From 36bce64b00dcad9f6bffd1d64f946afa1c94d851 Mon Sep 17 00:00:00 2001 From: dartraiden Date: Sat, 7 Mar 2020 17:44:38 +0300 Subject: libcurl: update to 7.69 --- libs/libcurl/docs/CHANGES | 9911 +++++++++++++++++++++++---------------------- 1 file changed, 5010 insertions(+), 4901 deletions(-) (limited to 'libs/libcurl/docs/CHANGES') diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES index b1f1e20ee3..68ebc8265b 100644 --- a/libs/libcurl/docs/CHANGES +++ b/libs/libcurl/docs/CHANGES 
@@ -6,7125 +6,7234 @@ Changelog -Version 7.68.0 (8 Jan 2020) - -Daniel Stenberg (8 Jan 2020) -- RELEASE-NOTES: 7.68.0 +Version 7.69.0 (4 Mar 2020) -- THANKS: updated with names from the 7.68.0 release +Daniel Stenberg (4 Mar 2020) +- RELEASE-NOTES: 7.69.0 -- RELEASE-PROCEDURE: add four future release dates +- THANKS: from 7.69.0 - and remove four past release dates + Now sorted case insensitive + +Marc Hoersken (3 Mar 2020) +- ci/tests: fix escaping of testnames and disable proxy for CI APIs - [skip ci] + Follow up to ada581f and c0d8b96 + Closes #5031 -Marcel Raad (6 Jan 2020) -- TrackMemory tests: always remove CR before LF +Jay Satiro (3 Mar 2020) +- cmake: Show HTTPS-proxy in the features output - It was removed for output containing ' =' via `s/ =.*//`. With classic - MinGW, this made lines with `free()` end with CRLF, but lines with e.g. - `malloc()` end with only LF. The tests expect LF only. + - Show HTTPS-proxy in the features output for those backends that + support it: OpenSSL, GnuTLS and NSS. - Closes https://github.com/curl/curl/pull/4788 - -Daniel Stenberg (6 Jan 2020) -- multi.h: move INITIAL_MAX_CONCURRENT_STREAMS from public header + Prior to this change HTTPS-proxy was missing from the cmake features + output even if curl was built with it. Only cmake output was affected. + Both the library and tool correctly reported the feature. - ... to the private multihhandle.h. It is not for public use and it - wasn't prefixed correctly anyway! + Bug: https://curl.haxx.se/mail/lib-2020-03/0008.html + Reported-by: David Lopes - Closes #4790 + Closes https://github.com/curl/curl/pull/5025 -- file: fix copyright year range +Marc Hoersken (3 Mar 2020) +- ci/tests: Make it possible to still run but ignore failing tests - Follow-up to 1b71bc532bd + This enables the development of a solution for the failing tests by + running them on CI while ignoring their result for the overall status. 
+ + Closes #4994 -- curl -w: handle a blank input file correctly +- README.md: add Azure DevOps Pipelines build status badge + +- ci/tests: Move CI test result creation above environment setup - Previously it would end up with an uninitialized memory buffer that - would lead to a crash or junk getting output. + This avoids using our test servers as proxy to the AppVeyor API. - Added test 1271 to verify. + Closes #5022 + +- ci/tests: Send test results to AppVeyor for status overview - Reported-by: Brian Carpenter - Closes #4786 + Closes #5021 -- file: on Windows, refuse paths that start with \\ +Daniel Stenberg (3 Mar 2020) +- Revert "sha256: Added SecureTransport implementation" - ... as that might cause an unexpected SMB connection to a given host - name. + This reverts commit 4feb38deed33fed14ff7c370a6a9153c661dbb9c (from #4956) - Reported-by: Fernando Muñoz - CVE-2019-15601 - Bug: https://curl.haxx.se/docs/CVE-2019-15601.html + That commit broke test 1610 on macos builds without TLS. + + Closes #5027 -Jay Satiro (6 Jan 2020) -- CURLOPT_READFUNCTION.3: fix fopen params in example +- dist: include tests/azure.pm in the tarball + + Bug: https://github.com/curl/curl/commit/ada581f2cc32f48c1629b729707ac19208435b27#commitcomment-37601589 + Reported-by: Marcel Raad -- CURLOPT_READFUNCTION.3: fix variable name in example +Steve Holme (3 Mar 2020) +- configure.ac: Disable metalink if mbedTLS is specified - Reported-by: Paul Joyce + Follow up to cdcc9df1 and #5006. 
