 that indicate this commit might
+ introduce problems.
+
+- multi: use larger dns hash table for multi interface
+
+ Have curl_multi_init() use a much larger DNS hash table than used for
+ the easy interface to scale and perform better when used with _many_
+ host names.
+
+ curl_share_init() sets an in-between size.
+
+ Inspired-by: Ivan Tsybulin
+ See #9340
+ Closes #9376
+
+Marc Hoersken (28 Aug 2022)
+
+- CI/runtests.pl: add param for dedicated curl to talk to APIs
+
+ This should make it possible to also report test failures
+ if our freshly build curl binary is not fully functional.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9360
+
+Jacob Tolar (27 Aug 2022)
+
+- openssl: add cert path in error message
+
+ Closes #9349
+
+- cert.d: clarify that escape character works for file paths
+
+ Closes #9349
+
+Daniel Stenberg (27 Aug 2022)
+
+- gha: move over ngtcp2-gnutls CI job from zuul
+
+ Closes #9331
+
+Marc Hoersken (26 Aug 2022)
+
+- cmake: add detection of threadsafe feature
+
+ Avoids failing test 1014 by replicating configure checks
+ for HAVE_ATOMIC and _WIN32_WINNT with custom CMake tests.
+
+ Reviewed-by: Marcel Raad
+
+ Follow up to #8680
+ Closes #9312
+
+Daniel Stenberg (26 Aug 2022)
+
+- RELEASE-NOTES: synced
+
+Marc Hoersken (26 Aug 2022)
+
+- CI/azure: align torture shallowness with GHA
+
+ There 25 is used with FTP tests skipped, and 20 for FTP tests.
+ This should make torture tests stay within the 60min timeout.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9371
+
+- multi_wait: fix and improve Curl_poll error handling on Windows
+
+ First check for errors and return CURLM_UNRECOVERABLE_POLL
+ before moving forward and waiting on socket readiness events.
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+
+ Reported-by: Daniel Stenberg
+ Ref: #9361
+
+ Follow up to #8961
+ Closes #9372
+
+- multi_wait: fix skipping to populate revents for extra_fds
+
+ On Windows revents was not populated for extra_fds if
+ multi_wait had to wait due to the Curl_poll pre-check
+ not signalling any readiness. This commit fixes that.
+
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Jay Satiro
+
+ Closes #9361
+
+- CI/appveyor: disable TLS in msys2-native autotools builds
+
+ Schannel cannot be used from msys2-native Linux-emulated builds.
+
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Daniel Stenberg
+
+ Follow up to #9367
+ Closes #9370
+
+Jay Satiro (25 Aug 2022)
+
+- tests: fix http2 tests to use CRLF headers
+
+ Prior to this change some tests that rely on nghttpx proxy did not use
+ CRLF headers everywhere. A recent change in nghttp2, which updated its
+ version of llhttp (HTTP parser), requires curl's HTTP/1.1 test server to
+ use CRLF headers.
+
+ Ref: https://github.com/nghttp2/nghttp2/commit/9d389e8
+
+ Fixes https://github.com/curl/curl/issues/9364
+ Closes https://github.com/curl/curl/pull/9365
+
+rcombs (25 Aug 2022)
+
+- multi: use a pipe instead of a socketpair on apple platforms
+
+ Sockets may be shut down by the kernel when the app is moved to the
+ background, but pipes are not.
+
+ Removed from KNOWN_BUGS
+
+ Fixes #6132
+ Closes #9368
+
+Somnath Kundu (25 Aug 2022)
+
+- libssh2: provide symlink name in SFTP dir listing
+
+ When reading the symbolic link name for a file, we need to add the file
+ name to base path name.
+
+ Closes #9369
+
+Daniel Stenberg (25 Aug 2022)
+
+- configure: if asked to use TLS, fail if no TLS lib was detected
+
+ Previously the configure script would just warn about this fact and
+ continue with TLS disabled build which is not always helpful. TLS should
+ be explicitly disabled if that is what the user wants.
+
+ Closes #9367
+
+Dustin Howett (25 Aug 2022)
+
+- schannel: when importing PFX, disable key persistence
+
+ By default, the PFXImportCertStore API persists the key in the user's
+ key store (as though the certificate was being imported for permanent,
+ ongoing use.)
+
+ The documentation specifies that keys that are not to be persisted
+ should be imported with the flag `PKCS12_NO_PERSIST_KEY`.
+ NOTE: this flag is only supported on versions of Windows newer than XP
+ and Server 2003.
+
+ Fixes #9300
+ Closes #9363
+
+Daniel Stenberg (23 Aug 2022)
+
+- unit1303: four tests should have TRUE for 'connecting'
+
+ To match the comments.
+
+ Reported-by: Wu Zheng
+
+ See #9355
+ Closes #9356
+
+- CURLOPT_BUFFERSIZE.3: add upload buffersize to see also
+
+ Closes #9354
+
+Fabian Fischer (23 Aug 2022)
+
+- HTTP3.md: add missing autoreconf command for building with wolfssl
+
+ Closes #9353
+
+Daniel Stenberg (23 Aug 2022)
+
+- RELEASE-NOTES: synced
+
+- multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
+
+ Ẃhen it has been used in the multi interface, it is otherwise left in
+ the connection cache, can't be reused and nothing will close them since
+ the easy handle loses the association with the multi handle and thus the
+ connection cache - until the multi handle is closed or it gets pruned
+ because the cache is full.
+
+ Reported-by: Dominik Thalhammer
+ Fixes #9335
+ Closes #9342
+
+- docs/cmdline-opts: remove \& escapes from all .d files
+
+ gen.pl escapes them itself now
+
+- docs/cmdline-opts/gen.pl: encode leading single and double quotes
+
+ As "(aq" and "(dq" to prevent them from implying a meaning in the nroff
+ output. This removes the need for using \& escapes in the .d files'
+ description parts.
+
+ Closes #9352
+
+Marc Hoersken (23 Aug 2022)
+
+- tests/server/sockfilt.c: avoid race condition without a mutex
+
+ Avoid loosing any triggered handles by first aborting and joining
+ the waiting threads before evaluating the individual signal state.
+
+ This removes the race condition and therefore need for a mutex.
+
+ Closes #9023
+
+Emil Engler (22 Aug 2022)
+
+- url: output the maximum when rejecting a url
+
+ This commit changes the failf message to output the maximum length, when
+ curl refuses to process a URL because it is too long.
+
+ See: #9317
+ Closes: #9327
+
+Chris Paulson-Ellis (22 Aug 2022)
+
+- configure: fix broken m4 syntax in TLS options
+
+ Commit b589696f added lines to some shell within AC_ARG_WITH macros, but
+ inadvertently failed to move the final closing ).
+
+ Quote the script section using braces.
+
+ So, if these problems have been around for a while, how did I find them?
+ Only because I did a configure including these options:
+
+ $ ./configure --with-openssl --without-rustls
+ SSL: enabled (OpenSSL)
+
+ Closes #9344
+
+Daniel Stenberg (18 Aug 2022)
+
+- tests/data/CMakeLists: remove making the 'show' makefile target
+
+ It is not used by runtests since 3c0f462
+
+ Closes #9333
+
+- tests/data/Makefile: remove 'filecheck' target
+
+ No practical use anymore since 3c0f4622cdfd6
+
+ Closes #9332
+
+- libssh2: make atime/mtime date overflow return error
+
+ Closes #9328
+
+- libssh: make atime/mtime date overflow return error
+
+ Closes #9328
+
+- examples/curlx.c: remove
+
+ This example is a bit convoluted to use as an example, combined with the
+ special license for it makes it unsuitable.
+
+ Closes #9330
+
+Tobias Nygren (17 Aug 2022)
+
+- curl.h: include <sys/select.h> on SunOS
+
+ It is needed for fd_set to be visible to downstream consumers that use
+ <curl/multi.h>. Header is known to exist at least as far back as Solaris
+ 2.6.
+
+ Closes #9329
+
+Daniel Stenberg (17 Aug 2022)
+
+- DEPRECATE.md: push the NSS deprecation date forward one year to 2023
+
+ URL: https://curl.se/mail/lib-2022-08/0016.html
+
+- libssh2: setting atime or mtime >32bit on 4-bytes-long systems
+
+ Since the libssh2 API uses 'long' to store the timestamp, it cannot
+ transfer >32bit times on Windows and 32bit architecture builds.
+
+ Avoid nasty surprises by instead not setting such time.
+
+ Spotted by Coverity
+
+ Closes #9325
+
+- libssh: setting atime or mtime > 32bit is now just skipped
+
+ The libssh API used caps the time to an unsigned 32bit variable. Avoid
+ nasty surprises by instead not setting such time.
+
+ Spotted by Coverity.
+
+ Closes #9324
+
+Jay Satiro (16 Aug 2022)
+
+- KNOWN_BUGS: Windows Unicode builds use homedir in current locale
+
+ Bug: https://github.com/curl/curl/pull/7252
+ Reported-by: dEajL3kA@users.noreply.github.com
+
+ Ref: https://github.com/curl/curl/pull/7281
+
+ Closes https://github.com/curl/curl/pull/9305
+
+Daniel Stenberg (16 Aug 2022)
+
+- test399: switch it to use a config file instead
+
+ ... as using a 65535 bytes host name in a URL does not fit on the
+ command line on some systems - like Windows.
+
+ Reported-by: Marcel Raad
+ Fixes #9321
+ Closes #9322
+
+- RELEASE-NOTES: synced
+
+- asyn-ares: make a single alloc out of hostname + async data
+
+ This saves one alloc per name resolve and simplifies the exit path.
+
+ Closes #9310
+
+- Curl_close: call Curl_resolver_cancel to avoid memory-leak
+
+ There might be a pending (c-ares) resolve that isn't free'd up yet.
+
+ Closes #9310
+
+- asyn-thread: fix socket leak on OOM
+
+ Closes #9310
+
+- GHA: mv CI torture test from Zuul
+
+ Closes #9310
+
+- ngtcp2-wolfssl.yml: add GHA to build ngtcp2 + wolfSSL
+
+ Closes #9318
+
+- test399: verify check of too long host name
+
+- url: reject URLs with hostnames longer than 65535 bytes
+
+ It *probably* causes other problems too since DNS can't resolve such
+ long names, but the SNI field in TLS is limited to 16 bits length.
+
+ Closes #9317
+
+- curl_multi_perform.3: minor language fix
+
+ Closes #9316
+
+- ngtcp2: fix picky compiler warnings with wolfSSL for QUIC
+
+ Follow-up to 8a13be227eede2
+
+ Closes #9315
+
+- ngtcp2: remove leftover variable
+
+ Mistake leftover from my edit before push.
+
+ Follow-up from 8a13be227eede2601c2b3b
+ Reported-by: Viktor Szakats
+ Bug: https://github.com/curl/curl/pull/9290#issuecomment-1214569167
+
+Viktor Szakats (15 Aug 2022)
+
+- Makefile.m32: allow -nghttp3/-ngtcp2 without -ssl [ci skip]
+
+ Before this patch `-nghttp3`/`-ngtcp2` had an effect only when `-ssl`
+ was also enabled. `-ssl` meaning OpenSSL (and its forks). After
+ 8a13be227eede2601c2b3b1c63e08b3dc9b35dd5 nghttp3/ngtcp2 can also be
+ used together with wolfSSL. This patch adds the ability to enable
+ `-nghttp3`/`-ngtcp2` independently from `-ssl` (OpenSSL), allowing to
+ use it with wolfSSL or other, future TLS backends.
+
+ Before this patch, it was fine to enable `-nghttp3`/`-ngtcp2`
+ unconditionally. After this patch, this is no longer the case, and now
+ it's the user's responsibility to enable `-nghttp3`/`-ngtcp2` only
+ together with a compatible TLS backend.
+
+ When using a TLS backend other than OpenSSL, the TLS-specific ngtcp2
+ library must be configured manually, e.g.:
+ `export CURL_LDFLAG_EXTRAS=-lngtcp2_crypto_wolfssl`
+
+ (or via `NGTCP2_LIBS`)
+
+ Closes #9314
+
+Stefan Eissing (15 Aug 2022)
+
+- quic: add support via wolfSSL
+
+ - based on ngtcp2 PR https://github.com/ngtcp2/ngtcp2/pull/505
+ - configure adapted to build against ngtcp2 wolfssl crypto lib
+ - quic code added for creation of WOLFSSL* instances
+
+ Closes #9290
+
+David Carlier (14 Aug 2022)
+
+- memdebug: add annotation attributes
+
+ memory debug tracking annotates whether the returned pointer does not
+ `alias`, hints where the size required is, for Windows to be better
+ debugged via Visual Studio.
+
+ Closes https://github.com/curl/curl/pull/9306
+
+Daniel Stenberg (14 Aug 2022)
+
+- GHA: move libressl CI from zuul to GitHub
+
+ Closes #9309
+
+- KNOWN_BUGS: FTPS directory listing hangs on Windows with Schannel
+
+ Closes #9161
+
+- KNOWN_BUGS: CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel
+
+ Closes #8741
+
+- KNOWN_BUGS: libssh blocking and infinite loop problem
+
+ Closes #8632
+
+- RELEASE-NOTES: synced
+
+- msh3: fix the QUIC disconnect function
+
+ And free request related memory better in 'done'. Fixes a memory-leak.
+
+ Reported-by: Gisle Vanem
+ Fixes #8915
+ Closes #9304
+
+- connect: close the happy eyeballs loser connection when using QUIC
+
+ Reviewed-by: Nick Banks
+
+ Closes #9303
+
+Emil Engler (12 Aug 2022)
+
+- refactor: split resolve_server() into functions
+
+ This commit splits the branch-heavy resolve_server() function into
+ various sub-functions, in order to reduce the amount of nested
+ if/else-statements.
+
+ Beside this, it also removes many else-sequences, by returning in the
+ previous if-statement.
+
+ Closes #9283
+
+Daniel Stenberg (12 Aug 2022)
+
+- schannel: re-indent to use curl style better
+
+ Only white space changes
+
+ Closes #9301
+
+Emanuele Torre (12 Aug 2022)
+
+- docs/cmdline-opts: fix example and categories for --form-escape
+
+ The example was missing a "--form" argument
+ I also replaced "--form" with "-F" to shorten the line a bit since it
+ was already very long.
+
+ And I also moved --form-escape from the "post" category to the "upload"
+ category (this is what I originally wanted to fix, before also noticing
+ the mistake in the example).
+
+ Closes #9298
+
+Nick Banks (11 Aug 2022)
+
+- HTTP3.md: update to msh3 v0.4.0
+
+ Closes #9297
+
+Daniel Stenberg (11 Aug 2022)
+
+- hostip: resolve *.localhost to 127.0.0.1/::1
+
+ Following the footsteps of other clients like Firefox/Chrome. RFC 6761
+ says clients SHOULD do this.
+
+ Add test 389 to verify.
+
+ Reported-by: TheKnarf on github
+ Fixes #9192
+ Closes #9296
+
+Jay Satiro (11 Aug 2022)
+
+- KNOWN_BUGS: long paths are not fully supported on Windows
+
+ Bug: https://github.com/curl/curl/issues/8361
+ Reported-by: Gisle Vanem
+
+ Closes https://github.com/curl/curl/pull/9288
+
+Daniel Stenberg (11 Aug 2022)
+
+- config: remove the check for and use of SIZEOF_SHORT
+
+ shorts are 2 bytes on all platforms curl runs and have ever run on.
+
+ Closes #9291
+
+- configure: introduce CURL_SIZEOF
+
+ This is a rewrite of the previously used GPLv3+exception licensed
+ file. With this change, there is no more reference to GPL so we can
+ remove that from LICENSES/.
+
+ Ref: #9220
+ Closes #9291
+
+Sean McArthur (10 Aug 2022)
+
+- hyper: customize test1274 to how hyper unfolds headers
+
+ Closes #9217
+
+Orgad Shaneh (10 Aug 2022)
+
+- curl-config: quote directories with potential space
+
+ On Windows (at least with CMake), the default prefix is
+ C:/Program Files (x86)/CURL.
+
+ Closes #9253
+
+Oliver Roberts (10 Aug 2022)
+
+- amigaos: fix threaded resolver on AmigaOS 4.x
+
+ Replace ip4 resolution function on AmigaOS 4.x, as it requires runtime
+ feature detection and extra code to make it thread safe.
+
+ Closes #9265
+
+Emil Engler (10 Aug 2022)
+
+- imap: use ISALNUM() for alphanumeric checks
+
+ This commit replaces a self-made character check for alphanumeric
+ characters within imap_is_bchar() with the ISALNUM() macro, as it is
+ reduces the size of the code and makes the performance better, due to
+ ASCII arithmetic.
+
+ Closes #9289
+
+Daniel Stenberg (10 Aug 2022)
+
+- RELEASE-NOTES: synced
+
+Cering on github (10 Aug 2022)
+
+- connect: add quic connection information
+
+ Fixes #9286
+ Closes #9287
+
+Philip Heiduck (8 Aug 2022)
+
+- cirrus/freebsd-ci: bootstrap the pip installer
+
+ Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
+
+ Closes #9213
+
+Daniel Stenberg (8 Aug 2022)
+
+- urldata: move smaller fields down in connectdata struct
+
+ By (almost) sorting the struct fields in connectdata in a decending size
+ order, having the single char ones last, we reduce the number of holes
+ in the struct and thus the amount of storage needed.
+
+ Closes #9280
+
+- ldap: adapt to conn->port now being an 'int'
+
+ Remove typecasts. Fix printf() formats.
+
+ Follow-up from 764c6bd3bf.
+ Pointed out by Coverity CID 1507858.
+
+ Closes #9281
+
+- KNOWN_BUGS: Negotiate authentication against Hadoop HDFS
+
+ Closes #8264
+
+Oliver Roberts (8 Aug 2022)
+
+- file: add handling of native AmigaOS paths
+
+ On AmigaOS 4.x, handle native absolute paths, whilst blocking relative
+ paths. Also allow unix style paths if feature enabled at link time.
+
+ Inspiration-from: Michael Trebilcock
+
+ Closes #9259
+
+Daniel Stenberg (8 Aug 2022)
+
+- KNOWN_BUGS: cmake build is not thread-safe
+
+ The cmake build does not check for and verify presence of a working
+ Atomic type, which then makes curl_global_init() to not build
+ thread-safe on non-Windows platforms.
+
+ Closes https://github.com/curl/curl/issues/8973
+ Closes https://github.com/curl/curl/pull/8982
+
+Oliver Roberts (8 Aug 2022)
+
+- configure: fixup bsdsocket detection code for AmigaOS 4.x
+
+ The code that detects bsdsocket.library for AmigaOS did not work
+ for AmigaOS 4.x. This has been fixed and also cleaned up a little
+ to reduce duplication. Wasn't technically necessary before, but is
+ required when building with AmiSSL instead of OpenSSL.
+
+ Closes #9268
+
+- tool: reintroduce set file comment code for AmigaOS
+
+ Amiga specific code which put the URL in the file comment was perhaps
+ accidentally removed in b88940850002a3f1c25bc6488b95ad30eb80d696 having
+ originally been added in 5c215bdbdfde8b2350cdcbac82aae0c914da5314.
+ Reworked to fit the code changes and added it back in.
+
+ Reported-by: Michael Trebilcock
+ Originally-added-by: Chris Young
+
+ Closes #9258
+
+Daniel Stenberg (8 Aug 2022)
+
+- urldata: make 'negnpn' use less storage
+
+ The connectdata struct field 'negnpn' never holds a value larger than
+ 30, so an unsigned char saves 3 bytes struct space.
+
+ Closes #9279
+
+- urldata: make three *_proto struct fields smaller
+
+ Use 'unsigned char' for storage instead of the enum, for three GSSAPI
+ related fields in the connectdata struct.
+
+ Closes #9278
+
+- connect: set socktype/protocol correctly
+
+ So that an address used from the DNS cache that was previously used for
+ QUIC can be reused for TCP and vice versa.
+
+ To make this possible, set conn->transport to "unix" for unix domain
+ connections ... and store the transport struct field in an unsigned char
+ to use less space.
+
+ Reported-by: ウさん
+ Fixes #9274
+ Closes #9276
+
+Oliver Roberts (8 Aug 2022)
+
+- amissl: allow AmiSSL to be used with AmigaOS 4.x builds
+
+ Enable AmiSSL to be used instead of static OpenSSL link libraries.
+ for AmigaOS 4.x, as it already is in the AmigaOS 3.x build.
+
+ Closes #9269
+
+opensignature on github (8 Aug 2022)
+
+- openssl: add details to "unable to set client certificate" error
+
+ from: "curl: (58) unable to set client certificate"
+
+ to: curl: (58) unable to set client certificate [error:0A00018F:SSL
+ routines::ee key too small]
+
+ Closes #9228
+
+Oliver Roberts (8 Aug 2022)
+
+- amissl: make AmiSSL v5 a minimum requirement
+
+ AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0.
+ Support for previous OpenSSL 1.1.x versions has been dropped, so
+ makes sense to enforce v5 as the minimum requirement. This also
+ allows all the AmiSSL stub workarounds to be removed as they are
+ now provided in a link library in the AmiSSL SDK.
+
+ Closes #9267
+
+- configure: -pthread not available on AmigaOS 4.x
+
+ The most recent GCC builds for AmigaOS 4.x do not allow -pthread and
+ exit with an error. Instead, need to explictly specify -lpthread.
+
+ Closes #9266
+
+Daniel Stenberg (8 Aug 2022)
+
+- digest: pass over leading spaces in qop values
+
+ When parsing the "qop=" parameter of the digest authentication, and the
+ value is provided within quotes, the list of values can have leading
+ white space which the parser previously did not handle correctly.
+
+ Add test case 388 to verify.
+
+ Reported-by: vlubart on github
+ Fixes #9264
+ Closes #9270
+
+Evgeny Grin (Karlson2k) (7 Aug 2022)
+
+- digest: reject broken header with session protocol but without qop
+
+ Closes #9077
+
+Daniel Stenberg (7 Aug 2022)
+
+- CURLINFO_SPEED_UPLOAD/DOWNLOAD.3: fix examples
+
+ Reported-by: jvvprasad78 on github
+ Assisted-by: Jay Satiro
+ Fixes #9239
+ Closes #9241
+
+Fabian Keil (7 Aug 2022)
+
+- test44[2-4]: add '--resolve' to the keywords
+
+ ... so the tests can be automatically skipped when
+ using an external proxy like Privoxy.
+
+ Closes #9250
+
+Daniel Stenberg (7 Aug 2022)
+
+- RELEASE-NOTES: synced
+
+- CURLOPT_CONNECT_ONLY.3: clarify multi API use
+
+ Reported-by: Maxim Ivanov
+ Fixes #9244
+ Closes #9262
+
+Andrew Lambert (6 Aug 2022)
+
+- curl_easy_header: Add CURLH_PSEUDO to sanity check
+
+ Fixes #9235
+ Closes #9236
+
+Emil Engler (6 Aug 2022)
+
+- docs: add dns category to --resolve
+
+ This commit adds the dns category to the --resolve command line option,
+ because it can be interpreted as both: a low-level connection option and
+ an option related to the resolving of a hostname.
+
+ It is also not common for dns options to belong to the connection
+ category and vice versa. --ipv4 and --ipv6 are both good examples.
+
+ Closes #9229
+
+Wyatt O'Day (2 Aug 2022)
+
+- schannel: Add TLS 1.3 support
+
+ - Support TLS 1.3 as the default max TLS version for Windows Server 2022
+ and Windows 11.
+
+ - Support specifying TLS 1.3 ciphers via existing option
+ CURLOPT_TLS13_CIPHERS (tool: --tls13-ciphers).
+
+ Closes https://github.com/curl/curl/pull/8419
+
+Emil Engler (2 Aug 2022)
+
+- cmdline-opts/gen.pl: improve performance
+
+ On some systems, the gen.pl script takes nearly two minutes for the
+ generation of the main-page, which is a completely unacceptable time.
+
+ The slow performance has two causes:
+ 1. Use of a regex locale operator
+ 2. Useless invokations of loops
+
+ The commit addresses the first issue by replacing the "\W" wiht
+ [^a-zA-Z0-9_], which is, according to regex101.com, functionally
+ equivalent to the previous operation, except that it is obviously
+ limited to ASCII only, which is fine, as the curl project is
+ English-only anyway.
+
+ The second issue is being addressed by only running the loop if the line
+ contains a "--" in it. The loop may be completeley removed in the
+ future.
+
+ Co-authored-by: Emanuele Torre <torreemanuele6@gmail.com>
+
+ See #8299
+ Fixes #9230
+ Closes #9232
+
+Daniel Stenberg (2 Aug 2022)
+
+- docs/cmdline: mark fail and fail-with-body as mutually exclusive
+
+ Reported-by: Andreas Sommer
+ Fixes #9221
+ Closes #9222
+
+Nao Yonashiro (2 Aug 2022)
+
+- quiche: fix build failure
+
+ Reviewed-by: Alessandro Ghedini
+ Closes #9223
+
+Viktor Szakats (2 Aug 2022)
+
+- configure.ac: drop references to deleted functions
+
+ follow-up from 4d73854462f30948acab12984b611e9e33ee41e6
+
+ Reported-by: Oliver Roberts
+ Fixes #9238
+ Closes #9240
+
+Sean McArthur (28 Jul 2022)
+
+- hyper: enable obs-folded multiline headers
+
+ Closes #9216
+
+Daniel Stenberg (28 Jul 2022)
+
+- connect: revert the use of IP*_RECVERR
+
+ The options were added in #6341 and d13179d, but cause problems: Lots of
+ POLLIN event occurs but recvfrom read nothing.
+
+ Reported-by: Tatsuhiro Tsujikawa
+ Fixes #9209
+ Closes #9215
+
+Marco Kamner (27 Jul 2022)
+
+- docs: remove him/her/he/she from documentation
+
+ Closes #9208
+
+Daniel Stenberg (27 Jul 2022)
+
+- RELEASE-NOTES: synced
+
+- tool_getparam: make --doh-url "" switch it off
+
+ A possible future addition could be to parse the URL first too to verify
+ that it is valid before trying to use it.
+
+ Assisted-by: Jay Satiro
+ Closes #9207
+
+- mailmap: add rzrymiak on github
+
+Jay Satiro (26 Jul 2022)
+
+- ngtcp2: Fix build error due to change in nghttp3 prototypes
+
+ ngtcp2/nghttp3@4a066b2 changed nghttp3_conn_block_stream and
+ nghttp3_conn_shutdown_stream_write return from int to void.
+
+ Reported-by: jurisuk@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/9204
+ Closes https://github.com/curl/curl/pull/9200
+
+rzrymiak on github (26 Jul 2022)
+
+- BUGS.md: improve language
+
+ Closes #9205
+
+Philip Heiduck (26 Jul 2022)
+
+- cirrus.yml: replace py38-pip with py39-pip
+
+ Reported-by: Jay Satiro
+ Fixes #9201
+ Closes #9202
+
+Daniel Stenberg (25 Jul 2022)
+
+- tool_getparam: fix cleanarg() for unicode builds
+
+ Use the correct type, and make cleanarg an empty macro if the cleaning
+ ability is absent.
+
+ Fixes #9195
+ Closes #9196
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+
+Marc Hoersken (25 Jul 2022)
+
+- test3026: add support for Windows using native Win32 threads
+
+ Reviewed-by: Viktor Szakats
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+
+ Follow up to 7ade9c50b35d95d47a43880c3097bebab7a7e690
+ Closes #9012
+
+Evgeny Grin (Karlson2k) (25 Jul 2022)
+
+- digest: fix memory leak, fix not quoted 'opaque'
+
+ Fix leak regression introduced by 3a6fe0c.
+
+ Closes https://github.com/curl/curl/pull/9199
+
+Daniel Stenberg (23 Jul 2022)
+
+- tests: several enumerated type cleanups
+
+ To please icc
+
+ Closes #9179
+
+- tool_paramhlp: fix "enumerated type mixed with another type"
+
+ Warning by icc
+
+ Closes #9179
+
+- tool_writeout: fix enumerated type mixed with another type
+
+ Closes #9179
+
+- tool_cfgable: make 'synthetic_error' a plain bool
+
+ The specific reason was not used.
+
+ Closes #9179
+
+- tool_paramhlp: make check_protocol return ParameterError
+
+ "enumerated type mixed with another type"
+
+ Closes #9179
+
+- tool_formparse: fix variable may be used before its value is set
+
+ Warning by icc
+
+ Closes #9179
+
+- sendf: skip storing HTTP headers if HTTP disabled
+
+ Closes #9179
+
+- url: enumerated type mixed with another type
+
+ Follow-up to 1c58e7ae99ce2030213f28b
+
+ Closes #9179
+
+- urldata: change second proxytype field to unsigned char to match
+
+ To avoid "enumerated type mixed with another type"
+
+ Closes #9179
+
+- http: typecast the httpreq assignment to avoid icc compiler warning
+
+ error #188: enumerated type mixed with another type
+
+ Closes #9179
+
+- urldata: make state.httpreq an unsigned char
+
+ To match set.method used for the same purpose.
+
+ Closes #9179
+
+- splay: avoid using -1 in unsigned variable
+
+ To fix icc compiler warning integer conversion resulted in a change of sign
+
+ Closes #9179
+
+- sendf: store the header type in an usigned char to avoid icc warnings
+
+ Closes #9179
+
+- multi: fix the return code from Curl_pgrsDone()
+
+ It does not return a CURLcode. Detected by the icc compiler warning
+ "enumerated type mixed with another type"
+
+ Closes #9179
+
+- sendf: make Curl_debug a void function
+
+ As virtually no called checked the return code, and those that did
+ wrongly treated it as a CURLcode. Detected by the icc compiler warning:
+ enumerated type mixed with another type
+
+ Closes #9179
+
+- http_chunks: remove an assign + typecast
+
+ As it caused icc to complain: "pointer cast involving 64-bit pointed-to
+ type"
+
+ Closes #9179
+
+- vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
+
+ To fix the icc warning enumerated type mixed with another type
+
+ Closes #9179
+
+- curl-compilers.m4: make icc use -diag* options and disable two warnings
+
+ -wd and -we are deprecated and are now -diag-disable and -diag-error
+
+ Disable warning 1024 and 2259
+
+ Closes #9179
+
+Matthew Thompson (23 Jul 2022)
+
+- GHA: add two Intel compiler CI jobs
+
+ Closes #9179
+
+Daniel Katz (21 Jul 2022)
+
+- curl-functions.m4: check whether atomics can link rather than just compile
+
+ Some build toolchains support C11 atomics (i.e., _Atomic types), but
+ will not link the associated atomics runtime unless a flag is passed. In
+ such an environment, linking an application with libcurl.a can fail due
+ to undefined symbols for atomic load/store functions.
