From 2dc913b65c76e8f51989cc20ce0ce8b1b087db37 Mon Sep 17 00:00:00 2001
From: dartraiden
Date: Wed, 22 May 2019 15:38:52 +0300
Subject: libcurl: update to 7.65
---
libs/libcurl/docs/CHANGES | 11160 ++++++++++++++++++++++----------------------
1 file changed, 5526 insertions(+), 5634 deletions(-)
(limited to 'libs/libcurl/docs/CHANGES')
diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES
index b924571db6..0715ca0d36 100644
--- a/libs/libcurl/docs/CHANGES
+++ b/libs/libcurl/docs/CHANGES
@@ -6,8007 +6,7899 @@ Changelog -Version 7.64.1 (27 Mar 2019) - -Daniel Stenberg (27 Mar 2019) -- RELEASE: 7.64.1 +Version 7.65.0 (22 May 2019) -- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" - - This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. - - Fixes #3708 +Daniel Stenberg (22 May 2019) +- RELEASE-NOTES: 7.65.0 release -- [Christian Schmitz brought this change] +- THANKS: from the 7.65.0 release-notes - ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set +- url: convert the zone id from a IPv6 URL to correct scope id - Closes #3704 + Reported-by: GitYuanQu on github + Fixes #3902 + Closes #3914 -Jay Satiro (26 Mar 2019) -- tool_cb_wrt: fix writing to Windows null device NUL +- configure: detect getsockname and getpeername on windows too - - Improve console detection. + Made detection macros for these two functions in the same style as other + functions possibly in winsock in the hope this will work better to + detect these functions when cross-compiling for Windows. - Prior to this change WriteConsole could be called to write to a handle - that may not be a console, which would cause an error. This issue is - limited to character devices that are not also consoles such as the null - device NUL. + Follow-up to e91e4816123 - Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 - Reported-by: Gisle Vanem + Fixes #3913 + Closes #3915 -- CURLMOPT_PIPELINING.3: fix typo +Marcel Raad (21 May 2019) +- examples: remove unused variables + + Fixes Codacy/CppCheck warnings. + + Closes -Daniel Stenberg (25 Mar 2019) -- TODO: config file parsing +Daniel Gustafsson (21 May 2019) +- udpateconninfo: mark variable unused - Closes #3698 + When compiling without getpeername() or getsockname(), the sockfd + paramter to Curl_udpateconninfo() became unused after commit e91e481612 + added ifdef guards. 
+ + Closes #3910 + Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196 + Reviewed-by: Marcel Raad, Daniel Stenberg -Jay Satiro (24 Mar 2019) -- os400: Disable Alt-Svc by default since it's experimental +- ftp: move ftp_ccc in under featureflag - Follow-up to 520f0b4 which added Alt-Svc support and enabled it by - default for OS400. Since the feature is experimental, it should be - disabled by default. + Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under + the FTP featureflag in the UserDefined struct, but vtls callsites were + still using it unprotected. - Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 - Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html + Closes #3912 + Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 + Reviewed-by: Daniel Stenberg, Marcel Raad + +Daniel Stenberg (20 May 2019) +- curl: report error for "--no-" on non-boolean options - Closes https://github.com/curl/curl/pull/3688 + Reported-by: Olen Andoni + Fixes #3906 + Closes #3907 -Dan Fandrich (24 Mar 2019) -- tests: Fixed XML validation errors in some test files. +- [Guy Poizat brought this change] -- tests: Fix some incorrect precheck error messages. + mbedtls: enable use of EC keys - [ci skip] - -Daniel Stenberg (22 Mar 2019) -- curl_url.3: this is not experimental anymore + Closes #3892 -- travis: bump the used wolfSSL version to 4.0.0 +- lib1560: add tests for parsing URL with too long scheme - Test 311 is now fine, leaving only 313 (CRL) disabled. + Ref: #3905 + +- [Omar Ramadan brought this change] + + urlapi: increase supported scheme length to 40 bytes - Test 313 details can be found here: - https://github.com/wolfSSL/wolfssl/issues/1546 + The longest currently registered URI scheme at IANA is 36 bytes long. 
- Closes #3697 + Closes #3905 + Closes #3900 -Daniel Gustafsson (22 Mar 2019) -- lib: Fix typos in comments - -David Woodhouse (20 Mar 2019) -- openssl: if cert type is ENG and no key specified, key is ENG too +Marcel Raad (20 May 2019) +- lib: reduce variable scopes - Fixes #3692 - Closes #3692 + Fixes Codacy/CppCheck warnings. + + Closes https://github.com/curl/curl/pull/3872 -Daniel Stenberg (20 Mar 2019) -- sectransp: tvOS 11 is required for ALPN support +- tool_formparse: remove redundant assignment - Reported-by: nianxuejie on github - Assisted-by: Nick Zitzmann - Assisted-by: Jay Satiro - Fixes #3689 - Closes #3690 + Just initialize word_begin with the correct value. + + Closes https://github.com/curl/curl/pull/3873 -- test1541: threaded connection sharing +- ssh: move variable declaration to where it's used - The threaded-shared-conn.c example turned into test case. Only works if - pthread was detected. + This way, we need only one call to free. - An attempt to detect future regressions such as e3a53e3efb942a5 + Closes https://github.com/curl/curl/pull/3873 + +- ssh-libssh: remove unused variable - Closes #3687 + sock was only used to be assigned to fd_read. + + Closes https://github.com/curl/curl/pull/3873 -Patrick Monnerat (17 Mar 2019) -- os400: alt-svc support. +Daniel Stenberg (20 May 2019) +- test332: verify the blksize fix + +- tftp: use the current blksize for recvfrom() - Although experimental, enable it in the platform config file. - Upgrade ILE/RPG binding. + bug: https://curl.haxx.se/docs/CVE-2019-5436.html + Reported-by: l00p3r on hackerone + CVE-2019-5436 -Daniel Stenberg (17 Mar 2019) -- conncache: use conn->data to know if a transfer owns it +Daniel Gustafsson (19 May 2019) +- version: make ssl_version buffer match for multi_ssl - - make sure an already "owned" connection isn't returned unless - multiplexed. + When running a multi TLS backend build the version string needs more + buffer space. 
Make the internal ssl_buffer stack buffer match the one + in Curl_multissl_version() to allow for the longer string. For single + TLS backend builds there is no use in extended to buffer. This is a + fallout from #3863 which fixes up the multi_ssl string generation to + avoid a buffer overflow when the buffer is too small. - - clear ->data when returning the connection to the cache again + Closes #3875 + Reviewed-by: Daniel Stenberg + +Steve Holme (18 May 2019) +- http_ntlm_wb: Handle auth for only a single request - Regression since 7.62.0 (probably in commit 1b76c38904f0) + Currently when the server responds with 401 on NTLM authenticated + connection (re-used) we consider it to have failed. However this is + legitimate and may happen when for example IIS is set configured to + 'authPersistSingleRequest' or when the request goes thru a proxy (with + 'via' header). - Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html + Implemented by imploying an additional state once a connection is + re-used to indicate that if we receive 401 we need to restart + authentication. - Closes #3686 - -- RELEASE-NOTES: synced + Missed in fe6049f0. -- [Chris Young brought this change] +- http_ntlm_wb: Cleanup handshake after clean NTLM failure + + Missed in 50b87c4e. - configure: add --with-amissl +- http_ntlm_wb: Return the correct error on receiving an empty auth message - AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. - It also requires all programs using it to use bsdsocket.library - directly, rather than accessing socket functions through clib, which - libcurl was not necessarily doing previously. Configure will now check - for the headers and ensure they are included if found. + Missed in fe20826b as it wasn't implemented in http.c in b4d6db83. - Closes #3677 - -- [Chris Young brought this change] + Closes #3894 - vtls: rename some of the SSL functions +Daniel Stenberg (18 May 2019) +- curl: make code work with protocol-disabled libcurl - ... 
in the SSL structure as AmiSSL is using macros for the socket API - functions. + Closes #3844 -- [Chris Young brought this change] +- libcurl: #ifdef away more code for disabled features/protocols - tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr +- progress: CURL_DISABLE_PROGRESS_METER -- [Chris Young brought this change] +- hostip: CURL_DISABLE_SHUFFLE_DNS - tool_operate: build on AmigaOS +- netrc: CURL_DISABLE_NETRC -- makefile: make checksrc and hugefile commands "silent" +Viktor Szakats (16 May 2019) +- docs: Markdown and misc improvements [ci skip] - ... to match the style already used for compiling, linking - etc. Acknowledges 'make V=1' to enable verbose. + Approved-by: Daniel Stenberg + Closes #3896 + +- docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip] - Closes #3681 + Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135 + Approved-by: Daniel Stenberg + Closes #3895 -- curl.1: --user and --proxy-user are hidden from ps output +Daniel Stenberg (16 May 2019) +- travis: add an osx http-only build - Suggested-by: Eric Curtin - Improved-by: Dan Fandrich - Ref: #3680 + Closes #3887 + +- cleanup: remove FIXME and TODO comments - Closes #3683 + They serve very little purpose and mostly just add noise. Most of them + have been around for a very long time. I read them all before removing + or rephrasing them. + + Ref: #3876 + Closes #3883 -- curl.1: mark the argument to --cookie as +- curl: don't set FTP options for FTP-disabled builds - From a discussion in #3676 + ... since libcurl has started to be totally unaware of options for + disabled protocols they now return error. - Suggested-by: Tim Rühsen + Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937 - Closes #3682 + Reported-by: Marcel Raad + Closes #3886 -Dan Fandrich (14 Mar 2019) -- fuzzer: Only clone the latest fuzzer code, for speed. 
+Steve Holme (16 May 2019) +- http_ntlm_wb: Move the type-2 message processing into a dedicated function + + This brings the code inline with the other HTTP authentication mechanisms. + + Closes #3890 -Daniel Stenberg (14 Mar 2019) -- [Dominik Hölzl brought this change] +Daniel Stenberg (15 May 2019) +- RELEASE-NOTES: synced - Negotiate: fix for HTTP POST with Negotiate - - * Adjusted unit tests 2056, 2057 - * do not generally close connections with CURLAUTH_NEGOTIATE after every request - * moved negotiatedata from UrlState to connectdata - * Added stream rewind logic for CURLAUTH_NEGOTIATE - * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC - * Consider authproblem state for CURLAUTH_NEGOTIATE - * Consider reuse_forbid for CURLAUTH_NEGOTIATE - * moved and adjusted negotiate authentication state handling from - output_auth_headers into Curl_output_negotiate - * Curl_output_negotiate: ensure auth done is always set - * Curl_output_negotiate: Set auth done also if result code is - GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may - also indicate the last challenge request (only works with disabled - Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) - * Consider "Persistent-Auth" header, detect if not present; - Reset/Cleanup negotiate after authentication if no persistent - authentication - * apply changes introduced with #2546 for negotiate rewind logic +- docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip] + +- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip] - Fixes #1261 - Closes #1975 + Reported-by: Roy Bellingan + Bug: #3885 -- [Marc Schlatter brought this change] +- parse_proxy: use the URL parser API + + As we treat a given proxy as a URL we should use the unified URL parser + to extract the parts out of it. 
