diff options
Diffstat (limited to 'plugins/FTPFileYM/curl/CHANGES')
| -rw-r--r-- | plugins/FTPFileYM/curl/CHANGES | 8008 |
1 files changed, 3916 insertions, 4092 deletions
diff --git a/plugins/FTPFileYM/curl/CHANGES b/plugins/FTPFileYM/curl/CHANGES index 08f0a8f60d..a384fadba8 100644 --- a/plugins/FTPFileYM/curl/CHANGES +++ b/plugins/FTPFileYM/curl/CHANGES @@ -6,5746 +6,5570 @@ Changelog -Version 7.29.0 (6 Feb 2013) +Version 7.33.0 (13 Oct 2013) -Daniel Stenberg (6 Feb 2013) -- vms: config-vms.h is removed, no use trying to distribute it +Daniel Stenberg (13 Oct 2013) +- RELEASE-NOTES: synced with 92cf6141ed0de -- RELEASE-NOTES: mention the SASL buffer overflow - -- [Eldar Zaitov brought this change] - - Curl_sasl_create_digest_md5_message: fix buffer overflow - - When negotiating SASL DIGEST-MD5 authentication, the function - Curl_sasl_create_digest_md5_message() uses the data provided from the - server without doing the proper length checks and that data is then - appended to a local fixed-size buffer on the stack. - - This vulnerability can be exploited by someone who is in control of a - server that a libcurl based program is accessing with POP3, SMTP or - IMAP. For applications that accept user provided URLs, it is also - thinkable that a malicious user would feed an application with a URL to - a server hosting code targetting this flaw. +- curl: fix --oauth2-bearer in the --help output - Bug: http://curl.haxx.se/docs/adv_20130206.html + After the option rename in 5df04bfafd1 -Steve Holme (6 Feb 2013) -- FEATURES: Removed erroneous whitespace +- OpenSSL: improve the grammar of the language in 39beaa5ffbcc - Removed whitespace introduced in commit 5f8f20f5e65b that caused - formatting issues when generating the website docs. + Reported-by: Petr Pisar -Yang Tse (6 Feb 2013) -- setup-vms.h: post VMS patch cleanup - III - - - rename post-config-vms.h to setup-vms.h - - move its inclusion into proper location in curl_setup.h +- [Andrej E Baranov brought this change] -- vms_show: post VMS patch cleanup - II + OpenSSL: use failf() when subjectAltName mismatches - - remove multiple declarations of vms_show and add comments - -- tool_main.c: post VMS patch cleanup - I + Write to CURLOPT_ERRORBUFFER information about mismatch alternative + certificate subject names. - - remove header inclusion already done in curl_setup_once.h + Signed-off-by: Andrej E Baranov <admin@andrej-andb.ru> -Steve Holme (6 Feb 2013) -- FEATURES: Added SSPI to list of NTLM libraries +- curl: rename --bearer to --oauth2-bearer + + The option '--bearer' might be slightly ambiguous in name. It doesn't + create any conflict that I am aware of at the moment, however, OAUTH v2 + is not the only authentication mechanism which uses "bearer" tokens. + + Reported-by: Kyle L. Huff + URL: http://curl.haxx.se/mail/lib-2013-10/0064.html -- FEATURES: Added Secure Transport and qssl to list of SSL libraries +- [Kamil Dudka brought this change] -- FEATURES: Added email feature set + ssh: improve the logic for detecting blocking direction - Added SMTP, SMTPS, POP3, POP3S, IMAP and IMAPS features. + This fixes a regression introduced by commit 0feeab78 limiting the speed + of SCP upload to 16384 B/s on a fast connection (such as localhost). -- imap.h: Corrected incorrect comment clarification - - Corrected comment clarification made in commit 167717b8069a. +Dan Fandrich (12 Oct 2013) +- Fixed typo in Makefile.inc that left http2.h out of the tar ball -- COPYING: Updated copyright year to include 2013 +Daniel Stenberg (11 Oct 2013) +- [Heinrich Schaefer brought this change] -Daniel Stenberg (5 Feb 2013) -- RELEASE-NOTES: synced with 25f351424b3538 - - 8 more bug fixes mentioned + minor fix in doc -- [John E. Malmberg brought this change] +- [Gisle Vanem brought this change] - VMS: fix and generate the VMS build config - - config_h.com is a new file that generates a config.h file based on the - curl_config.h.in file and a quick scan of the configure script. This is - actually a generic procedure that is shared with other VMS packages. - - The existing pre-built config-vms.h had over 100 entries that were not - correct and in some cases conflicted with the build options available in - the build_vms.com. - - generate_config_vms_h_curl.com is a helper procedure to the - config_h.com. It covers the cases that the generic config_h.com is not - able to figure out, and accepts input from the build_vms.com procedure. + curl_setup_once: fix errno access for lwip on Windows - build_curlbuild_h.com is a new file to generate the curlbuild.h file - that Curl is now using when it is using a curl_config.h file. - - post-config-vms.h is a new file that is needed to provide VMS specific - definitions, and most of them need to be set before the system header - files are included. - - The VMS build procedure is fixed: - - 1. Fixed to link in the correct HP ssl library. - 2. Fixed to detect if HP Kerberos is installed. - 3. Fixed to detect if HP LDAP is installed. - 4. Fixed to detect if gnv$libzshr is installed. - 5. Simplified the input parameter parsing to not use a loop. - 6. Warn that 64 bit pointer option support is not complete - in comments. - 7. Default to IEEE floating if platform supports it so - resulting libcurl will be compatible with other - open source projects on VMS. - 8. Default to LARGEFILE if platform supports it. - 9. Default to enable SSL, LDAP, Kerberos, libz - if the libraries are present. - 10. Build with exact case global symbols for libcurl. - 11. Generate linker option file needed. - 12. Compiler list option only commonly needed items. - 13. fulllist option for those who really want it. - 14. Create debug symbol file on Alpha, IA64. + lib/curl_setup_once.h assumed lwIP on Windows uses 'SetLastError()' to + set network errors. It doesn't; it uses 'errno'. -- Curl_proxyCONNECT: return once CONNECT is sent - - By doing this unconditionally, we infer a simpler and more defined - behavior. This also has the upside that test 1021 no longer fails for me - even if I run with valgrind. - - Also fixed some wrong comments. +- test1239: verify 4cd444e01ad and the simulated 304 response -Steve Holme (5 Feb 2013) -- email: Reworked comments in the endofresp() functions - - Tidied up the comments in the endofresp() functions to be more - meaningful prior to release. +- [Derek Higgins brought this change] -Marc Hoersken (5 Feb 2013) -- schannel: Removed extended error connection setup flag - - According KB975858 this flag may cause problems on Windows 7 and - Windows Server 2008 R2 systems. Extended error information is not - currently used by libcurl and therefore not a requirement. + HTTP: Output http response 304 when modified time is too old - The flag may improve the SSL-connection shutdown in case of an - error. This means it might be a good improvement in the future. - - Fixes bug/issue #1187 - thanks for the report + When using the -w '%{http_code}' flag and simulating a Not Modified then + 304 should be output. -Daniel Stenberg (5 Feb 2013) -- [Tor Arntsen brought this change] +- contributors: helper script to dig out contributors from git - singleipconnect: Update *sockp for all CURLE_OK - - The 56b7c87c7 change left a case where a good sockfd was not copied to - *sockp before returning with CURLE_OK +- RELEASE-NOTES: add twos refs to bug reports -- curl_easy_perform: Value stored to 'mcode' is never read - - pointed out by clang-analyzer +- RELEASE-NOTES: synced with 173160c0d068 -- singleipconnect: remove dead assignment +Nick Zitzmann (2 Oct 2013) +- darwinssl: block TLS_RSA_WITH_NULL_SHA256 cipher - pointed out by clang-analyzer + Credit (for catching a cipher I forgot to add to the blocked ciphers list): + https://www.ssllabs.com/ssltest/viewMyClient.html -Linus Nielsen Feltzing (5 Feb 2013) -- CURLMOPT_MAXCONNECTS: restore functionality +Daniel Stenberg (2 Oct 2013) +- OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER - When a connection is no longer used, it is kept in the cache. If the - cache is full, the oldest idle connection is closed. If no connection is - idle, the current one is closed instead. - -Steve Holme (5 Feb 2013) -- RELEASE-NOTES: Updated following recent changes to the email protocols + Setting only CURLOPT_SSL_VERIFYHOST without CURLOPT_SSL_VERIFYPEER set + should still verify that the host name fields in the server certificate + is fine or return failure. - Added recent additions and fixes following the changes to imap, pop3 - and smtp. Additionally added another contributor that helped to test - the imap sasl changes. + Bug: http://curl.haxx.se/mail/lib-2013-10/0002.html + Reported-by: Ishan SinghLevett -- email: Provided extra comments following recent pop3/imap fixes +- KNOWN_BUGS: #84: CURLINFO_SSL_VERIFYRESULT - Provided additional clarification about the logic of the authenticate() - functions following commit 6b6bdc83bd36 and b4270a9af1d0. + CURLINFO_SSL_VERIFYRESULT is only implemented for the OpenSSL and NSS + backends and not for any other! -Daniel Stenberg (5 Feb 2013) -- [Andrei Kurushin brought this change] +- [François Charlier brought this change] - winbuild: include version info for .dll .exe - - Bug: http://curl.haxx.se/bug/view.cgi?id=1186 + xattr: add support for FreeBSD xattr API -- FAQ: clarify 5.13 How do I stop an ongoing transfer - - Rich Gray provided good feedback and we now clarify that you can in fact - stop a multi transfer at any point you like by removing the easy handle. +- curl_easy_setopt.3: slight clarification of SEEKFUNCTION -- [Matt Arsenault brought this change] +Steve Holme (29 Sep 2013) +- tests: Fixed typos from commit 25a0c96a494297 - cmake: Fix mingw build +- tests: Updated email addresses in SMTP tests following recent changes -- [Sergei Nikulov brought this change] +- test909: Removed custom EHLO response after recent changes + + ...as it is no longer required following capability and authentication + changes and is now causing problems following commit 49341628b50007 as + the test number is obtained from the client address in the EHLO. - cmake: updated OpenSSL build +- ftpserver.pl: Fixed compilation error from commit 49341628b50007 -Steve Holme (4 Feb 2013) -- pop3.c: Updated variable names to use shorter / more readable variant +- ftpserver.pl: Moved specifying the test number from the RCPT address - Tidied up code from commit 6b6bdc83bdUpdated where a few instances of - the pop3c struct variable used the longer conndata struct rather than - matching what other code in pop3_authenticate() used. + ...to the client address as this frees the RCPT strings to contain + just an email address and by passing the test number into curl as the + client address remains consistent with POP3 and IMAP tests as they are + specified in the URL. -Guenter Knauf (4 Feb 2013) -- updated copyright years. +- ftpserver.pl: Added unwanted argument check to SMTP DATA command handler -- configure: update the copyright years for the output. - -Steve Holme (3 Feb 2013) -- imap: Fixed no known authentication mechanism when fallback is required - - Fixed an issue where (lib)curl is compiled without support for a - supported challenge-response based SASL authentication mechanism, such - as CRAM-MD5 or NTLM, the server doesn't support the LOGIN or PLAIN - mechanisms and (lib)curl doesn't fallback to Clear Text authentication. - - Note: In order to fallback to Clear Text authentication properly this - fix adds support for the LOGINDISABLED server capability. - imap: Fixed no known authentication mechanism when fallback is required - - Fixed an issue where (lib)curl is compiled without support for a - supported challenge-response based SASL authentication mechanism, such - as CRAM-MD5 or NTLM, the server doesn't support the LOGIN or PLAIN - mechanisms and (lib)curl doesn't fallback to Clear Text authentication. - - Note: In order to fallback to Clear Text authentication properly this - fix adds support for the LOGINDISABLED server capability. +Daniel Stenberg (29 Sep 2013) +- getinmemory: remove a comment - Related bug: http://curl.haxx.se/mail/lib-2013-02/0004.html - Reported by: Stanislav Ivochkin + The comment mentioned the need to free the data, but the example already + does that free -- pop3: Fixed no known authentication mechanism when fallback is required +- postinmemory: new example - Fixed an issue where (lib)curl is compiled without support for a - supported challenge-response based SASL authentication mechanism, such - as CRAM-MD5 or NTLM, the server doesn't support the LOGIN or PLAIN - mechanisms and (lib)curl doesn't fallback to APOP or Clear Text - authentication. + This is similar to getinmemory.c but with an initial POST. - Bug: http://curl.haxx.se/mail/lib-2013-02/0004.html - Reported by: Stanislav Ivochkin + Combined-by: Ulf Samuelsson -Daniel Stenberg (1 Feb 2013) -- singleipconnect: simplify and clean up +- win32: fix Visual Studio 2010 build with WINVER >= 0x600 - Remove timeout argument that's never used. + If no WINVER and/or _WIN32_IWNNT define was set, the Windows platform + SDK often defaults to high value, e.g. 0x601 (whoch may probably depend + on the Windows version being used, in my case Windows 7). - Make the actual connection get detected on a single spot to reduce code - duplication. + If WINVER >= 0x600 then winsock2.h includes some defines for WSAPoll(), + e.g. POLLIN, POLLPRI, POLLOUT etc. These defines clash with cURL's + lib/select.h. - Store the IPv6 state already when the connection is attempted. - -- Curl_perfom: removed + Make sure HAVE_STRUCT_POLLFD is defined then. - Curl_perfom is no longer used anywhere since the always-multi commit - c43127414d89ccb9, and some related functions were used only from within - Curl_perfom. - -Guenter Knauf (30 Jan 2013) -- Updated date. + Bug: http://curl.haxx.se/bug/view.cgi?id=1282 + Reported-by: "kdekker" + Patch-by: Marcel Raad -Yang Tse (30 Jan 2013) -- zz40-xc-ovr.m4: fix 'wc' detection - follow-up 2 +Steve Holme (28 Sep 2013) +- ssluse.c: Fixed compilation warnings when ENGINE not supported - - Fix a pair of single quotes to double quotes. - - URL: http://curl.haxx.se/mail/lib-2013-01/0355.html - Reported by: Tor Arntsen + The function "ssl_ui_reader" was declared but never referenced + The function "ssl_ui_writer" was declared but never referenced -- zz40-xc-ovr.m4: fix 'wc' detection - follow-up +Daniel Stenberg (27 Sep 2013) +- configure: use icc options without space - - Take into account that 'wc' may return leading spaces and/or tabs. + The latest version(s) of the icc compiler no longer accept the extra + space in the -we (warning enable), -wd (warning disable), etc. - - Set initial IFS to space, tab and newline. + Reported-by: Elmira A Semenova + Bug: http://curl.haxx.se/mail/lib-2013-09/0182.html + +Steve Holme (25 Sep 2013) +- imap: Added clarification to the code about odd continuation responses -- zz40-xc-ovr.m4: fix 'wc' detection +- ftp.c: Fixed compilation warning - - Take into account that 'wc' may return leading spaces. + There is an implicit conversion from "unsigned long" to "long" + +- sasl: Centralised the authentication mechanism strings - - Set internationalization behavior variables. + Moved the standard SASL mechanism strings into curl_sasl.h rather than + hard coding the same values over and over again in the protocols that + use SASL authentication. - Tor Arntsen analyzed and reported the issue. + For more information about the mechanism strings see: - URL: http://curl.haxx.se/mail/lib-2013-01/0351.html + http://www.iana.org/assignments/sasl-mechanisms -- zz40-xc-ovr.m4: check another three basic utilities +Daniel Stenberg (23 Sep 2013) +- RELEASE-NOTES: added recent contributors missing -Guenter Knauf (29 Jan 2013) -- Fixed debug.c to work again unchanged. - - Added CURLOPT_FOLLOWLOCATION since example.com is now redirected. +Steve Holme (23 Sep 2013) +- test906: Fixed type-2 response -Daniel Stenberg (29 Jan 2013) -- [Nick Zitzmann brought this change] +- test915: Corrected test number from commit 22bccb0edaf041 - darwinssl: Fix bug where packets were sometimes transmitted twice - - There was a bug where, if SSLWrite() returned errSSLWouldBlock but did - succeed in transmitting at least something, then we'd incorrectly - resend the packet. Now we never take errSSLWouldBlock as a sign that - nothing was transferred to/from the server. +- test906: Fixed type-1 message not handled error - Bug: http://curl.haxx.se/mail/lib-2013-01/0295.html - Reported by: Bruno de Carvalho + ...from commit f81d1e16664976 due to copy paste error. -- [Nick Zitzmann brought this change] +- tests: Added SMTP AUTH NTLM test - FAQ: "Darwinssl" is AKA "Secure Transport" and supports NTLM +- tests: Added SMTP multiple and invalid --mail-rcpt test -- RELEASE-NOTES: only list Nick once - - Even though he's a fine dude, once is enough for this time! +- tests: Added SMTP multiple --mail-rcpt test -Yang Tse (28 Jan 2013) -- zz40-xc-ovr.m4: 1.0 interface stabilization - - - Stabilization results in 4 public interface m4 macros: - XC_CONFIGURE_PREAMBLE - XC_CONFIGURE_PREAMBLE_VER_MAJOR - XC_CONFIGURE_PREAMBLE_VER_MINOR - XC_CHECK_PATH_SEPARATOR - - Avoid one level of internal indirection - - Update comments - - Drop XC_OVR_ZZ40 macro +- tests: Added SMTP invalid --mail-rcpt test -Kamil Dudka (28 Jan 2013) -- docs: fix typos in man pages - - Reported by: Jiri Jaburek - Bug: https://bugzilla.redhat.com/896544 +- tests: Regrouping of SMTP tests + +Daniel Stenberg (22 Sep 2013) +- [Benoit Sigoure brought this change] -- docs: update the comments about loading CA certs with NSS + test1112: Increase the timeout from 7s to 16s - Bug: https://bugzilla.redhat.com/696783 + As someone reported on the mailing list a while back, the hard-coded + arbitrary timeout of 7s in test 1112 is not sufficient in some build + environments. At Arista Networks we build and test curl as part of our + automated build system, and we've run into this timeout 170 times so + far. Our build servers are typically quite busy building and testing a + lot of code in parallel, so despite being beefy machines with 32 cores + and 128GB of RAM we still hit this 7s timeout regularly. + + URL: http://curl.haxx.se/mail/lib-2010-02/0200.html -Guenter Knauf (28 Jan 2013) -- Updated dependency libs. +Steve Holme (22 Sep 2013) +- tests: Fixed smtp rcpt to addresses -- Fixed simple.c to work again unchanged. +- ftpserver.pl: Expanded the SMTP RCPT handler to validate TO addresses - Added CURLOPT_FOLLOWLOCATION since example.com is now redirected. + RCPT_smtp() will now check for a correctly formatted TO address which + allows for invalid recipient addresses to be added. -Steve Holme (27 Jan 2013) -- smtp.c: Fixed unnecessary state change if starttls fails +- ftpserver.pl: Added cURL SMTP server detection to HELO command handler - The state machine should only be changed to SMTP_STARTTLS when the - STARTTLS command has been successfully sent to the server. + As curl will send a HELO command after an negative EHLO response, added + the same detection from commit b07709f7417c3e to the HELO handler to + ensure the test server is identified correctly and an upload isn't + performed. -- pop3.c: Fixed unnecessary state change if starttls fails - - The state machine should only be changed to POP3_STARTTLS when the - STLS command has been successfully sent to the server. +- ftpserver.pl: Corrected response code for successful RCPT command -- imap.c: Fixed unnecessary state change if starttls fails +- ftpserver.pl: Moved invalid RCPT TO: address detection to RCPT handler - The state machine should only be changed to IMAP_STARTTLS when the - STARTTLS command has been successfully sent to the server. + Rather than detecting the TO address as missing in the DATA handler, + moved the detection to the RCPT command handler where an error response + can be generated. -- email: Updated comment regarding ssldone usage +- RELEASE-NOTES: Corrected missed addition - Updated the ssldone comment as multi mode is always used internally now. + Somehow commit 60a20461629fda missed the last item in the sync list + even though I'm sure I added it during editing. + +- RELEASE-NOTES: Synced with 6dd8bd8d2f9729 -Yang Tse (26 Jan 2013) -- zz40-xc-ovr.m4: emit witness message in configure BODY +- curl.1: Added information about optional login options to --user in manpage - This avoids witness message in output when running configure --help, - while sending the message to config.log for other configure runs. + Added missing information, from curl 7.31.0, regarding the use of the + optional login options that may be specified as part of --user. + + For example: + + --user 'user:password;auth=NTLM' in IMAP, POP3 and SMTP protocols. -Steve Holme (25 Jan 2013) -- smtp.c: Added comments to smtp_endofresp() +- ftpserver.pl: Moved cURL SMTP server detection into EHLO command handler + + Moved the special SMTP server detection code from the DATA command + handler, which happens further down the operation chain after EHLO, + MAIL and RCPT commands, to the EHLO command as it is the first command + to be generated by a SMTP operation as well as containing the special + "verifiedserver" string from the URL. + + This not only makes it easier and quicker to detect but also means that + cURL doesn't need to specify "verifiedserver" as --mail-from and + --mail-rcpt arguments. - Minor code tidy up to add comments similar to those used in the pop3 - and imap end of resp functions, in order to assist anyone reading the - code and highlight the similarities between each of these protocols. + More importantly, this also makes the upcoming verification changes to + the RCPT handler easier to implement. -Yang Tse (25 Jan 2013) -- zz40-xc-ovr.m4: truly do version conditional overriding +Daniel Stenberg (21 Sep 2013) +- openssl: use correct port number in error message - - version conditional overriding - - catch unexpanded XC macros - - fix double words in comments + In ossl_connect_step2() when the "Unknown SSL protocol error" occurs, it + would output the local port number instead of the remote one which + showed when doing SSL over a proxy (but with the correct remote host + name). As libcurl only speaks SSL to the remote we know it is the remote + port. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1281 + Reported-by: Gordon Marler -- zz40-xc-ovr.m4: fix variable assignment of subshell output bashism +- test1415: adjusted to work for 32bit time_t - Tor Arntsen analyzed and reported the issue. + The libcurl date parser returns INT_MAX for all dates > 2037 so this + test is now made to use 2037 instead of 2038 to work the same for both + 32bit and 64bit time_t systems. + +Steve Holme (21 Sep 2013) +- tests: Reworked existing SMTP tests to be single recipient based - URL: http://curl.haxx.se/mail/lib-2013-01/0306.html + ...in preparation of upcoming multiple recipient tests. -- zz40-xc-ovr.m4: reinstate strict AC_REQUIRE macro dependencies +- ftpserver.pl: Corrected SMTP QUIT response to be more realistic -- zz40-xc-ovr.m4: avoid double single-quote usage +Daniel Stenberg (20 Sep 2013) +- curl_easy_setopt.3: clarify that TIMEOUT and TIMEOUT_MS set the same value -- zz40-xc-ovr.m4: parentheses balancing of 'case' statements - - m4 quadrigraph shell comment technique allows proper autoconf - parentheses balancing in shell 'case' statements. The presence - of unbalanced parentheses may otherwise trigger expansion bugs. +- [Kim Vandry brought this change] -Steve Holme (24 Jan 2013) -- smtp.c: Corrected RFC references + Documented --dns-* options in curl manpage + +Steve Holme (20 Sep 2013) +- pop3: Added basic SASL XOAUTH2 support - The most recent version of the SMTP RFC is RFC5321 and not RFC2821 as - previously documented. + Added the ability to use an XOAUTH2 bearer token [RFC6750] with POP3 for + authentication using RFC6749 "OAuth 2.0 Authorization Framework". - Added RFC1870 and re-ordered list numerically. + The bearer token is expected to be valid for the user specified in + conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has + an advertised auth mechanism of "XOAUTH2", the user and access token are + formatted as a base64 encoded string and sent to the server as + "AUTH XOAUTH2 <bearer token>". -- smtp.c: Fixed failure detection during TLS upgrade +- curl: Added clarification to the --mail options in the --help output - smtp_state_upgrade_tls() would attempt to incorrectly complete the - upgrade to smtps and start the EHLO command if - Curl_ssl_connect_nonblocking() returned a failure code and if ssldone - was set to TRUE. This would only happen when a non-blocking API hadn't - been provided by the SSL implementation and curlssl_connect() was - called underneath. + ... that these options apply to SMTP only. -- pop3.c: Fixed failure detection during TLS upgrade - - pop3_state_upgrade_tls() would attempt to incorrectly complete the - upgrade to pop3s and start the CAPA command if - Curl_ssl_connect_nonblocking() returned a failure code and if ssldone - was set to TRUE. This would only happen when a non-blocking API hadn't - been provided by the SSL implementation and curlssl_connect() was - called underneath. +- ftpserver.pl: Moved SMTP RCPT response text into command handler -- imap.c: Fixed failure detection during TLS upgrade - - imap_state_upgrade_tls() would attempt to incorrectly complete the - upgrade to imaps and start the CAPABILITY command if - Curl_ssl_connect_nonblocking() returned a failure code and if ssldone - was set to TRUE. This would only happen when a non-blocking API hadn't - been provided by the SSL implementation and curlssl_connect() was - called underneath. +- tests: Added SMTP invalid --mail-from test -Yang Tse (24 Jan 2013) -- zz40-xc-ovr.m4: internals overhauling +Nick Zitzmann (19 Sep 2013) +- darwinssl: enable BEAST workaround on iOS 7 & later - - Update comments - - Execute commands in subshells - - Faster path separator check - - Fix missing 'test' command - - Rename private macros - - Minimize AC_REQUIRE usage - -Steve Holme (23 Jan 2013) -- email: Removed unnecessary return statements + iOS 7 finally added the option to enable 1/n-1 when using TLS 1.0 + and a CBC cipher, so we now always turn that on unless the user + manually turns it off using CURLSSLOPT_ALLOW_BEAST. - Small tidy up to remove unnecessary return statements prior to the next - fix. + It appears Apple also added some new PSK ciphers, but no interface to + use them yet, so we at least support printing them if we find them. -Yang Tse (23 Jan 2013) -- zz40-xc-ovr.m4: redirect errors and warnings to stderr +Steve Holme (19 Sep 2013) +- tests: Updated SMTP AUTH tests to use the new AUTH directive + + ...rather than specify a customised EHLO response. -- zz40-xc-ovr.m4: AC_REQUIRE also XC_CONFIGURE_PREAMBLE success message +- tests: Corrected test913 as the QUIT response is received -- zz60-xc-ovr.m4: tighten XC_OVR_ZZ60 macro placement requirements +- tests: Added SMTP large message SIZE test -- configure: use XC_CONFIGURE_PREAMBLE early checks +- ftpserver.pl: Updated email regex from commit 98f7ca7e971006 - Some basic checks we make were placed early enough in generated - configure script when using autoconf 2.5X versions. Newer autoconf - versions expand these checks much further into the configure script, - rendering them useless. Using XC_CONFIGURE_PREAMBLE fixes placement - of early intended checks across all our autoconf supported versions. + ...to not be as strict as it was rejecting valid numeric email + addresses. + +- tests: Fixed smtp mail from addresses -- zz40-xc-ovr.m4: provide XC_CONFIGURE_PREAMBLE macro +- ftpserver.pl: Standardised CAPA and AUTH responses -Daniel Stenberg (23 Jan 2013) -- FAQ: update the SSL lib list and wording in question 2.2 +- ftpserver.pl: Corrected POP3 QUIT reply to be more realistic -Steve Holme (22 Jan 2013) -- curl_sasl.c: Corrected references to RFC +- runtests.pl: Fixed syntax error in commit c873375123343e - The most recent version of the RFC is RFC4422 and not RFC2222 as - previously documented. + Possible unintended interpolation in string at line 796 -- email: Corrected references to SASL RFC +- runtests.pl: Fixed smtp mail from address - The most recent version of the SASL RFC is RFC4422 and not RFC2222 as - previously documented. + Following changes to ftpserver.pl fixed the mail from address to be a + correctly formatted address otherwise the server response will be 501 + Invalid address. -Daniel Stenberg (22 Jan 2013) -- [Ulion brought this change] +- ftpserver.pl: Fixed syntax error in commit 98f7ca7e971006 + + Can't modify constant item in scalar assignment line 779, near "0;" - formpost: support quotes, commas and semicolon in file names +- ftpserver.pl: Expanded the SMTP MAIL handler to validate messages - - document the double-quote and backslash need be escaped if quoting. - - libcurl formdata escape double-quote in filename by backslash. - - curl formparse can parse filename both contains '"' and ',' or ';'. - - curl now can uploading file with ',' or ';' in filename. + MAIl_smtp() will now check for a correctly formatted FROM address as + well as the optional SIZE parameter comparing it against the server + capability when specified. + +Daniel Stenberg (17 Sep 2013) +- [YAMADA Yasuharu brought this change] + + cookies: add expiration - Bug: http://curl.haxx.se/bug/view.cgi?id=1171 + Implement: Expired Cookies These following situation, curl removes + cookie(s) from struct CookieInfo if the cookie expired. + - Curl_cookie_add() + - Curl_cookie_getlist() + - cookie_output() + +Steve Holme (17 Sep 2013) +- ftpserver.pl: Corrected response code for successful MAIL command -- memanalyze.pl: handle fopen() of file names with quotes +- ftpserver.pl: Moved SMTP MAIL handler into own function -Yang Tse (21 Jan 2013) -- xc-cc-check.m4: re-evaluate exporting and AC_SUBST'ing vars +- dns: fix compilation with MinGW from commit df69440d05f113 - Notes: + Avoid 'interface' literal that some MinGW versions define as a macro - When running a configure script that has nested packages (for example - libcurl's configure with --enable-ares and c-ares sources embedded in - curl tree) and AC_CONFIG_SUBDIRS([nested-subdir]) machinery is used to - automatically run the nested configure script from within the parent - configure script, it happens that the nested _shell_ script will - inherit shell variables exported from the parent _shell_ script. + Additionally, corrected some very, very minor coding style errors. + +- tests: Fixed test 1406 following recent changes in ftpserver.pl - If for example parent configure script sets and exports LDFLAGS and LIBS - variables with proper values in order to link either a parent library or - program with a library which will be configured and built by a nested - package; It will happen that when the nested configure script runs, the - nested library does not exist yet and _any_ link-test done in the nested - configure will fail, such as those that autoconf macros perform in order - to detect existing compiler and its characteristics, the result is that - the nested configure script will fail with errors such as: + By default the mail server doesn't send the SIZE capability but instead + it has to be specified as a supported capability. + +- tests: Added test for SMTP SIZE capability + +- ftpserver.pl: Added the ability to include spaces in capabilities - configure: error: C compiler cannot create executables + For example: - For now, we no longer export variables previously exported here. + CAPA "SIZE 1048576" 8BITMIME BINARYMIME - On the other hand, AC_SUBST'ing them is appropriate and even with nested - packages each package's config.status gets its own package values. + will populate the capabilities list with the following in: - So we reinstate AC_SUBST'ing previously AC_SUBST'ed variables. + SIZE 1048576 + 8BITMIME + BINARYMIME -Daniel Stenberg (21 Jan 2013) -- FAQ: 3.22 curl -X gives me HTTP problems +- ftpserver.pl: Corrected response code for successful SMTP QUIT command -Yang Tse (21 Jan 2013) -- xc-cc-check.m4: avoid recursive package automake'ing breakage +- ftpserver.pl: Fixed syntax error in commit 33c1f2876b9029 + + Can't modify constant item in postincrement line 727, near "i++" -- xc-cc-check.m4: mark earlier variables that are to be exported +- ftpserver.pl: Added CAPA & AUTH directive support to the SMTP EHLO handler -- configure: autotools compatibility fixes - step I - - Fix proper macro expansion order across autotools versions for - C compiler and preprocessor program checks. +- ftpserver.pl: Fixed SMTP QUIT handler from dadc495540946e -Steve Holme (20 Jan 2013) -- pop3.c: Fixed conditional compilation of the apop response function +- ftpserver.pl: Moved SMTP EHLO and QUIT handlers in own functions + +- ftpserver.pl: Added support for SMTP HELO command - Extended the fix from commit 8b15c84ea91e to additionally exclude - pop3_state_apop_resp() if the CURL_DISABLE_CRYPTO_AUTH flag is - defined. + ...and updated test902 as explicit HELO response is no longer required. -Yang Tse (20 Jan 2013) -- Makefile.inc: fix $(top_srcdir) not allowed in _SOURCES variables +- ftpserver.pl: Added mailbox check to IMAP SELECT handler -Daniel Stenberg (19 Jan 2013) -- formadd: reject trying to read a directory where a file is expected +- ftpserver.pl: Corrected invalid user details check - Bug: http://curl.haxx.se/mail/archive-2013-01/0017.html - Reported by: Ulrich Doehner + ...in both the IMAP LOGIN and POP3 PASS handlers introduced in commit + 187ac693744949 and 84ad1569e5fc93 respectively. -- curl_easy_send.3: document return codes - - Reported by: Craig Davison - Bug: http://curl.haxx.se/mail/lib-2013-01/0234.html +- ftpserver.pl: Moved IMAP LOGIN handler into own function -- curl_easy_recv.3: document return codes - - Reported by: Craig Davison - Bug: http://curl.haxx.se/mail/lib-2013-01/0234.html +- ftpserver.pl: Moved POP3 USER and PASS handlers into own functions -Steve Holme (19 Jan 2013) -- email: General code tidy up +- ftpserver.pl: Corrected invalid argument check in POP3 TOP handler - Corrected some function argument definitions to maximize the 80 - character line length limit and be in keeping with the curl - coding style. + ...which was accidentally introduced in commit 4d6ef6297ae9b6. -- pop3.c: Fixed a problem with pop3s connections not connecting properly - - Fixed an issue where Curl_ssl_connect_nonblocking() wouldn't complete - correctly and the ssldone flag wouldn't be set to true for pop3s based - connections. - - Bug introduced in commit: 4ffb8a6398ed. +- ftpserver.pl: Added capability prerequisite for extended POP3 commands -Daniel Stenberg (18 Jan 2013) -- RELEASE-NOTES: add references to several bugfixes+changes +- tests: Updated descriptions to be more meaningful -Steve Holme (18 Jan 2013) -- RELEASE-NOTES: Added missing imap fix - - Added missing imap fix as per commit 709b3506cd9b. +- ftpserver.pl: Added support for IMAP NOOP command -Yang Tse (18 Jan 2013) -- runtests.pl: make VPATH builds find valgrind.supp +- imap: Fixed response check for NOOP command -Daniel Stenberg (18 Jan 2013) -- RELEASE-NOTES: synced with c43127414d89 +- tests: Updated descriptions to be more meaningful -- always-multi: always use non-blocking internals - - Remove internal separated behavior of the easy vs multi intercace. - curl_easy_perform() is now using the multi interface itself. +Daniel Stenberg (13 Sep 2013) +- curl.1: detail how short/long options work - Several minor multi interface quirks and bugs have been fixed in the - process. - - Much help with debugging this has been provided by: Yang Tse + URL: http://curl.haxx.se/bug/view.cgi?id=1279 + Suggested-by: Jerry Krinock -Yang Tse (17 Jan 2013) -- url.c: fix HTTP CONNECT tunnel establishment upon delayed response - - Fixes initial proxy response being processed by the tunneled protocol - handler instead of the HTTP wrapper handler. This issue would trigger - upon delayed CONNECT response from the proxy. +Steve Holme (13 Sep 2013) +- curl: Fixed usage of DNS options when not using c-ares resolver - Additionally fixes a multi interface code-path in which connections - would not time out properly. + Commit 32352ed6adddcb introduced various DNS options, however, these + would cause curl to exit with CURLE_NOT_BUILT_IN when c-ares wasn't + being used as the backend resolver even if the options weren't set + by the user. - This does not fix known bug #39. + Additionally corrected some minor coding style errors from the same + commit. + +Daniel Stenberg (13 Sep 2013) +- curl_easy_setopt.3: mention RTMP URL quirks - URL: http://curl.haxx.se/mail/lib-2013-01/0191.html + URL: http://curl.haxx.se/bug/view.cgi?id=1278 + Reported-by: Gorilla Maguila -Daniel Stenberg (16 Jan 2013) -- [Yves Arrouye brought this change] +- [Ben Greear brought this change] - --libcurl: fix for non-zero default options + curl: Add support for various DNS binding options. + + (Passed on to c-ares.) - If the default value for an option taking a long as its value is non - zero, and it is set by zero by a command line option, then that command - line option is not reflected in --libcurl's output. This is because line - 520-521 of tool_setopt.c look like: + Allows something like this: - if(!lval) - skip = TRUE; + curl --dns-interface sta8 --dns-ipv4-addr 8.8.1.111 --interface sta8 \ + --localaddr 8.8.1.111 --dns-servers 8.8.8.1 www.google.com - An example of a command-line option doing so is the -k option that sets - CURLOPT_SLL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to 0L, when the - defaults are non-zero. + Signed-off-by: Ben Greear <greearb@candelatech.com> -- FTP: reject illegal port numbers in EPSV 229 responses +- [Kim Vandry brought this change] -Yang Tse (15 Jan 2013) -- commit bc682cbd follow-up + libcurl: New options to bind DNS to local interfaces or IP addresses -- build: use per-target '_CPPFLAGS' for those currently using default - - Automake documents that doing this will make it choose a different name - for intermediate object files even when sharing source files across - targets of same Makefile.am. - - Up to automake 1.13.1 target's intermediate object files were placed - in the build subdirectory of the target. We depended on this, probably - undocumented behavior, to achieve same behavior as if a per-target flag - had been specified when building targets that actually belong to - different Makefile.am files. - - It seems automake 1.13.2 is going to break behavior mentioned above. +- libcurl.3: for multi interface connections are held in the multi handle - So, lets use a documented behavior in order to achieve same purpose, - across automake versions, no matter where automake wishes to place - intermediate object files. + ... and a few more cleanups/clarifications + +Steve Holme (12 Sep 2013) +- ftpserver.pl: Fixed missing comma from 7fd84b14d219b1 + +- ftpserver.pl: Fixed variable error introduced in 7fd84b14d219b1 - Our build targets that already were using a per-target '_CFLAGS' or - '_CPPFLAGS' need no 'fixing', these were already 'fixed'. The only - Makefile.am or Makefile.in files in libcurl's source tree touched by - this 'fix' are tests/libtest/Makefile.inc and tests/unit/Makefile.inc. + Global symbol "$mailbox" requires explicit package name -- tests/libtest/Makefile.inc: sort build targets +- ftpserver.pl: Added support for UID command -- tests/Makefile.am: remove wildcard usage in EXTRA_DIST +- ftpserver.pl: Added support for LSUB command -Kamil Dudka (15 Jan 2013) -- nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE - - Do not use the error messages from NSS for errors not occurring in NSS. +- imap: Fixed response check for LSUB and UID commands -Steve Holme (14 Jan 2013) -- TODO: Updated following IMAP SASL additions +- ftpserver.pl: Added support for IMAP COPY command -Yang Tse (14 Jan 2013) -- configure: fix automake 1.13 compatibility - - Tested with: - - buildconf: autoconf version 2.69 - buildconf: autom4te version 2.69 - buildconf: autoheader version 2.69 - buildconf: automake version 1.13.1 - buildconf: aclocal version 1.13.1 - buildconf: libtool version 2.4 - buildconf: GNU m4 version 1.4.16 +- ftpserver.pl: Added support for IMAP CLOSE and EXPUNGE commands -Daniel Stenberg (13 Jan 2013) -- BUGS: update bug tracker URL - - ... and refresh number of lines of code +- ftpserver.pl: Added support for POP3 RSET command -- Curl_resolver_getsock: fix the function description comment - - It referred to it by the wrong name and said it returned the wrong value. +- ftpserver.pl: Added the ability to remember what messages are deleted - Reported by: Gisle Vanem + ...as this will be required for IMAP CLOSE and EXPUNGE commands as well + as the POP3 RSET command. -Kamil Dudka (11 Jan 2013) -- nss: clear session cache if a client cert from file is used +Daniel Stenberg (10 Sep 2013) +- NI_MAXSERV: remove all use of it - This commit fixes a regression introduced in 052a08ff. + Solaris with the SunStudio Compiler is reportedly missing this define, + but as we're using it without any good reason on all the places it was + used I've now instead switched to just use sensible buffer sizes that + fit a 32 bit decimal number. Which also happens to be smaller than the + common NI_MAXSERV value which is 32 on most machines. - NSS caches certs/keys returned by the SSL_GetClientAuthDataHook callback - and if we connect second time to the same server, the cached cert/key - pair is used. If we use multiple client certificates for different - paths on the same server, we need to clear the session cache to force - NSS to call the hook again. The commit 052a08ff prevented the session - cache from being cleared if a client certificate from file was used. - - The condition is now fixed to cover both cases: consssl->client_nickname - is not NULL if a client certificate from the NSS database is used and - connssl->obj_clicert is not NULL if a client certificate from file is - used. + Bug: http://curl.haxx.se/bug/view.cgi?id=1277 + Reported-by: D.Flinkmann + +- http2: use the support HTTP2 draft version in the upgrade header - Review by: Kai Engert + ... instead of HTTP/2.0 to work fine with the nghttpx proxy/server. -Yang Tse (11 Jan 2013) -- sockfilt.c: log file descriptor number on read/write error +Steve Holme (10 Sep 2013) +- ldap.c: Fix compilation warning + + warning: comparison between signed and unsigned integer expressions -- [Gisle Vanem brought this change] +- [Jiri Hruska brought this change] - packages/DOS/common.dj: remove COFF debug info generation - - gcc on DOS hasn't really supported COFF-debug (-gcoff) on djgpp for a - long time. - - "Sounds like the COFF debug info generation has bit-rotted in GCC. - Nothing new here, no other platform uses COFF AFAIK." - - So lets drop it too. + imap/pop3/smtp: Speed up SSL connection initialization - URL: http://curl.haxx.se/mail/lib-2013-01/0130.html + Don't wait for the next callback call (usually 1 second) before + continuing with protocol specific connection initialization. -- curl: ignore SIGPIPE - compilation fix - follow-up +- ldap.c: Corrected build error from commit 857f999353f333 -- test servers: handle W32/W64 SIGBREAK with exit_signal_handler +- RELEASE-NOTES: Corrected duplicate in bfefe2400a16b8 -- test servers: fix errno, ERRNO and SOCKERRNO usage for W32/W64 +- RELEASE-NOTES: Corrected typo from bfefe2400a16b8 -- sockfilt.c: fix some W64 compiler warnings +- RELEASE-NOTES: synced with 25c68903756d6b -Daniel Stenberg (9 Jan 2013) -- [Nick Zitzmann brought this change] +Daniel Stenberg (10 Sep 2013) +- README.http2: explain nghttp2 a little - docs: the --with-darwinssl option is available on Apple OSes +Steve Holme (9 Sep 2013) +- tests: Added test for POP3 TOP command -Yang Tse (9 Jan 2013) -- curl: ignore SIGPIPE - compilation fix +- ftpserver.pl: Added support for POP3 TOP command -- build: fix circular header inclusion with other packages - - This commit renames lib/setup.h to lib/curl_setup.h and - renames lib/setup_once.h to lib/curl_setup_once.h. +- tests: Added test for POP3 UIDL command + +- ftpserver.pl: Added support for POP3 UIDL command + +Daniel Stenberg (9 Sep 2013) +- http2: adjust to new nghttp2_pack_settings_payload proto - Removes the need and usage of a header inclusion guard foreign - to libcurl. [1] + This function was modified in nghttp2 git commit a1c3f89c72e51 + +Kamil Dudka (9 Sep 2013) +- url: handle abortion by read/write callbacks, too - Removes the need and presence of an alarming notice we carried - in old setup_once.h [2] + Otherwise, the FTP protocol would unnecessarily hang 60 seconds if + aborted in the CURLOPT_HEADERFUNCTION callback. - ---------------------------------------- + Reported by: Tomas Mlcoch + Bug: https://bugzilla.redhat.com/1005686 + +Daniel Stenberg (9 Sep 2013) +- ldap: fix the build for systems with ldap_url_parse() - 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard - up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H, - this single inclusion guard is enough to ensure that inclusion of - lib/setup_once.h done from lib/setup.h is only done once. + Make sure that the custom struct fields are only used by code that + doesn't use a struct defintion from the outside. - Additionally lib/setup.h has always used __SETUP_ONCE_H macro to - protect inclusion of setup_once.h even after commit ec691ca3, this - was to avoid a circular header inclusion triggered when building a - c-ares enabled version with c-ares sources available which also has - a setup_once.h header. Commit ec691ca3 exposes the real nature of - __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard - foreign to libcurl belonging to c-ares's setup_once.h + Attempts to fix the problem introduced in 3dc6fc42bfc61b + +Steve Holme (9 Sep 2013) +- [Jiri Hruska brought this change] + + pingpong: Check SSL library buffers for already read data - The renaming this commit does, fixes the circular header inclusion, - and as such removes the need and usage of a header inclusion guard - foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl. + Otherwise the connection can get stuck during various phases, waiting + for new data on the socket using select() etc., but it will never be + received as the data has already been read into SSL library. + +- imap: Fixed calculation of transfer when partial FETCH received - 2 - Due to the circular interdependency of old lib/setup_once.h and the - c-ares setup_once.h header, old file lib/setup_once.h has carried - back from 2006 up to now days an alarming and prominent notice about - the need of keeping libcurl's and c-ares's setup_once.h in sync. + The transfer size would be calculated incorrectly if the email contained + within the FETCH response, had been partially received by the pingpong + layer. As such the following, example output, would be seen if the + amount remaining was smaller than the amount received: - Given that this commit fixes the circular interdependency, the need - and presence of mentioned notice is removed. + * Excess found in a non pipelined read: excess = 1394, size = 262, + maxdownload = 262, bytecount = 1374 + * transfer closed with -1112 bytes remaining to read - All mentioned interdependencies come back from now old days when - the c-ares project lived inside a curl subdirectory. This commit - removes last traces of such fact. + Bug: http://curl.haxx.se/mail/lib-2013-08/0170.html + Reported-by: John Dunn -Daniel Stenberg (8 Jan 2013) -- curl: ignore SIGPIPE +- ftpserver.pl: Fixed empty array checks - This is a work-around for bug #1180 which is really libcurl's inability - to ignore SIGPIPE in a few cases. With this work-around at least curl - won't suffer from it! - - Bug: http://curl.haxx.se/bug/view.cgi?id=1180 - Reported by: Lluís Batlle i Rossell - -Yang Tse (8 Jan 2013) -- sockfilt.c: fix some compiler warnings + ...from commits 28427b408326a1 and e8313697b6554b. -Daniel Stenberg (8 Jan 2013) -- Revert "configure: update req to 2.59" +- ftpserver: Reworked AUTH support to allow for specifying the mechanisms - This reverts commit 7a6d8b1b1a8fcc184c36d6b6e741e32250b4bacb. + Renamed SUPPORTAUTH to AUTH and added support for specifying a list of + supported SASL mechanisms to return to the client. - URL: http://curl.haxx.se/mail/lib-2013-01/0103.html + Additionally added the directive to the FILEFORMAT document. -Steve Holme (8 Jan 2013) -- pop3: Added support for non-blocking SSL upgrade +- ftpserver: Reworked CAPA support to allow for specifying the capabilities - Added support for asynchronous SSL upgrade when using the - multi-interface. - -Daniel Stenberg (8 Jan 2013) -- configure: update req to 2.59 + Renamed SUPPORTCAPA to CAPA and added support for specifying a list of + supported capabilities to return to the client. - I ran the 2.59 version of autoupdate that updates obsoleted configure.ac - constructs to the 2.59 standard. With a little hands-on fiddling I - prevented it from ruining the quoting in AS_HELP_STRING() uses. + Additionally added the directive to the FILEFORMAT document. + +- ftpserver.pl: Corrected POP3 LIST as message numbers should be contiguous - I subsequently also bumped the required autoconf version to 2.59 - (released in December 2003) as I don't have an older autoconf version - around to test with and I can't be bothered to install one either... + The message numbers given in the LIST response are an index into the + list, which are only valid for the current session, rather than being a + unique message identifier. An index would only be missing from the LIST + response if a DELE command had been issued within the same session and + had not been committed by the end of session QUIT command. Once + committed the POP3 server will regenerate the message numbers in the + next session to be contiguous again. As such our LIST response should + list message numbers contiguously until we support a DELE command in the + same session. - Inspired by: Björn Stenberg - Related blog post: http://cazfi.livejournal.com/195108.html + Should a POP3 user require the unique message ID for any or all + messages then they should use the extended UIDL command. This command + will be supported by the test ftpserver in an upcoming commit. + +Daniel Stenberg (8 Sep 2013) +- [Clemens Gruber brought this change] -Steve Holme (7 Jan 2013) -- imap.c: Small tidy up to add missing comment + curl_easy_pause: suggest one way to unpause -- imap: Added support for sasl digest-md5 authentication +Steve Holme (8 Sep 2013) +- tests: Updated descriptions to be more meaningful -- imap: Added support for sasl cram-md5 authentication +- tests: Added test for POP3 NOOP command -Marc Hoersken (7 Jan 2013) -- tests/server/sockfilt.c: Fixed integer comparison warning +- ftpserver.pl: Added support for POP3 NOOP command -- tests/server/sockfilt.c: Include required Win32 headers +- ftpserver.pl: Fixed 'Use of uninitialized value $args in string ne' -Steve Holme (7 Jan 2013) -- imap: Added support for sasl ntlm authentication +- tests: Added test for POP3 STAT command -- imap: Added support for sasl login authentication +- ftpserver.pl: Added support for POP STAT command -- pop3.c: Fixed default authentication detection +- ftpserver.pl: Moved POP3 QUIT handler into own function + +- ftpserver.pl: Reordered the POP3 handlers to be alphabetical - Fixed an issue where a server may positively respond to the CAPA command - but not list clear text as a valid authentication type. + In preparation for additional POP3 tests, re-ordered the command + function defintions to be sorted alphabetically. -- curl_sasl.c: Small code tidy up following imap changes +- ftpserver.pl: Corrected misaligned indentation in POP3 handlers + + Fixed incorrect indentation used in both the RETR_pop3 and LIST_pop3 + functions which was 5 and 9 characters rather than 4 and 8. -- smtp.c: Small code tidy up following imap changes +- tests: Added test for POP3 DELE command -- pop3.c: Small code tidy up following imap changes +unknown (7 Sep 2013) +- [Steve Holme brought this change] -- imap: Added support for sasl plain text authentication + ftpserver.pl: Added support for POP3 DELE command -Marc Hoersken (6 Jan 2013) -- tests/server/sockfilt.c: Fixed support for listening sockets - - This commit fixes support for sockets that are ready to accept - a new connection and have previously been put into listening mode. +Daniel Stenberg (7 Sep 2013) +- http2: include curl_memory.h - It also includes changes which are the result of investigation - regarding Windows STDIN. These changes are the preparation for further - improvements regarding support for reading data from STDIN on Windows. + Detected by test 1132 + +Nick Zitzmann (7 Sep 2013) +- http: fix build warning under LLVM - Open issue: WaitForMultipleObjectsEx does not support PIPE handles - which are returned by GetStdHandle while running without a GUI. + When building the code using LLVM Clang without NGHTTP2, I was getting + this warning: + ../lib/http.h:155:1: warning: empty struct is a GNU extension [-Wgnu] + Placing a dummy variable into the data structure silenced the warning. -- tests/server/sockfilt.c: Set Windows Console to binary mode +Daniel Stenberg (7 Sep 2013) +- http2: actually init nghttp2 and send HTTP2-Settings properly -- tests/server/sockfilt.c: Improved log error messages - - Include error code and parameters in error messages. +- README.http2: how to use it best with the multi API? -Steve Holme (6 Jan 2013) -- imap: Introduced the continue response in imap_endofresp() +- http2: first embryo toward Upgrade: -- imap: Added support for SASL based authentication mechanism detection +- http: rename use_http_1_1 to use_http_1_1plus - Added support for detecting the supported SASL authentication mechanisms - via the CAPABILITY command. + Since it now actually says if 1.1 or a later version should be used. -Yang Tse (6 Jan 2013) -- Revert changes relative to lib/*.