+
+ I encountered this behavior when upgrading curl to 7.84.0 and attempting
+ to build with Solaris Studio 12.6. Solaris provides the flag
+ -xatomic=[gcc | studio], allowing users to link to one of two atomics
+ runtime implementations. However, if the user does not provide this
+ flag, then neither runtime is linked. This led to builds failing in CI.
+
+ Closes #9190
+
+Rosen Penev (20 Jul 2022)
+
+- curl-wolfssl.m4: add options header when building test code
+
+ Needed for certain configurations of wolfSSL. Otherwise, missing header
+ error may occur.
+
+ Tested with OpenWrt.
+
+ Closes #9187
+
+Daniel Stenberg (20 Jul 2022)
+
+- ftp: use a correct expire ID for timer expiry
+
+ This was an accurate error pointed out by the icc warning: enumerated
+ type mixed with another type
+
+ Ref: #9179
+ Closes #9184
+
+- sendf: fix paused header writes since after the header API
+
+ Regression since d1e4a67
+
+ Reported-by: Sergey Ogryzkov
+ Fixes #9180
+ Closes #9182
+
+- mprintf: fix *dyn_vprintf() when out-of-memory
+
+ Follow-up to 0e48ac1f99a. Torture-testing 1455 would lead to a memory
+ leak otherwise.
+
+ Closes #9185
+
+- curl-confopts: remove leftover AC_REQUIREs
+
+ configure.ac:3488: warning: CURL_CHECK_FUNC_IOCTL is m4_require'd but not m4_
+ defun'd
+ configure.ac:3488: warning: CURL_CHECK_FUNC_SETSOCKOPT is m4_require'd but no
+ t m4_defun'd
+
+ follow-up from 4d73854462f30
+
+ Closes #9183
+
+- file: fix icc enumerated type mixed with another type warning
+
+ Ref: #9179
+ Closes #9181
+
+Viktor Szakats (19 Jul 2022)
+
+- tidy-up: delete unused build configuration macros
+
+ Most of them feature guards:
+
+ - `CURL_INCLUDES_SYS_UIO` [1]
+ - `HAVE_ALLOCA_H` [2]
+ - `HAVE_CRYPTO_CLEANUP_ALL_EX_DATA` (unused since de71e68000c8624ea13f90b136f
+ 8734dd0fb1bdc)
+ - `HAVE_DLFCN_H`
+ - `HAVE_DLOPEN`
+ - `HAVE_DOPRNT`
+ - `HAVE_FCNTL`
+ - `HAVE_GETHOSTBYNAME` [3]
+ - `HAVE_GETOPT_H`
+ - `HAVE_GETPASS`
+ - `HAVE_GETPROTOBYNAME`
+ - `HAVE_GETSERVBYNAME`
+ - `HAVE_IDN_FREE*`
+ - `HAVE_INET_ADDR`
+ - `HAVE_IOCTL`
+ - `HAVE_KRB4`
+ - `HAVE_KRB_GET_OUR_IP_FOR_REALM`
+ - `HAVE_KRB_H`
+ - `HAVE_LDAPSSL_H`
+ - `HAVE_LDAP_INIT_FD`
+ - `HAVE_LIBDL`
+ - `HAVE_LIBNSL`
+ - `HAVE_LIBRESOLV*`
+ - `HAVE_LIBUCB`
+ - `HAVE_LL`
+ - `HAVE_LOCALTIME_R`
+ - `HAVE_MALLOC_H`
+ - `HAVE_MEMCPY`
+ - `HAVE_MEMORY_H`
+ - `HAVE_NETINET_IF_ETHER_H`
+ - `HAVE_NI_WITHSCOPEID`
+ - `HAVE_OPENSSL_CRYPTO_H`
+ - `HAVE_OPENSSL_ERR_H`
+ - `HAVE_OPENSSL_PEM_H`
+ - `HAVE_OPENSSL_PKCS12_H`
+ - `HAVE_OPENSSL_RAND_H`
+ - `HAVE_OPENSSL_RSA_H`
+ - `HAVE_OPENSSL_SSL_H`
+ - `HAVE_OPENSSL_X509_H`
+ - `HAVE_PEM_H`
+ - `HAVE_POLL`
+ - `HAVE_RAND_SCREEN`
+ - `HAVE_RAND_STATUS`
+ - `HAVE_RECVFROM`
+ - `HAVE_SETSOCKOPT`
+ - `HAVE_SETVBUF`
+ - `HAVE_SIZEOF_LONG_DOUBLE`
+ - `HAVE_SOCKIO_H`
+ - `HAVE_SOCK_OPTS`
+ - `HAVE_STDIO_H`
+ - `HAVE_STRCASESTR`
+ - `HAVE_STRFTIME`
+ - `HAVE_STRLCAT`
+ - `HAVE_STRNCMPI`
+ - `HAVE_STRNICMP`
+ - `HAVE_STRSTR`
+ - `HAVE_STRUCT_IN6_ADDR`
+ - `HAVE_TLD_H`
+ - `HAVE_TLD_STRERROR`
+ - `HAVE_UNAME`
+ - `HAVE_USLEEP`
+ - `HAVE_WINBER_H`
+ - `HAVE_WRITEV`
+ - `HAVE_X509_H`
+ - `LT_OBJDIR`
+ - `NEED_BASENAME_PROTO`
+ - `NOT_NEED_LIBNSL`
+ - `OPENSSL_NO_KRB5`
+ - `RECVFROM_TYPE*`
+ - `SIZEOF_LONG_DOUBLE`
+ - `STRERROR_R_TYPE_ARG3`
+ - `USE_YASSLEMUL`
+ - `_USRDLL` (from CMake) [4]
+
+ [1] Related parts in `m4/curl-functions.m4` and `configure.ac` might
+ also be deleted.
+
+ [2] Related comment can possibly be deleted in
+ `packages/vms/generate_config_vms_h_curl.com`.
+
+ [3] There are more instances of this in autotools, but I did not dare to
+ touch those. Looked like it's used to detect socket support.
+
+ [4] This is necessary for MFC (Microsoft Foundation Class) DLLs to
+ force linking MFC components statically to the DLL. `libcurl.dll`
+ does not use MFC, so we can delete this define.
+ Ref: https://docs.microsoft.com/cpp/build/regular-dlls-statically-linked-
+ to-mfc
+
+ Script that can help finding unused settings like above:
+ ```shell
+
+ autoheader configure.ac # generate lib/curl_config.h.in
+
+ {
+ grep -o -E 'set\([A-Z][A-Z0-9_]{3,}' CMake/Platforms/WindowsCac
+ he.cmake | sed -E 's|set\(||g'
+ grep -o -E -h '#define +[A-Z][A-Z0-9_]{3,}' lib/config-*.h
+ | sed -E 's|#define +||g'
+ grep -o -E '#cmakedefine +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.cmake
+ | sed -E 's|#cmakedefine +||g'
+ grep -o -E '#undef +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.in
+ | sed -E 's|#undef +||g'
+ } | sort -u | grep -v -F 'HEADER_CURL_' | while read -r def; do
+ c="$(git grep -w -F "${def}" | grep -v -E -c '(/libcurl\.tmpl|^lib/config-|
+ ^lib/curl_config\.h\.cmake|^CMakeLists\.txt|^CMake/Platforms/WindowsCache\.cm
+ ake|^packages/vms/config_h\.com|^m4/curl-functions\.m4|^acinclude\.m4|^config
+ ure\.ac)')"
+ if [ "${c}" = '0' ]; then
+ echo "${def}"
+ fi
+ done
+ ```
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9044
+
+Daniel Stenberg (19 Jul 2022)
+
+- RELEASE-NOTES: synced
+
+- cookie: treat a blank domain in Set-Cookie: as non-existing
+
+ This matches what RFC 6265 section 5.2.3 says.
+
+ Extended test 31 to verify.
+
+ Fixes #9164
+ Reported-by: Gwen Shapira
+ Closes #9177
+
+Patrick Monnerat (19 Jul 2022)
+
+- base64: base64url encoding has no padding
+
+ See RFC4648 section 5 and RFC7540 section 3.2.1.
+
+ Suppress generation of '=' padding of base64url encoding. This is
+ accomplished by considering the string beginning at offset 64 in the
+ character table as the padding: this is "=" for base64, "" for base64url.
+
+ Also use strchr() to replace character search loops where possible.
+
+ Suppress erroneous comments about empty encoding results.
+
+ Adjust unit test 1302 to unpadded base64url encoding and add tests for
+ empty results.
+
+ Closes #9139
+
+Daniel Stenberg (19 Jul 2022)
+
+- easyoptions: fix icc warning
+
+ easyoptions.c(360): error #188: enumerated type mixed with another type
+
+ Ref: #9156
+ Reported-by: Matthew Thompson
+ Closes #9176
+
+lwthiker (19 Jul 2022)
+
+- h2h3: fix overriding the 'TE: Trailers' header
+
+ A 'TE: Trailers' header is explicitly replaced by 'te: trailers'
+ (lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or
+ HTTP/3 headers. However, this is then replaced again by the original
+ value due to a bug, resulting in the uppercased version being sent. Some
+ HTTP/2 servers reject the whole HTTP/2 stream when this is the case.
+
+ Closes #9170
+
+Daniel Stenberg (18 Jul 2022)
+
+- lib3026: reduce the number of threads to 100
+
+ Down from 1000, to make it run and work in more systems.
+
+ Fixes #9172
+ Reported-by: Érico Nogueira Rolim
+ Closes #9173
+
+- doh: move doh related struct definitions to doh.h
+
+ and make 'dnstype' in 'struct dnsprobe' use the DNStype to fix the icc compil
+ er warning:
+
+ doh.c(924): error #188: enumerated type mixed with another type
+
+ Reported-by: Matthew Thompson
+ Ref #9156
+ Closes #9174
+
+Viktor Szakats (17 Jul 2022)
+
+- Makefile.m32: stop trying to build libcares.a [ci skip]
+
+ Before this patch, `lib/Makefile.m32` had a rule to build `libcares.a` in
+ `-cares`-enabled builds, via c-ares's own `Makefile.m32`. Committed in
+ 2007 [1]. The commit message doesn't specifically address this particular
+ change. This logic comes from the times when c-ares was part of the curl
+ source tree, hence the special treatment.
+
+ This feature creates problems when building c-ares first, using CMake
+ and pointing `LIBCARES_PATH` to its install prefix, where `Makefile.m32`
+ is missing in such case. A sub-build for c-ares is undesired also when
+ c-ares had already been build via its own `Makefile.m32`.
+
+ To avoid the sub-build, this patch deletes its Makefile rule. After this
+ patch `libcares.a` needs to be manually built before using it in
+ `Makefile.m32`. Aligning it with the rest of dependencies.
+
+ [1] 46c92c0b806da041d7a5c6fb64dbcdc474d99b31
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9169
+
+Daniel Stenberg (17 Jul 2022)
+
+- curl: writeout: fix repeated header outputs
+
+ The function stored a terminating zero into the buffer for convenience,
+ but when on repeated calls that would cause problems. Starting now, the
+ passed in buffer is not modified.
+
+ Reported-by: highmtworks on github
+ Fixes #9150
+ Closes #9152
+
+- curl_multi_timeout.3: clarify usage
+
+ Fixes #9155
+ Closes #9157
+ Reported-by: jvvprasad78 on github
+
+- mprintf: make dprintf_formatf never return negative
+
+ This function no longer returns a negative value if the formatting
+ string is bad since the return value would sometimes be propagated as a
+ return code from the mprintf* functions and they are documented to
+ return the length of the output. Which cannot be negative.
+
+ Fixes #9149
+ Closes #9151
+ Reported-by: yiyuaner on github
+
+Viktor Szakats (17 Jul 2022)
+
+- trace: 0x7F character is non-printable
+
+ `0x7F` is `DEL`, a non-printable symbol, so print it as
+ `UNPRINTABLE_CHAR`.
+
+ Reported-by: MasterInQuestion on github
+ Fixes #9162
+ Closes #9166
+
+- doh: use https protocol by default
+
+ The only allowed protocol is https, so it makes sense to use that
+ by default if not passed explicitly by the user.
+
+ Reported-by: MasterInQuestion on github
+ Reviewed-by: Jay Satiro
+ Fixes #9163
+ Closes #9165
+
+- openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
+
+ Same issue as here [1], but this time when building curl with BoringSSL
+ for Windows with LDAP(S) or Schannel support enabled.
+
+ Apply the same fix [2] for these source files as well.
+
+ This can also be fixed by moving `#include "urldata.h"` _before_
+ including `winldap.h` and `schnlsp.h` respectively. This seems like
+ a cleaner fix, though I'm not sure why it works and if it has any
+ downside.
+
+ [1] https://github.com/curl/curl/issues/5669
+ [2] https://github.com/curl/curl/commit/fbe07c6829ba8c5793c84c2856526e19e9029
+ ab9
+
+ Co-authored-by: Jay Satiro
+ Closes #9110
+
+Daniel Stenberg (13 Jul 2022)
+
+- asyn-thread: make getaddrinfo_complete return CURLcode
+
+ ... as the only caller that cares about what it returns assumes that
+ anyway. This caused icc to warn:
+
+ asyn-thread.c(505): error #188: enumerated type mixed with another type
+ result = getaddrinfo_complete(data);
+
+ Repoorted-by: Matthew Thompson
+ Bug: https://github.com/curl/curl/issues/9081#issuecomment-1182143076
+ Closes #9146
+
+- easy_lock: fix build with icc
+
+ The Intel compiler tries to look like GCC *and* clang *and* it lies in
+ its __has_builtin() function (returns true when it should return false),
+ so override it.
+
+ Reported-by: Matthew Thompson
+ Fixes #9081
+ Closes #9144
+
+- configure: fix --disable-headers-api
+
+ Reported-by: Michał Antoniak
+ Fixes #9134
+ Closes #9143
+
+- test3026: require 'threadsafe'
+
+ Reported-by: Sukanya Hanumanthu
+ Fixes #9141
+ Closes #9142
+
+Even Rouault (12 Jul 2022)
+
+- CMake: link curl to its dependencies with PRIVATE
+
+ The current PUBLIC visibility causes issues for downstream users.
+ Cf https://github.com/OSGeo/PROJ/pull/3172#issuecomment-1157942986
+
+ Reviewed-by: Jakub Zakrzewski
+ Closes #9125
+
+- CMake: remove APPEND in export(TARGETS)
+
+ When running cmake several times, new content was appended to already
+ existing generated files, which is not appropriate
+
+ Reviewed-by: Jakub Zakrzewski
+ Closes #9124
+
+Tatsuhiro Tsujikawa (12 Jul 2022)
+
+- ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
+
+ Closes #9135
+
+Daniel Stenberg (11 Jul 2022)
+
+- RELEASE-NOTES: synced
+
+Viktor Szakats (11 Jul 2022)
+
+- build: improve OS string in CMake and `config-win32.h`
+
+ This patch makes CMake fill the "OS string" with the value of
+ `CMAKE_C_COMPILER_TARGET`, if passed. This typically contains a triplet,
+ the same we can pass to `./configure` via `--host=`.
+
+ For non-CMake, non-autotools, Windows builds, this patch adds the ability
+ to override the default `OS` value in `lib/config-win32.h`.
+
+ With these its possible to get the same OS string across the three build
+ systems.
+
+ This patch supersedes the earlier, partial, CMake-only solution:
+ 435f395f3f8c11eebfcc243ca55ebcc11a19b8b8, thus retiring the
+ `CURL_OS_SUFFIX` CMake option.
+
+ Reviewed-by: Jay Satiro
+ Closes #9117
+
+- Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip]
+
+ They allow to override the hardcoded values for the `windres` and `strip`
+ tools, complementing the existing set of `CURL_{CC,AR,RANLIB}` variables.
+
+ `CURL_RC` comes handy when using LLVM tools with `CROSSPREFIX=llvm-` and
+ `CURL_CC=clang` set on current latest debian:unstable or earlier, where
+ `llvm-windres` is missing, and a `CURL_RC=<triplet>-windres` fixes it.
+ Hopefully this will be fixed in the llvm package. FWIW `llvm-windres`
+ does exist in Homebrew llvm, MSYS2 llvm and llvm-mingw.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9132
+
+Tatsuhiro Tsujikawa (10 Jul 2022)
+
+- ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
+
+ Fixes #9122
+ Closes #9123
+
+Xiaoke Wang (10 Jul 2022)
+
+- tool_operate: better cleanup of easy handle in exit path
+
+ Closes #9114
+
+- getinfo: return better error on NULL as first argument
+
+ Closes #9114
+
+Daniel Stenberg (10 Jul 2022)
+
+- tool_getparam: repair cleanarg
+
+ Regression since 9e5669f.
+
+ Make sure the "cleaning" of command line arguments is done on the
+ original argv[] pointers. As a bonus, it also exits better on out of
+ memory error.
+
+ Reported-by: Litter White
+ Fixes #9128
+ Closes #9130
+
+Jay Satiro (10 Jul 2022)
+
+- docs: explain curl_easy_escape/unescape curl handle is ignored
+
+ 26101421 (precedes 7.82.0) removed character conversion support used by
+ very old legacy operating systems and since then the curl handle passed
+ to curl_easy_escape/unescape is always ignored.
+
+ Bug: https://github.com/curl/curl/discussions/9115
+ Reported-by: Ted Lyngmo
+
+ Closes https://github.com/curl/curl/pull/9121
+
+Viktor Szakats (8 Jul 2022)
+
+- openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL
+
+ BoringSSL doesn't keep a version number, and doesn't self-identify itself
+ via any other revision number via its own headers. We can identify
+ BoringSSL revisions by their commit hash. This hash is typically known by
+ the builder. This patch adds a way to pass this hash to libcurl, so that
+ it can display in the curl version string:
+
+ For example:
+
+ `CFLAGS=-DCURL_BORINGSSL_VERSION="c239ffd0"`
+
+ ```
+ curl 7.84.0 (x86_64-w64-mingw32) libcurl/7.84.0 BoringSSL/c239ffd0 (Schannel)
+ zlib/1.2.12 [...]
+ Release-Date: 2022-06-27
+ Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps
+ mqtt pop3 [...]
+ Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv
+ 6 Kerberos [...]
+ ```
+
+ The setting is optional, and if not passed, BoringSSL will appear without
+ a version number, like before this patch.
+
+ Closes #9113
+
+Jay Satiro (8 Jul 2022)
+
+- escape: remove outdated comment
+
+ Bug: https://github.com/curl/curl/discussions/9115
+ Reported-by: Ted Lyngmo
+
+Tatsuhiro Tsujikawa (8 Jul 2022)
+
+- ngtcp2: Fix missing initialization of nghttp3_nv.flags
+
+ Closes https://github.com/curl/curl/pull/9118
+
+Brad Forschinger (6 Jul 2022)
+
+- netrc.d: remove spurious quote
+
+ Closes #9111
+
+Viktor Szakats (6 Jul 2022)
+
+- Makefile.m32: add `NGTCP2_LIBS` option [ci skip]
+
+ Makefile.m32's ngtcp2 has its two libs hardwired for OpenSSL.
+ Add `NGTCP2_LIBS` envvar to override them with a custom list,
+ making it possible to use BoringSSL, or any other backend.
+
+ Closes #9109
+
+Evgeny Grin (Karlson2k) (6 Jul 2022)
+
+- digest: fix missing increment of 'nc' value for auth-int
+
+ - Increment nc regardless of qop type.
+
+ Prior to this change nc was only incremented for qop type auth even
+ though libcurl sends nc with any qop.
+
+ Closes https://github.com/curl/curl/pull/9090
+
+Daniel Stenberg (5 Jul 2022)
+
+- RELEASE-NOTES: synced
+
+ Bumped to 7.85.0
+
+- urldata: reduce size of four ftp related members
+
+ ftp_filemethod, ftpsslauth and ftp_ccc are now uchars
+
+ accepttimeout is now unsigned int - almost 50 days ought to be enough
+ for this value.
+
+ Closes #9106
+
+- urldata: reduce three type-members from int to uchar
+
+ - timecondition
+ - proxytype
+ - method
+
+ ... previously used their enum type in the struct, which made them
+ unnecesarily large.
+
+ Closes #9105
+
+- CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name
+
+ Starting now, CURLOPT_FTP_RESPONSE_TIMEOUT is the alias instead of the
+ other way around.
+
+ Since 7.20.0, CURLOPT_SERVER_RESPONSE_TIMEOUT has existed as an alias
+ but since the option is for more protocols than FTP the more "correct"
+ version of the option is the "server" one so now we switch.
+
+ Closes #9104
+
+- urldata: make 'ftp_create_missing_dirs' a uchar
+
+ It only ever holds the values 0-2.
+
+ Closes #9103
+
+Don J Olmstead (5 Jul 2022)
+
+- cmake: support ngtcp2 boringssl backend
+
+ Update the ngtcp2 find module to detect the boringssl backend. Determine
+ if the underlying OpenSSL implementation is BoringSSL and if so use that
+ as the ngtcp2 backend.
+
+ Reviewed-by: Jakub Zakrzewski
+ Closes #9065
+
+Daniel Stenberg (5 Jul 2022)
+
+- urldata: change 4 timeouts to unsigned int from long
+
+ They're not used for that long times anyway, 32 bit milliseconds is long
+ enough.
+
+ Closes #9101
+
+- urldata: make 'use_netrc' a uchar
+
+ Closes #9102
+
+- urldata: make 'buffer_size' an unsigned int
+
+ It is already capped at READBUFFER_MAX which fits easily in 32 bits.
+
+ Closes #9098
+
+- urldata: remove the unused 'rtspversion' struct member
+
+ Closes #9100
+
+- urldata: make 'use_port' an usigned short
+
+ ... instead of a long. It is already enforced to not attempt to set any
+ value outside of 16 bits unsigned.
+
+ Closes #9099
+
+- urldata: store dns cache timeout in an int
+
+ 68 years ought to be enough for most.
+
+ Closes #9097
+
+- curl: proto2num: make sure obuf is inited
+
+ Detected by Coverity. CID 1507052.
+
+ Closes #9096
+
+- cookie: use %zu to infof() for size_t values
+
+ Detected by Coverity. CID 1507051
+ Closes #9095
+
+Viktor Szakats (4 Jul 2022)
+
+- makefile.m32: add support for custom ARCH [ci skip]
+
+ When building curl for target platform other than x64 and x86, it is now
+ possible to pass `ARCH=custom`, that will omit all hardcoded logic for
+ setting up CFLAGS/LDFLAGS/RCFLAGS for these platforms, and let these be
+ customized via `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, and a newly
+ added one for the resource compiler: `CURL_RCFLAG_EXTRAS`.
+
+ This makes it possible to use `makefile.m32` to build for ARM64 for
+ example.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9092
+
+- cmake: do not force Windows target versions
+
+ The goal of this patch is to avoid CMake forcing specific Windows
+ versions and rely on toolchain defaults or manual selection instead.
+ This gives back control to the user. This also brings CMake closer to
+ how autotools and `Makefile.m32` behaves in this regard.
+
+ - CMake had a setting `ENABLE_INET_PTON` defaulting to `ON`, which did
+ nothing else than fixing the Windows build target to Vista. This also
+ happened when the toolchain did not have Vista support (e.g. original
+ MinGW), breaking such builds.
+
+ In other environments it did not make a user-facing difference,
+ because libcurl has its own pton() implementation, so it works well
+ with or without Vista's inet_pton().
+
+ This patch drops this setting. inet_pton() is now used whenever
+ building for Vista or newer, either when requested manually or by
+ default with modern toolchains (e.g. mingw-w64). Older envs will fall
+ back to curl's pton().
+
+ Ref: https://github.com/curl/curl/pull/9027#issuecomment-1164157604
+ Ref: https://github.com/curl/curl/pull/8997#issuecomment-1164344155
+
+ - When the user did no select a Windows target version manually, stop
+ explicitly targeting Windows XP, and instead use the toolchain default.
+
+ This may pose an issue with old toolchains defaulting to pre-XP
+ targets. In such case you must manually target Windows XP via:
+ `-DCURL_TARGET_WINDOWS_VERSION=0x0501`
+ or
+ `-DCMAKE_C_FLAGS=-D_WIN32_WINNT=0x0501`
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+ Closes #9046
+
+- windows: improve random source
+
+ - Use the Windows API to seed the fallback random generator.
+
+ This ensures to always have a random seed, even when libcurl is built
+ with a vtls backend lacking a random generator API, such as rustls
+ (experimental), GSKit and certain mbedTLS builds, or, when libcurl is
+ built without a TLS backend. We reuse the Windows-specific random
+ function from the Schannel backend.
+
+ - Implement support for `BCryptGenRandom()` [1] on Windows, as a
+ replacement for the deprecated `CryptGenRandom()` [2] function.
+
+ It is used as the secure random generator for Schannel, and also to
+ provide entropy for libcurl's fallback random generator. The new
+ function is supported on Vista and newer via its `bcrypt.dll`. It is
+ used automatically when building for supported versions. It also works
+ in UWP apps (the old function did not).
+
+ - Clear entropy buffer before calling the Windows random generator.
+
+ This avoids using arbitrary application memory as entropy (with
+ `CryptGenRandom()`) and makes sure to return in a predictable state
+ when an API call fails.
+
+ [1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenra
+ ndom
+ [2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptge
+ nrandom
+
+ Closes #9027
+
+Daniel Stenberg (4 Jul 2022)
+
+- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
+
+ ... as replacements for deprecated CURLOPT_PROTOCOLS and
+ CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the
+ 32 bit limit the old ones are facing.
+
+ CURLINFO_PROTCOOL is now deprecated.
+
+ The curl tool is updated to use the new options.
+
+ Added test 1597 to verify the libcurl protocol parser.
+
+ Closes #8992
+
+- digest: simplify a switch() to a simple if
+
+- digest: provide a special bit for "sess" algos
+
+ Also shortened the names and moved them to the .c file since they are
+ private for this source file only. Also made them #defines instead of
+ enum.
+
+ Closes #9079
+
+Thomas Weißschuh (4 Jul 2022)
+
+- select: do not return fatal error on EINTR from poll()
+
+ The same was done for select() in 5912da25 but poll() was missed.
+
+ Bug: https://bugs.archlinux.org/task/75201
+ Reported-by: Alexandre Bury (gyscos at archlinux)
+
+ Ref: https://github.com/curl/curl/issues/8921
+ Ref: https://github.com/curl/curl/pull/8961
+ Ref: https://github.com/curl/curl/commit/5912da25#r77584294
+
+ Closes https://github.com/curl/curl/pull/9091
+
+Kai Pastor (3 Jul 2022)
+
+- cmake: fix build for mingw cross compile
+
+ - Change normaliz lib name to all lowercase.
+
+ This is from a standing patch in vcpkg:
+ Mingw has libnormaliz.a. For case-sensitive file systems (e.g. cross
+ builds from Linux), the spelling must match exactly.
+
+ Closes https://github.com/curl/curl/pull/9084
+
+Jay Satiro (2 Jul 2022)
+
+- easy_lock: fix build for mingw
+
+ - Define SRWLOCK symbols missing in some mingw environments.
+
+ Closes https://github.com/curl/curl/pull/8997
+
+Daniel Stenberg (2 Jul 2022)
+
+- tool_progress: avoid division by zero in parallel progress meter
+
+ Reported-by: Brian Carpenter
+ Fixes #9082
+ Closes #9083
+
+- http_aws_sigv4.c: remove two unusued includes
+
+ Closes #9080
+
+- .mailmap: additional edit
+
+ Follow-up to 861e2a8aca6c7 so that Evgeny appears with the same in git
+ logs even when using old email.
+
+- RELEASE-NOTES: synced
+
+ bumped to 7.84.1
+
+Evgeny Grin (Karlson2k) (1 Jul 2022)
+
+- .mailmap: updated
+
+- THANKS: merged two entries for Evgeny Grin
+
+ Also updated THANKS-filter file
+
+ Closes #9076
+
+Jilayne Lovejoy (1 Jul 2022)
+
+- lib/curl_path.c: add ISC to license expression
+
+ THe text of the ISC license is in this file, so the SPDX license
+ expression should be updated
+
+ Closes #9073
+
+Sean McArthur (30 Jun 2022)
+
+- hyper: use wakers for curl pause/resume
+
+ Closes #9070
+
+Viktor Szakats (30 Jun 2022)
+
+- Makefile.m32: do not set the libcurl.rc debug flag [ci skip]
+
+ Delete `-DDEBUGBUILD=0` windres option. This was likely meant to
+ disable VS_FF_DEBUG in FILEFLAGS, but any assigned value enabled
+ it instead. Delete this unnecessary option and thus sync up with
+ how CMake compiles libcurl.rc by default.
+
+ Reviewed-by: Jay Satiro
+ Closes #9069
+
+Daniel Stenberg (29 Jun 2022)
+
+- curl.h: CURLE_CONV_FAILED is obsoleted
+
+ The last use was removed in 7.82.0. Updated some docs too to reflect the
+ current error code situation.
+
+ Closes #9067
+
+- curl: output warning when a cookie is dropped due to size
+
+ Dropped from the request, that is.
+
+ Closes #9064
+
+- curl_mime_data.3: polish the wording
+
+ Closes #9063
+
+- configure: check for the stdatomic.h header in configure
+
+ ... and only set HAVE_ATOMIC if that header exists since we use
+ typedefes set in it.
+
+ Reported-by: Ryan Schmidt
+ Fixes #9059
+ Closes #9060
+
+- easy_lock: fix the #ifdef conditional for ia32_pause
+
+ To work better with new and old clang compilers.
+
+ Reported-by: Ryan Schmidt
+ Assisted-by: Joshua Root
+
+ Fixes #9058
+ Closes #9062
+
+- easy_lock: switch to using atomic_int instead of bool
+
+ To work with more compilers without requiring separate libs to
+ link. Like with gcc-12 for RISC-V on Linux.