+ + Closes #3878 - http: send payload when (proxy) authentication is done +Steve Holme (15 May 2019) +- http_negotiate: Move the Negotiate state out of the negotiatedata structure - The check that prevents payload from sending in case of authentication - doesn't check properly if the authentication is done or not. + Given that this member variable is not used by the SASL based protocols + there is no need to have it here. - They're cases where the proxy respond "200 OK" before sending - authentication challenge. This change takes care of that. + Closes #3882 + +- http_ntlm: Move the NTLM state out of the ntlmdata structure - Fixes #2431 - Closes #3669 + Given that this member variable is not used by the SASL based protocols + there is no need to have it here. -- file: fix "Checking if unsigned variable 'readcount' is less than zero." +- url: Move the negotiate state type into a dedicated enum + +- url: Remove duplicate clean up of the winbind variables in conn_shutdown() - Pointed out by codacy + Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior + to calling conn_shutdown() and it in turn performs this, there is no + need to perform the same action in conn_shutdown(). - Closes #3672 + Closes #3881 -- memdebug: log pointer before freeing its data +Daniel Stenberg (14 May 2019) +- urlapi: require a non-zero host name length when parsing URL - Coverity warned for two potentional "Use after free" cases. Both are false - positives because the memory wasn't used, it was only the actual pointer - value that was logged. + Updated test 1560 to verify. - The fix still changes the order of execution to avoid the warnings. + Closes #3880 + +- configure: error out if OpenSSL wasn't detected when asked for - Coverity CID 1443033 and 1443034 + If --with-ssl is used and configure still couldn't enable SSL this + creates an error instead of just silently ignoring the fact. 
- Closes #3671 + Suggested-by: Isaiah Norton + Fixes #3824 + Closes #3830 -- RELEASE-NOTES: synced +Daniel Gustafsson (14 May 2019) +- imap: Fix typo in comment -Marcel Raad (12 Mar 2019) -- travis: actually use updated compiler versions +Steve Holme (14 May 2019) +- url: Remove unnecessary initialisation from allocate_conn() - For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the - new GCC versions were only used for the coverage build and for building - nghttp2, while the new clang version was not used at all. + No need to set variables to zero as calloc() does this for us. - BoringSSL needs to use the default GCC as it respects CC, but not CXX, - so it would otherwise pass gcc 8 options to g++ 4.8 and fail. + Closes #3879 + +Daniel Stenberg (14 May 2019) +- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip] - Also remove GCC 7, it's not needed anymore. + Clues-provided-by: Jay Satiro + Clues-provided-by: Jeroen Ooms + Fixes #3711 + Closes #3874 + +Daniel Gustafsson (13 May 2019) +- vtls: fix potential ssl_buffer stack overflow - Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning + In Curl_multissl_version() it was possible to overflow the passed in + buffer if the generated version string exceeded the size of the buffer. + Fix by inverting the logic, and also make sure to not exceed the local + buffer during the string generation. - Closes https://github.com/curl/curl/pull/3670 + Closes #3863 + Reported-by: nevv on HackerOne/curl + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg -- travis: update clang to version 7 - - Closes https://github.com/curl/curl/pull/3670 +Daniel Stenberg (13 May 2019) +- RELEASE-NOTES: synced -Jay Satiro (11 Mar 2019) -- [Andre Guibert de Bruet brought this change] +- appveyor: also build "/ci" branches like travis - examples/externalsocket: add missing close socket calls - - .. and for Windows also call WSACleanup since we call WSAStartup. 
+- pingpong: disable more when no pingpong enabled + +- proxy: acknowledge DISABLE_PROXY more + +- parsedate: CURL_DISABLE_PARSEDATE + +- sasl: only enable if there's a protocol enabled using it + +- mime: acknowledge CURL_DISABLE_MIME + +- wildcard: disable from build when FTP isn't present + +- http: CURL_DISABLE_HTTP_AUTH + +- base64: build conditionally if there are users + +- doh: CURL_DISABLE_DOH + +Steve Holme (12 May 2019) +- auth: Rename the various authentication clean up functions - The example is to demonstrate handling the socket independently of - libcurl. In this case libcurl is not responsible for creating, opening - or closing the socket, it is handled by the application (our example). + For consistency and to a avoid confusion. - Fixes https://github.com/curl/curl/pull/3663 + Closes #3869 -Daniel Stenberg (11 Mar 2019) -- multi: removed unused code for request retries +Daniel Stenberg (12 May 2019) +- [Jay Satiro brought this change] + + docs/INSTALL: fix broken link [ci skip] - This code was once used for the non multi-interface using code path, but - ever since easy_perform was turned into a wrapper around the multi - interface, this code path never runs. + Reported-by: Joombalaya on github + Fixes #3818 + +Marcel Raad (12 May 2019) +- easy: fix another "clarify calculation precedence" warning - Closes #3666 + I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be. -Jay Satiro (11 Mar 2019) -- doh: inherit some SSL options from user's easy handle +- build: fix "clarify calculation precedence" warnings - - Inherit SSL options for the doh handle but not SSL client certs, - SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, - SSL pinned public key, SSL ciphers, SSL id cache setting, - SSL kerberos or SSL gss-api settings. + Codacy/CppCheck warns about this. Consistently use parentheses as we + already do in some places to silence the warning. - - Fix inheritance of verbose setting. 
+ Closes https://github.com/curl/curl/pull/3866 + +- cmake: restore C89 compatibility of CurlTests.c - - Inherit NOSIGNAL. + I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and + 97de97daefc2ed084c91eff34af2426f2e55e134. - There is no way for the user to set options for the doh (DNS-over-HTTPS) - handles and instead we inherit some options from the user's easy handle. + Reported-by: Viktor Szakats + Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044 + Closes https://github.com/curl/curl/pull/3868 + +Steve Holme (11 May 2019) +- http_ntlm: Corrected the name of the include guard - My thinking for the SSL options not inherited is they are most likely - not intended by the user for the DOH transfer. I did inherit insecure - because I think that should still be in control of the user. + Missed in f0bdd72c. - Prior to this change doh did not work for me because CAINFO was not - inherited. Also verbose was set always which AFAICT was a bug (#3660). + Closes #3867 + +- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled - Fixes https://github.com/curl/curl/issues/3660 - Closes https://github.com/curl/curl/pull/3661 + Closes #3861 -Daniel Stenberg (9 Mar 2019) -- test331: verify set-cookie for dotless host name +- http_negotiate: Don't expose functions when HTTP is disabled + +Daniel Stenberg (11 May 2019) +- SECURITY-PROCESS: fix links [ci skip] + +Marcel Raad (11 May 2019) +- CMake: suppress unused variable warnings - Reproduced bug #3649 - Closes #3659 + I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e. -- Revert "cookies: extend domain checks to non psl builds" +Daniel Stenberg (11 May 2019) +- doh: disable DOH for the cases it doesn't work - This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. + Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for + DOH resolves. This fix disables DOH for those. 
- Regression shipped in 7.64.0 - Fixes #3649 + Limitation added to KNOWN_BUGS. + + Fixes #3850 + Closes #3857 -- memdebug: make debug-specific functions use curl_dbg_ prefix +Jay Satiro (11 May 2019) +- checksrc.bat: Ignore snprintf warnings in docs/examples - To not "collide" or use up the regular curl_ name space. Also makes them - easier to detect in helper scripts. + .. because we allow snprintf use in docs/examples. - Closes #3656 + Closes https://github.com/curl/curl/pull/3862 -- cmdline-opts/proxytunnel.d: the option tunnnels all protocols +Steve Holme (10 May 2019) +- vauth: Fix incorrect function description for Curl_auth_user_contains_domain() - Clarify the language and simplify. + ...and misalignment of these comments. From a78c61a4. - Reported-by: Daniel Lublin - Closes #3658 + Closes #3860 -- KNOWN_BUGS: Client cert (MTLS) issues with Schannel +Jay Satiro (10 May 2019) +- Revert "multi: support verbose conncache closure handle" - Closes #3145 + This reverts commit b0972bc. + + - No longer show verbose output for the conncache closure handle. + + The offending commit was added so that the conncache closure handle + would inherit verbose mode from the user's easy handle. (Note there is + no way for the user to set options for the closure handle which is why + that was necessary.) Other debug settings such as the debug function + were not also inherited since we determined that could lead to crashes + if the user's per-handle private data was used on an unexpected handle. + + The reporter here says he has a debug function to capture the verbose + output, and does not expect or want any output to stderr; however + because the conncache closure handle does not inherit the debug function + the verbose output for that handle does go to stderr. + + There are other plausible scenarios as well such as the user redirects + stderr on their handle, which is also not inherited since it could lead + to crashes when used on an unexpected handle. 
+ + Short of allowing the user to set options for the conncache closure + handle I don't think there's much we can safely do except no longer + inherit the verbose setting. + + Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html + Reported-by: Kristoffer Gleditsch + + Ref: https://github.com/curl/curl/pull/3598 + Ref: https://github.com/curl/curl/pull/3618 + + Closes https://github.com/curl/curl/pull/3856 -- ROADMAP: updated to some more current things to work on +Steve Holme (10 May 2019) +- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup() + + From 6012fa5a. + + Closes #3858 -- tests: fix multiple may be used uninitialized warnings +Daniel Stenberg (9 May 2019) +- BUG-BOUNTY: minor formatting fixes [ci skip] - RELEASE-NOTES: synced -- source: fix two 'nread' may be used uninitialized warnings - - Both seem to be false positives but we don't like warnings. +- BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip] - Closes #3646 + Closes #3839 -- gopher: remove check for path == NULL - - Since it can't be NULL and it makes Coverity believe we lack proper NULL - checks. Verified by test 659, landed in commit 15401fa886b. - - Pointed out by Coverity CID 1442746. +Kamil Dudka (9 May 2019) +- http_negotiate: do not treat failure of gss_init_sec_context() as fatal - Assisted-by: Dan Fandrich - Fixes #3617 - Closes #3642 + Fixes #3726 + Closes #3849 -- examples: only include - - That's the only public curl header we should encourage use of. +- spnego_gssapi: fix return code on gss_init_sec_context() failure - Reviewed-by: Marcel Raad - Closes #3645 + Fixes #3726 + Closes #3849 -- ssh: loop the state machine if not done and not blocking +Steve Holme (9 May 2019) +- gen_resp_file.bat: Removed unnecessary @ from all but the first command - If the state machine isn't complete, didn't fail and it didn't return - due to blocking it can just as well loop again. 