[ch] recent renaming - - This reverts renaming and usage of lib/*.h header files done - 28-12-2012, reverting 2 commits: - - f871de0... build: make use of 76 lib/*.h renamed files - ffd8e12... build: rename 76 lib/*.h files - - This also reverts removal of redundant include guard (redundant thanks - to changes in above commits) done 2-12-2013, reverting 1 commit: - - c087374... curl_setup.h: remove redundant include guard - - This also reverts renaming and usage of lib/*.c source files done - 3-12-2013, reverting 3 commits: - - 13606bb... build: make use of 93 lib/*.c renamed files - 5b6e792... build: rename 93 lib/*.c files - 7d83dff... build: commit 13606bbfde follow-up 1 - - Start of related discussion thread: +- configure: improve CURL_CHECK_COMPILER_PROTOTYPE_MISMATCH - http://curl.haxx.se/mail/lib-2013-01/0012.html - - Asking for confirmation on pushing this revertion commit: + The compiler test used a variable before it was assigned when it tried + to see how it acts on a mismatching prototype, which could cause a false + positive. + +- [Petr Písař brought this change] + + Pass password to OpenSSL engine by user interface - http://curl.haxx.se/mail/lib-2013-01/0048.html + Recent OpenSSL uses user interface abstraction to negotiate access to + private keys in the cryprographical engines. An OpenSSL application is + expected to implement the user interface. Otherwise a default one + provided by OpenSSL (interactive standard I/O) will be used and the + aplication will have no way how to pass a password to the engine. - Confirmation summary: + Longer-desc: http://curl.haxx.se/mail/lib-2013-08/0265.html + +- urlglob: improved error messages and column number on bad use - http://curl.haxx.se/mail/lib-2013-01/0079.html + Introduce a convenience macro and keep of the column better so that it + can point out the offending column better. - NOTICE: The list of 2 files that have been modified by other - intermixed commits, while renamed, and also by at least one - of the 6 commits this one reverts follows below. These 2 files - will exhibit a hole in history unless git's '--follow' option - is used when viewing logs. + Updated test 75 accordingly. + +- urlglob: avoid error code translation - lib/curl_imap.h - lib/curl_smtp.h + By using the correct values from the start we don't have to translate + them! -Daniel Stenberg (6 Jan 2013) -- mk-ca-bundle.1: convert syntax to what's used elsewhere +- urlglob: avoid NULL pointer dereference - ... mostly to make sure roffit works better on it, but also to make our - man pages use a more unified style. + Thanks to clang-analyzer + +- [Gisle Vanem brought this change] -- mk-ca-bundle.1: mention new -f, fix outputfile output + http2: use correct include for snprintf - also edited a few sentences to become more verbose + Using the first little merge of nghttp2 into libcurl, I stumbeled on the + missing 'snprintf' in MSVCRT. Isn't this how we do it for other libcurl + files? I.e. use 'curl_msnprintf' and not 'snprintf' directly: -- mk-ca-bundle: add -f, support passing to stdout and more +- --data: mention CRLF treatment when reading from file + +- [Geoff Beier brought this change] + + LDAP: fix bad free() when URL parsing failed - 1. When the downloaded data file from Mozilla is current, but the output - bundle does not exist: continue processing to create the bundle. The - goal is to have the output file - not just download the latest input. + When an error occurs parsing an LDAP URL, The ludp->lud_attrs[i] entries + could be freed even though they sometimes point to data within an + allocated area. - 2. added -f option to force re-processing the file. Useful for - debugging/testing the process. + This change introduces a lud_attrs_dup[] array for the duplicated string + pointers, and it removes the unused lud_exts array. - 3. added support for output to '-' (stdout), allowing the output to be - piped. + Bug: http://curl.haxx.se/mail/lib-2013-08/0209.html + +Nick Zitzmann (5 Sep 2013) +- darwinssl: add support for PKCS#12 files for client authentication - 4. All progress and error messages go to STDERR rather than STDOUT (3) + I also documented the fact that the OpenSSL engine also supports them. + +Daniel Stenberg (5 Sep 2013) +- symbols: added HTTP2 symbols and sorted list - 5. The script opened and closed the output file many times - unnecessarily. It now opens it once, does the output and closes it. + CURL_HTTP_VERSION_2_0 and CURL_VERSION_HTTP2 are new + +- configure: add HTTP2 as a curl-config --feature output - 6. Backup of the input files happens after successful processing, not - before. + Fixes the test 1014 failure + +- curl: unbreak --http1.0 again - 7. The output is written to a temporary file, and renamed to the - requested name after backup - this greatly reduces the window where the - file can be seen partially written. + I broke it in 2eabb7d590 + +- SASL: fix compiler warnings - 8. all die calls have a \n at the end to suppress perl's traceback - the - traceback isn't useful to end users. + comparison between signed and unsigned integer expressions - Patch: http://curl.haxx.se/mail/lib-2013-01/0045.html + suggest parentheses around '&&' within '||' (twice) -Yang Tse (5 Jan 2013) -- imap test server: fix typo in name of SELECT_imap() sub definition - - IMAP test server breaking typo introduced with commit b708a522a1 +- curl: add --http1.1 and --http2.0 options -Steve Holme (4 Jan 2013) -- imap test server: Added support for the CAPABILITY command - - Added support for the CAPABILITY command in preparation of upcoming - changes. - -Daniel Stenberg (3 Jan 2013) -- writeout: -w now supports remote_ip/port and local_ip/port - - Added mention to the curl.1 man page. - - Test case 1223 verifies remote_ip/port. - -Yang Tse (3 Jan 2013) -- test 1222: 8 chars object name generation && test 1221: adjustments - -Daniel Stenberg (3 Jan 2013) -- INTERNALS: remove "footnote" never used - -Yang Tse (3 Jan 2013) -- build: commit 13606bbfde follow-up 1 - -Daniel Stenberg (3 Jan 2013) -- FAQ: Can I write a server with libcurl? - -Yang Tse (3 Jan 2013) -- build: rename 93 lib/*.c files - - 93 lib/*.c source files renamed to use our standard naming scheme. - - This commit only does the file renaming. - - ---------------------------------------- - - renamed: lib/amigaos.c -> lib/curl_amigaos.c - renamed: lib/asyn-ares.c -> lib/curl_asyn_ares.c - renamed: lib/asyn-thread.c -> lib/curl_asyn_thread.c - renamed: lib/axtls.c -> lib/curl_axtls.c - renamed: lib/base64.c -> lib/curl_base64.c - renamed: lib/bundles.c -> lib/curl_bundles.c - renamed: lib/conncache.c -> lib/curl_conncache.c - renamed: lib/connect.c -> lib/curl_connect.c - renamed: lib/content_encoding.c -> lib/curl_content_encoding.c - renamed: lib/cookie.c -> lib/curl_cookie.c - renamed: lib/cyassl.c -> lib/curl_cyassl.c - renamed: lib/dict.c -> lib/curl_dict.c - renamed: lib/easy.c -> lib/curl_easy.c - renamed: lib/escape.c -> lib/curl_escape.c - renamed: lib/file.c -> lib/curl_file.c - renamed: lib/fileinfo.c -> lib/curl_fileinfo.c - renamed: lib/formdata.c -> lib/curl_formdata.c - renamed: lib/ftp.c -> lib/curl_ftp.c - renamed: lib/ftplistparser.c -> lib/curl_ftplistparser.c - renamed: lib/getenv.c -> lib/curl_getenv.c - renamed: lib/getinfo.c -> lib/curl_getinfo.c - renamed: lib/gopher.c -> lib/curl_gopher.c - renamed: lib/gtls.c -> lib/curl_gtls.c - renamed: lib/hash.c -> lib/curl_hash.c - renamed: lib/hmac.c -> lib/curl_hmac.c - renamed: lib/hostasyn.c -> lib/curl_hostasyn.c - renamed: lib/hostcheck.c -> lib/curl_hostcheck.c - renamed: lib/hostip.c -> lib/curl_hostip.c - renamed: lib/hostip4.c -> lib/curl_hostip4.c - renamed: lib/hostip6.c -> lib/curl_hostip6.c - renamed: lib/hostsyn.c -> lib/curl_hostsyn.c - renamed: lib/http.c -> lib/curl_http.c - renamed: lib/http_chunks.c -> lib/curl_http_chunks.c - renamed: lib/http_digest.c -> lib/curl_http_digest.c - renamed: lib/http_negotiate.c -> lib/curl_http_negotiate.c - renamed: lib/http_negotiate_sspi.c -> lib/curl_http_negotiate_sspi.c - renamed: lib/http_proxy.c -> lib/curl_http_proxy.c - renamed: lib/idn_win32.c -> lib/curl_idn_win32.c - renamed: lib/if2ip.c -> lib/curl_if2ip.c - renamed: lib/imap.c -> lib/curl_imap.c - renamed: lib/inet_ntop.c -> lib/curl_inet_ntop.c - renamed: lib/inet_pton.c -> lib/curl_inet_pton.c - renamed: lib/krb4.c -> lib/curl_krb4.c - renamed: lib/krb5.c -> lib/curl_krb5.c - renamed: lib/ldap.c -> lib/curl_ldap.c - renamed: lib/llist.c -> lib/curl_llist.c - renamed: lib/md4.c -> lib/curl_md4.c - renamed: lib/md5.c -> lib/curl_md5.c - renamed: lib/memdebug.c -> lib/curl_memdebug.c - renamed: lib/mprintf.c -> lib/curl_mprintf.c - renamed: lib/multi.c -> lib/curl_multi.c - renamed: lib/netrc.c -> lib/curl_netrc.c - renamed: lib/non-ascii.c -> lib/curl_non_ascii.c - renamed: lib/curl_non-ascii.h -> lib/curl_non_ascii.h - renamed: lib/nonblock.c -> lib/curl_nonblock.c - renamed: lib/nss.c -> lib/curl_nss.c - renamed: lib/nwlib.c -> lib/curl_nwlib.c - renamed: lib/nwos.c -> lib/curl_nwos.c - renamed: lib/openldap.c -> lib/curl_openldap.c - renamed: lib/parsedate.c -> lib/curl_parsedate.c - renamed: lib/pingpong.c -> lib/curl_pingpong.c - renamed: lib/polarssl.c -> lib/curl_polarssl.c - renamed: lib/pop3.c -> lib/curl_pop3.c - renamed: lib/progress.c -> lib/curl_progress.c - renamed: lib/qssl.c -> lib/curl_qssl.c - renamed: lib/rawstr.c -> lib/curl_rawstr.c - renamed: lib/rtsp.c -> lib/curl_rtsp.c - renamed: lib/security.c -> lib/curl_security.c - renamed: lib/select.c -> lib/curl_select.c - renamed: lib/sendf.c -> lib/curl_sendf.c - renamed: lib/share.c -> lib/curl_share.c - renamed: lib/slist.c -> lib/curl_slist.c - renamed: lib/smtp.c -> lib/curl_smtp.c - renamed: lib/socks.c -> lib/curl_socks.c - renamed: lib/socks_gssapi.c -> lib/curl_socks_gssapi.c - renamed: lib/socks_sspi.c -> lib/curl_socks_sspi.c - renamed: lib/speedcheck.c -> lib/curl_speedcheck.c - renamed: lib/splay.c -> lib/curl_splay.c - renamed: lib/ssh.c -> lib/curl_ssh.c - renamed: lib/sslgen.c -> lib/curl_sslgen.c - renamed: lib/ssluse.c -> lib/curl_ssluse.c - renamed: lib/strdup.c -> lib/curl_strdup.c - renamed: lib/strequal.c -> lib/curl_strequal.c - renamed: lib/strerror.c -> lib/curl_strerror.c - renamed: lib/strtok.c -> lib/curl_strtok.c - renamed: lib/strtoofft.c -> lib/curl_strtoofft.c - renamed: lib/telnet.c -> lib/curl_telnet.c - renamed: lib/tftp.c -> lib/curl_tftp.c - renamed: lib/timeval.c -> lib/curl_timeval.c - renamed: lib/transfer.c -> lib/curl_transfer.c - renamed: lib/url.c -> lib/curl_url.c - renamed: lib/version.c -> lib/curl_version.c - renamed: lib/warnless.c -> lib/curl_warnless.c - renamed: lib/wildcard.c -> lib/curl_wildcard.c - - ---------------------------------------- - -- build: make use of 93 lib/*.c renamed files - - 93 *.c source files renamed to use our standard naming scheme. - - This change affects 77 files in libcurl's source tree. - -Daniel Stenberg (3 Jan 2013) -- INSTALL: unify the SSL library texts - - Make them smaller and more similar for each separate SSL library - supported by the configure build - -Yang Tse (2 Jan 2013) -- curl_setup.h: remove redundant include guard - -- build and tests: curl_10char_object_name() shell function - - lib/objnames.inc provides definition of curl_10char_object_name() shell - function. The intended purpose of this function is to transliterate a - (*.c) source file name that may be longer than 10 characters, or not, - into a string with at most 10 characters which may be used as an OS/400 - object name. - - Test case 1221 does unit testng of this function and also verifies - that it is possible to generate distinct short object names for all - curl and libcurl *.c source file names. - - lib/objnames-test.sh is the shell script used for test case 1221. - - tests/runtests.pl modified to accept shell script test cases. - - More details inside lib/objnames.inc and lib/objnames-test.sh +- Curl_setopt: refuse CURL_HTTP_VERSION_2_0 if built without support -- configure.ac: replace AM_CONFIG_HEADER with AC_CONFIG_HEADERS - - automake 1.13 errors if AM_CONFIG_HEADER is used in configure script. - automake 1.13 no longer autoupdates AM_CONFIG_HEADER to - AC_CONFIG_HEADERS, thing which automake has been doing since automake - version 1.7 +- http2: add http2.[ch] and add nghttp2 version output + +- curl -V: output HTTP2 as a feature if present + +- curl.h: add CURL_VERSION_HTTP2 as a feature - Given that our first automake supported version is automake 1.7, - simply replacing AM_CONFIG_HEADER usage with AC_CONFIG_HEADERS seems - enough to yet support same automake versions. + It isn't added as a separate protocol as HTTP2 will be done over HTTP:// + URLs that can be upgraded to HTTP2 if the server supports it as well. + +Steve Holme (4 Sep 2013) +- imap/smtp: Fixed incorrect SASL mechanism selection with XOAUTH2 servers - Dave Reisner reported issue with 1.13 and provided patch. + XOAUTH2 would be selected in preference to LOGIN and PLAIN if the IMAP + or SMTP server advertised support for it even though a user's password + was supplied but bearer token wasn't. - http://curl.haxx.se/mail/lib-2012-12/0246.html + Modified the selection logic so that XOAUTH2 will only be selected if + the server supports it and A) The curl user/libcurl programmer has + specifically asked for XOAUTH via the ;AUTH=XOAUTH login option or 2) + The bearer token is specified. Obviously if XOAUTH is asked for via + the login option but no token is specified the user will receive a + authentication failure which makes more sense than no known + authentication mechanisms supported! -- curl-override.m4: provide AC_CONFIG_MACRO_DIR definition conditionally +Daniel Stenberg (4 Sep 2013) +- curl.h: added CURL_HTTP_VERSION_2_0 - Provide a 'traceable' AC_CONFIG_MACRO_DIR definition only when using - an autoconf version that does not provide it, instead of what we were - doing up to now of providing and overriding AC_CONFIG_MACRO_DIR for - all autoconf versions. + Initial library considerations documented in lib/README.http2 -Steve Holme (30 Dec 2012) -- imap.c: Minor follow up tidy up +- configure: added --with-nghttp2 -- imap: Code tidy up prior to adding support for the CAPABILITY command +- acinclude: fix --without-ca-path when cross-compiling - * Changing the order of the state machine to represent the order in - which commands are sent to the server. + The commit 7b074a460b64811 to CURL_CHECK_CA_BUNDLE in 7.31 (don't check + for paths when cross-compiling) causes --without-ca-path to no longer + works when cross-compiling, since ca and capath only ever get set to + "no" when not cross-compiling, I attach a patch that works for me. Also + in the cross-compilation case, no ca-path seems to be a better default + (IMVHO) than empty ca-path. - * Reworking the imap_endofresp() function as the FETCH response doesn't - include the command id and shouldn't be part of the length comparison - that takes into account the id string. + Bug: http://curl.haxx.se/bug/view.cgi?id=1273 + Patch-by: Stefan Neis -- pop3_doing: Applied debug info message when function fails +Steve Holme (2 Sep 2013) +- lib1512.c: Fixed compilation warning + + An enumerated type is mixed with another type. - Applied the same debug message as used in smtp_doing() and imap_doing() - when pop3_multi_statemach() fails. + ...as well as a small coding style error. -- imap_doing: don't call imap_dophase_done() if already failed +Guenter Knauf (1 Sep 2013) +- Killed warning 'res' might be used uninitialized. + +Steve Holme (1 Sep 2013) +- url.c: Fixed compilation warning - Applied the POP3 fix from commit 2897ce7dc2e1 so imap_dophase_done() - isn't called if imap_multi_statemach() fails. + An enumerated type is mixed with another type -- smtp_doing: don't call smtp_dophase_done() if already failed +- easy.c: Fixed compilation warning - Applied the POP3 fix from commit 2897ce7dc2e1 so smtp_dophase_done() - isn't called if smtp_multi_statemach() fails. + warning: `code' might be used uninitialized in this function -Yang Tse (29 Dec 2012) -- examples/certinfo.c: fix compiler warning +Daniel Stenberg (31 Aug 2013) +- -x: rephrased the --proxy section somewhat -Steve Holme (29 Dec 2012) -- pop3.c: Removed unnecessary POP3_STOP state changes - - Removed unnecessary state changes in pop3_state_starttls_resp() - following previous fix in IMAP module. +Steve Holme (31 Aug 2013) +- tests: Added test for IMAP CHECK command -- smtp.c: Added extra comments around SMTP_STOP state change - - Provided extra comments in the SMTP module following previous IMAP fix. +- ftpserver.pl: Added support for the IMAP CHECK command -- imap.c: Fixed bad state error when logging in with invalid credentials - - Fixed a problem with the state machine when attempting to log in with - invalid credentials. The server would report login failure but libcurl - would not read the response due to inappropriate IMAP_STOP states being - set after the login was sent. +Guenter Knauf (31 Aug 2013) +- Removed reference to krb4.c. -Yang Tse (29 Dec 2012) -- imap.c: remove trailing whitespace +Steve Holme (31 Aug 2013) +- ftpserver.pl: Corrected flawed logic in commit 1ca6ed7b75cad0 -Steve Holme (28 Dec 2012) -- imap.c: Code tidy up - Part 2 - -- imap.c: Code tidy up - Part 1 - - Applied some of the comment and layout changes that had already been - applied to the pop3 and smtp code over the last 6 to 9 months. - - This is in preparation of adding SASL based authentication. - -- pop3.c: Minor code tidy up - - Minor tidy up of comments and layout prior to next part of imap work. - -- smtp: Minor code tidy up - - Minor tidy up of comments and layout prior to next part of imap work. - -- curl_imap.h: Tidy up of comments to be more readable - -- imap.c: Code tidy up renaming imapsendf() to imap_sendf() +- imap: Fixed response check for EXPUNGE command + +- ftpserver.pl: Added argument check to IMAP command handlers - Renamed imapsendf() to imap_sendf() to be more in keeping with the - other imap functions as well as Curl_pp_sendf() that it replaces. - -Yang Tse (28 Dec 2012) -- build: rename 76 lib/*.h files - - 76 private header files renamed to use our standard naming scheme. - - This commit only does the file renaming. - - ---------------------------------------- + Added BAD argument check to the following IMAP command handlers: - renamed: amigaos.h -> curl_amigaos.h - renamed: arpa_telnet.h -> curl_arpa_telnet.h - renamed: asyn.h -> curl_asyn.h - renamed: axtls.h -> curl_axtls.h - renamed: bundles.h -> curl_bundles.h - renamed: conncache.h -> curl_conncache.h - renamed: connect.h -> curl_connect.h - renamed: content_encoding.h -> curl_content_encoding.h - renamed: cookie.h -> curl_cookie.h - renamed: cyassl.h -> curl_cyassl.h - renamed: dict.h -> curl_dict.h - renamed: easyif.h -> curl_easyif.h - renamed: escape.h -> curl_escape.h - renamed: file.h -> curl_file.h - renamed: fileinfo.h -> curl_fileinfo.h - renamed: formdata.h -> curl_formdata.h - renamed: ftp.h -> curl_ftp.h - renamed: ftplistparser.h -> curl_ftplistparser.h - renamed: getinfo.h -> curl_getinfo.h - renamed: gopher.h -> curl_gopher.h - renamed: gtls.h -> curl_gtls.h - renamed: hash.h -> curl_hash.h - renamed: hostcheck.h -> curl_hostcheck.h - renamed: hostip.h -> curl_hostip.h - renamed: http.h -> curl_http.h - renamed: http_chunks.h -> curl_http_chunks.h - renamed: http_digest.h -> curl_http_digest.h - renamed: http_negotiate.h -> curl_http_negotiate.h - renamed: http_proxy.h -> curl_http_proxy.h - renamed: if2ip.h -> curl_if2ip.h - renamed: imap.h -> curl_imap.h - renamed: inet_ntop.h -> curl_inet_ntop.h - renamed: inet_pton.h -> curl_inet_pton.h - renamed: krb4.h -> curl_krb4.h - renamed: llist.h -> curl_llist.h - renamed: memdebug.h -> curl_memdebug.h - renamed: multiif.h -> curl_multiif.h - renamed: netrc.h -> curl_netrc.h - renamed: non-ascii.h -> curl_non-ascii.h - renamed: nonblock.h -> curl_nonblock.h - renamed: nssg.h -> curl_nssg.h - renamed: parsedate.h -> curl_parsedate.h - renamed: pingpong.h -> curl_pingpong.h - renamed: polarssl.h -> curl_polarssl.h - renamed: pop3.h -> curl_pop3.h - renamed: progress.h -> curl_progress.h - renamed: qssl.h -> curl_qssl.h - renamed: rawstr.h -> curl_rawstr.h - renamed: rtsp.h -> curl_rtsp.h - renamed: select.h -> curl_select.h - renamed: sendf.h -> curl_sendf.h - renamed: setup.h -> curl_setup.h - renamed: setup_once.h -> curl_setup_once.h - renamed: share.h -> curl_share.h - renamed: slist.h -> curl_slist.h - renamed: smtp.h -> curl_smtp.h - renamed: sockaddr.h -> curl_sockaddr.h - renamed: socks.h -> curl_socks.h - renamed: speedcheck.h -> curl_speedcheck.h - renamed: splay.h -> curl_splay.h - renamed: ssh.h -> curl_ssh.h - renamed: sslgen.h -> curl_sslgen.h - renamed: ssluse.h -> curl_ssluse.h - renamed: strdup.h -> curl_strdup.h - renamed: strequal.h -> curl_strequal.h - renamed: strerror.h -> curl_strerror.h - renamed: strtok.h -> curl_strtok.h - renamed: strtoofft.h -> curl_strtoofft.h - renamed: telnet.h -> curl_telnet.h - renamed: tftp.h -> curl_tftp.h - renamed: timeval.h -> curl_timeval.h - renamed: transfer.h -> curl_transfer.h - renamed: url.h -> curl_url.h - renamed: urldata.h -> curl_urldata.h - renamed: warnless.h -> curl_warnless.h - renamed: wildcard.h -> curl_wildcard.h + APPEND, STORE, LIST, EXAMINE, STATUS and SEARCH + +- ftpserver.pl: More whitespace corrections - ---------------------------------------- - -- build: make use of 76 lib/*.h renamed files - - 76 private header files renamed to use our standard naming scheme. - - This change affects 322 files in libcurl's source tree. - -- lib/*.h: use our standard naming scheme for header inclusion guards - -Steve Holme (28 Dec 2012) -- imsp.c: Fixed usernames and passwords that contain escape characters - - Fixed a problem with sending usernames and passwords that contain - backslash, quotation mark and space characters. - -Daniel Stenberg (27 Dec 2012) -- curl.1: extend the -X, --request description - -- RELEASE-NOTES: synced with e3ed2b82e6 - -- [Nick Zitzmann brought this change] - - darwinssl: Fixed inability to disable peer verification - - ... on Snow Leopard and Lion - - Snow Leopard introduced the SSLSetSessionOption() function, but it - doesn't disable peer verification as expected on Snow Leopard or - Lion (it works as expected in Mountain Lion). So we now use sysctl() - to detect whether or not the user is using Snow Leopard or Lion, - and if that's the case, then we now use the deprecated - SSLSetEnableCertVerify() function instead to disable peer verification. - -Yang Tse (26 Dec 2012) -- curl tool: rename hugehelp files to tool_hugehelp - -- curl tool: renaming hugehelp files to tool_hugehelp - -- sockfilt.c: commit b44da5a82a follow-up 2 - -- sockfilt.c: commit b44da5a82a follow-up - -- sockfilt.c: fix some compiler warnings + LIST_imap() had a second level of indentation at 9 characters and not 8. -- curl_multi_remove_handle: commit 0aabfd9963 follow-up +- ftpserver.pl: Small correction tidy up + + Corrected some IMAP variable names and whitespace issues. -Daniel Stenberg (25 Dec 2012) -- lib556: enable VERBOSE to ease debugging on failures +- [Kyle L. Huff brought this change] -Marc Hoersken (25 Dec 2012) -- socklift.c: Quick fix to re-add missing code + docs: Added documentation for CURLOPT_BEARER -- socklift.c: Added select_ws function to support Windows - - WinSock select() does not support standard file descriptors, - it can only check SOCKETs. The following function is an attempt - to create a select() function with support for other handles. +- [Kyle L. Huff brought this change] -Yang Tse (25 Dec 2012) -- Enable tests 1503, 1504 and 1505 + curl.1: Add usage of '--bearer' option -- curl_multi_remove_handle: fix memory leak triggered with CURLOPT_RESOLVE +- tests: Added tests for IMAP CREATE, DELETE and RENAME commands -- Curl_hash_clean: OOM handling fix +Daniel Stenberg (30 Aug 2013) +- ftpserver: Bareword "to_mailbox" not allowed + + Added missing $ -- test 1504 and 1505: same as 1502 but with different cleanup sequences +Steve Holme (30 Aug 2013) +- ftpserver.pl: Added support for IMAP CREATE, DELETE and RENAME commands -Daniel Stenberg (24 Dec 2012) -- Curl_conncache_foreach: allow callback to break loop +Daniel Stenberg (29 Aug 2013) +- FTP: fix getsock during DO_MORE state - ... and have it take a proper 'struct connectdata *' as first argument + ... when doing upload it would return the wrong values at times. This + commit attempts to cleanup the mess. + + Bug: http://curl.haxx.se/mail/lib-2013-08/0109.html + Reported-by: Mike Mio -- pop3_doing: don't call pop3_dophase_done() if already failed +- curl_multi_remove_handle: allow multiple removes - ... it also clobbered the 'result' return value so that it wouldn't - return the error back to the parent function properly, which broke test - 809 when run with 'multi-always'. + When removing an already removed handle, avoid that to ruin the + internals and just return OK instead. -Yang Tse (23 Dec 2012) -- test 1503: same as 1502 but with a different cleanup sequence +Steve Holme (29 Aug 2013) +- ftpserver.pl: Updated IMAP EXAMINE handler to use dynamic test data -- test 1502: OOM handling fixes +Daniel Stenberg (29 Aug 2013) +- unit1304: include memdebug and free everything correctly -- curl_multi_wait: OOM handling fix +- Curl_parsenetrc: document that the arguments must be allocated -- [Daniel Stenberg brought this change] +- easy: rename struct monitor to socketmonitor + + 'struct monitor', introduced in 6cf8413e, already exists in an IRIX + header file (sys/mon.h) which gets included via various standard headers + by lib/easy.c + + cc-1101 cc: ERROR File = ../../curl/lib/easy.c, Line = 458 + "monitor" has already been declared in the current scope. + + Reported-by: Tor Arntsen - curl_multi_wait: avoid an unnecessary memory allocation +Steve Holme (29 Aug 2013) +- ftpserver.pl: Added SELECT check to IMAP FETCH and STORE handlers -- runtests.pl: prepend $srcdir to HTTPTLS server config files path +- ftpserver.pl: Corrected accidental move of logmsg() call + + Corrected the call to logmsg() in the IMAP SEARCH handler from commit + 4ae7b7ea691497 as it should have been outputting the what argument and + not the test number. -- multi.c: OOM handling fix +Daniel Stenberg (28 Aug 2013) +- ftpserver: add missing '}' from 4ae7b7ea69149 -- lib543.c: OOM handling fixes +Steve Holme (28 Aug 2013) +- ftpserver.pl: Added SELECT check to IMAP SEARCH command -- configure: add internal sanity check (warn only) on vars for makefiles +- ftpserver.pl: Fixed IMAP SEARCH command -Daniel Stenberg (21 Dec 2012) -- SCP: relative path didn't work - - When prefixing a path with /~/ it is supposed to be used relative to the - user's home directory but it didn't work. Now we cut off the entire - three byte sequenct "/~/" which seems to be how OpenSSH does it. - - Bug: http://curl.haxx.se/bug/view.cgi?id=1173 - Reported by: Balaji Parasuram +Daniel Stenberg (28 Aug 2013) +- bump: next release is 7.33.0 due to added features -Yang Tse (21 Dec 2012) -- configure: LIBMETALINK_CFLAGS actually is LIBMETALINK_CPPFLAGS +- symbols-in-versions: add CURLOPT_XOAUTH2_BEARER -- configure: add minimal sanity check on user provided CFLAGS and CPPFLAGS +Steve Holme (28 Aug 2013) +- tests: Added test for IMAP SEARCH command -- bundles connection caching: some out of memory handling fixes +Daniel Stenberg (28 Aug 2013) +- valgrind.supp: fix for regular curl_easy_perform too + + When we introduced curl_easy_perform_ev, this got a slightly modified + call trace. Without this, test 165 causes a false positive valgrind + error. -- libntlmconnect.c: fix compiler warnings and OOM handling +- valgrind.supp: add the event-based call stack-trace too + + Without this, test 165 triggers a valgrind error when ran with + curl_easy_perform_ev -- configure.ac: clear local test intended variables before use +- multi_socket: improved 100-continue timeout handling + + When waiting for a 100-continue response from the server, the + Curl_readwrite() will refuse to run if called until the timeout has been + reached. + + We timeout code in multi_socket() allows code to run slightly before the + actual timeout time, so for test 154 it could lead to the function being + executed but refused in Curl_readwrite() and then the application would + just sit idling forever. + + This was detected with runtests.pl -e on test 154. -- VC6 IDE: link with advapi32.lib when using WIN32 crypto API (md5.c) +Steve Holme (27 Aug 2013) +- ftpserver.pl: Added support for IMAP SEARCH command -- curl-functions.m4: improve gethostname arg 2 data type check +- tool_operate.c: Fixed compilation warning + + warning: implicit declaration of function 'checkpasswd' -- setup_once.h: HP-UX specific 'bool', 'false' and 'true' definitions. +- curl: Moved check for password out of get parameter loop - Also reverts commit f254c59dc7 + Moved the calls to checkpasswd() out of the getparameter() function + which allows for any related arguments to be specified on the command + line before or after --user (and --proxy-user). + + For example: --bearer doesn't need to be specified before --user to + prevent curl from asking for an unnecessary password as is the case + with commit e7dcc454c67a2f. -- configure: check if compiler halts on function prototype mismatch +- RELEASE-NOTES: synced with acf59be7f09a7 -- warnless.c: fix compiler warnings +- [Kyle L. Huff brought this change] -- curl-functions.m4: add gethostname arg 2 data type check and definition + curl: added --bearer option to help + + Added the --bearer option to the help output -Daniel Stenberg (14 Dec 2012) -- [Nick Zitzmann brought this change] +- [Kyle L. Huff brought this change] - darwinssl: Fix implicit conversion compiler warnings + curl: added basic SASL XOAUTH2 support - The Clang compiler found a few implicit conversion problems that have - now been fixed. - -Yang Tse (14 Dec 2012) -- setup_once.h: HP-UX <sys/socket.h> issue workaround + Added the ability to specify an XOAUTH2 bearer token [RFC6750] via the + --bearer option. - Issue: When building a 32bit target with large file support HP-UX - <sys/socket.h> header file may simultaneously provide two different - sets of declarations for sendfile and sendpath functions, one with - static and another with external linkage. Given that we do not use - mentioned functions we really don't care which linkage is the - appropriate one, but on the other hand, the double declaration emmits - warnings when using the HP-UX compiler and errors when using modern - gcc versions resulting in fatal compilation errors. + Example usage: + curl --url "imaps://imap.gmail.com:993/INBOX/;UID=1" --ssl-reqd + --bearer ya29.AHES6Z...OMfsHYI --user username@example.com + +- tool_urlglob.c: Fixed compiler warnings - Mentioned issue is now fixed as long as we don't use sendfile nor - sendpath functions. + warning: 'variable' may be used uninitialized in this function -- setup_once.h: refactor inclusion of <unistd.h> and <sys/socket.h> +Daniel Stenberg (26 Aug 2013) +- security.h: rename to curl_sec.h to avoid name collision - Inclusion of top two most included header files now done in setup_once.h + I brought back security.h in commit bb5529331334e. As we actually + already found out back in 2005 in commit 62970da675249, the file name + security.h causes problems so I renamed it curl_sec.h instead. -- setup_once.h: HP-UX specific TRUE and FALSE definitions +- runtests.pl: allow -vc point to a separate curl binary to verify with - Some HP-UX system headers require TRUE defined to 1 and FALSE to 0. + The specified curl binary will then be used to verify the running + server(s) instead of the development version. This is very useful in + some cases when the development version fails to verify correctly as + then the test case may not run at all. + + The actual test will still be run with the "normal" curl executable + (unless the test case specifies something differently). + +Steve Holme (26 Aug 2013) +- [Kyle L. Huff brought this change] -Daniel Stenberg (12 Dec 2012) -- gopher: #include cleanup + smtp: added basic SASL XOAUTH2 support - Remove all system file includes from this file as they're not needed + Added the ability to use an XOAUTH2 bearer token [RFC6750] with SMTP for + authentication using RFC6749 "OAuth 2.0 Authorization Framework". - Reported by: Dan Fandrich + The bearer token is expected to be valid for the user specified in + conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has + an advertised auth mechanism of "XOAUTH2", the user and access token are + formatted as a base64 encoded string and sent to the server as + "AUTH XOAUTH2 <bearer token>". -Yang Tse (11 Dec 2012) -- examples/simplessl.c: fix compiler warning +- [Kyle L. Huff brought this change] -- examples/externalsocket.c: fix SunPro compilation issue + imap: added basic SASL XOAUTH2 support + + Added the ability to use an XOAUTH2 bearer token [RFC6750] with IMAP for + authentication using RFC6749 "OAuth 2.0 Authorization Framework". + + The bearer token is expected to be valid for the user specified in + conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has + an advertised auth mechanism of "XOAUTH2", the user and access token are + formatted as a base64 encoded string and sent to the server as + "A001 AUTHENTICATE XOAUTH2 <bearer token>". -- examples/simplessl.c: fix compiler warning +- security.h: Fixed compilation warning + + ISO C forbids forward references to 'enum' types -- build: add bundles and conncache files to other build systems +Daniel Stenberg (26 Aug 2013) +- KNOWN_BUGS: refer to bug numbers with the existing number series + + The old numbers would still redirect but who knows for how long... -- conncache: fix enumerated type mixed with another type +Steve Holme (25 Aug 2013) +- [Kyle L. Huff brought this change] -- examples/anyauthput.c: fix Tru64 compilation issue + options: added basic SASL XOAUTH2 support + + Added the ability to specify an XOAUTH2 bearer token [RFC6750] via the + option CURLOPT_XOAUTH2_BEARER for authentication using RFC6749 "OAuth + 2.0 Authorization Framework". -Daniel Stenberg (8 Dec 2012) -- [Colin Watson brought this change] +- [Kyle L. Huff brought this change] - configure: fix cross pkg-config detection + sasl: added basic SASL XOAUTH2 support - When cross-compiling, CURL_CHECK_PKGCONFIG was checking for the cross - pkg-config using ${host}-pkg-config. + Added the ability to generated a base64 encoded XOAUTH2 token + containing: "user=<username>^Aauth=Bearer <bearer token>^A^A" + as per RFC6749 "OAuth 2.0 Authorization Framework". + +Daniel Stenberg (25 Aug 2013) +- FTP: remove krb4 support - The gold standard for doing this correctly is pkg-config's own macro, - PKG_PROG_PKG_CONFIG. However, on the assumption that you have a good - reason not to use that directly (reduced dependencies for maintainer - builds?), the behaviour of cURL's version should at least match. - PKG_PROG_PKG_CONFIG uses AC_PATH_TOOL, which ultimately ends up trying - ${host_alias}-pkg-config; this is not quite the same as what cURL does, - and may differ because ${host} has been run through config.sub. For - instance, when cross-building to the armhf architecture on Ubuntu, - ${host_alias} is arm-linux-gnueabihf while ${host} is - arm-unknown-linux-gnueabihf. This may also have been the cause of the - problem reported at http://curl.haxx.se/mail/lib-2012-04/0224.html. + We've announced this pending removal for a long time and we've + repeatedly asked if anyone would care or if anyone objects. Nobody has + objected. It has probably not even been working for a good while since + nobody has tested/used this code recently. - AC_PATH_TOOL is significantly simpler than cURL's current code, and - dates back to well before the current minimum of Autoconf 2.57, so let's - use it instead. + The stuff in krb4.h that was generic enough to be used by other sources + is now present in security.h -- [Linus Nielsen Feltzing brought this change] +- easy: define away easy_events() for non-debug builds - Introducing a new persistent connection caching system using "bundles". - - A bundle is a list of all persistent connections to the same host. - The connection cache consists of a hash of bundles, with the - hostname as the key. - The benefits may not be obvious, but they are two: +- FAQ: editorial updates - 1) Faster search for connections to reuse, since the hash - lookup only finds connections to the host in question. - 2) It lays out the groundworks for an upcoming patch, - which will introduce multiple HTTP pipelines. + Several language fixes. Several reformats that should make the HTML + generation of this document look better. - This patch also removes the awkward list of "closure handles", - which were needed to send QUIT commands to the FTP server - when closing a connection. - Now we allocate a separate closure handle and use that - one to close all connections. - - This has been tested in a live system for a few weeks, and of - course passes the test suite. + Reported-by: Dave Thompson -- [Fabian Keil brought this change] +- RELEASE-NOTES: synced with 22adb46a32bee - runtests and friends: Do not add undefined values to @INC +- multi: move on from STATE_DONE faster - On FreeBSD this fixes the warning: - Use of uninitialized value $p in string eq at /usr/local/lib/perl5/5.14.2/BSDPAN/BSDPAN.pm line 36. - -Steve Holme (5 Dec 2012) -- Merge pull request #52 from isn-/master + Make sure we always return CURLM_CALL_MULTI_PERFORM when we reach + CURLM_STATE_DONE since the state is transient and it can very well + continue executing as there is nothing to wait for. - small compilation fix + Bug: http://curl.haxx.se/mail/lib-2013-08/0211.html + Reported-by: Yi Huang -Stanislav Ivochkin (5 Dec 2012) -- build: fix compilation with CURL_DISABLE_CRYPTO_AUTH flag +- curl.h: name space pollution by "enum type" + + Renamed to "enum curl_khtype" now. Will break compilation for programs + that rely on the enum name. + + Bug: https://github.com/bagder/curl/pull/76 + Reported-by: Shawn Landden -Yang Tse (5 Dec 2012) -- libtest: fix some compiler warnings +- TFTP: make the CURLOPT_LOW_SPEED* options work + + ... this also makes sure that the progess callback gets called more + often during TFTP transfers. + + Added test 1238 to verify. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1269 + Reported-by: Jo3 -- examples: fix compilation issues - commit 7332a7cafb follow-up +- tftpd: support "writedelay" within <servercmd> -- examples: fix compilation issues - commit 23f8dca6fb follow-up +- tftpd: convert 6 global variables into local ones -- examples: fix compilation issues +- [Gisle Vanem brought this change] -- build: explain current role of LIBS in our Makefile.am files + curl_easy_perform_ev: make it CURL_EXTERN - BLANK_AT_MAKETIME may be used in our Makefile.am files to blank - LIBS variable used in generated makefile at makefile processing - time. Doing this functionally prevents LIBS from being used for - all link targets in given makefile. + I build curl.exe (using MingW) with '-DCURLDEBUG' and by importing from + libcurl.dll. Which means the new curl_easy_perform_ev() must be + exported from libcurl.dll. -Daniel Stenberg (4 Dec 2012) -- multi: fix re-sending request on early connection close +- CURLM_ADDED_ALREADY: new error code - This handling already works with the easy-interface code. When a request - is sent on a re-used connection that gets closed by the server at the - same time as the request is sent, the situation may occur so that we can - send the request and we discover the broken connection as a RECV_ERROR - in the PERFORM state and then the request needs to be retried on a fresh - connection. Test 64 broke with 'multi-always-internally'. + Doing curl_multi_add_handle() on an easy handle that is already added to + a multi handle now returns this error code. It previously returned + CURLM_BAD_EASY_HANDLE for this condition. -Yang Tse (4 Dec 2012) -- configure: add minimal sanity check on user provided LIBS and LDFLAGS +- multi_init: moved init code here from add_handle + + The closure_handle is "owned" by the multi handle and it is + unconditional so the setting up of it should be in the Curl_multi_handle + function rather than curl_multi_add_handle. -- build: prevent global LIBS from influencing src and lib build targets +- multi: remove dns cache creation code from *add_handle - Currently, LIBS is already used through other macros. + As it is done unconditionally in multi_init() this code will never run! -Kamil Dudka (3 Dec 2012) -- nss: prevent NSS from crashing on client auth hook failure +- curl_easy_perform_ev: debug/test function - Although it is not explicitly stated in the documentation, NSS uses - *pRetCert and *pRetKey even if the client authentication hook returns - a failure. Namely, if we destroy *pRetCert without clearing *pRetCert - afterwards, NSS destroys the certificate once again, which causes a - double free. + This function is meant to work *exactly* as curl_easy_perform() but will + use the event-based libcurl API internally instead of + curl_multi_perform(). To avoid relying on an actual event-based library + and to not use non-portable functions (like epoll or similar), there's a + rather inefficient emulation layer implemented on top of Curl_poll() + instead. - Reported by: Bob Relyea - -Yang Tse (30 Nov 2012) -- testcurl.pl: build example programs for several autobuilds + There's currently some convenience logging done in curl_easy_perform_ev + which helps when tracking down problems. They may be suitable to remove + or change once things seem to be fine enough. - Affected autobuilds: IRIX, AIX, Tru64 and AIX. + curl has a new --test-event option when built with debug enabled that + then uses curl_easy_perform_ev() instead of curl_easy_perform(). If + built without debug, using --test-event will only output a warning + message. + + NOTE: curl_easy_perform_ev() is not part if the public API on purpose. + It is only present in debug builds of libcurl and MUST NOT be considered + stable even then. Use it for libcurl-testing purposes only. + + runtests.pl now features an -e command line option that makes it use + --test-event for all curl command line tests. The man page is updated. -- build: prevent global LIBS from influencing examples build targets +- [Gisle Vanem brought this change] -- build: prevent global LIBS from influencing libtest build targets + transfer: the recent sessionhandle change broke CURL_DOES_CONVERSIONS -- build: prevent global LIBS from influencing test server build targets +- test1237: verify 1000+ letter user name + passwords -- build: fix Windows build targets damaged since commit 550e403f00 +- [Jonathan Nieder brought this change] -- build: avoid linkage of directly unused libraries + url: handle arbitrary-length username and password before '@' + + libcurl quietly truncates usernames, passwords, and options from + before an '@' sign in a URL to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) + characters to fit in fixed-size buffers on the stack. Allocate a + buffer large enough to fit the parsed fields on the fly instead to + support longer passwords. + + After this change, there are no more uses of MAX_CURL_OPTIONS_LENGTH + left, so stop defining that constant while at it. The hardcoded max + username and password length constants, on the other hand, are still + used in HTTP proxy credential handling (which this patch doesn't + touch). + + Reported-by: Colby Ranger -- dd missing NTLM feature for tests 2025, and 2028 to 2032 +- [Jonathan Nieder brought this change] + + url: handle exceptional cases first in parse_url_login() + + Instead of nesting "if(success)" blocks and leaving the reader in + suspense about what happens in the !success case, deal with failure + cases early, usually with a simple goto to clean up and return from + the function. + + No functional change intended. The main effect is to decrease the + indentation of this function slightly. -- avoid mixing of enumerated type with another type +- [Jonathan Nieder brought this change] -- multi.c: disambiguate precedence of bitwise and relational operation + Curl_setopt: handle arbitrary-length username and password + + libcurl truncates usernames, passwords, and options set with + curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters. + This doesn't affect the return value from curl_easy_setopt(), so from + the caller's point of view, there is no sign anything strange has + happened, except that authentication fails. + + For example: + + # Prepare a long (300-char) password. + s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s; + # Start a server. + nc -l -p 8888 | tee out & pid=$! + # Tell curl to pass the password to the server. + curl --user me:$s http://localhost:8888 & sleep 1; kill $pid + # Extract the password. + userpass=$( + awk '/Authorization: Basic/ {print $3}' <out | + tr -d '\r' | + base64 -d + ) + password=${userpass#me:} + echo ${#password} + + Expected result: 300 + Actual result: 255 + + The fix is simple: allocate appropriately sized buffers on the heap + instead of trying to squeeze the provided values into fixed-size + on-stack buffers. + + Bug: http://bugs.debian.org/719856 + Reported-by: Colby Ranger -Daniel Stenberg (26 Nov 2012) -- [Fabian Keil brought this change] +- [Jonathan Nieder brought this change] - Remove stray CRLF in chunk-encoded content-free request bodies + netrc: handle longer username and password - .. that are sent when auth-negotiating before a chunked - upload or when setting the 'Transfer-Encoding: chunked' - header and intentionally sending no content. + libcurl truncates usernames and passwords it reads from .netrc to + LOGINSIZE and PASSWORDSIZE (64) characters without any indication to + the user, to ensure the values returned from Curl_parsenetrc fit in a + caller-provided buffer. - Adjust test565 and test1333 accordingly. - -- FAQ: clarify the 3.4 section + Fix the interface by passing back dynamically allocated buffers + allocated to fit the user's input. The parser still relies on a + 256-character buffer to read each line, though. - You can do custom commands to FTP without sending anything by using the - CURLOPT_NOBODY, which -I sets. - -- [Lijo Antony brought this change] - - examples: Updated asiohiper.cpp to remove connect from opensocket + So now you can include an ~246-character password in your .netrc, + instead of the previous limit of 63 characters. - Blocking connect on the socket has been removed from opensocket - callback. opensocket just opens a new socket and gives it back to - libcurl and libcurl will take care of the connect. sockopt_callback has - also been removed, as it is no longer required. + Reported-by: Colby Ranger -Yang Tse (23 Nov 2012) -- build: fix AIX compilation and usage +- [Jonathan Nieder brought this change] + + url: allocate username, password, and options on the heap - AIX sys/poll.h header file defines 'events' and 'revents' as C - preprocessor macros. Usage of these literals in libcurl's external - API was introduced in commit de24d7bd4c causing AIX build failures. - Appropriate inclusion of sys/poll.h by libcurl's external interface - fixes AIX build and usage issues while avoiding a SONAME bump. + This makes it possible to increase the size of the buffers when needed + in later patches. No functional change yet. -Steve Holme (23 Nov 2012) -- DOCS: Updated CURLOPT_CONNECT_ONLY to reflect usage in other protocols +- [Jonathan Nieder brought this change] -Daniel Stenberg (23 Nov 2012) -- test: offer "automake" output and check for perl better + url: use goto in create_conn() for exception handling - runtests.pl -am now uses the "PASS/FAIL: [desc]" output for each - executed test. You can run 'make test-am' in the root build directory to - invoke that. The reason for this output style is to better allow generic - test suite parsers to also grok our test output. + Instead of remembering before each "return" statement which temporary + allocations, if any, need to be freed, take care to set pointers to + NULL when no longer needed and use a goto to a common block to exit + the function and free all temporaries. - The test Makefile now also tests that perl was indeed found and that the - PERL variable points to an executable before it tries to run the main - test perl script runtests.pl, + No functional change intended. Currently the only temporary buffer in + this function is "proxy" which is already correctly freed when + appropriate, but there will be more soon. -- [Fabian Keil brought this change] +- [Jonathan Nieder brought this change] - Test 206: Use a Content-Length header for the 407 response + sasl: allow arbitrarily long username and password - Otherwise curl would have to guess where the body ends. - -- [Fabian Keil brought this change] - - Test 206: Don't respond to a succesful CONNECT request with a body + Use appropriately sized buffers on the heap instead of fixed-size + buffers on the stack, to allow for longer usernames and passwords. - It's against the spec and caused test failures when header - and response were read from the network separately in which - case bug #39 wasn't triggered. - -- htmltitle: use .cpp extension for C++ examples + Callers never pass anything longer than MAX_CURL_USER_LENGTH (resp. + MAX_CURL_PASSWORD_LENGTH), so no functional change inteded yet. -- [Lijo Antony brought this change] +Steve Holme (19 Aug 2013) +- [Alex McLellan brought this change] - examples: Added a c++ example of using multi with boost::asio + imap: Fixed response check for SEARCH command - Added an example for demonstrating the usage of curl multi interface - with boost::asio in c++ + Adding this line allows libcurl to return the server response when + performing a search command via a custom request. -- VC Makefiles: add missing hostcheck +Daniel Stenberg (16 Aug 2013) +- glob: error out on range overflow - the newly introduced hostcheck.h/c is missing in the Visual Studio - Makefiles as obj file. + The new multiply() function detects range value overflows. 32bit + machines will overflow on a 32bit boundary while 64bit hosts support + ranges up to the full 64 bit range. - Bug: http://curl.haxx.se/mail/lib-2012-11/0176.html - -- compiler warning fixes + Added test 1236 to verify. - The conversions from ssize_t to int need to be typecasted. + Bug: http://curl.haxx.se/bug/view.cgi?id=1267 + Reported-by: Will Dietz -- bump: start working on 7.28.2 +- urlglob: better detect unclosed braces, empty lists and overflows + + A rather big overhaul and cleanup. + + 1 - curl wouldn't properly detect and reject globbing that ended with an + open brace if there were brackets or braces before it. Like "{}{" or + "[0-1]{" + + 2 - curl wouldn't properly reject empty lists so that "{}{}" would + result in curl getting (nil) strings in the output. + + 3 - By using strtoul() instead of sscanf() the code will now detected + over and underflows. It now also better parses the step argument to only + accept positive numbers and only step counters that is smaller than the + delta between the maximum and minimum numbers. + + 4 - By switching to unsigned longs instead of signed ints for the + counters, the max values for []-ranges are now very large (on 64bit + machines). + + 5 - Bumped the maximum number of globs in a single URL to 100 (from 10) + + 6 - Simplified the code somewhat and now it stores fixed strings as + single- entry lists. That's also one of the reasons why I did (5) as now + all strings between "globs" will take a slot in the array. + + Added test 1234 and 1235 to verify. Updated test 87. + + This commit fixes three separate bug reports. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1264 + Bug: http://curl.haxx.se/bug/view.cgi?id=1265 + Bug: http://curl.haxx.se/bug/view.cgi?id=1266 + Reported-by: Will Dietz -- THANKS: added 14 contributors from the 7.28.1 release +- [John Malmberg brought this change] -Version 7.28.1 (20 Nov 2012) + VMS: Add RELEASE-NOTES to vms document + + Add the curl release notes to the release note document generated for + VMS packages. + + Add the different filenames generated by a daily build to the + cleanup procedures. -Daniel Stenberg (20 Nov 2012) -- RELEASE-NOTES: synced with 52af6e69f079 / 7.28.1 +- [Tor Arntsen brought this change] -Kamil Dudka (20 Nov 2012) -- [Anthony Bryan brought this change] + tests 2032, 2033: Don't hardcode port in expected output - RELEASE-NOTES: NSS can be used for metalink hashing +- ftp: convert state names to a global array + + ... just to make them easier to print in debug ouputs while debugging. + They are still within #ifdef [debugbuild]. -- [Fabian Keil brought this change] +- --help: fix the --sasl-ir in the help output - Get test 2032 working when using valgrind +- ftp_domore_getsock: when passive mode, the second conn is already there + + This makes the socket callback get called with the proper bitmask as + otherwise the application could be left hanging waiting for reading on + an upload connection! - If curl_multi_fdset() sets maxfd to -1, the socket detection - loop is skipped and thus !found_new_socket is no cause for alarm. + Bug: http://curl.haxx.se/mail/lib-2013-08/0043.html + Reported-by: Bill Doyle -- test2032: spurious failure caused by premature termination +- curl: make --no-[option] work properly for several options - Bug: http://curl.haxx.se/mail/lib-2012-11/0095.html + --create-dirs, --crlf, --socks5-gssapi-nec and --sasl-ir -Daniel Stenberg (19 Nov 2012) -- [Fabian Keil brought this change] +Kamil Dudka (12 Aug 2013) +- nss: make sure that NSS is initialized + + ... prior to calling PK11_GenerateRandom() - Fix comment typos in test 517 +Daniel Stenberg (12 Aug 2013) +- multi: s/easy/data + + With everything being struct SessionHandle pointers now, this rename + makes multi.c use the library-wide practise of calling that pointer + 'data' instead of the previously used 'easy'. -- [Fabian Keil brought this change] +- cleanup: removed one function, made one static + + Moved Curl_easy_addmulti() from easy.c to multi.c, renamed it to + easy_addmulti and made it static. + + Removed Curl_easy_initHandleData() and uses of it since it was emptied + in commit cdda92ab67b47d74a. - Test 92 and 194: normalize spaces in the Server headers +- SessionHandle: the protocol specific pointer is now a void * + + All protocol handler structs are now opaque (void *) in the + SessionHandle struct and moved in the request-specific sub-struct + 'SingleRequest'. The intension is to keep the protocol specific + knowledge in their own dedicated source files [protocol].c etc. - It makes no difference from curl's point of view but - makes it more convenient to use the tests with a - lws-normalizing proxy between curl and the test server. + There's some "leakage" where this policy is violated, to be addressed at + a later point in time. -- [Fabian Keil brought this change] +- urldata: clean up the use of the protocol specific structs + + 1 - always allocate the struct in protocol->setup_connection. Some + protocol handlers had to get this function added. + + 2 - always free at the end of a request. This is also an attempt to keep + less memory in the handle after it is completed. - Add a HOSTIP precheck for tests 31 and 1105 +- version number: bump to 7.32.1 for now - They currently only work for 127.0.0.1 which - is hardcoded and can't be easily changed. + Start working on the next version and up some counters. + +Version 7.32.0 (11 Aug 2013) + +Daniel Stenberg (11 Aug 2013) +- THANKS: added contributors from the 7.32.0 release notes - [Fabian Keil brought this change] - Let test 8 work as long as %HOSTIP ends with ".0.0.1" - - .. and add a precheck to skip the test otherwise. + test1228: add 'HTTP proxy' to the keywords - [Fabian Keil brought this change] - Add --resolve to the keywords and name of test 1318 - - This makes it easier to skip it automatically when - the test suite is used with external proxies. + tests: add keywords for a couple of FILE tests - [Fabian Keil brought this change] - Add FTP keywords for a couple of currently keyword-less FTP tests + tests: add 'FAILURE' keywords to tests 1409 and 1410 - [Fabian Keil brought this change] - Add keywords for a couple of currently keyword-less HTTP tests + tests: add keywords for a couple of HTTP tests - [Fabian Keil brought this change] - Use carriage returns in all headers in test 31 - - Trailing spaces were left unmodifed, assuming they were intentional. + tests: add keywords for a couple of FTP tests - [Fabian Keil brought this change] - Do not mix CRLF and LF header endings in a couple of HTTP tests - - Consistently use CRLF instead. The mixed endings weren't - documented so I assume they were unintentional. - - This change doesn't matter for curl itself but makes using - the tests with a proxy between curl and the test server - more convenient. + test1511: consistently terminate headers with CRLF + +- DISABLED: shut of test 1512 for now - Tests that consistently use no carriage returns were - left unmodified as one can easily work around this. + It shows intermittent failures and I haven't been able to track them + down yet. Disable this test for now. + +- curl_multi_add_handle.3: ... that timer callback is for event-based + +- comments: remove old and wrong multi/easy interface statements + +- curl_multi_add_handle.3: mention the CURLMOPT_TIMERFUNCTION use + +- [John E. Malmberg brought this change] + + KNOWN_BUGS: 22 and 57 have been fixed and committed -- fixed memory leak: CURLOPT_RESOLVE with multi interface +- RELEASE-NOTES: synced with d20def20462e7 + +- global dns cache: fix memory leak - DNS cache entries populated with CURLOPT_RESOLVE were not properly freed - again when done using the multi interface. + The take down of the global dns cache didn't take CURLOPT_RESOLVE names + into account. + +- global dns cache: didn't work [regression] - Test case 1502 added to verify. + CURLOPT_DNS_USE_GLOBAL_CACHE broke in commit c43127414d89ccb (been + broken since the libcurl 7.29.0 release). While this option has been + documented as deprecated for almost a decade and nobody even reported + this bug, it should remain functional. - Bug: http://curl.haxx.se/bug/view.cgi?id=3575448 - Reported by: Alex Gruz + Added test case 1512 to verify -- RELEASE-NOTES: synced with ee588fe08807778 - - 4 more bug fixes and 4 more contributors +Yang Tse (8 Aug 2013) +- [John Malmberg brought this change] -- mem-include-scan: verify memory #includes + packages/vms: update VMS build files - If we use memory functions (malloc, free, strdup etc) in C sources in - libcurl and we fail to include curl_memory.h or memdebug.h we either - fail to properly support user-provided memory callbacks or the memory - leak system of the test suite fails. + VMS modified files either missing from a previous commit and changes + to remove references to CVS repositories. + +Daniel Stenberg (8 Aug 2013) +- FTP: renamed several local functions - After Ajit's report of a failure in the first category in http_proxy.c, - I spotted a few in the second category as well. These problems are now - tested for by test 1132 which runs a perl program that scans for and - attempts to check that we use the correct include files if a memory - related function is used in the source code. + The previous naming scheme ftp_state_post_XXXX() wasn't really helpful + as it wasn't always immediately after 'xxxx' and it wasn't easy to + understand what it does based on such a name. - Reported by: Ajit Dhumale - Bug: http://curl.haxx.se/mail/lib-2012-11/0125.html + This new one is instead ftp_state_yyyy() where yyyy describes what it + does or sends. -- tftp_rx: code style cleanup +- mk-ca-bundle.1: don't install on make install - Fixed checksrc warnings - -- [Fabian Keil brought this change] - - Fix the libauthretry changes from 7c0cbcf2f61 + Since the mk-ca-bundle tool itself isn't installed with make install, + there's no point in installing its documentation. - They broke the NTLM tests from 2023 to 2031. + Bug: http://curl.haxx.se/mail/lib-2013-08/0057.html + Reported-by: Guenter Knauf -- [Christian Vogt brought this change] +Yang Tse (7 Aug 2013) +- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST - tftp_rx: handle resends +- [John Malmberg brought this change] + + Building_vms_pcsi_kit - Re-send ACK for block X in case we receive block X data again while - waiting for block X+1. + These are the files needed to build VMS distribution packages known as + PCSI kits. - Based on an earlier patch by Marcin Adamski. + Also minor update to the existing files, mainly to the documentation and + file clean up code. -- autoconf: don't force-disable compiler debug option +Daniel Stenberg (6 Aug 2013) +- LIBCURL-STRUCTS: new document + + This is the first version of this new document, detailing the seven + perhaps most important internal structs in libcurl source code: - When nothing is told to configure, we should not enforce switching off - debug options with -g0 (or similar). We instead don't use -g at all in - that situaion and therefore allow the user's CFLAGS settings possibly - dictate what to do. + 1.1 SessionHandle + 1.2 connectdata + 1.3 Curl_multi + 1.4 Curl_handler + 1.5 conncache + 1.6 Curl_share + 1.7 CookieInfo -- [Mark Snelling brought this change] +- CONTRIBUTE: minor language polish - winbuild: Fix PDB file output +- FTP: when EPSV gets a 229 but fails to connect, retry with PASV - And fix some newlines to be proper CRLF + This is a regression as this logic used to work. It isn't clear when it + broke, but I'm assuming in 7.28.0 when we went all-multi internally. - Bug: http://curl.haxx.se/bug/view.cgi?id=3586741 - -- RELEASE-NOTES: synced with fa1ae0abcde + This likely never worked with the multi interface. As the failed + connection is detected once the multi state has reached DO_MORE, the + Curl_do_more() function was now expanded somewhat so that the + ftp_do_more() function can request to go "back" to the previous state + when it makes another attempt - using PASV. + + Added test case 1233 to verify this fix. It has the little issue that it + assumes no service is listening/accepting connections on port 1... + + Reported-by: byte_bucket in the #curl IRC channel -- [Cristian Rodríguez brought this change] +Nick Zitzmann (5 Aug 2013) +- md5: remove use of CommonCrypto-to-OpenSSL macros for the benefit of Leopard + + For some reason, OS X 10.5's GCC suddenly stopped working correctly with + macros that change MD5_Init etc. in the code to CC_MD5_Init etc., so I + worked around this by removing use of the macros and inserting static + functions that just call CommonCrypto's implementations of the functions + instead. - OpenSSL: Disable SSL/TLS compression +Guenter Knauf (5 Aug 2013) +- Simplify check for trusted certificates. - It either causes increased memory usage or exposes users - to the "CRIME attack" (CVE-2012-4929) + This changes the previous check for untrusted certs to a check for + certs explicitely marked as trusted. + The change is backward-compatible (tested with certdata.txt v1.80). -- [Sebastian Rasmussen brought this change] +Daniel Stenberg (5 Aug 2013) +- configure: warn on bad env variable use, don't error + + Use XC_CHECK_BUILD_FLAGS instead XC_CHECK_USER_FLAGS. - FILE: Make upload-writes unbuffered by not using FILE streams +- Revert "configure: don't error out on variable confusions, just warn" + + This reverts commit 6b27703b5f525eccdc0a8409f51de8595c75132a. -Kamil Dudka (13 Nov 2012) -- tool_metalink: fix error detection of hash alg initialization +- formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used - The {MD5,SHA1,SHA256}_Init functions from OpenSSL are called directly - without any wrappers and they return 1 for success, 0 otherwise. Hence, - we have to use the same approach in all the wrapper functions that are - used for the other crypto libraries. + The internal function that's used to detect known file extensions for + the default Content-Type got the the wrong pointer passed in when + CURLFORM_BUFFER + CURLFORM_BUFFERPTR were used. This had the effect that + strlen() would be used which could lead to an out-of-bounds read (and + thus segfault). In most cases it would only lead to it not finding or + using the correct default content-type. - This commit fixes a regression introduced in commit dca8ae5f. - -Daniel Stenberg (13 Nov 2012) -- RELEASE-NOTES: synced with 7c0cbcf2f617b - -- [Sergei Nikulov brought this change] + It also showed that test 554 and test 587 were testing for the + previous/wrong behavior and now they're updated as well. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1262 + Reported-by: Konstantin Isakov - fixed Visual Studio 2010 compilation +Guenter Knauf (4 Aug 2013) +- Skip more untrusted certificates. + + Christian Heimes brought to our attention that the certdata.txt + format has recently changed [1], causing ca-bundle.crt created + with mk-ca-bundle.[pl|vbs] to include untrusted certs. + + [1] http://lists.debian.org/debian-release/2012/11/msg00411.html -- [Anton Malov brought this change] +Daniel Stenberg (4 Aug 2013) +- configure: don't error out on variable confusions, just warn - ftp: EPSV-disable fix over SOCKS +- configure: rephrase the notice in _XC_CHECK_VAR_* - Bug: http://curl.haxx.se/bug/view.cgi?id=3586338 + Instead of claiming it is an error, we call it a "note" to reduce the + severity level. But the following text now says the [variable] "*should* + only be used to specify"... instead of previously having said "may". -Patrick Monnerat (12 Nov 2012) -- Merge branch 'master' of github.com:bagder/curl +- multi: remove data->state.current_conn struct field + + Not needed -- OS400: upgrade wrappers for the 7.28.1 release. +- multi: remove the one_easy struct field + + Since the merge of SessionHandle with Curl_one_easy, this indirection + isn't used anymore. -Daniel Stenberg (12 Nov 2012) -- runtests: limit execessive logging/output +- multi: rename all Curl_one_easy to SessionHandle -- [Gabriel Sjoberg brought this change] +- multi: remove the multi_pos struct field + + Since Curl_one_easy is really a SessionHandle now, this indirection + doesn't exist anymore. - Digst: Add microseconds into nounce calculation +- multi: remove easy_handle struct field - When using only 1 second precision, curl doesn't create new cnonce - values quickly enough for all uses. + It isn't needed anymore + +- multi: remove 'Curl_one_easy' struct, phase 1 - For example, issuing the following command multiple times to a recent - Tomcat causes authentication failures: + The motivation for having a separate struct that keep track of an easy + handle when using the multi handle was removed when we switched to + always using the multi interface internally. Now they were just two + separate struct that was always allocated for each easy handle. - curl --digest -utest:test http://tomcat.test.com:8080/manager/list + This first step just moves the Curl_one_easy struct members into the + SessionHandle struct and hides this somehow (== keeps the source code + changes to a minimum) by defining Curl_one_easy to SessionHandle - This is because curl uses the same cnonce for several seconds, but - doesn't increment the nonce counter. Tomcat correctly interprets - this as a replay attack and rejects the request. + The biggest changes in this commit are: - When microsecond-precision is available, this commit causes curl to - change cnonce values much more frequently. + 1 - the linked list of easy handles had to be changed somewhat due + to the new struct layout. This made the main linked list pointer + get renamed to 'easyp' and there's also a new pointer to the last + node, called easylp. It is no longer circular but ends with ->next + pointing to NULL. New nodes are still added last. - With microsecond resolution, increasing the nounce length used in the - headers to 32 was made to further reduce the risk of duplication. + 2 - easy->state is now called easy->mstate to avoid name collision -- SCP/SFTP: improve error code used for send failures +Steve Holme (2 Aug 2013) +- Revert "DOCS: Added IMAP URL example for listing new messages" - Instead of relying on the generic CURLE error for SCP or SFTP send - failures, try passing back a more suitable error if possible. - -- Curl_write: remove unneeded typecast + This reverts commit 82ab5f1b0c7c3f as this was the wrong place to + document the complexity of IMAP URLs and Custom Requests. -Kamil Dudka (9 Nov 2012) -- tool_metalink: allow to use hash algorithms provided by NSS +- DOCS: Added IMAP URL example for listing new messages - Fixes bug #3578163: - http://sourceforge.net/tracker/?func=detail&atid=100976&aid=3578163&group_id=976 + In addition to listing the folder contents, in the URL examples, added + an example to list the new messages waiting in the user's inbox. -- tool_metalink: allow to handle failure of hash alg initialization +Yang Tse (1 Aug 2013) +- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST -- tool_metalink: introduce metalink_cleanup() in the internal API - - ... to release resources allocated at global scope +- [John Malmberg brought this change] -Daniel Stenberg (8 Nov 2012) -- hostcheck: only build for the actual users + Add in the files needed to build libcurl shared images on VMS. - and make local function static - -- [Oscar Koeroo brought this change] - - SSL: Several SSL-backend related fixes - - axTLS: - - This will make the axTLS backend perform the RFC2818 checks, honoring - the VERIFYHOST setting similar to the OpenSSL backend. - - Generic for OpenSSL and axTLS: + Update the packages/vms/readme file to be current. - Move the hostcheck and cert_hostcheck functions from the lib/ssluse.c - files to make them genericly available for both the OpenSSL, axTLS and - other SSL backends. They are now in the new lib/hostcheck.c file. + Also some files for the GNV based build were either missing or needed an + update. - CyaSSL: + curl_crtl_init.c is a special file that is run before main() to + set up the proper C runtime behavior. - CyaSSL now also has the RFC2818 checks enabled by default. There is a - limitation that the verifyhost can not be enabled exclusively on the - Subject CN field comparison. This SSL backend will thus behave like the - NSS and the GnuTLS (meaning: RFC2818 ok, or bust). In other words: - setting verifyhost to 0 or 1 will disable the Subject Alt Names checks - too. + generate_vax_transfer.com generates the VAX transfer vector modules from + the gnv_libcurl_symbols.opt file. - Schannel: + gnv_conftest.c_first is a helper file needed for configure scripts to + come up with the expected answers on VMS. - Updated the schannel information messages: Split the IP address usage - message from the verifyhost setting and changed the message about - disabling SNI (Server Name Indication, used in HTTP virtual hosting) - into a message stating that the Subject Alternative Names checks are - being disabled when verifyhost is set to 0 or 1. As a side effect of - switching off the RFC2818 related servername checks with - SCH_CRED_NO_SERVERNAME_CHECK - (http://msdn.microsoft.com/en-us/library/aa923430.aspx) the SNI feature - is being disabled. This effect is not documented in MSDN, but Wireshark - output clearly shows the effect (details on the libcurl maillist). + gnv_libcurl_symbols.opt is the public symbols for the libcurl shared + image. - PolarSSL: + gnv_link_curl.com builds the shared libcurl image and rebuilds other + programs to use it. - Fix the prototype change in PolarSSL of ssl_set_session() and the move - of the peer_cert from the ssl_context to the ssl_session. Found this - change in the PolarSSL SVN between r1316 and r1317 where the - POLARSSL_VERSION_NUMBER was at 0x01010100. But to accommodate the Ubuntu - PolarSSL version 1.1.4 the check is to discriminate between lower then - PolarSSL version 1.2.0 and 1.2.0 and higher. Note: The PolarSSL SVN - trunk jumped from version 1.1.1 to 1.2.0. + macro32_exactcase.patch is a hack to make a local copy of the VMS Macro32 + assembler case sensitive, which is needed to build the VAX transfer modules. - Generic: - - All the SSL backends are fixed and checked to work with the - ssl.verifyhost as a boolean, which is an internal API change. + report_openssl_version.c is a tool for help verify that the libcurl + shared image is being built for a minium version of openssl. -- libcurl: VERSIONINFO update - - Since we added the curl_multi_wait function, the VERSIONINFO needed - updating. +- curl: second follow-up for commit 5af2bfb9 - Reported by: Patrick Monnerat + Display progress-bar unconditionally on first call -Guenter Knauf (8 Nov 2012) -- Added .def file to output. +- curl: follow-up for commit 5af2bfb9 - Requested by Johnny Luong on the libcurl list. + Use tvnow() and tvdiff() to avoid introducing new linkage issues -- Added deps for static metalink-aware MinGW builds. +Daniel Stenberg (31 Jul 2013) +- curl: --progress-bar max update frequency now at 5Hz -Daniel Stenberg (8 Nov 2012) -- [Fabian Keil brought this change] - - Fix compilation of lib1501 - -- Curl_readwrite: remove debug output +- curl: make --progress-bar update the line less frequently - The text "additional stuff not fine" text was added for debug purposes a - while ago, but it isn't really helping anyone and for some reason some - Linux distributions provide their libcurls built with debug info still - present and thus (far too many) users get to read this info. - -- RELEASE-NOTES: synced with 487538e87a3d5e + Also, use memset() instead of a lame loop. - 6 new bugfixes and 3 more contributors... - -- http_perhapsrewind: consider NTLM over proxy too + The previous logic that tried to avoid too many updates were very + ineffective for really fast transfers, as then it could easily end up + doing hundreds of updates per second that would make a significant + impact in transfer performance! - The logic previously checked for a started NTLM negotiation only for - host and not also with proxy, leading to problems doing POSTs over a - proxy NTLM that are larger than 2000 bytes. Now it includes proxy in the - check. - - Bug: http://curl.haxx.se/bug/view.cgi?id=3582321 - Reported by: John Suprock - -- [Lars Buitinck brought this change] + Bug: http://curl.haxx.se/mail/archive-2013-07/0031.html + Reported-by: Marc Doughty - Curl_connecthost: friendlier "couldn't connect" message +Nick Zitzmann (30 Jul 2013) +- darwinssl: added LFs to some strings passed into infof() + + (This doesn't need to appear in the release notes.) I noticed a few places + where infof() was called, and there should've been an LF at the end of the + string, but there wasn't. -- test1413: verify redirects to URLs with fragments +- darwinssl: fix build error in crypto authentication under Snow Leopard - The bug report claimed it didn't work. This problem was probably fixed - in 473003fbdf. + It turns out Snow Leopard not only has SecItemCopyMatching() defined in + a header not included by the omnibus header, but it won't work for our + purposes, because searching for SecIdentityRef objects wasn't added + to that API until Lion. So we now use the old SecKeychainSearch API + instead if the user is building under, or running under, Snow Leopard. - Bug: http://curl.haxx.se/bug/view.cgi?id=3581898 + Bug: http://sourceforge.net/p/curl/bugs/1255/ + Reported by: Edward Rudd -- URL parser: cut off '#' fragments from URLs (better) +- md5 & metalink: use better build macros on Apple operating systems - The existing logic only cut off the fragment from the separate 'path' - buffer which is used when sending HTTP to hosts. The buffer that held - the full URL used for proxies were not dealt with. It is now. + Previously we used __MAC_10_X and __IPHONE_X to mark digest-generating + code that was specific to OS X and iOS. Now we use + __MAC_OS_X_VERSION_MAX_ALLOWED and __IPHONE_OS_VERSION_MAX_ALLOWED + instead of those macros. - Test case 5 was updated to use a fragment on a URL over a proxy. - - Bug: http://curl.haxx.se/bug/view.cgi?id=3579813 + Bug: http://sourceforge.net/p/curl/bugs/1255/ + Reported by: Edward Rudd -- OpenSSL/servercert: use correct buffer size, not size of pointer - - Bug: http://curl.haxx.se/bug/view.cgi?id=3579286 +Yang Tse (29 Jul 2013) +- tool_operhlp.c: fix add_file_name_to_url() OOM handling -- curl: set CURLOPT_SSL_VERIFYHOST to 0 to disable +- tool_operate.c: fix brace placement for vi/emacs delimiter matching -- test 2027/2030: take duplicate Digest requests into account - - With the reversion of ce8311c7e49eca and the new clear logic, this flaw - is present and we allow it. +- tool_operate.c: move <fabdef.h> header inclusion location -- Curl_pretransfer: clear out unwanted auth methods - - As a handle can be re-used after having done HTTP auth in a previous - request, it must make sure to clear out the HTTP types that aren't - wanted in this new request. +Daniel Stenberg (29 Jul 2013) +- RELEASE-NOTES: synced with b5478a0e033e7 -- test1412: verify Digest with repeated URLs +- curl_easy_pause: on unpause, trigger mulit-socket handling - This test case verifies that bug 3582718 is fixed. + When the multi-socket API is used, we need the handle to be checked + again when it gets unpaused. - Bug: http://curl.haxx.se/bug/view.cgi?id=3582718 - Reported by: Nick Zitzmann (originally) + Bug: http://curl.haxx.se/mail/lib-2013-07/0239.html + Reported-by: Justin Karneges -- Revert "Zero out auth structs before transfer" - - This reverts commit ce8311c7e49eca93c136b58efa6763853541ec97. - - The commit made test 2024 work but caused a regression with repeated - Digest authentication. We need to fix this differently. +- [John E. Malmberg brought this change] -- CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value + curl_formadd: fix file upload on VMS - After a research team wrote a document[1] that found several live source - codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST - option thinking it was a boolean, this change now bans 1 as a value and - will make libcurl return error for it. + For the standard VMS text file formats, VMS needs to read the file to + get the actual file size. - 1 was never a sensible value to use in production but was introduced - back in the days to help debugging. It was always documented clearly - this way. + For the standard VMS binary file formats, VMS needs a special format of + fopen() call so that it stops reading at the logical end of file instead + of at the end of the blocks allocated to the file. - 1 was never supported by all SSL backends in libcurl, so this cleanup - makes the treatment of it unified. + I structured the patch this way as I was not sure about changing the + structures or parameters to the routines, but would prefer to only call + the stat() function once and pass the information to where the fopen() + call is made. - The report's list of mistakes for this option were all PHP code and - while there's a binding layer between libcurl and PHP, the PHP team has - decided that they have an as thin layer as possible on top of libcurl so - they will not alter or specifically filter a 'TRUE' value for this - particular option. I sympathize with that position. + Bug: https://sourceforge.net/p/curl/bugs/758/ + +- formadd: CURLFORM_FILECONTENT wrongly rejected some option combos + + The code for CURLFORM_FILECONTENT had its check for duplicate options + wrong so that it would reject CURLFORM_PTRNAME if used in combination + with it (but not CURLFORM_COPYNAME)! The flags field used for this + purpose cannot be interpreted that broadly. - [1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/ + Bug: http://curl.haxx.se/mail/lib-2013-07/0258.html + Reported-by: Byrial Jensen -- gnutls: fix compiler warnings +Yang Tse (25 Jul 2013) +- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST -- [Alessandro Ghedini brought this change] +- [John E. Malmberg brought this change] - gnutls: print alerts during handshake + VMS: intial set of files to allow building using GNV toolkit. -- [Alessandro Ghedini brought this change] +- string formatting: fix too many arguments for format - gnutls: fix the error_is_fatal logic +- string formatting: fix zero-length printf format string -- RELEASE-NOTES: synced with fa6d78829fd30ad +- easy.c: curl_easy_getinfo() fix va_start/va_end matching -- httpcustomheader.c: free the headers after use +- imap.c: imap_sendf() fix va_start/va_end matching -- [Dave Reisner brought this change] +- string formatting: fix 15+ printf-style format strings - uniformly use AM_CPPFLAGS, avoid deprecated INCLUDES - - Since automake 1.12.4, the warnings are issued on running automake: +Patrick Monnerat (24 Jul 2013) +- OS400: sync ILE/RPG binding with current curl.h + +Yang Tse (24 Jul 2013) +- string formatting: fix 25+ printf-style format strings + +Daniel Stenberg (23 Jul 2013) +- Makefile.am: use LDFLAGS as well when linking libcurl - warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS') + Linking on Solaris 10 x86 with Sun Studio 12 failed when we upgraded + automake for the release builds. - Avoid INCLUDES and roll these flags into AM_CPPFLAGS. + Bug: http://curl.haxx.se/bug/view.cgi?id=1217 + Reported-by: Dagobert Michelsen + +- [Fabian Keil brought this change] + + url.c: Fix dot file path cleanup when using an HTTP proxy - Compile tested on: - Ubuntu 10.04 (automake 1:1.11.1-1) - Ubuntu 12.04 (automake 1:1.11.3-1ubuntu2) - Arch Linux (automake 1.12.4) + Previously the path was cleaned, but the URL wasn't properly updated. + +- [Fabian Keil brought this change] -- libauthretry.c: shorten lines to fit within 80 cols + tests: test1232 verifies dotdot removal from path with proxy -- ftp_readresp: fix build without krb4 support +- [Fabian Keil brought this change] + + dotdot.c: Fix a RFC section number in a comment for Curl_dedotdotify() + +- [John E. Malmberg brought this change] + + build_vms.com: fix debug and float options - Oops, my previous commit broke builds with krb support. + In the reorganization of the build_vms.com the debug and float options + were not fixed up correctly. -- test/README: mention the 1500 test number range +- [John E. Malmberg brought this change] -- FTP: prevent the multi interface from blocking + curl: fix upload of a zip file in OpenVMS - As pointed out in Bug report #3579064, curl_multi_perform() would - wrongly use a blocking mechanism internally for some commands which - could lead to for example a very long block if the LIST response never - showed. + Two fixes: - The solution was to make sure to properly continue to use the multi - interface non-blocking state machine. + 1. Force output file format to be stream-lf so that partial downloads + can be continued. - The new test 1501 verifies the fix. + This should have minor impact as if the file does not exist, it was + created with stream-lf format. The only time this was an issue is if + there was already an existing file with a different format. - Bug: http://curl.haxx.se/bug/view.cgi?id=3579064 - Reported by: Guido Berhoerster - -Marc Hoersken (1 Nov 2012) -- winbuild: Use machine type of development environment + 2. Fix file uploads are now fixed. - This patch restores the original behavior instead of always - falling back to x86 if no MACHINE-type was specified. - -- winbuild: Additional clean up - -- [Sapien2 brought this change] - - Even more winbuild refactoring - -- [Sapien2 brought this change] + a. VMS binary files such as ZIP archives are now uploaded + correctly. + + b. VMS text files are read once to get the correct size + and then converted to line-feed terminated records as + they are read into curl. + + The default VMS text formats do not contain either line-feed or + carriage-return terminated records. Those delimiters are added by the + operating system file read calls if the application requests them. + + Bug: http://curl.haxx.se/bug/view.cgi?id=496 - Minor winbuild refactoring +Yang Tse (22 Jul 2013) +- libtest: fix data type of some *_setopt() 'long' arguments -- [Sapien2 brought this change] +- curl: fix symbolic names for CURL_NETRC_* enum in --libcurl output - Architecture selection for winbuild and minor makefiles refactoring +- curl: fix symbolic names for CURLUSESSL_* enum in --libcurl output -Daniel Stenberg (1 Nov 2012) -- BUGS: fix the bug tracker URL +- tool_operate.c: fix passing curl_easy_setopt long arg on some x64 ABIs - The URL we used before is the one that goes directly to 'add' a bug - report, but since you can only do that after first having logged in to - sourceforge, the link often doesn't work for visitors. + We no longer pass our 'bool' data type variables nor constants as + an argument to my_setopt(), instead we use proper 1L or 0L values. - Bug: http://curl.haxx.se/bug/view.cgi?id=3582408 - Reported by: Oscar Norlander - -- evhiperfifo: fix the pointer passed to WRITEDATA + This also fixes macro used to pass string argument for CURLOPT_SSLCERT, + CURLOPT_SSLKEY and CURLOPT_EGDSOCKET using my_setopt_str() instead of + my_setopt(). - Bug: http://curl.haxx.se/bug/view.cgi?id=3582407 - Reported by: Oscar Norlander + This also casts enum or int argument data types to long when passed to + my_setopt_enum(). -Guenter Knauf (1 Nov 2012) -- Fixed MSVC libssh2 static build. +Daniel Stenberg (21 Jul 2013) +- curl_multi_wait: fix revents - Since libssh2 supports now agent stuff it also depends on user32.lib. - Posted to the list by Jan Ehrhardt. - -Daniel Stenberg (23 Oct 2012) -- tlsauthtype: deal with the string case insensitively + Commit 6d30f8ebed34e7276 didn't work properly. First, it used the wrong + array index, but this fix also: - When given a string as 'srp' it didn't work, but required 'SRP'. - Starting now, the check disregards casing. + 1 - only does the copying if indeed there was any activity - Bug: http://curl.haxx.se/bug/view.cgi?id=3578418 - Reported by: Jeff Connelly + 2 - makes sure to properly translate between internal and external + bitfields, which are not guaranteed to match + + Reported-by: Evgeny Turnaev + +- RELEASE-NOTES: synced with d529f3882b9bca -- asyn-ares: restore working with c-ares < 1.6.1 +- curl_easy_perform: gradually increase the delay time - Back in those days the public ares.h header didn't include the - ares_version.h header so it needs to be included here. + Instead of going 50,100,150 etc millisecond delay time when nothing has + been found to do or wait for, we now start lower and double each loop as + in 4,8,16,32 etc. - Bug: http://curl.haxx.se/bug/view.cgi?id=3577710 - -- [Nick Zitzmann brought this change] + This lowers the minimum wait without sacrifizing the longer wait too + much with unnecessary CPU cycles burnt. + + Bug: http://curl.haxx.se/mail/lib-2013-07/0103.html + Reported-by: Andreas Malzahn - metalink/md5: Use CommonCrypto on Apple operating systems +- ftp_do_more: consider DO_MORE complete when server connects back - Previously the Metalink code used Apple's CommonCrypto library only if - curl was built using the --with-darwinssl option. Now we use CommonCrypto - on all Apple operating systems including Tiger or later, or iOS 5 or - later, so you don't need to build --with-darwinssl anymore. Also rolled - out this change to libcurl's md5 code. + In the case of an active connection when ftp_do_more() detects that the + server has connected back, it must make sure to mark it as complete so + that the multi_runsingle() function will detect this and move on to the + next state. + + Bug: http://curl.haxx.se/mail/lib-2013-07/0115.html + Reported-by: Clemens Gruber -- href_extractor.c: fix the URL +Yang Tse (19 Jul 