+
+ Reported-by: Adam Sampson
+ Fixes #9055
+ Closes #9061
+
+vvb2060 (28 Jun 2022)
+
+- ngtcp2: fix incompatible function pointer types
+
+ Closes #9056
+
+- easy_lock.h: use __asm__ instead of asm to fix build
+
+ Closes #9056
+
+Samuel Henrique (27 Jun 2022)
+
+- libcurl-security.3: fix typo on macro "SH_"
+
+ During the packaging of the latest curl release for Debian, Lintian
+ warned me about a typo which causes the section name "Secrets in memory"
+ to not be rendered in the manpage due to "SH_" not being recognized as a
+ header.
+
+ Closes #9057
+
+Daniel Stenberg (27 Jun 2022)
+
+- easy_lock.h: include sched.h if available to fix build
+
+ Patched-by: Harry Sintonen
+
+ Closes #9054
+
+Version 7.84.0 (27 Jun 2022)
+
+Daniel Stenberg (27 Jun 2022)
+
+- RELEASE-NOTES: synced
+
+ Version 7.84.0 release
+
+- THANKS: contributors from 7.84.0 release notes
+
+- hsts: use Curl_fopen()
+
+- altsvc: use Curl_fopen()
+
+- fopen: add Curl_fopen() for better overwriting of files
+
+ Bug: https://curl.se/docs/CVE-2022-32207.html
+ CVE-2022-32207
+ Reported-by: Harry Sintonen
+ Closes #9050
+
+- test444: test many received Set-Cookie:
+
+ The amount of sent cookies in the test is limited to 80 because hyper
+ has its own strict limits in how many headers it allows to be received
+ which triggers at some point beyond this number.
+
+- test442/443: test cookie caps
+
+ 442 - verify that only 150 cookies are sent
+ 443 - verify that the cookie: header remains less than 8K in size
+
+- cookie: apply limits
+
+ - Send no more than 150 cookies per request
+ - Cap the max length used for a cookie: header to 8K
+ - Cap the max number of received Set-Cookie: headers to 50
+
+ Bug: https://curl.se/docs/CVE-2022-32205.html
+ CVE-2022-32205
+ Reported-by: Harry Sintonen
+ Closes #9048
+
+- test387: verify rejection of compression chain attack
+
+- content_encoding: return error on too many compression steps
+
+ The max allowed steps is arbitrarily set to 5.
+
+ Bug: https://curl.se/docs/CVE-2022-32206.html
+ CVE-2022-32206
+ Reported-by: Harry Sintonen
+ Closes #9049
+
+- krb5: return error properly on decode errors
+
+ Bug: https://curl.se/docs/CVE-2022-32208.html
+ CVE-2022-32208
+ Reported-by: Harry Sintonen
+ Closes #9051
+
+- easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro
+
+ clang 14 warns about its use. It is being deprecated by the working
+ group for the programming language C: "The macro ATOMIC_VAR_INIT is
+ basically useless for the purpose for which it was designed"
+
+ Ref: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2886.htm
+
+ Reported-by: Tatsuhiro Tsujikawa
+ Fixes #9041
+ Closes #9042
+
+Stefan Eissing (23 Jun 2022)
+
+- ngtcp2: avoid supplying 0 length `msg_control` to sendmsg()
+
+ Testing on macOS 12.4, sendmsg() fails with EINVAL when a msg_control
+ buffer is provided in sengmsg(), even though msg_controllen was set to
+ 0.
+
+ Initialize msg.msg_controllen just as needed and also perform the size
+ assertion only when needed.
+
+ Closes #9039
+
+Tom Eccles (23 Jun 2022)
+
+- ftp: restore protocol state after http proxy CONNECT
+
+ connect_init() (lib/http_proxy.c) swaps out the protocol state while
+ working on the proxy connection, this is then restored by
+ Curl_connect_done() after the connection completes.
+
+ ftp_do_more() extracted the protocol state pointer to a local variable
+ at the start of the function then calls Curl_proxy_connect(). If the proxy
+ connection completes, Curl_proxy_connect() will call Curl_connect_done()
+ (via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp
+ protocol state instead of the http proxy protocol state, but the local
+ variable in ftp_do_more still pointed to the old value.
+
+ Ultimately this meant that the state worked on by ftp_do_more() was the
+ http proxy state not the ftp state initialised by ftp_connect(), but
+ subsequent calls to any ftp_ function would use the original state.
+
+ For my use-case, the visible consequence was that ftp->downloadsize was
+ never set and so downloaded data was never returned to the application.
+
+ This commit updates the ftp protocol state pointer in ftp_do_more() after
+ Curl_proxy_connect() returns, ensuring that the correct state pointer is
+ used.
+
+ Fixes #8737
+ Closes #9043
+
+Jay Satiro (23 Jun 2022)
+
+- THANKS: add contributor missing from aea8ac1
+
+ aea8ac1 fixed #8980 which was reported by Sgharat on github, but that
+ info was not included in the commit message.
+
+- curl_setup: include _mingw.h
+
+ Prior to this change _mingw.h needed to be included in each unit before
+ evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It
+ is included only in some mingw headers (eg stdio.h) and not others
+ (eg windows.h) so it's better to explicitly include it once.
+
+ Closes https://github.com/curl/curl/pull/9036
+
+Viktor Szakats (22 Jun 2022)
+
+- rand: stop detecting /dev/urandom in cross-builds
+
+ - Prevent CMake to auto-detect /dev/urandom when cross-building.
+ Before this patch, it would detect it in a cross-build scenario on *nix
+ hosts with this device present. This was a problem for example with
+ Windows builds, but it could affect any target system with this device
+ missing. This also syncs detection behaviour with autotools, which also
+ skips it for cross-builds.
+ - Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's
+ fallback random number generator on Windows. Windows does not have the
+ concept of reading a random stream from a filename, nor any guaranteed
+ non-world-writable path on disk. With this, a manual misconfiguration or
+ an overeager auto-detection can no longer result in a user-controllable
+ seed source.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9038
+
+Emanuele Torre (22 Jun 2022)
+
+- ci: avoid `cmake -Hpath`
+
+ This is an undocumented option similar to the `-Spath' option introduced
+ in cmake 3.13.
+ Replace all instances of `-Hpath' with `-Spath' in macos workflow.
+ Replace `-H. -Bpath' with `mkdir path; cd ./path; cmake ..' in zuul
+ scripts since it runs an older version of cmake.
+
+ Fixes #9008
+ Closes #9014
+
+Daniel Stenberg (22 Jun 2022)
+
+- INTERNALS: bring back the "Library symbols" section
+
+ Most contents was moved, but this text should remain here.
+
+ Follow-up to: d324ac8
+ Reported-by: Viktor Szakats
+ Bug: https://github.com/curl/curl/pull/9027#discussion_r903382326
+ Closes #9037
+
+Viktor Szakats (22 Jun 2022)
+
+- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
+
+ Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows
+ XP when the `-ipv6` option is selected. Maybe this was added to support
+ pre-XP Windows versions (?). These days libcurl builds fine for both XP
+ and post-XP versions with IPv6 support enabled. The relevance of pre-XP
+ version is also low by now. Other build methods also do not impose such
+ limitation for a similar configuration. So, drop this hard-wired
+ `_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default
+ Windows version set by the compiler. This is Vista for recent MinGW
+ versions.
+
+ Old behaviour can be restored by setting this envvar:
+ export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501
+
+ [1] 98a61d8e2e8982786aaf3916cbbcac96838316e7
+
+ Closes #9035
+
+Daniel Stenberg (21 Jun 2022)
+
+- CONTRIBUTE: mention how we maintain REUSE compliance
+
+ for copyright and license information of all files stored in git
+
+ Closes #9032
+
+- CURLOPT_ALTSVC.3: document the file format
+
+ Closes #9033
+
+Jay Satiro (21 Jun 2022)
+
+- runtests: add "threadsafe" to detected features
+
+ Follow-up to recent commits which added thread-safety support.
+
+ Bug: https://github.com/curl/curl/pull/9012#discussion_r902018782
+ Reported-by: Marc Hörsken
+
+ Closes https://github.com/curl/curl/pull/9030
+
+Daniel Stenberg (20 Jun 2022)
+
+- easy: remove dead code
+
+ Follow-up from 5912da253b64d
+
+ Detected by Coverity (CID 1506519)
+
+ Closes #9029
+
+Glenn Strauss (20 Jun 2022)
+
+- transfer: upload performance; avoid tiny send
+
+ Append to the upload buffer when only small amount remains in buffer
+ rather than performing a separate tiny send to empty buffer.
+
+ Avoid degenerative upload behavior which might cause curl to send mostly
+ 1-byte DATA frames after exhausing the h2 send window size
+
+ Related discussion: https://github.com/nghttp2/nghttp2/issues/1722
+
+ Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+ Closes #8965
+
+Steve Holme (20 Jun 2022)
+
+- projects: fix third-party SSL library build paths for Visual Studio
+
+ The paths used by the build batch files were inconsistent with those in
+ the Visual Studio project files.
+
+ Closes #8991
+
+Pierrick Charron (20 Jun 2022)
+
+- urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
+
+ As per the documentation :
+
+ > Setting a part to a NULL pointer will effectively remove that
+ > part's contents from the CURLU handle.
+
+ But currently clearing CURLUPART_URL does nothing and returns
+ CURLUE_OK. This change will clear all parts of the URL at once.
+
+ Closes #9028
+
+Philip Heiduck (18 Jun 2022)
+
+- CI: bump FreeBSD 13.0 to 13.1
+
+ Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
+ Closes #8815
+
+Daniel Stenberg (18 Jun 2022)
+
+- RELEASE-NOTES: synced
+
+ and updated release date in RELEASE-PROCEDURE.md
+
+divinity76 (17 Jun 2022)
+
+- CURLOPT_HTTPHEADER.3: improve comment in example
+
+ Closes #9025
+
+Marc Hoersken (16 Jun 2022)
+
+- CI/azure: reduce flakiness by retrying install/prepare steps
+
+ Closes #9010
+
+- CI/cirrus: align Windows timeout with Azure CI at 120 minutes
+
+ Closes #9009
+
+Jay Satiro (16 Jun 2022)
+
+- vtls: make curl_global_sslset thread-safe
+
+ .. and update some docs to explain curl_global_* is now thread-safe.
+
+ Follow-up to 23af112 which made curl_global_init/cleanup thread-safe.
+
+ Closes https://github.com/curl/curl/pull/9016
+
+- curl_easy_pause.3: remove explanation of progress function
+
+ - Remove misleading text that says progress function "gets called at
+ least once per second, even if the connection is paused."
+
+ The progress function behavior is more nuanced and the user is better
+ served reading the progress function doc rather than attempt to explain
+ it in the curl_easy_pause doc.
+
+ The progress function can only be called at least once per second if an
+ appropriate multi transfer function is called (eg curl_multi_perform) in
+ that time. For a paused transfer there may not be such a call. Rather
+ than explain this in detail in the curl_easy_pause doc, rely on the user
+ reading the CURLOPT_PROGRESSFUNCTION doc.
+
+ Ref: https://github.com/curl/curl/issues/8983
+
+ Closes https://github.com/curl/curl/pull/9015
+
+Daniel Stenberg (15 Jun 2022)
+
+- libssh: skip the fake-close when libssh does the right thing
+
+ Starting in libssh 0.10.0 ssh_disconnect() will no longer close our
+ socket. Instead it will be kept alive as we want it, and it is our
+ responsibility to close it later.
+
+ Ref: #8718
+ Ref: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/240
+ Closes #9021
+
+- configure: warn about rustls being experimental
+
+ Right now a dozen test cases are disabled because they don't work with
+ rustls.
+
+ Closes #9019
+
+- runtests: skip starting the ssh server if user name is lacking
+
+ Because the ssh server startup script *requires* a user name there's no
+ point in invoking it if no name was found.
+
+ Reported-by: Ricardo M. Correia
+ Ref: #9007
+ Closes #9013
+
+- copyright.pl: parse and use .reuse/dep5 for skips
+
+ Also scan skipped files to be able to find superfluous ignores, shown with -v
+ .
+
+ Closes #9006
+
+- reuse/dep5: adjusted to parse better
+
+ ... adjusted a few files to contain copyright and license info.
+
+ Closes #9006
+
+- buildconf.bat: update copyright year range
+
+ Closes #9006
+
+- README.md: use the common "Copyright" style formatting
+
+ Closes #9006
+
+- reuse: move license info from .mailmap.license to .reuse/dep5
+
+ Closes #9006
+
+- README.md: add a REUSE badge
+
+ Closes #9004
+
+- .reuse/dep5: remove recursive docs ignore, only skip markdown files
+
+ ... and some additional non-markdown individual files in docs/
+
+ Closes #9005
+
+- docs/cmdline-opts: add copyright and license identifier to each file
+
+ gen.pl now insists on C: and SPDX-License-Identifier: fields to be
+ present in all files.
+
+ Closes #9002
+
+- copyright: info for/ignore .github/ISSUE_TEMPLATE/bug_report.md
+
+ Follow-up from 448f7ef9ab2afb7. The adding of the copyright text in that
+ file broke site functionality.
+
+ Closes #9001
+
+- bug_report.md: revert the REUSE template to see if it works again
+
+Viktor Szakats (13 Jun 2022)
+
+- version: rename threadsafe-init to threadsafe
+
+ Referring to Daniel's article [1], making the init function thread-safe
+ was the last bit to make libcurl thread-safe as a whole. So the name of
+ the feature may as well be the more concise 'threadsafe', also telling
+ the story that libcurl is now fully thread-safe, not just its init
+ function. Chances are high that libcurl wants to remain so in the
+ future, so there is little likelihood of ever needing any other distinct
+ `threadsafe-<name>` feature flags.
+
+ For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to
+ `CURL_VERSION_THREADSAFE`, update its description and reference libcurl's
+ thread safety documentation.
+
+ [1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-s
+ afe/
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Jay Satiro
+ Closes #8989
+
+Daniel Stenberg (13 Jun 2022)
+
+- test3026: disable on win32
+
+ ... as it's not likely to have working pthreads
+
+ Closes #8996
+
+- GHA: shorten the reuse CI job name
+
+ "REUSE compliance / check" should be good enough
+
+ Closes #9000
+
+- misc: add missing SPDX-License-Identifier info
+
+ For some reason the REUSE CI job did not find these.
+
+ Closes #8999
+
+- copyright: verify SPDX-License-Identifier presence as well
+
+- easy_lock: add SPDX license identifier
+
+ Closes #8998
+
+- mailmap: Max Mehl
+
+Max Mehl (13 Jun 2022)
+
+- git: ignore large commit making the curl REUSE compliant
+
+- copyright: make repository REUSE compliant
+
+ Add licensing and copyright information for all files in this repository. Thi
+ s
+ either happens in the file itself as a comment header or in the file
+ `.reuse/dep5`.
+
+ This commit also adds a Github workflow to check pull requests and adapts
+ copyright.pl to the changes.
+
+ Closes #8869
+
+Daniel Stenberg (12 Jun 2022)
+
+- curl_url_set.3: clarify by default using known schemes only
+
+ Closes #8994
+
+- scripts/copyright.pl: ignore leading spaces
+
+Viktor Szakats (10 Jun 2022)
+
+- ngtcp2: fix typo in preprocessor condition
+
+ Ref: 927ede7edcb7b05b8e8bbf9ced6aed523ae594a7
+
+ Bug: https://github.com/curl/curl/pull/8981#discussion_r894312185
+ Reported-by: Emil Engler
+ Closes #8987
+
+Daniel Stenberg (10 Jun 2022)
+
+- RELEASE-NOTES: synced
+
+Tatsuhiro Tsujikawa (10 Jun 2022)
+
+- ngtcp2: build without sendmsg
+
+ Closes #8981
+
+- ngtcp2: use handshake helper funcs to simplify TLS handshake integration
+
+ Closes #8968
+
+Daniel Stenberg (10 Jun 2022)
+
+- test390: verify --parallel
+
+ Closes #8985
+
+- test1543: verify CURLINFO_EFFECTIVE_URL with CURLOPT_CURLU set
+
+ Triggered by a bug report from Adam Light:
+ https://curl.se/mail/lib-2022-06/0013.html - which ended up being mostly
+ a misunderstanding of how CURLINFO_EFFECTIVE_URL works.
+
+ Closes #8971
+
+- url: URL encode the path when extracted, if spaces were set
+
+- urlapi: support CURLU_URLENCODE for curl_url_get()
+
+- server/sws: support spaces in the HTTP request path
+
+- tests/getpart: fix getpartattr to work with "data" and "data2"
+
+- select: return error from "lethal" poll/select errors
+
+ Adds two new error codes: CURLE_UNRECOVERABLE_POLL and
+ CURLM_UNRECOVERABLE_POLL one each for the easy and the multi interfaces.
+
+ Reported-by: Harry Sintonen
+ Fixes #8921
+ Closes #8961
+
+- test3026: add missing control file
+
+ Follow-up from 2ed101256414ea5
+
+ Makes the test run, makes 'make dist' work
+
+ This single test takes 24-25 seconds on my machine (with valgrind). For
+ this reason I tag it with a "slow" keyword.
+
+ Closes #8976
+
+- runtests: fix skipping tests not done event-based
+
+ ... and call timestampskippedevents() to avoid the flood of
+ uninitialized variable warnings.
+
+ Closes #8977
+
+- transfer: maintain --path-as-is after redirects
+
+ Reported-by: Marcus T
+ Fixes #8974
+ Closes #8975
+
+- test391: verify --path-as-is with redirect
+
+Jay Satiro (8 Jun 2022)
+
+- curl_global_init.3: Separate the Windows loader lock warning
+
+ This is a slight correction of the parent commit which implied the
+ loader lock warning only applied if not thread-safe. In fact the loader
+ lock warning applies either way.
+
+ Ref: https://github.com/curl/curl/pull/8972#discussion_r891987030
+
+Daniel Stenberg (8 Jun 2022)
+
+- curl_global_init.3: this is now (usually) thread-safe
+
+ Follow-up to 23af112f5556
+
+ Closes #8972
+
+Haxatron (8 Jun 2022)
+
+- libcurl-security.3: Document CRLF header injection
+
+ - Document that user input to header options is not sanitized, which
+ could result in CRLF used to modify the request in a way other than
+ what was intended.
+
+ Ref: https://hackerone.com/reports/1589877
+ Ref: https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0
+ d7cfe545
+
+ Closes https://github.com/curl/curl/pull/8964
+
+Jay Satiro (8 Jun 2022)
+
+- CURLOPT_RANGE.3: remove ranged upload advice
+
+ The e-mail link in the advice contains instructions that are prone to
+ error. We need an example that works and can demonstrate how to properly
+ perform a ranged upload, and then we can refer to that example instead.
+
+ Bug: https://github.com/curl/curl/issues/8969
+ Reported-by: Simon Berger
+
+ Closes https://github.com/curl/curl/pull/8970
+
+Thomas Guillem (7 Jun 2022)
+
+- curl_version_info: add CURL_VERSION_THREADSAFE_INIT
+
+ This flag can be used to make sure that curl_global_init() is
+ thread-safe.
+
+ This can be useful for libraries that can't control what other
+ dependencies are doing with Curl.
+
+ Closes #8680
+
+- lib: make curl_global_init() threadsafe when possible
+
+ Use a posix pthread or a Windows SRWLOCK to lock curl_global_init*() and
+ curl_global_cleanup().
+
+ Closes #8680
+
+Daniel Stenberg (6 Jun 2022)
+
+- RELEASE-NOTES: synced
+
+Fabian Keil (6 Jun 2022)
+
+- test414: add the '--resolve' keyword
+
+ ... so the test can be automatically skipped when
+ using an external proxy like Privoxy.
+
+ Closes #8959
+
+- test{440,441,493,977}: add "HTTP proxy" keywords
+
+ ... so the tests can be automatically skipped when
+ using an external proxy like Privoxy.
+
+ Closes #8959
+
+- runtests.pl: add the --repeat parameter to the --help output
+
+ Closes #8959
+
+- test 2081: add a valid reply for the second request
+
+ ... so the test works when using a HTTP proxy like
+ Privoxy that sends an error message if the server
+ doesn't send data.
+
+ Closes #8959
+
+- test 675: add missing CR so the test passes when run through Privoxy
+
+ Closes #8959
+
+Daniel Stenberg (6 Jun 2022)
+
+- ftp: when failing to do a secure GSSAPI login, fail hard
+
+ ... instead of switching to cleartext. For the sake of security.
+
+ Reported-by: Harry Sintonen
+ Bug: https://hackerone.com/reports/1590102
+ Closes #8963
+
+- http2: reject overly many push-promise headers
+
+ Getting more than a thousand of them is rather a sign of some kind of
+ attack.
+
+ Reported-by: Harry Sintonen
+ Bug: https://hackerone.com/reports/1589847
+ Closes #8962
+
+Fabian Keil (5 Jun 2022)
+
+- misc: spelling improvements
+
+ Closes #8956
+
+Tatsuhiro Tsujikawa (5 Jun 2022)
+
+- ngtcp2: fix assertion failure on EMSGSIZE
+
+ Closes #8958
+
+Daniel Stenberg (2 Jun 2022)
+
+- easy/transfer: fix cookie-disabled build
+
+ Follow-up from 45de940cebf6a
+ Reported-by: Marcel Raad
+ Fixes #8953
+ Closes #8954
+
+- examples/crawler.c: use the curl license
+
+ With permission from Jeroen Ooms
+
+ URL: https://github.com/curl/curl/pull/8869#issuecomment-1144742731
+ Closes #8950
+
+- speed-limit/time.d: mention these affect transfers in either direction
+
+ Reported-by: Ladar Levison
+ Fixes #8948
+ Closes #8951
+
+- scripts/copyright.pl: fix the exclusion to not ignore man pages
+
+ Ref: #8869
+ Closes #8952
+
+- examples: remove fopen.c and rtsp.c
+
+ To simplify the license situation, as they were the only files in the
+ source tree using these specific BSD-3 clause licenses.
+
+ For an fopen style API, we recommend instead going
+ https://github.com/curl/fcurl
+
+ Ref: #8869
+ Closes #8949
+
+Wolf Vollprecht (2 Jun 2022)
+
+- netrc: check %USERPROFILE% as well on Windows
+
+ Closes #8855
+
+Daniel Stenberg (2 Jun 2022)
+
+- CURLOPT_SSH_HOSTKEYDATA/FUNCTION.3: minor polish
+
+Michael Musset (2 Jun 2022)
+
+- libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
+
+ The callback set by CURLOPT_SSH_HOSTKEYFUNCTION is called to check
+ wether or not the connection should continue.
+
+ The host key is passed in argument with a custom handle for the
+ application.
+
+ It overrides CURLOPT_SSH_KNOWNHOSTS
+
+ Closes #7959
+
+Daniel Stenberg (2 Jun 2022)
+
+- docs/CONTRIBUTE.md: document the 'needs-votes' concept
+
+ A pull request sent to the project might get labeled `needs-votes` by a
+ project maintainer. This label means that in addition to meeting all
+ other checks and qualifications this pull request must also receive
+ proven support/thumbs-ups from more community members to be considered
+ for merging.
+
+ Closes #8910
+
+Evgeny Grin (Karlson2k) (2 Jun 2022)
+
+- digest: tolerate missing "realm"
+
+ Server headers may not define "realm", avoid NULL pointer dereference
+ in such cases.
+
+ Closes #8912
+
+- digest: added detection of more syntax error in server headers
+
+ Invalid headers should not be processed otherwise they may create
+ a security risk.
+
+ Closes #8912
+
+- digest: unquote realm and nonce before processing
+
+ RFC 7616 (and 2617) requires values to be "unquoted" before used for
+ digest calculations. The only place where unquoting can be done
+ correctly is header parsing function (realm="DOMAIN\\host" and
+ realm=DOMAN\\host are different realms).
+
+ This commit adds unquoting (de-escaping) of all values during header
+ parsing and quoting of the values during header forming. This approach
+ should be most straightforward and easy to read/maintain as all values
+ are processed in the same way as required by RFC.
+
+ Closes #8912
+
+Daniel Stenberg (1 Jun 2022)
+
+- headers: handle unfold of space-cleansed headers
+
+ Detected by OSS-fuzz
+
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47767
+
+ Updated test 1274
+
+ Closes #8947
+
+- lib: make more protocol specific struct fields #ifdefed
+
+ ... so that they don't take up space if the protocols are disabled in
+ the build.
+
+ Closes #8944
+
+- DISABLED: disable 1021 for hyper again
+
+ due to flakiness in the CI builds
+
+- urldata: store tcp_keepidle and tcp_keepintvl as ints
+
+ They can't be set larger than INT_MAX in the setsocket API calls.
+
+ Also document the max values in their respective man pages.
+
+ Closes #8940
+
+- urldata: reduce size of a few struct fields
+
+ When the values are never larger than 32 bit, ints are better than longs.
+
+ Closes #8940
+
+- urldata: remove three unused booleans from struct UserDefined
+
+ - is_fwrite_set
+ - free_referer
+ - strip_path_slash
+
+ Closes #8940
+
+- remote-name.d: mention --output-dir
+
+ plus add two see-alsos
+
+ Closes #8945
+
+Jay Satiro (1 Jun 2022)
+
+- configure: skip libidn2 detection when winidn is used
+
+ Prior to this change --with-winidn could be overridden by libidn2
+ detection.
+
+ Closes https://github.com/curl/curl/pull/8934
+
+Daniel Stenberg (31 May 2022)
+
+- CURLOPT_FILETIME.3: fix the protocols this works with
+
+- test681: verify --no-remote-name
+
+ Follow-up to 83ee5c428d960 (from #8931)
+
+ Closes #8942
+
+Tatsuhiro Tsujikawa (31 May 2022)
+
+- ngtcp2: enable Linux GSO
+
+ Enable Linux GSO in ngtcp2 QUIC. In order to recover from the
+ EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write,
+ packet buffer is now held by struct quicsocket. GSO write might fail in
+ runtime depending on NIC. Disable GSO if sendmsg returns EIO.
+
+ Closes #8909
+
+Daniel Stenberg (31 May 2022)
+
+- CURLOPT_PORT.3: We discourage using this option
+
+ Closes #8941
+
+- RELEASE-NOTES: synced
+
+- headers_push: error out if a folded header has no previous header
+
+ As that would indicate an illegal header. The fuzzer reached the assert
+ in unfold_value() proving that this case can happen.
+
+ Follow-up to c9b60f005358a364
+
+ Closes #8939
+
+Boris Verkhovskiy (31 May 2022)
+
+- curl: re-enable --no-remote-name
+
+ Closes #8931
+
+Daniel Stenberg (31 May 2022)
+
+- test680: require 'http' since it uses such a URL
+
+ Follow-up to d1b376c03524
+
+- CURLOPT_NETRC.3: document the .netrc file format
+
+- test680: verify rejection of malformatted .netrc quoted password
+
+- test679: verify netrc quoted string
+
+- netrc: support quoted strings
+
+ The .netrc parser now accepts strings within double-quotes in order to
+ deal with for example passwords containing white space - which
+ previously was not possible.
+
+ A password that starts with a double-quote also ends with one, and
+ double-quotes themselves are escaped with backslashes, like \". It also
+ supports \n, \r and \t for newline, carriage return and tabs
+ respectively.
+
+ If the password does not start with a double quote, it will end at first
+ white space and no escaping is performed.
+
+ WARNING: this change is not entirely backwards compatible. If anyone
+ previously used a double-quote as the first letter of their password,
+ the parser will now get it differently compared to before. This is
+ highly unfortunate but hard to avoid.
+
+ Reported-by: ImpatientHippo on GitHub
+ Fixes #8908
+ Closes #8937
+
+- curl_getdate.3: document that some illegal dates pass through
+
+ Closes #8938
+
+- CI: remove configure --enable-headers-api flags
+
+- headers api: remove EXPERIMENTAL tag
+
+ Closes #8900
+
+Daniel Gustafsson (30 May 2022)
+
+- cookies: fix documentation comment
+
+ Commit 4073cd83b2 added the noexpire parameter to Curl_cookie_add but
+ missed updating the documentation comment at the head of the file.
+
+Marc Hoersken (30 May 2022)
+
+- tests/data/test1940: use binary mode for expected stdout
+
+ The generated stdout data is written in binary mode with [LF]
+ line endings, therefore we also need to do a binary comparison.
+
+ Assisted-by: Jay Satiro
+ Assisted-by: Daniel Stenberg
+
+ Follow up to c9b60f005358a364cbcddbebd8d12593acffdd84
+ Fixes #8920
+ Closes #8936
+
+Daniel Stenberg (29 May 2022)
+
+- CURLINFO_CAINFO/PATH.3: clarify the multiple TLS situation
+
+ Spell out the multi-TLS situation.
+
+ Reported-by: Dan Fandrich
+ Fixes #8926
+ Closes #8932
+
+JustAnotherArchivist (28 May 2022)
+
+- tool_getparam: fix --parallel-max maximum value constraint
+
+ - Clamp --parallel-max to MAX_PARALLEL (300) instead of resetting to
+ default value.
+
+ Previously, --parallel-max 300 would use 300 concurrent transfers, but
+ --parallel-max 301 would unexpectedly use only 50. This change clamps
+ higher values to the maximum (ie --parallel-max 301 would use 300).
+
+ Closes https://github.com/curl/curl/pull/8930
+
+Daniel Stenberg (27 May 2022)
+
+- curl.1: add a few see also --tls-max
+
+ Closes #8929
+
+Viktor Szakats (26 May 2022)
+
+- cmake: do not add libcurl.rc to the static libcurl library
+
+ Fixes: https://github.com/curl/curl/pull/8918#issuecomment-1138263855
+
+ Reviewed-By: Karlson2k@users.noreply.github.com
+ Closes #8923
+
+- cmake: support adding a suffix to the OS value
+
+ CMake automatically uses the `CMAKE_SYSTEM_NAME` value to fill the OS
+ string appearing in the --version output after the curl version number,
+ for example:
+
+ 'curl 7.83.1 (Windows)'
+
+ This patchs adds the ability to pass a suffix that is appended to this
+ value. It's useful to add CPU info or other platform details,
+ for example:
+
+ 'curl 7.83.1 (Windows-x64)'
+
+ Closes #8919
+
+- cmake: enable curl.rc for all Windows targets
+
+ Before this patch, it was only enabled for MSVC. This syncs this
+ configuration with libcurl.rc, which was already included with
+ every Windows compiler.