Even though I mentioned mbedTLS as + being one of the backends that metalink needs to be disabled for, I + seem to have included it in the list of allowed SSL/TLS backends in + comnfigure.ac :( - Fixes https://github.com/curl/curl/issues/4787 + Closes #5013 -Daniel Stenberg (5 Jan 2020) -- curl:getparameter return error for --http3 if libcurl doesn't support +- sha256: Tidy up following recent changes - Closes #4785 + Reviewed-by: Daniel Stenberg + Closes #4956 -- docs: mention CURL_MAX_INPUT_LENGTH restrictions +- sha256: Added WinCrypt implementation + +- sha256: Added SecureTransport implementation + +- sha256: Added mbedtls implementation + +- sha256: Added GNU TLS gcrypt implementation + +- sha256: Added GNU TLS Nettle implementation + +Jay Satiro (2 Mar 2020) +- curl_escape.3: Add a link to curl_free - ... for curl_easy_setopt() and curl_url_set(). + Ref: https://github.com/curl/curl/pull/5016#issuecomment-593628582 + +- curl_getenv.3: Fix the memory handling description - [skip ci] + - Tell the user to call curl_free() to free the pointer returned by + curl_getenv(). - Closes #4783 + Prior to this change the user was directed to call free(), but that + would not work in cases where the library and application use separate C + runtimes and therefore have separate heap memory management. + + Closes https://github.com/curl/curl/pull/5016 -- curl: properly free mimepost data +Daniel Stenberg (2 Mar 2020) +- [Nick Zitzmann brought this change] + + md4: use init/update/final functions in Secure Transport - ... as it could otherwise leak memory when a transfer failed. + We can use CC_MD4_Init/Update/Final without having to allocate memory + directly. - Added test 1293 to verify. 
+ Closes #4979 + +Marc Hoersken (2 Mar 2020) +- ci/tests: some MacOS builds randomly take longer than 20min + +Daniel Stenberg (2 Mar 2020) +- multi_wait: stop loop when sread() returns zero - Reported-by: Brian Carpenter - Fixes #4781 - Closes #4782 + It's unclear why it would ever return zero here, but this change fixes + Robert's problem and it shouldn't loop forever... + + Reported-by: Robert Dunaj + Bug: https://curl.haxx.se/mail/archive-2020-02/0011.html + Closes #5019 -- curl: cleanup multi handle on failure +- http: mark POSTs with no body as "upload done" from the start - ... to fix memory leak in error path. + As we have logic that checks if we get a >= 400 reponse code back before + the upload is done, which then got confused since it wasn't "done" but + yet there was no data to send! - Fixes #4772 - Closes #4780 - Reported-by: Brian Carpenter + Reported-by: IvanoG on github + Fixes #4996 + Closes #5002 -Marcel Raad (3 Jan 2020) -- lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS` +- tests: disable 962, 963 and 964 on Windows - Closes https://github.com/curl/curl/pull/4775 + These tests are also doing UTF-8 SMTP. + + Follow-up to df207d2dd93b9e73 -Daniel Stenberg (3 Jan 2020) -- COPYING: it's 2020! +Marc Hoersken (2 Mar 2020) +- ci/tests: fine-tune Azure Pipeline timeouts with a small puffer + +Daniel Stenberg (2 Mar 2020) +- configure: bump the AC_COPYRIGHT year range + +- [Steve Holme brought this change] + + tests: disable SMTP UTF-8 tests on Windows - [skip ci] + Fixes #4988 + Closes #4992 -Jay Satiro (3 Jan 2020) -- [Marc Aldorasi brought this change] +- formdata/mime: copyright year range update + + Due to the merge/revert cycle - tests: Fix bounce requests with truncated writes +- Revert "mime: latch last read callback status." 
- Prior to this change the swsbounce check in service_connection could - fail because prevtestno and prevpartno were not set, which would cause - the wrong response data to be sent to some tests and cause them to fail. + This reverts commit 87869e38d7afdec3ef1bb4965711458b088e254f. - Ref: https://github.com/curl/curl/pull/4717#issuecomment-570240785 + Fixes #5014 + Closes #5015 + Reopens #4833 -Marcel Raad (31 Dec 2019) -- tool: make a few char pointers point to const char instead +- Revert "mime: do not perform more than one read in a row" - These are read-only. + This reverts commit ed0f357f7d25566110d4302f33759f4ffb5a6f83. + +- Revert "mime: fix the binary encoder to handle large data properly" - Closes https://github.com/curl/curl/pull/4771 + This reverts commit b2caaa0681f329eed317ffb6ae6927f4a539f0c1. -Jay Satiro (31 Dec 2019) -- tests: Change NTLM tests to require SSL +- altsvc: both h3 backends now speak h3-27 - Prior to this change tests that required NTLM feature did not require - SSL feature. + ... also updated the HTTP3 build description for ngtcp2 accordingly. + +- [Patrick Monnerat brought this change] + + mime: fix the binary encoder to handle large data properly - There are pending changes to cmake builds that will allow enabling NTLM - in non-SSL builds in Windows. In that case the NTLM auth strings created - are different from what is expected by the NTLM tests and they fail: + New test 666 checks this is effective. + As upload buffer size is significant in this kind of tests, shorten it + in similar test 652. - "The issue with NTLM is that previous non-SSL builds would not enable - NTLM and so the NTLM tests would be skipped." + Fixes #4860 + Reported-by: RuurdBeerstra on github + +- [Patrick Monnerat brought this change] + + mime: do not perform more than one read in a row - Assisted-by: marc-groundctl@users.noreply.github.com + Input buffer filling may delay the data sending if data reads are slow. 