2013) +- Makefile.b32: Borland makefile adjustments. Tested with BCC 5.5.1 -- [Michał Kowalczyk brought this change] +- WIN32 MemoryTracking: require UNICODE for wide strdup code support - href_extractor: example code extracting href elements +Daniel Stenberg (18 Jul 2013) +- CURLOPT_XFERINFOFUNCTION: introducing a new progress callback - It does so in a streaming manner using the "Streaming HTML parser". - -- [Nick Zitzmann brought this change] + CURLOPT_XFERINFOFUNCTION is now the preferred progress callback function + and CURLOPT_PROGRESSFUNCTION is considered deprecated. + + This new callback uses pure 'curl_off_t' arguments to pass on full + resolution sizes. It otherwise retains the same characteristics: the + same call rate, the same meanings for the arguments and the return code + is used the same way. + + The progressfunc.c example is updated to show how to use the new + callback for newer libcurls while supporting the older one if built with + an older libcurl or even built with a newer libcurl while running with + an older. - darwinssl: un-broke iOS build, fix error on server disconnect +Yang Tse (18 Jul 2013) +- Reinstate "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage". + + This reverts commit 7ed25cc, reinstating commit 8ec2cb5. + + As of 18-jul-2013 we still do have code in libcurl that makes use of these + memory functions. Commit 8ec2cb5 comment still applies and is yet valid. + + These memory functions are solely used in Windows builds, so all related + code is protected with '#ifdef WIN32' preprocessor conditional compilation + directives. + + Specifically, wcsdup() _wcsdup() are used when building a Windows target with + UNICODE and USE_WINDOWS_SSPI preprocessor symbols defined. This is the case + when building a Windows UNICODE target with Windows native SSL/TLS support + enabled. + + Realizing that wcsdup() _wcsdup() are used is a bit tricky given that usage + of these is hidden behind _tcsdup() which is MS way of dealing with code + that must tolerate UNICODE and non-UNICODE compilation. Additionally, MS + header files and those compatible from other compilers use this preprocessor + conditional compilation directive in order to select at compilation time + whether 'wide' or 'ansi' MS API functions are used. - The iOS build was broken by a reference to a function that only existed - under OS X; fixed. Also fixed a hard-to-reproduce problem where, if the - server disconnected before libcurl got the chance to hang up first and - SecureTransport was in use, then we'd raise an error instead of failing - gracefully. + Without this code, Windows build targets with Windows native SSL/TLS support + enabled and MemoryTracking support enabled misbehave in tracking memory usage, + regardless of being a UNICODE enabled build or not. -- [Alessandro Ghedini brought this change] +- xc-am-iface.m4: comments refinement - gnutls: put reset code into else block +- configure: fix 'subdir-objects' distclean related issue - Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690551 + See XC_AMEND_DISTCLEAN comments for details. -Guenter Knauf (13 Oct 2012) -- Fix now broken libmetalink-aware OpenSSL build. +Daniel Stenberg (18 Jul 2013) +- [Evgeny Turnaev brought this change] -- Revert c44e674; add OpenSSL includes/defines. + curl_multi_wait: set revents for extra fds - The makefile is designed to build against a libmetalink devel package; - therefore is does not matter what will change inside libmetalink. - Add OpenSSL includes and defines for libmetalink-aware OpenSSL builds. + Pass back the revents that happened for the user-provided file + descriptors. -Daniel Stenberg (10 Oct 2012) -- version-bump: towards 7.28.1! +- [Ben Greear brought this change] -- THANKS: 14 new contributors from 7.28.0 + asyn-ares: Don't blank ares servers if none configured. + + Best to just let c-ares use it's defaults if none are configured + in (lib)curl. + + Signed-off-by: Ben Greear <greearb@candelatech.com> -Version 7.28.0 (10 Oct 2012) +- [Sergei Nikulov brought this change] -Daniel Stenberg (10 Oct 2012) -- RELEASE-NOTES: synced with 8373ca3641 + cmake: Fix for MSVC2010 project generation - One bug, one contributor. Getting ready for release. - -- curl_multi_wait: no wait if no descriptors to wait for + Fixed issue with static build for MSVC2010. - This is a minor change in behavior after having been pointed out by Mark - Tully and discussed on the list. Initially this case would internally - call poll() with no sockets and a timeout which would equal a sleep for - that specified time. + After some investigation I've discovered known issue + http://public.kitware.com/Bug/view.php?id=11240 When .rc file is linked + to static lib it fails with following linker error - Bug: http://curl.haxx.se/mail/lib-2012-10/0076.html - Reported by: Mark Tully - -- TODO-RELEASE: cleanup for 7.28.0 + LINK : warning LNK4068: /MACHINE not specified; defaulting to X86 + file.obj : fatal error LNK1112: module machine type 'x64' conflicts with + target machine type 'X86' - one issue is now KNOWN_BUG #79 + Fix add target property /MACHINE: for MSVC generation. - the other we just skip since nobody is working on it or is planning to - start working on it anytime soon - -- curl_multi_wait.3: style formatting mistake - -Marc Hoersken (8 Oct 2012) -- ssluse.c: md5.h is required for Curl_ossl_md5sum - -Daniel Stenberg (8 Oct 2012) -- curl_multi_wait.3: fix the name of the man page - -- curl_multi_wait.3: renamed the last argument variable for clarity - -Marc Hoersken (6 Oct 2012) -- curl_schannel.c: Fixed caching more data than required + Also removed old workarounds - it caused errors during msvc build. - Do not fill the decrypted data buffer with more data unless - required in order to return the requested amount of data. + Bug: http://curl.haxx.se/mail/lib-2013-07/0046.html -- curl_schannel: Removed buffer limit and optimized buffer strategy - - Since there are servers that seem to return very big encrypted - data packages, we need to be able to handle those without having - an internal size limit. To avoid the buffer growing to fast to - early the initial size was decreased and the minimum free space - in the buffer was decreased as well. +- mk-ca-bundle.1: point out certdata.txt format docs -- lib/socks.c: Merged two size variables into one +Yang Tse (16 Jul 2013) +- slist.c: Curl_slist_append_nodup() OOM handling fix -- lib/socks.c: Avoid type conversions where possible - - Streamlined variable names and types to avoid type conversions that - may result in data being lost on non 32-bit systems. +Daniel Stenberg (16 Jul 2013) +- test1414: FTP PORT download without SIZE support -- lib/curl_schannel.c: Hide size_t conversion warning +Yang Tse (16 Jul 2013) +- tests/Makefile.am: add configurehelp.pm to DISTCLEANFILES -- krb5/curl_rtmp.c: Hide size_t to int type conversion warning +Patrick Monnerat (15 Jul 2013) +- curl_slist_append(): fix error detection -- security.c: Aligned internal type to return type - - Use ssize_t instead of int to avoid conversion problems on 64-bit - systems. Also added curlx_sztosi where necessary. +- slist.c: fix indentation -- lib/curl_schannel: Increased maximum buffer size to factor 128 +- OS400: new SSL backend GSKit -- winbuild/MakefileBuild.vc: Follow up on 0c8ccf7 +- OS400: add slist and certinfo EBCDIC support -Daniel Stenberg (2 Oct 2012) -- RELEASE-NOTES: synced with 971f5bcedd418 - - 9 new bug fixes, 5 changes, 6 more contributors +- config-os400.h: enable system strdup(), strcmpi(), etc. -- multi_runsingle: CURLOPT_LOW_SPEED_* fix for rate limitation - - During the periods of rate limitation, the speedcheck function wasn't - called and thus the values weren't updated accordingly and it would then - easily trigger wrongly once data got transferred again. - - Also, the progress callback's return code was not acknowledged in this - state so it could make an "abort" return code to get ignored and not - have the documented effect of aborting an ongoing transfer. - - Bug: http://curl.haxx.se/mail/lib-2012-09/0081.html - Reported by: Jie He +- x509asn1.c,x509asn1.h: new module to support ASN.1/X509 parsing & info extract + Use from qssl backend -- [Tatsuhiro Tsujikawa brought this change] +- ssluse.c,sslgen.c,sslgen.h: move certinfo support to generic SSL - tool_metalink.c: Filtered resource URLs by type +- Merge branch 'master' of github.com:bagder/curl - In Metalink v3, the type attribute of url element indicates the - type of the resource the URL points to. It can include URL to the - meta data, such as BitTorrent metainfo file. In Curl, we are not - interested in these meta data URLs. Instead, we are only - interested in the HTTP and FTP URLs. This change filters out - non-HTTP and FTP URLs. If we don't filter out them, it will be - downloaded by curl and hash check will fail if hash is provided - and next URL will be tried. This change will cut this useless - network transfer. + Merge for resync -Kamil Dudka (1 Oct 2012) -- https.c example: remember to call curl_global_init() - - ... in order not to leak memory on initializing an SSL library. +- slist.c, slist.h, cookie.c: new internal procedure Curl_slist_append_nodup() + +Yang Tse (15 Jul 2013) +- sslgen.c: fix Curl_rand() compiler warning - Reported by: Tomas Mlcoch + Use simple seeding method upon RANDOM_FILE seeding method failure. -Daniel Stenberg (28 Sep 2012) -- FAQ: remove the date from the topmost line +- sslgen.c: fix unreleased Curl_rand() infinite recursion -- FAQ: 5.16 I want a different time-out! +Daniel Stenberg (14 Jul 2013) +- [Dave Reisner brought this change] -- Curl_reconnect_request: clear pointer on failure + src/tool: allow timeouts to accept decimal values - The Curl_reconnect_request() function could end up returning a pointer - to a free()d struct when Curl_done() failed inside. Clearing the pointer - unconditionally after Curl_done() avoids this risk. + Implement wrappers around strtod to convert the user argument to a + double with sane error checking. Use this to allow --max-time and + --connect-timeout to accept decimal values instead of strictly integers. - Reported by: Ho-chi Chen - Bug: http://curl.haxx.se/mail/lib-2012-09/0188.html + The manpage is updated to make mention of this feature and, + additionally, forewarn that the actual timeout of the operation can + vary in its precision (particularly as the value increases in its + decimal precision). -- CURLOPT_CONNECTTIMEOUT: works without signals or posix too! - -Marc Hoersken (24 Sep 2012) -- Makefile.vc6: Follow up on 0c8ccf7 +- [Dave Reisner brought this change] -- Makefile.vc6: Added missing default library advapi32.lib + curl.1: fix long line, found by checksrc.pl -Daniel Stenberg (19 Sep 2012) -- HTTP_ONLY: disable more protocols +- [Dave Reisner brought this change] -- test2006: Updated expected output to include hash name + src/tool_paramhlp: try harder to catch negatives - Output changed in commit a34197ef77cb - -- [Sergei Nikulov brought this change] + strto* functions happily chomp off leading whitespace, so simply + checking for str[0] can lead to false negatives. Do the full parse and + check the out value instead. - cmake: use standard findxxx modules for cmake v2.8+ - -- [Sergei Nikulov brought this change] +- [John E. Malmberg brought this change] - setup.h: fixed for MS VC10 build + build_vms.com: detect and use zlib shared image - Bug: http://curl.haxx.se/bug/view.cgi?id=3568327 - -- TODO-RELEASE: push new features to 7.29 + Update the build_vms.com to detect and use zlib shared image installed + by the ZLIB kit produced by Jean-Francois Pieronne, and the also the + future ZLIB 1.2.8 kit in addition to the older ZLIB kits. - Leave two bug fixes as possibly fixed for 7.28 but as nobody seems to be - working on them I have little hope... + Also fix the indentation to match one of the common standards used for + VMS DCL command files and removed the hard tab characters. + + Tested on OpenVMS 8.4 Alpha and IA64, and OpenVMS 7.3 VAX. -Marc Hoersken (17 Sep 2012) -- metalink tests: Updated expected output to include hash name +Yang Tse (14 Jul 2013) +- url.c: fix parse_url_login() OOM handling -Daniel Stenberg (16 Sep 2012) -- [Sara Golemon brought this change] +- http_digest.c: SIGSEGV and OOM handling fixes - curl_multi_wait: Add parameter to return number of active sockets - - Minor change to recently introduced function. BC breaking, but since - curl_multi_wait() doesn't exist in any releases that should be fine. +- url.c: fix parse_login_details() OOM handling -Marc Hoersken (14 Sep 2012) -- socks.c: Fixed warning: conversion to 'int' from 'long unsigned int' +- [John E. Malmberg brought this change] -- http_negotiate.c: Fxied warning: unused variable 'rc' + setup-vms.h: sk_pop symbol tweak + + Newer versions of curl are referencing a sk_pop symbol while the HP + OpenSSL library has the symbol in uppercase only. -- ssh.c: Fixed warning: implicit conversion from enumeration type +- getinfo.c: fix enumerated type mixed with another type -- socks.c: Check that IPv6 is enabled before using it's features +- test 1511: fix enumerated type mixed with another type -- checksrc: Fixed line length and comment indentation +- url.c: fix SIGSEGV -- socks.c: Updated error messages to handle hostname and IPv6 +- dotdot.c: fix global declaration shadowing -- socks.c: Added support for IPv6 connections through SOCKSv5 proxy +- easy.c: fix global declaration shadowing -Daniel Stenberg (13 Sep 2012) -- parse_proxy: treat "socks://x" as a socks4 proxy - - Selected socks proxy in Google's Chrome browser. Resulting in the - following environment variables: - - NO_PROXY=localhost,127.0.0.0/8 - ALL_PROXY=socks://localhost:1080/ - all_proxy=socks://localhost:1080/ - no_proxy=localhost,127.0.0.0/8 - - ... and libcurl didn't treat 'socks://' as socks but instead picked HTTP - proxy. +Kamil Dudka (9 Jul 2013) +- Revert "curl.1: document the --time-cond option in the man page" - Reported by: Scott Bailey + This reverts commit 3a0e931fc715a80004958794a96b12cf90503f99 because + the documentation of --time-cond was duplicated by mistake. - Bug: http://curl.haxx.se/bug/view.cgi?id=3566860 + Reported by: Dave Reisner -Kamil Dudka (12 Sep 2012) -- ssh: do not crash if MD5 fingerprint is not provided by libssh2 - - The MD5 fingerprint cannot be computed when running in FIPS mode. +- curl.1: document the --sasl-ir option in the man page -- ssh: move the fingerprint checking code to a separate fnc +- curl.1: document the --post303 option in the man page -Marc Hoersken (12 Sep 2012) -- tool_metalink.c: Added name of validation hash to messages - - This makes it easier to debug broken hashes or hash functions. +- curl.1: document the --time-cond option in the man page -- wincrypt: Fixed cross-compilation issues caused by include name - - For some reason WinCrypt.h is named wincrypt.h under MinGW. +Yang Tse (9 Jul 2013) +- configure: automake 1.14 compatibility tweak (use XC_AUTOMAKE) -- md5.c: Added support for Microsoft Windows CryptoAPI +- xc-am-iface.m4: provide XC_AUTOMAKE macro -- Makefile.m32: Updated to build against libmetalink 0.1.2 - - The include and library path were moved within libmetalink, this - patch adjusts the defaults provided within the curl MinGW makefile. +Guenter Knauf (8 Jul 2013) +- Added winssl-zlib target to VC builds. -- tool_metalink.c: Added support for Microsoft Windows CryptoAPI +- Synced Makefile.vc6 with recent changes. - Since Metalink support requires a crypto library for hash functions - and Windows comes with the builtin CryptoAPI, this patch adds that - API as a fallback to the supported crypto libraries. - It is automatically used on Windows if no other library is provided. + Issue posted to the list by malinowsky AT FTW DOT at. -- libntlmconnect.c: Fixed typo and conversion +- Added libmetalink URL; added Android versions. -- libntlmconnect.c: Fixed warning: curl_easy_getinfo expects long pointer +Dan Fandrich (3 Jul 2013) +- examples: Moved usercertinmem.c to COMPLICATED_EXAMPLES - Fixed tests/libtest/libntlmconnect.c:52: warning: call to - '_curl_easy_getinfo_err_long' declared with attribute warning: - curl_easy_getinfo expects a pointer to long for this info + This prevents it from being built during a "make check" since it + depends on OpenSSL. -- sws.c: Fixed warning: 'err' may be used uninitialized in this function +Nick Zitzmann (2 Jul 2013) +- Merge branch 'master' of https://github.com/bagder/curl -- libntlmconnect.c: Fixed warning: comparison of signed/unsigned integer +- darwinssl: SSLv2 connections are aborted if unsupported by the OS - Windows does not use -1 to represent invalid sockets and the - SOCKET type is unsigned. + I just noticed that OS X no longer supports SSLv2. Other TLS engines return + an error if the requested protocol isn't supported by the underlying + engine, so we do that now for SSLv2 if the framework returns an error + when trying to turn on SSLv2 support. (Note: As always, SSLv2 support is + only enabled in curl when starting the app with the -2 argument; it's off + by default. SSLv2 is really old and insecure.) -- nss.c: Fixed warning: 'err' may be used uninitialized in this function +Marc Hoersken (1 Jul 2013) +- lib506.c: Fixed possible use of uninitialized variables -- tool_metalink.c: Fixed error: 'O_BINARY' undeclared +Kamil Dudka (30 Jun 2013) +- url: restore the functionality of 'curl -u :' - Check for O_BINARY which is not available on every system. - -- tool_metalink.c: Fixed validation of binary files containing EOF + This commit fixes a regression introduced in + fddb7b44a79d78e05043e1c97e069308b6b85f79. - Since Windows/MinGW threat 0x1A as the EOF character, reading binary - files which contain that byte does not work using text mode. - The read function will only read until the first 0x1A byte. This - means that the hash is not computed from the whole file and the - final validation check using hash comparision fails. + Reported by: Markus Moeller + Bug: http://curl.haxx.se/mail/archive-2013-06/0052.html -- winbuild: Added support for building with SPNEGO enabled - - Since Simple and Protected GSSAPI Negotiation Mechanism - is already implemented in curl and supported by the MinGW - builds, this change adds build support to winbuild makefiles. +Daniel Stenberg (25 Jun 2013) +- digest: append the timer to the random for the nonce -- winbuild: Adjusted order of options to generated config name +- digest: improve nonce generation - Cleaned up order of handled build options by ordering them - nearly alphabetically by using the order of the generated - config name. Preparation for future/more build options. - -Daniel Stenberg (9 Sep 2012) -- [Anthony Bryan brought this change] + Use the new improved Curl_rand() to generate better random nonce for + Digest auth. - MANUAL: clarified user+password in HTTP URLs +- curl.1: fix typo in --xattr description + + Bug: http://curl.haxx.se/bug/view.cgi?id=1252 + Reported-by: Jean-Noël Rouvignac -- RELEASE-NOTES: synced with 6c6f1f64c2 +- RELEASE-NOTES: synced with 365c5ba39591 - 6 bug fixes to mention, 5 contributors + The 10 first bug fixes for the pending release... -- TODO-RELEASE: CURLSSH_AUTH_AGENT and curl_multi_wait() are done +- formpost: better random boundaries + + When doing multi-part formposts, libcurl used a pseudo-random value that + was seeded with time(). This turns out to be bad for users who formpost + data that is provided with users who then can guess how the boundary + string will look like and then they can forge a different formpost part + and trick the receiver. + + My advice to such implementors is (still even after this change) to not + rely on the boundary strings being cryptographically strong. Fix your + code and logic to not depend on them that much! - -321 - CURLSSH_AUTH_AGENT patch by Armel Asselin + I moved the Curl_rand() function into the sslgen.c source file now to be + able to take advantage of the SSL library's random function if it + provides one. If not, try to use the RANDOM_FILE for seeding and as a + last resort keep the old logic, just modified to also add microseconds + which makes it harder to properly guess the exact seed. - -324 - curl_multi_select() vs curl_multi_fdvec() etc + The formboundary() function in formdata.c is now using 64 bit entropy + for the boundary and therefore the string of dashes was reduced by 4 + letters and there are 16 hex digits following it. The total length is + thus still the same. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1251 + Reported-by: "Floris" -Marc Hoersken (9 Sep 2012) -- curl_schannel.c: Reference count the credential/session handle +- printf: make sure %x are treated unsigned - Reference counting the credential handle should avoid that such a - handle is freed while it is still required for connection shutdown + When using %x, the number must be treated as unsigned as otherwise it + would get sign-extended on for example 64bit machines and do wrong + output. This problem showed when doing printf("%08x", 0xffeeddcc) on a + 64bit host. -Daniel Stenberg (8 Sep 2012) -- [Nick Zitzmann brought this change] +- tests: add test1395 to the tarball - darwinssl: fixed for older Mac OS X versions +- SIGPIPE: don't use 'data' in sigpipe restore - SSL didn't work on older cats if built on a newer cat with weak-linking - turned on to support the older cat - -- [David Blaikie brought this change] + Follow-up fix from 7d80ed64e43515. + + The SessionHandle may not be around to use when we restore the sigpipe + sighandler so we store the no_signal boolean in the local struct to know + if/how to restore. - tool_easysrc.c: Test pointers against NULL +- TODO: 1.8 Modified buffer size approach - While validating a new Clang diagnostic (-Wnon-literal-null-conversion - - yes, the name isn't quite correct in this case, but it suffices) I found - a few violations of it in Curl. + Thoughts around buffer sizes and what might be possible to do... -- SOCKS: truly disable it if CURL_DISABLE_PROXY is defined +- c-ares: improve error message on failed resolve - Bug: http://curl.haxx.se/bug/view.cgi?id=3561305 + When the c-ares based resolver backend failed to resolve a name, it + tried to show the name that failed from existing structs. This caused + the wrong output and shown hostname when for example --interface + [hostname] was used and that name resolving failed. - Patch by: Marcel Raad - -- mk-ca-bundle: detect start of trust section better + Now we use the hostname used in the actual resolve attempt in the error + message as well. - Each certificate section of the input certdata.txt file has a trust - section following it with details. + Bug: http://curl.haxx.se/bug/view.cgi?id=1191 + Reported-by: Kim Vandry + +- ossl_recv: check for an OpenSSL error, don't assume - This script failed to detect the start of the trust for at least one - cert[*], which made the script continue pass that section into the next - one where it found an 'untrusted' marker and as a result that certficate - was not included in the output. + When we recently started to treat a zero return code from SSL_read() as + an error we also got false positives - which primarily looks to be + because the OpenSSL documentation is wrong and a zero return code is not + at all an error case in many situations. - [*] = "Hellenic Academic and Research Institutions RootCA 2011" + Now ossl_recv() will check with ERR_get_error() to see if there is a + stored error and only then consider it to be a true error if SSL_read() + returned zero. - Bug: http://curl.haxx.se/mail/lib-2012-09/0019.html + Bug: http://curl.haxx.se/bug/view.cgi?id=1249 + Reported-by: Nach M. S. + Patch-by: Nach M. S. -- [Alessandro Ghedini brought this change] +Nick Zitzmann (22 Jun 2013) +- Merge branch 'master' of https://github.com/bagder/curl - gnutls: do not fail on non-fatal handshake errors +- darwinssl: fix crash that started happening in Lion - Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685402 - -- FILEFORMAT: the FTP commands work for more protocols + Something (a recent security update maybe?) changed in Lion, and now it + has changed SSLCopyPeerTrust such that it may return noErr but also give + us a null trust, which caught us off guard and caused an eventual crash. -- test1411: verify SMTP without SIZE support +Daniel Stenberg (22 Jun 2013) +- SIGPIPE: ignored while inside the library + + ... and restore the ordinary handling again when it returns. This is + done for curl_easy_perform() and curl_easy_cleanup() only for now - and + only when built to use OpenSSL as backend as this is the known culprit + for the spurious SIGPIPEs people have received. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1180 + Reported by: Lluís Batlle i Rossell -- [František Kučera brought this change] +- KNOWN_BUGS: #83 unable to load non-default openssl engines - SMTP: only send SIZE if supported +- test1396: invoke the correct test tool! - SMTP client will send SIZE parameter in MAIL FROM command only if server - supports it. Without this patch server might say "504 Command parameter - not implemented" and reject the message. - - Bug: http://curl.haxx.se/bug/view.cgi?id=3564114 + This erroneously run unit test 1310 instead of 1396! -- ftpserver: respond with a 250 to SMTP EHLO +Kamil Dudka (22 Jun 2013) +- test1230: avoid using hard-wired port number - ... and specify that SIZE is supported. 250 is the "correct" response - code according to RFC 2821 + ... to prevent failure when a non-default -b option is given -- RELEASE-NOTES: synced with abb0da919300e +- curl-config.in: replace tabs by spaces -Dan Fandrich (3 Sep 2012) -- Updated Symbian build files +Nick Zitzmann (22 Jun 2013) +- darwinssl: reform OS-specific #defines - This is untested, but at least Symbian still has a chance of - still working now. + This doesn't need to be in the release notes. I cleaned up a lot of the #if + lines in the code to use MAC_OS_X_VERSION_MIN_REQUIRED and + MAC_OS_X_VERSION_MAX_ALLOWED instead of checking for whether things like + __MAC_10_6 or whatever were defined, because for some SDKs Apple has released + they were defined out of place. + +Daniel Stenberg (22 Jun 2013) +- [Alessandro Ghedini brought this change] -- Updated build docs w.r.t. Android and binary sizes + docs: fix typo in curl_easy_getinfo manpage -Daniel Stenberg (1 Sep 2012) -- symbols-in-versions: new CURL_WAIT_* symbols +- dotdot: introducing dot file path cleanup + + RFC3986 details how a path part passed in as part of a URI should be + "cleaned" from dot sequences before getting used. The described + algorithm is now implemented in lib/dotdot.c with the accompanied test + case in test 1395. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1200 + Reported-by: Alex Vinnik -- [Sara Golemon brought this change] +- bump: start working towards what most likely will become 7.32.0 - Unit test for curl_multi_wait() +- THANKS: added 24 new contributors from the 7.31.0 release -- [Sara Golemon brought this change] +Version 7.31.0 (22 Jun 2013) - Manpage for curl_multi_wait(). +Daniel Stenberg (22 Jun 2013) +- RELEASE-NOTES: synced with 0de7249bb39a2 - 7.31.0 -- [Sara Golemon brought this change] +- unit1396: unit tests to verify curl_easy_(un)escape - multi: add curl_multi_wait() +- Curl_urldecode: no peeking beyond end of input buffer + + Security problem: CVE-2013-2174 + + If a program would give a string like "%FF" to curl_easy_unescape() but + ask for it to decode only the first byte, it would still parse and + decode the full hex sequence. The function then not only read beyond the + allowed buffer but it would also deduct the *unsigned* counter variable + for how many more bytes there's left to read in the buffer by two, + making the counter wrap. Continuing this, the function would go on + reading beyond the buffer and soon writing beyond the allocated target + buffer... - /* - * Name: curl_multi_wait() - * - * Desc: Poll on all fds within a CURLM set as well as any - * additional fds passed to the function. - * - * Returns: CURLMcode type, general multi error code. - */ - CURL_EXTERN CURLMcode curl_multi_wait(CURLM *multi_handle, - struct curl_waitfd extra_fds[], - unsigned int extra_nfds, - int timeout_ms); + Bug: http://curl.haxx.se/docs/adv_20130622.html + Reported-by: Timo Sirainen -- [Nick Zitzmann brought this change] +Guenter Knauf (20 Jun 2013) +- Use opened body.out file and write content to it. - darwinssl: Bugfix for previous commit for older cats +Daniel Stenberg (20 Jun 2013) +- multi_socket: react on socket close immediately - I accidentally broke functionality for versions of OS X prior to Mountain - Lion in the previous commit. This commit fixes the problems. + As a remedy to the problem when a socket gets closed and a new one is + opened with the same file descriptor number and as a result + multi.c:singlesocket() doesn't detect the difference, the new function + Curl_multi_closed() gets told when a socket is closed so that it can be + removed from the socket hash. When the old one has been removed, a new + socket should be detected fine by the singlesocket() on next invoke. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1248 + Reported-by: Erik Johansson -- [Joe Mason brought this change] +- RELEASE-NOTES: synced with e305f5ec715f - Use MAX_EASY_HANDLES instead of hardcoding the number of handles twice +- TODO: mention the DANE patch from March -- test2032: bail out after last transfer +- CURLOPT_COOKIELIST: take cookie share lock - The test would hang and get aborted with a "ABORTING TEST, since it - seems that it would have run forever." until I prevented that from - happening. + When performing COOKIELIST operations the cookie lock needs to be taken + for the cases where the cookies are shared among multiple handles! - I also fixed the data file which got broken CRLF line endings when I - sucked down the path from Joe's repo == my fault. + Verified by Benjamin Gilbert's updated test 506 - Removed #37 from KNOWN_BUGS as this fix and test case verifies exactly - this. + Bug: http://curl.haxx.se/bug/view.cgi?id=1215 + Reported-by: Benjamin Gilbert -- [Joe Mason brought this change] +- [Benjamin Gilbert brought this change] - NTLM: re-use existing connection better + test506: verify that CURLOPT_COOKIELIST takes share lock - If we need an NTLM connection and one already exists, always choose that - one. + It doesn't right now: http://curl.haxx.se/bug/view.cgi?id=1215 + +- TODO: HTTP2/SPDY support -- [Joe Mason brought this change] +- curl_easy_setopt.3: clarify CURLOPT_PROGRESSFUNCTION frequency + + Make it clearer that the CURLOPT_PROGRESSFUNCTION callback will be + called more frequently than once per second when things are happening. - NTLM: verify multiple connections work +- RELEASE-NOTES: synced with 9c3e098259b82 - Add test2032 to test that NTLM does not switch connections in the middle - of the handshake + Mention 7 recent bug fixes and their associated contributors -- curl.1: list the -w variables sorted alphabetically +- curl_multi_wait.3: clarify the numfds counter -- libcurl-share.3: remove wrong info of what can be shared +- curl_easy_perform: avoid busy-looping - "Currently you can only share DNS and/or COOKIE data" is incorrect since - also SSL sessions can be shared. + When curl_multi_wait() finds no file descriptor to wait for, it returns + instantly and this must be handled gracefully within curl_easy_perform() + or cause a busy-loop. Starting now, repeated fast returns without any + file descriptors is detected and a gradually increasing sleep will be + used (up to a max of 1000 milliseconds) before continuing the loop. - Bug: http://curl.haxx.se/bug/view.cgi?id=3562261 - Reported by: Joe Mason + Bug: http://curl.haxx.se/bug/view.cgi?id=1238 + Reported-by: Miguel Angel -- [Dave Reisner brought this change] +- [YAMADA Yasuharu brought this change] - examples: use do/while loop for multi examples + cookies: follow-up fix for path checking - It's conceivable that after the first time curl_multi_perform returns, - the outvalue still_running will be 0, but work will have been done. This - is shown by a workload of small, purely file:// based URLs. Ensure that - we always read pending messages off the multi handle by forcing the - while loop to run at least once. + The initial fix to only compare full path names were done in commit + 04f52e9b4db0 but found out to be incomplete. This takes should make the + change more complete and there's now two additional tests to verify + (test 31 and 62). -- curl.h: fix comment to refer to current names - - CURLOPT_USE_SSL should be set to CURLUSESSL_* and nothing else in modern - libcurl versions. +- [Sergei Nikulov brought this change] -- ftpsget: simple example showing a FTPS fetch + lib1900: use tutil_tvnow instead of gettimeofday + + Makes it build on windows -- sftpget: SFTP is not "SSH FTP" +- [Eric Hu brought this change] -- [Armel Asselin brought this change] + axtls: now done non-blocking - sftpget: example showing a simple SFTP download - - ... using SSH-agent +- [Eric Hu brought this change] -- curl_multi_perform.3: extended/clarified + test2033: requires NTLM support -- INSTALL.cmake: clarify some flaws/limits in the cmake build +- KNOWN_BUGS: #82 failed build with Borland compiler -- https.c example: spell check used define +- Curl_output_digest: support auth-int for empty entity body - Bug: http://curl.haxx.se/bug/view.cgi?id=3559845 - Reported by: Olivier Berger - -- configure: update the copyright years for the output + By always returning the md5 for an empty body when auth-int is asked + for, libcurl now at least sometimes does the right thing. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1235 + Patched-by: Nach M. S. -- [Nick Zitzmann brought this change] +- multi_socket: reduce timeout inaccuracy margin + + Allow less room for "triggered too early" mistakes by applications / + timers on non-windows platforms. Starting now, we assume that a timeout + call is never made earlier than 3 milliseconds before the actual + timeout. This greatly improves timeout accuracy on Linux. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1228 + Reported-by: Hang Su - darwinssl: add TLS 1.1 and 1.2 support, replace deprecated functions +- cert_stuff: avoid double free in the PKCS12 code + + In the pkcs12 code, we get a list of x509 records returned from + PKCS12_parse but when iterating over the list and passing each to + SSL_CTX_add_extra_chain_cert() we didn't also properly remove them from + the "stack", which made them get freed twice (both in sk_X509_pop_free() + and then later in SSL_CTX_free). - In Mountain Lion, Apple added TLS 1.1 and 1.2, and deprecated a number - of SecureTransport functions, some of which we were using. We now check - to see if the replacement functions are present, and if so, we use them - instead. The old functions are still present for users of older - cats. Also fixed a build warning that started to appear under Mountain - Lion + This isn't really documented anywhere... + + Bug: http://curl.haxx.se/bug/view.cgi?id=1236 + Reported-by: Nikaiw -- curl_easy_setopt: documented CURLSOCKTYPE_ACCEPT for SOCKOPTFUNCTION +- cert_stuff: remove code duplication in the pkcs12 logic -- [Gokhan Sengun brought this change] +- [Aleksey Tulinov brought this change] - ftp: active conn, place calling sockopt callback at the end of function + axtls: honor disabled VERIFYHOST - Commit b91d29a28e170c16d65d956db79f2cd3a82372d2 introduces a bug and breaks Curl_closesocket function. sock_accepted flag for the second socket should be tagged as TRUE before the sockopt callback is called because in case the callback returns an error, Curl_closesocket function is going to call the - fclosesocket - callback for the accept()ed socket + When VERIFYHOST == 0, libcurl should let invalid certificates to pass. -- [Gokhan Sengun brought this change] +- [Peter Gal brought this change] - ftp: active conn, allow application to set sockopt after accept() call + curl_easy_setopt.3: HTTP header with no content - For active FTP connections, applications may need setting the sockopt after accept() call returns successful. This fix gives a call to the callback registered with CURL_SOCKOPTFUNCTION option. Also a new sock type - CURLSOCKTYPE_ACCEPT - is added. This type is to be passed to application callbacks with - purpose - parameter. Applications may use this parameter to distinguish between socket types. + Update the documentation on how to specify a HTTP header with no + content. -- configure: remove the --enable/disable-nonblocking options +- RELEASE-NOTES: synced with 87cf677eca55 - Removing this option as it currently only functions to lure people into - wrongly using it and falsely believing that libcurl will work fine - without using nonblocking sockets internally - which leads to hard to - track or understand errors. - -- [Ant Bryan brought this change] + Added 11 bugs and 7 contributors - MANUAL review +- lib1500: remove bad check + + After curl_multi_wait() returns, this test checked that we got exactly + one file descriptor told to read from, but we cannot be sure that is + true. curl_multi_wait() will sometimes return earlier without any file + descriptor to handle, just just because it is a suitable time to call + *perform(). + + This problem showed up with commit 29bf0598. + + Bug: http://curl.haxx.se/mail/lib-2013-06/0029.html + Reported-by: Fabian Keil -- curl.1: shorten lines, avoid referring to libcurl instead of curl +- tests/Makefile: typo in the perlcheck target + + Bug: http://curl.haxx.se/bug/view.cgi?id=1239 + Reported-by: Christian Weisgerber -- [Ant Bryan brought this change] +- test1230: verify CONNECT to a numerical ipv6-address - curl.1: fix more consistent wording +- sws: support extracting test number from CONNECT ipv6-address! - "If this option is used several times, the last one will be used." - uniformity + If an ipv6-address is provided to CONNECT, the last hexadecimal group in + the address will be used as the test number! For example the address + "[1234::ff]" would be treated as test case 255. -- ssh: use the libssh2 agent API conditionally +- curl_multi_wait: only use internal timer if not -1 + + commit 29bf0598aad5 introduced a problem when the "internal" timeout is + prefered to the given if shorter, as it didn't consider the case where + -1 was returned. Now the internal timeout is only considered if not -1. - Commit e351972bc89aa4c brought in the ssh agent support but some uses of - the libssh2 agent API was done unconditionally which wasn't good enough - since that API hasn't always been present. + Reported-by: Tor Arntsen + Bug: http://curl.haxx.se/mail/lib-2013-06/0015.html -- white space fix: shorten long line +Dan Fandrich (3 Jun 2013) +- libcurl-tutorial.3: added a section on IPv6 - ... to please checksrc.pl + Also added a (correctly-escaped) backslash to the autoexec.bat + example file and a new Windows character device name with + a colon as examples of other characters that are special + and potentially dangerous (this reverts and reworks commit + 7d8d2a54). -Kamil Dudka (9 Aug 2012) -- docs: update the links to cipher-suites supported by NSS +Daniel Stenberg (3 Jun 2013) +- curl_multi_wait: reduce timeout if the multi handle wants to - ... and make the list of cipher-suites in nss.c readable by humans. + If the multi handle's pending timeout is less than what is passed into + this function, it will now opt to use the shorter time anyway since it + is a very good hint that the handle wants to process something in a + shorter time than what otherwise would happen. - Bug: http://curl.haxx.se/mail/archive-2012-08/0016.html - -- nss: do not print misleading NSS error codes + curl_multi_wait.3 was updated accordingly to clarify + + This is the reason for bug #1224 + + Bug: http://curl.haxx.se/bug/view.cgi?id=1224 + Reported-by: Andrii Moiseiev -Daniel Stenberg (8 Aug 2012) -- RELEASE-NOTES: synced with 0774386b23 +- multi_runsingle: switch an if() condition for readability - 5 more bug fixes, one change, 6 contributors + ... because there's an identical check right next to it so using the + operators in the check in the same order increases readability. -- [Armel Asselin brought this change] +Marc Hoersken (2 Jun 2013) +- curl_schannel.c: Removed variable unused since 35874298e4 - docs: mention CURLSSH_AUTH_AGENT +- curl_setup.h: Fixed redefinition warning using mingw-w64 -- [Armel Asselin brought this change] +Daniel Stenberg (30 May 2013) +- multi_runsingle: add braces to clarify the code - SSH: added agent based authentication +- libcurl-tutorial.3: remove incorrect backslash - CURLSSH_AUTH_AGENT is a new auth type for SSH + A single backslash in the content is not legal nroff syntax. + + Reported and fixed by: Eric S. Raymond + Bug: http://curl.haxx.se/bug/view.cgi?id=1234 -- bump version to 7.28.0 +- curl_formadd.3: fixed wrong "end-marker" syntax - I am about to merge the first patch that adds changes into the pending - release, and thus we bump the minor number. + Reported and fixed by: Eric S. Raymond + Bug: http://curl.haxx.se/bug/view.cgi?id=1233 -- RELEASE-NOTES: added missing link +- curl.1: clarify that --silent still outputs data -- curl_version: fixed Value stored to 'len' is never read +- Digest auth: escape user names with \ or " in them + + When sending the HTTP Authorization: header for digest, the user name + needs to be escaped if it contains a double-quote or backslash. - Fixed this (harmless) clang-analyzer warning. Also fixed the source - indentation level. + Test 1229 was added to verify + + Reported and fixed by: Nach M. S + Bug: http://curl.haxx.se/bug/view.cgi?id=1230 -- TODO-RELEASE: the (nil) bug is fixed +- [Mike Giancola brought this change] -- add_next_timeout: minor restructure of code + ossl_recv: SSL_read() returning 0 is an error too - By reading the ->head pointer and using that instead of the ->size - number to figure out if there's a list remaining we avoid the (false - positive) clang-analyzer warning that we might dereference of a null - pointer. + SSL_read can return 0 for "not successful", according to the open SSL + documentation: http://www.openssl.org/docs/ssl/SSL_read.html -- verbose messages: fixed output of hostnames in re-used connections - - I suspect this is a regression introduced in commit 207cf150, included - since 7.24.0. +- [Mike Giancola brought this change] + + ossl_send: SSL_write() returning 0 is an error too - Avoid showing '(nil)' as hostname in verbose output by making sure the - hostname fixup function is called early enough to set the pointers that - are used for this. The name data is set again for each request even for - re-used connections to handle multiple hostnames over the same - connection (like with proxy) or that the casing etc of the host name is - changed between requests (which has proven to be important at least once - in the past). + We found that in specific cases if the connection is abruptly closed, + the underlying socket is listed in a close_wait state. We continue to + call the curl_multi_perform, curl_mutli_fdset etc. None of these APIs + report the socket closed / connection finished. Since we have cases + where the multi connection is only used once, this can pose a problem + for us. I've read that if another connection was to come in, curl would + see the socket as bad and attempt to close it at that time - + unfortunately, this does not work for us. - Test1011 was modified to use a redirect with a re-used a connection - since it then showed the bug and now lo longer does. There's currently - no easy way to have the test suite detect 'nil' texts in verbose ouputs - so no tests will detect if this problem gets reintroduced. + I found that in specific situations, if SSL_write returns 0, curl did + not recognize the socket as closed (or errored out) and did not report + it to the application. I believe we need to change the code slightly, to + check if ssl_write returns 0. If so, treat it as an error - the same as + a negative return code. - Bug: http://curl.haxx.se/mail/lib-2012-07/0111.html - Reported by: Gisle Vanem - -- [Nick Zitzmann brought this change] - - metalink: Un-broke the build when building --with-darwinssl + For OpenSSL - the ssl_write documentation is here: + http://www.openssl.org/docs/ssl/SSL_write.html -Guenter Knauf (8 Aug 2012) -- Fix some compiler warnings. +- KNOWN_BUGS: curl -OJC- fails to resume + + Bug: http://curl.haxx.se/bug/view.cgi?id=1169 -Daniel Stenberg (8 Aug 2012) -- TODO-RELEASE: two bugs fixed +- Curl_cookie_add: handle IPv6 hosts - These are now addressed: + 1 - don't skip host names with a colon in them in an attempt to bail out + on HTTP headers in the cookie file parser. It was only a shortcut anyway + and trying to parse a file with HTTP headers will still be handled, only + slightly slower. - 323 - patch - select.c / Curl_socket_check() interrupted + 2 - don't skip domain names based on number of dots. The original + netscape cookie spec had this oddity mentioned and while our code + decreased the check to only check for two, the existing cookie spec has + no such dot counting required. - 325 - Avoid leak of local device string when reusing connection + Bug: http://curl.haxx.se/bug/view.cgi?id=1221 + Reported-by: Stefan Neis -- curl.1: minor format fix for --data-ascii +- curl_easy_setopt.3: expand the PROGRESSFUNCTION section - ... and removal of trailing whitespace on a single line - -- [Ant Bryan brought this change] + Explain the callback and its arguments better and with more descriptive + text. - curl man page cleanup +- tests: add test1394 file to the tarball -- [Mike Crowe brought this change] +- tarball: include the xmlstream example - Avoid leak of local device string when reusing connection - - Ensure that the copy of the CURLOPT_INTERFACE string is freed if we - decide we can reuse an existing connection. +- [David Strauss brought this change] -- Curl_socket_check: fix timeout return value for select users + xmlstream: XML stream parsing example source code - This is the same fix applied for the conditional code that uses select() - that was already done for the poll specific code in commit - b61e8b81f5038. + Add an XML stream parsing example using Expat. Add missing ignore for + the binary from an unrelated example. -- [Maxime Larocque brought this change] +- [YAMADA Yasuharu brought this change] - Curl_socket_check: fix return code for timeout - - We found a problem with ftp transfer using libcurl (7.23 and 7.25) - inside an application which is receiving unix signals (SIGUSR1, - SIGUSR2...) almost continuously. (Linux 2.4, PowerPC, HAVE_POLL_FINE - defined). + cookies: only consider full path matches - Curl_socket_check() uses poll() to wait for the socket, and retries it - when a signal is received (EINTR). However, if a signal is received and - it also happens that the timeout has been reached, Curl_socket_check() - returns -1 instead of 0 (indicating an error instead of a timeout). + I found a bug which cURL sends cookies to the path not to aim at. + For example: + - cURL sends a request to http://example.fake/hoge/ + - server returns cookie which with path=/hoge; + the