+
+ Closes #8918
+
+- cmake: fix detecting libidn2
+
+ Without this patch, libidn2 detection doesn't even seem to be
+ attempted. With this patch, cmake can be configured to pick it
+ up and enable it. Necessary configuration remains manual and
+ differs from most other dependencies.
+
+ If you are aware of a better fix, we're glad hearing about it
+ in a new Issue.
+
+ Closes #8917
+
+- version: allow stricmp() for sorting the feature list
+
+ In CMakeLists.txt there is an attempt to detect `stricmp()`, and in
+ certain cases, this attempt is the only successful one to detect a
+ case-insensitive comparison function. `HAVE_STRICMP` is defined as
+ a result, but this macro wasn't used anywhere in the source. This
+ patch makes use of it as an alternative when alpha-sorting the
+ `--version` feature list.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #8916
+
+Daniel Stenberg (25 May 2022)
+
+- DISABLED: add six tests that fail with hyper
+
+ 1117 1274 1940 1941 1942 1943
+
+- c-hyper: mark status line as status for Curl_client_write()
+
+ To make sure the headers API can filter it out as not a regular header.
+
+ Reported-by: Gisle Vanem
+ Fixes #8894
+ Closes #8914
+
+Marc Hoersken (25 May 2022)
+
+- tests/data/test1501: kill ftp server after slow LIST response
+
+ This test is contributing to flakiness on the Windows CI runs.
+ Killing the ftp server after the test run like other slowness
+ tests already do may help resolve or reduce the flakiness.
+
+ Closes #8907
+
+Daniel Stenberg (25 May 2022)
+
+- headers: fix the unfold realloc to use proper new size
+
+ Previously it didn't take the old name length into acount
+
+ Follow-up to: c9b60f005358a364
+ Closes #8913
+
+Marc Hoersken (25 May 2022)
+
+- GHA: align all install, configure and build steps again
+
+ First step towards more unified build steps on GitHub Actions.
+
+ Closes #8873
+
+- CI/azure: remove obsolete strategy for single builds
+
+ This shortens these CI job names on GitHub even more.
+ Follow up to #8906 which also increased their timeout.
+
+ Closes #8911
+
+- CI/azure: shorten names of Windows CI jobs
+
+ Suggested-by: Daniel Stenberg
+ Closes #8906
+
+Daniel Stenberg (24 May 2022)
+
+- http: restore header folding behavior
+
+ Folded header lines will now get passed through like before. The headers
+ API is adapted and will provide the content unfolded.
+
+ Added test 1274 and extended test 1940 to verify.
+
+ Reported-by: Petr Pisar
+ Fixes #8844
+ Closes #8899
+
+Viktor Szakats (24 May 2022)
+
+- Makefile.m32: delete obsolete options, improve -On [ci skip]
+
+ - `-D_AMD64_` has not been necessary for mingw-w64 builds for a long time now
+ .
+ - `-fno-strict-aliasing` is mentioned for Intel C compiler in autotools, and
+ I used this with VxWorks in another project, but otherwise this isn't
+ necessary anymore as a default. If a target still needs it, it can be
+ added with `CURL_CFLAG_EXTRAS=-fno-strict-aliasing`
+ - bump up default optimization level to `-O3` (from `-O2`), and also rearrang
+ e
+ option order so the default can now be overridden via
+ `CURL_CFLAG_EXTRAS`.
+ - delete `-g` (generate debug info) from `CFLAGS` and `-s` from `LDFLAGS`
+ (strip debug info). They were working against each other. Now, if someone
+ needs debug info, it can be enabled via `CURL_CFLAG_EXTRAS=-g`
+
+ Closes #8904
+
+Daniel Gustafsson (24 May 2022)
+
+- ntlm: fix one more hostname test fallout
+
+ This fixup was missed in commit 5a41abef6dca19.
+
+ Closes: #8901
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- doh: remove UNITTEST macro definition
+
+ The UNITTEST macro is defined by curl_setup.h so there is no use in
+ carry a local copy of the logic.
+
+ Closes: #8902
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (24 May 2022)
+
+- cookie: fix false positive "potentially uninitialized local variable"
+
+ Reviewed-by: Daniel Gustafsson
+ Closes #8903
+
+- curl: add --rate to set max request rate per time unit
+
+ --rate "12/m" - for 12 per minute or
+ --rate "5/h" - for 5 per hour
+
+ Removed from TODO
+
+ Closes #8671
+
+Jay Satiro (23 May 2022)
+
+- max-time.d: clarify max-time sets max transfer time
+
+ Prior to this change the doc said --max-time set the maximum time of the
+ 'whole operation' which is not accurate. The option maps to
+ CURLOPT_TIMEOUT_MS which sets maximum transfer time.
+
+ For example, the maximum time on a transfer is reset if the transfer is
+ retried (--retry).
+
+ Reported-by: Nuru@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/8877
+ Closes #8879
+
+Daniel Stenberg (23 May 2022)
+
+- GHA/hyper: enable debug in the build
+
+- hyper: use 'alt-used'
+
+ Makes test 412+413 work
+
+ Closes #8898
+
+- RELEASE-NOTES: synced
+
+- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
+
+ Closes #8888
+
+- links: update dead links
+
+ The wiki pages are gone, remove and link to more long-living docs.
+
+ Closes #8897
+
+- ntlm: (void) typecast msnprintf() where we ignore return code
+
+ Follow-up to 5a41abef6, to please Coverity
+
+Daniel Gustafsson (22 May 2022)
+
+- ntlm: copy NTLM_HOSTNAME to host buffer
+
+ Commit 709ae2454f43 added a fake hostname to avoid leaking the local
+ hostname, but omitted copying it to the host buffer. Fix by copying
+ and adjust the test fallout.
+
+ Closes: #8895
+ Fixes: #8893
+ Reported-by: Patrick Monnerat <patrick@monnerat.net>
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- configure: use the SED value to invoke sed
+
+ Rather than assuming sed in PATH, use the resolved $SED variable
+ like in all other invocations of sed in configure.
+
+ Closes: #8891
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
+
+Tatsuhiro Tsujikawa (20 May 2022)
+
+- ngtcp2: Allow curl to send larger UDP datagrams
+
+ Allow curl to send larger UDP datagram if Path MTU Discovery finds the
+ availability of larger path MTU. To make it work and not to send
+ fragmented packet, we need to set DF bit. That makes send(2) fail with
+ EMSGSIZE if UDP datagram is too large. In that case, just let it be
+ lost. This patch enables DF bit for Linux only.
+
+ Closes #8883
+
+Daniel Stenberg (20 May 2022)
+
+- libcurl-security.3: add "Secrets in memory"
+
+ Closes #8881
+
+- tests: update NTLM tests to use new host name
+
+ Also drop the debug requirement, remove the setenv sections, remove
+ prechecks and add NTLM to the top keywords.
+
+ Closes #8889
+
+- ntlm: provide a fixed fake host name
+
+ The NTLM protocol includes providing the local host name, but apparently
+ other implementations already provide a fixed fake name instead to avoid
+ leaking the real local name.
+
+ The exact name used is 'WORKSTATION', because Firefox uses that.
+
+ The change is written to allow someone to "back-pedal" fairly easy in
+ case of need.
+
+ Reported-by: Carlo Alberto
+ Fixes #8859
+ Closes #8889
+
+Daniel Gustafsson (20 May 2022)
+
+- KNOWN_BUGS: fix typo in problem description
+
+ s/TSL/TLS/
+
+- FEATURES: remove yassl as TLS library for NTLM
+
+ yassl was added in commit 9d904ee41b880b but is no longer available
+ and is thus not a library to use for NTLM. This aligns the FEATURES
+ doc with the FAQ.
+
+ Closes: #8886
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- FEATURES: reorder footnotes
+
+ The empty left-behind footnote confused the website rendering into
+ creating a nested emoty list, making the resulting page look quite
+ odd. Remove and re-order the remaining ones to avoid a gap in the
+ sequence.
+
+ Closes: #8886
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- FAQ: remove opinionated sentence on NTLM
+
+ curl is a tool that support many different things, and it doesn't
+ really seem like our job to tell other what to use (as they might
+ not have much say in the matter even). Also tidy up wording.
+
+ Closes: #8886
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Viktor Szakats (20 May 2022)
+
+- log2changes: do not indent empty lines [ci skip]
+
+ This will omit two spaces of indentation from lines with no content,
+ thus avoiding 'spaces @ EOL'.
+
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Closes #8887
+
+Daniel Stenberg (19 May 2022)
+
+- wolfssl: correct the failf() message when a handle can't be made
+
+ Closes #8885
+
+Viktor Szakats (19 May 2022)
+
+- Makefile.m32: delete two obsolete OpenSSL options [ci skip]
+
+ - -DOPENSSL_NO_KRB5: No longer used by OpenSSL 1.1.x, 3.x, or
+ LibreSSL 3.5.x, yet it collides with the latter, which defines
+ it unconditionally, resulting in this warning:
+ ../../libressl/include/openssl/opensslfeatures.h:14:9: warning: 'OPENSSL_
+ NO_KRB5' macro redefined [-Wmacro-redefined]
+ It was originally added to curl in 2004.
+
+ - -DHAVE_OPENSSL_PKCS12_H: No longer used by OpenSSL 1.1.x, 3.x, or
+ LibreSSL back to at least 2.5.5. Originally added in the same
+ commit as the above, in 2004.
+
+ Closes #8884
+
+Daniel Stenberg (19 May 2022)
+
+- RELEASE-NOTES: synced
+
+ bump to 7.84.0
+
+Christian Weisgerber via curl-library (19 May 2022)
+
+- Makefile.am: fix portability issues
+
+ Commit a04f0b961333e1a19848d073d8c7db9c20b2a371 made me notice that
+ there is a portability issue in curl's top-level Makefile.am.
+
+ $< can only be used in rules that deal with .SUFFIXES. Its use
+ for general prerequisites is a GNU make extension.
+
+ $< could be replaced by $?, but I think in an autotools context,
+ something like this is better:
+
+ Bug: https://curl.se/mail/lib-2022-05/0024.html
+ Closes #8861
+
+Balakrishnan Balasubramanian (19 May 2022)
+
+- socks: support unix sockets for socks proxy
+
+ Usage:
+ curl -x "socks5h://localhost/run/tor/socks" "https://example.com"
+
+ Updated runtests.pl to run a socksd server listening on unix socket
+
+ Added tests test1467 test1468
+
+ Added documentation for proxy command line option and socks proxy
+ options
+
+ Closes #8668
+
+Vincent Torri (19 May 2022)
+
+- cmake: add libpsl support
+
+ Fixes #8865
+ Closes #8867
+
+Tatsuhiro Tsujikawa (19 May 2022)
+
+- ngtcp2: extend QUIC transport parameters buffer
+
+ Extend QUIC transport parameters buffer because 64 bytes are too
+ short for the ever increasing parameters.
+
+ Closes #8872
+
+- ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
+
+ Closes #8871
+
+- ngtcp2: send appropriate connection close error code
+
+ Closes #8870
+
+Daniel Stenberg (19 May 2022)
+
+- test1561: adjusted for the cookie fix
+
+- test414: verify secure cookie domain overlay
+
+Harry Sintonen (19 May 2022)
+
+- cookie: address secure domain overlay
+
+ Bug: https://hackerone.com/reports/1560324
+ Co-authored-by: Daniel Stenberg
+ Closes #8840
+
+Frank Gevaerts (19 May 2022)
+
+- strcase: some optimisations
+
+ Lookup tables for toupper() and tolower() make Curl_strcasecompare()
+ about 1.5 times faster. Reorganising Curl_strcasecompare() to fully exit
+ early then also allows simplifying the check at the end, for another
+ 15%. In total, the changes make Curl_strcasecompare() around 1.6 to 1.7
+ times faster.
+
+ Note that these optimisation assume ASCII. The original
+ Curl_raw_toupper() and raw_tolower() look like they already made that
+ assumption.
+
+ Closes #8875
+
+Daniel Stenberg (19 May 2022)
+
+- BUG-BOUNTY.md: mention the audit exception
+
+ Dedicated - paid for - security audits that are performed in
+ collaboration with curl developers are not eligible for bounties.
+
+ (plus I changed the sub-titles to use ## instead of # in the markdown)
+
+ Closes #8880
+
+- lib/vssh/wolfssh.h: removed
+
+ Unused header file
+
+ Reported-by: Illarion Taev
+ Fixes #8863
+ Closes #8866
+
+Elms (17 May 2022)
+
+- wolfSSL: explicitly use compatibility layer
+
+ This change removes adding an include `$prefix/wolfssl` or similar to
+ allow for openssl include aliasing. Include paths of `wolfssl/openssl/`
+ are used to explicitly use wolfSSL includes. This fixes cmake builds as
+ well as avoiding potentially using openSSL headers since include path
+ order is not guaranteed.
+
+ Closes #8864
+
+Daniel Stenberg (17 May 2022)
+
+- curl: deprecate --random-file and --egd-file
+
+ As libcurl no longer has any functionality for them, the tool now does
+ nothing with them.
+
+ Closes #8670
+
+- opts: deprecate RANDOM_FILE and EGDSOCKET
+
+ These two options were only ever used for the OpenSSL backend for
+ versions before 1.1.0. They were never used for other backends and they
+ are not used with recent OpenSSL versions. They were never used much by
+ applications.
+
+ The defines RANDOM_FILE and EGD_SOCKET can still be set at build-time
+ for ancient EOL OpenSSL versions.
+
+ Closes #8670
+
+Harry Sintonen (17 May 2022)
+
+- bindlocal: don't use a random port if port number would wrap
+
+ Earlier if CURLOPT_LOCALPORT + CURLOPT_LOCALPORTRANGE would go past port
+ 65535 the code would fall back to random port rather than giving up.
+
+ Closes #8862
+
+Daniel Gustafsson (16 May 2022)
+
+- transfer: Fix potential NULL pointer dereference
+
+ Commit 0ef54abf5208 accidentally used the conn variable before the
+ assertion for it being NULL. Fix by moving the assignment which use
+ conn to after the assertion.
+
+ Closes: #8857
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- docs: clarify data replacement policy for MIME API
+
+ The API documentation for the MIME functions specify that the parts
+ can be set twice, with the last call winning. While true, the user
+ can set the parts n times for n > 2, reword to specify multiple API
+ calls instead.
+
+ Closes: #8860
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+vvb2060 on github (16 May 2022)
+
+- ngtcp2: support boringssl crypto backend
+
+ Closes #8789
+
+Tatsuhiro Tsujikawa (16 May 2022)
+
+- quic: add Curl_quic_idle
+
+ Add Curl_quic_idle which is called when no HTTP level read or write is
+ performed. It is a good place to handle timer expiry for QUIC transport
+ (.e.g, retransmission).
+
+ Closes #8698
+
+Gregor Jasny (16 May 2022)
+
+- mprintf: ignore clang non-literal format string
+
+ Closes #8740
+
+Nick Zitzmann (16 May 2022)
+
+- sectransp: check for a function defined when __BLOCKS__ is undefined
+
+ SecTrustEvaluateAsync() is defined in the macOS 10.7 SDK, but it
+ requires Grand Central Dispatch to be supported by the compiler, and
+ some third-party macOS compilers do not support Grand Central Dispatch.
+ SecTrustCopyPublicKey() is not present in macOS 10.6, so this shouldn't
+ adversely affect anything.
+
+ Fixes #8846
+ Reported-by: Egor Pugin
+ Closes #8854
+
+Daniel Gustafsson (16 May 2022)
+
+- test412/413: Use version macro for User-Agent
+
+ Commit 46d45ea3a incorrectly hardcoded the User-Agent in the test
+ output file which breaks when curlver is updated. Shift to using
+ the %VERSION macro instead.
+
+ Closes: #8856
+
+- macos9: remove partial support
+
+ The support for compiling on Mac OS 9 hasn't been modified since 2001
+ and has no active maintainer or packager, so it's time to remove it as
+ it's incredibly unlikely to work. If a maintainer re-emerges it can be
+ resurrected from Git history.
+
+ Closes: #8836
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (16 May 2022)
+
+- test1635: verify --fail-with-body with --retry
+
+ Almost a dupe of 1634
+
+ Closes #8847
+
+- tool_operate: make sure --fail-with-body works with --retry
+
+ ... in the same way --fail already does.
+
+ Reported-by: Jakub Bochenski
+ Fixes #8845
+ Closes #8847
+
+Tatsuhiro Tsujikawa (16 May 2022)
+
+- ngtcp2: Correct use of ngtcp2 and nghttp3 signed integer types
+
+ Closes #8851
+
+- ngtcp2: Fix alert_read_func return value
+
+ Closes #8852
+
+Harry Sintonen (16 May 2022)
+
+- Curl_parsenetrc: don't access local pwbuf outside of scope
+
+ Accessing local variables outside of the scope is forbidden and
+ depending on the compiler can result in the value being
+ overwritten. Fixed by moving the pwbuf to be in scope.
+
+ Closes #8850
+
+Daniel Stenberg (16 May 2022)
+
+- RELEASE-NOTES: synced
+
+ and bump curlver to 7.83.2 for now (but likely to become 7.84.0 soon)
+
+Frazer Smith (14 May 2022)
+
+- ci: update github actions
+
+ - bump actions/checkout from 2 to 3
+ - bump actions/upload-artifact from 1 to 3
+ - bump github/codeql-actions from 1 to 2
+ - use version tag for actions/checkout
+
+ Closes #8843
+
+Daniel Stenberg (14 May 2022)
+
+- test1919: verify CURLOPT_XOAUTH2_BEARER leak fix
+
+- url: free old conn better on reuse
+
+ Make use of conn_free() better and avoid duplicate code.
+
+ Reported-by: Andrea Pappacoda
+ Fixes #8841
+ Closes #8842
+
+Jay Satiro (14 May 2022)
+
+- FAQ: Clarify Windows double quote usage
+
+ - Windows command prompt doesn't use literal quoting via single quotes.
+
+ - Windows command prompt inner double quotes are escaped with a
+ backslash.
+
+ - Windows powershell does use single quotes but curl is not a powershell
+ script so the arguments may not be passed on correctly.
+
+ - Windows powershell inner double quotes seems can be passed to curl if
+ the outer quotes are double quotes and an escape of backslash-backtick
+ is used.
+
+ Command prompt example:
+
+ ~~~
+ getargs -v -d "\"a\""
+
+ argv[0]: getargs
+ argv[1]: -v
+ argv[2]: -d
+ argv[3]: "a"
+ ~~~
+
+ Ref: https://github.com/curl/curl/issues/8818
+ Ref: https://gist.github.com/jay/19aba48653bd591cf4b90eb9249a302c
+
+ Reported-by: KotlinIsland@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/8823
+
+Daniel Stenberg (12 May 2022)
+
+- github/workflows/nss: apt update first
+
+ Fix "libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb 404 Not Found"
+
+ Closes #8837
+
+- page-footer: mention exit code zero too
+
+ Success (zero) is also an "exit code" worth mentioning.
+
+ Closes #8833
+
+Daniel Gustafsson (12 May 2022)
+
+- gssapi: initialize gss_buffer_desc strings
+
+ Explicitly initialize gss_buffer_desc strings such that a call to
+ freeing resources will succeed even if no data has been allocated
+ to it.
+
+ Reported-by: Jay Satiro <raysatiro@yahoo.com>
+
+- gssapi: improve handling of errors from gss_display_status
+
+ In case gss_display_status() returns an error, avoid trying to add
+ it to the buffer as the message may well be a NULL pointer.
+
+ Originally this fix comes from a discussion in issue #8816.
+
+ Closes: #8832
+ Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
+
+steini2000 (12 May 2022)
+
+- http2: always debug print stream id in decimal with %u
+
+ Prior to this change the stream id shown could be hex or decimal which
+ was inconsistent and confusing.
+
+ Closes https://github.com/curl/curl/pull/8808
+
+Kamil Dudka (11 May 2022)
+
+- url: remove redundant #ifdefs in allocate_conn()
+
+ No change in behavior intended by this commit.
+
+Fabian Keil (11 May 2022)
+
+- tests 266, 116 and 1540: add a small write delay
+
+ This makes it more likely that the trailer is received
+ seperately from the last-chunk.
+
+ curl doesn't seem to care about this but it makes the tests
+ more useful when testing external proxies like Privoxy.
+
+- tests 1117,1238,1523: adjust writedelay servercmds
+
+ ... so the delays are the same now that the unit
+ is in milliseconds.
+
+- tests/server/sws.c: change the HTTP writedelay unit to milliseconds
+
+ This allows to use write delays for large responses without
+ resulting in the test taking an unreasonable amount of time.
+
+ In many cases delaying writes by a whole second or more isn't
+ necessary for the desired effect.
+
+ Closes #8827
+
+Daniel Gustafsson (11 May 2022)
+
+- aws-sigv4: fix potentional NULL pointer arithmetic
+
+ We need to check if the strchr() call returns NULL (due to missing
+ char) before we use the returned value in arithmetic. There is no
+ live bug here, but fixing it before it can become for hygiene.
+
+ Closes: #8814
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (11 May 2022)
+
+- quiche: support ca-fallback
+
+ Follow-up to b01f3e679f4c1ea3 which added this for ngtcp2/openssl
+
+ Removed from KNOWN_BUGS
+
+ Fixes #8696
+ Closes #8830
+
+Daniel Gustafsson (11 May 2022)
+
+- x509asn1: mark msnprintf return as unchecked
+
+ We have lots of unchecked msnprintf calls, and this particular msnprintf
+ call isn't more interesting than the others, but this one yields a Coverity
+ warning so let's implicitly silence it. Going over the other invocations
+ is probably a worthwhile project, but for now let's keep the static
+ analyzers happy.
+
+ Closes: #8831
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Version 7.83.1 (11 May 2022)
+
+Daniel Stenberg (11 May 2022)
+
+- RELEASE-NOTES: synced
+
+ curl 7.83.1 release
+
+- THANKS: added contributors from 7.83.1
diff --git a/libs/libcurl/docs/COPYING b/libs/libcurl/docs/COPYING index 90f05adf25..ce7566ed03 100644 --- a/libs/libcurl/docs/COPYING +++ b/libs/libcurl/docs/COPYING @@ -1,22 +1,22 @@ -COPYRIGHT AND PERMISSION NOTICE - -Copyright (c) 1996 - 2022, Daniel Stenberg, <daniel@haxx.se>, and many -contributors, see the THANKS file. - -All rights reserved. - -Permission to use, copy, modify, and distribute this software for any purpose -with or without fee is hereby granted, provided that the above copyright -notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN -NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, -DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR -OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE -OR OTHER DEALINGS IN THE SOFTWARE. - -Except as contained in this notice, the name of a copyright holder shall not -be used in advertising or otherwise to promote the sale, use or other dealings -in this Software without prior written authorization of the copyright holder. +COPYRIGHT AND PERMISSION NOTICE
+
+Copyright (c) 1996 - 2022, Daniel Stenberg, <daniel@haxx.se>, and many
+contributors, see the THANKS file.
+
+All rights reserved.
+
+Permission to use, copy, modify, and distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright
+notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
+NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+OR OTHER DEALINGS IN THE SOFTWARE.
+
+Except as contained in this notice, the name of a copyright holder shall not
+be used in advertising or otherwise to promote the sale, use or other dealings
+in this Software without prior written authorization of the copyright holder.