+ To overcome this problem, file and callback data reads do not accumulate + in buffer anymore. All other data (memory data and mime framing) are + considered as fast and still concatenated in buffer. + As this may highly impact performance in terms of data overhead, an early + end of part data check is added to spare a read call. + When encoding a part's data, an encoder may require more bytes than made + available by a single read. In this case, the above rule does not apply + and reads are performed until the encoder is able to deliver some data. - Ref: https://github.com/curl/curl/pull/4717#issuecomment-566218729 + Tests 643, 644, 645, 650 and 654 have been adapted to the output data + changes, with test data size reduced to avoid the boredom of long lists of + 1-byte chunks in verification data. + New test 664 checks mimepost using single-byte read callback with encoder. + New test 665 checks the end of part data early detection. - Closes https://github.com/curl/curl/pull/4768 + Fixes #4826 + Reported-by: MrdUkk on github -- [Michael Forney brought this change] +- [Patrick Monnerat brought this change] - bearssl: Improve I/O handling + mime: latch last read callback status. - Factor out common I/O loop as bearssl_run_until, which reads/writes TLS - records until the desired engine state is reached. This is now used for - the handshake, read, write, and close. + In case a read callback returns a status (pause, abort, eof, + error) instead of a byte count, drain the bytes read so far but + remember this status for further processing. + Takes care of not losing data when pausing, and properly resume a + paused mime structure when requested. + New tests 670-673 check unpausing cases, with easy or multi + interface and mime or form api. - Match OpenSSL SSL_write behavior, and don't return the number of bytes - written until the corresponding records have been completely flushed - across the socket. 
This involves keeping track of the length of data - buffered into the TLS engine, and assumes that when CURLE_AGAIN is - returned, the write function will be called again with the same data - and length arguments. This is the same requirement of SSL_write. + Fixes #4813 + Reported-by: MrdUkk on github + Closes #4833 + +Steve Holme (1 Mar 2020) +- unit1651: Fixed conversion compilation warning - Handle TLS close notify as EOF when reading by returning 0. + 371:17: warning: conversion to 'unsigned char' from 'int' may alter its + value [-Wconversion] - Closes https://github.com/curl/curl/pull/4748 + Closes #5008 -- travis: Fix error detection +- configure.ac: Disable metalink support if an incompatible SSL/TLS specified - - Stop using inline shell scripts for before_script and script sections. + tool_metalink only supports cryptography from OpenSSL, GnuTLS, NSS, + The Win32 Crypto library and Apple's Common Crypto library. - Prior to this change Travis could ignore errors from commands in inline - scripts. I don't understand how or why it happens. This is a workaround. + If an TLS backend such as mbedTLS or WolfSSL is specified then the + following error is given during compilation along, with a load of + unresolved extern errors: - Assisted-by: Simon Warta + Can't compile METALINK support without a crypto library. - Ref: https://github.com/travis-ci/travis-ci/issues/1066 + Reviewed-by: Daniel Stenberg + Closes #5006 + +Marc Hoersken (1 Mar 2020) +- ci/tests: Update Azure DevOps pipeline job display names - Fixes https://github.com/curl/curl/issues/3730 - Closes https://github.com/curl/curl/pull/3755 + Make the configure step more descriptive and align others. -- tool_operate: fix mem leak when failed config parse +- ci/tests: Fix typo in previous commit 597cf2 + +- ci/tests: Make sure that the AZURE_ACCESS_TOKEN is available - Found by fuzzing the config file. + For security reasons the access token is not available to PR builds. 
+ Therefore we should not try to use the DevOps API with an empty token. + +Daniel Stenberg (1 Mar 2020) +- build: remove all HAVE_OPENSSL_ENGINE_H defines - Reported-by: Geeknik Labs + ... as there's nothing in the code that actually uses the define! The + last reference was removed in 38203f158. - Fixes https://github.com/curl/curl/issues/4767 + Closes #5007 -- [Xiang Xiao brought this change] +Jay Satiro (29 Feb 2020) +- [Rolf Eike Beer brought this change] - lib: remove erroneous +x file permission on some c files + CMake: clean up and improve build procedures - Modified by commit eb9a604 accidentally. + - remove check for unsupported old CMake versions - Closes https://github.com/curl/curl/pull/4756 - -- [Xiang Xiao brought this change] - - lib: fix warnings found when porting to NuttX + - do not link to c-ares library twice - - Undefine DEBUGASSERT in curl_setup_once.h in case it was already - defined as a system macro. + - modernize custom Find modules - - Don't compile write32_le in curl_endian unless - CURL_SIZEOF_CURL_OFF_T > 4, since it's only used by Curl_write64_le. + - FindLibSSH2: + - pass version to FPHSA to show it in the output + - use LIBSSH2_VERSION define to extract the version number in + one shot. This variable exists in the header for 10 years. + - remove unneeded code - - Include in socketpair.c. 