- - This addresses the problem with SFTP directory listings where we would - otherwise return back to the parent and as the multi state machine - doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the - doing phase isn't complete, it would return out when in reality there - was more data to deal with. + There is need to use @ on every command once echo has been turned off. - Fixes #3506 - Closes #3644 + Closes #3854 -Jay Satiro (5 Mar 2019) -- multi: support verbose conncache closure handle +Jay Satiro (8 May 2019) +- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies - - Change closure handle to receive verbose setting from the easy handle - most recently added via curl_multi_add_handle. + - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to + the destination host. - The closure handle is a special easy handle used for closing cached - connections. It receives limited settings from the easy handle most - recently added to the multi handle. Prior to this change that did not - include verbose which was a problem because on connection shutdown - verbose mode was not acknowledged. + We already do something similar for HTTPS proxies by not sending h2. [1] - Ref: https://github.com/curl/curl/pull/3598 + Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would + incorrectly use HTTP/2 to talk to the proxy, which is not something we + support (yet?). Also it's debatable whether or not that setting should + apply to HTTP/2 proxies. 
- Co-authored-by: Daniel Stenberg + [1]: https://github.com/curl/curl/commit/17c5d05 - Closes https://github.com/curl/curl/pull/3618 + Bug: https://github.com/curl/curl/issues/3570 + Bug: https://github.com/curl/curl/issues/3832 + + Closes https://github.com/curl/curl/pull/3853 -Daniel Stenberg (4 Mar 2019) -- CURLU: fix NULL dereference when used over proxy +Marcel Raad (8 May 2019) +- travis: update mesalink build to xenial - Test 659 verifies + Closes https://github.com/curl/curl/pull/3842 + +Daniel Stenberg (8 May 2019) +- [Ricky Leverence brought this change] + + OpenSSL: Report -fips in version if OpenSSL is built with FIPS - Also fixed the test 658 name + Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS + define. It uses this define to determine whether to publish -fips at + the end of the version displayed. Applications that utilize the version + reported by OpenSSL will see a mismatch if they compare it to what curl + reports, as curl is not modifying the version in the same way. This + change simply adds a check to see if OPENSSL_FIPS is defined, and will + alter the reported version to match what OpenSSL itself provides. This + only appears to be applicable in versions of OpenSSL <1.1.1 - Closes #3641 + Closes #3771 -- altsvc_out: check the return code from Curl_gmtime +Kamil Dudka (7 May 2019) +- [Frank Gevaerts brought this change] + + nss: allow fifos and character devices for certificates. - Pointed out by Coverity, CID 1442956. + Currently you can do things like --cert <(cat ./cert.crt) with (at least) the + openssl backend, but that doesn't work for nss because is_file rejects fifos. - Closes #3640 + I don't actually know if this is sufficient, nss might do things internally + (like seeking back) that make this not work, so actual testing is needed. 
+ + Closes #3807 -- docs/ALTSVC.md: docs describing the approach +Daniel Gustafsson (6 May 2019) +- test2100: Fix typos in test description + +Daniel Stenberg (6 May 2019) +- ssh: define USE_SSH if SSH is enabled (any backend) - Closes #3498 + Closes #3846 -- alt-svc: add a travis build +Steve Holme (5 May 2019) +- winbuild: Add our standard copyright header to the winbuild batch files -- alt-svc: add test 355 and 356 to verify with command line curl +- makedebug: Fix ERRORLEVEL detection after running where.exe + + Closes #3838 -- alt-svc: the curl command line bits +Daniel Stenberg (5 May 2019) +- urlapi: add CURLUPART_ZONEID to set and get + + The zoneid can be used with IPv6 numerical addresses. + + Updated test 1560 to verify. + + Closes #3834 -- alt-svc: the libcurl bits +- [Taiyu Len brought this change] -- travis: add build using gnutls + WRITEFUNCTION: add missing set_in_callback around callback - Closes #3637 + Closes #3837 - RELEASE-NOTES: synced -- [Simon Legner brought this change] - - scripts/completion.pl: also generate fish completion file +- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip] - This is the renamed script formerly known as zsh.pl + Reported-by: Ricardo Gomes - Closes #3545 + Bug: #3537 + Closes #3836 -- gnutls: remove call to deprecated gnutls_compression_get_name +- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value - It has been deprecated by GnuTLS since a year ago and now causes build - warnings. + The time field in the curl_fileinfo struct will always be zero. No code + was ever implemented to actually convert the date string to a time_t. 
- Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f - Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html + Fixes #3829 + Closes #3835 + +- OS400/ccsidcurl.c: code style fixes + +- OS400/ccsidcurl: replace use of Curl_vsetopt - Closes #3636 + (and make the code style comply) + + Fixes #3833 -Jay Satiro (2 Mar 2019) -- system_win32: move win32_init here from easy.c +- urlapi: strip off scope id from numerical IPv6 addresses - .. since system_win32 is a more appropriate location for the functions - and to extern the globals. + ... to make the host name "usable". Store the scope id and put it back + when extracting a URL out of it. - Ref: https://github.com/curl/curl/commit/ca597ad#r32446578 - Reported-by: Gisle Vanem + Also makes curl_url_set() syntax check CURLUPART_HOST. - Closes https://github.com/curl/curl/pull/3625 + Fixes #3817 + Closes #3822 -Daniel Stenberg (1 Mar 2019) -- curl_easy_duphandle.3: clarify that a duped handle has no shares +- RELEASE-NOTES: synced + +- multiif.h: remove unused protos - Reported-by: Sara Golemon + ... for functions related to pipelining. Those functions were removed in + 2f44e94efb3df. - Fixes #3592 - Closes #3634 - -- 10-at-a-time.c: fix too long line + Closes #3828 -- [Arnaud Rebillout brought this change] +- [Yiming Jing brought this change] - examples: various fixes in ephiperfifo.c + travis: mesalink: temporarily disable test 3001 - The main change here is the timer value that was wrong, it was given in - usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 * - 1000). This resulted in the callback being invoked WAY TOO OFTEN. + ... 
due to SHA-1 signatures in test certs + +- [Yiming Jing brought this change] + + travis: upgrade the MesaLink TLS backend to v1.0.0 - As a quick check you can run this command before and after applying this - commit: + Closes #3823 + Closes #3776 + +- ConnectionExists: improve non-multiplexing use case - # shell 1 - ./ephiperfifo 2>&1 | tee ephiperfifo.log - # shell 2 - echo http://hacking.elboulangero.com > hiper.fifo + - better log output - Then just compare the size of the logs files. + - make sure multiplex is enabled for it to be used + +- multi: provide Curl_multiuse_state to update information - Closes #3633 - Fixes #3632 - 
Signed-off-by: Arnaud Rebillout + As soon as a TLS backend gets ALPN conformation about the specific HTTP + version it can now set the multiplex situation for the "bundle" and + trigger moving potentially queued up transfers to the CONNECT state. -- urldata: simplify bytecounters +- process_pending_handles: mark queued transfers as previously pending - - no need to have them protocol specific + With transfers being queued up, we only move one at a a time back to the + CONNECT state but now we mark moved transfers so that when a moved + transfer is confirmed "successful" (it connected) it will trigger the + move of another pending transfer. Previously, it would otherwise wait + until the transfer was done before doing this. This makes queued up + pending transfers get processed (much) faster. + +- http: mark bundle as not for multiuse on < HTTP/2 response - - no need to set pointers to them with the Curl_setup_transfer() call + Fixes #3813 + Closes #3815 + +Daniel Gustafsson (1 May 2019) +- cookie: Guard against possible NULL ptr deref - - make Curl_setup_transfer() operate on a transfer pointer, not - connection + In case the name pointer isn't set (due to memory pressure most likely) + we need to skip the prefix matching and reject with a badcookie to avoid + a possible NULL pointer dereference. 
- - switch some counters from long to the more proper curl_off_t type + Closes #3820 #3821 + Reported-by: Jonathan Moerman + Reviewed-by: Daniel Stenberg + +Patrick Monnerat (30 Apr 2019) +- os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings + +Kamil Dudka (29 Apr 2019) +- nss: provide more specific error messages on failed init - Closes #3627 + Closes #3808 -- examples/10-at-a-time.c: improve readability and simplify +Daniel Stenberg (29 Apr 2019) +- [Reed Loden brought this change] + + docs: minor polish to the bug bounty / security docs - - use better variable names to explain their purposes - - convert logic to curl_multi_wait() + Closes #3811 -- threaded-resolver: shutdown the resolver thread without error message +- CURL_MAX_INPUT_LENGTH: largest acceptable string input size - When a transfer is done, the resolver thread will be brought down. That - could accidentally generate an error message in the error buffer even - though this is not an error situationand the transfer would still return - OK. An application that still reads the error buffer could find a - "Could not resolve host: [host name]" message there and get confused. + This limits all accepted input strings passed to libcurl to be less than + CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: + curl_easy_setopt() and curl_url_set(). - Reported-by: Michael Schmid - Fixes #3629 - Closes #3630 + The 8000000 number is arbitrary picked and is meant to detect mistakes + or abuse, not to limit actual practical use cases. By limiting the + acceptable string lengths we also reduce the risk of integer overflows + all over. + + NOTE: This does not apply to `CURLOPT_POSTFIELDS`. + + Test 1559 verifies. 
+ + Closes #3805 -- [Ԝеѕ brought this change] +- [Tseng Jun brought this change] - docs: update max-redirs.d phrasing - - clarify redir - "in absurdum" doesn't seem to make sense in this context + curlver.h: use parenthesis in CURL_VERSION_BITS macro - Closes #3631 + Closes #3809 -- ssh: fix Condition '!status' is always true +Marcel Raad (27 Apr 2019) +- [Simon Warta brought this change] + + cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP - in the same sftp_done function in both SSH backends. Simplify them - somewhat. + Closes https://github.com/curl/curl/pull/3769 + +Steve Holme (23 Apr 2019) +- ntlm: Missed pre-processor || (or) during rebase for cd15acd0 + +- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 - Pointed out by Codacy. + Just like we do for mbed TLS, use our local implementation of MD4 when + OpenSSL doesn't support it. This allows a type-3 message to include the + NT response. + +Daniel Gustafsson (23 Apr 2019) +- INTERNALS: fix misindentation of ToC item - Closes #3628 + Kerberos was incorrectly indented as a subsection under FTP, which is + incorrect as they are both top level sections. A fix for this was first + attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that + was a few paddles short of being complete. -- test578: make it read data from the correct test +- [Aron Bergman brought this change] -- Curl_easy: remove req.maxfd - never used! + INTERNALS: Add structs to ToC - Introduced in 8b6314ccfb, but not used anymore in current code. Unclear - since when. + Add the subsections under "Structs in libcurl" to the table of contents. 