diff --git a/libs/libcurl/docs/THANKS b/libs/libcurl/docs/THANKS index b898341c95..df87d193d3 100644 --- a/libs/libcurl/docs/THANKS +++ b/libs/libcurl/docs/THANKS @@ -1,2737 +1,2777 @@ - This project has been alive for many years. Countless people have provided - feedback that have improved curl. Here follows a list of people that have - contributed (a-z order). - - If you have contributed but are missing here, please let us know! - -0xee on github -0xflotus on github -12932 on github -1337vt on github -1ocalhost on github -3dyd on github -3eka on github -8U61ife on github -a1346054 on github -Aaro Koskinen -Aaron Oneal -Aaron Orenstein -Aaron Scarisbrick -aasivov on github -Abhinav Singh -Abram Pousada -accountantM on github -AceCrow on Github -Adam Barclay -Adam Brown -Adam Coyne -Adam D. Moss -Adam Langley -Adam Light -Adam Marcionek -Adam Piggott -Adam Rosenfield -Adam Sampson -Adam Tkac -Adnan Khan -adnn on github -Adrian Burcea -Adrian Peniak -Adrian Schuur -Adriano Meirelles -afrind on github -Aftab Alam -ahodesuka on github -ajak in #curl -Ajit Dhumale -Akhil Kedia -Aki Koskinen -Akos Pasztory -Akshay Vernekar -Alain Danteny -Alain Miniussi -Alan Jenkins -Alan Pinstein -Albert Chin-A-Young -Albert Choy -Albin Vass -Alejandro Alvarez Ayllon -Alejandro Colomar -Alejandro R. Sedeño -Aleksandar Milivojevic -Aleksander Mazur -Aleksandr Krotov -Aleksey Tulinov -Ales Mlakar -Ales Novak -Alessandro Ghedini -Alessandro Vesely -Alex aka WindEagle -Alex Baines -Alex Bligh -Alex Chan -Alex Crichton -Alex Fishman -Alex Gaynor -Alex Grebenschikov -Alex Gruz -Alex Kiernan -Alex Konev -Alex Malinovich -Alex Mayorga -Alex McLellan -Alex Neblett -Alex Nichols -Alex Potapenko -Alex Rousskov -Alex Samorukov -Alex Suykov -Alex Vinnik -Alex Xu -Alexander Beedie -Alexander Chuykov -Alexander Dyagilev -Alexander Elgert -Alexander Kanavin -Alexander Klauer -Alexander Kourakos -Alexander Krasnostavsky -Alexander Lazic -Alexander Pepper -Alexander Peslyak -Alexander Sinditskiy -Alexander Traud -Alexander V. Tikhonov -Alexander Zhuravlev -Alexandre Bury -Alexandre Pion -Alexey Borzov -Alexey Eremikhin -Alexey Melnichuk -Alexey Pesternikov -Alexey Simak -Alexey Zakhlestin -Alexis Carvalho -Alexis La Goutte -Alexis Vachette -Alfonso Martone -Alfred Gebert -Allen Pulsifer -Alona Rossen -Amaury Denoyelle -amishmm on github -Amit Katyal -Amol Pattekar -Amr Shahin -Anatol Belski -Anatoli Tubman -Anders Bakken -Anders Berg -Anders Gustafsson -Anders Havn -Anders Roxell -Anderson Sasaki -Anderson Toshiyuki Sasaki -Andi Jahja -Andre Guibert de Bruet -Andre Heinecke -Andrea Pappacoda -Andreas Damm -Andreas Falkenhahn -Andreas Farber -Andreas Fischer -Andreas Kostyrka -Andreas Malzahn -Andreas Ntaflos -Andreas Olsson -Andreas Rieke -Andreas Roth -Andreas Schneider -Andreas Schuldei -Andreas Sommer -Andreas Streichardt -Andreas Wurf -Andrei Benea -Andrei Bica -Andrei Cipu -Andrei Karas -Andrei Kurushin -Andrei Neculau -Andrei Rybak -Andrei Sedoi -Andrei Valeriu BICA -Andrei Virtosu -Andrej E Baranov -Andrew Barnert -Andrew Barnes -Andrew Benham -Andrew Biggs -Andrew Bushnell -Andrew de los Reyes -Andrew Francis -Andrew Fuller -Andrew Ishchuk -Andrew Krieger -Andrew Kurushin -Andrew Lambert -Andrew Moise -Andrew Potter -Andrew Robbins -Andrew Wansink -Andrey Alifanov -Andrey Gursky -Andrey Labunets -Andrii Moiseiev -Andrius Merkys -Andrés García -Andy Cedilnik -Andy Fiddaman -Andy Serpa -Andy Tsouladze -Angus Mackay -anio on github -anon00000000 on github -anshnd on github -Antarpreet Singh -Anthon Pang -Anthony Avina -Anthony Bryan -Anthony G. Basile -Anthony Hu -Anthony Ramine -Anthony Shaw -Antoine Aubert -Antoine Calando -Antoine Pietri -Anton Bychkov -Anton Gerasimov -Anton Kalmykov -Anton Malov -Anton Yabchinskiy -Antoni Villalonga -Antonio Larrosa -Antony74 on github -Antti Hätälä -April King -arainchik on github -Archangel_SDY on github -Arkadiusz Miskiewicz -Armel Asselin -Arnaud Compan -Arnaud Ebalard -Arnaud Rebillout -Aron Bergman -Aron Rotteveel -Artak Galoyan -Arthur Murray -Artur Sinila -Arve Knudsen -Arvid Norberg -arvids-kokins-bidstack on github -asavah on github -Ashish Shukla -Ashwin Metpalli -Ask Bjørn Hansen -Askar Safin -Ates Goral -Augustus Saunders -Austin Green -Avery Fay -awesomenode on github -Axel Chong -Axel Morawietz -Axel Tillequin -Ayoub Boudhar -Ayushman Singh Chauhan -b9a1 on github -Bachue Zhou -Balaji Parasuram -Balaji S Rao -Balaji Salunke -Balakrishnan Balasubramanian -Balazs Kovacsics -Balint Szilakszi -Barry Abrahamson -Barry Pollard -Bart Whiteley -Baruch Siach -Bas Mevissen -Bas van Schaik -Bastian Krause -Bastien Bouclet -Basuke Suzuki -baumanj on github -bdry on github -beckenc on github -Ben Boeckel -Ben Darnell -Ben Greear -Ben Kohler -Ben Madsen -Ben Noordhuis -Ben Van Hof -Ben Voris -Ben Winslow -Benau on github -Benbuck Nason -Benjamin Gerard -Benjamin Gilbert -Benjamin Johnson -Benjamin Kircher -Benjamin Loison -Benjamin Riefenstahl -Benjamin Ritcey -Benjamin Sergeant -Benoit Neil -Benoit Sigoure -Bernard Leak -Bernard Spil -Bernat Mut -Bernd Mueller -Bernhard Iselborn -Bernhard M. Wiedemann -Bernhard Reutner-Fischer -Bernhard Walle -Bert Huijben -Bertrand Demiddelaer -Bertrand Simonnet -beslick5 on github -Bevan Weiss -Bill Doyle -Bill Egert -Bill Hoffman -Bill Middlecamp -Bill Nagel -Bill Pyne -billionai on github -Billyzou0741326 on github -Bin Lan -Bin Meng -Bjarni Ingi Gislason -Bjoern Franke -Bjoern Sikora -Bjorn Augustsson -Bjorn Reese -Björn Stenberg -Blaise Potard -Blake Burkhart -bnfp on github -Bo Anderson -Bob Relyea -Bob Richmond -Bob Schader -bobmitchell1956 on github -Bodo Bergmann -Bogdan Nicula -Boris Rasin -Boris Verkhovskiy -Brad Burdick -Brad Fitzpatrick -Brad Forschinger -Brad Harder -Brad Hards -Brad King -Brad Spencer -Bradford Bruce -bramus on github -Brandon Casey -Brandon Dong -Brandon Wang -Brendan Jurd -Brent Beardsley -Brian Akins -Brian Bergeron -Brian Carpenter -Brian Chaplin -Brian Childs -Brian Chrisman -Brian Dessent -Brian E. Gallew -Brian Inglis -Brian J. Murrell -Brian Prodoehl -Brian R Duffy -Brian Ulm -Brock Noland -Bru Rom -Bruce Mitchener -Bruce Stephens -BrumBrum on hackerone -Bruno Baguette -Bruno de Carvalho -Bruno Grasselli -Bruno Thomsen -Bryan Henderson -Bryan Kemp -bsammon on github -bsergean on github -Bubu on github -buzo-ffm on github -bxac on github -Bylon2 on github -Byrial Jensen -Caleb Raitto -Calvin Buckley -Cameron Cawley -Cameron Kaiser -Cameron MacMinn -Cameron Will -Camille Moncelier -Cao ZhenXiang -Caolan McNamara -Captain Basil -Carie Pointer -Carl Zogheib -Carlo Alberto -Carlo Cannas -Carlo Marcelo Arenas Belón -Carlo Teubner -Carlo Wood -Carlos ORyan -Carsten Lange -Casey O'Donnell -Catalin Patulea -causal-agent on github -cbartl on github -cclauss on github -Cering on github -Cesar Eduardo Barros -Chad Monroe -Chandrakant Bagul -Charles Cazabon -Charles Kerr -Charles Romestant -Chen Prog -Cherish98 on github -Chester Liu -Chih-Chung Chang -Chih-Hsuan Yen -Chris "Bob Bob" -Chris Araman -Chris Carlmar -Chris Combes -Chris Conlon -Chris Deidun -Chris Faherty -Chris Flerackers -Chris Gaukroger -Chris Maltby -Chris Mumford -Chris Paulson-Ellis -Chris Roberts -Chris Smowton -Chris Young -Christian Fillion -Christian Grothoff -Christian Heimes -Christian Hägele -Christian Krause -Christian Kurz -Christian Robottom Reis -Christian Schmitz -Christian Stewart -Christian Vogt -Christian Weisgerber -Christoph Krey -Christoph M. Becker -Christophe Demory -Christophe Dervieux -Christophe Legry -Christopher Conroy -Christopher Degawa -Christopher Head -Christopher Palow -Christopher R. Palmer -Christopher Reid -Christopher Sauer -Christopher Stone -Chungtsun Li -Ciprian Badescu -civodul on github -Claes Jakobsson -Clarence Gardner -Claudio Neves -clbr on github -Clemens Gruber -Cliff Crosland -Clifford Wolf -Clint Clayton -Clément Notin -cmfrolick on github -codesniffer13 on github -Cody Jones -Cody Mack -COFFEETALES on github -coinhubs on github -Colby Ranger -Colin Blair -Colin Hogben -Colin Leroy -Colin O'Dell -Colin Watson -Colm Buckley -Constantine Sapuntzakis -coralw on github -Cory Benfield -Cory Nelson -Costya Shulyupin -Craig A West -Craig Andrews -Craig Davison -Craig de Stigter -Craig Markwardt -crazydef on github -Cris Bailiff -Cristian Greco -Cristian Morales Vega -Cristian Rodríguez -Curt Bogmine -Cynthia Coan -Cyril B -Cyrill Osterwalder -Cédric Connes -Cédric Deltheil -D. Flinkmann -d4d on hackerone -d912e3 on github -Da-Yoon Chung -daboul on github -Dag Ekengren -Dagobert Michelsen -Daiki Ueno -Dair Grant -Dambaev Alexander -Damian Dixon -Damien Adant -Damien Vielpeau -Damien Walsh -Dan Becker -Dan Cristian -Dan Donahue -Dan Fandrich -Dan Jacobson -Dan Johnson -Dan Kenigsberg -Dan Locks -Dan McNulty -Dan Nelson -Dan Petitt -Dan Torop -Dan Zitter -Daniel at touchtunes -Daniel Bankhead -Daniel Black -Daniel Carpenter -Daniel Cater -Daniel Egger -Daniel Gustafsson -Daniel Hallberg -Daniel Hwang -Daniel Jeliński -Daniel Johnson -Daniel Kahn Gillmor -Daniel Katz -Daniel Krügler -Daniel Kurečka -Daniel Lee Hwang -Daniel Lublin -Daniel Marjamäki -Daniel Melani -Daniel Mentz -Daniel Romero -Daniel Schauenberg -Daniel Seither -Daniel Shahaf -Daniel Silverstone -Daniel Steinberg -Daniel Stenberg -Daniel Theron -Daniel Valenzuela -Daniel Woelfel -Daphne Luong -Dario Nieuwenhuis -Dario Weißer -Darryl House -Darshan Mody -Darío Hereñú -dasimx on github -Dave Dribin -Dave Halbakken -Dave Hamilton -Dave May -Dave Reisner -Dave Thompson -Dave Vasilevsky -Davey Shafik -David Bau -David Benjamin -David Binderman -David Blaikie -David Bohman -David Byron -David Carlier -David Cohen -David Cook -David Demelier -David E. Narváez -David Earl -David Eriksson -David Garske -David Goerger -David Houlder -David Hu -David Hull -David J Meyer -David James -David Kalnischkies -David Kierznowski -David Kimdon -David L. -David Lang -David LeBlanc -David Lopes -David Lord -David McCreedy -David McLaughlin -David Odin -David Phillips -David Rosenstrauch -David Ryskalczyk -David Sanderson -David Schweikert -David Shaw -David Strauss -David Tarendash -David Thiel -David Walser -David Woodhouse -David Wright -David Yan -Davide Cassioli -davidedec on github -dbrowndan on github -dEajL3kA on github -Dengminwen -Denis Baručić -Denis Chaplygin -Denis Feklushkin -Denis Goleshchikhin -Denis Laxalde -Denis Ollier -Dennis Clarke -Dennis Felsing -Derek Higgins -Desmond O. Chang -destman on github -Detlef Schmier -Dheeraj Sangamkar -Didier Brisebourg -Diego Bes -Diego Casorran -Dietmar Hauser -Dilyan Palauzov -Dima Barsky -Dima Pasechnik -Dima Tisnek -Dimitar Boevski -Dimitre Dimitrov -Dimitrios Apostolou -Dimitrios Siganos -Dimitris Sarris -Dinar -Dirk Eddelbuettel -Dirk Feytons -Dirk Manske -Dirk Wetter -Dirkjan Bussink -Diven Qi -divinity76 on github -dkjjr89 on github -dkwolfe4 on github -Dmitri Shubin -Dmitri Tikhonov -Dmitriy Sergeyev -dmitrmax on github -Dmitry Bartsevich -Dmitry Eremin-Solenikov -Dmitry Falko -Dmitry Karpov -Dmitry Kostjuchenko -Dmitry Kurochkin -Dmitry Mikhirev -Dmitry Popov -Dmitry Rechkin -Dmitry S. Baikov -Dmitry Wagin -dnivras on github -Dolbneff A.V -Domen Kožar -Domenico Andreoli -Dominick Meglio -Dominik Hölzl -Dominik Klemba -Dominik Thalhammer -Dominique Leuenberger -Don J Olmstead -Dongliang Mu -Doron Behar -Doug Kaufman -Doug Porter -Douglas Creager -Douglas E. Wegscheid -Douglas Kilpatrick -Douglas Mencken -Douglas R. Horner -Douglas R. Reno -Douglas Steinwand -Dov Murik -dpull on github -Drake Arconis -dtmsecurity on github -Duane Cathey -Duncan Mac-Vicar Prett -Duncan Wilcox -Dustin Boswell -Dustin Howett -Dusty Mabe -Duy Phan Thanh -Dwarakanath Yadavalli -Dylan Ellicott -Dylan Salisbury -Dániel Bakai -Early Ehlinger -Earnestly on github -Eason-Yu on github -Ebe Janchivdorj -ebejan on github -Ebenezer Ikonne -Ed Morley -Eddie Lumpkin -Edgaras Janušauskas -Edin Kadribasic -Edmond Yu -Edoardo Lolletti -Eduard Bloch -Edward Kimmel -Edward Rudd -Edward Sheldrake -Edward Thomson -Eelco Dolstra -Eetu Ojanen -Egon Eckert -Egor Pugin -Ehren Bendler -Eldar Zaitov -elelel on github -elephoenix on github -Eli Schwartz -Elia Tufarolo -Elliot Saba -Ellis Pritchard -Elmira A Semenova -Elms -Eloy Degen -elsamuko on github -emanruse on github -Emanuele Bovisio -Emanuele Torre -Emil Engler -Emil Lerner -Emil Romanus -Emiliano Ida -Emilio López -Emmanuel Tychon -Enrico Scholz -Enrik Berkhan -Eramoto Masaya -Eric Cooper -Eric Curtin -Eric Gallager -Eric Hu -Eric Landes -Eric Lavigne -Eric Lubin -Eric Melville -Eric Mertens -Eric Musser -Eric Rautman -Eric Rescorla -Eric Ridge -Eric Rosenquist -Eric S. Raymond -Eric Sauvageau -Eric Thelin -Eric Vergnaud -Eric Wong -Eric Wu -Eric Young -Erick Nuwendam -Erik Jacobsen -Erik Janssen -Erik Johansson -Erik Minekus -Erik Olsson -Erik Stenlund -Ernest Beinrohr -Ernst Sjöstrand -Erwan Legrand -Erwin Authried -Estanislau Augé-Pujadas -Ethan Glasser Camp -Etienne Simard -Eugene Kotlyarov -Evan Jordan -Evangelos Foutras -Even Rouault -Evert Pot -Evgeny Grin (Karlson2k) -Evgeny Turnaev -eXeC64 on github -Eygene Ryabinkin -Eylem Ugurel -Fabian Fischer -Fabian Frank -Fabian Hiernaux -Fabian Keil -Fabian Ruff -Fabian Yamaguchi -Fabrice Fontaine -Fabrizio Ammollo -Fahim Chandurwala -Faizur Rahman -Farzin on github -Fawad Mirza -fds242 on github -Federico Bianchi -Fedor Karpelevitch -Fedor Korotkov -Feist Josselin -Felipe Gasper -Felix Hädicke -Felix Kaiser -Felix von Leitner -Felix Yan -Feng Tu -Fernando Muñoz -Filip Lundgren -Filip Salomonsson -Firefox OS -Flameborn on github -Flavio Medeiros -Florian Kohnhäuser -Florian Pritz -Florian Schoppmann -Florian Van Heghe -Florian Weimer -Florin Petriuc -Forrest Cahoon -Francisco Moraes -Francisco Munoz -Francisco Olarte -Francisco Sedano -Francois Petitjean -Francois Rivard -Frank Denis -Frank Gevaerts -Frank Hempel -Frank Keeney -Frank McGeough -Frank Meier -Frank Ticheler -Frank Van Uffelen -František Kučera -François Charlier -François Rigault -Frazer Smith -Fred Machado -Fred New -Fred Noz -Fred Stluka -Frederic Lepied -Frederik B -Frederik Wedel-Heinen -Fredrik Thulin -FuccDucc on github -fullincome on github -Gabriel Kuri -Gabriel Simmer -Gabriel Sjoberg -Gambit Communications -Ganesh Kamath -gaoxingwang on github -Garrett Holmstrom -Garrett Squire -Gary Maxwell -Gaurav Malhotra -Gautam Kachroo -Gautam Mani -Gavin Wong -Gavrie Philipson -Gaz Iqbal -Gaël Portay -gclinch on github -Gealber Morales -Geeknik Labs -Geoff Beier -Georeth Zhou -Georg Horn -Georg Huettenegger -Georg Lippitsch -Georg Wicherski -George Liu -Gerd v. Egidy -Gergely Nagy -Gerhard Herre -Gerrit Bruchhäuser -Gerrit Renker -Ghennadi Procopciuc -Giancarlo Formicuccia -Giaslas Georgios -Gil Weber -Gilad -Gilbert Ramirez Jr. -Gilles Blanc -Gilles Vollant -Giorgos Oikonomou -Gisle Vanem -git-bruh on github -GitYuanQu on github -Giuseppe Attardi -Giuseppe D'Ambrosio -Giuseppe Persico -Gleb Ivanovsky -Glen A Johnson Jr. -Glen Nakamura -Glen Scott -Glenn de boer -Glenn Sheridan -Glenn Strauss -Godwin Stewart -Google Inc. -Gordon Marler -Gorilla Maguila -Gou Lingfeng -Grant Erickson -Grant Pannell -Greg Hewgill -Greg Morse -Greg Onufer -Greg Pratt -Greg Rowe -Greg Zavertnik -Gregor Jasny -Gregory Jefferis -Gregory Muchka -Gregory Nicholls -Gregory Szorc -Griffin Downs -Grigory Entin -Guenole Bescon -Guido Berhoerster -Guillaume Arluison -guitared on github -Gunter Knauf -Gustaf Hui -Gustavo Grieco -Guy Poizat -GwanYeong Kim -Gwen Shapira -Gwenole Beauchesne -Gökhan Şengün -Götz Babin-Ebell -h1zzz on github -H3RSKO on github -Hagai Auro -Haibo Huang -Hamish Mackenzie -hamstergene on github -Han Han -Han Qiao -Hang Kin Lau -Hang Su -Hannes Magnusson -Hanno Böck -Hanno Kranzhoff -Hans Steegers -Hans-Christian Noren Egtvedt -Hans-Jurgen May -Hao Wu -Hardeep Singh -Haris Okanovic -Harold Stuart -Harry Sarson -Harry Sintonen -Harshal Pradhan -Hauke Duden -Hayden Roche -He Qin -Heikki Korpela -Heinrich Ko -Heinrich Schaefer -Helge Klein -Helmut K. C. Tessarek -Helwing Lutz -Hendrik Visage -Henri Gomez -Henrik Gaßmann -Henrik Holst -Henrik Storner -Henry Ludemann -Henry Roeland -Herve Amblard -HexTheDragon -Hidemoto Nakada -highmtworks on github -Himanshu Gupta -Hiroki Kurosawa -Ho-chi Chen -Hoi-Ho Chan -Hongli Lai -Hongyi Zhao -Howard Blaise -Howard Chu -hsiao yi -htasta on github -Hubert Kario -Hugh Macdonald -Hugo van Kemenade -Huzaifa Sidhpurwala -huzunhao on github -hydra3333 on github -Hzhijun -iammrtau on github -Ian Blanes -Ian D Allen -Ian Fette -Ian Ford -Ian Gulliver -Ian Lynagh -Ian Spence -Ian Turner -Ian Wilkes -Ignacio Vazquez-Abrams -Igor Franchuk -Igor Khristophorov -Igor Makarov -Igor Novoseltsev -Igor Polyakov -Ihor Karpenko -ihsinme on github -Iida Yosiaki -Ikko Ashimine -Ilguiz Latypov -Ilja van Sprundel -Illarion Taev -illusory-dream on github -Ilya Kosarev -imilli on github -Immanuel Gregoire -ImpatientHippo on GitHub -Inca R -infinnovation-dev on github -Ingmar Runge -Ingo Ralf Blum -Ingo Wilken -Inho Oh -Ionuț-Francisc Oancea -Irfan Adilovic -Ironbars13 on github -Irving Wolfe -Isaac Boukris -Isaiah Norton -Ishan SinghLevett -Ithubg on github -Ivan Avdeev -Ivan Tsybulin -IvanoG on github -Ivo Bellin Salarin -iz8mbw on github -J. Bromley -Jack Boos Yu -Jack Zhang -Jackarain on github -Jacky Lam -Jacob Barthelmeh -Jacob Hoffman-Andrews -Jacob Meuser -Jacob Moshenko -Jacob Tolar -Jactry Zeng -Jad Chamcham -Jaime Fullaondo -jakirkham on github -Jakub Bochenski -Jakub Wilk -Jakub Zakrzewski -James Atwill -James Brown -James Bursa -James Cheng -James Clancy -James Cone -James Dury -James Fuller -James Gallagher -James Griffiths -James Housley -James Knight -James Le Cuirot -James MacMillan -James Slaughter -Jamie Lokier -Jamie Newton -Jamie Wilkinson -Jan Alexander Steffens -Jan Chren -Jan Ehrhardt -Jan Koen Annot -Jan Kunder -Jan Mazur -Jan Schaumann -Jan Schmidt -Jan Van Boghout -Jan Venekamp -Jan Verbeek -Jan-Piet Mens -JanB on github -Janne Johansson -Jared Jennings -Jared Lundell -Jari Aalto -Jari Sundell -jasal82 on github -Jason Baietto -Jason Glasgow -Jason Juang -Jason Lee -Jason Liu -Jason McDonald -Jason S. Priebe -Javier Barroso -Javier Blazquez -Javier G. Sogo -Javier Navarro -Javier Sixto -Jay Austin -Jay Dommaschk -Jayesh A Shah -Jaz Fresh -Jean Fabrice -Jean Gressmann -Jean Jacques Drouin -Jean-Claude Chauve -Jean-Francois Bertrand -Jean-Francois Durand -Jean-Louis Lemaire -Jean-Marc Ranger -Jean-Noël Rouvignac -Jean-Philippe Barrette-LaPierre -Jean-Philippe Menil -Jeff Connelly -Jeff Hodges -Jeff Johnson -Jeff King -Jeff Lawson -Jeff Luszcz -Jeff Mears -Jeff Phillips -Jeff Pohlmeyer -Jeff Weber -Jeffrey Tolar -Jeffrey Walton -jeffrson on github -Jenny Heino -Jens Finkhaeuser -Jens Rantil -Jens Schleusener -Jeremie Rapin -Jeremy Falcon -Jeremy Friesner -Jeremy Huddleston -Jeremy Lainé -Jeremy Lin -Jeremy Maitin-Shepard -Jeremy Pearson -Jeremy Tan -Jeremy Thibault -Jeroen Koekkoek -Jeroen Ooms -Jerome Mao -Jerome Muffat-Meridol -Jerome Robert -Jerome Vouillon -Jerry Krinock -Jerry Wu -Jes Badwal -Jesper Jensen -Jesse Chisholm -Jesse Noller -Jesse Tan -jethrogb on github -jhoyla on github -Jie He -Jilayne Lovejoy -Jim Beveridge -Jim Drash -Jim Freeman -Jim Fuller -Jim Hollinger -Jim Meyering -Jimmy Gaussen -Jiri Dvorak -Jiri Hruska -Jiri Jaburek -Jishan Shaikh -Jiří Malák -jmdavitt on github -jnbr on github -Jocelyn Jaubert -Jochem Broekhoff -Joe Halpin -Joe Malicki -Joe Mason -Joel Chen -Joel Depooter -Joel Jakobsson -Joel Teichroeb -joey-l-us on github -Jofell Gallardo -Johan Anderson -Johan Lantz -Johan Nilsson -Johan van Selst -Johann150 on github -Johannes Bauer -Johannes Ernst -Johannes G. Kristinsson -Johannes Lesr -Johannes Schindelin -John A. Bristor -John Bampton -John Bradshaw -John Butterfield -John Coffey -John Crow -John David Anglin -John DeHelian -John Dennis -John Dunn -John E. Malmberg -John Gardiner Myers -John H. Ayad -John Hascall -John Janssen -John Joseph Bachir -John Kelly -John Kohl -John Lask -John Levon -John Lightsey -John Marino -John Marshall -John McGowan -John P. McCaskey -John Schroeder -John Simpson -John Starks -John Suprock -John V. Chow -John Wanghui -John Weismiller -John Wilkinson -John-Mark Bell -Johnny Luong -Jojojov on github -Jon DeVree -Jon Grubbs -Jon Johnson Jr -Jon Nelson -Jon Rumsey -Jon Sargeant -Jon Seymour -Jon Spencer -Jon Torrey -Jon Travis -Jon Turner -Jon Wilkes -Jonas Forsman -Jonas Haag -Jonas Minnberg -Jonas Schnelli -Jonas Vautherin -Jonatan Lander -Jonatan Vela -Jonathan Cardoso Machado -Jonathan Hseu -Jonathan Moerman -Jonathan Nieder -Jonathan Watt -Jonathan Wernberg -Jongki Suwandi -jonny112 on github -Joombalaya on github -Joonas Kuorilehto -Jordan Brown -Jose Alf -Jose Kahan -Josef Wolf -Joseph Chen -Josh Bialkowski -Josh Kapell -Josh Soref -joshhe on github -Joshua Kwan -Joshua Root -Joshua Swink -Josie Huddleston -Josip Medved -Josue Andrade Gomes -José Joaquín Atria -Jozef Kralik -Juan Barreto -Juan F. Codagnone -Juan Ignacio Hervás -Juan RP -Judson Bishop -Juergen Hoetzel -Juergen Wilke -Jukka Pihl -Julian Montes -Julian Noble -Julian Ospald -Julian Romero Nieto -Julian Taylor -Julian Z -Julien Chaffraix -Julien Nabet -Julien Royer -Jun Tseng -Jun-ichiro itojun Hagino -Jun-ya Kato -jungle-boogie on github -Junho Choi -Jurij Smakov -jurisuk on github -Juro Bystricky -justchen1369 on github -Justin Clift -Justin Ehlert -Justin Fletcher -Justin Karneges -Justin Maggard -jveazey on github -jvvprasad78 on github -jzinn on github -János Fekete -Jérémy Rocher -Jörg Mueller-Tolk -Jörn Hartroth -Jürgen Gmach -K. R. Walker -ka7 on github -Kael1117 on github -Kai Engert -Kai Noda -Kai Pastor -Kai Sommerfeld -Kai-Uwe Rommel -Kalle Vahlman -Kamil Dudka -Kane York -Kang Lin -Kang-Jin Lee -Kantanat Wannapaka -Kari Pahula -Karl Chen -Karl Moerder -Karol Pietrzak -Kartik Mahajan -Kaspar Brand -Katie Wang -Katsuhiko YOSHIDA -Kazuho Oku -Kees Cook -Kees Dekker -Keitagit-kun on github -Keith MacDonald -Keith McGuigan -Keith Mok -Kelly Kaoudis -Ken Brown -Ken Hirsch -Ken Rastatter -Kenneth Davidson -Kenny To -Kent Boortz -Kerem Kat -Keshav Krity -Kevin Adler -Kevin Baughman -Kevin Burke -Kevin Fisk -Kevin Ji -Kevin Lussier -Kevin R. Bulgrien -Kevin Reed -Kevin Roth -Kevin Smith -Kevin Ushey -Kim Minjoong -Kim Rinnewitz -Kim Vandry -Kimmo Kinnunen -Kirill Efimov -Kirill Marchuk -Kjell Ericson -Kjetil Jacobsen -Klaus Crusius -Klaus Stein -Klevtsov Vadim -Kobi Gurkan -Koen Dergent -Koichi Shiraishi -kokke on github -Konstantin Isakov -Konstantin Kushnir -KotlinIsland on github -kotoriのねこ -kouzhudong on github -Kovalkov Dmitrii -kreshano on github -Kris Kennaway -Krishnendu Majumdar -Krister Johansen -Kristian Gunstone -Kristian Köhntopp -Kristian Mide -Kristiyan Tsaklev -Kristoffer Gleditsch -Kunal Chandarana -Kunal Ekawde -Kurt Fankhauser -Kushal Das -Kwon-Young Choi -Kyle Abramowitz -Kyle Edwards -Kyle J. McKay -Kyle L. Huff -Kyle Sallee -Kyohei Kadota -Kyselgov E.N -l00p3r on Hackerone -Lachlan O'Dea -Ladar Levison -Lance Ware -Laramie Leavitt -Larry Campbell -Larry Fahnoe -Larry Lin -Larry Stefani -Larry Stone -Lars Buitinck -Lars Gustafsson -Lars J. Aas -Lars Johannesen -Lars Nilsson -Lars Torben Wilson -Laurent Bonnans -Laurent Dufresne -Laurent Rabret -Lauri Kasanen -Laurie Clark-Michalek -Lawrence Gripper -Lawrence Matthews -Lawrence Wagerfield -Leah Neukirchen -Leandro Coutinho -Legoff Vincent -Lehel Bernadt -Leif W -Leigh Purdie -Leith Bade -Len Krause -Len Marinaccio -Lenaic Lefever -Lenny Rachitsky -Leo Neat -Leon Breedt -Leon Winter -Leonardo Rosati -Leonardo Taccari -Leszek Kubik -Li Xinwei -Liam Healy -Liam Warfield -LigH-de on github -lijian996 on github -Lijo Antony -lilongyan-huawei on github -Linas Vepstas -Lindley French -Ling Thio -Linos Giannopoulos -Linus Lewandowski -Linus Nielsen Feltzing -Linus Nordberg -Lior Kaplan -Lisa Xu -Litter White -Liviu Chircu -Liza Alenchery -lllaffer on github -Lloyd Fournier -Lluís Batlle i Rossell -locpyl-tidnyd on github -Loganaden Velvindron -Loic Dachary -Loren Kirkby -Luan Cestari -Luca Altea -Luca Boccassi -Lucas Adamski -Lucas Clemente Vella -Lucas Holt -Lucas Pardue -Lucas Servén Marín -Lucas Severo -Lucien Zürcher -Ludek Finstrle -Ludovico Cavedon -Ludwig Nussel -Lukas Ruzicka -Lukasz Czekierda -lukaszgn on github -Luke Amery -Luke Call -Luke Dashjr -Luke Granger-Brown -luminixinc on github -Luo Jinghua -Luong Dinh Dung -Luz Paz -Luật Nguyễn -lwthiker on github -Lyman Epp -Lyndon Hill -M.R.T on github -Maciej Karpiuk -Maciej Puzio -Maciej W. Rozycki -madblobfish on github -Mahmoud Samir Fayed -Maks Naumov -Maksim Kuzevanov -Maksim Stsepanenka -Malik Idrees Hasan Khan -Mamoru Tasaka -Mamta Upadhyay -Mandy Wu -Manfred Schwarb -Manuel Massing -Manuj Bhatia -Marc Aldorasi -Marc Boucher -Marc Deslauriers -Marc Doughty -Marc Hesse -Marc Hörsken -Marc Kleine-Budde -Marc Renault -Marc Schlatter -Marc-Antoine Perennou -marc-groundctl on github -Marcel Hernandez -Marcel Raad -Marcel Roelofs -Marcelo Echeverria -Marcelo Juchem -Marcin Adamski -Marcin Gryszkalis -Marcin Konicki -Marco Deckel -Marco G. Salvagno -Marco Kamner -Marco Maggi -Marcos Diazr -Marcus Hoffmann -Marcus Klein -Marcus Sundberg -Marcus T -Marcus Webster -Marian Klymov -Mario Schroeder -Mark Brand -Mark Butler -Mark Davies -Mark Dodgson -Mark Hamilton -Mark Incley -Mark Itzcovitz -Mark Karpeles -Mark Lentczner -Mark Nottingham -Mark Salisbury -Mark Snelling -Mark Swaanenburg -Mark Tully -Mark W. Eichin -Mark Wotton -Markus Duft -Markus Elfring -Markus Koetter -Markus Moeller -Markus Oberhumer -Markus Olsson -Markus Westerlind -Maros Priputen -Marquis de Muesli -Martijn Koster -Martin Ankerl -Martin Bašti -Martin C. Martin -Martin Dorey -Martin Drasar -Martin Dreher -Martin Frodl -Martin Galvan -Martin Gartner -Martin Hager -Martin Halle -Martin Hedenfalk -Martin Howarth -Martin Jansen -Martin Kammerhofer -Martin Kepplinger -Martin Lemke -Martin Skinner -Martin Staael -Martin Storsjö -Martin Strunz -Martin V -Martin Vejnár -Martin Ågren -Marty Kuhrt -Maruko -Masaya Suzuki -masbug on github -Massimiliano Fantuzzi -Massimiliano Ziccardi -Massimo Callegari -MasterInQuestion on github -Mateusz Loskot -Mathias Axelsson -Mathias Gumz -Mathieu Carbonneaux -Mathieu Legare -Matias N. Goldberg -Mats Lidell -Mats Lindestam -Matt Arsenault -Matt Ford -Matt Holt -Matt Kraai -Matt McClure -Matt Veenstra -Matt Witherspoon -Matt Wixson -Matteo Baccan -Matteo Bignotti -Matteo Bignottignotti -Matteo Rocco -Matthew Blain -Matthew Clarke -Matthew Hall -Matthew Kerwin -Matthew Thompson -Matthew Whitehead -Matthias Bolte -Matthias Gatto -Matthias Naegler -Mattias Fornander -Matus Uzak -Maurice Barnum -Mauro Iorio -Mauro Rappa -Max Dymond -Max Katsev -Max Kellermann -Max Khon -Max Mehl -Max Peal -Max Savenkov -Max Zettlmeißl -Maxim Ivanov -Maxim Perenesenko -Maxim Prohorov -Maxime Larocque -Maxime Legros -mbeifuss on github -mccormickt12 on github -Median Median Stride -mehatzri on github -Mehmet Bozkurt -Mekonikum -Melissa Mears -Melroy van den Berg -Mert Yazıcıoğlu -Mettgut Jamalla -Michael Afanasiev -Michael Anti -Michael Baentsch -Michael Benedict -Michael Brehm -Michael Brown -Michael Calmer -Michael Cronenworth -Michael Curtis -Michael Day -Michael Drake -Michael Felt -Michael Forney -Michael Gmelin -Michael Goffioul -Michael Heimpold -Michael Hordijk -Michael Jahn -Michael Jerris -Michael Kalinin -Michael Kaufmann -Michael Kilburn -Michael Kolechkin -Michael Kujawa -Michael König -Michael Lee -Michael Maltese -Michael Mealling -Michael Mueller -Michael Musset -Michael O'Farrell -Michael Olbrich -Michael Osipov -Michael Schmid -Michael Smith -Michael Stapelberg -Michael Steuer -Michael Stillwell -Michael Trebilcock -Michael Vittiglio -Michael Wallner -Michal Bonino -Michal Marek -Michal Rus -Michal Trybus -Michal Čaplygin -Michał Antoniak -Michał Fita -Michał Górny -Michał Janiszewski -Michał Kowalczyk -Michał Piechowski -Michel Promonet -Michele Bini -Miguel Angel -Miguel Diaz -migueljcrum on github -Mihai Ionescu -Mikael Johansson -Mikael Sennerholm -Mikalai Ananenka -Mike Bytnar -Mike Crowe -Mike Dobbs -Mike Dowell -Mike Frysinger -Mike Gelfand -Mike Giancola -Mike Hasselberg -Mike Henshaw -Mike Hommey -Mike Mio -Mike Norton -Mike Power -Mike Protts -Mike Revi -Mike Tzou -Miklos Nemeth -Miloš Ljumović -Mingliang Zhu -Mingtao Yang -Miroslav Franc -Miroslav Spousta -Mischa Salle -Mitz Wark -mkzero on github -modbw on github -Mohamed Lrhazi -Mohamed Osama -Mohammad AlSaleh -Mohammad Hasbini -Mohammed Naser -Mohun Biswas -momala454 on github -Momoka Yamamoto -moohoorama on github -Morten Minde Neergaard -Mostyn Bramley-Moore -Moti Avrahami -MrdUkk on github -MrSorcus on github -Muhammad Herdiansyah -Muhammed Yavuz Nuzumlalı -Murugan Balraj -Muz Dima -Myk Taylor -n0name321 on github -Nach M. S. -Nagai H -Nao Yonashiro -naost3rn on github -Nate Prewitt -Nathan Coulter -Nathan O'Sullivan -Nathanael Nerode -Nathaniel J. Smith -Nathaniel R. Lewis -Nathaniel Waisbrot -Naveen Chandran -Naveen Noel -Neal McBurnett -Neal Poole -nedres on github -neex on github -Nehal J Wani -neheb on github -Neil Bowers -Neil Dunbar -Neil Kolban -Neil Spring -neutric on github -nevv on HackerOne/curl -Niall O'Reilly -niallor on github -nian6324 on github -nianxuejie on github -Nic Roets -Nicholas Maniscalco -Nick Banks -Nick Coghlan -Nick Draffen -Nick Gimbrone -Nick Humfrey -Nick Miyake -Nick Zitzmann -Nicklas Avén -Nico Baggus -nico-abram on github -Nicolas Berloquin -Nicolas Croiset -Nicolas François -Nicolas Grekas -Nicolas Guillier -Nicolas Morey-Chaisemartin -Nicolas Sterchele -Niels Martignène -Niels van Tongeren -Nikita Schmidt -Nikitinskit Dmitriy -Niklas Angebrand -Niklas Hambüchen -Nikolai Kondrashov -Nikos Mavrogiannopoulos -Nikos Tsipinakis -nimaje on github -niner on github -Ning Dong -Nir Soffer -Niranjan Hasabnis -Nis Jorgensen -nk -Noam Moshe -NobodyXu on github -Nobuhiro Ban -Nodak Sodak -nopjmp on github -Norbert Frese -Norbert Kett -Norbert Novotny -nosajsnikta on github -NTMan on Github -Nuru on github -Octavio Schroeder -Ofer -Okhin Vasilij -Ola Mork -Olaf Flebbe -Olaf Hering -Olaf Stüben -Oleg Pudeyev -Oleguer Llopart -Olen Andoni -olesteban on github -Oli Kingshott -Oliver Gondža -Oliver Graute -Oliver Kuckertz -Oliver Roberts -Oliver Schindler -Oliver Urbann -Olivier Berger -Olivier Brunel -Omar Ramadan -omau on github -opensignature on github -Orange Tsai -Oren Souroujon -Oren Tirosh -Orgad Shaneh -Ori Avtalion -orycho on github -osabc on github -Oscar Koeroo -Oscar Norlander -Oskar Liljeblad -Oumph on github -ovidiu-benea on github -P R Schaffner -Palo Markovic -Paolo Mossino -Paolo Piacentini -Paras Sethia -parazyd on github -Pascal Gaudette -Pascal Terjan -Pasha Kuznetsov -Pasi Karkkainen -Pat Ray -patelvivekv1993 on github -patnyb on github -Patrice Guerin -Patricia Muscalu -Patrick Bihan-Faou -Patrick Dawson -Patrick McManus -Patrick Monnerat -Patrick Rapin -Patrick Schlangen -Patrick Scott -Patrick Smith -Patrick Watson -Patrik Thunstrom -Pau Garcia i Quiles -Paul B. Omta -Paul Donohue -Paul Dreik -Paul Groke -Paul Harrington -Paul Harris -Paul Hoffman -Paul Howarth -Paul Johnson -Paul Joyce -Paul Marks -Paul Marquis -Paul Moore -Paul Nolan -Paul Oliver -Paul Querna -Paul Saab -Paul Seligman -Paul Vixie -Paulo Roberto Tomasi -Pavel Cenek -Pavel Gushchin -Pavel Löbl -Pavel Orehov -Pavel Pavlov -Pavel Raiskup -Pavel Rochnyak -Pavel Volgarev -Pavol Markovic -Pawel A. Gajda -Pawel Kierski -Paweł Kowalski -Paweł Wegner -Pedro Larroy -Pedro Monreal -Pedro Neves -pendrek at hackerone -Peng Li -Peng-Yu Chen -Per Jensen -Per Lundberg -Per Malmberg -Per Nilsson -Pete Lomax -Peter Bray -Peter Forret -Peter Frühberger -Peter Gal -Peter Goodman -Peter Heuchert -Peter Hjalmarsson -Peter Korsgaard -Peter Körner -Peter Lamare -Peter Lamberg -Peter Laser -Peter O'Gorman -Peter Pentchev -Peter Piekarski -Peter Silva -Peter Simonyi -Peter Su -Peter Sumatra -Peter Sylvester -Peter Todd -Peter Varga -Peter Verhas -Peter Wang -Peter Wu -Peter Wullinger -Peteris Krumins -Petr Bahula -Petr Novak -Petr Pisar -Petr Voytsik -Petr Štetiar -Phil Blundell -Phil Crump -Phil E. Taylor -Phil Karn -Phil Lisiecki -Phil Pellouchoud -Philip Craig -Philip Gladstone -Philip Heiduck -Philip Langdale -Philip Prindeville -Philipp Klaus Krause -Philipp Waehnert -Philippe Hameau -Philippe Marguinaud -Philippe Raoult -Philippe Vaucher -Pierre -Pierre Brico -Pierre Chapuis -Pierre Joye -Pierre Yager -Pierre Ynard -Pierre-Yves Bigourdan -Pierrick Charron -Piotr Dobrogost -Piotr Komborski -Po-Chuan Hsieh -Pontus Lundkvist -Pooyan McSporran -Poul T Lomholt -Pramod Sharma -Prash Dush -Praveen Pvs -Prithvi MK -privetryan on github -Priyanka Shah -ProceduralMan on github -Przemysław Tomaszewski -pszemus on github -puckipedia on github -Puneet Pawaia -qiandu2006 on github -Quagmire -Quanah Gibson-Mount -Quentin Balland -Quinn Slack -r-a-sattarov on github -R. Dennis Steed -Radek Zajic -Radoslav Georgiev -Radu Simionescu -Rafa Muyo -Rafael Antonio -Rafael Sagula -Rafayel Mkrtchyan -Rafaël Carré -Rafał Mikrut -Rainer Canavan -Rainer Jung -Rainer Koenig -Rainer Müller -Rajesh Naganathan -Rajkumar Mandal -Ralf S. Engelschall -Ralph Beckmann -Ralph Langendam -Ralph Mitchell -Ram Krushna Mishra -ramsay-jones on github -Ran Mozes -Randall S. Becker -Randolf J -Randy Armstrong -Randy McMurchy -Raphael Gozzo -Rasmus Melchior Jacobsen -Raul Onitza-Klugman -Ravi Pratap -Ray Dassen -Ray Pekowski -Ray Satiro -Razvan Cojocaru -rcombs on github -Red Hat Product Security -Reed Loden -Reinhard Max -Reinout van Schouwen -RekGRpth on github -Remco van Hooff -Remi Gacogne -Remo E -Renato Botelho -Renaud Allard -Renaud Chaillat -Renaud Duhaut -Renaud Guillard -Renaud Lehoux -Rene Bernhardt -Rene Rebe -Reuven Wachtfogel -Reza Arbab -Rianov Viacheslav -Ricardo Cadime -Ricardo Gomes -Ricardo M. Correia -Ricardo Martins -Rich Burridge -Rich FitzJohn -Rich Gray -Rich Mirch -Rich Rauenzahn -Rich Salz -Rich Turner -Richard Adams -Richard Alcock -Richard Archer -Richard Atterer -Richard Bowker -Richard Bramante -Richard Clayton -Richard Cooper -Richard Gorton -Richard Gray -Richard Hosking -Richard Hsu -Richard Marion -Richard Michael -Richard Moore -Richard Prescott -Richard Silverman -Richard van den Berg -Richard Whitehouse -Richy Kim -Rici Lake -Rick Deist -Rick Jones -Rick Lane -Rick Richardson -Rick Welykochy -Rickard Hallerbäck -Ricki Hirner -Ricky Leverence -Ricky-Tigg on github -Rider Linden -RiderALT on github -Rikard Falkeborn -rl1987 on github -Rob Boeckermann -Rob Cotrone -Rob Crittenden -Rob Davies -Rob Jones -Rob Sanders -Rob Stanzel -Rob Ward -RobBotic1 on github -Robby Simpson -Robert A. Monat -Robert B. Harris -Robert Brose -Robert Charles Muir -Robert D. Young -Robert Dunaj -Robert Foreman -Robert Iakobashvili -Robert Kolcun -Robert Linden -Robert Olson -Robert Prag -Robert Ronto -Robert Schumann -Robert Weaver -Robert Wruck -Robin A. Meade -Robin Cornelius -Robin Douine -Robin Johnson -Robin Kay -Robson Braga Araujo -Rod Widdowson -Rodger Combs -Rodney Simmons -Rodric Glaser -Rodrigo Silva -Roger Leigh -Roger Orr -Roger Young -Roland Blom -Roland Hieber -Roland Krikava -Roland Zimmermann -Rolf Eike Beer -Rolland Dudemaine -Romain Coltel -Romain Fliedel -Romain Geissler -romamik om github -Roman Koifman -Roman Mamedov -Romulo A. Ceccon -Ron Eldor -Ron Parker -Ron Zapp -Ronnie Mose -Rosen Penev -Rosimildo da Silva -Ross Burton -Roy Bellingan -Roy Li -Roy Shan -Rui LIU -Rui Pinheiro -Rune Kleveland -Ruslan Baratov -Ruslan Gazizov -Rutger Hofman -Ruurd Beerstra -RuurdBeerstra on github -Ryan Beck-Buysse -Ryan Braud -Ryan Chan -Ryan Mast -Ryan Nelson -Ryan Schmidt -Ryan Scott -Ryan Sleevi -Ryan Winograd -ryancaicse on github -Ryuichi KAWAMATA -rzrymiak on github -Rémy Léone -S. Moonesamy -Sai Ram Kunala -Salah-Eddin Shaban -Saleem Abdulrasool -Salvador Dávila -Salvatore Sorrentino -Sam Deane -Sam Hurst -Sam Roth -Sam Schanken -Samanta Navarro -Sampo Kellomaki -Samuel Díaz García -Samuel Henrique -Samuel Listopad -Samuel Marks -Samuel Surtees -Samuel Thibault -Samuel Tranchet -Sander Gates -Sandor Feldi -Sandro Jaeckel -Santhana Todatry -Santino Keupp -Saqib Ali -Sara Golemon -Saran Neti -Sascha Swiercy -Sascha Zengler -Satadru Pramanik -Saul good -Saurav Babu -sayrer on github -SBKarr on github -Scott Bailey -Scott Barrett -Scott Cantor -Scott Davis -Scott McCreary -Sean Boudreau -Sean Burford -Sean MacLennan -Sean McArthur -Sean Miller -Sean Molenaar -Sebastiaan van Erk -Sebastian Haglund -Sebastian Mundry -Sebastian Pohlschmidt -Sebastian Rasmussen -Sebastian Sterk -Senthil Raja Velu -Sergei Kuzmin -Sergei Nikulov -Sergey Bronnikov -Sergey Markelov -Sergey Ogryzkov -Sergey Tatarincev -Sergii Kavunenko -Sergii Pylypenko -Sergio Ballestrero -Sergio Barresi -Sergio Borghese -Sergio Durigan Junior -sergio-nsk on github -Serj Kalichev -Seshubabu Pasam -Seth Mos -Sevan Janiyan -Sgharat on github -Sh Diao -Shachaf Ben-Kiki -ShadowZzj on github -Shailesh Kapse -Shankar Jadhavar -Shao Shuchao -Sharad Gupta -Shard -Sharon Brizinov -Shaun Jackman -Shaun Mirani -Shawn Landden -Shawn Poulson -Shikha Sharma -Shine Fan -Shiraz Kanga -shithappens2016 on github -Shlomi Fish -Shmulik Regev -Siddhartha Prakash Jain -siddharthchhabrap on github -Sidney San Martín -Siegfried Gyuricsko -silveja1 on github -Simon Berger -Simon Chalifoux -Simon Dick -Simon H. -Simon Josefsson -Simon Legner -Simon Liu -Simon Warta -Siva Sivaraman -SLDiggie on github -smuellerDD on github -sn on hackerone -sofaboss on github -Somnath Kundu -Song Ma -Sonia Subramanian -Spacen Jasset -Spezifant on github -Spiridonoff A.V -Spoon Man -Spork Schivago -ssdbest on github -sspiri on github -sstruchtrup on github -Stadler Stephan -Stan Hu -Stan van de Burgt -Stanislav Ivochkin -Stanislav Zidek -Stathis Kapnidis -Stav Nir -steelman on github -Stefan Agner -Stefan Bühler -Stefan Eissing -Stefan Esser -Stefan Grether -Stefan Huber -Stefan Kanthak -Stefan Karpinski -Stefan Krause -Stefan Neis -Stefan Strogin -Stefan Teleman -Stefan Tomanek -Stefan Ulrich -Stefan Yohansson -Stefano Simonelli -Steinar H. Gunderson -steini2000 on github -Stepan Broz -Stepan Efremov -Stephan Bergmann -Stephan Lagerholm -Stephan Mühlstrasser -Stephan Szabo -Stephane Pellegrino -Stephen Boost -Stephen Brokenshire -Stephen Collyer -Stephen Kick -Stephen M. Coakley -Stephen More -Stephen Toub -Sterling Hughes -Steve Green -Steve H Truong -Steve Havelka -Steve Holme -Steve Lhomme -Steve Little -Steve Marx -Steve Oliphant -Steve Roskowski -Steve Walch -Steven Bazyl -Steven G. Johnson -Steven Gu -Steven M. Schweda -Steven Parkes -Steven Penny -Stewart Gebbie -Stian Soiland-Reyes -Stoned Elipot -stootill on github -Stuart Henderson -Sukanya Hanumanthu -SumatraPeter on github -Sune Ahlgren -Sunny Bean -Sunny Purushe -Sven Anders -Sven Blumenstein -Sven Neuhaus -Sven Wegener -Svyatoslav Mishyn -swalkaus at yahoo.com -sylgal on github -Sylvestre Ledru -Symeon Paraschoudis -Sébastien Willemijns -T. Bharath -T. Yamada -T200proX7 on github -Tadej Vengust -Tae Hyoung Ahn -Taiyu Len -Taneli Vähäkangas -Tanguy Fautre -Taras Kushnir -tarek112 on github -Tatsuhiro Tsujikawa -tawmoto on github -tbugfinder on github -Ted Lyngmo -Teemu Yli-Elsila -Temprimus -Terri Oda -Terry Wu -thanhchungbtc on github -The Infinnovation team -TheAssassin on github -TheKnarf on github -Theodore Dubois -therealhirudo on github -Thiago Suchorski -tholin on github -Thomas Bouzerar -Thomas Braun -Thomas Danielsson -Thomas Gamper -Thomas Glanzmann -Thomas Guillem -Thomas J. Moore -Thomas Klausner -Thomas L. Shinnick -Thomas Lopatic -Thomas M. DuBuisson -Thomas Petazzoni -Thomas Ruecker -Thomas Schwinge -Thomas Tonino -Thomas van Hesteren -Thomas Vegas -Thomas Weißschuh -Thorsten Schöning -Tiit Pikma -Till Maas -Tim Ansell -Tim Baker -Tim Bartley -Tim Chen -Tim Costello -Tim Harder -Tim Heckman -Tim Mcdonough -Tim Newsome -Tim Rühsen -Tim Sedlmeyer -Tim Sneddon -Tim Stack -Tim Starling -Tim Tassonis -Tim Verhoeven -Timo Lange -Timo Sirainen -Timotej Lazar -Timothe Litt -Timothy Gu -Timothy Polich -Timur Artikov -Tinus van den Berg -TJ Saunders -Tk Xiong -tlahn on github -tmkk on github -Tobias Blomberg -Tobias Gabriel -Tobias Hieta -Tobias Hintze -Tobias Lindgren -Tobias Markus -Tobias Nießen -Tobias Nygren -Tobias Nyholm -Tobias Rundström -Tobias Schaefer -Tobias Stoeckmann -Toby Peterson -Todd A Ouska -Todd Kaufmann -Todd Kulesza -Todd Short -Todd Vierling -Tom Benoist -Tom Donovan -Tom Eccles -Tom G. Christensen -Tom Grace -Tom Greenslade -Tom Lee -Tom Mattison -Tom Moers -Tom Mueller -Tom Regner -Tom Seddon -Tom Sparrow -Tom van der Woerdt -Tom Wright -Tom Zerucha -Tomas Berger -Tomas Hoger -Tomas Jakobsson -Tomas Mlcoch -Tomas Mraz -Tomas Pospisek -Tomas Szepe -Tomas Tomecek -Tomasz Kojm -Tomasz Lacki -Tommie Gannert -tommink[at]post.pl -Tommy Chiang -Tommy Odom -Tommy Petty -Tommy Tam -Ton Voon -Toni Moreno -Tony Kelman -tonystz on Github -Toon Verwaest -Tor Arntsen -Torben Dannhauer -Torsten Foertsch -Toshio Kuratomi -Toshiyuki Maezawa -tpaukrt on github -Traian Nicolescu -Trail of Bits -Travis Burtrum -Travis Obenhaus -Trivikram Kamat -Troels Walsted Hansen -Troy Engel -Tseng Jun -Tuomas Siipola -Tuomo Rinne -Tupone Alfredo -Tyler Hall -Török Edwin -Ulf Härnhammar -Ulf Samuelsson -Ulrich Doehner -Ulrich Telle -Ulrich Zadow -updatede on github -UrsusArctos on github -User Sg -ustcqidi on github -Vadim Grinshpun -Valentin David -Valentin Richter -Valentyn Korniienko -Valentín Gutiérrez -Valerii Zapodovnikov -vanillajonathan on github -Varnavas Papaioannou -Vasiliy Faronov -Vasiliy Ulyanov -Vasily Lobaskin -Vasy Okhin -Venkat Akella -Venkataramana Mokkapati -Vicente Garcia -Victor Magierski -Victor Snezhko -Victor Vieux -Vijay Panghal -Vikram Saxena -Viktor Szakats -Vilhelm Prytz -Ville Skyttä -Vilmos Nebehaj -Vincas Razma -Vincent Bronner -Vincent Grande -Vincent Le Normand -Vincent Penquerc'h -Vincent Sanders -Vincent Torri -vitaha85 on github -Vitaly Varyvdin -vl409 on github -Vlad Grachov -Vlad Ureche -Vladimir Grishchenko -Vladimir Kotal -Vladimir Lazarenko -Vladimir Panteleev -Vladimir Varlamov -Vlastimil Ovčáčík -vlubart on github -Vojtech Janota -Vojtech Minarik -Vojtěch Král -Volker Schmid -Vsevolod Novikov -vshmuk on hackerone -vvb2060 on github -Vyron Tsingaras -W. Mark Kubacki -Waldek Kozba -Walter J. Mack -Ward Willats -Warren Menzer -Wayne Haigh -Wenchao Li -Wenxiang Qian -Werner Koch -Werner Stolz -Wes Hinsley -wesinator on github -Wesley Laxton -Wesley Miaw -Wez Furlong -Wham Bang -Wilfredo Sanchez -Will Dietz -Will Roberts -Willem Hoek -Willem Sparreboom -William A. Rowe Jr -William Ahern -William Desportes -wmsch on github -wncboy on github -Wojciech Zwiefka -Wolf Vollprecht -Wouter Van Rooy -Wu Yongzheng -Wu Zheng -Wyatt O'Day -Wyatt OʼDay -x2018 on github -Xavier Bouchoux -XhmikosR on github -XhstormR on github -Xiang Xiao -Xiangbin Li -Xiaoke Wang -Xiaoyin Liu -XmiliaH on github -xnynx on github -xwxbug on github -Yaakov Selkowitz -Yang Tse -Yaobin Wen -Yarram Sunil -Yasuharu Yamada -Yasuhiro Matsumoto -Yechiel Kalmenson -Yehezkel Horowitz -Yehoshua Hershberg -ygthien on github -Yi Huang -Yiming Jing -Yingwei Liu -yiyuaner on github -Ymir1711 on github -Yonggang Luo -Yongkang Huang -Younes El-karama -youngchopin on github -Yousuke Kimoto -Yu Xin -Yukihiro Kawada -Yun SangHo -Yuri Slobodyanyuk -Yuriy Chernyshov -Yuriy Sosov -Yusuke Nakamura -Yves Arrouye -Yves Lejeune -z2-2z on github -z2_ on hackerone -Zachary Seguin -Zdenek Pavlas -Zekun Ni -zelinchen on github -Zenju on github -Zero King -Zhang Xiuhua -zhanghu on xiaomi -Zhao Yisha -Zhaoyang Wu -Zhibiao Wu -Zhouyihai Ding -ZimCodes on github -zloi-user on github -Zmey Petroff -Zvi Har'El -zzq1015 on github -Ádler Jonas Gross -Érico Nogueira -Érico Nogueira Rolim -İsmail Dönmez -Łukasz Domeradzki -Štefan Kremeň -Борис Верховский -Коваленко Анатолий Викторович -Никита Дорохин -ウさん -不确定 -加藤郁之 -梦终无痕 + This project has been alive for many years. Countless people have provided
+ feedback that have improved curl. Here follows a list of people that have
+ contributed (a-z order).
+
+ If you have contributed but are missing here, please let us know!