+ - FindNGHTTP2.cmake: + - drop needless FPHSA argument + - mark found variables as advanced - Closes https://github.com/curl/curl/pull/4756 - -- os400: Add missing CURLE error constants + - FindNSS.cmake: + - show version number - Bug: https://github.com/curl/curl/pull/4754#issuecomment-569126922 - Reported-by: Emil Engler - -- CURLOPT_HEADERFUNCTION.3: Document that size is always 1 + - FindCARES.cmake: + - drop default paths + - use FPHSA instead of checking things by hand - For compatibility with `fwrite`, the `CURLOPT_HEADERFUNCTION` callback - is passed two `size_t` parameters which, when multiplied, designate the - number of bytes of data passed in. In practice, CURL always sets the - first parameter (`size`) to 1. + - remove needless explict variable dereference - This practice is also enshrined in documentation and cannot be changed - in future. The documentation states that the default callback is - `fwrite`, which means `fwrite` must be a suitable function for this - purpose. However, the documentation also states that the callback must - return the number of *bytes* it successfully handled, whereas ISO C - `fwrite` returns the number of items (each of size `size`) which it - wrote. The only way these numbers can be equal is if `size` is 1. + - simplify count_true() - Since `size` is 1 and can never be changed in future anyway, document - that fact explicitly and let users rely on it. + - allow all policies up to version 3.16 to be set to NEW - Reported-by: Frank Gevaerts - Commit-message-by: Christopher Head + - do not rerun check for -Wstrict-aliasing=3 every time - Ref: https://github.com/curl/curl/pull/2787 + In contrast to every other compiler flag this has a = in it, which CMake + can't have in a variable name. 
- Fixes https://github.com/curl/curl/issues/4758 + - only read the interesting strings from curlver.h + + Reviewed-by: Peter Wu + + Closes https://github.com/curl/curl/pull/4975 -- examples/postinmemory.c: Call curl_global_cleanup always +- runtests: fix output to command log - Prior to this change curl_global_cleanup was not called if - curl_easy_init failed. + - Record only the command of the most recently ran test in the command + log. - Reported-by: kouzhudong@users.noreply.github.com + This is a follow-up to 02988b7 from several weeks ago which fixed + writing to the command log, however it saved all commands for all tests + instead of just the most recently ran test as we would now expect. - Fixes https://github.com/curl/curl/issues/4751 + Fixes https://github.com/curl/curl/commit/02988b7#commitcomment-37546876 + Closes https://github.com/curl/curl/pull/5001 -Daniel Stenberg (21 Dec 2019) -- url2file.c: fix copyright year +Steve Holme (1 Mar 2020) +- polarssl: Additional removal - Follow-up to 525787269599b5 + Follow up to 6357a19f. + + Reviewed-by: Daniel Stenberg + Closes #5004 -- [Rickard Hallerbäck brought this change] +- [Jonathan Cardoso Machado brought this change] - examples/url2file.c: corrected a comment - - The comment was confusing and suggested that setting CURLOPT_NOPROGRESS - to 0L would both enable and disable debug output at the same time, like - a Schrödinger's cat of CURLOPTs. 
+ docs: fix typo on CURLINFO_RETRY_AFTER - alwaus -> always - Closes #4745 + Reviewed-by: Steve Holme + Closes #5005 -- HISTORY: OSS-Fuzz started fuzzing libcurl in 2017 +- md5: Added implementation for mbedTLS + + Reviewed-by: Jay Satiro + Closes #4980 -- RELEASE-NOTES: synced +- md5: Use pointer notation for array parameters in GnuTLS implementation -Jay Satiro (20 Dec 2019) -- ngtcp2: Support the latest update key callback type +- md4: Use non-deprecated functions in mbedTLS >= 2.7.0 - - Remove our cb_update_key in favor of ngtcp2's new - ngtcp2_crypto_update_key_cb which does the same thing. + Closes #4983 + +Marc Hoersken (29 Feb 2020) +- ci/tests: Send test results to Azure DevOps for reporting + +Daniel Stenberg (29 Feb 2020) +- pause: force-drain the transfer on unpause - Several days ago the ngtcp2_update_key callback function prototype was - changed in ngtcp2/ngtcp2@42ce09c. Though it would be possible to - fix up our cb_update_key for that change they also added - ngtcp2_crypto_update_key_cb which does the same thing so we'll use that - instead. + ... since the socket might not actually be readable anymore when for + example the data is already buffered in the TLS layer. - Ref: https://github.com/ngtcp2/ngtcp2/commit/42ce09c + Fixes #4966 + Reported-by: Anders Berg + Closes #5000 + +- TODO: curl --proxycommand - Closes https://github.com/curl/curl/pull/4735 + Suggested-by: Kristian Mide + Closes #4941 -Daniel Stenberg (19 Dec 2019) -- sws: search for "Testno:" header uncondtionally if no testno +- smtp: overwriting 'from' leaks memory - Even if the initial request line wasn't found. With the fix to 1455, the - test number is now detected correctly. + Detected by Coverity. CID 1418139. - (Problem found when running tests in random order.) + Also, make sure to return error if the new 'from' allocation fails. 