- Closes #3626 + Reviewed-by: Daniel Stenberg + Reviewed-by: Daniel Gustafsson -- http: set state.infilesize when sending formposts +- [Aron Bergman brought this change] + + INTERNALS: Add code highlighting - Without it set, we would unwillingly triger the "HTTP error before end - of send, stop sending" condition even if the entire POST body had been - sent (since it wouldn't know the expected size) which would - unnecessarily log that message and close the connection when it didn't - have to. + Make all struct members under the Curl_handler section + print in monospace font. - Reported-by: Matt McClure - Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html - Closes #3624 + Closes #3801 + Reviewed-by: Daniel Stenberg + Reviewed-by: Daniel Gustafsson -- INSTALL: refer to the current TLS library names and configure options +Daniel Stenberg (22 Apr 2019) +- docs/BUG-BOUNTY: bug bounty time [skip ci] + + Introducing the curl bug bounty program on hackerone. We now recommend + filing security issues directly in the hackerone ticket system which + only is readable to curl security team members. + + Assisted-by: Daniel Gustafsson + + Closes #3488 -- FAQ: minor updates and spelling fixes +Steve Holme (22 Apr 2019) +- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 + + RFC 4616 specifies the authzid is optional in the client authentication + message and that the server will derive the authorisation identity + (authzid) from the authentication identity (authcid) when not specified + by the client. -- GOVERNANCE.md: minor spelling fixes +Jay Satiro (22 Apr 2019) +- [Gisle Vanem brought this change] -- Secure Transport: no more "darwinssl" + memdebug: fix variable name - Everyone calls it Secure Transport, now we do too. + Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. 
- Reviewed-by: Nick Zitzmann + Ref: https://github.com/curl/curl/commit/76b6348#r33259088 + +Steve Holme (21 Apr 2019) +- vauth/cleartext: Don't send the authzid if it is empty - Closes #3619 + Follow up to 762a292f. -Marcel Raad (27 Feb 2019) -- AppVeyor: add classic MinGW build +Daniel Stenberg (21 Apr 2019) +- test 196,197,198: add 'retry' keyword [skip ci] + +- RELEASE-NOTES: synced + +- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse - But use the MSYS2 shell rather than the default MSYS shell because of - POSIX path conversion issues. Classic MinGW is only available on the - Visual Studio 2015 image. + ... and disconnect too old ones instead of trying to reuse. - Closes https://github.com/curl/curl/pull/3623 + Default max age is set to 118 seconds. + + Ref: #3722 + Closes #3782 -- AppVeyor: add MinGW-w64 build +Daniel Gustafsson (20 Apr 2019) +- [Po-Chuan Hsieh brought this change] + + altsvc: Fix building with cookies disables - Add a MinGW-w64 build using CMake's MSYS Makefiles generator. - Use the Visual Studio 2015 image as it has GCC 8, while the - Visual Studio 2017 image only has GCC 7.2. + ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if + check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is + disabled. Fix by splitting out the function into a separate file which can + be included where needed. - Closes https://github.com/curl/curl/pull/3623 + Closes #3717 + Reviewed-by: Daniel Gustafsson + Reviewed-by: Marcel Raad -Daniel Stenberg (27 Feb 2019) -- cookies: only save the cookie file if the engine is enabled - - Follow-up to 8eddb8f4259. +Daniel Stenberg (20 Apr 2019) +- test1002: correct the name [skip ci] + +- test660: verify CONNECT_ONLY with IMAP - If the cookieinfo pointer is NULL there really is nothing to save. 
+ which basically just makes sure LOGOUT is *not* issued on disconnect + +- Curl_disconnect: treat all CONNECT_ONLY connections as "dead" - Without this fix, we got a problem when a handle was using shared object - with cookies and is told to "FLUSH" it to file (which worked) and then - the share object was removed and when the easy handle was closed just - afterwards it has no cookieinfo and no cookies so it decided to save an - empty jar (overwriting the file just flushed). + Since the connection has been used by the "outside" we don't know the + state of it anymore and curl should not use it anymore. - Test 1905 now verifies that this works. + Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html - Assisted-by: Michael Wallner - Assisted-by: Marcel Raad + Closes #3795 + +- multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) - Closes #3621 + The list of names must be in sync with the defined states in the header + file! -- [DaVieS brought this change] +Steve Holme (16 Apr 2019) +- openvms: Remove pre-processors for Windows as VMS cannot support them - cacertinmem.c: use multiple certificates for loading CA-chain +- openvms: Remove pre-processor for SecureTransport as VMS cannot support it - Closes #3421 + Fixes #3768 + Closes #3785 -- urldata: convert bools to bitfields and move to end +Jay Satiro (16 Apr 2019) +- TODO: Add issue link to an existing entry + +Daniel Stenberg (16 Apr 2019) +- RELEASE-NOTES: synced + +Jay Satiro (16 Apr 2019) +- tool_help: Warn if curl and libcurl versions do not match - This allows the compiler to pack and align the structs better in - memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 - makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. + .. because functionality may be affected if the versions differ. - Removed an unused struct field. + This commit implements TODO 18.7 "warning if curl version is not in sync + with libcurl version". - No functionality changes. 
+ Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033 - Closes #3610 + Closes https://github.com/curl/curl/pull/3774 -- [Don J Olmstead brought this change] +Steve Holme (16 Apr 2019) +- md5: Update the function signature following d84da52d - curl.h: use __has_declspec_attribute for shared builds - - Closes #3616 +- md5: Forgot to update the code alignment in d84da52d -- curl: display --version features sorted alphabetically +- md5: Return CURLcode from the internally accessible functions - Closes #3611 + Following 28f826b3 to return CURLE_OK instead of numeric 0. -- runtests: detect "schannel" as an alias for "winssl" +Daniel Gustafsson (15 Apr 2019) +- tests: Run global cleanup at end of tests - Follow-up to 180501cb02 + Make sure to run curl_global_cleanup() when shutting down the test + suite to release any resources allocated in the SSL setup. This is + clearly visible when running tests with PolarSSL where the thread + lock calloc() memory which isn't released when not running cleanup. 
+ Below is an excerpt from the autobuild logs: - Reported-by: Marcel Raad - Fixes #3609 - Closes #3620 + ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2 + ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752) + ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205) + ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup + (polarssl_threadlock.c:54) + ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865) + ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171) + ==12368== by 0x118B4C: global_init (easy.c:158) + ==12368== by 0x118BF5: curl_global_init (easy.c:221) + ==12368== by 0x118D0B: curl_easy_init (easy.c:299) + ==12368== by 0x114E96: test (lib1906.c:32) + ==12368== by 0x115495: main (first.c:174) + + Closes #3783 + Reviewed-by: Marcel Raad + Reviewed-by: Daniel Stenberg -Marcel Raad (26 Feb 2019) -- AppVeyor: update to Visual Studio 2017 +Marcel Raad (15 Apr 2019) +- travis: use mbedtls from Xenial - Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a - moving target anymore as the last update, Update 9, has been released. + No need to build it from source anymore. - Closes https://github.com/curl/curl/pull/3606 + Closes https://github.com/curl/curl/pull/3779 -- AppVeyor: switch VS 2015 builds to VS 2017 image +- travis: use libpsl from Xenial - The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed. + This makes building libpsl and libidn2 from source unnecessary and + removes the need for the autopoint and libunistring-dev packages. - Closes https://github.com/curl/curl/pull/3606 + Closes https://github.com/curl/curl/pull/3779 -- AppVeyor: explicitly select worker image +Daniel Stenberg (15 Apr 2019) +- runtests: start socksd like other servers - Currently, we're using the default Visual Studio 2015 image for - everything. + ... without a $srcdir prefix. Triggered by the failures in several + autobuilds. 
- Closes https://github.com/curl/curl/pull/3606 + Closes #3781 -Daniel Stenberg (26 Feb 2019) -- strerror: make the strerror function use local buffers - - Instead of using a fixed 256 byte buffer in the connectdata struct. +Daniel Gustafsson (14 Apr 2019) +- socksd: Fix typos - In my build, this reduces the size of the connectdata struct by 11.8%, - from 2160 to 1904 bytes with no functionality or performance loss. + Reviewed-by: Daniel Stenberg + +- socksd: Properly decorate static variables - This also fixes a bug in schannel's Curl_verify_certificate where it - called Curl_sspi_strerror when it should have called Curl_strerror for - string from GetLastError. the only effect would have been no text or the - wrong text being shown for the error. + Mark global variables static to avoid compiler warning in Clang when + using -Wmissing-variable-declarations. - Co-authored-by: Jay Satiro + Closes #3778 + Reviewed-by: Daniel Stenberg + +Steve Holme (14 Apr 2019) +- md(4|5): Fixed indentation oddities with the importation of replacement code - Closes #3612 + The indentation from 211d5329 and 57d6d253 was a little strange as + parts didn't align correctly, uses 4 spaces rather than 2. Checked + the indentation of the original source so it aligns, albeit, using + curl style. -- [Michael Wallner brought this change] +- md5: Code style to return CURLE_OK rather than numeric 0 - cookies: fix NULL dereference if flushing cookies with no CookieInfo set - - Regression brought by a52e46f3900fb0 (shipped in 7.63.0) - - Closes #3613 +- md5: Corrected code style for some pointer arguments -Marcel Raad (26 Feb 2019) -- AppVeyor: re-enable test 500 +Marcel Raad (13 Apr 2019) +- travis: update some builds to xenial - It's passing now. + Xenial comes with more up-to-date software versions and more available + packages, some of which we currently build from source. 
Unfortunately, + some builds would fail with Xenial because of assertion failures in + Valgrind when using OpenSSL, so leave these at Trusty. - Closes https://github.com/curl/curl/pull/3615 + Closes https://github.com/curl/curl/pull/3777 -- AppVeyor: remove redundant builds +Daniel Stenberg (13 Apr 2019) +- test: make tests and test scripts use socksd for SOCKS - Remove the Visual Studio 2012 and 2013 builds as they add little value. + Make all SOCKS tests use socksd instead of ssh. + +- socksd: new SOCKS 4+5 server for tests - Ref: https://github.com/curl/curl/pull/3606 - Closes https://github.com/curl/curl/pull/3614 + Closes #3752 -Daniel Stenberg (25 Feb 2019) -- RELEASE-NOTES: synced +- singleipconnect: show port in the verbose "Trying ..." message + + To aid debugging better. -- [Bernd Mueller brought this change] +- [tmilburn brought this change] - OpenSSL: add support for TLS ASYNC state + CURLOPT_ADDRESS_SCOPE: fix range check and more - Closes #3591 - -Jay Satiro (25 Feb 2019) -- [Michael Felt brought this change] + Commit 9081014 fixed most of the confusing issues between scope id and + scope however 844896d added bad limits checking assuming that the scope + is being set and not the scope id. + + I have fixed the documentation so it all refers to scope ids. + + In addition Curl_if2ip refered to the scope id as remote_scope_id which + is incorrect, so I renamed it to local_scope_id. + + Adjusted-by: Daniel Stenberg + + Closes #3655 + Closes #3765 + Fixes #3713 - acinclude: add additional libraries to check for LDAP support +- urlapi: stricter CURLUPART_PORT parsing - - Add an additional check for LDAP that also checks for OpenSSL since - on AIX those libraries may be required to link LDAP properly. + Only allow well formed decimal numbers in the input. - Fixes https://github.com/curl/curl/issues/3595 - Closes https://github.com/curl/curl/pull/3596 + Document that the number MUST be between 1 and 65535. + + Add tests to test 1560 to verify the above. 