+
+0xee on github
+0xflotus on github
+12932 on github
+1337vt on github
+1ocalhost on github
+3dyd on github
+3eka on github
+8U61ife on github
+a1346054 on github
+Aaro Koskinen
+Aaron Oneal
+Aaron Orenstein
+Aaron Scarisbrick
+aasivov on github
+Abhinav Singh
+Abram Pousada
+accountantM on github
+AceCrow on Github
+Adam Averay
+Adam Barclay
+Adam Brown
+Adam Coyne
+Adam D. Moss
+Adam Langley
+Adam Light
+Adam Marcionek
+Adam Piggott
+Adam Rosenfield
+Adam Sampson
+Adam Tkac
+Adnan Khan
+adnn on github
+Adrian Burcea
+Adrian Peniak
+Adrian Schuur
+Adriano Meirelles
+afrind on github
+Aftab Alam
+ahodesuka on github
+ajak in #curl
+Ajit Dhumale
+Akhil Kedia
+Aki Koskinen
+Akos Pasztory
+Akshay Vernekar
+Alain Danteny
+Alain Miniussi
+Alan Jenkins
+Alan Pinstein
+Albert Chin-A-Young
+Albert Choy
+Albin Vass
+Alejandro Alvarez Ayllon
+Alejandro Colomar
+Alejandro R. Sedeño
+Aleksandar Milivojevic
+Aleksander Mazur
+Aleksandr Krotov
+Aleksey Tulinov
+Ales Mlakar
+Ales Novak
+Alessandro Ghedini
+Alessandro Vesely
+Alex aka WindEagle
+Alex Baines
+Alex Bligh
+Alex Chan
+Alex Crichton
+Alex Fishman
+Alex Gaynor
+Alex Grebenschikov
+Alex Gruz
+Alex Kiernan
+Alex Konev
+Alex Malinovich
+Alex Mayorga
+Alex McLellan
+Alex Neblett
+Alex Nichols
+Alex Potapenko
+Alex Rousskov
+Alex Samorukov
+Alex Suykov
+Alex Vinnik
+Alex Xu
+Alexander Beedie
+Alexander Chuykov
+Alexander Dyagilev
+Alexander Elgert
+Alexander Kanavin
+Alexander Klauer
+Alexander Kourakos
+Alexander Krasnostavsky
+Alexander Lazic
+Alexander Pepper
+Alexander Peslyak
+Alexander Sinditskiy
+Alexander Traud
+Alexander V. Tikhonov
+Alexander Zhuravlev
+Alexandre Bury
+Alexandre Ferrieux
+Alexandre Pion
+Alexey Borzov
+Alexey Eremikhin
+Alexey Melnichuk
+Alexey Pesternikov
+Alexey Simak
+Alexey Zakhlestin
+Alexis Carvalho
+Alexis La Goutte
+Alexis Vachette
+Alfonso Martone
+Alfred Gebert
+Ali Utku Selen
+Allen Pulsifer
+Alona Rossen
+Amaury Denoyelle
+amishmm on github
+Amit Katyal
+Amol Pattekar
+Amr Shahin
+Anatol Belski
+Anatoli Tubman
+Anders Bakken
+Anders Berg
+Anders Gustafsson
+Anders Havn
+Anders Roxell
+Anderson Sasaki
+Anderson Toshiyuki Sasaki
+Andi Jahja
+Andre Guibert de Bruet
+Andre Heinecke
+Andrea Pappacoda
+Andreas Damm
+Andreas Falkenhahn
+Andreas Farber
+Andreas Fischer
+Andreas Kostyrka
+Andreas Malzahn
+Andreas Ntaflos
+Andreas Olsson
+Andreas Rieke
+Andreas Roth
+Andreas Schneider
+Andreas Schuldei
+Andreas Sommer
+Andreas Streichardt
+Andreas Wurf
+Andrei Benea
+Andrei Bica
+Andrei Cipu
+Andrei Karas
+Andrei Kurushin
+Andrei Neculau
+Andrei Rybak
+Andrei Sedoi
+Andrei Valeriu BICA
+Andrei Virtosu
+Andrej E Baranov
+Andrew Barnert
+Andrew Barnes
+Andrew Benham
+Andrew Biggs
+Andrew Bushnell
+Andrew de los Reyes
+Andrew Francis
+Andrew Fuller
+Andrew Ishchuk
+Andrew Krieger
+Andrew Kurushin
+Andrew Lambert
+Andrew Moise
+Andrew Potter
+Andrew Robbins
+Andrew Wansink
+Andrey Alifanov
+Andrey Gursky
+Andrey Labunets
+Andrii Moiseiev
+Andrius Merkys
+Andrés García
+Andy Alt
+Andy Cedilnik
+Andy Fiddaman
+Andy Serpa
+Andy Stamp
+Andy Tsouladze
+Angus Mackay
+anio on github
+anon00000000 on github
+anshnd on github
+Antarpreet Singh
+Anthon Pang
+Anthony Avina
+Anthony Bryan
+Anthony G. Basile
+Anthony Hu
+Anthony Ramine
+Anthony Shaw
+Antoine Aubert
+Antoine Calando
+Antoine Pietri
+Anton Bychkov
+Anton Gerasimov
+Anton Kalmykov
+Anton Malov
+Anton Yabchinskiy
+Antoni Villalonga
+Antonio Larrosa
+Antony74 on github
+Antti Hätälä
+April King
+arainchik on github
+Archangel_SDY on github
+Arkadiusz Miskiewicz
+Armel Asselin
+Arnaud Compan
+Arnaud Ebalard
+Arnaud Rebillout
+Aron Bergman
+Aron Rotteveel
+Artak Galoyan
+Arthur Murray
+Artur Sinila
+Arve Knudsen
+Arvid Norberg
+arvids-kokins-bidstack on github
+asavah on github
+Ashish Shukla
+Ashwin Metpalli
+Ask Bjørn Hansen
+Askar Safin
+AtariDreams on github
+Ates Goral
+Augustus Saunders
+Austin Green
+Avery Fay
+awesomenode on github
+Axel Chong
+Axel Morawietz
+Axel Tillequin
+Ayesh Karunaratne
+Ayoub Boudhar
+Ayushman Singh Chauhan
+b9a1 on github
+Bachue Zhou
+Baitinq on github
+Balaji Parasuram
+Balaji S Rao
+Balaji Salunke
+Balakrishnan Balasubramanian
+Balazs Kovacsics
+Balint Szilakszi
+Barry Abrahamson
+Barry Pollard
+Bart Whiteley
+Baruch Siach
+Bas Mevissen
+Bas van Schaik
+Bastian Krause
+Bastien Bouclet
+Basuke Suzuki
+baumanj on github
+bdry on github
+beckenc on github
+Ben Boeckel
+Ben Darnell
+Ben Greear
+Ben Kohler
+Ben Madsen
+Ben Noordhuis
+Ben Van Hof
+Ben Voris
+Ben Winslow
+Benau on github
+Benbuck Nason
+Benjamin Gerard
+Benjamin Gilbert
+Benjamin Johnson
+Benjamin Kircher
+Benjamin Loison
+Benjamin Riefenstahl
+Benjamin Ritcey
+Benjamin Sergeant
+Benoit Neil
+Benoit Sigoure
+Bernard Leak
+Bernard Spil
+Bernat Mut
+Bernd Mueller
+Bernhard Iselborn
+Bernhard M. Wiedemann
+Bernhard Reutner-Fischer
+Bernhard Walle
+Bert Huijben
+Bertrand Demiddelaer
+Bertrand Simonnet
+beslick5 on github
+Bevan Weiss
+Bill Doyle
+Bill Egert
+Bill Hoffman
+Bill Middlecamp
+Bill Nagel
+Bill Pyne
+billionai on github
+Billyzou0741326 on github
+Bin Lan
+Bin Meng
+Bjarni Ingi Gislason
+Bjoern Franke
+Bjoern Sikora
+Bjorn Augustsson
+Bjorn Reese
+Björn Stenberg
+Blaise Potard
+Blake Burkhart
+bnfp on github
+Bo Anderson
+Bob Relyea
+Bob Richmond
+Bob Schader
+bobmitchell1956 on github
+Bodo Bergmann
+Bogdan Nicula
+Boris Rasin
+Boris Verkhovskiy
+Brad Burdick
+Brad Fitzpatrick
+Brad Forschinger
+Brad Harder
+Brad Hards
+Brad King
+Brad Spencer
+Bradford Bruce
+bramus on github
+Brandon Casey
+Brandon Dong
+Brandon Wang
+BratSinot on github
+Brendan Jurd
+Brent Beardsley
+Brian Akins
+Brian Bergeron
+Brian Carpenter
+Brian Chaplin
+Brian Childs
+Brian Chrisman
+Brian Dessent
+Brian E. Gallew
+Brian Inglis
+Brian J. Murrell
+Brian Prodoehl
+Brian R Duffy
+Brian Ulm
+Brock Noland
+Bru Rom
+Bruce Mitchener
+Bruce Stephens
+BrumBrum on hackerone
+Bruno Baguette
+Bruno de Carvalho
+Bruno Grasselli
+Bruno Thomsen
+Bryan Henderson
+Bryan Kemp
+bsammon on github
+bsergean on github
+Bubu on github
+buzo-ffm on github
+bxac on github
+Bylon2 on github
+Byrial Jensen
+Caleb Raitto
+Calvin Buckley
+Cameron Cawley
+Cameron Kaiser
+Cameron MacMinn
+Cameron Will
+Camille Moncelier
+Cao ZhenXiang
+Caolan McNamara
+Captain Basil
+Carie Pointer
+Carl Zogheib
+Carlo Alberto
+Carlo Cannas
+Carlo Marcelo Arenas Belón
+Carlo Teubner
+Carlo Wood
+Carlos ORyan
+Carsten Lange
+Casey Bodley
+Casey O'Donnell
+Catalin Patulea
+causal-agent on github
+cbartl on github
+cclauss on github
+Cering on github
+Cesar Eduardo Barros
+Chad Monroe
+Chandrakant Bagul
+Charles Cazabon
+Charles Kerr
+Charles Romestant
+Chen Prog
+Cherish98 on github
+Chester Liu
+Chih-Chung Chang
+Chih-Hsuan Yen
+Chris "Bob Bob"
+Chris Araman
+Chris Carlmar
+Chris Combes
+Chris Conlon
+Chris Deidun
+Chris Faherty
+Chris Flerackers
+Chris Gaukroger
+Chris Maltby
+Chris Mumford
+Chris Paulson-Ellis
+Chris Roberts
+Chris Smowton
+Chris Young
+Christian Fillion
+Christian Grothoff
+Christian Heimes
+Christian Hägele
+Christian Krause
+Christian Kurz
+Christian Robottom Reis
+Christian Schmitz
+Christian Stewart
+Christian Vogt
+Christian Weisgerber
+Christoph Krey
+Christoph M. Becker
+Christoph Reiter
+Christophe Demory
+Christophe Dervieux
+Christophe Legry
+Christopher Conroy
+Christopher Degawa
+Christopher Head
+Christopher Palow
+Christopher R. Palmer
+Christopher Reid
+Christopher Sauer
+Christopher Stone
+Chungtsun Li
+Ciprian Badescu
+civodul on github
+Claes Jakobsson
+Clarence Gardner
+Claudio Neves
+clbr on github
+Clemens Gruber
+Cliff Crosland
+Clifford Wolf
+Clint Clayton
+Clément Notin
+cmfrolick on github
+codesniffer13 on github
+Cody Jones
+Cody Mack
+COFFEETALES on github
+coinhubs on github
+Colby Ranger
+Colin Blair
+Colin Hogben
+Colin Leroy
+Colin O'Dell
+Colin Watson
+Colm Buckley
+Constantine Sapuntzakis
+coralw on github
+Cory Benfield
+Cory Nelson
+Costya Shulyupin
+Craig A West
+Craig Andrews
+Craig Davison
+Craig de Stigter
+Craig Markwardt
+crazydef on github
+Cris Bailiff
+Cristian Greco
+Cristian Morales Vega
+Cristian Rodríguez
+Curt Bogmine
+Cynthia Coan
+Cyril B
+Cyrill Osterwalder
+Cédric Connes
+Cédric Deltheil
+D. Flinkmann
+d4d on hackerone
+d912e3 on github
+Da-Yoon Chung
+daboul on github
+Dag Ekengren
+Dagobert Michelsen
+Daiki Ueno
+Dair Grant
+Dambaev Alexander
+Damian Dixon
+Damien Adant
+Damien Vielpeau
+Damien Walsh
+Dan Becker
+Dan Cristian
+Dan Donahue
+Dan Fandrich
+Dan Jacobson
+Dan Johnson
+Dan Kenigsberg
+Dan Locks
+Dan McNulty
+Dan Nelson
+Dan Petitt
+Dan Torop
+Dan Zitter
+Daniel at touchtunes
+Daniel Bankhead
+Daniel Black
+Daniel Carpenter
+Daniel Cater
+Daniel Egger
+Daniel Faust
+Daniel Gustafsson
+Daniel Hallberg
+Daniel Hwang
+Daniel Jeliński
+Daniel Johnson
+Daniel Kahn Gillmor
+Daniel Katz
+Daniel Krügler
+Daniel Kurečka
+Daniel Lee Hwang
+Daniel Lublin
+Daniel Marjamäki
+Daniel Melani
+Daniel Mentz
+Daniel Romero
+Daniel Schauenberg
+Daniel Seither
+Daniel Shahaf
+Daniel Silverstone
+Daniel Steinberg
+Daniel Stenberg
+Daniel Theron
+Daniel Valenzuela
+Daniel Woelfel
+Daphne Luong
+Dario Nieuwenhuis
+Dario Weißer
+Darryl House
+Darshan Mody
+Darío Hereñú
+dasimx on github
+Dave Dribin
+Dave Halbakken
+Dave Hamilton
+Dave May
+Dave Reisner
+Dave Thompson
+Dave Vasilevsky
+Davey Shafik
+David Bau
+David Benjamin
+David Binderman
+David Blaikie
+David Bohman
+David Byron
+David Carlier
+David Cohen
+David Cook
+David Demelier
+David E. Narváez
+David Earl
+David Eriksson
+David Garske
+David Goerger
+David Houlder
+David Hu
+David Hull
+David J Meyer
+David James
+David Kalnischkies
+David Kierznowski
+David Kimdon
+David L.
+David Lang
+David LeBlanc
+David Lopes
+David Lord
+David McCreedy
+David McLaughlin
+David Odin
+David Phillips
+David Rosenstrauch
+David Ryskalczyk
+David Sanderson
+David Schweikert
+David Shaw
+David Strauss
+David Tarendash
+David Thiel
+David Walser
+David Woodhouse
+David Wright
+David Yan
+Davide Cassioli
+davidedec on github
+dbrowndan on github
+dEajL3kA on github
+Dengminwen
+Denis Baručić
+Denis Chaplygin
+Denis Feklushkin
+Denis Goleshchikhin
+Denis Laxalde
+Denis Ollier
+Dennis Clarke
+Dennis Felsing
+Derek Higgins
+Desmond O. Chang
+destman on github
+Detlef Schmier
+Dheeraj Sangamkar
+Didier Brisebourg
+Diego Bes
+Diego Casorran
+Dietmar Hauser
+Dilyan Palauzov
+Dima Barsky
+Dima Pasechnik
+Dima Tisnek
+Dimitar Boevski
+Dimitre Dimitrov
+Dimitrios Apostolou
+Dimitrios Siganos
+Dimitris Sarris
+Dinar
+Diogo Teles Sant'Anna
+Dirk Eddelbuettel
+Dirk Feytons
+Dirk Manske
+Dirk Wetter
+Dirkjan Bussink
+Diven Qi
+divinity76 on github
+dkjjr89 on github
+dkwolfe4 on github
+Dmitri Shubin
+Dmitri Tikhonov
+Dmitriy Sergeyev
+dmitrmax on github
+Dmitry Bartsevich
+Dmitry Eremin-Solenikov
+Dmitry Falko
+Dmitry Karpov
+Dmitry Kostjuchenko
+Dmitry Kurochkin
+Dmitry Mikhirev
+Dmitry Popov
+Dmitry Rechkin
+Dmitry S. Baikov
+Dmitry Wagin
+dnivras on github
+Dolbneff A.V
+Domen Kožar
+Domenico Andreoli
+Dominick Meglio
+Dominik Hölzl
+Dominik Klemba
+Dominik Thalhammer
+Dominique Leuenberger
+Don J Olmstead
+Dongliang Mu
+Doron Behar
+Doug Kaufman
+Doug Porter
+Douglas Creager
+Douglas E. Wegscheid
+Douglas Kilpatrick
+Douglas Mencken
+Douglas R. Horner
+Douglas R. Reno
+Douglas Steinwand
+Dov Murik
+dpull on github
+Drake Arconis
+dtmsecurity on github
+Duane Cathey
+Duncan Mac-Vicar Prett
+Duncan Wilcox
+Dustin Boswell
+Dustin Howett
+Dusty Mabe
+Duy Phan Thanh
+Dwarakanath Yadavalli
+Dylan Ellicott
+Dylan Salisbury
+Dániel Bakai
+Early Ehlinger
+Earnestly on github
+Eason-Yu on github
+Ebe Janchivdorj
+ebejan on github
+Ebenezer Ikonne
+Ed Morley
+Eddie Lumpkin
+Edgaras Janušauskas
+Edin Kadribasic
+Edmond Yu
+Edoardo Lolletti
+Eduard Bloch
+Edward Kimmel
+Edward Rudd
+Edward Sheldrake
+Edward Thomson
+Eelco Dolstra
+Eetu Ojanen
+Egon Eckert
+Egor Pugin
+Ehren Bendler
+Eldar Zaitov
+elelel on github
+elephoenix on github
+Eli Schwartz
+Elia Tufarolo
+Elliot Saba
+Ellis Pritchard
+Elmira A Semenova
+Elms
+Eloy Degen
+elsamuko on github
+emanruse on github
+Emanuele Bovisio
+Emanuele Torre
+Emil Engler
+Emil Lerner
+Emil Romanus
+Emil Österlund
+Emiliano Ida
+Emilio López
+Emmanuel Tychon
+Enrico Scholz
+Enrik Berkhan
+Eramoto Masaya
+Eric Cooper
+Eric Curtin
+Eric Gallager
+Eric Hu
+Eric Landes
+Eric Lavigne
+Eric Lubin
+Eric Melville
+Eric Mertens
+Eric Musser
+Eric Rautman
+Eric Rescorla
+Eric Ridge
+Eric Rosenquist
+Eric S. Raymond
+Eric Sauvageau
+Eric Thelin
+Eric Vergnaud
+Eric Vigeant
+Eric Wong
+Eric Wu
+Eric Young
+Erick Nuwendam
+Erik Jacobsen
+Erik Janssen
+Erik Johansson
+Erik Minekus
+Erik Olsson
+Erik Stenlund
+Ernest Beinrohr
+Ernst Sjöstrand
+Erwan Legrand
+Erwin Authried
+Estanislau Augé-Pujadas
+Ethan Glasser Camp
+Etienne Simard
+Eugene Kotlyarov
+Evan Jordan
+Evangelos Foutras
+Even Rouault
+Evert Pot
+Evgeny Grin (Karlson2k)
+Evgeny Turnaev
+eXeC64 on github
+Eygene Ryabinkin
+Eylem Ugurel
+Fabian Fischer
+Fabian Frank
+Fabian Hiernaux
+Fabian Keil
+Fabian Ruff
+Fabian Yamaguchi
+Fabrice Fontaine
+Fabrizio Ammollo
+Fahim Chandurwala
+Faizur Rahman
+Farzin on github
+Fata Nugraha
+Fawad Mirza
+fds242 on github
+Federico Bianchi
+Fedor Karpelevitch
+Fedor Korotkov
+Feist Josselin
+Felipe Gasper
+Felix Hädicke
+Felix Kaiser
+Felix von Leitner
+Felix Yan
+Feng Tu
+Fernando Muñoz
+Filip Lundgren
+Filip Salomonsson
+Firefox OS
+Flameborn on github
+Flavio Medeiros
+Florian Kohnhäuser
+Florian Pritz
+Florian Schoppmann
+Florian Van Heghe
+Florian Weimer
+Florin Petriuc
+Forrest Cahoon
+Francisco Moraes
+Francisco Munoz
+Francisco Olarte
+Francisco Sedano
+Francois Petitjean
+Francois Rivard
+Frank Denis
+Frank Gevaerts
+Frank Hempel
+Frank Keeney
+Frank McGeough
+Frank Meier
+Frank Ticheler
+Frank Van Uffelen
+František Kučera
+François Charlier
+François Rigault
+Frazer Smith
+Fred Machado
+Fred New
+Fred Noz
+Fred Stluka
+Frederic Lepied
+Frederik B
+Frederik Wedel-Heinen
+Fredrik Thulin
+FuccDucc on github
+fullincome on github
+Gabriel Kuri
+Gabriel Simmer
+Gabriel Sjoberg
+Gambit Communications
+Ganesh Kamath
+gaoxingwang on github
+Garrett Holmstrom
+Garrett Squire
+Gary Maxwell
+Gaurav Malhotra
+Gautam Kachroo
+Gautam Mani
+Gavin Wong
+Gavrie Philipson
+Gaz Iqbal
+Gaël Portay
+gclinch on github
+Gealber Morales
+Geeknik Labs
+Geoff Beier
+Georeth Zhou
+Georg Horn
+Georg Huettenegger
+Georg Lippitsch
+Georg Wicherski
+George Liu
+Gerd v. Egidy
+Gergely Nagy
+Gerhard Herre
+Gerrit Bruchhäuser
+Gerrit Renker
+Ghennadi Procopciuc
+Giancarlo Formicuccia
+Giaslas Georgios
+Gil Weber
+Gilad
+Gilbert Ramirez Jr.
+Gilles Blanc
+Gilles Vollant
+Giorgos Oikonomou
+Gisle Vanem
+git-bruh on github
+GitYuanQu on github
+Giuseppe Attardi
+Giuseppe D'Ambrosio
+Giuseppe Persico
+Gleb Ivanovsky
+Glen A Johnson Jr.
+Glen Nakamura
+Glen Scott
+Glenn de boer
+Glenn Sheridan
+Glenn Strauss
+godmar on github
+Godwin Stewart
+Google Inc.
+Gordon Marler
+Gorilla Maguila
+Gou Lingfeng
+Grant Erickson
+Grant Pannell
+Greg Hewgill
+Greg Morse
+Greg Onufer
+Greg Pratt
+Greg Rowe
+Greg Zavertnik
+Gregor Jasny
+Gregory Jefferis
+Gregory Muchka
+Gregory Nicholls
+Gregory Szorc
+Griffin Downs
+Grigory Entin
+Guenole Bescon
+Guido Berhoerster
+Guillaume Arluison
+guitared on github
+Gunter Knauf
+Gustaf Hui
+Gustavo Grieco
+Guy Poizat
+GwanYeong Kim
+Gwen Shapira
+Gwenole Beauchesne
+Gökhan Şengün
+Götz Babin-Ebell
+h1zzz on github
+H3RSKO on github
+Hagai Auro
+Haibo Huang
+Hamish Mackenzie
+hamstergene on github
+Han Han
+Han Qiao
+Hang Kin Lau
+Hang Su
+Hannes Magnusson
+Hanno Böck
+Hanno Kranzhoff
+Hans Steegers
+Hans-Christian Noren Egtvedt
+Hans-Jurgen May
+Hao Wu
+Hardeep Singh
+Haris Okanovic
+Harold Stuart
+Harry Sarson
+Harry Sintonen
+Harshal Pradhan
+Hauke Duden
+Hayden Roche
+He Qin
+Heikki Korpela
+Heinrich Ko
+Heinrich Schaefer
+Helge Klein
+Helmut K. C. Tessarek
+Helwing Lutz
+Hendrik Visage
+Henning Schild
+Henri Gomez
+Henrik Gaßmann
+Henrik Holst
+Henrik Storner
+Henry Ludemann
+Henry Roeland
+Herve Amblard
+HexTheDragon
+Hidemoto Nakada
+highmtworks on github
+Himanshu Gupta
+Hiroki Kurosawa
+Hirotaka Tagawa
+Ho-chi Chen
+Hoi-Ho Chan
+Hongli Lai
+Hongyi Zhao
+Howard Blaise
+Howard Chu
+hsiao yi
+htasta on github
+Hubert Kario
+Hugh Macdonald
+Hugo van Kemenade
+Huzaifa Sidhpurwala
+huzunhao on github
+hydra3333 on github
+Hzhijun
+iammrtau on github
+Ian Blanes
+Ian D Allen
+Ian Fette
+Ian Ford
+Ian Gulliver
+Ian Lynagh
+Ian Spence
+Ian Turner
+Ian Wilkes
+Ignacio Vazquez-Abrams
+Igor Franchuk
+Igor Khristophorov
+Igor Makarov
+Igor Novoseltsev
+Igor Polyakov
+Ihor Karpenko
+ihsinme on github
+Iida Yosiaki
+Ikko Ashimine
+Ilguiz Latypov
+Ilja van Sprundel
+Illarion Taev
+illusory-dream on github
+Ilya Kosarev
+imilli on github
+Immanuel Gregoire
+ImpatientHippo on GitHub
+Inca R
+infinnovation-dev on github
+Ingmar Runge
+Ingo Ralf Blum
+Ingo Wilken
+Inho Oh
+Ionuț-Francisc Oancea
+Irfan Adilovic
+Ironbars13 on github
+Irving Wolfe
+Isaac Boukris
+Isaiah Norton
+Ishan SinghLevett
+Ithubg on github
+Ivan Avdeev
+Ivan Tsybulin
+IvanoG on github
+Ivo Bellin Salarin
+iz8mbw on github
+J. Bromley
+Jack Boos Yu
+Jack Zhang
+Jackarain on github
+Jacky Lam
+Jacob Barthelmeh
+Jacob Hoffman-Andrews
+Jacob Meuser
+Jacob Moshenko
+Jacob Tolar
+Jactry Zeng
+Jad Chamcham
+Jaime Fullaondo
+jakirkham on github
+Jakub Bochenski
+Jakub Wilk
+Jakub Zakrzewski
+James Atwill
+James Brown
+James Bursa
+James Cheng
+James Clancy
+James Cone
+James Dury
+James Fuller
+James Gallagher
+James Griffiths
+James Housley
+James Knight
+James Le Cuirot
+James MacMillan
+James Slaughter
+Jamie Lokier
+Jamie Newton
+Jamie Wilkinson
+Jan Alexander Steffens
+Jan Chren
+Jan Ehrhardt
+Jan Koen Annot
+Jan Kunder
+Jan Mazur
+Jan Schaumann
+Jan Schmidt
+Jan Van Boghout
+Jan Venekamp
+Jan Verbeek
+Jan-Piet Mens
+JanB on github
+Janne Johansson
+Jared Jennings
+Jared Lundell
+Jari Aalto
+Jari Sundell
+jasal82 on github
+Jason Baietto
+Jason Glasgow
+Jason Juang
+Jason Lee
+Jason Liu
+Jason McDonald
+Jason S. Priebe
+Javier Barroso
+Javier Blazquez
+Javier G. Sogo
+Javier Navarro
+Javier Sixto
+Jay Austin
+Jay Dommaschk
+Jayesh A Shah
+Jaz Fresh
+Jean Fabrice
+Jean Gressmann
+Jean Jacques Drouin
+Jean-Claude Chauve
+Jean-Francois Bertrand
+Jean-Francois Durand
+Jean-Louis Lemaire
+Jean-Marc Ranger
+Jean-Noël Rouvignac
+Jean-Philippe Barrette-LaPierre
+Jean-Philippe Menil
+Jeff Connelly
+Jeff Hodges
+Jeff Johnson
+Jeff King
+Jeff Lawson
+Jeff Luszcz
+Jeff Mears
+Jeff Phillips
+Jeff Pohlmeyer
+Jeff Weber
+Jeffrey Tolar
+Jeffrey Walton
+jeffrson on github
+Jenny Heino
+Jens Finkhaeuser
+Jens Rantil
+Jens Schleusener
+Jeremie Rapin
+Jeremy Falcon
+Jeremy Friesner
+Jeremy Huddleston
+Jeremy Lainé
+Jeremy Lin
+Jeremy Maitin-Shepard
+Jeremy Pearson
+Jeremy Tan
+Jeremy Thibault
+Jeroen Koekkoek
+Jeroen Ooms
+Jerome Mao
+Jerome Muffat-Meridol
+Jerome Robert
+Jerome Vouillon
+Jerry Krinock
+Jerry Wu
+Jes Badwal
+Jesper Jensen
+Jesse Chisholm
+Jesse Noller
+Jesse Tan
+jethrogb on github
+jhoyla on github
+Jie He
+Jilayne Lovejoy
+Jim Beveridge
+Jim Drash
+Jim Freeman
+Jim Fuller
+Jim Hollinger
+Jim Meyering
+Jimmy Gaussen
+Jiri Dvorak
+Jiri Hruska
+Jiri Jaburek
+Jishan Shaikh
+Jiří Malák
+jmdavitt on github
+jnbr on github
+Jocelyn Jaubert
+Jochem Broekhoff
+Joe Halpin
+Joe Malicki
+Joe Mason
+Joel Chen
+Joel Depooter
+Joel Jakobsson
+Joel Teichroeb
+joey-l-us on github
+Jofell Gallardo
+Johan Anderson
+Johan Lantz
+Johan Nilsson
+Johan van Selst
+Johann150 on github
+Johannes Bauer
+Johannes Ernst
+Johannes G. Kristinsson
+Johannes Lesr
+Johannes Schindelin
+John A. Bristor
+John Bampton
+John Bradshaw
+John Butterfield
+John Coffey
+John Crow
+John David Anglin
+John DeHelian
+John Dennis
+John Dunn
+John E. Malmberg
+John Gardiner Myers
+John H. Ayad
+John Hascall
+John Janssen
+John Joseph Bachir
+John Kelly
+John Kohl
+John Lask
+John Levon
+John Lightsey
+John Marino
+John Marshall
+John McGowan
+John P. McCaskey
+John Schroeder
+John Sherrill
+John Simpson
+John Starks
+John Suprock
+John V. Chow
+John Wanghui
+John Weismiller
+John Wilkinson
+John-Mark Bell
+Johnny Luong
+Jojojov on github
+Jon DeVree
+Jon Grubbs
+Jon Johnson Jr
+Jon Nelson
+Jon Rumsey
+Jon Sargeant
+Jon Seymour
+Jon Spencer
+Jon Torrey
+Jon Travis
+Jon Turner
+Jon Wilkes
+Jonas Forsman
+Jonas Haag
+Jonas Minnberg
+Jonas Schnelli
+Jonas Vautherin
+Jonatan Lander
+Jonatan Vela
+Jonathan Cardoso Machado
+Jonathan Hseu
+Jonathan Moerman
+Jonathan Nieder
+Jonathan Watt
+Jonathan Wernberg
+Jongki Suwandi
+jonny112 on github
+Joombalaya on github
+Joonas Kuorilehto
+Jordan Brown
+Jose Alf
+Jose Kahan
+Josef Wolf
+Joseph Chen
+Josh Bialkowski
+Josh Kapell
+Josh Soref
+joshhe on github
+Joshua Kwan
+Joshua Root
+Joshua Swink
+Josie Huddleston
+Josip Medved
+Josue Andrade Gomes
+José Joaquín Atria
+Jozef Kralik
+Juan Barreto
+Juan F. Codagnone
+Juan Ignacio Hervás
+Juan RP
+Judson Bishop
+Juergen Hoetzel
+Juergen Wilke
+Jukka Pihl
+Julian Montes
+Julian Noble
+Julian Ospald
+Julian Romero Nieto
+Julian Taylor
+Julian Z
+Julien Chaffraix
+Julien Nabet
+Julien Royer
+Jun Tseng
+Jun-ichiro itojun Hagino
+Jun-ya Kato
+jungle-boogie on github
+Junho Choi
+Jurij Smakov
+jurisuk on github
+Juro Bystricky
+justchen1369 on github
+Justin Clift
+Justin Ehlert
+Justin Fletcher
+Justin Karneges
+Justin Maggard
+jveazey on github
+jvreelanda on github
+jvvprasad78 on github
+jzinn on github
+János Fekete
+Jérémy Rocher
+Jörg Mueller-Tolk
+Jörn Hartroth
+Jürgen Gmach
+K. R. Walker
+ka7 on github
+Kael1117 on github
+Kai Engert
+Kai Noda
+Kai Pastor
+Kai Sommerfeld
+Kai-Uwe Rommel
+Kalle Vahlman
+Kamil Dudka
+Kane York
+Kang Lin
+Kang-Jin Lee
+Kantanat Wannapaka
+Kari Pahula
+Karl Chen
+Karl Moerder
+Karol Pietrzak
+Karthikdasari0423 on github
+Kartik Mahajan
+Kaspar Brand
+Katie Wang
+Katsuhiko YOSHIDA
+Kazuho Oku
+Kees Cook
+Kees Dekker
+Keitagit-kun on github
+Keith MacDonald
+Keith McGuigan
+Keith Mok
+Kelly Kaoudis
+Ken Brown
+Ken Hirsch
+Ken Rastatter
+Kenneth Davidson
+Kenneth Myhra
+Kenny To
+Kent Boortz
+Kerem Kat
+Keshav Krity
+Kevin Adler
+Kevin Baughman
+Kevin Burke
+Kevin Fisk
+Kevin Ji
+Kevin Lussier
+Kevin R. Bulgrien
+Kevin Reed
+Kevin Roth
+Kevin Smith
+Kevin Ushey
+Kim Minjoong
+Kim Rinnewitz
+Kim Vandry
+Kimmo Kinnunen
+Kirill Efimov
+Kirill Marchuk
+Kjell Ericson
+Kjetil Jacobsen
+Klaus Crusius
+Klaus Stein
+Klevtsov Vadim
+Kobi Gurkan
+Koen Dergent
+Koichi Shiraishi
+kokke on github
+Konstantin Isakov
+Konstantin Kushnir
+KotlinIsland on github
+kotoriのねこ
+kouzhudong on github
+Kovalkov Dmitrii
+kreshano on github
+Kris Kennaway
+Krishnendu Majumdar
+Krister Johansen
+Kristian Gunstone
+Kristian Köhntopp
+Kristian Mide
+Kristiyan Tsaklev
+Kristoffer Gleditsch
+Kunal Chandarana
+Kunal Ekawde
+Kurt Fankhauser
+Kushal Das
+Kwon-Young Choi
+Kyle Abramowitz
+Kyle Edwards
+Kyle J. McKay
+Kyle L. Huff
+Kyle Sallee
+Kyohei Kadota
+Kyselgov E.N
+l00p3r on Hackerone
+Lachlan O'Dea
+Ladar Levison
+Lance Ware
+Laramie Leavitt
+Larry Campbell
+Larry Fahnoe
+Larry Lin
+Larry Stefani
+Larry Stone
+Lars Buitinck
+Lars Gustafsson
+Lars J. Aas
+Lars Johannesen
+Lars Nilsson
+Lars Torben Wilson
+Laurent Bonnans
+Laurent Dufresne
+Laurent Rabret
+Lauri Kasanen
+Laurie Clark-Michalek
+Lawrence Gripper
+Lawrence Matthews
+Lawrence Wagerfield
+Leah Neukirchen
+Leandro Coutinho
+Legoff Vincent
+Lehel Bernadt
+Leif W
+Leigh Purdie
+Leith Bade
+Len Krause
+Len Marinaccio
+Lenaic Lefever
+Lenny Rachitsky
+Leo Neat
+Leon Breedt
+Leon Winter
+Leonardo Rosati
+Leonardo Taccari
+Leszek Kubik
+Li Xinwei
+Liam Healy
+Liam Warfield
+LigH-de on github
+lijian996 on github
+Lijo Antony
+lilongyan-huawei on github
+Linas Vepstas
+Lindley French
+Ling Thio
+Linos Giannopoulos
+Linus Lewandowski
+Linus Nielsen Feltzing
+Linus Nordberg
+Lior Kaplan
+Lisa Xu
+Litter White
+Liviu Chircu
+Liza Alenchery
+lllaffer on github
+Lloyd Fournier
+Lluís Batlle i Rossell
+locpyl-tidnyd on github
+Loganaden Velvindron
+Loic Dachary
+Loren Kirkby
+Lorenzo Miniero
+Luan Cestari
+Luca Altea
+Luca Boccassi
+Luca Niccoli
+Lucas Adamski
+Lucas Clemente Vella
+Lucas Holt
+Lucas Pardue
+Lucas Servén Marín
+Lucas Severo
+Lucien Zürcher
+Ludek Finstrle
+Ludovico Cavedon
+Ludwig Nussel
+Lukas Ruzicka
+Lukasz Czekierda
+lukaszgn on github
+Luke Amery
+Luke Call
+Luke Dashjr
+Luke Granger-Brown
+luminixinc on github
+Luo Jinghua
+Luong Dinh Dung
+Luz Paz
+Luật Nguyễn
+lwthiker on github
+Lyman Epp
+Lyndon Hill
+M.R.T on github
+Maciej Karpiuk
+Maciej Puzio
+Maciej W. Rozycki
+madblobfish on github
+Mahmoud Samir Fayed
+Maks Naumov
+Maksim Kuzevanov
+Maksim Stsepanenka
+Malik Idrees Hasan Khan
+Mamoru Tasaka
+Mamta Upadhyay
+Mandy Wu
+Manfred Schwarb
+Manuel Massing
+Manuj Bhatia
+Marc Aldorasi
+Marc Boucher
+Marc Deslauriers
+Marc Doughty
+Marc Hesse
+Marc Hörsken
+Marc Kleine-Budde
+Marc Renault
+Marc Schlatter
+Marc-Antoine Perennou
+marc-groundctl on github
+Marcel Hernandez
+Marcel Raad
+Marcel Roelofs
+Marcelo Echeverria
+Marcelo Juchem
+Marcin Adamski
+Marcin Gryszkalis
+Marcin Konicki
+Marco Deckel
+Marco G. Salvagno
+Marco Kamner
+Marco Maggi
+Marcos Diazr
+Marcus Hoffmann
+Marcus Klein
+Marcus Sundberg
+Marcus T
+Marcus Webster
+Marian Klymov
+Mario Schroeder
+Mark Brand
+Mark Butler
+Mark Davies
+Mark Dodgson
+Mark Gaiser
+Mark Hamilton
+Mark Incley
+Mark Itzcovitz
+Mark Karpeles
+Mark Lentczner
+Mark Nottingham
+Mark Salisbury
+Mark Snelling
+Mark Swaanenburg
+Mark Tully
+Mark W. Eichin
+Mark Wotton
+Markus Duft
+Markus Elfring
+Markus Koetter
+Markus Moeller
+Markus Oberhumer
+Markus Olsson
+Markus Westerlind
+Maros Priputen
+Marquis de Muesli
+Martijn Koster
+Martin Ankerl
+Martin Bašti
+Martin C. Martin
+Martin Dorey
+Martin Drasar
+Martin Dreher
+Martin Frodl
+Martin Galvan
+Martin Gartner
+Martin Hager
+Martin Halle
+Martin Hedenfalk
+Martin Howarth
+Martin Jansen
+Martin Kammerhofer
+Martin Kepplinger
+Martin Lemke
+Martin Skinner
+Martin Staael
+Martin Storsjö
+Martin Strunz
+Martin V
+Martin Vejnár
+Martin Ågren
+Marty Kuhrt
+Maruko
+Masaya Suzuki
+masbug on github
+Massimiliano Fantuzzi
+Massimiliano Ziccardi
+Massimo Callegari
+MasterInQuestion on github
+Mateusz Loskot
+Mathias Axelsson
+Mathias Gumz
+Mathieu Carbonneaux
+Mathieu Legare
+Matias N. Goldberg
+Mats Lidell
+Mats Lindestam
+Matt Arsenault
+Matt Ford
+Matt Holt
+Matt Kraai
+Matt McClure
+Matt Veenstra
+Matt Witherspoon
+Matt Wixson
+Matteo Baccan
+Matteo Bignotti
+Matteo Bignottignotti
+Matteo Rocco
+Matthew Blain
+Matthew Clarke
+Matthew Hall
+Matthew Kerwin
+Matthew Thompson
+Matthew Whitehead
+Matthias Bolte
+Matthias Gatto
+Matthias Naegler
+Mattias Fornander
+Matus Uzak
+Maurice Barnum
+Mauro Iorio
+Mauro Rappa
+Max Dymond
+Max Katsev
+Max Kellermann
+Max Khon
+Max Mehl
+Max Peal
+Max Savenkov
+Max Zettlmeißl
+Maxim Ivanov
+Maxim Perenesenko
+Maxim Prohorov
+Maxime Larocque
+Maxime Legros
+mbeifuss on github
+mccormickt12 on github
+Median Median Stride
+mehatzri on github
+Mehmet Bozkurt
+Mekonikum
+Melissa Mears
+Melroy van den Berg
+Mert Yazıcıoğlu
+Mettgut Jamalla
+Michael Afanasiev
+Michael Anti
+Michael Baentsch
+Michael Benedict
+Michael Brehm
+Michael Brown
+Michael Calmer
+Michael Cronenworth
+Michael Curtis
+Michael Day
+Michael Drake
+Michael Felt
+Michael Forney
+Michael Gmelin
+Michael Goffioul
+Michael Heimpold
+Michael Hordijk
+Michael Jahn
+Michael Jerris
+Michael Kalinin
+Michael Kaufmann
+Michael Kilburn
+Michael Kolechkin
+Michael Kujawa
+Michael König
+Michael Lee
+Michael Maltese
+Michael Mealling
+Michael Mueller
+Michael Musset
+Michael O'Farrell
+Michael Olbrich
+Michael Osipov
+Michael Schmid
+Michael Smith
+Michael Stapelberg
+Michael Steuer
+Michael Stillwell
+Michael Trebilcock
+Michael Vittiglio
+Michael Wallner
+Michal Bonino
+Michal Marek
+Michal Rus
+Michal Trybus
+Michal Čaplygin
+Michał Antoniak
+Michał Fita
+Michał Górny
+Michał Janiszewski
+Michał Kowalczyk
+Michał Piechowski
+Michel Promonet
+Michele Bini
+Miguel Angel
+Miguel Diaz
+migueljcrum on github
+Mihai Ionescu
+Mikael Johansson
+Mikael Sennerholm
+Mikalai Ananenka
+Mike Bytnar
+Mike Crowe
+Mike Dobbs
+Mike Dowell
+Mike Frysinger
+Mike Gelfand
+Mike Giancola
+Mike Hasselberg
+Mike Henshaw
+Mike Hommey
+Mike Mio
+Mike Norton
+Mike Power
+Mike Protts
+Mike Revi
+Mike Tzou
+Mikhail Kuznetsov
+Miklos Nemeth
+Miloš Ljumović
+Mingliang Zhu
+Mingtao Yang
+Miroslav Franc
+Miroslav Spousta
+Mischa Salle
+Mitz Wark
+mkzero on github
+modbw on github
+Mohamed Lrhazi
+Mohamed Osama
+Mohammad AlSaleh
+Mohammad Hasbini
+Mohammed Naser
+Mohun Biswas
+momala454 on github
+Momoka Yamamoto
+MonkeybreadSoftware on github
+moohoorama on github
+Morten Minde Neergaard
+Mostyn Bramley-Moore
+Moti Avrahami
+MrdUkk on github
+MrSorcus on github
+Muhammad Herdiansyah
+Muhammed Yavuz Nuzumlalı
+Murugan Balraj
+Muz Dima
+Myk Taylor
+n0name321 on github
+Nach M. S.