- Closes #4744 + Closes #4997 -- tests: set LC_ALL in more tests +- CIfuzz: switch off 'dry_run' mode - Follow-up to 23208e330ac0c21 + Follow-up from #4960: now make it fail if it detects problems. - Closes #4743 + Closes #4998 -- test165: set LC_ALL=en_US.UTF-8 too +Marc Hoersken (28 Feb 2020) +- ci/tests: Increase timeouts of Windows builds due to new tests - On my current Debian Unstable with libidn2 2.2.0, I get an error if - LC_ALL is set to blank. Then curl errors out with: + Recently added tests increased their runtime above the limit of 60min. + +- ci/tests: align Azure Pipeline job names with each other + +- ci/tests: Add Windows builds via Azure Pipelines using Docker + +- tests: fix Python 3 compatibility of smbserver.py + +Daniel Stenberg (27 Feb 2020) +- runtests: restore the command log - curl: (3) Failed to convert www.åäö.se to ACE; could not convert string to UTF-8 + The log file with all command lines for the invoked command lines is now + called logs/commands.log - Closes #4738 + Fixes #4911 + Closes #4989 -- curl.h: add two defines for the "pre ISO C" case +- smtp: fix memory leak on exit path - Without this fix, this caused a compilation failure on AIX with IBM xlc - 13.1.3 compiler. + Detected by Coverity. CID 1418139. "leaked_storage: Variable 'from' + going out of scope leaks the storage it points to" - Reported-by: Ram Krushna Mishra - Fixes #4739 - Closes #4740 + Closes #4990 -- create_conn: prefer multiplexing to using new connections +Steve Holme (27 Feb 2020) +- gtls: Fixed compilation when using GnuTLS < 3.5.0 - ... as it would previously prefer new connections rather than - multiplexing in most conditions! The (now removed) code was a leftover - from the Pipelining code that was translated wrongly into a - multiplex-only world. + Reverts the functionality from 41fcb4f when compiling with GnuTLS older + than 3.5.0. 
- Reported-by: Kunal Ekawde - Bug: https://curl.haxx.se/mail/lib-2019-12/0060.html - Closes #4732 + Reviewed-by: Daniel Stenberg + Closes #4984 -- test1456: remove the use of a fixed local port - - Fixup the test to instead not compare the port number. It sometimes - caused problems like this: +- RELEASE-NOTES: Corrected the link to issue #4892 + +Daniel Stenberg (27 Feb 2020) +- Curl_is_ASCII_name: handle a NULL argument - "curl: (45) bind failed with errno 98: Address already in use" + Make the function tolerate a NULL pointer input to avoid dereferencing + that pointer. - Closes #4733 + Follow-up to efce3ea5a85126d + Detected by OSS-Fuzz + Reviewed-By: Steve Holme + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20907 + Fixes #4985 + Closes #4986 -Jay Satiro (18 Dec 2019) -- CURLOPT_QUOTE.3: fix typos +- RELEASE-NOTES: synced + +- http2: make pausing/unpausing set/clear local stream window - Prior to this change the EXAMPLE in the QUOTE/PREQUOTE/POSTQUOTE man - pages would not compile because a variable name was incorrect. + This reduces the HTTP/2 window size to 32 MB since libcurl might have to + buffer up to this amount of data in memory and yet we don't want it set + lower to potentially impact tranfer performance on high speed networks. - Reported-by: Bylon2@users.noreply.github.com + Requires nghttp2 commit b3f85e2daa629 + (https://github.com/nghttp2/nghttp2/pull/1444) to work properly, to end + up in the next release after 1.40.0. - Fixes https://github.com/curl/curl/issues/4736 + Fixes #4939 + Closes #4940 -- [Gisle Vanem brought this change] +- [Anderson Toshiyuki Sasaki brought this change] - strerror: Fix compiler warning "empty expression" + libssh: improve known hosts handling - - Remove the final semi-colon in the SEC2TXT() macro definition. + Previously, it was not possible to get a known hosts file entry due to + the lack of an API. 