+ + Ref: https://github.com/curl/curl/issues/3753 + Closes #3762 -- [georgeok brought this change] +Jay Satiro (13 Apr 2019) +- [Jan Ehrhardt brought this change] - schannel: support CALG_ECDH_EPHEM algorithm + winbuild: Support MultiSSL builds - Add support for Ephemeral elliptic curve Diffie-Hellman key exchange - algorithm option when selecting ciphers. This became available on the - Win10 SDK. + - Remove the lines in winbuild/Makefile.vc that generate an error with + multiple SSL backends. - Closes https://github.com/curl/curl/pull/3608 + - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL + backends are set. + + Closes https://github.com/curl/curl/pull/3772 -Daniel Stenberg (24 Feb 2019) -- multi: call multi_done on connect timeouts +Daniel Stenberg (12 Apr 2019) +- travis: remove mesalink builds (temporarily?) - Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get - updated correctly and could end up getting reported to the application - completely wrong (way too small). + Since the mesalink build started to fail on travis, even though we build + a fixed release version, we disable it to prevent it from blocking + progress. - Reported-by: accountantM on github - Fixes #3602 - Closes #3605 + Closes #3767 -- examples: remove recursive calls to curl_multi_socket_action +- openssl: mark connection for close on TLS close_notify - From within the timer callbacks. Recursive is problematic for several - reasons. They should still work, but this way the examples and the - documentation becomes simpler. I don't think we need to encourage - recursive calls. + Without this, detecting and avoid reusing a closed TLS connection + (without a previous GOAWAY) when doing HTTP/2 is tricky. 
- Discussed in #3537 - Closes #3601 + Reported-by: Tom van der Woerdt + Fixes #3750 + Closes #3763 -Marcel Raad (23 Feb 2019) -- configure: remove CURL_CHECK_FUNC_FDOPEN call +- RELEASE-NOTES: synced + +Steve Holme (11 Apr 2019) +- vauth/cleartext: Update the PLAIN login function signature to match RFC 4616 - The macro itself has been removed in commit - 11974ac859c5d82def59e837e0db56fef7f6794e. + Functionally this doesn't change anything as we still use the username + for both the authorisation identity and the authentication identity. - Closes https://github.com/curl/curl/pull/3604 + Closes #3757 -Daniel Stenberg (23 Feb 2019) -- wolfssl: stop custom-adding curves +Daniel Stenberg (11 Apr 2019) +- test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage - since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in - wolfSSL 3.10.2 and later) it sends these curves by default already. + Based-on-code-by: Poul T Lomholt + +- url: always clone the CUROPT_CURLU handle - Pointed-out-by: David Garske + Since a few code paths actually update that data. - Closes #3599 + Fixes #3753 + Closes #3761 + + Reported-by: Poul T Lomholt -- configure: remove the unused fdopen macro +- CURLOPT_DNS_USE_GLOBAL_CACHE: remove - and the two remaining #ifdefs for it + Remove the code too. The functionality has been disabled in code since + 7.62.0. Setting this option will from now on simply be ignored and have + no function. - Closes #3600 + Closes #3654 -Jay Satiro (22 Feb 2019) -- url: change conn shutdown order to unlink data as last step - - - Split off connection shutdown procedure from Curl_disconnect into new - function conn_shutdown. +Marcel Raad (11 Apr 2019) +- travis: install libgnutls28-dev only for --with-gnutls build - - Change the shutdown procedure to close the sockets before - disassociating the transfer. + Reduces the time needed for the other jobs a little. 
- Prior to this change the sockets were closed after disassociating the - transfer so SOCKETFUNCTION wasn't called since the transfer was already - disassociated. That likely came about from recent work started in - Jan 2019 (#3442) to separate transfers from connections. + Closes https://github.com/curl/curl/pull/3721 + +- travis: install libnss3-dev only for --with-nss build - Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html - Reported-by: Pavel Löbl + Reduces the time needed for the other jobs a little. - Closes https://github.com/curl/curl/issues/3597 - Closes https://github.com/curl/curl/pull/3598 + Closes https://github.com/curl/curl/pull/3721 -Marcel Raad (22 Feb 2019) -- Fix strict-prototypes GCC warning +- travis: install libssh2-dev only for --with-libssh2 build - As seen in the MinGW autobuilds. Caused by commit - f26bc29cfec0be84c67cf74065cf8e5e78fd68b7. - -Dan Fandrich (21 Feb 2019) -- tests: Fixed XML validation errors in some test files. + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 -Daniel Stenberg (20 Feb 2019) -- TODO: Allow SAN names in HTTP/2 server push +- travis: install libssh-dev only for --with-libssh build - Suggested-by: Nicolas Grekas + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 -- RELEASE-NOTES: synced +- travis: install krb5-user only for --with-gssapi build + + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 -- curl: remove MANUAL from -M output +- travis: install lcov only for the coverage job - ... and remove it from the dist tarball. It has served its time, it - barely gets updated anymore and "everything curl" is now convering all - this document once tried to include, and does it more and better. + Reduces the time needed for the other jobs a little. - In the compressed scenario, this removes ~15K data from the binary, - which is 25% of the -M output. 
+ Closes https://github.com/curl/curl/pull/3721 + +- travis: install clang only when needed - It remains in the git repo for now for as long as the web site builds a - page using that as source. It renders poorly on the site (especially for - mobile users) so its not even good there. + This reduces the GCC job runtimes a little and it's needed to + selectively update clang builds to xenial. - Closes #3587 + Closes https://github.com/curl/curl/pull/3721 -- http2: verify :athority in push promise requests +- AppVeyor: enable testing for WinSSL build - RFC 7540 says we should verify that the push is for an "authoritative" - server. We make sure of this by only allowing push with an :athority - header that matches the host that was asked for in the URL. + Closes https://github.com/curl/curl/pull/3725 + +- build: fix Codacy/CppCheck warnings - Fixes #3577 - Reported-by: Nicolas Grekas - Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html - Closes #3581 + - remove unused variables + - declare conditionally used variables conditionally + - suppress unused variable warnings in the CMake tests + - remove dead variable stores + - consistently use WIN32 macro to detect Windows + + Closes https://github.com/curl/curl/pull/3739 -- singlesocket: fix the 'sincebefore' placement +- polarssl_threadlock: remove conditionally unused code - The variable wasn't properly reset within the loop and thus could remain - set for sockets that hadn't been set before and miss notifying the app. + Make functions no-ops if neither both USE_THREADS_POSIX and + HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are + defined. Previously, if only one of them was defined, there was either + code compiled that did nothing useful or the wrong header included for + the functions used. - This is a follow-up to 4c35574 (shipped in curl 7.64.0) + Also, move POLARSSL_MUTEX_T define to implementation file as it's not + used externally. 
- Reported-by: buzo-ffm on github - Detected-by: Jan Alexander Steffens - Fixes #3585 - Closes #3589 + Closes https://github.com/curl/curl/pull/3739 -- connection: never reuse CONNECT_ONLY conections +- lib557: initialize variables - and make CONNECT_ONLY conections never reuse any existing ones either. + These variables are only conditionally initialized. - Reported-by: Pavel Löbl - Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html - Closes #3586 + Closes https://github.com/curl/curl/pull/3739 -Patrick Monnerat (19 Feb 2019) -- cli tool: fix mime post with --disable-libcurl-option configure option +- lib509: add missing include for strdup - Reported-by: Marcel Raad - Fixes #3576 - Closes #3583 + Closes https://github.com/curl/curl/pull/3739 -Daniel Stenberg (19 Feb 2019) -- x509asn1: cleanup and unify code layout +- README.md: fix no-consecutive-blank-lines Codacy warning - - rename 'n' to buflen in functions, and use size_t for them. Don't pass - in negative buffer lengths. + Consistently use one blank line between blocks. - - move most function comments to above the function starts like we use - to + Closes https://github.com/curl/curl/pull/3739 + +- tests/server/util: fix Windows Unicode build - - remove several unnecessary typecasts (especially of NULL) + Always use the ANSI version of FormatMessage as we don't have the + curl_multibyte gear available here. - Reviewed-by: Patrick Monnerat - Closes #3582 + Closes https://github.com/curl/curl/pull/3758 -- curl_multi_remove_handle.3: use at any time, just not from within callbacks - - [ci skip] +Daniel Stenberg (11 Apr 2019) +- curl_easy_getinfo.3: fix minor formatting mistake -- http: make adding a blank header thread-safe +Daniel Gustafsson (11 Apr 2019) +- xattr: skip unittest on unsupported platforms - Previously the function would edit the provided header in-place when a - semicolon is used to signify an empty header. 
This made it impossible to - use the same set of custom headers in multiple threads simultaneously. + The stripcredentials unittest fails to compile on platforms without + xattr support, for example the Solaris member in the buildfarm which + fails with the following: - This approach now makes a local copy when it needs to edit the string. + CC unit1621-unit1621.o + CC ../libtest/unit1621-first.o + CCLD unit1621 + Undefined first referenced + symbol in file + stripcredentials unit1621-unit1621.o + goto problem 2 + ld: fatal: symbol referencing errors. No output written to .libs/unit1621 + collect2: error: ld returned 1 exit status + gmake[2]: *** [Makefile:996: unit1621] Error 1 - Reported-by: d912e3 on github - Fixes #3578 - Closes #3579 - -- unit1651: survive curl_easy_init() fails + Fix by excluding the test on such platforms by using the reverse + logic from where stripcredentials() is defined. + + Closes #3759 + Reviewed-by: Daniel Stenberg -- [Frank Gevaerts brought this change] +Steve Holme (11 Apr 2019) +- emailL Added reference to RFC8314 for implicit TLS - rand: Fix a mismatch between comments in source and header. +- README: Schannel, stop calling it "winssl" - Reported-by: Björn Stenberg - Closes #3584 + Stick to "Schannel" everywhere - follow up to 180501cb. -Patrick Monnerat (18 Feb 2019) -- x509asn1: replace single char with an array +Jakub Zakrzewski (10 Apr 2019) +- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use - Although safe in this context, using a single char as an array may - cause invalid accesses to adjacent memory locations. + This fixes GSSAPI builds with the libraries in a non-standard location. + The testing for recv() were failing because it failed to link + the Kerberos libraries, which are not needed for this or subsequent + tests. - Detected by Coverity. 