+Nagai H
+Nao Yonashiro
+naost3rn on github
+Nate Prewitt
+Nathan Coulter
+Nathan Moinvaziri
+Nathan O'Sullivan
+Nathanael Nerode
+Nathaniel J. Smith
+Nathaniel R. Lewis
+Nathaniel Waisbrot
+Naveen Chandran
+Naveen Noel
+Neal McBurnett
+Neal Poole
+nedres on github
+neex on github
+Nehal J Wani
+neheb on github
+Neil Bowers
+Neil Dunbar
+Neil Kolban
+Neil Spring
+neutric on github
+nevv on HackerOne/curl
+Niall O'Reilly
+niallor on github
+nian6324 on github
+nianxuejie on github
+Nic Roets
+Nicholas Maniscalco
+Nick Banks
+Nick Coghlan
+Nick Draffen
+Nick Gimbrone
+Nick Humfrey
+Nick Miyake
+Nick Zitzmann
+Nicklas Avén
+Nico Baggus
+nico-abram on github
+Nicolas Berloquin
+Nicolas Croiset
+Nicolas François
+Nicolas Grekas
+Nicolas Guillier
+Nicolas Morey-Chaisemartin
+Nicolas Sterchele
+Niels Martignène
+Niels van Tongeren
+Nikita Schmidt
+Nikitinskit Dmitriy
+Niklas Angebrand
+Niklas Hambüchen
+Nikolai Kondrashov
+Nikos Mavrogiannopoulos
+Nikos Tsipinakis
+nimaje on github
+niner on github
+Ning Dong
+Nir Soffer
+Niranjan Hasabnis
+Nis Jorgensen
+nk
+Noam Moshe
+NobodyXu on github
+Nobuhiro Ban
+Nodak Sodak
+nopjmp on github
+Norbert Frese
+Norbert Kett
+Norbert Novotny
+nosajsnikta on github
+NTMan on Github
+Nuru on github
+Octavio Schroeder
+Ofer
+Okhin Vasilij
+Ola Mork
+Olaf Flebbe
+Olaf Hering
+Olaf Stüben
+Oleg Pudeyev
+Oleguer Llopart
+Olen Andoni
+olesteban on github
+Oli Kingshott
+Oliver Gondža
+Oliver Graute
+Oliver Kuckertz
+Oliver Roberts
+Oliver Schindler
+Oliver Urbann
+Olivier Berger
+Olivier Brunel
+Omar Ramadan
+omau on github
+opensignature on github
+Orange Tsai
+Oren Souroujon
+Oren Tirosh
+Orgad Shaneh
+Ori Avtalion
+orycho on github
+osabc on github
+Oscar Koeroo
+Oscar Norlander
+Oskar Liljeblad
+Oskar Sigvardsson
+Oumph on github
+ovidiu-benea on github
+P R Schaffner
+Palo Markovic
+Paolo Mossino
+Paolo Piacentini
+Paras Sethia
+parazyd on github
+Pascal Gaudette
+Pascal Terjan
+Pasha Kuznetsov
+Pasi Karkkainen
+Pat Ray
+patelvivekv1993 on github
+patnyb on github
+Patrice Guerin
+Patricia Muscalu
+Patrick Bihan-Faou
+Patrick Dawson
+Patrick McManus
+Patrick Monnerat
+Patrick Rapin
+Patrick Schlangen
+Patrick Scott
+Patrick Smith
+Patrick Watson
+Patrik Thunstrom
+Pau Garcia i Quiles
+Paul B. Omta
+Paul Donohue
+Paul Dreik
+Paul Groke
+Paul Harrington
+Paul Harris
+Paul Hoffman
+Paul Howarth
+Paul Johnson
+Paul Joyce
+Paul Marks
+Paul Marquis
+Paul Moore
+Paul Nolan
+Paul Oliver
+Paul Querna
+Paul Saab
+Paul Seligman
+Paul Vixie
+Paulo Roberto Tomasi
+Pavel Cenek
+Pavel Gushchin
+Pavel Löbl
+Pavel Orehov
+Pavel Pavlov
+Pavel Raiskup
+Pavel Rochnyak
+Pavel Volgarev
+Pavol Markovic
+Pawel A. Gajda
+Pawel Kierski
+Paweł Kowalski
+Paweł Wegner
+Pedro Larroy
+Pedro Monreal
+Pedro Neves
+pendrek at hackerone
+Peng Li
+Peng-Yu Chen
+Per Jensen
+Per Lundberg
+Per Malmberg
+Per Nilsson
+Pete Lomax
+Peter Bray
+Peter Forret
+Peter Frühberger
+Peter Gal
+Peter Goodman
+Peter Heuchert
+Peter Hjalmarsson
+Peter Korsgaard
+Peter Körner
+Peter Lamare
+Peter Lamberg
+Peter Laser
+Peter O'Gorman
+Peter Pentchev
+Peter Piekarski
+Peter Silva
+Peter Simonyi
+Peter Su
+Peter Sumatra
+Peter Sylvester
+Peter Todd
+Peter Varga
+Peter Verhas
+Peter Wang
+Peter Wu
+Peter Wullinger
+Peteris Krumins
+Petr Bahula
+Petr Novak
+Petr Pisar
+Petr Voytsik
+Petr Štetiar
+Phil Blundell
+Phil Crump
+Phil E. Taylor
+Phil Karn
+Phil Lisiecki
+Phil Pellouchoud
+Philip Chan
+Philip Craig
+Philip Gladstone
+Philip Heiduck
+Philip Langdale
+Philip Prindeville
+Philip Sanetra
+Philipp Klaus Krause
+Philipp Waehnert
+Philippe Hameau
+Philippe Marguinaud
+Philippe Raoult
+Philippe Vaucher
+Pierre
+Pierre Brico
+Pierre Chapuis
+Pierre Joye
+Pierre Yager
+Pierre Ynard
+Pierre-Yves Bigourdan
+Pierrick Charron
+Piotr Dobrogost
+Piotr Komborski
+Po-Chuan Hsieh
+Pontus Lundkvist
+Pooyan McSporran
+Poul T Lomholt
+Pramod Sharma
+Prash Dush
+Praveen Pvs
+Prithvi MK
+privetryan on github
+Priyanka Shah
+ProceduralMan on github
+Przemysław Tomaszewski
+pszemus on github
+puckipedia on github
+Puneet Pawaia
+qiandu2006 on github
+Quagmire
+Quanah Gibson-Mount
+Quentin Balland
+Quinn Slack
+r-a-sattarov on github
+R. Dennis Steed
+Radek Zajic
+Radoslav Georgiev
+Radu Simionescu
+Rafa Muyo
+Rafael Antonio
+Rafael Sagula
+Rafayel Mkrtchyan
+Rafaël Carré
+Rafał Mikrut
+Rainer Canavan
+Rainer Jung
+Rainer Koenig
+Rainer Müller
+Rajesh Naganathan
+Rajkumar Mandal
+Ralf S. Engelschall
+Ralph Beckmann
+Ralph Langendam
+Ralph Mitchell
+Ram Krushna Mishra
+ramsay-jones on github
+Ran Mozes
+Randall S. Becker
+Randolf J
+Randy Armstrong
+Randy McMurchy
+Raphael Gozzo
+Rasmus Melchior Jacobsen
+Raul Onitza-Klugman
+Ravi Pratap
+Ray Dassen
+Ray Pekowski
+Ray Satiro
+Razvan Cojocaru
+rcombs on github
+Red Hat Product Security
+Reed Loden
+Reinhard Max
+Reinout van Schouwen
+RekGRpth on github
+Remco van Hooff
+Remi Gacogne
+Remo E
+Renato Botelho
+Renaud Allard
+Renaud Chaillat
+Renaud Duhaut
+Renaud Guillard
+Renaud Lehoux
+Rene Bernhardt
+Rene Rebe
+Reuven Wachtfogel
+Reza Arbab
+Rianov Viacheslav
+Ricardo Cadime
+Ricardo Gomes
+Ricardo M. Correia
+Ricardo Martins
+Rich Burridge
+Rich FitzJohn
+Rich Gray
+Rich Mirch
+Rich Rauenzahn
+Rich Salz
+Rich Turner
+Richard Adams
+Richard Alcock
+Richard Archer
+Richard Atterer
+Richard Bowker
+Richard Bramante
+Richard Clayton
+Richard Cooper
+Richard Gorton
+Richard Gray
+Richard Hosking
+Richard Hsu
+Richard Marion
+Richard Michael
+Richard Moore
+Richard Prescott
+Richard Silverman
+Richard van den Berg
+Richard Whitehouse
+Richy Kim
+Rici Lake
+Rick Deist
+Rick Jones
+Rick Lane
+Rick Richardson
+Rick Welykochy
+Rickard Hallerbäck
+Ricki Hirner
+Ricky Leverence
+Ricky-Tigg on github
+Rider Linden
+RiderALT on github
+Rikard Falkeborn
+rl1987 on github
+Rob Boeckermann
+Rob Cotrone
+Rob Crittenden
+Rob Davies
+Rob de Wit
+Rob Jones
+Rob Sanders
+Rob Stanzel
+Rob Ward
+RobBotic1 on github
+Robby Simpson
+Robert A. Monat
+Robert B. Harris
+Robert Brose
+Robert Charles Muir
+Robert D. Young
+Robert Dunaj
+Robert Foreman
+Robert Iakobashvili
+Robert Kolcun
+Robert Linden
+Robert Olson
+Robert Prag
+Robert Ronto
+Robert Schumann
+Robert Weaver
+Robert Wruck
+Robin A. Meade
+Robin Cornelius
+Robin Douine
+Robin Johnson
+Robin Kay
+Robin Marx
+Robson Braga Araujo
+Rod Widdowson
+Rodger Combs
+Rodney Simmons
+Rodric Glaser
+Rodrigo Silva
+Roger Leigh
+Roger Orr
+Roger Young
+Roland Blom
+Roland Hieber
+Roland Krikava
+Roland Zimmermann
+Rolf Eike Beer
+Rolland Dudemaine
+Romain Coltel
+Romain Fliedel
+Romain Geissler
+romamik om github
+Roman Koifman
+Roman Mamedov
+Romulo A. Ceccon
+Ron Eldor
+Ron Parker
+Ron Zapp
+Ronnie Mose
+Rosen Penev
+Rosimildo da Silva
+Ross Burton
+Roy Bellingan
+Roy Li
+Roy Shan
+Rui LIU
+Rui Pinheiro
+Rune Kleveland
+Ruslan Baratov
+Ruslan Gazizov
+Rutger Hofman
+Ruurd Beerstra
+RuurdBeerstra on github
+Ryan Beck-Buysse
+Ryan Braud
+Ryan Chan
+Ryan Mast
+Ryan Nelson
+Ryan Schmidt
+Ryan Scott
+Ryan Sleevi
+Ryan Winograd
+ryancaicse on github
+Ryuichi KAWAMATA
+rzrymiak on github
+Rémy Léone
+S. Moonesamy
+Sai Ram Kunala
+Salah-Eddin Shaban
+Saleem Abdulrasool
+Salvador Dávila
+Salvatore Sorrentino
+Sam Deane
+Sam Hurst
+Sam Roth
+Sam Schanken
+Samanta Navarro
+Sampo Kellomaki
+Samuel Díaz García
+Samuel Henrique
+Samuel Listopad
+Samuel Marks
+Samuel Surtees
+Samuel Thibault
+Samuel Tranchet
+Sander Gates
+Sandor Feldi
+Sandro Jaeckel
+Santhana Todatry
+Santino Keupp
+Saqib Ali
+Sara Golemon
+Saran Neti
+Sascha Swiercy
+Sascha Zengler
+Satadru Pramanik
+Saul good
+Saurav Babu
+sayrer on github
+SBKarr on github
+Scott Bailey
+Scott Barrett
+Scott Cantor
+Scott Davis
+Scott McCreary
+Sean Boudreau
+Sean Burford
+Sean MacLennan
+Sean McArthur
+Sean Miller
+Sean Molenaar
+Sebastiaan van Erk
+Sebastian Haglund
+Sebastian Mundry
+Sebastian Pohlschmidt
+Sebastian Rasmussen
+Sebastian Sterk
+Senthil Raja Velu
+Sergei Kuzmin
+Sergei Nikulov
+Sergey Bronnikov
+Sergey Markelov
+Sergey Ogryzkov
+Sergey Tatarincev
+Sergii Kavunenko
+Sergii Pylypenko
+Sergio Ballestrero
+Sergio Barresi
+Sergio Borghese
+Sergio Durigan Junior
+sergio-nsk on github
+Serj Kalichev
+Seshubabu Pasam
+Seth Mos
+Sevan Janiyan
+Sgharat on github
+Sh Diao
+Shachaf Ben-Kiki
+ShadowZzj on github
+Shailesh Kapse
+Shankar Jadhavar
+Shao Shuchao
+Sharad Gupta
+Shard
+Sharon Brizinov
+Shaun Jackman
+Shaun Mirani
+Shawn Landden
+Shawn Poulson
+Shikha Sharma
+Shine Fan
+Shiraz Kanga
+shithappens2016 on github
+Shlomi Fish
+Shmulik Regev
+Siddhartha Prakash Jain
+siddharthchhabrap on github
+Sidney San Martín
+Siegfried Gyuricsko
+silveja1 on github
+Simon Berger
+Simon Chalifoux
+Simon Dick
+Simon H.
+Simon Josefsson
+Simon Legner
+Simon Liu
+Simon Warta
+Siva Sivaraman
+SLDiggie on github
+smuellerDD on github
+sn on hackerone
+sofaboss on github
+Somnath Kundu
+Song Ma
+Sonia Subramanian
+Spacen Jasset
+Spezifant on github
+Spiridonoff A.V
+Spoon Man
+Spork Schivago
+ssdbest on github
+sspiri on github
+sstruchtrup on github
+Stadler Stephan
+Stan Hu
+Stan van de Burgt
+Stanislav Ivochkin
+Stanislav Zidek
+Stathis Kapnidis
+Stav Nir
+steelman on github
+Stefan Agner
+Stefan Bühler
+Stefan Eissing
+Stefan Esser
+Stefan Grether
+Stefan Huber
+Stefan Kanthak
+Stefan Karpinski
+Stefan Krause
+Stefan Neis
+Stefan Strogin
+Stefan Teleman
+Stefan Tomanek
+Stefan Ulrich
+Stefan Yohansson
+Stefano Simonelli
+Steinar H. Gunderson
+steini2000 on github
+Stepan Broz
+Stepan Efremov
+Stephan Bergmann
+Stephan Guilloux
+Stephan Lagerholm
+Stephan Mühlstrasser
+Stephan Szabo
+Stephane Pellegrino
+Stephen Boost
+Stephen Brokenshire
+Stephen Collyer
+Stephen Kick
+Stephen M. Coakley
+Stephen More
+Stephen Toub
+Sterling Hughes
+Steve Green
+Steve H Truong
+Steve Havelka
+Steve Holme
+Steve Lhomme
+Steve Little
+Steve Marx
+Steve Oliphant
+Steve Roskowski
+Steve Walch
+Steven Bazyl
+Steven G. Johnson
+Steven Gu
+Steven M. Schweda
+Steven Parkes
+Steven Penny
+Stewart Gebbie
+Stian Soiland-Reyes
+Stoned Elipot
+stootill on github
+Stuart Henderson
+Sukanya Hanumanthu
+SumatraPeter on github
+Sune Ahlgren
+Sunny Bean
+Sunny Purushe
+Sven Anders
+Sven Blumenstein
+Sven Neuhaus
+Sven Wegener
+Svyatoslav Mishyn
+swalkaus at yahoo.com
+sylgal on github
+Sylvestre Ledru
+Symeon Paraschoudis
+Sébastien Willemijns
+T. Bharath
+T. Yamada
+T200proX7 on github
+Tadej Vengust
+Tae Hyoung Ahn
+Taiyu Len
+Taneli Vähäkangas
+Tanguy Fautre
+Taras Kushnir
+tarek112 on github
+Tatsuhiro Tsujikawa
+tawmoto on github
+tbugfinder on github
+Ted Lyngmo
+Teemu Yli-Elsila
+Temprimus
+Terri Oda
+Terry Wu
+thanhchungbtc on github
+The Infinnovation team
+TheAssassin on github
+TheKnarf on github
+Theodore Dubois
+therealhirudo on github
+Thiago Suchorski
+tholin on github
+Thomas Bouzerar
+Thomas Braun
+Thomas Danielsson
+Thomas Gamper
+Thomas Glanzmann
+Thomas Guillem
+Thomas J. Moore
+Thomas Klausner
+Thomas L. Shinnick
+Thomas Lopatic
+Thomas M. DuBuisson
+Thomas Petazzoni
+Thomas Ruecker
+Thomas Schwinge
+Thomas Tonino
+Thomas van Hesteren
+Thomas Vegas
+Thomas Weißschuh
+Thorsten Schöning
+Tiit Pikma
+Till Maas
+Tim Ansell
+Tim Baker
+Tim Bartley
+Tim Chen
+Tim Costello
+Tim Harder
+Tim Heckman
+Tim Mcdonough
+Tim Newsome
+Tim Rühsen
+Tim Sedlmeyer
+Tim Sneddon
+Tim Stack
+Tim Starling
+Tim Tassonis
+Tim Verhoeven
+Timo Lange
+Timo Sirainen
+Timotej Lazar
+Timothe Litt
+Timothy Gu
+Timothy Polich
+Timur Artikov
+Tinus van den Berg
+TJ Saunders
+Tk Xiong
+tlahn on github
+tmkk on github
+Tobias Blomberg
+Tobias Gabriel
+Tobias Hieta
+Tobias Hintze
+Tobias Lindgren
+Tobias Markus
+Tobias Nießen
+Tobias Nygren
+Tobias Nyholm
+Tobias Rundström
+Tobias Schaefer
+Tobias Stoeckmann
+Toby Peterson
+Todd A Ouska
+Todd Kaufmann
+Todd Kulesza
+Todd Short
+Todd Vierling
+Tom Benoist
+Tom Donovan
+Tom Eccles
+Tom G. Christensen
+Tom Grace
+Tom Greenslade
+Tom Lee
+Tom Mattison
+Tom Moers
+Tom Mueller
+Tom Regner
+Tom Seddon
+Tom Sparrow
+Tom van der Woerdt
+Tom Wright
+Tom Zerucha
+Tomas Berger
+Tomas Hoger
+Tomas Jakobsson
+Tomas Mlcoch
+Tomas Mraz
+Tomas Pospisek
+Tomas Szepe
+Tomas Tomecek
+Tomasz Kojm
+Tomasz Lacki
+Tommie Gannert
+tommink[at]post.pl
+Tommy Chiang
+Tommy Odom
+Tommy Petty
+Tommy Tam
+Ton Voon
+Toni Moreno
+Tony Kelman
+tonystz on Github
+Toon Verwaest
+Tor Arntsen
+Torben Dannhauer
+Torsten Foertsch
+Toshio Kuratomi
+Toshiyuki Maezawa
+tpaukrt on github
+Traian Nicolescu
+Trail of Bits
+Travis Burtrum
+Travis Obenhaus
+Trivikram Kamat
+Troels Walsted Hansen
+Troy Engel
+Tseng Jun
+Tuomas Siipola
+Tuomo Rinne
+Tupone Alfredo
+Tyler Hall
+Török Edwin
+u20221022 on github
+Ulf Härnhammar
+Ulf Samuelsson
+Ulrich Doehner
+Ulrich Telle
+Ulrich Zadow
+updatede on github
+UrsusArctos on github
+User Sg
+ustcqidi on github
+Vadim Grinshpun
+Valentin David
+Valentin Richter
+Valentyn Korniienko
+Valentín Gutiérrez
+Valerii Zapodovnikov
+vanillajonathan on github
+Varnavas Papaioannou
+Vasiliy Faronov
+Vasiliy Ulyanov
+Vasily Lobaskin
+Vasy Okhin
+Venkat Akella
+Venkataramana Mokkapati
+Vicente Garcia
+Victor Magierski
+Victor Snezhko
+Victor Vieux
+Vijay Panghal
+Vikram Saxena
+Viktor Szakats
+Vilhelm Prytz
+Ville Skyttä
+Vilmos Nebehaj
+Vincas Razma
+Vincent Bronner
+Vincent Grande
+Vincent Le Normand
+Vincent Penquerc'h
+Vincent Sanders
+Vincent Torri
+vitaha85 on github
+Vitaly Varyvdin
+vl409 on github
+Vlad Grachov
+Vlad Ureche
+Vladimir Grishchenko
+Vladimir Kotal
+Vladimir Lazarenko
+Vladimir Panteleev
+Vladimir Varlamov
+Vlastimil Ovčáčík
+vlubart on github
+Vojtech Janota
+Vojtech Minarik
+Vojtěch Král
+Volker Schmid
+Vsevolod Novikov
+vshmuk on hackerone
+vvb2060 on github
+Vyron Tsingaras
+W. Mark Kubacki
+Waldek Kozba
+Walter J. Mack
+Ward Willats
+Warren Menzer
+Wayne Haigh
+Wenchao Li
+Wenxiang Qian
+Werner Koch
+Werner Stolz
+Wes Hinsley
+wesinator on github
+Wesley Laxton
+Wesley Miaw
+Wez Furlong
+Wham Bang
+Wilfredo Sanchez
+Will Dietz
+Will Roberts
+Willem Hoek
+Willem Sparreboom
+William A. Rowe Jr
+William Ahern
+William Desportes
+wmsch on github
+wncboy on github
+Wojciech Zwiefka
+Wolf Vollprecht
+Wouter Van Rooy
+Wu Yongzheng
+Wu Zheng
+Wyatt O'Day
+Wyatt OʼDay
+x2018 on github
+Xavier Bouchoux
+XhmikosR on github
+XhstormR on github
+Xiang Xiao
+Xiangbin Li
+xianghongai on github
+Xiaoke Wang
+Xiaoyin Liu
+XmiliaH on github
+xnynx on github
+xtonik on github
+xwxbug on github
+Xì Gà
+Yaakov Selkowitz
+Yang Tse
+Yaobin Wen
+Yarram Sunil
+Yasuharu Yamada
+Yasuhiro Matsumoto
+Yechiel Kalmenson
+Yehezkel Horowitz
+Yehoshua Hershberg
+ygthien on github
+Yi Huang
+Yiming Jing
+Yingwei Liu
+yiyuaner on github
+Ymir1711 on github
+Yonggang Luo
+Yongkang Huang
+Younes El-karama
+youngchopin on github
+Yousuke Kimoto
+Yu Xin
+Yukihiro Kawada
+Yun SangHo
+Yuri Slobodyanyuk
+Yuriy Chernyshov
+Yuriy Sosov
+Yusuke Nakamura
+Yves Arrouye
+Yves Lejeune
+z2-2z on github
+z2_ on hackerone
+Zachary Seguin
+Zdenek Pavlas
+Zekun Ni
+zelinchen on github
+Zenju on github
+Zero King
+Zespre Schmidt
+Zhang Xiuhua
+zhanghu on xiaomi
+Zhao Yisha
+Zhaoyang Wu
+Zhibiao Wu
+Zhouyihai Ding
+ZimCodes on github
+zloi-user on github
+Zmey Petroff
+Zvi Har'El
+zzq1015 on github
+Ádler Jonas Gross
+Érico Nogueira
+Érico Nogueira Rolim
+İsmail Dönmez
+Łukasz Domeradzki
+Štefan Kremeň
+Борис Верховский
+Коваленко Анатолий Викторович
+Никита Дорохин
+ウさん
+不确定
+加藤郁之
+梦终无痕
|