ssh_session_get_known_hosts_entry(), introduced in + libssh-0.9.0, allows libcurl to obtain such information and behave the + same as when compiled with libssh2. - Before: #define SEC2TXT(sec) case sec: txt = #sec; break; + This also tries to avoid the usage of deprecated functions when the + replacements are available. The behaviour will not change if versions + older than libssh-0.8.0 are used. - After: #define SEC2TXT(sec) case sec: txt = #sec; break + 
Signed-off-by: Anderson Toshiyuki Sasaki - Prior to this change SEC2TXT(foo); would generate break;; which caused - the empty expression warning. + Fixes #4953 + Closes #4962 + +Steve Holme (27 Feb 2020) +- tests: Automatically deduce the tool name from the test case for unit tests - Ref: https://github.com/curl/curl/commit/5b22e1a#r36458547 + It is still possible to override the executable to run during the test, + using the tag, but this patch removes the requirement that the + tag must be present for unit tests. + + It also removes the possibility of human error when existing test cases + are used as the basis for new tests, as recently witnessed in 81c37124. + + Reviewed-by: Daniel Stenberg + Closes #4976 -Daniel Stenberg (18 Dec 2019) -- curl/parseconfig: use curl_free() to free memory allocated by libcurl +- test1323: Added the missing 'unit test' feature requirement in the test case + +Daniel Stenberg (26 Feb 2020) +- cookie: remove unnecessary check for 'out != 0' - Reported-by: bxac on github - Fixes #4730 - Closes #4731 + ... as it will always be non-NULL at this point. + + Detected by Coverity: CID 1459009 -- curl/parseconfig: fix mem-leak +- http: added 417 response treatment - When looping, first trying '.curlrc' and then '_curlrc', the function - would not free the first string. + When doing a request with a body + Expect: 100-continue and the server + responds with a 417, the same request will be retried immediately + without the Expect: header. - Closes #4731 + Added test 357 to verify. + + Also added a control instruction to tell the sws test server to not read + the request body if Expect: is present, which the new test 357 uses. 
+ + Reported-by: bramus on github + Fixes #4949 + Closes #4964 -- CURLOPT_URL.3: "curl supports SMB version 1 (only)" +Steve Holme (26 Feb 2020) +- smtp: Tidy up, following recent changes, to maintain the coding style - [skip ci] + Closes #4892 -- test1270: a basic -w redirect_url test +- smtp: Support the SMTPUTF8 extension for the EXPN command - Closes #4728 + Simply notify the server we support the SMTPUTF8 extension if it does. -- HISTORY: the SMB(S) support landed in 2014 +- smtp: Support the SMTPUTF8 extension in the VRFY command -- define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore +- smtp: Support the SMTPUTF8 extension in the RCPT TO command - It is covered by USE_OPENSSL_ENGINE now. + Note: The RCPT TO command isn't required to advertise to the server that + it contains UTF-8 characters, instead the server is told that a mail may + contain UTF-8 in any envelope command via the MAIL command. + +- smtp: Support the SMTPUTF8 extension in the MAIL command - Reported-by: Gisle Vanem - Bug: https://github.com/curl/curl/commit/87b9337c8f76c21c57b204e88b68c6ecf3bd1ac0#commitcomment-36447951 + Support the SMTPUTF8 extension when sending mailbox information in the + MAIL command (FROM and AUTH parameters). Non-ASCII domain names will + be ACE encoded, if IDN is supported, whilst non-ASCII characters in + the local address part are passed to the server. - Closes #4725 + Reported-by: ygthien on github + Fixes #4828 -- lib: remove ASSIGNWITHINCONDITION exceptions, use our code style - - ... even for macros +- smtp: Detect server support for the UTF-8 extension as defined in RFC-6531 + +- smtp: Support UTF-8 based host names in the VRFY command + +- smtp: Support UTF-8 based host names in the RCPT TO command + +- smtp: Support UTF-8 based host names in the MAIL command - Reviewed-by: Daniel Gustafsson - Reviewed-by: Jay Satiro - Reported-by: Jay Satiro - Fixes #4683 - Closes #4722 + Non-ASCII host names will be ACE encoded if IDN is supported. 