+ fixes #3743 + closes #3744 -Daniel Stenberg (18 Feb 2019) -- examples/http2-serverpush: add some sensible error checks +- cmake: avoid linking executable for some tests with cmake 3.6+ - To avoid NULL pointer dereferences etc in the case of problems. + With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile() + (which is used by check_c_source_compiles()) will build static library + instead of executable. This avoids linking additional libraries in and thus + speeds up those checks a little. - Closes #3580 - -Jay Satiro (18 Feb 2019) -- easy: fix win32 init to work without CURL_GLOBAL_WIN32 + This commit also avoids #3743 (GSSAPI build errors) on itself with cmake + 3.6 or above. That issue was fixed separately for all versions. - - Change the behavior of win32_init so that the required initialization - procedures are not affected by CURL_GLOBAL_WIN32 flag. + Ref: #3744 + +- cmake: minor cleanup - libcurl via curl_global_init supports initializing for win32 with an - optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop - Winsock initialization. It did so internally by skipping win32_init() - when that flag was set. Since then win32_init() has been expanded to - include required initialization routines that are separate from - Winsock and therefore must be called in all cases. This commit fixes - it so that CURL_GLOBAL_WIN32 only controls the optional win32 - initialization (which is Winsock initialization, according to our doc). + - Remove nneeded include_regular_expression. + It was setting what is already a default. - The only users affected by this change are those that don't pass - CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the - risk of a potential crash. + - Remove duplicated include. - Ref: https://github.com/curl/curl/pull/3573 + - Don't check for pre-3.0.0 CMake version. + We already require at least 3.0.0, so it's just clutter. 
- Fixes https://github.com/curl/curl/issues/3313 - Closes https://github.com/curl/curl/pull/3575 + Ref: #3744 -Daniel Gustafsson (17 Feb 2019) -- cookie: Add support for cookie prefixes - - The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes - and how they should affect cookie initialization, which has been - adopted by the major browsers. This adds support for the two prefixes - defined, __Host- and __Secure, and updates the testcase with the - supplied examples from the draft. - - Closes #3554 - Reviewed-by: Daniel Stenberg +Steve Holme (8 Apr 2019) +- build-openssl.bat: Fixed support for OpenSSL v1.1.0+ -- mbedtls: release sessionid resources on error - - If mbedtls_ssl_get_session() fails, it may still have allocated - memory that needs to be freed to avoid leaking. Call the library - API function to release session resources on this errorpath as - well as on Curl_ssl_addsessionid() errors. - - Closes: #3574 - Reported-by: Michał Antoniak - Reviewed-by: Daniel Stenberg +- build-openssl.bat: Perfer the use of if statements rather than goto (where possible) -Patrick Monnerat (16 Feb 2019) -- cli tool: refactor encoding conversion sequence for switch case fallthrough. +- build-openssl.bat: Perform the install for each build type directly after the build -- version.c: silent scan-build even when librtmp is not enabled +- build-openssl.bat: Split the install of static and shared build types -Daniel Stenberg (15 Feb 2019) -- RELEASE-NOTES: synced +- build-openssl.bat: Split the building of static and shared build types -- Curl_now: figure out windows version in win32_init - - ... and avoid use of static variables that aren't thread safe. 
- - Fixes regression from e9ababd4f5a (present in the 7.64.0 release) - - Reported-by: Paul Groke - Fixes #3572 - Closes #3573 +- build-openssl.bat: Move the installation into a separate function -Marcel Raad (15 Feb 2019) -- unit1307: just fail without FTP support - - I missed to check this in with commit - 71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test. - This fixes the actual linker error. - - Closes https://github.com/curl/curl/pull/3568 +- build-openssl.bat: Move the build step into a separate function -Daniel Stenberg (15 Feb 2019) -- travis: enable valgrind for the iconv tests too - - Closes #3571 +- build-openssl.bat: Move the OpenSSL configuration into a separate function -- travis: add scan-build +- build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised - Closes #3564 + Should the parent environment set this variable then the build might + not be performed as the user intended. -- examples/sftpuploadresume: Value stored to 'result' is never read - - Detected by scan-build +Daniel Stenberg (8 Apr 2019) +- socks: fix error message -- examples/http2-upload: cleaned up +- config.d: clarify that initial : and = might need quoting [skip ci] - Fix scan-build warnings, no globals, no silly handle scan. Also remove - handles from the multi before cleaning up. + Fixes #3738 + Closes #3749 -- examples/http2-download: cleaned up +- RELEASE-NOTES: synced - To avoid scan-build warnings and global variables. + bumped to 7.65.0 for next release -- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory' +- socks5: user name and passwords must be shorter than 256 - Detected by scan-build - -- examples/httpcustomheader: Value stored to 'res' is never read + bytes... since the protocol needs to store the length in a single byte field. 
- Detected by scan-build + Reported-by: XmiliaH on github + Fixes #3737 + Closes #3740 -- examples: remove superfluous null-pointer checks - - in ftpget, ftpsget and sftpget, so that scan-build stops warning for - potential NULL pointer dereference below! - - Detected by scan-build +- [Jakub Zakrzewski brought this change] -- strip_trailing_dot: make sure NULL is never used for strlen - - scan-build warning: Null pointer passed as an argument to a 'nonnull' - parameter + test: urlapi: urlencode characters above 0x7f correctly -- [Jay Satiro brought this change] +- [Jakub Zakrzewski brought this change] - connection_check: restore original conn->data after the check - - - Save the original conn->data before it's changed to the specified - data transfer for the connection check and then restore it afterwards. - - This is a follow-up to 38d8e1b 2019-02-11. + urlapi: urlencode characters above 0x7f correctly - History: + fixes #3741 + Closes #3742 + +- [Even Rouault brought this change] + + multi_runsingle(): fix use-after-free - It was discovered a month ago that before checking whether to extract a - dead connection that that connection should be associated with a "live" - transfer for the check (ie original conn->data ignored and set to the - passed in data). A fix was landed in 54b201b which did that and also - cleared conn->data after the check. The original conn->data was not - restored, so presumably it was thought that a valid conn->data was no - longer needed. + Fixes #3745 + Closes #3746 - Several days later it was discovered that a valid conn->data was needed - after the check and follow-up fix was landed in bbae24c which partially - reverted the original fix and attempted to limit the scope of when - conn->data was changed to only when pruning dead connections. In that - case conn->data was not cleared and the original conn->data not - restored. 
+ The following snippet + ``` - A month later it was discovered that the original fix was somewhat - correct; a "live" transfer is needed for the check in all cases - because original conn->data could be null which could cause a bad deref - at arbitrary points in the check. A fix was landed in 38d8e1b which - expanded the scope to all cases. conn->data was not cleared and the - original conn->data not restored. + int main() + { + CURL* hCurlHandle = curl_easy_init(); + curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com"); + curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1"); + curl_easy_perform(hCurlHandle); + curl_easy_cleanup(hCurlHandle); + return 0; + } + ``` + triggers the following Valgrind warning - A day later it was discovered that not restoring the original conn->data - may lead to busy loops in applications that use the event interface, and - given this observation it's a pretty safe assumption that there is some - code path that still needs the original conn->data. This commit is the - follow-up fix for that, it restores the original conn->data after the - connection check. 
+ ``` + ==4125== Invalid read of size 8 + ==4125== at 0x4E7D1EE: Curl_llist_remove (llist.c:97) + ==4125== by 0x4E7EF5C: detach_connnection (multi.c:798) + ==4125== by 0x4E80545: multi_runsingle (multi.c:1451) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ==4125== Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd + ==4125== at 0x4C2ECF0: free (vg_replace_malloc.c:530) + ==4125== by 0x4E62C36: conn_free (url.c:756) + ==4125== by 0x4E62D34: Curl_disconnect (url.c:818) + ==4125== by 0x4E48DF9: Curl_once_resolved (hostip.c:1097) + ==4125== by 0x4E8052D: multi_runsingle (multi.c:1446) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ==4125== Block was alloc'd at + ==4125== at 0x4C2F988: calloc (vg_replace_malloc.c:711) + ==4125== by 0x4E6438E: allocate_conn (url.c:1654) + ==4125== by 0x4E685B4: create_conn (url.c:3496) + ==4125== by 0x4E6968F: Curl_connect (url.c:4023) + ==4125== by 0x4E802E7: multi_runsingle (multi.c:1368) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ``` - Assisted-by: tholin@users.noreply.github.com - Reported-by: tholin@users.noreply.github.com + This has been bisected to commit 2f44e94 - Fixes https://github.com/curl/curl/issues/3542 - Closes #3559 + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109 + Credit to OSS Fuzz -- memdebug: bring back 
curl_mark_sclose +- pipelining: removed - Used by debug builds with NSS. + As previously planned and documented in DEPRECATE.md, all pipelining + code is removed. - Reverted from 05b100aee247bb + Closes #3651 -Patrick Monnerat (14 Feb 2019) -- transfer.c: do not compute length of undefined hex buffer. - - On non-ascii platforms, the chunked hex header was measured for char code - conversion length, even for chunked trailers that do not have an hex header. - In addition, the efective length is already known: use it. - Since the hex length can be zero, only convert if needed. - - Reported by valgrind. +- [cclauss brought this change] -Daniel Stenberg (14 Feb 2019) -- KNOWN_BUGS: Cannot compile against a static build of OpenLDAP + tests: make Impacket (SMB server) Python 3 compatible - Closes #2367 + Closes #3731 + Fixes #3289 -Patrick Monnerat (14 Feb 2019) -- x509asn1: "Dereference of null pointer" - - Detected by scan-build (false positive). +Marcel Raad (6 Apr 2019) +- [Simon Warta brought this change] -Daniel Stenberg (14 Feb 2019) -- configure: show features as well in the final summary + cmake: set SSL_BACKENDS - Closes #3569 - -- KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10 + This groups all SSL backends into the feature "SSL" and sets the + SSL_BACKENDS analogue to configure.ac - Closes #2905 + Closes https://github.com/curl/curl/pull/3736 -- KNOWN_BUGS: Deflate error after all content was received - - Closes #2719 +- [Simon Warta brought this change] -- gssapi: fix deprecated header warnings - - Heimdal includes on FreeBSD spewed out lots of them. Less so now. + cmake: don't run SORT on empty list - Closes #3566 - -- TODO: Upgrade to websockets + In case of an empty list, SORTing leads to the cmake error "list + sub-command SORT requires list to be present." 
- Closes #3523 + Closes https://github.com/curl/curl/pull/3736 -- TODO: cmake test suite improvements - - Closes #3109 +Daniel Gustafsson (5 Apr 2019) +- [Eli Schwartz brought this change] -Patrick Monnerat (13 Feb 2019) -- curl: "Dereference of null pointer" + configure: fix default location for fish completions - Rephrase to satisfy scan-build. - -Marcel Raad (13 Feb 2019) -- unit1307: require FTP support + Fish defines a vendor completions directory for completions that are not + installed as part of the fish project itself, and the vendor completions + are preferred if they exist. This prevents trying to overwrite the + builtin curl.fish completion (or creating file conflicts in distro + packaging). - This test doesn't link without FTP support after - fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch - unavailable without FTP support. + Prefer the pkg-config defined location exported by fish, if it can be + found, and fall back to the correct directory defined by most systems. - Closes https://github.com/curl/curl/pull/3565 + Closes #3723 + Reviewed-by: Daniel Gustafsson -Daniel Stenberg (13 Feb 2019) -- TODO: TFO support on Windows +Marcel Raad (5 Apr 2019) +- ftplistparser: fix LGTM alert "Empty block without comment" - Nobody works on this now. + Removing the block is consistent with line 954/957. - Closes #3378 + Closes https://github.com/curl/curl/pull/3732 -- multi: Dereference of null pointer - - Mostly a false positive, but this makes the code easier to read anyway. +- transfer: fix LGTM alert "Comparison is always true" - Detected by scan-build. + Just remove the redundant condition, which also makes it clear that + k->buf is always 0-terminated if this break is not hit. - Closes #3563 + Closes https://github.com/curl/curl/pull/3732 -- urlglob: Argument with 'nonnull' attribute passed null - - Detected by scan-build. 