point is there is NOT the '/' end of path string. + - cURL sends a request to http://example.fake/hogege/ with the cookie. - In our case, the result is an aborted connection even before the ftp - banner is received from the server, and a return value of - CURLE_OUT_OF_MEMORY from curl_easy_perform() (Curl_pp_multi_statemach(), - in pingpong.c, actually returns OOM if Curl_socket_check() fails :-) - Funny to debug on a system on which OOM is a possible cause). + The reason for this old "feature" is because that behavior is what is + described in the original netscape cookie spec: + http://curl.haxx.se/rfc/cookie_spec.html - Bug: http://curl.haxx.se/mail/lib-2012-07/0122.html + The current cookie spec (RFC6265) clarifies the situation: + http://tools.ietf.org/html/rfc6265#section-5.2.4 -- RELEASE-NOTES: synced with b4a558041fdf65c0 +- [Eric Hu brought this change] -- TODO-RELEASE: fixed another bug - - bug #3544688 "crash during retry with libcurl and SFTP" + axtls: prevent memleaks on SSL handshake failures -- WSAPoll: disabled on all windows builds +- Revert "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage" - Due to WSAPoll bugs, libcurl does not work as intended. When the cURL - library is used to setup a connection to an incorrect port, normally the - result is CURLE_COULDNT_CONNECT, /* 7 */, but due to the bug in WSAPoll, - the result now is CURLE_OPERATION_TIMEDOUT, /* 28 - the timeout time was - reached */. + This reverts commit 8ec2cb5544b86306b702484ea785b6b9596562ab. - On August 1, Jan Koen Annot opened a case for this to Microsoft Premier - Online (https://premier.microsoft.com/). The support engineer handling - the case wrote that the case description is quite clear. He will try to - reproduce the issue and then proceed with troubleshooting it. + We don't have any code anywhere in libcurl (or the curl tool) that use + wcsdup so there's no such memory use to track. It seems to cause mild + problems with the Borland compiler though that we may avoid by reverting + this change again. - Reported by: Jan Koen Annot - Bug: http://curl.haxx.se/mail/lib-2012-07/0310.html + Bug: http://curl.haxx.se/mail/lib-2013-05/0070.html -- retry request: only access the HTTP data if in fact HTTP - - When figuring out if the data stream needs to be rewound when the - request is to be resent, we must not access the HTTP struct unless the - protocol used is indeed HTTP... - - Bug: http://curl.haxx.se/bug/view.cgi?id=3544688 +- RELEASE-NOTES: synced with ae26ee3489588f0 -- TODO: support DANE, we already support gnutls without gcrypt +Guenter Knauf (11 May 2013) +- Updated zlib version in build files. -- curl-config: parentheses fix - - Braces, not parentheses, should be used for shell variable names. - - Bug: http://curl.haxx.se/bug/view.cgi?id=3551460 - Reported by: Edward Sheldrake +Daniel Stenberg (9 May 2013) +- [Renaud Guillard brought this change] -- VC build: add define for openssl - - This fixes a build failure of lib/ssluse.c. - - Bug: http://curl.haxx.se/bug/view.cgi?id=3552997 + OS X framework: fix invalid symbolic link -- TODO-RELEASE: two bugs fixed! +Kamil Dudka (9 May 2013) +- [Daniel Stenberg brought this change] -- globbing: fix segfault when >9 globs were used + nss: give PR_INTERVAL_NO_WAIT instead of -1 to PR_Recv/PR_Send - Stupid lack of range checks caused the code to overwrite local variables - after glob number nine. Added checks now. - - Bug: http://curl.haxx.se/bug/view.cgi?id=3546353 + Reported by: David Strauss + Bug: http://curl.haxx.se/mail/lib-2013-05/0088.html -- [Joe Mason brought this change] +Daniel Stenberg (8 May 2013) +- libtest: gitignore more binary files - sws: close sockets properly - - Fix a bug where closed sockets (fd -1) were left in the all_sockets - list, because of missing parens in a pointer arithmetic expression +- servercert: allow empty subject - Reenable the tests that were locking up due to this bug. - -- [Joe Mason brought this change] + Bug: http://curl.haxx.se/bug/view.cgi?id=1220 + Patch by: John Gardiner Myers - Remove debug logs that were accidentally checked in +- [Steve Holme brought this change] -- [Joe Mason brought this change] + tests: Added new SMTP tests to verify commit 99b40451836d - Use select in sws, which has better cross-platform support than poll +- runtests.pl: support nonewline="yes" in client/stdin sections -- [Joe Mason brought this change] +- build: fixed unit1394 for debug and metlink builds - Use cross-platform curlx_nonblock instead of fcntl in sws +Kamil Dudka (6 May 2013) +- unit1394.c: plug the curl tool unit test in -- operate: fix clang-analyzer warnings for never read variables - - Two separate "Value stored to 'XXX' is never read" warnings +- [Jared Jennings brought this change] -- operate: fix clang-analyzer warning - - Value stored to 'separator' is never read + unit1394.c: basis of a unit test for parse_cert_parameter() -- metalink: change code order to build with gnutls-nettle - - Bug: http://curl.haxx.se/bug/view.cgi?id=3554668 - Reported by: Anthony G. Basile +- src/Makefile.am: build static lib for unit tests if enabled -- gtls: fix build failure by including nettle-specific headers - - Bug: http://curl.haxx.se/bug/view.cgi?id=3554668 - Reported by: Anthony G. Basile +- tool_getparam: ensure string termination in parse_cert_parameter() -Guenter Knauf (6 Aug 2012) -- Fixed compiler warning - argument is type long. +- tool_getparam: fix memleak in handling the -E option -Daniel Stenberg (6 Aug 2012) -- DISABLED: disable the new tests that do NTLM +- tool_getparam: describe what parse_cert_parameter() does - The tests 2025, 2028 and 2031 don't work for me so I'll have them - disabled for now until we solve the problem. + ... and de-duplicate the code initializing *passphrase -Joe Mason (3 Aug 2012) -- Add tests of auth retries +- curl.1: document escape sequences recognized by -E -- Cleanup handshake after clean NTLM failure +- [Jared Jennings brought this change] -- Zero out auth structs before transfer + curl -E: allow to escape ':' in cert nickname -- Add a polling loop in main to read from more than one socket at once. Add the O_NONBLOCK and - SO_KEEPALIVE flag to all sockets. Note that several loops which used to continue on a return value - of 0 (theoretical since 0 would never be returned without O_NONBLOCK) now break on 0 so that they - won't continue reading until after poll is called again. +Marc Hoersken (5 May 2013) +- curl_schannel.c: Fixed invalid memory access during SSL shutdown -- Change return values of get_request, accept_connection and service_connection to add a return code - for non-blocking sockets: now -1 means error or connection finished, 1 means data was read, and 0 - means there is no data available now so need to wait for poll (new return value) +Steve Holme (4 May 2013) +- smtp: Fix trailing whitespace warning -- Hoist the loop out of get_request, and make sure that it can be reentered when a request is - half-finished. - - Note the the req struct used to be re-initialized AFTER reading pipeline data, so now that we - initialize it from the caller we must be careful not to overwrite the pipeline data. - - Also we now need to handle the case where the buffer is already full when get_request is called - - previously this never happened as it was always called with an empty buffer and looped until done. +- smtp: Fix compilation warning - Now get_request is called in a loop, so the next step is to run the loop on a socket only when poll - signals it is readable. + comparison between signed and unsigned integer expressions -- Move blocks of code from the sws main loop into their own functions for easier refactoring later. - The next step will be to call the correct function after a poll, rather than looping unconditionally +- RELEASE-NOTES: synced with 92ef5f19c801 -- Remove the --fork option of sws, since it makes refactoring to use poll more complicated and should - be redundant once we poll +- smtp: Updated RFC-2821 references to RFC-5321 -Kamil Dudka (30 Jul 2012) -- file: use fdopen() for uploaded files if available +- smtp: Fixed sending of double CRLF caused by first in EOB - It eliminates noisy events when using inotify and fixes a TOCTOU issue. + If the mail sent during the transfer contains a terminating <CRLF> then + we should not send the first <CRLF> of the EOB as specified in RFC-5321. - Bug: https://bugzilla.redhat.com/844385 + Additionally don't send the <CRLF> if there is "no mail data" as the + DATA command already includes it. -Guenter Knauf (29 Jul 2012) -- Added DWANT_IDN_PROTOTYPES define for MSVC too. +- tests: Corrected MAIL SIZE for CRLF line endings - Discussion on the list: http://curl.haxx.se/mail/lib-2012-07/0271.html + ... which was missed in commit: f5c3d9538452 -- Added Win32 problems. - -- Added hint to read docs/INSTALL too. - -- Added new file to distro. - -Steve Holme (28 Jul 2012) -- TODO: Updated after 7.27.0 release - - Removed APOP and SASL authentication from the POP3 section and metalink - support from the client section as these features were implemented in - this release. +- tests: Corrected infilesize for CRLF line endings - Moved adding gssapi to SASL into it's own section rather than repeat it - for each protocol. + ... which was missed in commit: f5c3d9538452 -Daniel Stenberg (28 Jul 2012) -- TODO-RELEASE: updated after 7.27.0 release +- tests: Corrected test1406 to be RFC2821 compliant -- THANKS: 12 new contributors from the 7.27.0 release +- tests: Corrected test1320 to be RFC2821 compliant -- version bump: start towards next release +- tests: Corrected typo in test909 - Let's call it 7.27.1 for now, but it it probably going to become 7.28.0 - when released. + Introduced in commit: 514817669e9e -Version 7.27.0 (27 Jul 2012) +- tests: Corrected test909 to be RFC2821 compliant -Guenter Knauf (27 Jul 2012) -- Fixed compiler warning 'unused parameter'. - -- Added prototypes to kill compiler warning. - -- Added --with-winidn to configure. +- tests: Updated test references to 909 from 1411 - This needs another look from the configure experts. I tested that - it works so far with MinGW64 cross-compiler; libcurl builds and - links fine, but curl not yet ... + ...and removed references to libcurl and test1406. -Daniel Stenberg (27 Jul 2012) -- [Ant Bryan brought this change] +- tests: Renamed test1411 to test909 as this is a main SMTP test - Update man page info on --metalink and typo. +Daniel Stenberg (1 May 2013) +- [Lars Johannesen brought this change] -- RELEASE-NOTES: remove mentioned of bug never in a release + bindlocal: move brace out of #ifdef - The --silent bug came with 7561a0fc834c435 which was never in a release. - Pointed out by Kamil Dudka - -- RELEASE-NOTES: synced with 33b815e894fb + The code within #ifdef HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID wrongly had two + closing braces when it should only have one, so builds without that + define would fail. - 4 more bugfixes, 3 more contributors + Bug: http://curl.haxx.se/mail/lib-2013-05/0000.html -Guenter Knauf (26 Jul 2012) -- Changed Windows IDN text to 'WinIDN'. +Steve Holme (30 Apr 2013) +- smtp: Tidy up to move the eob counter to the per-request structure - Synced the output to the same short form as we now use for - Windows SSL (WinSSL). + Move the eob counter from the smtp_conn structure to the SMTP structure + as it is associated with a SMTP payload on a per-request basis. -Daniel Stenberg (25 Jul 2012) -- [Nick Zitzmann brought this change] +- TODO: Updated following the addition of CURLOPT_SASL_IR - darwinssl: fixed freeze involving the multi interface +- smtp: Fixed unknown percentage complete in progress bar - Previously the curl_multi interface would freeze if darwinssl was - enabled and at least one of the handles tried to connect to a Web site - using HTTPS. Removed the "wouldblock" state darwinssl was using because - I figured out a solution for our "would block but in which direction?" - dilemma. + The curl command line utility would display the the completed progress + bar with a percentage of zero as the progress routines didn't know the + size of the transfer. -Guenter Knauf (25 Jul 2012) -- Added support for tls-srp to MinGW builds. - -Daniel Stenberg (24 Jul 2012) -- curl_easy_setopt: fix typo +Daniel Stenberg (29 Apr 2013) +- ftpserver: silence warnings - Reported by: Santhana Todatry + Fix regressions in commit b56e3d43e5d. Make @data local and filter off + non-numerical digits from $testno in STATUS_imap. -- keepalive: multiply value for OS-specific units - - DragonFly uses milliseconds, while our API and Linux use full seconds. +Steve Holme (29 Apr 2013) +- ftpserver.pl: Corrected the imap LOGIN response - Reported by: John Marino - Bug: http://curl.haxx.se/bug/view.cgi?id=3546257 + ...to be more realistic and consistent with the other imap responses. -Kamil Dudka (22 Jul 2012) -- http: print reason phrase from HTTP status line on error - - Bug: https://bugzilla.redhat.com/676596 +- tests: Added imap STATUS command test -- tool_operate: fix misplaced initialization of orig_noprogress +- tests: Corrected the SMTP tests to be RFC2821 compliant - ... and orig_isatty which caused --silent to be entirely ignored in case - the standard output was redirected to a file! - -Daniel Stenberg (21 Jul 2012) -- [Anton Yabchinskiy brought this change] + The emails that are sent to the server during these tests were + incorrectly formatted as they contained one or more LF terminated lines + rather than being CRLF terminated as per Section 2.3.7 of RFC-2821. + + This wasn't a problem for the test suite as the <stdin> data matched the + <upload> data but anyone using these tests as reference would be sending + incorrect data to a server. - Client's "qop" value should not be quoted (RFC2617, section 3.2.2). +- email: Tidy up of *_perform_authenticate() + + Removed the hard returns from imap and pop3 by using the same style for + sending the authentication string as smtp. Moved the "Other mechanisms + not supported" check in smtp to match that of imap and pop3 to provide + consistency between the three email protocols. -Guenter Knauf (21 Jul 2012) -- Fixed typo. +- smtp: Updated limit check to be more readable like the check in pop3 -Daniel Stenberg (20 Jul 2012) -- make: make distclean work again +- pop3: Added 255 octet limit check when sending initial response - The clean-local hook needed some polish to make sure make distclean - works. Added comment describing why. - -- test Makefile: only feature 'unit' once in the list of dirs + Added 255 octet limit check as per Section 4. Paragraph 8 of RFC-5034. -Dan Fandrich (20 Jul 2012) -- Fixed some typos in documentation +- DOCS: Corrected line length of recent Secure Transport changes -Guenter Knauf (20 Jul 2012) -- Fixed CR issue with Win32 version on MSYS. +Nick Zitzmann (27 Apr 2013) +- darwinssl: add TLS crypto authentication - Previous fix didnt work on Linux ... + Users using the Secure Transport (darwinssl) back-end can now use a + certificate and private key to authenticate with a site using TLS. Because + Apple's security system is based around the keychain and does not have any + non-public function to create a SecIdentityRef data structure from data + loaded outside of the Keychain, the certificate and private key have to be + loaded into the Keychain first (using the certtool command line tool or + the Security framework's C API) before we can find it and use it. -- Fixed CR issue with Win32 version on MSYS. +Steve Holme (27 Apr 2013) +- Corrected version numbers after bump -- Fixed MSYS <-> Windows path convertion. +Daniel Stenberg (27 Apr 2013) +- bump version - Replaced the Windows real path from mount hack with a more - reliable and simpler hack: the MSYS shell has a builtin pwd - which understands a -W option which does convertion to Windows - paths. Tested and confirmed that this works on all MSYS versions - I have back to a 3 year old one. + Since we're adding new stuff, the next release will bump the minor + version and we're looking forward to 7.31.0 -- Follow-up fix to detect SSL libs with MinGW. +Steve Holme (27 Apr 2013) +- RELEASE-NOTES: synced with f4e6e201b146 + +- DOCS: Updated following the addition of CURLOPT_SASL_IR - 1) the check for winssl needs to come before nss check - 2) the SSL checks must begin with a new if or else we will - never find any SSL lib with MinGW. + Documented the the option in curl_easy_setopt() and added it to + symbols-in-versions. -- Tell git to not convert configure-related files. +- tests: Corrected command line arguments in test907 and test908 -- Trial to teach runtests.pl about WinSSL. +- tests: Added SMTP AUTH with initial response tests -- Fixed warning 'uninitialized value in numeric gt'. +- tests: Updated SMTP tests to decouple client initial response - This is a MSYS/MinGW-only warning; full warning text is: - Use of uninitialized value in numeric gt (>) at ../../curl/tests/runtests.pl line 2227. + Updated test903 and test904 following the addition of CURLOPT_SASL_IR + as the default behaviour of SMTP AUTH responses is now to not include + the initial response. New tests with --sasl-ir support to follow. -Daniel Stenberg (15 Jul 2012) -- RELEASE-NOTES: synced with 9d11716933616 +- imap: Added support for overriding the SASL initial response - Fixed 6 bugs, added 3 contributors + In addition to checking for the SASL-IR capability the user can override + the sending of the client's initial response in the AUTHENTICATION + command with the use of CURLOPT_SASL_IR should the server erroneously + not report SASL-IR when it does support it. -- multi_runsingle: added precaution against easy_conn NULL pointer +- smtp: Added support for disabling the SASL initial response + + Updated the default behaviour of sending the client's initial response in the AUTH + command to not send it and added support for CURLOPT_SASL_IR to allow the user to + specify including the response. - In many states the easy_conn pointer is referenced and just assumed to - be working. This is an added extra check since analyzing indicates - there's a risk we can end up in these states with a NULL pointer there. + Related Bug: http://curl.haxx.se/mail/lib-2012-03/0114.html + Reported-by: Gokhan Sengun -- getparam: fix the GetStr() macro +- pop3: Added support for enabling the SASL initial response - It should return PARAM_NO_MEM if the strdup fails. Spotted by - clang-analyzer + Allowed the user to specify whether to send the client's intial response + in the AUTH command via CURLOPT_SASL_IR. -Guenter Knauf (15 Jul 2012) -- Tell git to not convert configure-related files. +- sasl-ir: Added --sasl-ir option to curl command line tool -Daniel Stenberg (13 Jul 2012) -- parse_proxy: remove dead assignment - - Spotted by clang-analyzer +- sasl-ir: Added CURLOPT_SASL_IR to enable/disable the SASL initial response -- ftp_do_more: add missing check of return code +Daniel Stenberg (26 Apr 2013) +- curl_easy_init: use less mallocs - Spotted by clang-analyzer. The return code was never checked, just - stored. - -- getinfo: use va_end and cut off Curl_ from static funcs + By introducing an internal alternative to curl_multi_init() that accepts + parameters to set the hash sizes, easy handles will now use tiny socket + and connection hash tables since it will only ever add a single easy + handle to that multi handle. - va_end() needs to be used after va_start() and we don't normally use - Curl_ prefixes for purely static functions. + This decreased the number mallocs in test 40 (which is a rather simple + and typical easy interface use case) from 1142 to 138. The maximum + amount of memory allocated used went down from 118969 to 78805. -- [Philip Craig brought this change] - - Split up Curl_getinfo +Steve Holme (26 Apr 2013) +- ftpserver.pl: Fixed imap logout confirmation data - This avoids false positives from clang's scan-build. - -Guenter Knauf (12 Jul 2012) -- Added error checking for curl_global_init(). - -- Added curl_global_* functions. + An IMAP server should response with the BYE continuation response before + confirming the LOGOUT command was successful. -- Minor fixes to MinGW makefiles. - -Daniel Stenberg (12 Jul 2012) -- docs: mention CURL_GLOBAL_DEFAULT - -Guenter Knauf (12 Jul 2012) -- Added curl_global_* functions. - -Daniel Stenberg (12 Jul 2012) -- tests: verify the stricter numeric option parser +Daniel Stenberg (26 Apr 2013) +- ftp_state_pasv_resp: connect through proxy also when set by env - Test 1409 and 1410 verifies the stricter numeric option parser - introduced the other day in commit f2b6ebed7b. - -- SWS: use of uninitialized memory fix + When connecting back to an FTP server after having sent PASV/EPSV, + libcurl sometimes didn't use the proxy properly even though the proxy + was used for the initial connect. - I made "connmon" not get initialized properly before use, and I use the - big hammer and make sure we always clear the entire struct to avoid any - problem like this in the future. - -- test48: verify that HEAD doesn't close extra + The function wrongly checked for the CURLOPT_PROXY variable to be set, + which made it act wrongly if the proxy information was set with an + environment variable. - Two commits ago, we fixed a bug where the connction would be closed - prematurely after a HEAD. Now I added connection-monitor to test 48 and - added a second HEAD and make sure that both are sent over the same - connection. + Added test case 711 to verify (based on 707 which uses --socks5). Also + added test712 to verify another variation of setting the proxy: with + --proxy socks5:// - This triggered a failure before the bug fix and now works. Will help us - avoid a future regression of this kind. + Bug: http://curl.haxx.se/bug/view.cgi?id=1218 + Reported-by: Zekun Ni -- connection-monitor: always log disconnect when enabled - - This makes verifying easier and makes us more sure curl closes the - connection only at the correct point in time. Adjusted test 206 and 1008 - accordingly and updated the docs for it. +Kamil Dudka (26 Apr 2013) +- [Zdenek Pavlas brought this change] -- HEAD: don't force-close after response-headers + url: initialize speed-check data for file:// protocol - A HEAD response has no body length and gets the headers like the - corresponding GET would so it should not get closed after the response - based on the same rules. This mistake caused connections that did HEAD - to get closed too often without a valid reason. + ... in order to prevent an artificial timeout event based on stale + speed-check data from a previous network transfer. This commit fixes + a regression caused by 9dd85bced56f6951107f69e581c872c1e7e3e58e. - Bug: http://curl.haxx.se/bug/view.cgi?id=3542731 - Reported by: Eelco Dolstra + Bug: https://bugzilla.redhat.com/906031 -Guenter Knauf (12 Jul 2012) -- Removed trailing empty strings from awk script. +Daniel Stenberg (25 Apr 2013) +- test709: clarify the test in the name -- Cleaned up version awk script. - -- Added project copyright header. +- sshserver: disable StrictHostKeyChecking + + I couldn't figure out why the host key logic isn't working, but having + it set to yes prevents my SSH-based test cases to run. I also don't see + a strong need to use strict host key checking on this test server. + + So I disabled it. -- Removed libcurl.imp from Makefile.am. +- runtests: log more commands in verbose mode - Updated .gitignore for NetWare created files. + ... to aid tracking down failures -- Added missing dependency to export list. +Steve Holme (25 Apr 2013) +- TODO: Corrected copy/paste typo -- Fixed export list path. +- TODO: Added new ideas for future SMTP, POP3 and IMAP features -- Changed NetWare build to generate export list. +- TODO: Updated following the addition of ;auth=<MECH> support -- Added pointer to FAQ for linkage errors. +- DOCS: Minor rewording / clarification of host name protocol detection -- Small NetWare makefile tweak. +- RELEASE-NOTES: synced with a8c92cb60890 -- Changed MinGW makefiles to use WINSSL now. +- DOCS: Added reference to IETF draft for SMTP URL Interface + + ...when mentioning login options. Additional minor clarification of + "Windows builds" to be "Windows builds with SSPI"as a way of enabling + NTLM as Windows builds may be built with OpenSSL to enable NTLM or + without NTLM support altogether. -Daniel Stenberg (10 Jul 2012) -- test231: fix wrong -C use! +Linus Nielsen Feltzing (23 Apr 2013) +- HISTORY: Fix spelling error. -- cmdline: parse numerical options stricter - - 1 - str2offset() no longer accepts negative numbers since offsets are by - nature positive. +Steve Holme (23 Apr 2013) +- DOCS: Reworked the scheme calculation explanation under CURLOPT_URL + +- url: Added smtp and pop3 hostnames to the protocol detection list + +Daniel Stenberg (23 Apr 2013) +- HISTORY: correct some years/dates - 2 - introduced str2unum() for the command line parser that accepts - numericals which are not supposed to be negative, so that it will - properly complain on apparent bad uses and mistakes. + Thanks to archive.org's wayback machine I updated this document with + some facts from the early httpget/urlget web page: - Bug: http://curl.haxx.se/mail/archive-2012-07/0013.html + http://web.archive.org/web/19980216125115/http://www.inf.ufrgs.br/~sagula/urlget.html -- docs: switch to proper UTF-8 for text file encoding +- [Alessandro Ghedini brought this change] -Yang Tse (9 Jul 2012) -- Make Curl_schannel_version() return "WinSSL" - - Modification based on voting result: + tests: add test1511 to check timecond clean-up - http://curl.haxx.se/mail/lib-2012-07/0104.html + Verifies the timecond fix in commit c49ed0b6c0f + +- [Alessandro Ghedini brought this change] -Daniel Stenberg (9 Jul 2012) -- test 46: use different path lengths to get reliable sort order + getinfo.c: reset timecond when clearing session-info variables - Since the order of the cookies is sorted by the length of the paths, - having them on the same path length will make the test depend on what - order the qsort() implementation will put them. As seen in the - windows/msys output posted by Guenter in this posting: - http://curl.haxx.se/mail/lib-2012-07/0105.html + Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705783 + Reported-by: Ludovico Cavedon <cavedon@debian.org> -- cookie: fixed typo in comment +Steve Holme (22 Apr 2013) +- DOCS: Added information about login options to CURLOPT_USERPWD -- [Christian Hägele brought this change] +- DOCS: Added information about login options in the URL - https_getsock: provided for schannel backend as well +- url: Fixed missing length check in parse_proxy() - The function https_getsock was only implemented properly when USE_SSLEAY - or USE_GNUTLS is defined, but it is also necessary for USE_SCHANNEL. + Commit 11332577b3cb removed the length check that was performed by the + old scanf() code. + +- url: Fixed crash when no username or password supplied for proxy - The problem occurs when Curl_read_plain or Curl_write_plain returns - CURLE_AGAIN. In that case CURL_OK is returned to the multi-interface an - the used socket is set to state CURL_POLL_REMOVE and the easy-state is - set to CURLM_STATE_PROTOCONNECT. This is fine, because later the socket - should be set to CURL_POLL_IN or CURL_POLL_OUT via multi_getsock. That's - where https_getsock is called and doesn't return any sockets. + Fixed an issue in parse_proxy(), introduced in commit 11332577b3cb, + where an empty username or password (For example: http://:@example.com) + would cause a crash. -- RELEASE-NOTES: added a URL reference to cookie docs +- url: Removed unused text length constants -Guenter Knauf (8 Jul 2012) -- Removed obsolete include path to project root. +- url: Updated proxy URL parsing to use parse_login_details() -Daniel Stenberg (8 Jul 2012) -- TODO-RELEASE: issue 316 NTLM over proxy is fixed +- url: Tidy up of setstropt_userpwd() parameters + + Updated the naming convention of the login parameters to match those of + other functions. -- [Nick Zitzmann brought this change] +- url: Tidy up of code and comments following recent changes + + Tidy up of variable names and comments in setstropt_userpwd() and + parse_login_details(). - darwinssl: don't use arc4random_buf +- url: Simplified setstropt_userpwd() following recent changes - Re-wrote Curl_darwinssl_random() to not use arc4random_buf() because the - function is not available prior to iOS 4.3 and OS X 10.7. + There is no need to perform separate clearing of data if a NULL option + pointer is passed in. Instead this operation can be performed by simply + not calling parse_login_details() and letting the rest of the code do + the work. -- KNOWN_BUGS: #80 Curl doesn't recognize certs in DER format +- url: Correction to scope of if statements when setting data -- KNOWN_BUGS: #79 - any RCPT TO failure makes and error +- url: Fixed memory leak in setstropt_userpwd() + + setstropt_userpwd() was calling setstropt() in commit fddb7b44a79d to + set each of the login details which would duplicate the strings and + subsequently cause a memory leak. -Marc Hoersken (8 Jul 2012) -- winbuild: Aligned BUILD.WINDOWS.txt and Makefile.vc usage help +- RELEASE-NOTES: synced with d535c4a2e1f7 -- winbuild: Make USE_WINSSL depend on USE_SSPI +- url: Added overriding of URL login options from CURLOPT_USERPWD + +- tool_paramhlp: Fixed options being included in username - Since WinSSL cannot be build without SSPI being enabled, - USE_WINSSL now defaults to the value of USE_SSPI. + Fix to prevent the options from being displayed when curl requests the + user's password if the following command line is specified: - The makefile does now raise an error if WinSSL is enabled - while SSPI is disabled. + --user username;options -- winbuild: Aligned USE_SSPI with other USE_x defines +- url: Added support for parsing login options from the CURLOPT_USERPWD - Renamed external parameter USE_SSPI = yes/no to ENABLE_SSPI = yes/no. - Backwards compatible change: USE_SSPI can still be passed as external - parameter with yes/no value as long as ENABLE_SSPI is not given. + In addition to parsing the optional login options from the URL, added + support for parsing them from CURLOPT_USERPWD, to allow the following + supported command line: - USE_x defines are passed around with true/false values internally, - USE_SSPI is now aligned to this approach, but still accepts external - values yes/no being passed, just like the other defines. + --user username:password;options -- winbuild: Clean up formatting and variable naming +- url: Added bounds checking to parse_login_details() - - Changed space usage to line up with the whole file - - Renamed CFLAGS_SSPI/IPV6 to SSPI/IPV6_CFLAGS to be - consistent with the other CFLAGS_x variables - - Make use of existing CFLAGS_IPV6 (previously IPV6_CFLAGS) - instead of appending directly to CFLAGS + Added bounds checking when searching for the separator characters within + the login string as this string may not be NULL terminated (For example + it is the login part of a URL). We do this in preference to allocating a + new string to copy the login details into which could then be passed to + parse_login_details() for performance reasons. + +- url: Added size_t cast to pointer based length calculations -Daniel Stenberg (7 Jul 2012) -- [Nick Zitzmann brought this change] +- url: Corrected minor typo in comment - darwinssl: output cipher with text, remove SNI warning +Daniel Stenberg (18 Apr 2013) +- CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling - The code was printing a warning when SNI was set up successfully. Oops. + When cross-compiling we can't scan and detect existing files or paths. - Printing the cipher number in verbose mode was something only TLS/SSL - programmers might understand, so I had it print the name of the cipher, - just like in the OpenSSL code. That'll be at least a little bit easier - to understand. The SecureTransport API doesn't have a method of getting - a string from a cipher like OpenSSL does, so I had to generate the - strings manually. + Bug: http://curl.haxx.se/mail/lib-2013-04/0294.html -- RELEASE-NOTES: synced with 5a99bce07d +- [Ishan SinghLevett brought this change] -- KNOWN_BUGS: NTLM with unicode works with schannel/winssl! + usercertinmem.c: add example showing user cert in memory - Bug #75 updated with additional info, still remains for builds with - other backends. + Relies on CURLOPT_SSL_CTX_FUNCTION, which is OpenSSL specific -- code police: narrow source to < 80 columns +Steve Holme (18 Apr 2013) +- url: Fix chksrc longer than 79 columns warning -Yang Tse (5 Jul 2012) -- unicode NTLM SSPI: cleanup follow-up +- url: Fix incorrect variable type for result code -- unicode NTLM SSPI: cleanup +- url: Fix compiler warning - Reduce the number of #ifdef UNICODE directives used in source files. + signed and unsigned type in conditional expression -Daniel Stenberg (5 Jul 2012) -- tests: use connection-monitor and verify results +- url: Moved parsing of login details out of parse_url_login() - Test 1008 and 206 don't show the disconnect since it happens when SWS - awaits a new request, but 503 does and so the verify section needs that - string added. + Separated the parsing of login details from the processing of them in + parse_url_login() ready for use by setstropt_userpwd(). -- http-proxy: keep CONNECT connections alive (for NTLM) - - When doing CONNECT requests, libcurl must make sure the connection is - alive as much as possible. NTLM requires it and it is generally good for - other cases as well. - - NTLM over CONNECT requests has been broken since this regression I - introduced in my CONNECT cleanup commits that started with 41b02378342, - included since 7.25.0. +- url: Re-factored set_userpass() and parse_url_userpass() - Bug: http://curl.haxx.se/bug/view.cgi?id=3538625 - Reported by: Marcel Raad + Re-factored these functions to reflect their new behaviour following the + addition of login options. -- sws: support <servercmd> for CONNECT requests - - I moved out the servercmd parsing into a its own function called - parse_servercmd() and made sure it gets used also when the test number - is extracted from CONNECT requests. It turned out sws didn't do that - previously! +- url: Reworked URL parsing to allow overriding by CURLOPT_USERPWD -- FILEFORMAT: provided a full description of connection-monitor +Daniel Stenberg (18 Apr 2013) +- maketgz: make bzip2 creation work with Parallel BZIP2 too + + Apparently the previous usage didn't work with that implementation, + while this updated version works with at least both Parallel BZIP2 + v1.1.8 and regular bzip "Version 1.0.6, 6-Sept-2010". -- lib503: enable verbose to ease debugging this +Linus Nielsen Feltzing (18 Apr 2013) +- Add tests/http_pipe.py to the tarball build -- sws: add 'connection-monitor' command support - - Using this, the server will output in the protocol log when the - connection gets disconnected and thus we will verify correctly in the - test cases that the connection doesn't get closed prematurely. This is - important for example NTLM to work. +Steve Holme (16 Apr 2013) +- smtp: Re-factored all perform based functions - Documentation added to FILEFORMAT, test 503 updated to use this. + Standardised the naming of all perform based functions to be in the form + smtp_perform_something(). -Guenter Knauf (4 Jul 2012) -- Removed non-used variable. +- smtp: Added description comments to all perform based functions -- Added error checking for samples. +- smtp: Moved smtp_quit() to be with the other perform functions -- Renamed vars to avoid shadow global declaration. +- smtp: Moved smtp_rcpt_to() to be with the other perform functions -Daniel Stenberg (3 Jul 2012) -- docs: clarify how to start with curl_multi_socket_action - - Mention the CURL_SOCKET_TIMEOUT argument in step 6 of the typical - application. +- smtp: Moved smtp_mail() to be with the other perform functions -Guenter Knauf (3 Jul 2012) -- Moved some patterns to subfolder's .gitignore. +Daniel Stenberg (16 Apr 2013) +- [Wouter Van Rooy brought this change] -- Merge branch 'master' of ssh://github.com/bagder/curl + curl-config: don't output static libs when they are disabled + + Curl-config outputs static libraries even when they are disabled in + configure. + + This causes problems with the build of pycurl. -- MinGW makefile tweaks for running from sh. +- [Dave Reisner brought this change] + + docs/libcurl: fix formatting in manpage - Added function macros to make path converting easier. - Added CROSSPREFIX to all compile tools. + Commit c3ea3eb6 introduced some minor cosmetic errors in + curl_mutli_socket_action(3). -Yang Tse (3 Jul 2012) -- [Marc Hoersken brought this change] +- [Paul Howarth brought this change] - curl_ntlm_msgs.c: Removed unused variable passwd + Add extra libs for lib1900 and lib2033 test programs + + These are needed in cases where clock_gettime is used, from librt. -Guenter Knauf (3 Jul 2012) -- Added files generated by mingw32, eclipse and VC. +Dan Fandrich (15 Apr 2013) +- FAQ: mention that the network connection can be monitored - Posted by Marc Hoersken. + Also note the prohibition on sharing handles across threads. -Daniel Stenberg (3 Jul 2012) -- cookies: change the URL in the cookie jar file header +Steve Holme (15 Apr 2013) +- pop3: Added missing comment for pop3_state_apop_resp() -- HTTP-COOKIES: clarified and modified layout +- smtp: Updated the coding style of smtp_state_servergreet_resp() + + Updated the coding style, in this function, to be consistant with other + response functions rather then performing a hard return on failure. -- HTTP-COOKIES: use the FAQ document layout +- pop3: Updated the coding style of pop3_state_servergreet_resp() + + Updated the coding style, in this function, to be consistent with other + response functions rather then performing a hard return on failure. -- HTTP-COOKIES: added cookie documentation +- pop3: Re-factored all perform based functions + + Standardised the naming of all perform based functions to be in the form + pop3_perform_something() following the changes made to IMAP. -Yang Tse (3 Jul 2012) -- curl_ntlm_msgs.c: include <tchar.h> for prototypes +- pop3: Added description comments to all perform based functions -- [Neil Bowers brought this change] +- pop3: Moved pop3_quit() to be with the other perform functions - testcurl.pl: fix missing semicolon +- pop3: Moved pop3_command() to be with the other perform functions + + Started to apply the same tidy up to the POP3 code as applied to the + IMAP code in the 7.30.0 release. -Daniel Stenberg (2 Jul 2012) -- [Christian Hägele brought this change] +- RELEASE-NOTES: Removed erroneous spaces - unicode NTLM SSPI: heap corruption fixed - - When compiling libcurl with UNICODE defined and using unicode characters - in username. +- RELEASE-NOTES: synced with 8723cade21fb -Yang Tse (2 Jul 2012) -- testcurl.pl: allow non in-tree c-ares enabled autobuild +- smtp: Added support for ;auth=<mech> in the URL + + Added support for specifying the preferred authentication mechanism in + the URL as per Internet-Draft 'draft-earhart-url-smtp-00'. -- configure.ac: verify that libmetalink is new enough +- pop3: Reworked authentication type constants - Enabling test2017 to test2022. + ... to use left-shifted values, like those defined in curl.h, rather + than 16-bit hexadecimal values. -- [Tatsuhiro Tsujikawa brought this change] +- pop3: Small consistency tidy up - curl: Added runtime version check for libmetalink +- pop3: Added support for ;auth=<mech> in the URL + + Added support for specifying the preferred authentication type and SASL + mechanism in the URL as per RFC-2384. -- [Tatsuhiro Tsujikawa brought this change] +- imap: Added support for ;auth=<mech> in the URL + + Added support for specifying the preferred authentication mechanism in + the URL as per RFC-5092. - Include metalink/metalink.h for libmetalink functions +- sasl: Reworked SASL mechanism constants + + ... to use left-shifted values, like those defined in curl.h, rather + than 16-bit hexadecimal values. -Daniel Stenberg (2 Jul 2012) -- errors: CURLM_CALL_MULTI_PERFORM is not returned anymore +- sasl: Added predefined preferred mechanism values + + In preparation for the upcoming changes to IMAP, POP3 and SMTP added + preferred mechanism values. -- release: cleaned up plans for this and coming release +- url: Added support for parsing login options from the URL + + As well as parsing the username and password from the URL, added support + for parsing the optional options part from the login details, to allow + the following supported URL format: + + schema://username:password;options@example.com/path?q=foobar + + This will only be used by IMAP, POP3 and SMTP at present but any + protocol that may be given login options in the URL will be able to + add support for them. -Yang Tse (29 Jun 2012) -- curl-compilers.m4: remove -Wstrict-aliasing=3 from clang +- smtp: Fix compiler warning - Currently it is unknown if there is any version of clang that - actually supports -Wstrict-aliasing. What is known is that there - are several that don't support it. + warning: unused variable 'smtp' introduced in commit 73cbd21b5ee6. + +- smtp: Moved parsing of url path into separate function -- test2017 to test2022: more metalink tests +Daniel Stenberg (12 Apr 2013) +- FTP: handle a 230 welcome response - With this commit, checks done in previous test2017 are now done in test2018. + ...instead of the 220 we otherwise expect. - Whole range test2017 to test2022 DISABLED until configure is capable of - requiring a new-enough metalink library. + Made the ftpserver.pl support sending a custom "welcome" and then + created test 1219 to verify this fix with such a 230 welcome. - Don't try these without mentioned check in place! + Bug: http://curl.haxx.se/mail/lib-2013-02/0102.html + Reported by: Anders Havn -- test2005 to test2016: improve failure detection - -- lib582.c: fix conversion warning +- configure: try pthread_create without -lpthread + + For libc variants without a spearate pthread lib (like bionic), try + using pthreads without the pthreads lib first and only if that fails try + the -lpthread linker flag. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1216 + Reported by: Duncan -- nss.c: #include warnless.h for curlx_uztosi and curlx_uztoui prototypes +- FTP: access files in root dir correctly + + Accessing a file with an absolute path in the root dir but with no + directory specified was not handled correctly. This fix comes with four + new test cases that verify it. + + Bug: http://curl.haxx.se/mail/lib-2013-04/0142.html + Reported by: Sam Deane -- [Marc Hoersken brought this change] +Steve Holme (12 Apr 2013) +- pop3: Reworked the function description for Curl_pop3_write() - nss.c: Fixed size_t conversion warnings +- pop3: Added function description to pop3_parse_custom_request() -- sslgen.c: cleanup temporary compile-time SSL-backend check +- pop3: Moved utility functions to end of pop3.c -Daniel Stenberg (28 Jun 2012) -- schannel: provide two additional (dummy) API defines +Nick Zitzmann (12 Apr 2013) +- darwinssl: add TLS session resumption + + This ought to speed up additional TLS handshakes, at least in theory. -Yang Tse (28 Jun 2012) -- [Tatsuhiro Tsujikawa brought this change] +Steve Holme (12 Apr 2013) +- imap: Added function description to imap_parse_custom_request() - Metalink: message updates +- imap: Moved utility functions to end of imap.c (Part 3/3) - Print "parsing (...) OK" only when no warnings are generated. If - no file is found in Metalink, treat it FAILED. + Moved imap_is_bchar() be with the other utility based functions. + +- imap: Moved utility functions to end of imap.c (Part 2/3) - If no digest is provided, print WARNING in parse_metalink(). - Also print validating FAILED after download. + Moved imap_parse_url_path() and imap_parse_custom_request() to the end of the + file allowing all utility functions to be grouped together. + +- imap: Moved utility functions to end of imap.c (Part 1/3) - These changes make tests 2012 to 2016 pass. + Moved imap_atom() and imap_sendf() to the end of the file allowing all + utility functions to be grouped together. -Daniel Stenberg (27 Jun 2012) -- sslgen: avoid compiler error in SSPI builds +- imap: Corrected function description for imap_connect() -Yang Tse (27 Jun 2012) -- ssluse.c: fix compiler warning: conversion to 'int' from 'size_t' +Kamil Dudka (12 Apr 2013) +- tests: prevent test206, test1060, and test1061 from failing - Reported by Tatsuhiro Tsujikawa + ... in case runtests.pl is invoked with non-default -b option - http://curl.haxx.se/mail/lib-2012-06/0371.html + Fixes a regression caused by 1e29d275c643ef6aab7948f0f55a7a9397e56b42. -- sslgen.c: add compile-time check for SSL-backend completeness +Daniel Stenberg (12 Apr 2013) +- [David Strauss brought this change] -- build: add our standard includes to curl_darwinssl.c and curl_multibyte.c - -- build: add curl_schannel and curl_darwinssl files to other build systems + libcurl-share.3: update what it does and does not share. + + Update sharing interface documentation to provide exhaustive list of + what it does and does not share. -- tests: add five more Metalink test cases +- THANKS: remove duplicated names -- tests: update Metalink message format +- bump: start working towards next release -- [Tatsuhiro Tsujikawa brought this change] +- THANKS: added people from the 7.30.0 RELEASE-NOTES - Metalink: updated message format +Version 7.30.0 (12 Apr 2013) -- [Nick Zitzmann brought this change] +Daniel Stenberg (12 Apr 2013) +- RELEASE-NOTES: cleaned up for 7.30 (synced with 5c5e1a1cd20) + + Most notable the security advisory: + http://curl.haxx.se/docs/adv_20130412.html - DarwinSSL: allow using NTLM authentication +- test1218: another cookie tailmatch test - Allow NTLM authentication when building using SecureTransport (Darwin) for SSL. + ... and make 1216 also verify it with a file input - This uses CommonCrypto, a cryptography library that ships with all versions of - iOS and Mac OS X. It's like OpenSSL's libcrypto, except that it's missing a few - less-common cyphers and doesn't have a big number data structure. + These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie + domain tailmatch" vulnerability. See + http://curl.haxx.se/docs/adv_20130412.html -- curl_darwinssl.h: add newline at end of file +- [YAMADA Yasuharu brought this change] -Daniel Stenberg (26 Jun 2012) -- ossl_seed: remove leftover RAND_screen check + cookie: fix tailmatching to prevent cross-domain leakage - Before commit 2dded8fedba (dec 2010) there was logic that used - RAND_screen() at times and now I remove the leftover #ifdef check for - it. + Cookies set for 'example.com' could accidentaly also be sent by libcurl + to the 'bexample.com' (ie with a prefix to the first domain name). - The seeding code that uses Curl_FormBoundary() in ossl_seed() is dubious - to keep since it hardly increases randomness but I fear I'll break - something if I remove it now... - -Yang Tse (26 Jun 2012) -- [Nick Zitzmann brought this change] - - DarwinSSL: several adjustments + This is a security vulnerabilty, CVE-2013-1944. - - Renamed st_ function prefix to darwinssl_ - - Renamed Curl_st_ function prefix to Curl_darwinssl_ - - Moved the duplicated ssl_connect_done out of the #ifdef in lib/urldata.h - - Fixed a teensy little bug that made non-blocking connection attempts block - - Made it so that it builds cleanly against the iOS 5.1 SDK + Bug: http://curl.haxx.se/docs/adv_20130412.html -- curl-compilers.m4: -Wstrict-aliasing=3 for warning enabled gcc and clang builds +Guenter Knauf (11 Apr 2013) +- Enabled MinGW sync resolver builds. -- [Marc Hoersken brought this change] +Yang Tse (10 Apr 2013) +- if2ip.c: fix compiler warning - sockaddr.h: Fixed dereferencing pointer breakin strict-aliasing +Guenter Knauf (10 Apr 2013) +- Fixed lost OpenSSL output with "-t" - followup. - Fixed warning: dereferencing pointer does break strict-aliasing rules - by using a union inside the struct Curl_sockaddr_storage declaration. + The previously applied patch didnt work on Windows; we cant rely + on shell commands like 'echo' since they act diffently on each + platform and each shell. + In order to keep this script platform-independent the code must + only use pure Perl. -Daniel Stenberg (26 Jun 2012) -- SSL cleanup: use crypto functions through the sslgen layer +Daniel Stenberg (9 Apr 2013) +- test1217: verify parsing 257 responses with "rubbish" before path - curl_ntlm_msgs.c would previously use an #ifdef maze and direct - SSL-library calls instead of using the SSL layer we have for this - purpose. + Test 1217 verifies commit e0fb2d86c9f78, and without that change this + test fails. -- [Nick Zitzmann brought this change] +- [Bill Middlecamp brought this change] - darwinssl: add support for native Mac OS X/iOS SSL + FTP: handle "rubbish" in front of directory name in 257 responses + + When doing PWD, there's a 257 response which apparently some servers + prefix with a comment before the path instead of after it as is + otherwise the norm. + + Failing to parse this, several otherwise legitimate use cases break. + + Bug: http://curl.haxx.se/mail/lib-2013-04/0113.html -- RELEASE-NOTES: link to more metalink info +Guenter Knauf (9 Apr 2013) +- Fixed ares-enabled builds with static makefiles. -- RELEASE-NOTES: synced with d025af9bb576 +- Fixed lost OpenSSL output with "-t". + + The OpenSSL pipe wrote to the final CA bundle file, but the encoded PEM + output wrote to a temporary file. Consequently, the OpenSSL output was + lost when the temp file was renamed to the final file at script finish + (overwriting the final file written earlier by openssl). + Patch posted to the list by Richard Michael (rmichael edgeofthenet org). -Yang Tse (25 Jun 2012) -- curl_schannel.c: Remove redundant NULL assignments following Curl_safefree() +Daniel Stenberg (9 Apr 2013) +- test1216: test tailmatching cookie domains + + This test is an attempt to repeat the problem YAMADA Yasuharu reported + at http://curl.haxx.se/mail/lib-2013-04/0108.html -- [Marc Hoersken brought this change] +- RELEASe-NOTES: synced with 29fdb2700f797 + + added "tcpkeepalive on Mac OS X" - curl_schannel.c: Replace free() with Curl_safefree() +Nick Zitzmann (8 Apr 2013) +- darwinssl: disable insecure ciphers by default + + I noticed that aria2's SecureTransport code disables insecure ciphers such + as NULL, anonymous, IDEA, and weak-key ciphers used by SSLv3 and later. + That's a good idea, and now we do the same thing in order to prevent curl + from accessing a "secure" site that only negotiates insecure ciphersuites. -- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (8 Apr 2013) +- [Robert Wruck brought this change] - curl.1: Updated Metalink description in man page + tcpkeepalive: Support CURLOPT_TCP_KEEPIDLE on OSX - Documented that --include will be ignored if both --metalink - and --include are specified. - Also documented that a Metalink file in the local file system - cannot be used if FILE protocol is disabled. + MacOS X doesn't have TCP_KEEPIDLE/TCP_KEEPINTVL but only a single + TCP_KEEPALIVE (see + http://developer.apple.com/library/mac/#DOCUMENTATION/Darwin/Reference/ManPages/man4/tcp.4.html). + Here is a patch for CURLOPT_TCP_KEEPIDLE on OSX platforms. -Steve Holme (24 Jun 2012) -- DOCS: Added clarification to CURLOPT_CUSTOMREQUEST for the POP3 protocol +- configure: remove CURL_CHECK_FUNC_RECVFROM - Bug: http://curl.haxx.se/mail/lib-2012-06/0302.html - Reported by: Nagai H - -- smtp: Corrected result code for MAIL, RCPT and DATA commands + 1 - We don't use the results from the test and we never did. recvfrom() + is only used by the TFTP code and it has not caused any problems. - Bug: http://curl.haxx.se/mail/lib-2012-06/0094.html - Reported by: Dan + 2 - the CURL_CHECK_FUNC_RECVFROM function is extremely slow + +Steve Holme (8 Apr 2013) +- RELEASE-NOTES: Corrected duplicate NTLM memory leaks -Daniel Stenberg (24 Jun 2012) -- [Ghennadi Procopciuc brought this change] +- RELEASE-NOTES: Removed trailing full stop - test: Added test HTTP receive cookies over IPv6 +Daniel Stenberg (8 Apr 2013) +- [Fabian Keil brought this change] -Yang Tse (22 Jun 2012) -- tests: add another Metalink test case + proxy: make ConnectionExists() check credential of proxyconnections too + + Previously it only compared credentials if the requested needle + connection wasn't using a proxy. This caused NTLM authentication + failures when using proxies as the authentication code wasn't send on + the connection where the challenge arrived. + + Added test 1215 to verify: NTLM server authentication through a proxy + (This is a modified copy of test 67) -- [Tatsuhiro Tsujikawa brought this change] +- RELEASE-NOTES: sync with 704a5dfca9 - tests: Enable test2010 and fixed hash value +- TODO-RELEASE: cleaned up, not really maintained lately -- [Tatsuhiro Tsujikawa brought this change] +Marc Hoersken (7 Apr 2013) +- if2ip.c: Fixed another warning: unused parameter 'remote_scope' - Metalink: ignore --include if --metalink is used. +Daniel Stenberg (7 Apr 2013) +- [Marc Hoersken brought this change] + + cookie.c: Made cookie sort function more deterministic - Including headers in response body will break Metalink XML parser. - If it is included in the file described in Metalink XML, hash check - will fail. Therefore, --include should be ignored if --metalink is - used. + Since qsort implementations vary with regards to handling the order + of similiar elements, this change makes the internal sort function + more deterministic by comparing path length first, then domain length + and finally the cookie name. Spotted with testcase 62 on Windows. -- tests: add six Metalink test cases +Marc Hoersken (7 Apr 2013) +- curl_schannel.c: Follow up on memory leak fix ae4558d -- test 2005: add verification of hash checking outcome +- Revert "getpart.pm: Strip carriage returns to fix Windows support" + + This reverts commit e51b23c925a2721cf7c29b2b376d3d8903cfb067. + As discussed on the mailinglist, this was not the correct approach. -- getpart.pm: remove misleading comment +- http_negotiate.c: Fixed passing argument from incompatible pointer type -- [Tatsuhiro Tsujikawa brought this change] +- ftp.c: Added missing brackets around ABOR command logic - curl: Prefixed all Metalink related messages with "Metalink: " +- sockfilt.c: Fixed detection of client-side connection close + + WINSOCK only: + Since FD_CLOSE is only signaled once, it may trigger at the same + time as FD_READ. Data actually being available makes it impossible + to detect that the connection was closed by checking that recv returns + zero. Another recv attempt could block the connection if it was + not closed. This workaround abuses exceptfds in conjunction with + readfds to signal that the connection has actually closed. -- [Tatsuhiro Tsujikawa brought this change] +- curl_schannel.c: Fixed memory leak if connection was not successful - tests: Added Metalink test case # 2005 +- if2ip.c: Fixed warning: unused parameter 'remote_scope' -- [Tatsuhiro Tsujikawa brought this change] +- runtests.pl: Fixed --verbose parameter passed to http_pipe.py - curl: Restore noprogress and isatty config values. - - The noprogress and isatty in Configurable are global, in a sense - that they persist in one curl invocation. Currently once one - download writes its response data to tty, they are set to FALSE - and they are not restored on successive downloads. This change - first backups the current noprogress and isatty, and restores - them when download does not write its data to tty. +- sockfilt.c: Reduce CPU load while running under a Windows PIPE -- [Tatsuhiro Tsujikawa brought this change] +- tftpd.c: Apply sread timeout to the whole data transfer session - curl: Made --metalink option toggle Metalink functionality - - In this change, --metalink option no longer takes argument. If - it is specified, given URIs are processed as Metalink XML file. - If given URIs are remote (e.g., http URI), curl downloads it - first. Regardless URI is local file (e.g., file URI scheme) or - remote, Metalink XML file is not written to local file system and - the received data is fed into Metalink XML parser directly. This - means with --metalink option, filename related options like -O - and -o are ignored. +- getpart.pm: Strip carriage returns to fix Windows support + +Daniel Stenberg (6 Apr 2013) +- ftp tests: libcurl returns CURLE_FTP_ACCEPT_FAILED better now - Usage examples: + Since commit 57aeabcc1a20f, it handles errors on the control connection + while waiting for the data connection better. - $ curl --metalink http://example.org/foo.metalink + Test 591 and 592 are updated accordingly. + +- FTP: wait on both connections during active STOR state - This will download foo.metalink and parse it and then download - the URI described there. + When doing PORT and upload (STOR), this function needs to extract the + file descriptor for both connections so that it will respond immediately + when the server eventually connects back. - $ curl --metalink file://foo.metalink + This flaw caused active connections to become unnecessary slow but they + would still often work due to the normal polling on a timeout. The bug + also would not occur if the server connected back very fast, like when + testing on local networks. - This will parse local file foo.metalink and then download the URI - described there. - -- [Tatsuhiro Tsujikawa brought this change] + Bug: http://curl.haxx.se/bug/view.cgi?id=1183 + Reported by: Daniel Theron - curl: Refactored metalink_checksum - - When creating metalink_checksum from metalink_checksum_t, first - check hex digest is valid for the given hash function. We do - this check in the order of digest_aliases so that first good - match will be chosen (strongest hash function available). As a - result, the metalinkfile now only contains at most one - metalink_checksum because other entries are just redundant. +Marc Hoersken (6 Apr 2013) +- tftpd.c: Follow up cleanup and restore of previous sockopt -- [Gisle Vanem brought this change] +Daniel Stenberg (6 Apr 2013) +- [Kim Vandry brought this change] - tool_doswin.c: fix djgpp function _use_lfn() used without a prototype + connect: treat an interface bindlocal() problem as a non-fatal error - http://curl.haxx.se/mail/archive-2012-06/0028.html - -- build: fix RESOURCE bug in lib/Makefile.vc* + I am using curl_easy_setopt(CURLOPT_INTERFACE, "if!something") to force + transfers to use a particular interface but the transfer fails with + CURLE_INTERFACE_FAILED, "Failed binding local connection end" if the + interface I specify has no IPv6 address. The cause is as follows: - Removed two, not intended to exist, RESOURCE declarations. + The remote hostname resolves successfully and has an IPv6 address and an + IPv4 address. - Bug: http://curl.haxx.se/bug/view.cgi?id=3535977 + cURL attempts to connect to the IPv6 address first. - And sorted configuration hunks to reflect same internal order - as the one shown in the usage message. - -Daniel Stenberg (20 Jun 2012) -- [Marc Hoersken brought this change] - - schannel: Implement new buffer size strategy + bindlocal (in lib/connect.c) fails because Curl_if2ip cannot find an + IPv6 address on the interface. - Increase decrypted and encrypted cache buffers using limitted - doubling strategy. More information on the mailinglist: - http://curl.haxx.se/mail/lib-2012-06/0255.html + This is a fatal error in singleipconnect() - It updates the two remaining reallocations that have already been there - and fixes the other one to use the same "do we need to increase the - buffer"-condition as the other two. CURL_SCHANNEL_BUFFER_STEP_SIZE was - renamed to CURL_SCHANNEL_BUFFER_FREE_SIZE since that is actually what it - is now. Since we don't know how much more data we are going to read - during the handshake, CURL_SCHANNEL_BUFFER_FREE_SIZE is used as the - minimum free space required in the buffer for the next operation. - CURL_SCHANNEL_BUFFER_STEP_SIZE was used for that before, too, but since - we don't have a step size now, the define was renamed. - -Yang Tse (20 Jun 2012) -- schannel SSL: fix compiler warning - -- [Mark Salisbury brought this change] - - schannel SSL: fix for renegotiate problem + This change will make cURL try the next IP address in the list. - In schannel_connect_step2() doread should be initialized based - on connssl->connecting_state. - -- [Tatsuhiro Tsujikawa brought this change] - - runtests.pl: make it support metalink feature - -- getpart.pm: make test definition section/part parser more robust + Also included are two changes related to IPv6 address scope: - Test definition section parts which needed to include xml-lingo as contents - of that part required that the xml-blurb was written as a single line. Now the - xml-data inside the part can be written multiline making it more readable. + - Filter the choice of address in Curl_if2ip to only consider addresses + with the same scope ID as the connection address (mismatched scope for + local and remote address does not result in a working connection). - Tested with <client><file> part which is written to disk before <command> runs. + - bindlocal was ignoring the scope ID of addresses returned by + Curl_if2ip . Now it uses them. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1189 -Daniel Stenberg (20 Jun 2012) -- schannel_connect_step2: checksrc whitespace fix +Marc Hoersken (6 Apr 2013) +- tftpd.c: Fixed sread timeout on Windows by setting it manually -Yang Tse (20 Jun 2012) -- [Mark Salisbury brought this change] +- ftp.pm: Added tskill to support Windows XP Home - schannel SSL: changes in schannel_connect_step2 - - Process extra data buffer before returning from schannel_connect_step2. - Without this change I've seen WinCE hang when schannel_connect_step2 - returns and calls Curl_socket_ready. - - If the encrypted handshake does not fit in the intial buffer (seen with - large certificate chain), increasing the encrypted data buffer is necessary. - - Fixed warning in curl_schannel.c line 1215. +- runtests.pl: Modularization of MinGW/Msys compatibility functions -- [Mark Salisbury brought this change] +- ftp.pm: Made Perl testsuite able to handle Windows processes - config-win32ce.h: WinCE config adjustment - - process.h is not present on WinCE +- util.c: Revert workaround eeefcdf, 6eb56e7 and e3787e8 + +- ftp.pm: Made Perl testsuite able to kill Windows processes -- [Mark Salisbury brought this change] +- util.c: Follow up cleanup on eeefcdf - schannel SSL: Made send method handle unexpected cases better +Daniel Stenberg (6 Apr 2013) +- cpp: use #ifdef __MINGW32__ to avoid compiler complaints - Implemented timeout loop in schannel_send while sending data. This - is as close as I think we can get to write buffering; I put a big - comment in to explain my thinking. + ... instead of just #if + +Marc Hoersken (6 Apr 2013) +- util.c: Made write_pidfile write the correct PID on MinGW/Msys - With some committer adjustments + This workaround fixes an issue on MinGW/Msys regarding the Perl + testsuite scripts not being able to signal or control the server + processes. The MinGW Perl runtime only sees the Msys processes and + their corresponding PIDs, but sockfilt (and other servers) wrote the + Windows PID into their PID-files. Since this PID is useless to the + testsuite, the write_pidfile function was changed to search for the + Msys PID and write that into the PID-file. -Daniel Stenberg (19 Jun 2012) -- [Marc Hoersken brought this change] +Daniel Stenberg (5 Apr 2013) +- RELEASE-NOTES: synced with 5e722b2d09087 + + 3 more bug fixes, 6 more contributors - curl_schannel.c: Avoid unnecessary realloc calls to reduce buffer size +Marc Hoersken (5 Apr 2013) +- sockfilt.c: Fixed handling of multiple fds being signaled -Yang Tse (19 Jun 2012) -- [Mark Salisbury brought this change] +Kamil Dudka (5 Apr 2013) +- curl_global_init.3: improve description of CURL_GLOBAL_ALL + + Reported by: Tomas Mlcoch - schannel SSL: Use standard Curl read/write methods +- examples/multi-single.c: fix the order of destructions - Replaced calls to swrite with Curl_write_plain and calls to sread - with Curl_read_plain. + ... so that it adheres to the API documentation. - With some committer adjustments - -- schannel SSL: make wording of some trace messages better reflect reality + Reported by: Tomas Mlcoch -Daniel Stenberg (19 Jun 2012) -- [Marc Hoersken brought this change] +Daniel Stenberg (5 Apr 2013) +- Curl_open: restore default MAXCONNECTS to 5 + + At some point recently we lost the default value for the easy handle's + connection cache, and this change puts it back to 5 - which is the + former default value and it is documented in the curl_easy_setopt.3 man + page. - curl_schannel.h: Use BUFSIZE as the initial buffer size if available +Marc Hoersken (4 Apr 2013) +- sockfilt.c: Added wrapper functions to fix Windows console issues - Make the Schannel implementation use libcurl's default buffer size - for the initial received encrypted and decrypted data cache buffers. - The implementation still needs to handle more data since more data - might have already been received or decrypted during the handshake - or a read operation which needs to be cached for the next read. + The new read and write wrapper functions support reading from stdin + and writing to stdout/stderr on Windows by using the appropriate + Windows API functions and data types. -Guenter Knauf (19 Jun 2012) -- Fixed NetWare makefile broken from last commit. +Yang Tse (4 Apr 2013) +- lib1509.c: fix compiler warnings -Yang Tse (19 Jun 2012) -- [Mark Salisbury brought this change] +- easy.c: fix compiler warning - schannel SSL: Implemented SSL shutdown +Daniel Stenberg (4 Apr 2013) +- --engine: spellfix the help message - curl_schannel.c - implemented graceful SSL shutdown. If we fail to - shutdown the connection gracefully, I've seen schannel try to use a - session ID for future connects and the server aborts the connection - during the handshake. + Reported by: Fredrik Thulin -- [Mark Salisbury brought this change] +Yang Tse (4 Apr 2013) +- http_negotiate.c: follow-up for commit 3dcc1a9c - schannel SSL: certificate validation on WinCE +Linus Nielsen Feltzing (4 Apr 2013) +- easy: Fix the broken CURLOPT_MAXCONNECTS option + + Copy the CURLOPT_MAXCONNECTS option to CURLMOPT_MAXCONNECTS in + curl_easy_perform(). - curl_schannel.c - auto certificate validation doesn't seem to work - right on CE. I added a method to perform the certificate validation - which uses CertGetCertificateChain and manually handles the result. + Bug: http://curl.haxx.se/bug/view.cgi?id=1212 + Reported-by: Steven Gu -- [Mark Salisbury brought this change] +Guenter Knauf (4 Apr 2013) +- Updated copyright date. - schannel SSL: Added helper methods to simplify code - - Added helper methods InitSecBuffer() and InitSecBufferDesc() to make it - easier to set up SecBuffer & SecBufferDesc structs. +- Another small output fix for --help and --version. -Guenter Knauf (18 Jun 2012) -- Some more NetWare makefile tweaks for metalink. +Yang Tse (4 Apr 2013) +- http_negotiate.c: fix several SPNEGO memory handling issues -Yang Tse (18 Jun 2012) -- tool_cb_see.c: WinCE build adjustment +Guenter Knauf (4 Apr 2013) +- Added a cont to specify base64 line wrap. -- [Mark Salisbury brought this change] +- Fixed version output. - setup.h: WinCE build adjustment +- Added support for --help and --version options. -- [Mark Salisbury brought this change] +- Added option to specify length of base64 output. + + Based on a patch posted to the list by Richard Michael. - ftplistparser.c: do not compile if FTP protocol is not enabled +Daniel Stenberg (3 Apr 2013) +- curl_easy_setopt.3: CURLOPT_HTTPGET disables CURLOPT_UPLOAD -- Win32: downplay MS bazillion type synonyms game +- [Yasuharu Yamada brought this change] + + Curl_cookie_add: only increase numcookies for new cookies - Avoid usage of some MS type synonyms to allow compilation with - compiler headers that don't define these, using simpler synonyms. + Count up numcookies in Curl_cookie_add() only when cookie is new one -Daniel Stenberg (15 Jun 2012) -- Curl_rtsp_parseheader: avoid useless malloc/free +- SO_SNDBUF: don't set SNDBUF for win32 versions vista or later + + The Microsoft knowledge-base article + http://support.microsoft.com/kb/823764 describes how to use SNDBUF to + overcome a performance shortcoming in winsock, but it doesn't apply to + Windows Vista and later versions. If the described SNDBUF magic is + applied when running on those more recent Windows versions, it seems to + instead have the reversed effect in many cases and thus make libcurl + perform less good on those systems. + + This fix thus adds a run-time version-check that does the SNDBUF magic + conditionally depending if it is deemed necessary or not. - Coverity actually pointed out flawed logic in the previous call to - Curl_strntoupper() where the code used sizeof() of a pointer to pass in - a size argument. That code still worked since it only needed to - uppercase 4 letters. Still, the entire malloc/uppercase/free sequence - was pointless since the code has already matched the string once in the - condition that starts the block of code. + Bug: http://curl.haxx.se/bug/view.cgi?id=1188 + Reported by: Andrew Kurushin + Tested by: Christian Hägele -- curl_share_setopt: use va_end() +Nick Zitzmann (1 Apr 2013) +- darwinssl: additional descriptive messages of SSL handshake errors - As spotted by Coverity, va_end() was not used previously. To make it - used I took away a bunch of return statements and made them into - assignments instead. + (This doesn't need to appear in the release notes.) -Yang Tse (15 Jun 2012) -- SSPI related code: Unicode support for WinCE - kill compiler warnings +Guenter Knauf (1 Apr 2013) +- Added dns and connect time to output. -- [Mark Salisbury brought this change] +Daniel Stenberg (1 Apr 2013) +- RELEASE-NOTES: synced with 0614b902136 - SSPI related code: Unicode support for WinCE - commit 46480bb9 follow-up +- code-policed -- build: add curl_multibyte files to build systems +- tcpkeepalive: support TCP_KEEPIDLE/TCP_KEEPINTVL on win32 + + Patch by: Robert Wruck + Bug: http://curl.haxx.se/bug/view.cgi?id=1209 -- [Mark Salisbury brought this change] +- BINDINGS: BBHTTP is a cocoa binding, Julia has a binding - SSPI related code: Unicode support for WinCE - - SSPI related code now compiles with ANSI and WCHAR versions of security - methods (WinCE requires WCHAR versions of methods). - - Pulled UTF8 to WCHAR conversion methods out of idn_win32.c into their own file. - - curl_sasl.c - include curl_memory.h to use correct memory functions. +- ftp_sendquote: use PPSENDF, not FTPSENDF - getenv.c and telnet.c - WinCE compatibility fix + The last remaining code piece that still used FTPSENDF now uses PPSENDF. + In the problematic case, a PREQUOTE series was done on a re-used + connection when Curl_pp_init() hadn't been called so it had messed up + pointers. The init call is done properly from Curl_pp_sendf() so this + change fixes this particular crash. - With some committer adjustments + Bug: http://curl.haxx.se/mail/lib-2013-03/0319.html + Reported by: Sam Deane -Guenter Knauf (15 Jun 2012) -- Fixed typo. +Steve Holme (27 Mar 2013) +- RELEASE-NOTES: Corrected typo -Yang Tse (14 Jun 2012) -- winbuild/MakefileBuild.vc: convert line endings to DOS style - - As per request on mailing list: http://curl.haxx.se/mail/lib-2012-06/0222.html +Daniel Stenberg (27 Mar 2013) +- [Clemens Gruber brought this change] -- [Marc Hoersken brought this change] + multi-uv.c: remove unused variable + +- RELEASE-NOTES: add two references - winbuild: Allow SSPI build with or without Schannel +- test1509: verify proxy header response headers count - The changes introduced in commit 2bfa57bc32 are not enough - to make it actually possible to use the USE_WINSSL option. - Makefile.vc was not updated and the configuration name which is - used in the build path did not match between both build files. + Modified sws to support and use custom CONNECT responses instead of the + previously naive hard-coded version. Made the HTTP test server able to + extract test case number from the host name in a CONNECT request by + finding the number after the last dot. It makes 'machine.moo.123' use + test case 123. - This patch fixes those issues and introduces the following changes: + Adapted a larger amount of tests to the new <connect> style. - - Replaced the -schannel name with -winssl in order to be consistent - with the other options - - Added ENABLE_WINSSL option to winbuild/Makefile.vc (default yes) - - Changed winbuild/MakefileBuild.vc to set USE_WINSSL to true if - USE_SSL is false and USE_WINSSL was not specified as a parameter - - Separated WINSSL handling from SSPI handling to be consistent with - the other options and their corresponding code path + Bug: http://curl.haxx.se/bug/view.cgi?id=1204 + Reported by: Martin Jansen -- curl.1: 7.27.0 seems next release +- [Clemens Gruber brought this change] -- schannel: fix printf-style format strings + Added libuv example multi-uv.c -- Fix bad failf() and info() usage +Yang Tse (25 Mar 2013) +- NTLM: fix several NTLM code paths memory leaks + +- WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage - Calls to failf() are not supposed to provide trailing newline. - Calls to infof() must provide trailing newline. + As of 25-mar-2013 wcsdup() _wcsdup() and _tcsdup() are only used in + WIN32 specific code, so tracking of these has not been extended for + other build targets. Without this fix, memory tracking system on + WIN32 builds, when using these functions, would provide misleading + results. - Fixed 30 or so strings. - -- schannel: fix unused parameter warnings - -- schannel: fix comparisons between signed and unsigned - -- schannel: fix discarding qualifier from pointer type + In order to properly extend this support for all targets curl.h + would have to define curl_wcsdup_callback prototype and consequently + wchar_t should be visible before that in curl.h. IOW curl_wchar_t + defined in curlbuild.h and this pulling whatever system header is + required to get wchar_t definition. + + Additionally a new curl_global_init_mem() function that also receives + user defined wcsdup() callback would be required. -- schannel: fix shadowing of global declarations +- curl_ntlm_msgs.c: revert commit 463082bea4 + + reverts unreleased invalid memory leak fix -- schannel: fix Curl_schannel_init() and Curl_schannel_cleanup() declarations +Daniel Stenberg (23 Mar 2013) +- RELEASE-NOTES: synced with bc6037ed3ec02 + + More changes, bugfixes and contributors! -- [Gisle Vanem brought this change] +- [Martin Jansen brought this change] - urldata.h: fix cyassl/openssl/ssl.h build clash with wincrypt.h + Curl_proxyCONNECT: count received headers - Building with CyaSSL failed compilation. Reason being that OCSP_REQUEST and - OCSP_RESPONSE are enum values in CyaSSL and defines in <wincrypt.h> included - via <winldap.h> in ldap.c. + Proxy servers tend to add their own headers at the beginning of + responses. The size of these headers was not taken into account by + CURLINFO_HEADER_SIZE before this change. - http://curl.haxx.se/mail/lib-2012-06/0196.html + Bug: http://curl.haxx.se/bug/view.cgi?id=1204 -- MakefileBuild.vc: Allow building without SSL +Steve Holme (21 Mar 2013) +- sasl: Corrected a few violations of the curl coding standards - In order to use Windows native SSL support define 'USE_WINSSL' + Corrected some incorrectly positioned pointer variable declarations to + be "char *" rather than "char* ". -- configure: new option --with-winssl - - This option may be used to build curl/libcurl using SSL/TLS support provided - by MS windows system libraries. Option is mutually exclusive with any other - SSL library. Default value is --without-winssl. +- multi.c: Corrected a couple of violations of the curl coding standards - --with-winssl option implies --with-sspi option. - - Option meaningful only for Windows builds. + Corrected some incorrectly positioned pointer variable declarations to + be "type *" rather than "type* ". -Guenter Knauf (13 Jun 2012) -- Changed Schannel string to SSL-Windows-native. +- imap-tests: Added CRLF to reply data to be compliant with RFC-822 - This is more descriptive for the user who might - not even know what schannnel is at all. + Updated the reply data in tests: 800, 801, 802, 804 and 1321 to possess + the CRLF as per RFC-822. -Yang Tse (13 Jun 2012) -- schannel: remove version number and identify its use with 'schannel' literal - - Version number is removed in order to make this info consistent with - how we do it with other MS and Linux system libraries for which we don't - provide this info. +- multi.c: Fix compilation warning - Identifier changed from 'WinSSPI' to 'schannel' given that this is the - actual provider of the SSL/TLS support. libcurl can still be built with - SSPI and without SCHANNEL support. + warning: an enumerated type is mixed with another type -Daniel Stenberg (12 Jun 2012) -- singlesocket: remove dead code +- multi.c: fix compilation error - No need to check if 'entry' is non-NULL in a spot where it is already checked - and guaranteed to be non-NULL. + warning: conversion from enumeration type to different enumeration type + +- lib1900.c: fix compilation warning - (Spotted by a Coverity scan) + warning: declaration of 'time' shadows a global declaration + +Yang Tse (20 Mar 2013) +- [John E. Malmberg brought this change] -- netrc: remove dead code + build_vms.com: use existing curlbuild.h and parsing fix - Remove two states from the enum and the corresponding code for them as - these states were never reached or used. + This patch removes building curlbuild.h from the build_vms.com procedure + and uses the one in the daily or release tarball instead. - (Spotted by a Coverity scan) - -Yang Tse (12 Jun 2012) -- Revert "connect.c/ftp.c: Fixed dereferencing pointer breakin strict-aliasing" + packages/vms/build_curlbuild_h.com is obsolete with this change. - This reverts commit 9c94236e6cc078a0dc5a78b6e2fefc1403e5375e. + Accessing the library module name "tool_main" needs different handling + when the optional extended parsing is enabled. - It didn't server its purpose, so lets go back to long-time working code. - -- socks_sspi.c: further cleanup - -- [Marc Hoersken brought this change] + Tested on IA64/VMS 8.4 and VAX/VMS 7.3 - socks_sspi.c: Clean up and removal of obsolete minor status +Nick Zitzmann (19 Mar 2013) +- darwinssl: disable ECC ciphers under Mountain Lion by default - Removed obsolete minor status variable and parameter of status function - which was never used or set at all. Also Curl_sspi_strerror does support - only one status and there is no need for a second sub status. - -Guenter Knauf (12 Jun 2012) -- Removed trailing whitespaces. - -Yang Tse (12 Jun 2012) -- strerror.c: make Curl_sspi_strerror() always return code for errors - -- curl_sspi.h: provide sspi status definitions missing in old headers + I found out that ECC doesn't work as of OS X 10.8.3, so those ciphers are + turned off until the next point release of OS X. -- sspi: make Curl_sspi_strerror() libcurl's sspi status code string function +Steve Holme (18 Mar 2013) +- FEATURES: Small tidy up for constancy and grammar -- sspi: make Curl_sspi_strerror() libcurl's sspi status code string function +Daniel Stenberg (18 Mar 2013) +- [Oliver Schindler brought this change] -Daniel Stenberg (11 Jun 2012) -- Revert: 634f7cfee40d4658 partially + Curl_proxyCONNECT: clear 'rewindaftersend' on success - Make sure CURL_VERSION_SSPI is present and works as in previous releases - for ABI and API compatibility reasons. - -- checksrc: shorten a few lines to comply - -- cleanup: remove trailing whitespace - -- [Marc Hoersken brought this change] + After having done a POST over a CONNECT request, the 'rewindaftersend' + boolean could be holding the previous value which could lead to badness. + + This should be tested for in a new test case! + + Bug: https://groups.google.com/d/msg/msysgit/B31LNftR4BI/KhRTz0iuGmUJ - winbuild: Removed WITH_SSL=schannel and tie schannel to SSPI +Steve Holme (18 Mar 2013) +- TODO: Reordered the protocol and security sections + + Moved SMTP, POP3, IMAP and New Protocol sections to be listed after the + other protocols (FTP, HTTP and TELNET) and SASL to be after SSL and + GnuTLS as these are all security related. - Removed specific WITH_SSL=schannel paramter that did not fit the general - schema and complicated the parameters. For now Schannel will be enabled - if SSPI is enabled and OpenSSL is disabled. + Additionally fixed numbering of the SSL and GnuTLS sections as they + weren't consecutive. -- [Steve Holme brought this change] +Yang Tse (18 Mar 2013) +- tests: specify 'text' mode for some output files in verify section - Makefile.vc6: Added version.lib if built with SSPI +Steve Holme (17 Mar 2013) +- imap: Fixed incorrect initial response generation for SASL AUTHENTICATE + + Fixed incorrect initial response generation for the NTLM and LOGIN SASL + authentication mechanisms when the SASL-IR was detected. + + Introduced in commit: 6da7dc026c14. -- [Marc Hoersken brought this change] +- FEATURES: Expanded the supported enhanced IMAP command list - winbuild: Updated winbuild scripts to add schannel +- TODO: Corrected typo in TOC -- [Marc Hoersken brought this change] +- TODO: Added IMAP section and removed unused Other protocols section - mingw32: Fixed warning of USE_SSL being redefined +- TODO: Added graceful base64 decoding failure to SMTP and POP3 -- [Marc Hoersken brought this change] +- TODO: Corrected typo on section 10.2 heading - sspi: Fixed incompatible parameter pointer type in Curl_sspi_version +Yang Tse (16 Mar 2013) +- tests: 96, 558, 1330: strip build subdirectory dependent leading path -- [Marc Hoersken brought this change] +Steve Holme (15 Mar 2013) +- TODO: Added section 10.2 Initial response to POP3 to do list - sspi: Updated RELEASE-NOTES, FEATURES and THANKS +- imap-tests: Corrected copy/paste error in test808 reply data -- [Marc Hoersken brought this change] +Yang Tse (15 Mar 2013) +- unit1330.c: fix date - setup.h: Automatically define USE_SSL if USE_SCHANNEL is defined +- tests: add #96 #558 and #1330 + + These verfy that the 'memory tracking' subsystem is actually doing its + job when using curl tool (#96), a test in libtest (#558) and also a unit + test (#1330), in order to prevent regressions in this functionallity. -- [Marc Hoersken brought this change] +Steve Holme (15 Mar 2013) +- imap-tests: Added test808 for custom EXAMINE command - version: Replaced SSPI feature information with version string details +Daniel Stenberg (15 Mar 2013) +- HTTP proxy: insert slash in URL if missing - Added Windows SSPI version information to the curl version string when - SCHANNEL SSL is not enabled, as the version of the library should also - be included when SSPI is used to generate security contexts. + curl has been accepting URLs using slightly wrong syntax for a long + time, such as when completely missing as slash "http://example.org" or + missing a slash when a query part is given + "http://example.org?q=foobar". - Removed SSPI from the feature list as the features are GSS-Negotiate, - NTLM and SSL depending on the usage of the SSPI library. - -- [Steve Holme brought this change] - - sspi.c: Post Curl_sspi_version() rework code tidy up + curl would translate these into a legitimate HTTP request to servers, + although as was shown in bug #1206 it was not adjusted properly in the + cases where a HTTP proxy was used. - Removed duplicate blank lines. - Removed spaces between the not and test in various if statements. - Removed explicit test of NULL in an if statement. - Placed function returns on same line as function declarations. - Replaced the use of curl_maprintf() with aprintf() as it is the - preprocessor job to do this substitution if ENABLE_CURLX_PRINTF - is set. - -- [Steve Holme brought this change] + Test 1213 and 1214 were added to the test suite to verify this fix. + + The test HTTP server was adjusted to allow us to specify test number in + the host name only without using any slashes in a given URL. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1206 + Reported by: ScottJi - sspi: Reworked Curl_sspi_version() to return version components +Steve Holme (14 Mar 2013) +- ftpserver.pl: Added EXAMINE_imap() for IMAP EXAMINE commands - Reworked the version function to return four version components rather - than a string that has to be freed by the caller. + Used hard coded data from RFC-3501 section 6.3.2. -- [Guenter Knauf brought this change] +Yang Tse (14 Mar 2013) +- curl_memory.h: introduce CURLX_NO_MEMORY_CALLBACKS usage possibility + + This commit alone does not fix anything nor modifies existing + interfaces or behaviors, although it is a prerequisite for other + fixes. - configure.ac: Added -lversion if built with SSPI +- Makefile.vc6: add missing files -- [Marc Hoersken brought this change] +Linus Nielsen Feltzing (14 Mar 2013) +- pipelining: Remove dead code. - schannel: Code cleanup and bug fixes +- Multiple pipelines and limiting the number of connections. - curl_sspi.c: Fixed mingw32-gcc compiler warnings - curl_sspi.c: Fixed length of error code hex output + Introducing a number of options to the multi interface that + allows for multiple pipelines to the same host, in order to + optimize the balance between the penalty for opening new + connections and the potential pipelining latency. - The hex value was printed as signed 64-bit value on 64-bit systems: - SEC_E_WRONG_PRINCIPAL (0xFFFFFFFF80090322) + Two new options for limiting the number of connections: - It is now correctly printed as the following: - SEC_E_WRONG_PRINCIPAL (0x80090322) + CURLMOPT_MAX_HOST_CONNECTIONS - Limits the number of running connections + to the same host. When adding a handle that exceeds this limit, + that handle will be put in a pending state until another handle is + finished, so we can reuse the connection. - curl_sspi.c: Fallback to security function table version number - Instead of reporting an unknown version, the interface version is used. + CURLMOPT_MAX_TOTAL_CONNECTIONS - Limits the number of connections in total. + When adding a handle that exceeds this limit, + that handle will be put in a pending state until another handle is + finished. The free connection will then be reused, if possible, or + closed if the pending handle can't reuse it. - curl_sspi.c: Removed SSPI/ version prefix from Curl_sspi_version - curl_schannel: Replaced static buffer sizes with defined names - curl_schannel.c: First brace when declaring functions on column 0 - curl_schannel.c: Put the pointer sign directly at variable name - curl_schannel.c: Use structs directly instead of typedef'ed structs - curl_schannel.c: Removed space before opening brace - curl_schannel.c: Fixed lines being longer than 80 chars - -- [Marc Hoersken brought this change] - - curl_sspi: Added Curl_sspi_version function + Several new options for pipelining: - Added new function to get SSPI version as string. - Added required library version.lib to makefiles. - Changed curl_schannel.c to use Curl_sspi_version. - -- [Guenter Knauf brought this change] - - schannel: Updated mingw32 makefiles - -- [Marc Hoersken brought this change] - - schannel: Replace ASCII specific code with general defines - -- [Marc Hoersken brought this change] - - schannel: Added definitions which are missing in mingw32 - -- [Marc Hoersken brought this change] + CURLMOPT_MAX_PIPELINE_LENGTH - Limits the pipeling length. If a + pipeline is "full" when a connection is to be reused, a new connection + will be opened if the CURLMOPT_MAX_xxx_CONNECTIONS limits allow it. + If not, the handle will be put in a pending state until a connection is + ready (either free or a pipe got shorter). + + CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE - A pipelined connection will not + be reused if it is currently processing a transfer with a content + length that is larger than this. + + CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE - A pipelined connection will not + be reused if it is currently processing a chunk larger than this. + + CURLMOPT_PIPELINING_SITE_BL - A blacklist of hosts that don't allow + pipelining. + + CURLMOPT_PIPELINING_SERVER_BL - A blacklist of server types that don't allow + pipelining. + + See the curl_multi_setopt() man page for details. - schannel: Moved interal struct types to urldata.h +Yang Tse (13 Mar 2013) +- tool_main.c: remove redundant vms_show storage-class specifier + + vms_show 'extern' storage-class specifier removed from tool_main.c due to... - Moved type definitions in order to avoid inclusion loop + - Advice from Tor Arntsen: http://curl.haxx.se/mail/lib-2013-03/0164.html + + - HP OpenVMS docs stating that 'Extern is the default storage class for + variables declared outside a function.' + http://h71000.www7.hp.com/commercial/c/docs/dec_c_help_5.html + (Storage_Classes section) -- [Marc Hoersken brought this change] +- test509: libcurl initialization with memory callbacks and actual usage - schannel: Fixed compiler warnings about pointer type assignments +Steve Holme (13 Mar 2013) +- pop3: Removed unnecessary transfer cancellation + + Following commit e450f66a02d8 and the changes in the multi interface + being used internally, from 7.29.0, the transfer cancellation in + pop3_dophase_done() is no longer required. -- [Marc Hoersken brought this change] +Yang Tse (13 Mar 2013) +- Makefile.am: add VMS files not being included in tarball - schannel: Fixed critical typo in conditions and added buffer length checks +- [Tom Grace brought this change] -- [Marc Hoersken brought this change] - - sspi: Refactored socks_sspi and schannel to use same error message functions + build_vms.com: VMS build fixes - Moved the error constant switch to curl_sspi.c and added two new helper - functions to curl_sspi.[ch] which either return the constant or a fully - translated message representing the SSPI security status. - Updated socks_sspi.c and curl_schannel.c to use the new functions. + Added missing slash in cc_full_list. + Removed unwanted extra quotes inside symbol tool_main + for non-VAX architectures that triggered link failure. + Replaced curl_sys_inc with sys_inc. -- [Marc Hoersken brought this change] +- [Tom Grace brought this change] - schannel: Added special shutdown check for Windows 2000 Professional + tool_main.c: fix VMS global variable storage-class specifier - Windows 2000 Professional: Schannel returns SEC_E_OK instead - of SEC_I_CONTEXT_EXPIRED. If the length of the output buffer - is zero and the first byte of the encrypted packet is 0x15, - the application can safely assume that the message was a - close_notify message and change the return value to - SEC_I_CONTEXT_EXPIRED. + An extern submits a psect and a global reference to the linker to point + to it. Using "extern int vms_show = 0" also creates a globaldef. - Connection shutdown does not mean that there is no data to read - Correctly handle incomplete message and ask curl to re-read - Fixed buffer for decrypted being to small - Re-structured read condition to be more effective - Removed obsolete verbose messages - Changed memory reduction method to keep a minimum buffer of size 4096 + The use of the extern by itself does declare a psect but does not declare + a globalsymbol. It does declare a globalref. But the linker needs one and + only one globaldef or there is an error. -- [Marc Hoersken brought this change] +Patrick Monnerat (12 Mar 2013) +- OS400: synchronize RPG binding - schannel: Implemented SSL/TLS renegotiation +Steve Holme (12 Mar 2013) +- pop3: Fixed continuous wait when using --ftp-list - Updated TODO information and added related MSDN articles + Don't initiate a transfer when using --ftp-list. -- [Marc Hoersken brought this change] +Kamil Dudka (12 Mar 2013) +- [Zdenek Pavlas brought this change] - schannel: Save session credential handles in session cache + curl_global_init: accept the CURL_GLOBAL_ACK_EINTR flag + + The flag can be used in pycurl-based applications where using the multi + interface would not be acceptable because of the performance lost caused + by implementing the select() loop in python. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1168 + Downstream Bug: https://bugzilla.redhat.com/919127 -- [Marc Hoersken brought this change] +- easy: do not ignore poll() failures other than EINTR - schannel: Code cleanup +Yang Tse (12 Mar 2013) +- curl.h: stricter CURL_EXTERN linkage decorations logic + + No API change involved. + + Info: http://curl.haxx.se/mail/lib-2013-02/0234.html -- [Marc Hoersken brought this change] +Daniel Stenberg (11 Mar 2013) +- THANKS: Latin-1'ified Jiri's name - schannel: Check for required context attributes +Steve Holme (11 Mar 2013) +- test806: Added CRLF to reply data to be compliant with RFC-822 -- [Marc Hoersken brought this change] +Daniel Stenberg (11 Mar 2013) +- test805: added crlf newlines to make data size match + + since mails sent are supposed to have CRLF line endings I added them and + now the data size after (\Seen) matches again properly - schannel: Allow certificate and revocation checks being deactivated +- test: fix newline for the data check of 807 -- [Marc Hoersken brought this change] +Yang Tse (11 Mar 2013) +- test801 to test807: fix protocol section line endings - schannel: Added SSL/TLS support with Microsoft Windows Schannel SSPI +Steve Holme (10 Mar 2013) +- Makefile.am: Corrected a couple of spurious tab characters + + Corrected a couple of tab characters between test702 and test703, and + between test900 and test901 which should be spaces. -- [Marc Hoersken brought this change] +- [Jiri Hruska brought this change] - http: Replaced specific SSL libraries list in https_getsock fallback + imap: Added test807 for custom request functionality (STORE) -- [Marc Hoersken brought this change] +- [Jiri Hruska brought this change] - connect.c/ftp.c: Fixed dereferencing pointer breakin strict-aliasing - - Fixed warning: dereferencing pointer does break strict-aliasing rules - by using a union instead of separate pointer variables. - Internal union sockaddr_u could probably be moved to generic header. - Thanks to Paul Howarth for the hint about using unions for this. - - Important for winbuild: Separate declaration of sockaddr_u pointer. - The pointer variable *sock cannot be declared and initialized right - after the union declaration. Therefore it has to be a separate statement. + imap: Added test806 for IMAP (folder) LIST command -- [Marc Hoersken brought this change] +- [Jiri Hruska brought this change] - curl_ntlm_msgs.c: Fixed passwdlen not being used and recalculated + imap: Added test805 for APPEND functionality -Yang Tse (11 Jun 2012) -- tests: fix test definitions # 1355, 1363, 1385 and 1393 - - -i without HTTP protocol shall not include headers in the output +- [Jiri Hruska brought this change] -Daniel Stenberg (10 Jun 2012) -- Curl_pgrsDone: return int and acknowledge return code - - Since Curl_pgrsDone() itself calls Curl_pgrsUpdate() which may return an - abort instruction or similar we need to return that info back and - subsequently properly handle return codes from Curl_pgrsDone() where - used. - - (Spotted by a Coverity scan) + imap: Added test804 for skipping SELECT if in the same mailbox -Steve Holme (10 Jun 2012) -- [Marc Hoersken brought this change] +- [Jiri Hruska brought this change] - winbuild: Fixed environment variables being lost + imap: Added test802 and test803 for UIDVALIDITY verification - Fixed USE_IPV6 and USE_IDN not being passed - from Makefile.vc to MakefileBuild.vc - Fixed whitespace and formatting issues - Fixed typo and format in help message - -Guenter Knauf (9 Jun 2012) -- Added metalink support to NetWare builds. - -Steve Holme (9 Jun 2012) -- smtp.c: Removed unused variable + Added one test for a request with matching UIDVALIDITY and one which is + a mismatched request that will fail. -- smtp: Post apop feature code tidy up +- [Jiri Hruska brought this change] -- pop3: Post apop feature code tidy up + imap: Added test801 for UID and SECTION URL parameters -- pop3: Added support for apop authentication +- [Jiri Hruska brought this change] -- pop3: Enhanced the extended authentication mechanism detection + imap-tests: Accept quoted parameters in ftpserver.pl - Enhanced the authentication type / mechanism detection in preparation - for the introduction of APOP support. + Any IMAP parameter can come in escaped and in double quotes. Added a + simple function to unquote the command parameters and applied it to + the IMAP command handlers. -- pop3.c: Fixed length of SASL check +- [Jiri Hruska brought this change] -Yang Tse (9 Jun 2012) -- Fixes allowing 26 more test cases in 1334 to 1393 range to succeed - -- tests: fix test definitions # 1370 and 1371 + tests: Fix ftpserver.pl indentation - -J without -O shall not honor C-D filename + The whole of FETCH_imap() had one extra space of indentation, whilst + APPEND_imap() used indentation of 2 instead of 4 in places. -Daniel Stenberg (9 Jun 2012) -- OpenSSL: support longer certificate subject names - - Previously it would use a 256 byte buffer and thus cut off very long - subject names. The limit is now upped to the receive buffer size, 16K. +- Makefile.am: Corrected end of line filler character - Bug: http://curl.haxx.se/bug/view.cgi?id=3533045 - Reported by: Anthony G. Basile + The majority of lines, that specify a test file for inclusion, end with + a tab character before the slash whilst some end with a space. Corrected + those that end with a space to end with a tab character as well. -Kamil Dudka (8 Jun 2012) -- ssl: fix duplicated SSL handshake with multi interface and proxy +- email-tests: Updated the test data that corresponds to the test number - Bug: https://bugzilla.redhat.com/788526 - Reported by: Enrico Scholz + Finished segregating the email protocol tests, into their own protocol + based ranges, in preparation of adding more e-mail related tests to the + test suite. -Daniel Stenberg (8 Jun 2012) -- tool_getparam.h: fix compiler error +- email-tests: Renamed the IMAP test to be 800 - forward declare the Configurable struct + Continued segregating the email protocol tests, into their own protocol + based ranges, in preparation of adding more e-mail related tests to the + test suite. -- metalink: restore some includes +- email-tests: Renamed the SMTP tests to be in the range 900-906 - Commit eeeba1496cbca removed them and thus broke my Linux build + Continued segregating the email protocol tests, into their own protocol + based ranges, in preparation of adding more e-mail related tests to the + test suite. -- openldap: OOM fixes +- email-tests: Renamed the POP3 tests to be in the range 850-857 - when calloc fails, return error! (Detected by Fortify) + Started segregating the email protocol tests, into their own protocol + based ranges, in preparation of adding more e-mail related tests to the + test suite. + +Daniel Stenberg (10 Mar 2013) +- hiperfifo: updated to use current libevent API - Reported by: Robert B. Harris + Patch by: Myk Taylor -Steve Holme (8 Jun 2012) -- sasl: Re-factored mechanism constants in preparation for APOP work +Steve Holme (10 Mar 2013) +- imap: Reworked some function descriptions -Yang Tse (8 Jun 2012) -- metalink: build fixes and adjustments II - - Additionally, make hash checking ability mandatory in order to allow metalink - support in curl. - - A command line option could be introduced to skip hash checking at runtime, - but the ability to check hashes should always be built-in when providing - metalink support. +- imap: Added some missing comments to imap_sendf() -Guenter Knauf (8 Jun 2012) -- Added metalink support to MinGW builds. +- email: Removed hard returns from init functions -Daniel Stenberg (7 Jun 2012) -- log2changes.pl: fix the Version output +Daniel Stenberg (9 Mar 2013) +- curl_multi_wait: avoid second loop if nothing to do - Previously it could easily wrongly get repeated + ... hopefully this will also make clang-analyzer stop warning on + potentional NULL dereferences (which were false positives anyway). -Yang Tse (7 Jun 2012) -- metalink: build fixes and adjustments I - -Daniel Stenberg (7 Jun 2012) -- lib554.c: use curl_formadd() properly +- multi_runsingle: avoid NULL dereference - The length/size options take longs so make sure to pass on such types. + When Curl_do() returns failure, the connection pointer could be NULL so + the code path following needs to that that into account. - Reported by: Neil Bowers - Bug: http://curl.haxx.se/mail/lib-2012-06/0001.html + Bug: http://curl.haxx.se/mail/lib-2013-03/0062.html + Reported by: Eric Hu -Steve Holme (7 Jun 2012) -- smtp.c: Re-factored the smtp_state_*_resp() functions +Steve Holme (9 Mar 2013) +- imap: Re-factored all perform based functions - Re-factored the smtp_state_*_resp() functions to 1) Match the constants - that were refactored in commit 00fddba6727c, 2) To be more readable and - 3) To match their counterparties in pop3.c. - -Yang Tse (7 Jun 2012) -- Fixes allowing HTTP test cases 1338, 1339, 1368 and 1369 to succeed + Standardised the naming of all perform based functions to be in the form + imap_perform_something(). -- tests 1364 to 1393: several -o filename -J -i -D combinations for HTTP and FTP +Daniel Stenberg (9 Mar 2013) +- [Cédric Deltheil brought this change] -- tests 1348 to 1363: test definition polishing + examples/getinmemory.c: abort the transfer if not enough memory - Verify that the "Saved to filename 'blabla'" message is only displayed when - the 'blabla' filename being used _actually_ has been specified by the server - in the Content-Disposition header. - - Use relative path for unintended file creation postcheck. + No more use exit(3) but instead tell libcurl that no byte has been + written to let it return a `CURLE_WRITE_ERROR`. In addition, check + curl easy handle return code. -Steve Holme (6 Jun 2012) -- smtp: Re-factored the SMTP_AUTH* state machine constants +- RELEASE-NOTES: synced with ca3c0ed3a9c - Re-factored the SMTP_AUTH* constants, that are used by the state - machine, to be clearer to read. + 8 more bugfixes, one change and a bunch of contributors -Guenter Knauf (6 Jun 2012) -- Added hint for pkg-config wrapper script. +Yang Tse (9 Mar 2013) +- Makefile.am: empty AM_LDFLAGS definition for automake 1.7 compatibility -- Updated Android section with recent NDK. - - The r7b had some bugs, and shouldnt be used. +Steve Holme (9 Mar 2013) +- imap: Added description comments to all perform based functions -Yang Tse (6 Jun 2012) -- Disable non-HTTP header related tests +- imap: Removed the need for separate custom request functions - These now detect incompleate header data and fail - -- tests 1348 to 1363: compleate header data part of test definition + Moved the custom request processing into the LIST command as the logic + is the same. -- tests 1334 to 1363 revisited. - - Add a postcheck section to verify unintended file creation. - - Remove needless <file> checks in verify section. Renumbering where appropriate. +- imap: Corrected typo in comment -- tests: adjust file part behavior in test verify section. - - When a <file> part is now specified with no contents at all, this - will actually verify that the specified file has no contents at all. - Previously file contents would be ignored. +Yang Tse (9 Mar 2013) +- Makefile.am: empty AM_LDFLAGS definition for automake 1.7 compatibility -Steve Holme (5 Jun 2012) -- smtp.c: Removed whitespace +Steve Holme (9 Mar 2013) +- imap: Moved imap_logout() to be grouped with the other perform functions -- pop3: Another small code tidy up +- email: Updated the function descriptions for the logout / quit functions - Missed some comments that we identified during the SMTP tidy up earlier. + Updated the function description comments following commit 4838d196fdbf. -- smtp: Post authentication code tidy up - - Corrected lines longer than 78 characters. +- email: Simplified the logout / quit functions - Removed unnecessary braces in smtp_state_helo_resp(). + Moved the blocking state machine to the disconnect functions so that the + logout / quit functions are only responsible for sending the actual + command needed to logout or quit. - Introduced some comments in data sending functions. + Additionally removed the hard return on failure. + +- email: Tidied up the *_regular_transfer() functions - Tidied up comments to match changes made in pop3.c. + Added comments and simplified convoluted dophase_done comparison. -Yang Tse (5 Jun 2012) -- tests 1348 to 1363: add a comma in test description +- email: Simplified nesting of if statements in *_doing() functions -Steve Holme (5 Jun 2012) -- email: Removed duplicated header file +Daniel Stenberg (8 Mar 2013) +- RELEASE-NOTES: mention that krb4 is up for consideration -- sasl: Renamed Curl_sasl_decode_ntlm_type2_message() +Steve Holme (8 Mar 2013) +- imap: Fixed handling of untagged responses for the STORE custom command - For consistency with other SASL based functions renamed this function - to Curl_sasl_create_ntlm_type3_message() which better describes its - usage. + Added an exception, for the STORE command, to the untagged response + processor in imap_endofresp() as servers will back respones containing + the FETCH keyword instead. -- pop3: Post authentication code tidy up +Yang Tse (8 Mar 2013) +- curlbuild.h.dist: enhance non-configure GCC ABI detection logic + + GCC specific adjustments: - Corrected lines longer than 78 characters. + - check __ILP32__ before 32 and 64bit processor architectures in + order to detect ILP32 programming model on 64 bit processors + which, of course, also support LP64 programming model, when using + gcc 4.7 or newer. - Changed POP3_AUTH_FINAL to POP3_AUTH to match SMTP code now that the - AUTH command is no longer sent on its own. + - keep 32bit processor architecture checks in order to support gcc + versions older than 4.7 which don't define __ILP32__ - Introduced some comments in data sending functions. + - check __LP64__ for gcc 3.3 and newer, while keeping 64bit processor + architecture checks for older versions which don't define __LP64__ + +- curlbuild.h.dist: fix GCC build on ARM systems without configure script - Another attempt at trying to rational code and comment style. + Bug: http://curl.haxx.se/bug/view.cgi?id=1205 + Reported by: technion -- pop3: Added support for sasl digest-md5 authentication +- [Gisle Vanem brought this change] -Yang Tse (4 Jun 2012) -- sasl: add reference for curl_sasl + polarssl.c: fix header filename typo -- Makefile.inc: tab adjustment +- configure: use XC_LIBTOOL for portability across libtool versions -Daniel Stenberg (4 Jun 2012) -- pop3 tests: CAPA instead of AUTH - - After Steve's commit e336bc7c42c7340 test 1319 and 1407 need to check - for CAPA instead of AUTH. +- xc-lt-iface.m4: provide XC_LIBTOOL macro -Steve Holme (4 Jun 2012) -- sasl: Added service parameter to Curl_sasl_create_digest_md5_message() - - Added a service type parameter to Curl_sasl_create_digest_md5_message() - to allow the function to be used by different services rather than being - hard coded to "smtp". +Steve Holme (7 Mar 2013) +- imap: Fixed SELECT not being performed for custom requests -Yang Tse (4 Jun 2012) -- tests 1356 to 1363: several -O -J -i -D combinations with FTP protocol - - Currently 1356 to 1362 succeed but a write failure is logged in traceNNNN. +- email: Minor code tidy up following recent changes - Currently 1363 fails, so disabled for now. + Removed unwanted braces and added variable initialisation. -Steve Holme (4 Jun 2012) -- tests: Updated pop3 tests for change in auth mechanism detection +- DOCS: Corrected the IMAP URL grammar of the UIDVALIDITY parameter -- pop3: Changed the sasl mechanism detection from auth to capa - - Not all SASL enabled POP3 servers support the AUTH command on its own - when trying to detect the supported mechanisms. As such changed the - mechanism detection to use the CAPA command instead. +- FEATURES: Provided a little clarity in some IMAP features -Daniel Stenberg (4 Jun 2012) -- curl_easy_setopt.3: proto updates + cleanups - - - For all *FUNCTION options, they now all show the complete prototype in - the description. Previously some of them would just refer to a - typedef'ed function pointer in the curl.h header. +- email: Optimised block_statemach() functions - - I made the phrasing of that "Pass a pointer to a function that matches - the following prototype" the same for all *FUNCTION option descriptions. - - - I removed some uses of 'should'. I think I sometimes over-use this - word as in many places I actually mean MUST or otherwise more specific - and not-so-optional synonyms. + Optimised the result test in each of the block_statemach() functions. -Yang Tse (4 Jun 2012) -- tests 1348 to 1355: several -O -J -i -D combinations with FTP protocol +- DOCS: Added the list command to the IMAP URL section - Currently 1348 to 1354 succeed but a write failure is logged in traceNNNN. + Added examples of the list command and clarified existing example URLs + following recent changes. + +- FEATURES: Updated for recent imap additions - Currently 1355 fails, so disabled for now. + Updated the imap features list, corrected a typo in the smtp features + and clarified a pop3 feature. -- tests 1346 to 1347: several -O -J -i -D combinations with HTTP protocol +Daniel Stenberg (7 Mar 2013) +- version bump: the next release will be 7.30.0 -Steve Holme (4 Jun 2012) -- sasl: Small code tidy up +- checksrc: ban unsafe functions - Reworked variable names in Curl_sasl_create_cram_md5_message() to match - those in Curl_sasl_create_digest_md5_message() as they are more - appropriate. + The list of unsafe functions currently consists of sprintf, vsprintf, + strcat, strncat and gets. + + Subsequently, some existing code needed updating to avoid warnings on + this. -- sasl: Moved digest-md5 authentication message creation from smtp.c +Steve Holme (7 Mar 2013) +- RELEASE-NOTES: Added missing imap fixes and additions - Moved the digest-md5 message creation from smtp.c into the sasl module - to allow for use by other modules such as pop3. + With all the recent imap changes it wasn't clear what new features and + fixes should be included in the release notes. + +Nick Zitzmann (6 Mar 2013) +- RELEASE-NOTES: brought this up-to-date with the latest changes + +Steve Holme (6 Mar 2013) +- [Jiri Hruska brought this change] -- sasl: Small code tidy up before moving digest-md5 over + imap: Fixed test801 and test1321 to specify a message UID - Correction of comments and variable names. + Just a folder list would be retrieved if UID was not specified now. -- RELEASE-NOTES: Added missing addition of sasl login support +- [Jiri Hruska brought this change] -- pop3: Added support for sasl cram-md5 authentication + imap: Fixed ftpserver.pl to allow verification even through LIST command + + Commit 198012ee inadvertently broke LIST_imap(). -Daniel Stenberg (3 Jun 2012) -- Curl_sasl_create_plain_message: remove TAB +- imap: Tidied up the APPEND and final APPEND response functions + + Removed unnecessary state changes on failure and setting of result codes + on success. -Steve Holme (3 Jun 2012) -- sasl: Small code tidy up +- imap: Tidied up the final FETCH response function - Added some comments and removed an unreferenced variable. + Removed unnecessary state change on failure and setting of result code on + success. -- pop3.c: Added conditional compilation for NTLM function calls +- imap: Tidied up the LIST response function - Added USE_NTLM condition compilation around the NTLM functions called - from pop3_statemach_act() introduced in commit 69f7156ad96877. + Reworked comments as they referenced custom commands, removed + unnecessary state change on failure and setting of result code on + success. -- sasl: Moved cram-md5 authentication message creation from smtp.c +- imap: Removed the custom request response function - Moved the cram-md5 message creation from smtp.c into the sasl module - to allow for use by other modules such as pop3. + Removed imap_state_custom_resp() as imap_state_list_resp() provides the + same functionality. + +- [Jiri Hruska brought this change] -- pop3: Fixed an issue with changes introduced in commit c267c53017bc + imap: Updated ftpserver.pl to be more compliant, added new commands - Because pop3_endofresp() is called for each line of data yet is not - passed the line and line length, so we have to use the data pointed to - by pp->linestart_resp which contains the whole packet, the mechanisms - were being detected in one call yet the function would be called for - each line of data. + Enriched IMAP capabilities of ftpserver.pl in order to be able to + add tests for the new IMAP features. - Using curl with verbose mode enabled would show that one line of data - would be received in response to the AUTH command, before the AUTH - <mechanism> command was sent to the server and then the next few lines - of the original AUTH command would be displayed before the response from - the AUTH <mechanism> command. This would then cause problems when - parsing the CRAM-MD5 challenge data as extra data was contained in the - buffer. + * Added support for APPEND - Saves uploaded data to log/upload.$testno + * Added support for LIST - Returns the contents of <reply/> section in + the current test, like e.g FETCH. + * Added support for STORE - Returns hardcoded updated flags + * Changed handling of SELECT - Returns much more information in the + usual set of untagged responses; uses hardcoded data from an example + in the IMAP RFC + * Changed handling of FETCH - Fixed response format + +- imap: Added check for empty UID in FETCH command - Changed the parsing so that each line is checked for the mechanisms - and the function returns FALSE until the whole of the AUTH response has - been processed. + As the UID has to be specified by the user for the FETCH command to work + correctly, added a check to imap_fetch(), although strictly speaking it + is protected by the call from imap_perform(). -Daniel Stenberg (3 Jun 2012) -- version: bump to 7.27.0 for next release +Kamil Dudka (6 Mar 2013) +- nss: fix misplaced code enabling non-blocking socket mode - Due to new features + The option needs to be set on the SSL socket. Setting it on the model + takes no effect. Note that the non-blocking mode is still not enabled + for the handshake because the code is not yet ready for that. -- RELEASE-NOTES: synced with c4e3578e4bf +Daniel Stenberg (6 Mar 2013) +- imap: fix compiler warning - Also bumped the contributor number and next release is to become 7.27.0 + imap.c:694:21: error: unused variable 'imapc' [-Werror=unused-variable] -- THANKS: 16 new contributors from the 7.26.0 release +Steve Holme (5 Mar 2013) +- imap: Added support for list command -Steve Holme (3 Jun 2012) -- DOCS: Fixed list in Section 18.2 not displaying correctly on web site +- imap: Added list perform and response handler functions -- DOCS: Corrected missed heading renumbering from commit 530675a1ad7 +- imap: Introduced IMAP_LIST state -- DOCS: Added IMAP and LDAP sections - - Added new sections 11. IMAP and 12. LDAP to document adding SASL based - authentication. +- imap: Small tidy up of imap_select() to match imap_append() - Renumbered current sections 11 to 17 as 13 to 19. - - Additionally added 19.10 Add CURLOPT_MAIL_CLIENT option. + Updated the style of imap_select() before adding the LIST command. -- sasl.c: Fix to avoid warnings introduced in commit d9ca9e9869e8 +- imap: Moved mailbox check from the imap_do() function - Applied a fix to avoid warnings on systems where Curl_ntlm_sspi_cleanup() - is just a nop. - -- pop3.c:Corrected typo in commit 69ba0da8272d + In preparation for the addition of the LIST command, moved the mailbox + check from imap_do() to imap_select() and imap_append(). -- pop3: Fixed the issue of having to supply the user name for all requests +- curl_setup.h: Added S_IRDIR() macro for compilers that don't support it - Previously it wasn't possible to connect to POP3 and not specify the - user name as a CURLE_ACCESS_DENIED error would be returned. This error - occurred because USER would be sent to the server with a blank user name - if no mailbox user was specified as the server would reply with -ERR. + Commit 26eaa8383001 introduces the use of S_ISDIR() yet some compilers, + such as MSVC don't support it, so we must define a substitute using + file flags and mask. + +Daniel Stenberg (4 Mar 2013) +- AddFormData: prevent only directories from being posted - This wasn't a problem prior to the 7.26.0 release but with the - introduction of custom commands the user and/or application developer - might want to issue a CAPA command without having to log in as a - specific mailbox user. + Commit f4cc54cb4746ae5a6d (shipped as part of the 7.29.0 release) was a + bug fix that introduced a regression in that while trying to avoid + allowing directory names, it also forbade "special" files like character + devices and more. like "/dev/null" as was used by Oliver who reported + this regression. - Additionally this fix won't send the newly introduced AUTH command if no - user name is specified. + Reported by: Oliver Gondža + Bug: http://curl.haxx.se/mail/archive-2013-02/0040.html -- pop3.c: Small code tidy up +Nick Zitzmann (3 Mar 2013) +- darwinssl: fix infinite loop if server disconnected abruptly - Corrected lines exceeding 78 characters. + If the server hung up the connection without sending a closure alert, + then we'd keep probing the socket for data even though it's dead. Now + we're ready for this situation. - Repositioned some comments and added extra clarity. - -- sasl: Corrected variable names in comments and parameters - -- pop3: Added support for sasl ntlm authentication + Bug: http://curl.haxx.se/mail/lib-2013-03/0014.html + Reported by: Aki Koskinen -- sasl: Small comment style tidy up following ntlm commit +Steve Holme (3 Mar 2013) +- imap: Added comments to imap_append() -- sasl: Moved ntlm authentication message handling from smtp.c - - Moved the ntlm message creation and decoding from smtp.c into the sasl - module to allow for use by other modules such as pop3. +- [Jiri Hruska brought this change] -- pop3: Added support for sasl login authentication + imap: Added required mailbox check for FETCH and APPEND commands -Yang Tse (1 Jun 2012) -- tests 1334 to 1345: several -O -J -i -D combinations with HTTP protocol +- pingpong.c: Fix enumerated type mixed with another type -- tests: support test definitions with up to 5 file checks in <verify> section +- smtp: Updated the coding style for state changes after a send operation - This is done introducing tags <file1> to <file4> besides existing <file> one, - as well as corresponding <stripfile1> to <stripfile4> ones, that can be used - in the <verify> section in the same way as the non-numbered ones. + Some state changes would be performed after a failure test that + performed a hard return, whilst others would be performed within a test + for success. Updated the code, for consistency, so all instances are + performed within a success test. -Steve Holme (31 May 2012) -- sasl: Moved login authentication message creation from smtp.c +- pop3: Updated the coding style for state changes after a send operation - Moved the login message creation from smtp.c into the sasl module - to allow for use by other modules such as pop3. + Some state changes would be performed after a failure test that + performed a hard return, whilst others would be performed within a test + for success. Updated the code, for consistency, so all instances are + performed within a success test. -- smtp.c: Reworked message encoding in smtp_state_authpasswd_resp() - - Rather than encoding the password message itself the - smtp_state_authpasswd_resp() function now delegates the work to the same - function that smtp_state_authlogin_resp() and smtp_authenticate() use - when constructing the encoded user name. +- imap: Fixed typo in variable assignment -- smtp.c: Re-factored smtp_auth_login_user() for use with passwords - - In preparation for moving to the SASL module re-factored the - smtp_auth_login_user() function to smtp_auth_login() so that it can be - used for both user names and passwords as sending both of these under - the login authentication mechanism is the same. +- [Jiri Hruska brought this change] -- pop3: Added support for sasl plain text authentication + imap: Fixed custom request handling in imap_done() + + Fixed imap_done() so that neither the FINAL states are not entered when + a custom command has been performed. -- curl_ntlm_msgs.c: Corrected small spelling mistake in comments +- [Jiri Hruska brought this change] -- sasl: Moved plain text authentication message creation from smtp.c + imap: Enabled custom requests in imap_select_resp() - Moved the plain text message creation from smtp.c into the sasl module - to allow for use by other modules such as pop3. + Changed imap_select_resp() to invoke imap_custom() instead of + imap_fetch() after the mailbox has been selected if a custom + command has been set. -Yang Tse (30 May 2012) -- configure: fix LDAPS disabling related misplaced closing parenthesis +- [Jiri Hruska brought this change] -- pop3 test server: allow pop3 test server verification to succeed again + imap: Enabled custom requests in imap_perform() - Introduce SUPPORTCAPA and SUPPORTAUTH config commands to allow further - pop3 test server expansion for tests that require CAPA or AUTH support, - although this will need some extra work to make it fully functional. + Modified imap_perform() to start with the custom command instead of + SELECT when a custom command is to be performed and no mailbox has + been given. -Steve Holme (28 May 2012) -- pop3: Introduced the continue response in pop3_endofresp() +- [Jiri Hruska brought this change] -- pop3: Changed response code from O and E to + and - + imap: Added custom request perform and response handler functions - The POP3 protocol doesn't really have the concept of error codes and - uses +, +OK and -ERR in response to commands to indicate continue, - success and error. + Added imap_custom(), which initiates the custom command processing, + and an associated response handler imap_state_custom_resp(), which + handles any responses by sending them to the client as body data. - The AUTH command is one of those commands that requires multiple pieces - of data to be sent to the server where the server will respond with + as - part of the handshaking. This meant changing the values before - continuing with the next stage of adding authentication support. + All untagged responses with the same name as the first word of the + custom request string are accepted, with the exception of SELECT and + EXAMINE which have responses that cannot be easily identified. An + extra check has been provided for them so that any untagged responses + are accepted for them. -- pop3: Small code tidy up following authentication work so far +- pop3: Fixed unnecessary parent structure reference - Changed the order of the state machine to match the order of actual - events. - - Reworked some comments and function parameter positioning that I missed - the other day. + Updated pop3 code following recent imap changes. -Kamil Dudka (28 May 2012) -- nss: use human-readable error messages provided by NSS - - Bug: http://lists.baseurl.org/pipermail/yum-devel/2012-January/009002.html +- [Jiri Hruska brought this change] -Daniel Stenberg (27 May 2012) -- test1013.pl: filter out Metalink + imap: Added custom request parsing - Since it isn't a feature supported by curl-config we can't compare that - with the --version output + Added imap_parse_custom_request() for parsing the CURLOPT_CUSTOMREQUEST + parameter which URL decodes the value and separates the request from + any parameters - This makes it easier to filter untagged responses + by the request command. -- pop3: remove variable-not-used warnings +- [Jiri Hruska brought this change] -Steve Holme (27 May 2012) -- DOCS: Corrected the "Added in" version number for CURLOPT_MAIL_AUTH + imap: Introduced custom request parameters - Additionally corrected another RFC link that I missed yesterday. + Added custom request parameters to the per-request structure. -- pop3: Added support for SASL based authentication mechanism detection - - Added support for detecting the supported SASL authentication mechanisms - via the AUTH command. There are two ways of detecting them, either by - using the AUTH command, that will return -ERR if not supported or by - using the CAPA command which will return SASL and the list of mechanisms - if supported, not include SASL if SASL authentication is not supported - or -ERR if the CAPA command is not supported. As such it seems simpler - to use the AUTH command and fallback to normal clear text authentication - if the the command is not supported. - - Additionally updated the test cases to return -ERR when the AUTH command - is encountered. Additional test cases will be added when support for the - individual authentication mechanisms is added. +- [Jiri Hruska brought this change] -Daniel Stenberg (27 May 2012) -- pop3: remove trailing whitespace + imap: Introduced IMAP_CUSTOM state -Steve Holme (27 May 2012) -- pop3: Code tidy up before the introduction of authentication code - - Moved EOB definition into header file. - - Switched the logic around in pop3_endofresp() to allow for the - introduction of auth-mechanism detection. - - Repositioned second and third function variables where they will fit - within the 78 character line limit. +- imap: Minor code tidy up - Tidied up some comments. + Minor tidy up of code layout and comments following recent changes. -Guenter Knauf (27 May 2012) -- Enabled OpenSSL static linkage. +- imap: Simplified the imap_state_append_resp() function + + Introduced the result code variable to simplify the state changes and + remove the hard returns. -- Enabled OpenSSL static linkage. +- imap: Changed successful response logic in imap_state_append_resp() + + For consistency changed the logic of the imap_state_append_resp() + function to test for an unsucessful continuation response rather than a + succesful one. -- Try to detect OpenSSL build type automatically. +- imap: Standardised imapcode condition tests + + For consistency changed two if(constant != imapcode) tests to be + if(imapcode != constant). -Daniel Stenberg (26 May 2012) -- metalink: fix build errors when disabled +- imap: Moved imap_append() to be with the other perform functions -- [Tatsuhiro Tsujikawa brought this change] +- [Jiri Hruska brought this change] - Reduced #ifdef HAVE_METALINK + imap: Enabled APPEND support in imap_perform() + + Added logic in imap_perform() to perform an APPEND rather than SELECT + and FETCH if an upload has been specified. -- [Tatsuhiro Tsujikawa brought this change] +- [Jiri Hruska brought this change] - Disable hash check if neither OpenSSL nor GNUTLS is installed. + imap: Implemented APPEND final processing + + The APPEND operation needs to be performed in several steps: + 1) We send "<tag> APPEND <mailbox> <flags> {<size>}\r\n" + 2) Server responds with continuation respose "+ ...\r\n" + 3) We start the transfer and send <size> bytes of data + 4) Only now we end the request command line by sending "\r\n" + 5) Server responds with "<tag> OK ...\r\n" + + This commit performs steps 4 and 5, in the DONE phase, as more + processing is required after the transfer. -- [Tatsuhiro Tsujikawa brought this change] +- [Jiri Hruska brought this change] - Format GETOUT_METALINK nicely + imap: Added APPEND perform and response handler functions + + Added imap_append() function to initiate upload and imap_append_resp() + to handle the continuation response and start the transfer. -- [Tatsuhiro Tsujikawa brought this change] +- [Jiri Hruska brought this change] - Minimize usage of structs from libmetalink + imap: Introduced IMAP_APPEND and IMAP_APPEND_FINAL states -- [Tatsuhiro Tsujikawa brought this change] +- [Jiri Hruska brought this change] - Check checksum of downloaded file if checksum is available + imap: Updated setting of transfer variables in imap_state_fetch_resp() - Metalink file contains several hash types of checksums, such as - md5, sha-1, sha-256, etc. To deal with these checksums, I created - abstraction layer based on lib/curl_md5.h and - lib/md5.c. Basically, they are almost the same but I changed the - code so that it is not hash type dependent. Currently, - GNUTLS(nettle or gcrypt) and OpenSSL functions are supported. - - Checksum checking is done by reopening download file. If there - is an I/O error, the current implementation just prints error - message and does not try next resource. - - In this patch, the supported hash types are: md5, sha-1 and sha-256. + Add number of bytes retrieved from the PP cache to req.bytecount and set + req.maxdownload only when starting a proper download. -- [Tatsuhiro Tsujikawa brought this change] +- [Jiri Hruska brought this change] - Always create directory hierarchy for Metalink. - - Filenames contained in Metalink file can include directory information. - Filenames are unique in Metalink file, taking into account the directory - information. So we need to create the directory hierarchy. + imap: Improved FETCH response parsing - Curl has --create-dirs option, but we create directory hierarchy for - Metalink downloads regardless of the option value. - - This patch also put metalink int variable outside of HAVE_LIBMETALINK - guard. This reduces the number of #ifdefs. + Added safer parsing of the untagged FETCH response line and the size of + continuation data. -- [Tatsuhiro Tsujikawa brought this change] +- imap: Fixed accidentally lossing the result code + + Accidentally lost the result code in imap_state_capability() and + imap_state_login() with commit b06a78622609. - Fixed segmentation fault when Metalink has no valid file or no resource. +- imap: Another minor comment addition / tidy up -- [Tatsuhiro Tsujikawa brought this change] +- imap: Updated the coding style for state changes after a send operation + + Some state changes would be performed after a failure test that + performed a hard return, whilst others would be performed within a test + for success. Updated the code, for consistency, so all instances are + performed within a success test. - Support media-type parameter in Content-Type +- pop3 / smtp: Small comment tidy up + + Small tidy up to keep some comments consistant across each of the email + protocols. -- [Tatsuhiro Tsujikawa brought this change] +- [Jiri Hruska brought this change] - Print "Metalink" in Features if Metalink support is enabled. + imap: FETCH response handler cleanup before further changes + + Removed superfluous NULL assignment after Curl_safefree() and rewrote + some comments and logging messages. -- [Tatsuhiro Tsujikawa brought this change] +- pop3: Small tidy up of function arguments - Removed trailing space +- imap: Small tidy up of function arguments -- [ant brought this change] +- smtp: Corrected debug message for POP3_AUTH_FINAL constant + + Following commit ad3177da24b8 corrected the debug message in state() + from AUTH to AUTH_FINAL. - Add --metalink to --help +- pop3: Corrected debug message for POP3_AUTH_FINAL constant + + Following commit afad1ce753a1 corrected the debug message in state() + from AUTH to AUTH_FINAL. -- [ant brought this change] +- imap: Corrected debug message for IMAP_AUTHENTICATE_FINAL constant + + Following commit 13006f3de9ec corrected the debug message in state() + from AUTHENTICATE to AUTHENTICATE_FINAL. - Add Metalink information and --metalink option to man page +- [Jiri Hruska brought this change] -- [ant brought this change] + imap: Fixed error code returned for invalid FETCH response + + If the FETCH command does not result in an untagged response the the + UID is probably invalid. As such do not return CURLE_OK. - Add Metalink information and --metalink option to man page +- [Jiri Hruska brought this change] -- [ant brought this change] + imap: Added processing of the final FETCH responses + + Not processing the final FETCH responses was not optimal, not only + because the response code would be ignored but it would also leave data + unread on the socket which would prohibit connection reuse. - Adds Metalink information to INSTALL +- [Jiri Hruska brought this change] -- [Tatsuhiro Tsujikawa brought this change] + imap: Introduced FETCH_FINAL state for processing final fetch responses + + A typical FETCH response can be broken down into four parts: + + 1) "* <uid> FETCH (<what> {<size>}\r\n", using continuation syntax + 2) <size> bytes of the actual message + 3) ")\r\n", finishing the untagged response + 4) "<tag> OK ...", finishing the command + + Part 1 is read in imap_fetch_resp(), part 2 is consumed in the PERFORM + phase by the transfer subsystem, parts 3 and 4 are currently ignored. - --metalink option is available regardless of Metalink support. +- imap: fix autobuild warning + + Removed whitespace from imap_perform() -- [Tatsuhiro Tsujikawa brought this change] +- imap: fix compiler warning + + error: declaration of 'imap' shadows a previous local - metalink: parse downloaded Metalink file +- smtp: Re-factored the final SMTP_AUTH constant - Parse downloaded Metalink file and add downloads described there. Fixed - compile error without metalink support. + Changed the final SMTP_AUTH constant to SMTP_AUTH_FINAL for consistency + with the response function. -- [Tatsuhiro Tsujikawa brought this change] +- pop3: Re-factored the final POP3_AUTH constant + + Changed the final POP3_AUTH constant to POP3_AUTH_FINAL for consistency + with the response function. - Fixed HAVE_LIBMETALINK conditional is always true +- imap: Re-factored final IMAP_AUTHENTICATE constant + + Changed the final IMAP_AUTHENTICATE constant to IMAP_AUTHENTICATE_FINAL + for consistency with the response function. -- [Tatsuhiro Tsujikawa brought this change] +- imap: Updated the coding style of imap_state_servergreet_resp() + + Updated the coding style, in this function, to be consistant with other + response functions rather then performing a hard return on failure. - metalink: minor metalinkfile fix +- imap: Reversed the logic of the (un)successful tagged SELECT response - Don't update config->metalinkfile_last in operate(). Use local variable - to point to the current metalinkfile. + Reversed the logic of the unsuccessful vs successful tagged SELECT + response in imap_state_select_resp() to be more logical to read. -- [Tatsuhiro Tsujikawa brought this change] +- imap: Reversed the logic of the (un)successful tagged CAPABILITY response + + Reversed the logic of the unsuccessful vs successful tagged CAPABILITY + response in imap_state_capability_resp() to be more logical to read. - metalink: show help message even if disabled +- imap: Corrected char* references with char * - Print message if --metalink is used while metalink support is not - enabled. Migrated Metalink support in tool_operate.c and removed - operatemetalink(). + Corrected char* references made in commit: 709b3506cd9b. -- [Tatsuhiro Tsujikawa brought this change] +- [Jiri Hruska brought this change] - Applied patches from Daniel + imap: Added processing of more than one response when sent in same packet + + Added a loop to imap_statemach_act() in which Curl_pp_readresp() is + called until the cache is drained. Without this multiple responses + received in a single packet could result in a hang or delay. -- [Tatsuhiro Tsujikawa brought this change] +- [Jiri Hruska brought this change] - Support Metalink. - - This change adds experimental Metalink support to curl. - To enable Metalink support, run configure with --with-libmetalink. - To feed Metalink file to curl, use --metalink option like this: - - $ curl -O --metalink foo.metalink + imap: Added skipping of SELECT command if already in the same mailbox - We use libmetalink to parse Metalink files. + Added storage and checking of the last mailbox userd to prevent + unnecessary switching. -Steve Holme (26 May 2012) -- DOCS: Fixed line spacing of authentication examples in CURLOPT_URL +- [Jiri Hruska brought this change] -- DOCS: Changed domain names in various examples to example.com + imap: Introduced the mailbox variable - Updated various references of real domain names to example.com as per - RFC-2606. + Added the mailbox variable to the per-connection structure in + preparation for checking for an already selected mailbox. -- DOCS: Fixed meaning of bit 2 in CURLOPT_POSTREDIR +- email: Slight reordering of connection based variables - Setting bit 2 for this value was documented as having a constant value - defined as CURL_REDIR_POST_303 yet referenced a 302 request. - - Additionally corrected the meaning of CURL_REDIR_POST_ALL for all three - bits and fixed problems with the bolding of keywords in this section. + Reordered the state and ssl_done variables in order to provide more + consistency between the email protocols as well as for for an upcoming + change. -- DOCS: Standardised how RFCs are referenced. - - Standardised how RFCs are referenced so that the website may autolink to - the correct documentation on ietf.org. Additionally removed the one link - to RFC3986 on curl.haxx.se. +- imap: Tidied up comments for connection based variables -Yang Tse (26 May 2012) -- Fix libcurl.pc and curl-config generation for static MingW* cross builds +- DOCS: Added the IMAP UIDVALIDITY property to the CURLOPT_URL section -Daniel Stenberg (25 May 2012) -- [Tatsuhiro Tsujikawa brought this change] +- [Jiri Hruska brought this change] - Made -D option work with -O and -J. - - To achieve this, first new structure HeaderData is defined to hold - necessary data to perform header-related work. Then tool_header_cb now - receives HeaderData pointer as userdata. All header-related work - (currently, dumping header and Content-Disposition inspection) are done - in this callback function. HeaderData.outs->config is used to determine - whether each work is done. - - Unit tests were also updated because after this change, curl code always - sets CURLOPT_HEADERFUNCTION and CURLOPT_HEADERDATA. + imap: Added verification of UIDVALIDITY mailbox attribute - Tested with -O -J -D, -O -J -i and -O -J -D -i and all worked fine. + Added support for checking the UIDVALIDITY, and aborting the request, if + it has been specified in the URL and the server response is different. -Steve Holme (25 May 2012) -- sasl: Re-factored auth-mechanism constants to be more generic +- [Jiri Hruska brought this change] -- smtp: Moved auth-mechanism constants into a separate header file + imap: Added support for parsing the UIDVALIDITY property - Move the SMTP_AUTH constants into a separate header file in - preparation for adding SASL based authentication to POP3 as the two - protocols will need to share them. + Added support for parsing the UIDVALIDITY property from the SELECT + response and storing it in the per-connection structure. -Kamil Dudka (25 May 2012) -- nss: avoid using explicit casts of code pointers +- [Jiri Hruska brought this change] -Steve Holme (24 May 2012) -- DOCS: Added LDAP to the CURLOPT_URL section - -- TODO: Removed DIGEST-MD5 authentication from SMTP to do list - - Removed DIGEST-MD5 from Section 9.1 Other authentication mechanisms as - the feature was added to SMTP in 7.26.0. + imap: Introduced the mailbox_uidvalidity variable - Also corrected small spelling mistake. + Added the mailbox_uidvalidity variable to the per-connection structure + in preparation for checking the UIDVALIDITY mailbox attribute. + +- imap: Corrected comment in imap_endofresp() -Daniel Stenberg (24 May 2012) -- bump to 7.26.1: start working towards next release +- imap: Corrected whitespace -Version 7.26.0 (24 May 2012) +- [Jiri Hruska brought this change] -Daniel Stenberg (24 May 2012) -- RELEASE-NOTES: synced with ef60fdbd73 + imap: Added filtering of CAPABILITY and FETCH untagged responses - Just before 7.26.0 is about to ship + Only responses that contain "CAPABILITY" and "FETCH", respectively, + will be sent to their response handler. -Steve Holme (22 May 2012) -- smtp: Fixed an issue with the multi-interface always sending postdata +- [Jiri Hruska brought this change] + + imap: Added a helper function for upcoming untagged response filtering - Due to the result code being reset to CURLE_OK when smtp_dophase_done() - was called, postdata would incorrectly be sent to the server when the - MAIL FROM or RCPT command was rejected. + RFC 3501 states that "the client MUST be prepared to accept any response + at all times" yet we assume anything received with "* " at the beginning + is the untagged response we want. - As such, libcurl would return the wrong result code from performing the - operation and additionally set CURLINFO_RESPONSE_CODE to be that - returned by the postdata command. + Introduced a helper function that checks whether the input looks like a + response to specified command, so that we may filter the ones we are + interested in according to the current state. + +- [Jiri Hruska brought this change] + + imap: Moved CAPABILITY response handling to imap_state_capability_resp() - Bug: http://curl.haxx.se/mail/lib-2012-05/0108.html - Reported by: Gokhan Sengun + Introduced