-- tests: make sure checksrc runs on header files too +- url: Make the IDN conversion functions available to others -- Revert "checksrc: fix regexp for ASSIGNWITHINCONDITION" +- smtp: Added UTF-8 mailbox tests to verify existing behaviour + +- ftpserver: Updated VRFY_smtp() so the response isn't necessary in the test case + +- ftpserver: Corrected the e-mail address regex in MAIL_smtp() and RCTP_smtp() - This reverts commit ba82673dac3e8d00a76aa5e3779a0cb80e7442af. + The dot character between the host and the tld was not being escaped, + which meant it specified a match of 'any' character rather than an + explicit dot separator. - Bug: #4683 - -- KNOWN_BUGS: TLS session cache doesn't work with TFO + Additionally removed the dot character from the host name as it allowed + the following to be specified as a valid address in our test cases: - [skip ci] - Closes #4301 + + + Both are typos from 98f7ca7 and 8880f84 :( + + I can't remember whether my intention was to allow sub-domains to be + specified in the host or not with these additional dots, but by placing + it outside of the host means it can only be specified once per domain + and by placing a + after the new grouping support for sub-domains is + kept. + + Closes #4912 -- KNOWN_BUGS: Connection information when using TCP Fast Open +- hmac: Added a unit test for the HMAC hash generation - Also point to #4296 for more details - Closes #4296 + Closes #4973 -- KNOWN_BUGS: LDAP on Windows doesn't work +- ntlm: Moved the HMAC MD5 function into the HMAC module as a generic function + +- tests: Added a unit test for MD4 digest generation - Closes #4261 + Closes #4970 -- docs: TLS SRP doesn't work with TLS 1.3 +- md4: Use const for the length input parameter - Reported-by: sayrer on github - Closes #4262 - [skip ci] + This keeps the interface the same as md5 and sha256. -Dan Fandrich (16 Dec 2019) -- cirrus: Switch to the FreeBSD 12.1 point release & enable more tests. 
+- test1610: Fixed the link to the unit test - A few tests are now passing on FreeBSD, so no longer skip them. - [skip ci] + Typo from 81c37124. -Daniel Stenberg (16 Dec 2019) -- azure: the macos cmake doesn't need to install cmake +- ntlm: Removed the dependency on the TLS libaries when using MD5 - Error: cmake 3.15.5 is already installed - To upgrade to 3.16.1, run `brew upgrade cmake`. + As we have our own MD5 implementation use the MD5 wrapper to remove the + TLS dependency. - Closes #4723 + Closes #4967 -Jay Satiro (15 Dec 2019) -- winbuild: Document CURL_STATICLIB requirement for static libcurl +- md5/sha256: Updated the functions to allow non-string data to be hashed + +- digest: Corrected the name of the local HTTP digest function - A static libcurl (ie winbuild mode=static) requires that the user define - CURL_STATICLIB when using it in their application. This is already - covered in the FAQ and INSTALL.md, but is a pretty important point so - now it's noted in the BUILD.WINDOWS.txt as well. + Follow up to 2b5b37cb. Local static functions do not require the Curl + prefix. + +- tests: Added a unit test for SHA256 digest generation - Assisted-by: Michael Vittiglio + Follow up to 2b5b37c. - Closes https://github.com/curl/curl/pull/4721 - -Daniel Stenberg (15 Dec 2019) -- [Santino Keupp brought this change] + Closes #4968 - libssh2: add support for ECDSA and ed25519 knownhost keys +- md4: Fixed compilation issues when using GNU TLS gcrypt - ... if a new enough libssh2 version is present. + * Don't include 'struct' in the gcrypt MD4_CTX typedef + * The call to gcry_md_read() should use a dereferenced ctx + * The call to gcry_md_close() should use a dereferenced ctx - Source: https://curl.haxx.se/mail/archive-2019-12/0023.html - Co-Authored-by: Daniel Stenberg - Closes #4714 + Additional minor whitespace issue in the USE_WIN32_CRYPTO code. 
+ + Closes #4959 -- lib1591: free memory properly on OOM, in the trailers callback +Daniel Stenberg (21 Feb 2020) +- RELEASE-NOTES: synced + +- http2: now require nghttp2 >= 1.12.0 - Detected by torture tests. + To simplify our code and since earlier versions lack important function + calls libcurl needs to function correctly. - Closes #4720 + nghttp2 1.12.0 was relased on June 26, 2016. + + Closes #4961 -- runtests: --repeat=[num] to repeat tests +- gtls: fix the copyright year - Closes #4715 + Follow-up from 41fcb4f609 -- RELEASE-NOTES: synced +- [jethrogb brought this change] -- azure: add a torture test on mac + GnuTLS: Always send client cert - Uses --shallow=25 to keep it small enough to get through in time. + TLS servers may request a certificate from the client. This request + includes a list of 0 or more acceptable issuer DNs. The client may use + this list to determine which certificate to send. GnuTLS's default + behavior is to not send a client certificate if there is no + match. However, OpenSSL's default behavior is to send the configured + certificate. The `GNUTLS_FORCE_CLIENT_CERT` flag mimics OpenSSL + behavior. - Closes #4712 + Authored-by: jethrogb on github + Fixes #1411 + Closes #4958 -- multi: free sockhash on OOM +- [Leo Neat brought this change] + + github action: add CIFuzz - This would otherwise leak memory in the error path. + Closes #4960 + +- cleanup: comment typos - Detected by torture test 1540. + Spotted by 'codespell' - Closes #4713 + Closes #4957 -Marcel Raad (13 Dec 2019) -- tests: use DoH feature for DoH tests +Steve Holme (20 Feb 2020) +- win32: USE_WIN32_CRYPTO to enable Win32 based MD4, MD5 and SHA256 functions - Previously, http/2 was used instead. + Whilst lib\md4.c used this pre-processor, lib\md5.c and + src\tool_metalink.c did not and simply relied on the WIN32 + pre-processor directive. 