+Jay Satiro (4 Apr 2019) +- [Rikard Falkeborn brought this change] -Jay Satiro (12 Feb 2019) -- schannel: restore some debug output but only for debug builds + smtp: fix compiler warning - Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy - debug output in DEBUGF but omitted a few lines. + - Fix clang string-plus-int warning. - Ref: https://github.com/curl/curl/commit/84c10dc#r32292900 - -- examples/crawler: Fix the Accept-Encoding setting + Clang 8 warns about adding a string to an int does not append to the + string. Indeed it doesn't, but that was not the intention either. Use + array indexing as suggested to silence the warning. There should be no + functional changes. - - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default - supported encodings. + (In other words clang warns about "foo"+2 but not &"foo"[2] so use the + latter.) - Prior to this change the specific encodings of gzip and deflate were set - but there's no guarantee they'd be supported by the user's libcurl. + smtp.c:1221:29: warning: adding 'int' to a string does not append to the + string [-Wstring-plus-int] + eob = strdup(SMTP_EOB + 2); + ~~~~~~~~~~~~~~~~^~~~ + + Closes https://github.com/curl/curl/pull/3729 -Daniel Stenberg (12 Feb 2019) -- mime: put the boundary buffer into the curl_mime struct +Marcel Raad (4 Apr 2019) +- VS projects: use Unicode for VC10+ - ... instead of allocating it separately and point to it. It is - fixed-size and always used for each part. + All Windows APIs have been natively UTF-16 since Windows 2000 and the + non-Unicode variants are just wrappers around them. Only Windows 9x + doesn't understand Unicode without the UnicoWS DLL. As later Visual + Studio versions cannot target Windows 9x anyway, using the ANSI API + doesn't really have any benefit there. - Closes #3561 - -- schannel: be quiet + This avoids issues like KNOWN_BUGS 6.5. 
- Convert numerous infof() calls into debug-build only messages since they - are annoyingly verbose for regular applications. Removed a few. + Ref: https://github.com/curl/curl/issues/2120 + Closes https://github.com/curl/curl/pull/3720 + +Daniel Gustafsson (3 Apr 2019) +- RELEASE-NOTES: synced - Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html - Reported-by: Volker Schmid - Closes #3552 + Bump the version in progress to 7.64.2, if we merge any "change" + before the cut-off date we can update the version. -- [Romain Geissler brought this change] +- [Tim Rühsen brought this change] - Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning + documentation: Fix several typos - Closes #3562 + Closes #3724 + Reviewed-by: Jakub Zakrzewski + Reviewed-by: Daniel Gustafsson -- http2: multi_connchanged() moved from multi.c, only used for h2 - - Closes #3557 +Jay Satiro (2 Apr 2019) +- [Mert Yazıcıoğlu brought this change] -- curl: "Function call argument is an uninitialized value" + vauth/oauth2: Fix OAUTHBEARER token generation - Follow-up to cac0e4a6ad14b42471eb + OAUTHBEARER tokens were incorrectly generated in a format similar to + XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the + RFC7628. - Detected by scan-build - Closes #3560 + Fixes: #2487 + Reported-by: Paolo Mossino + + Closes https://github.com/curl/curl/pull/3377 -- pretransfer: don't strlen() POSTFIELDS set for GET requests +Marcel Raad (2 Apr 2019) +- tool_cb_wrt: fix bad-function-cast warning - ... since that data won't be used in the request anyway. + Commit f5bc578f4cdfdc6c708211dfc2962a0e9d79352d reintroduced the + warning fixed in commit 2f5f31bb57d68b54e03bffcd9648aece1fe564f8. + Extend fhnd's scope and reuse that variable instead of calling + _get_osfhandle a second time to fix the warning again. - Fixes #3548 - Reported-by: Renaud Allard - Close #3549 + Closes https://github.com/curl/curl/pull/3718 -- multi: remove verbose "Expire in" ... 
messages +- VC15 project: remove MinimalRebuild - Reported-by: James Brown - Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html - Closes #3558 + Already done in commit d5cfefd0ea8e331b884186bff484210fad36e345 for the + library project, but I forgot the tool project template. Now also + removed for that. -- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set +Dan Fandrich (1 Apr 2019) +- cirrus: Customize the disabled tests per FreeBSD version - Reported-by: MAntoniak on github - Fixes #3553 - Closes #3556 + Try to run as many test cases as possible on each OS version. + 12.0 passes 13 more tests than the older versions, so we might as well + run them. -Daniel Gustafsson (12 Feb 2019) -- non-ascii.c: fix typos in comments +Daniel Stenberg (1 Apr 2019) +- tool_help: include for strcasecmp - Fix two occurrences of s/convers/converts/ spotted while reading code. + Reported-by: Wyatt O'Day + Fixes #3715 + Closes #3716 -Daniel Stenberg (12 Feb 2019) -- fnmatch: disable if FTP is disabled - - Closes #3551 +Daniel Gustafsson (31 Mar 2019) +- scripts: fix typos -- curl_path: only enabled for SSH builds +Dan Fandrich (28 Mar 2019) +- travis: allow builds on branches named "ci" + + This allows a way to test changes other than through PRs. -- [Frank Gevaerts brought this change] +Daniel Stenberg (27 Mar 2019) +- [Brad Spencer brought this change] - tests: add stderr comparison to the test suite + resolve: apply Happy Eyeballs philosophy to parallel c-ares queries - The code is more or less copied from the stdout comparison code, maybe - some better reuse is possible. + Closes #3699 + +- multi: improved HTTP_1_1_REQUIRED handling - test 1457 is adjusted to make the output actually match (by using --silent) - test 506 used without actually needing it, so that block is removed + Make sure to downgrade to 1.1 even when we get this HTTP/2 stream error + on first flight. 
- Closes #3536 + Reported-by: niner on github + Fixes #3696 + Closes #3707 -Patrick Monnerat (11 Feb 2019) -- cli tool: do not use mime.h private structures. +- [Leonardo Taccari brought this change] + + configure: avoid unportable `==' test(1) operator - Option -F generates an intermediate representation of the mime structure - that is used later to create the libcurl mime structure and generate - the --libcurl statements. - - Reported-by: Daniel Stenberg - Fixes #3532 - Closes #3546 + Closes #3709 -Daniel Stenberg (11 Feb 2019) -- curlver: bump to 7.64.1-dev +Version 7.64.1 (27 Mar 2019) -- RELEASE-NOTES: synced - - and bump the version in progress to 7.64.1. If we merge any "change" - before the cut-off date, we update again. +Daniel Stenberg (27 Mar 2019) +- RELEASE: 7.64.1 -Daniel Gustafsson (11 Feb 2019) -- curl: follow-up to 3f16990ec84 +- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" - Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was - inadvertently introducing a new bug in the ternary expression. + This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. - Close #3555 - Reviewed-by: Daniel Stenberg + Fixes #3708 -- dns: release sharelock as soon as possible - - There is no benefit to holding the data sharelock when freeing the - addrinfo in case it fails, so ensure releaseing it as soon as we can - rather than holding on to it. This also aligns the code with other - consumers of sharelocks. +- [Christian Schmitz brought this change] + + ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set - Closes #3516 - Reviewed-by: Daniel Stenberg + Closes #3704 -Daniel Stenberg (11 Feb 2019) -- curl: follow-up to b49652ac66cc0 +Jay Satiro (26 Mar 2019) +- tool_cb_wrt: fix writing to Windows null device NUL - On FreeBSD, return non-zero on error otherwise zero. + - Improve console detection. 
- Reported-by: Marcel Raad - -- multi: (void)-prefix when ignoring return values + Prior to this change WriteConsole could be called to write to a handle + that may not be a console, which would cause an error. This issue is + limited to character devices that are not also consoles such as the null + device NUL. - ... and added braces to two function calls which fixes warnings if they - are replace by empty macros at build-time. + Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 + Reported-by: Gisle Vanem -- curl: fix FreeBSD compiler warning in the --xattr code +- CURLMOPT_PIPELINING.3: fix typo + +Daniel Stenberg (25 Mar 2019) +- TODO: config file parsing - Closes #3550 + Closes #3698 -- connection_check: set ->data to the transfer doing the check +Jay Satiro (24 Mar 2019) +- os400: Disable Alt-Svc by default since it's experimental - The http2 code for connection checking needs a transfer to use. Make - sure a working one is set before handler->connection_check() is called. + Follow-up to 520f0b4 which added Alt-Svc support and enabled it by + default for OS400. Since the feature is experimental, it should be + disabled by default. - Reported-by: jnbr on github - Fixes #3541 - Closes #3547 + Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 + Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html + + Closes https://github.com/curl/curl/pull/3688 -- hostip: make create_hostcache_id avoid alloc + free +Dan Fandrich (24 Mar 2019) +- tests: Fixed XML validation errors in some test files. + +- tests: Fix some incorrect precheck error messages. - Closes #3544 + [ci skip] -- scripts/singleuse: script to use to track single-use functions +Daniel Stenberg (22 Mar 2019) +- curl_url.3: this is not experimental anymore + +- travis: bump the used wolfSSL version to 4.0.0 - That is functions that are declared global but are not used from outside - of the file in which it is declared. 
Such functions should be made - static or even at times be removed. + Test 311 is now fine, leaving only 313 (CRL) disabled. - It also verifies that all used curl_ prefixed functions are "blessed" + Test 313 details can be found here: + https://github.com/wolfSSL/wolfssl/issues/1546 - Closes #3538 + Closes #3697 -- cleanup: make local functions static +Daniel Gustafsson (22 Mar 2019) +- lib: Fix typos in comments + +David Woodhouse (20 Mar 2019) +- openssl: if cert type is ENG and no key specified, key is ENG too - urlapi: turn three local-only functions into statics + Fixes #3692 + Closes #3692 + +Daniel Stenberg (20 Mar 2019) +- sectransp: tvOS 11 is required for ALPN support - conncache: make conncache_find_first_connection static + Reported-by: nianxuejie on github + Assisted-by: Nick Zitzmann + Assisted-by: Jay Satiro + Fixes #3689 + Closes #3690 + +- test1541: threaded connection sharing - multi: make detach_connnection static + The threaded-shared-conn.c example turned into test case. Only works if + pthread was detected. - connect: make getaddressinfo static + An attempt to detect future regressions such as e3a53e3efb942a5 - curl_ntlm_core: make hmac_md5 static + Closes #3687 + +Patrick Monnerat (17 Mar 2019) +- os400: alt-svc support. - http2: make two functions static + Although experimental, enable it in the platform config file. + Upgrade ILE/RPG binding. + +Daniel Stenberg (17 Mar 2019) +- conncache: use conn->data to know if a transfer owns it - http: make http_setup_conn static + - make sure an already "owned" connection isn't returned unless + multiplexed. - connect: make tcpnodelay static + - clear ->data when returning the connection to the cache again - tests: make UNITTEST a thing to mark functions with, so they can be static for - normal builds and non-static for unit test builds + Regression since 7.62.0 (probably in commit 1b76c38904f0) - ... and mark Curl_shuffle_addr accordingly. 
+ Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html - url: make up_free static + Closes #3686 + +- RELEASE-NOTES: synced + +- [Chris Young brought this change] + + configure: add --with-amissl - setopt: make vsetopt static + AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. + It also requires all programs using it to use bsdsocket.library + directly, rather than accessing socket functions through clib, which + libcurl was not necessarily doing previously. Configure will now check + for the headers and ensure they are included if found. - curl_endian: make write32_le static + Closes #3677 + +- [Chris Young brought this change] + + vtls: rename some of the SSL functions - rtsp: make rtsp_connisdead static + ... in the SSL structure as AmiSSL is using macros for the socket API + functions. + +- [Chris Young brought this change] + + tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr + +- [Chris Young brought this change] + + tool_operate: build on AmigaOS + +- makefile: make checksrc and hugefile commands "silent" - warnless: remove unused functions + ... to match the style already used for compiling, linking + etc. Acknowledges 'make V=1' to enable verbose. - memdebug: remove one unused function, made another static + Closes #3681 -Dan Fandrich (10 Feb 2019) -- cirrus: Added FreeBSD builds using Cirrus CI. +- curl.1: --user and --proxy-user are hidden from ps output - The build logs will be at https://cirrus-ci.com/github/curl/curl + Suggested-by: Eric Curtin + Improved-by: Dan Fandrich + Ref: #3680 - Some tests are currently failing and so disabled for now. The SSH server - isn't starting for the SSH tests due to unsupported options used in its - config file. The DICT server also is failing on startup. 
+ Closes #3683 -Daniel Stenberg (9 Feb 2019) -- url/idnconvert: remove scan for <= 32 ascii values +- curl.1: mark the argument to --cookie as - The check was added back in fa939220df before the URL parser would catch - these problems and therefore these will never trigger now. + From a discussion in #3676 - Closes #3539 + Suggested-by: Tim Rühsen + + Closes #3682 -- urlapi: reduce variable scope, remove unreachable 'break' +Dan Fandrich (14 Mar 2019) +- fuzzer: Only clone the latest fuzzer code, for speed. + +Daniel Stenberg (14 Mar 2019) +- [Dominik Hölzl brought this change] + + Negotiate: fix for HTTP POST with Negotiate - Both nits pointed out by codacy.com + * Adjusted unit tests 2056, 2057 + * do not generally close connections with CURLAUTH_NEGOTIATE after every request + * moved negotiatedata from UrlState to connectdata + * Added stream rewind logic for CURLAUTH_NEGOTIATE + * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC + * Consider authproblem state for CURLAUTH_NEGOTIATE + * Consider reuse_forbid for CURLAUTH_NEGOTIATE + * moved and adjusted negotiate authentication state handling from + output_auth_headers into Curl_output_negotiate + * Curl_output_negotiate: ensure auth done is always set + * Curl_output_negotiate: Set auth done also if result code is + GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may + also indicate the last challenge request (only works with disabled + Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) + * Consider "Persistent-Auth" header, detect if not present; + Reset/Cleanup negotiate after authentication if no persistent + authentication + * apply changes introduced with #2546 for negotiate rewind logic - Closes #3540 + Fixes #1261 + Closes #1975 -Alessandro Ghedini (7 Feb 2019) -- zsh.pl: escape ':' character - - ':' is interpreted as separator by zsh, so if used as part of the argument - or option's description it needs to be escaped. 
+- [Marc Schlatter brought this change] + + http: send payload when (proxy) authentication is done - The problem can be reproduced as follows: + The check that prevents payload from sending in case of authentication + doesn't check properly if the authentication is done or not. - % curl --reso - % curl -E + They're cases where the proxy respond "200 OK" before sending + authentication challenge. This change takes care of that. - Bug: https://bugs.debian.org/921452 + Fixes #2431 + Closes #3669 -- zsh.pl: update regex to better match curl -h output +- file: fix "Checking if unsigned variable 'readcount' is less than zero." - The current regex fails to match '<...>' arguments properly (e.g. those - with spaces in them), which causes an completion script with wrong - descriptions for some options. + Pointed out by codacy - Here's a diff of the generated completion script, comparing the previous - version to the one with this fix: + Closes #3672 + +- memdebug: log pointer before freeing its data - --- /usr/share/zsh/vendor-completions/_curl 2019-01-15 20:47:40.000000000 +0000 - +++ _curl 2019-02-05 20:57:29.453349040 +0000 - 
@@ -9,48 +9,48 @@ + Coverity warned for two potentional "Use after free" cases. Both are false + positives because the memory wasn't used, it was only the actual pointer + value that was logged. - _arguments -C -S \ - --happy-eyeballs-timeout-ms'[How long to wait in milliseconds for IPv6 before trying IPv4]':'' \ - + --resolve'[Resolve the host+port to this address]':'' \ - {-c,--cookie-jar}'[Write cookies to after operation]':'':_files \ - {-D,--dump-header}'[Write the received headers to ]':'':_files \ - {-y,--speed-time}'[Trigger '\''speed-limit'\'' abort after this time]':'' \ - --proxy-cacert'[CA certificate to verify peer against for proxy]':'':_files \ - - --tls13-ciphers'[of TLS 1.3 ciphersuites> TLS 1.3 cipher suites to use]':'' \ - {-E,--cert}'[Client certificate file and password]':'' \ - --libcurl'[Dump libcurl equivalent code of this command line]':'':_files \ - --proxy-capath'[CA directory to verify peer against for proxy]':'':_files \ - - --proxy-negotiate'[HTTP Negotiate (SPNEGO) authentication on the proxy]':'Use' \ - --proxy-pinnedpubkey'[FILE/HASHES public key to verify proxy with]':'' \ - --crlfile'[Get a CRL list in PEM format from the given file]':'':_files \ - - --proxy-insecure'[HTTPS proxy connections without verifying the proxy]':'Do' \ - - --proxy-ssl-allow-beast'[security flaw for interop for HTTPS proxy]':'Allow' \ - + --proxy-negotiate'[Use HTTP Negotiate (SPNEGO) authentication on the proxy]' \ - --abstract-unix-socket'[Connect via abstract Unix domain socket]':'' \ - --pinnedpubkey'[FILE/HASHES Public key to verify peer against]':'' \ - + --proxy-insecure'[Do HTTPS proxy connections without verifying the proxy]' \ - --proxy-pass'[Pass phrase for the private key for HTTPS proxy]':'' \ - + --proxy-ssl-allow-beast'[Allow security flaw for interop for HTTPS proxy]' \ - {-p,--proxytunnel}'[Operate through an HTTP proxy tunnel (using CONNECT)]' \ - --socks5-hostname'[SOCKS5 proxy, pass host name to proxy]':'' \ - --proto-default'[Use 
PROTOCOL for any URL missing a scheme]':'' \ - - --proxy-tls13-ciphers'[list> TLS 1.3 proxy cipher suites]':'' \ - --socks5-gssapi-service'[SOCKS5 proxy service name for GSS-API]':'' \ - --ftp-alternative-to-user'[String to replace USER \[name\]]':'' \ - - --ftp-ssl-control'[SSL/TLS for FTP login, clear for transfer]':'Require' \ - {-T,--upload-file}'[Transfer local FILE to destination]':'':_files \ - --local-port'[Force use of RANGE for local port numbers]':'' \ - --proxy-tlsauthtype'[TLS authentication type for HTTPS proxy]':'' \ - {-R,--remote-time}'[Set the remote file'\''s time on the local output]' \ - - --retry-connrefused'[on connection refused (use with --retry)]':'Retry' \ - - --suppress-connect-headers'[proxy CONNECT response headers]':'Suppress' \ - - {-j,--junk-session-cookies}'[session cookies read from file]':'Ignore' \ - - --location-trusted'[--location, and send auth to other hosts]':'Like' \ - + --ftp-ssl-control'[Require SSL/TLS for FTP login, clear for transfer]' \ - --proxy-cert-type'[Client certificate type for HTTPS proxy]':'' \ - {-O,--remote-name}'[Write output to a file named as the remote file]' \ - + --retry-connrefused'[Retry on connection refused (use with --retry)]' \ - + --suppress-connect-headers'[Suppress proxy CONNECT response headers]' \ - --trace-ascii'[Like --trace, but without hex output]':'':_files \ - --connect-timeout'[Maximum time allowed for connection]':'' \ - --expect100-timeout'[How long to wait for 100-continue]':'' \ - {-g,--globoff}'[Disable URL sequences and ranges using {} and \[\]]' \ - + {-j,--junk-session-cookies}'[Ignore session cookies read from file]' \ - {-m,--max-time}'[Maximum time allowed for the transfer]':'' \ - --dns-ipv4-addr'[IPv4 address to use for DNS requests]':'
' \ - --dns-ipv6-addr'[IPv6 address to use for DNS requests]':'
' \ - - --ignore-content-length'[the size of the remote resource]':'Ignore' \ - {-k,--insecure}'[Allow insecure server connections when using SSL]' \ - + --location-trusted'[Like --location, and send auth to other hosts]' \ - --mail-auth'[Originator address of the original email]':'
' \ - --noproxy'[List of hosts which do not use proxy]':'' \ - --proto-redir'[Enable/disable PROTOCOLS on redirect]':'' \ - @@ -62,18 +62,19 @@ - --socks5-basic'[Enable username/password auth for SOCKS5 proxies]' \ - --cacert'[CA certificate to verify peer against]':'':_files \ - {-H,--header}'[Pass custom header(s) to server]':'
' \ - + --ignore-content-length'[Ignore the size of the remote resource]' \ - {-i,--include}'[Include protocol response headers in the output]' \ - --proxy-header'[Pass custom header(s) to proxy]':'
' \ - --unix-socket'[Connect through this Unix domain socket]':'' \ - {-w,--write-out}'[Use output FORMAT after completion]':'' \ - - --http2-prior-knowledge'[HTTP 2 without HTTP/1.1 Upgrade]':'Use' \ - {-o,--output}'[Write to file instead of stdout]':'':_files \ - - {-J,--remote-header-name}'[the header-provided filename]':'Use' \ - + --preproxy'[\[protocol://\]host\[:port\] Use this proxy first]' \ - --socks4a'[SOCKS4a proxy on given host + port]':'' \ - {-Y,--speed-limit}'[Stop transfers slower than this]':'' \ - {-z,--time-cond}'[Transfer based on a time condition]':'