similar handling to the FETCH responses, where even the + untagged data responses are handled by the response handler of the + individual state. -- DOCS: Updated version number for features added in the pending release +Linus Nielsen Feltzing (26 Feb 2013) +- Remove unused variable in smtp_state_data_resp() -Daniel Stenberg (22 May 2012) -- [Tatsuhiro Tsujikawa brought this change] +Steve Holme (25 Feb 2013) +- email: Small tidy up following recent changes - Fixed compile error with GNUTLS+NETTLE - - In nettle/md5.h, md5_init and md5_update are defined as macros to - nettle_md5_init and nettle_md5_update respectively. This causes - error when using MD5_params.md5_init and md5_update. This patch - renames these members as md5_init_func and md5_update_func to - avoid name conflict. For completeness, MD5_params.md5_final was - also renamed as md5_final_func. +- smtp: Removed bytecountp from the per-request structure - The changes in curl_ntlm_core.c is conversion error and fixed by - casting to proper type. + Removed this pointer to a downloaded bytes counter because it was set in + smtp_init() to point to the same variable the transfer functions keep + the count in (k->bytecount), effectively making the code in transfer.c + "*k->bytecountp = k->bytecount" a no-op. -- TODO-RELEASE: mention the pending biggies for 7.27.0 +- pop3: Removed bytecountp from the per-request structure + + Removed this pointer to a downloaded bytes counter because it was set in + pop3_init() to point to the same variable the transfer functions keep + the count in (k->bytecount), effectively making the code in transfer.c + "*k->bytecountp = k->bytecount" a no-op. -- [Jan Ehrhardt brought this change] +- [Jiri Hruska brought this change] - winbuild: fix IPv6 enabled build + imap: Removed bytecountp from the per-request structure - The existing check was wrong so IPv6 support would never be enabled + Removed this pointer to a downloaded bytes counter because it was set in + imap_init() to point to the same variable the transfer functions keep + the count in (k->bytecount), effectively making the code in transfer.c + "*k->bytecountp = k->bytecount" a no-op. -- 7.26.0: will be the next release version +- [Jiri Hruska brought this change] -- RELEASE-NOTES: synced with 8ae1e657e82a + imap: Adjusted SELECT and FETCH function order - And mention that this will become 7.26.0 + Moved imap_select() and imap_fetch() to be grouped with the other + perform functions. -Guenter Knauf (22 May 2012) -- Updated dependency libary versions. +- [Jiri Hruska brought this change] -Daniel Stenberg (20 May 2012) -- curl-config.1: fix curl-config usage in example - - The curl-config command must be used twice in the single command line to - work properly in some environments. + imap: Adjusted SELECT and FETCH state order in imap_statemach_act() - Bug: http://curl.haxx.se/bug/view.cgi?id=3528241 - Reported by: Julian Taylor + Exchanged the position of these states in the switch statements to + match the state enum, execution and function order. -Steve Holme (17 May 2012) -- smtp: Fixed non-escaping of dot character at beginning of line - - A dot character at the beginning of a line would not be escaped to a - double dot as required by RFC-2821, instead it would be deleted by the - mail server. Please see section 4.5.2 of the RFC for more information. +- imap: Minor tidy up of comments in imap_parse_url_path() - Note: This fix also simplifies the detection of repeated CRLF.CRLF - combinations, such as CRLF.CRLF.CRLF, a little rather than having to - advance the eob counter to 2. + Tidy up of comments before next round of imap changes. -Daniel Stenberg (16 May 2012) -- FAQ: updated 1.10 How many are using curl? +- imap: Fixed incorrect comparison for STARTTLS in imap_endofresp() - Now linking to http://daniel.haxx.se/blog/2012/05/16/300m-users/ + Corrected the comparison type in addition to commit 1dac29fa83a9. -- disable-versioned-symbols: removed superfluous 'fi' +- DOCS: Corrected IMAP URL examples according to RFC5092 - The commit e315927a1a left this in + URL examples that included the UID weren't technically correct although + would pass the curl parser. -- MakefileBuild.vc: use the correct IDN variable +Nick Zitzmann (24 Feb 2013) +- darwinssl: fix undefined $ssllib warning in runtests.pl - The variable that control IDN enablement is called USE_IDN within these - Makefiles + I also added --with-darwinssl to the list of SSL options in configure. -- [Pierre Chapuis brought this change] +Steve Holme (24 Feb 2013) +- imap: Added check for new internal imap response code - autoconf: improve handling of versioned symbols +- imap: Changed the order of the response types in imap_endofresp() - It checks whether versioned symbols should be enabled before checking - whether it is possible (i.e. the linker supports --version-script) or - not. This avoids a useless warning when building cURL on a platform that - does not use GNU ld. + From a maintenance point of view the code reads better to view tagged + responses, then untagged followed by continuation responses. - Moreover, it fixes broken indentation of this chunk of code. + Additionally, this matches the order of responses in POP3. -- curl.1: clarify -x usage - - 1 - fix the syntax in the .IP line - - 2 - Provided user names and passwords are URL decoded by libcurl - - Bug: http://curl.haxx.se/bug/view.cgi?id=3525935 +- [Jiri Hruska brought this change] -- NTLM: is supported in GnuTLS builds too + imap: Added stricter parsing of continuation responses - ... since commit 9a4c887c4a7 introduced in libcurl 7.19.4 + Enhanced the parsing to only allow continuation responses in some + states. -- TODO: happy eyeballs is now RFC6555 +- imap: Simplified memcmp() in tagged response parsing -- my_useragent: shorten user-agent - - The built-in user-agent will now only say curl/[version] and nothing - else in an attempt to decrease overhead in HTTP requests. +- [Jiri Hruska brought this change] -- CURLOPT_HEADERFUNCTION: works for non-HTTP protocols too + imap: Reworked the logic of untagged command responses -Claes Jakobsson (3 May 2012) -- Add note about default timeout in CURLOPT_TIMEOUT +- imap: Corrected spacing of trailing brace -Daniel Stenberg (2 May 2012) -- [Gokhan Sengun brought this change] +- [Jiri Hruska brought this change] - MD5: OOM fix + imap: Added stricter parsing of tagged command responses - check whether md5 initialization succeeded before updating digest of - buffers onto it + Enhanced the parsing of tagged responses which must start with "OK", + "NO" or "BAD" -- REALEASE-NOTES: synced with 64f48e884e3c1 +- [Jiri Hruska brought this change] -- [Jan Schaumann brought this change] + imap: Simplified command response test in imap_endofresp() - add newly created manual page +- [Jiri Hruska brought this change] -- [Jan Schaumann brought this change] + imap: Corrected comment in imap_endofresp() - add a manual page for mk-ca-bundle - -Guenter Knauf (26 Apr 2012) -- Updated dependency lib versions. - -Daniel Stenberg (23 Apr 2012) -- URL parse: reject numerical IPv6 addresses outside brackets +- DOCS: Corrected layout of POP3 and IMAP URL examples - Roman Mamedov spotted (in - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670126) that curl would - not complain when given a URL with an IPv6 numerical address without - brackets. It would simply cut off the last ":[hex]" part and thus not - work correctly. + Corrected layout issues with the POP3 and IMAP URL examples introduced + in commit cb3ae6894fb2. + +- DOCS: Updated CURLOPT_URL section following recent POP3 and IMAP changes - That's a URL using an illegal syntax and now libcurl will instead return - a clear error code and error message detailing the error. + Updated the POP3 sub-section to refer to message ID rather than mailbox. - The above mentioned bug report claims this to be a regression but - libcurl does not guarantee functionality when given URLs that aren't - following the URL spec (RFC3986 mostly). I consider the fact that it - used to handle this differently a mere coincidence. + Added an IMAP sub-section with example URLs depicting the specification + of mailbox, uid and section. -- Curl_MD5_init: fix OOM memory leak +- pop3: Refactored the mailbox variable as it didn't reflect it's purpose - Bug: http://curl.haxx.se/mail/lib-2012-04/0246.html - Reported by: Michael Mueller + Updated the mailbox variable to correctly reflect it's purpose. The + name mailbox was a leftover from when IMAP and POP3 support was + initially added to curl. -- [Gokhan Sengun brought this change] +- FEATURES: Updated following recent IMAP changes - OpenSSL cert: provide more details when cert check fails - - curl needs to be more chatty regarding certificate verification failure - during SSL handshake +- [Jiri Hruska brought this change] -Yang Tse (23 Apr 2012) -- Revert "sspi: Added version information" + imap: Added the ability to FETCH a specific UID and SECTION - This reverts commit 2976de480808119dae08fc6f52c8d75ba1aedb1a. - -- Revert "sspi - Small code tidy up" + Updated the FETCH command to send the UID and SECTION parsed from the + URL. By default the BODY specifier doesn't include a section, BODY[] is + now sent whereas BODY[TEXT] was previously sent. In my opinion + retrieving just the message text is rarely useful when dealing with + emails, as the headers are required for example, so that functionality + is not retained. In can however be simulated by adding SECTION=TEXT to + the URL. - This reverts commit 46cd5f1daddad3b3e542e6d93eee52e8bb9a8687. + Also updated test801 and test1321 due to the BODY change. -- Revert "Fixed 'extra tokens at end of #endif directive'." - - This reverts commit 77172a242fc0c820f97eae39d0e3e0f265222fe6. +- email: Additional tidy up of comments following recent changes -- Revert "Fixed 'Trailing whitespace' found by checksrc." +- smtp: Removed some FTP heritage leftovers + + Removed user and passwd from the SMTP struct as these cannot be set on + a per-request basis and are leftover from legacy FTP code. - This reverts commit 683bfa60ad0b52505947e59b03515e5f44378523. + Changed some comments still using FTP terminology. -- Revert "sspi: Code tidy up to remove unused variable." +- smtp: Moved the per-request variables to the per-request data structure - This reverts commit 412510f97407d617426d93b80e6b6bf0a8ff11ac. + Moved the rcpt variable from the per-connection struct smtp_conn to the + new per-request struct and fixed references accordingly. -- Revert "Add -lversion if build with SSPI." +- pop3: Introduced a custom SMTP structure for per-request data - This reverts commit 9ec0b7e0c44d29eca6f45916fe5af3501168fe85. + Created a new SMTP structure and changed the type of the smtp proto + variable in connectdata from FTP* to SMTP*. -Guenter Knauf (23 Apr 2012) -- Add -lversion if build with SSPI. +unknown (23 Feb 2013) +- [Steve Holme brought this change] -Steve Holme (22 Apr 2012) -- sspi: Code tidy up to remove unused variable. + imap: Minor correction of comments for max line length -Guenter Knauf (22 Apr 2012) -- Fixed 'Trailing whitespace' found by checksrc. +Daniel Stenberg (23 Feb 2013) +- strcasestr: remove check for this unused function -- Fixed 'extra tokens at end of #endif directive'. +- pop3: fix compiler warning + + error: declaration of 'pop3' shadows a previous local -Steve Holme (22 Apr 2012) -- sspi - Small code tidy up +Steve Holme (23 Feb 2013) +- [Jiri Hruska brought this change] -- sspi: Added version information + imap: Added URL parsing of new variables - Added version information for Windows SSPI to curl's main version - string and removed SSPI from the features string. + Updated the imap_parse_url_path() function to parse uidvalidity, uid and + section parameters based on RFC-5092. -Daniel Stenberg (20 Apr 2012) -- HTTP: empty chunked POST ended up in two zero size chunks - - When doing a chunked-encoded POST with -d (CURLOPT_POSTFIELDS) and the - size of the POST was zero length, it made libcurl first send a zero - chunk and then the terminating one. This could confuse a receiver and it - should rather just send the terminating chunk as it does with this fix. - - Test case 1333 is added to verify. +- [Jiri Hruska brought this change] + + imap: Introduced imap_is_bchar() function - Bug: http://curl.haxx.se/mail/archive-2012-04/0060.html - Reported by: Arnaud Compan + Added imap_is_bchar() for testing if a given character is a valid bchar + or not. -Guenter Knauf (20 Apr 2012) -- Updated dependency lib versions. +- [Jiri Hruska brought this change] -Daniel Stenberg (19 Apr 2012) -- singleipconnect: return OK even when Curl_socket() fails + imap: Introduced new per-request veriables - Commit 9109cdec11ee5a brought this regression (shipped since 7.24.0). + Added uidvalidity, uid and section variables to the per-request IMAP + structure in preparation for upcoming URL parsing. + +- pingpong: Renamed curl_ftptransfer to curl_pp_transfer + +- pop3: Removed some FTP heritage leftovers - The singleipconnect() function must not return an error if Curl_socket() - returns an error. It should then simply return OK and pass a SOCKET_BAD - back simply because that is how the user of this function expects it to - work and something else is not fine. + Removed user and passwd from the POP3 struct as these cannot be set on + a per-request basis and are leftover from legacy FTP code. - Reported by: Blaise Potard - Bug: http://curl.haxx.se/bug/view.cgi?id=3516508 + Changed some comments still using FTP terminology. -Yang Tse (19 Apr 2012) -- Take in account that CURLAUTH_* bitmasks are now 'unsigned long' - follow-up +- pop3: Moved the per-request variables to the per-request data structure - MIPSPro compiler detected curl_easy_getinfo() related missing adjustments. - SunPro compiler detected curl tool --libcurl option related missing adjustments. + Moved the mailbox and custom request variables from the per-connection + struct pop3_conn to the new per-request struct and fixed references + accordingly. -- url.c: CURLOPT_HTTPAUTH and CURLOPT_PROXYAUTH fixes +- pop3: Introduced a custom POP3 structure for per-request data - Fail with CURLE_NOT_BUILT_IN when none of requested auth methods is supported. - - Reject CURLAUTH_ONLY bit when given alone or with CURLAUTH_NONE. + Created a new POP3 structure and changed the type of the pop3 proto + variable in connectdata from FTP* to POP*. + +- [Jiri Hruska brought this change] -- Take in account that CURLAUTH_* bitmasks are now 'unsigned long' + imap: Fixed escaping of mailbox names - Data type of internal vars holding CURLAUTH_* bitmasks changed from 'long' to - 'unsigned long' for proper handling and operating. + Used imap_atom() to escape mailbox names in imap_select(). -- curl.h: CURLAUTH_* bitmasks adjusted to become 'unsigned long' typed +- pingpong: Moved curl_ftptransfer definition to pingpong.h - Info: http://curl.haxx.se/mail/lib-2012-04/0170.html + Moved the ftp transfer structure into pingpong.h so other protocols that + require it don't have to include ftp.h. -- Some explicit conversion to 'long' of curl_easy_setopt() third argument +- urldata.h: Fixed comment for opt_no_body variable - Explicit conversion to 'long' of curl_easy_setopt() third argument for options - CURLOPT_HTTPAUTH and CURLOPT_PROXYAUTH given that this is how its bitmasks are - docummented to be used. + Corrected comment for opt_no_body variable to CURLOPT_NOBODY. -- build adjustments: commit 9e24b9c7 follow-up +- email: Minor tidy up following IMAP changes -Daniel Stenberg (17 Apr 2012) -- -# progress meter: avoid superfluous updates and duplicate lines - - By comparing if a different "progress point" is reached or not since the - previous update, the progress function callback for this now avoids many - superfluous screen updates. This has the nice side-effect that it fixes - a problem that causes a second progress meter line. - - The second line output happened because when we use the -# progress - meter, we force a newline output after the transfer in the main loop in - curl, but when libcurl calls the progress callback from - curl_easy_cleanup() it would then output the progress display - again. Possibly the naive newline output is wrong but this optimization - was suitable anyway... +- [Jiri Hruska brought this change] + + imap: Removed more FTP leftovers - Reported by: Daniel Theron - Bug: http://curl.haxx.se/bug/view.cgi?id=3517418 + Changed some variables and comments still using FTP terminology. -Yang Tse (16 Apr 2012) -- nss.c: fix compiler warning +- [Jiri Hruska brought this change] -- curl-compilers.m4: -Wno-pedantic-ms-format for Windows gcc 4.5 builds + imap: Removed some FTP heritage leftovers - When building a Windows target with gcc 4.5 or newer and strict compiler - warnings enabled use -Wno-pedantic-ms-format in addition to other flags. + Removed user and passwd from the IMAP struct as these cannot be set on + a per-request basis and are leftover from legacy FTP code. -Kamil Dudka (16 Apr 2012) -- tests/valgrind.pm: suppress memleaks of NSS_InitContext() - - Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=745224 +- [Jiri Hruska brought this change] -Yang Tse (14 Apr 2012) -- setup_once.h: tighten requirements for stdbool.h header inclusion + imap: Introduced a custom IMAP structure for per-request data - Include stdbool.h only when it is available and configure is capable of - detecting a proper 'bool' data type when the header is included. + Created a new IMAP structure and changed the type of the imap proto + variable in connectdata from FTP* to the new IMAP*. - Compilation fix for old or unpatched versions of XL C compiler. + Moved the mailbox variable from the per-connection struct imap_conn to + the new per-request struct and fixed references accordingly. + +- pop3: Updated do phrase clean-up comment - Report: http://curl.haxx.se/mail/archive-2012-04/0022.html + Following commit 65644b833532 for the IMAP module updated the clean-up + comment in POP3. -- headers: require GCC 2.7 or newer in order to allow attribute GCC'isms usage +- imap: Fixed memory leak when performing multiple selects - Usage in other code paths already protected and requiring even newer versions. + Moved the clean-up of the mailbox variable from imap_disconnect() to + imap_done() as this variable is allocated in the do phase, yet would + have only been freed only once if multiple selects where preformed + on a single connection. -- [Jonathan Nieder brought this change] +Daniel Stenberg (22 Feb 2013) +- [Alexander Klauer brought this change] - headers: surround GCC attribute names with double underscores - - This protects from attribute names being defined by third party's code. + Documentation: Typo in docs/CONTRIBUTE - Improvement: http://curl.haxx.se/mail/lib-2012-04/0127.html + Fixes a typo get → git in docs/CONTRIBUTE. -Guenter Knauf (13 Apr 2012) -- Updated copyright year. +- [Alexander Klauer brought this change] -Yang Tse (13 Apr 2012) -- testcurl.pl: build example programs for Android cross-compiles + repository: ignore patch files generated by git + + Ignores the patch files generated by the 'git format-patch' command. -- nss.c: fix compiler warning +- [Alexander Klauer brought this change] -- examples: fix compiler warnings + libcurl documentation: clarifications and typos + + * Elaborates on default values of some curl_easy_setopt() options. + * Reminds the user to cast variadic arguments to curl_easy_setopt() to + 'void *' where curl internally interprets them as such. + * Clarifies the working of the CURLOPT_SEEKFUNCTION option for + curl_easy_setopt(). + * Fixes typo 'forth' → 'fourth'. + * Elaborates on CURL_SOCKET_TIMEOUT. + * Adds some missing periods. + * Notes that the return value of curl_version() must not be passed to + free(). -Kamil Dudka (13 Apr 2012) -- nss: provide human-readable names for NSS errors +- [Alexander Klauer brought this change] -- nss: use NSS_InitContext() to initialize NSS if available + lib/url.c: Generic read/write data pointers - NSS_InitContext() was introduced in NSS 3.12.5 and helps to prevent - collisions on NSS initialization/shutdown with other libraries. - - Bug: https://bugzilla.redhat.com/738456 + Always interprets the pointer passed with the CURLOPT_WRITEDATA or + CURLOPT_READDATA options of curl_easy_setopt() as a void pointer in + order to avoid problems in environments where FILE and void pointers + have non-trivial conversion. + +- [Alexander Klauer brought this change] -- nss: unconditionally require PK11_CreateGenericObject() + libcurl documentation: updates HTML index - This bumps the minimal supported version of NSS to 3.12.x. + * Adds several links to documentation of library functions which were + missing. + * Marks documentation of deprecated library functions "(deprecated)". + * Removes spurious .html suffixes. -Guenter Knauf (13 Apr 2012) -- Set batch mode to 755 to make Cygwin git pulls work. +- ossl_seed: avoid recursive seeding! -- Added section for Android configure cross-compile. +Steve Holme (22 Feb 2013) +- [Jiri Hruska brought this change] -- Added NetWare export. + Fixed checking the socket if there is data waiting in the cache + + Use Curl_pp_moredata() in Curl_pp_multi_statemach() to check if there is + more data to be received, rather than the socket state, as a task could + hang waiting for more data from the socket itself. -Yang Tse (12 Apr 2012) -- testcurl.pl: build example programs for MinGW cross-compiles +- imap.c: Fixed an incorrect variable reference + + Fixed an incorrect variable reference which was introduced in commit + a1701eea289f as a result of a copy and paste from SMTP/POP3. -- tool_operate.c: fix compiler warning +- [Jiri Hruska brought this change] -- url.c: fix compiler warning + pingpong: Introduce Curl_pp_moredata() + + A simple function to test whether the PP is not sending and there are + still more data in its receiver cache. This will be later utilized to: + + 1) Change Curl_pp_multi_statemach() and Curl_pp_easy_statemach() to + not test socket state and just call user's statemach_act() function + when there are more data to process, because otherwise the task would + just hang, waiting for more data from the socket. + + 2) Allow PP users to read multiple responses by looping as long as there + are more data available and current phase is not finished. + (Currently needed for correct processing of IMAP SELECT responses.) -Guenter Knauf (12 Apr 2012) -- Updated dependency lib versions (2nd try). +Nick Zitzmann (19 Feb 2013) +- FEATURES: why yes, we do support metalink + + I just noticed Metalink support wasn't listed as a feature of the tool. -- Updated dependency lib versions. +- metalink: fix improbable crash parsing metalink filename + + The this_url pointer wasn't being initialized, so if strdup() would return + null when copying the filename in a metalink file, then hilarity would + ensue during the cleanup phase. This change was brought to you by clang, + which noticed this and raised a warning. -Yang Tse (12 Apr 2012) -- tool_formparse.c: rename a couple of vars to avoid declaration shadowing +Yang Tse (19 Feb 2013) +- smtp.c: fix enumerated type mixed with another type -- OS400/initscript.sh: fix db2_name() module name generation +- polarssl threadlock cleanup + +Nick Zitzmann (18 Feb 2013) +- docs: schannel and darwinssl documentation improvements - Allow repeatable file name length reduction on file names with underscore or - dash characters. This is done in order to better support libcurl's existing - source file names and allow OS/400 package to build out of the box again. + Schannel and darwinssl use the certificates built into the + OS to do vert verification instead of bundles. darwinssl + is thread-safe. Corrected typos in the NSS docs. -- testcurl.pl: log more environment vars that modify configure and build behavior +Daniel Stenberg (18 Feb 2013) +- resolver_error: remove wrong error message output + + The attempt to use gai_strerror() or alternative function didn't work as + the 'sock_error' field didn't contain the proper error code. But since + this hasn't been reported and thus isn't really a big deal I decided to + just scrap the whole attempt to output the detailed resolver error and + instead remain with just stating that the resolving of the name failed. -- configure: NATIVE_WINDOWS no longer defined in config files +- [Kim Vandry brought this change] -- build adjustments: CURL_HIDDEN_SYMBOLS no longer defined in config files - - configure script now provides conditional definitions for Makefile.am - that result in CURL_HIDDEN_SYMBOLS being defined by resulting makefiles - when appropriate. + Curl_resolver_is_resolved: show proper host name on failed resolve + +- Curl_resolver_is_resolved: fix compiler warning - Additionally, configure script option for symbol hiding control is now - named --enable-symbol-hiding --disable-symbol-hiding. While still valid, - old option name --enable-hidden-symbols --disable-hidden-symbols will - be deprecated in some future release. + conversion to 'int' from 'long int' may alter its value -- build adjustments: functionally revert commits 4d3fb91f and bbfe1182 +- compiler warning fix - Undefining CURL_HIDDEN_SYMBOLS in source files isn't the proper fix. + follow-up to commit ed7174c6f66, rename 'wait' to 'block' -- test servers: build adjustment +- compiler warning fix: declaration of 'wait' shadows a global declaration + + It seems older gcc installations (at least) will cause warnings if we + name a variable 'wait'. Now changed to 'block' instead. - Undefine CURL_HIDDEN_SYMBOLS libcurl private preprocessor macro that might - leak from lib/setup.h into source files where this should not be defined. + Reported by: Jiří Hruška + Bug: http://curl.haxx.se/mail/lib-2013-02/0247.html -- libtests: build adjustment +Nick Zitzmann (17 Feb 2013) +- MacOSX-Framework: Make script work in Xcode 4.0 and later - Undefine CURL_HIDDEN_SYMBOLS libcurl private preprocessor macro that might - leak from lib/setup.h into source files where this should not be defined. + Apple made a number of changes to Xcode 4. The SDKs were moved, the entire + Developer folder was moved, and PowerPC support was removed. The script + will now adapt to those changes and should be future-proofed against + additional changes in case Apple moves the Developer folder ever again. + Also, the minimum OS X version compiler option was removed, so that the + framework can be built against the latest SDK but still run in older cats. -- curl tool: make setup.h first header included in tool_setup.h again +Daniel Stenberg (17 Feb 2013) +- docs: refer to CURLOPT_ACCEPT_ENCODING instead of the old name -- curl tool: use configuration files from lib directory - follow-up II +Steve Holme (16 Feb 2013) +- email: Tidied up result code variables - lib/config-win32.h no longer copied to src/config-win32.h + Tidied up result variables to be consistent in name, declaration order + and default values. -- configure: Windows cross-compilation fixes +Nick Zitzmann (16 Feb 2013) +- ntlm_core: fix compiler warning when building with clang - BUILDING_LIBCURL and CURL_STATICLIB are no longer defined in curl_config.h, - configure will generate appropriate conditionals so that mentioned symbols - get defined and used in Makefiles at compilation time + Fixed a 64-to-32 compiler warning raised when building with + clang and the --with-darwinssl option. -- curl tool: make curl.h first header included in tool_setup.h +Daniel Stenberg (16 Feb 2013) +- Guile-curl: a new libcurl binding -- curl tool: use configuration files from lib directory - follow-up I +- polarsslthreadlock: #include the proper memory and debug includes - amigaos.[ch] now integrates nicely with any libcurl build + Pointed out by Steve Holme -- curl tool: use configuration files from lib directory - - Configuration files such as curl_config.h and all config-*.h no longer exist - nor are generated/copied into 'src' directory, now these only exist in 'lib' - directory from where curl tool sources uses them. - - Additionally old src/setup.h has been refactored into src/tool_setup.h which - now pulls lib/setup.h +Steve Holme (16 Feb 2013) +- email: Removed unnecessary forward declaration - The possibility of a makefile needing an include path adjustment exists. + Due to the reordering of functions in commit 586f5d361474 the forward + declaration to state_upgrade_tls() are no longer required. -Daniel Stenberg (6 Apr 2012) -- PolarSSL: correct return code for CRL matches - - When a server certificate matches one in the given CRL file, the code - now returns CURLE_SSL_CACERT as test case 313 expects and verifies. +- pop3.c: Added reference to RFC-5034 + +Daniel Stenberg (15 Feb 2013) +- [Willem Sparreboom brought this change] -- PolarSSL: include version number in version string + PolarSSL: Change to cURL coding style - Previously it would say PolarSSL only, now it says PolarSSL/1.1.0 in the - same style other libs and components do. + Repaired all curl/lib/checksrc.pl warnings in the previous four patches -- test: added test 1332 that tests --post303 +- [Willem Sparreboom brought this change] -- curl: add --post303 to set the CURL_REDIR_POST_303 option + PolarSSL: WIN32 threading support for entropy + + Added WIN32 threading support for PolarSSL entropy if + --enable-threaded-resolver config flag is set and process.h can be found. -- [Andrei Cipu brought this change] +- [Willem Sparreboom brought this change] - CURLOPT_POSTREDIR: also allow 303 to do POST on the redirected URL + PolarSSL: pthread support for entropy - As it turns out, some people do want that after all. + Added pthread support for polarssl entropy if --enable-threaded-resolver + config flag is set and pthread.h can be found. -- test1331: cookies on a 407 response +- [Willem Sparreboom brought this change] + + PolarSSL: changes to entropy/ctr_drbg/HAVEGE_RANDOM - Verify that cookies are sent back even after a 407 response has been - received + Add non-threaded entropy and ctr_drbg and removed HAVEGE_RANDOM define -- [Dag Ekengren brought this change] +- [Willem Sparreboom brought this change] - PolarSSL: add support for asynchronous connect + PolarSSL: added human readable error strings + + Print out human readable error strings for PolarSSL related errors -- [Tim Heckman brought this change] +Steve Holme (15 Feb 2013) +- pop3: Removed unnecessary state changes on failure - Revert "access the CA source file using HTTPS" - - This reverts commit f7e2ab6. - - This change caused fetching of the certificates to become unreliable. - - Bug: http://curl.haxx.se/mail/lib-2012-03/0238.html - Reported by: Tim Heckman +- imap: Removed unnecessary state change on failure -- [Andrei Cipu brought this change] +Daniel Stenberg (15 Feb 2013) +- metalink_cleanup: yet another follow-up fix - IPv6 cookie domain: get rid of the first bracket before the second. +- metalink_cleanup: define it without argument - Commit 97b66ebe was copying a smaller buffer, thus duplicating the last - character. + Since the function takes no argument, the macro shouldn't take one as + some compilers will error out on that. -- MAIL-ETIQUETTE: Added "How to unsubscribe" +- rename "easy" statemachines: call them block instead - ... as it seems to hard for some people + ... since they're not used by the easy interface really, I wanted to + remove the association. Also, I unified the pingpong statemachine driver + into a single function with a 'wait' argument: Curl_pp_statemach. -Yang Tse (4 Apr 2012) -- ftp.c: ftplistparser related OOM handling fix +Yang Tse (15 Feb 2013) +- [Gisle Vanem brought this change] -- smtp.c: fix compiler warnings + curl_setup_once.h: definition of HAVE_CLOSE_S defines sclose() to close_s() -- lib599.c: fix compiler warning +- [Gisle Vanem brought this change] -Daniel Stenberg (4 Apr 2012) -- runtests: yassl and polarssl are not openssl - - Don't set the "has_openssl" variable if yassl or polarssl is found as - they will simply not work as 100% drop-in replacements for some of the - stuff the "OpenSSL" feature is used for. - - I spotted this problem when doing test runs with PolarSSL builds. + config-dos.h: define HAVE_CLOSE_S for MSDOS/Watt-32 -- [Lijo Antony brought this change] +- [Gisle Vanem brought this change] - connect.c: return changed to CURLE_COULDNT_CONNECT when opensocket fails - - Curl_socket returns CURLE_COULDNT_CONNECT when the opensocket callback - returns CURL_SOCKET_BAD. Previous return value CURLE_FAILED_INIT - conveys incorrect information to the user. + config-dos.h: define strerror() to strerror_s_() for High-C -Steve Holme (2 Apr 2012) -- pop3: Reworked the command sending and handling - - Reworked the command sending from two specific LIST and RETR command - functions into a single command based function as well as the two - associated response handlers into a generic command handler. +- [Gisle Vanem brought this change] -Daniel Stenberg (1 Apr 2012) -- [Dave Reisner brought this change] + config-dos.h: define HAVE_TERMIOS_H only for djgpp - curl tool: add filename_effective token for --write-out +Steve Holme (14 Feb 2013) +- smtp.c: Fixed a trailing whitespace - By modifying the parameter list for ourWriteOut() and passing the - OutStruct that collects data in tool_operate, we get access to the - remote name that we're writing to. Shell scripters should find this - useful when used in conjuntion with the --remote-header-name option. + Remove tailing whitespace introduced in commit 7ed689d24a4e. -Steve Holme (1 Apr 2012) -- smtp.c: Code policing and tidy up - -Daniel Stenberg (1 Apr 2012) -- [Armel Asselin brought this change] +- pop3: Fixed blocking SSL connect when connecting via POP3S + + A call to Curl_ssl_connect() was accidentally left in when the SSL/TLS + connection layer was reworked in 7.29. Not only would this cause the + connection to block but had the additional overhead of calling the + non-blocking connect a little bit later. - SSH: public key can now be an empty string +- smtp: Refactored the smtp_state_auth_resp() function - If an empty string is passed to CURLOPT_SSH_PUBLIC_KEYFILE, libcurl will - pass no public key to libssh2 which then tries to compute it from the - private key. This is known to work when libssh2 1.4.0+ is linked against - OpenSSL. + Renamed smtp_state_auth_resp() function to match the implementations in + IMAP and POP3. -- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (14 Feb 2013) +- remove ifdefs + + Clarify the code by reducing ifdefs - OpenSSL: Made cert hostname check conform to RFC 6125 +- strlcat: remove function - This change replaces RFC 2818 based hostname check in OpenSSL build with - RFC 6125 [1] based one. + This function was only used twice, both in places where performance + isn't crucial (socks + if2ip). Removing the use of this function removes + the need to have our private version for systems without it == reduced + amount of code. - The hostname check in RFC 2818 is ambiguous and each project implements - it in the their own way and they are slightly different. I check curl, - gnutls, Firefox and Chrome and they are all different. + Also, in the SOCKS case it is clearly better to fail gracefully rather + than to truncate the results. - I don't think there is a bug in current implementation of hostname - check. But it is not as strict as the modern browsers do. Currently, - curl allows multiple wildcard character '*' and it matches '.'. (as - described in the comment in ssluse.c). + This work was triggered by a bug report on the strcal prototype in + strequal.h. - Firefox implementation is also based on RFC 2818 but it only allows at - most one wildcard character and it must be in the left-most label in the - pattern and the wildcard must not be followed by any character in the - label.[2] Chromium implementation is based on RFC 6125 as my patch does. - Firefox and Chromium both require wildcard in the left-most label in the - presented identifier. + strlcat was added in commit db70cd28 in February 2001! - This patch is more strict than the current implementation, so there may - be some cases where old curl works but new one does not. But at the same - time I think it is good practice to follow the modern browsers do and - follow the newer RFC. + Bug: http://curl.haxx.se/bug/view.cgi?id=1192 + Reported by: Jeremy Huddleston + +- Curl_FormBoundary: made static - [1] http://tools.ietf.org/html/rfc6125#section-6.4.3 - [2] https://bugzilla.mozilla.org/show_bug.cgi?id=159483 + As Curl_FormBoundary() is no longer used outside of this file (since + commit ad7291c1a9d), it is now renamed to formboundary() and is made + static. -- HTTP: reset expected DL/UL sizes on redirects +- ossl_seed: fix the last resort PRNG seeding + + Instead of just abusing the pseudo-randomizer from Curl_FormBoundary(), + this now uses Curl_ossl_random() to get entropy. + +Steve Holme (13 Feb 2013) +- email: Tidy up before additional IMAP work + + Replaced two explicit comparisons of CURLE_OK with boolean alternatives. - With FOLLOWLOCATION enabled. When a 3xx page is downloaded and the - download size was known (like with a Content-Length header), but the - subsequent URL (transfered after the 3xx page) was chunked encoded, then - the previous "known download size" would linger and cause the progress - meter to get incorrect information, ie the former value would remain - being sent in. This could easily result in downloads that were WAY - larger than "expected" and would cause >100% outputs with the curl - command line tool. + General tidy up of comments. + +- smtp: Removed duplicate pingpong structure initialisation - Test case 599 was created and it was used to repeat the bug and then - verify the fix. + The smtp_connect() function was setting the member variables of the + pingpong structure twice, once before calling Curl_pp_init() and once + after! + +Yang Tse (13 Feb 2013) +- move msvc IDE related files to 'vs' directory tree - Bug: http://curl.haxx.se/bug/view.cgi?id=3510057 - Reported by: Michael Wallner + Use 'vs' directory tree given that 'vc' intended one clashes + with an already existing build target in file Makefile.dist. -Steve Holme (31 Mar 2012) -- [Gökhan Şengün brought this change] +Daniel Stenberg (13 Feb 2013) +- install-sh: updated to support multiple source files as arguments + + Version 7.29.0 uses Makefiles generated with a newer version of the + autotools than the previous 7.28.1. These Makefiles try to install + e.g. header files by calling install-sh with multiple source files as + arguments. The bundled install-sh is to old and does not support this. + + The problem only occurs, if install-sh is actually being used, ie. the + platform install executable is to old or not usable. Example: Solaris + 10. + + The files install-sh and mkinstalldirs are now updated with the automake + 1.11.3 versions. A better fix might be to completely remove them from + git and force the files to be added/created during buildconf. + + Bug: http://curl.haxx.se/bug/view.cgi?id=1195 + Reported by: Rainer Jung - smtp: Add support for DIGEST-MD5 authentication +Yang Tse (13 Feb 2013) +- move msvc IDE related files to 'vc' directory tree -- [Gökhan Şengün brought this change] +- msvc IDE 'vc' directory tree preparation - smtp: Cody tidy up of md5 digest length +Steve Holme (12 Feb 2013) +- imap: Corrected a whitespace issue from previous commit - Replaced the hard coded md5 digest length (16) with a preprocessor - constant + Fixed a small whitespace issue that crept in there in commit + 508cdf4da4d7. -- [Gökhan Şengün brought this change] +- email: Another post optimisation of endofresp() tidy up - md5: Add support for calculating the md5 sum of buffers incrementally +- sasl: Fixed null pointer reference when decoding empty digest challenge + + Fixed a null pointer reference when an empty challenge is passed to the + Curl_sasl_create_digest_md5_message() function. - It is now possible to calculate the md5 sum as the stream of buffers - becomes known where as previously it was only possible to calculate the - md5 sum of a pre-prepared buffer. + Bug: http://sourceforge.net/p/curl/bugs/1193/ + Reported by: Saran Neti -Daniel Stenberg (31 Mar 2012) -- Revert "mk-ca-bundle.pl: use LWP::UserAgent for https" +- email: Post optimisation of endofresp() tidy up - This reverts commit 9f0e1689f169b83b8fbdae23e0024cc57dcbc770. + Removed unnecessary end of line check and return. + +Nick Zitzmann (12 Feb 2013) +- darwinssl: Fix send glitchiness with data > 32 or so KB - It turned out that "improvement" instead made the fetching of the - certificates unreliable + An ambiguity in the SSLWrite() documentation lead to a bad inference in the + code where we assumed SSLWrite() returned the amount of bytes written to + the socket, when that is not actually true; it returns the amount of data + that is buffered for writing to the socket if it returns errSSLWouldBlock. + Now darwinssl_send() returns CURLE_AGAIN if data is buffered but not written. - Bug: http://curl.haxx.se/mail/lib-2012-03/0238.html - Reported by: Tim Heckman + Reference URL: http://curl.haxx.se/mail/lib-2013-02/0145.html -Steve Holme (31 Mar 2012) -- DOCS: Added information regarding POP3 commands to CURLOPT_CUSTOMREQUEST +Steve Holme (12 Feb 2013) +- pingpong.h: Fixed line length over 78 characters from b56c9eb48e3c -- pop3: Added support for additional pop3 commands +- pingpong: Optimised the endofresp() function + + Reworked the pp->endofresp() function so that the conndata, line and + line length are passed down to it just as with Curl_client_write() + rather than each implementation of the function having to query + these values. - This feature allows the user to specify and use additional POP3 - commands such as UIDL and DELE via libcurl's CURLOPT_CUSTOMREQUEST or - curl's -X command line option. + Additionally changed the int return type to bool as this is more + representative of the function's usage. -Yang Tse (30 Mar 2012) -- [tetetest tetetest brought this change] +- email: Post STARTLS capability code tidy up (Part Three) + + Corrected the order of the upgrade_tls() functions and moved the handler + upgrade and getsock() functions out from the middle of the state related + functions. - CMakeLists.txt: fix Windows LDAP/LDAPS option handling +- email: Post STARTLS capability code tidy up (Part Two) - bug: http://curl.haxx.se/mail/lib-2012-03/0278.html + Corrected the order of the pop3_state_capa() / imap_state_capability() + and the pop3_state_capa_resp() / imap_state_capability_resp() functions + to match the execution order. -- [tetetest tetetest brought this change] +Daniel Stenberg (11 Feb 2013) +- [ulion brought this change] - CMakeLists.txt: fix MS Visual Studio x64 unsigned long long literal suffix + SOCKS: fix socks proxy when noproxy matched + + Test 1212 added to verify - bug: http://curl.haxx.se/mail/lib-2012-03/0255.html + Bug: http://curl.haxx.se/bug/view.cgi?id=1190 -Steve Holme (28 Mar 2012) -- TODO: Corrected POP3 section heading +Steve Holme (11 Feb 2013) +- ntlm: Updated comments for the addition of SASL support to IMAP in v7.29 -Yang Tse (28 Mar 2012) -- curl-functions.m4: update detection logic of getaddrinfo() thread-safeness +- RELEASE-NOTES: Updated following the recent imap/pop3/smtp changes + +Linus Nielsen Feltzing (10 Feb 2013) +- Fix NULL pointer reference when closing an unused multi handle. + +Steve Holme (10 Feb 2013) +- email: Post STARTLS capability code tidy up (Part One) - Take in account that h_errno might be a modifiable lvalue not defined as - a C preprocessor macro + Corrected the order of the CAPA / CAPABILITY state machine constants to + match the execution order. -Steve Holme (27 Mar 2012) -- TODO: Added SMTP and POP3 specific features +- imap: Fixed memory leak following commit f6010d9a0359 -Yang Tse (27 Mar 2012) -- [Olaf Flebbe brought this change] +- smtp: Added support for the STARTTLS capability (Part Two) + + Added honoring of the tls_supported flag when starting a TLS upgrade + rather than unconditionally attempting it. If the use_ssl flag is set + to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the + connection will continue to authenticate. If this flag is set to + CURLUSESSL_ALL then the connection will complete with a failure as it + did previously. - tool_cb_dbg.c: fix tool_cb_dbg() to behave properly even for size 0 +- pop3: Added support for the STLS capability (Part Three) - curl segfault in debug callback triggered with CURLINFO_HEADER_OUT and size 0 + Added honoring of the tls_supported flag when starting a TLS upgrade + rather than unconditionally attempting it. If the use_ssl flag is set + to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the + connection will continue to authenticate. If this flag is set to + CURLUSESSL_ALL then the connection will complete with a failure as it + did previously. + +- imap: Added support for the STARTTLS capability (Part Three) - bug: http://curl.haxx.se/bug/view.cgi?id=3511794 + Added honoring of the tls_supported flag when starting a TLS upgrade + rather than unconditionally attempting it. If the use_ssl flag is set + to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the + connection will continue to authenticate. If this flag is set to + CURLUSESSL_ALL then the connection will complete with a failure as it + did previously. -- test #1405: support HTTP disabled builds +Daniel Stenberg (10 Feb 2013) +- [Alessandro Ghedini brought this change] -Steve Holme (26 Mar 2012) -- test #809: Updated error code to match recent pop3 changes + htmltitle: fix suggested build command -Yang Tse (25 Mar 2012) -- ssh.c: code cleanup, Curl_safefree() already nullifies pointer +Steve Holme (10 Feb 2013) +- pop3: Added support for the STLS capability (Part Two) + + Added sending of initial CAPA command before STLS is sent. This allows + for the detection of the capability before trying to upgrade the + connection. -- fix some compiler warnings +- imap: Added support for the STARTTLS capability (Part Two) + + Added sending of initial CAPABILITY command before STARTTLS is sent. + This allows for the detection of the capability before trying to + upgrade the connection. -Steve Holme (25 Mar 2012) -- pop3.c: Corrected problem with state() introduced in 01690ed2bce5 +- smtp: Added support for the STLS capability (Part One) + + Introduced detection of the STARTTLS capability, in order to add support + for TLS upgrades without unconditionally sending the STARTTLS command. -- pop.c: Small code tidy up +- pop3: Added support for the STLS capability (Part One) + + Introduced detection of the STLS capability, in order to add support + for TLS upgrades without unconditionally sending the STLS command. -- pop3: Removed the need for the single message LIST command handler +- imap: Added support for the STARTTLS capability (Part One) - Simplified the code to remove the need for a separate "LIST <msg id>" - command handler and state machine and instead use the LIST command - handler for both operations. + Introduced detection of the STARTTLS capability, in order to add support + for TLS upgrades without unconditionally sending the STARTTLS command. |