- Assisted-by: Jay Satiro - Closes https://github.com/curl/curl/pull/4692 + Reviewed-by: Marcel Raad + Closes #4955 -- hostip: suppress compiler warning +Daniel Stenberg (19 Feb 2020) +- connect: remove some spurious infof() calls - With `--disable-doh --disable-threaded-resolver`, the `dns` parameter - is not used. + As they were added primarily for debugging, they provide little use for + users. - Closes https://github.com/curl/curl/pull/4692 + Closes #4951 -- tests: fix build with `CURL_DISABLE_DOH` +- HTTP-COOKIES: mention that a trailing newline is required - Closes https://github.com/curl/curl/pull/4692 - -Daniel Stenberg (13 Dec 2019) -- azure: add a torture test + ... so that we know we got the whole and not a partial line. - Skipping all FTP tests for speed reasons. + Also, changed the formatting of the fields away from a table again since + the table format requires a github-markdown tool version that we don't + run on the web server atm. - Closes #4697 + Reported-by: Sunny Bean + Fixes #4946 + Closes #4947 -- azure: make the default build use --enable-debug --enable-werror +- nit: Copyright year out of date + + Follow-up to 1fc0617dcc -- ntlm_wb: fix double-free in OOM +Jay Satiro (18 Feb 2020) +- tool_util: Improve Windows version of tvnow() - Detected by torture testing test 1310 + - Change tool_util.c tvnow() for Windows to match more closely to + timeval.c Curl_now(). - Closes #4710 + - Create a win32 init function for the tool, since some initialization + is required for the tvnow() changes. + + Prior to this change the monotonic time function used by curl in Windows + was determined at build-time and not runtime. That was a problem because + when curl was built targeted for compatibility with old versions of + Windows (eg _WIN32_WINNT < 0x0600) it would use GetTickCount which wraps + every 49.7 days that Windows has been running. 
+ + This change makes curl behave similar to libcurl's tvnow function, which + determines at runtime whether the OS is Vista+ and if so calls + QueryPerformanceCounter instead. (Note QueryPerformanceCounter is used + because it has higher resolution than the more obvious candidate + GetTickCount64). The changes to tvnow are basically a copy and paste but + the types in some cases are different. + + Ref: https://github.com/curl/curl/issues/3309 + + Closes https://github.com/curl/curl/pull/4847 -Dan Fandrich (13 Dec 2019) -- cirrus: Drop the FreeBSD 10.4 build +Daniel Stenberg (18 Feb 2020) +- SOCKS: fix typo in printf formatting - Upstream support for 10.4 ended a year ago, and it looks like the image - is now gone, too. - [skip ci] + Follow-up to 4a4b63daa + + Reported-by: Peter Piekarski + Bug: https://github.com/curl/curl/commit/4a4b63daaa01ef59b131d91e8e6e6dfe275c0f08#r37351330 -Daniel Stenberg (13 Dec 2019) -- unit1620: fix bad free in OOM +- CURLOPT_REDIR_PROTOCOLS.3: update the DEFAULT section - Closes #4709 + to be in sync with the description above + + Reported-by: Joonas Kuorilehto + Fixes #4943 + Closes #4945 -- unit1609: fix mem-leak in OOM +- docs/GOVERNANCE: refreshed + added "donations" and "commercial support" + +- altsvc: make saving the cache an atomic operation - Closes #4709 + ... by writing the file to temp name then rename to the final when done. + + Assisted-by: Jay Satiro + Fixes #4936 + Closes #4942 -- unit1607: fix mem-leak in OOM +- rename: a new file for Curl_rename() - Closes #4709 + And make the cookie save function use it. -- lib1559: fix mem-leak in OOM +- cookies: make saving atomic with a rename - Closes #4709 + Saves the file as "[filename].[8 random hex digits].tmp" and renames + away the extension when done. 
+ + Co-authored-by: Jay Satiro + Reported-by: Mike Frysinger + Fixes #4914 + Closes #4926 -- lib1557: fix mem-leak in OOM +- RELEASE-NOTES: synced + +- socks: make the connect phase non-blocking - Closes #4709 + Removes two entries from KNOWN_BUGS. + + Closes #4907 -- altsvc: make the save function ignore NULL filenames +- multi: if Curl_readwrite sets 'comeback' use expire, not loop - It might happen in OOM situations. Detected bv torture tests. + Otherwise, a very fast single transfer ricks starving out other + concurrent transfers. - Closes #4707 + Closes #4927 -- curl: fix memory leak in OOM in etags logic +- ftp: convert 'sock_accepted' to a plain boolean - Detected by torture tests + This was an array indexed with sockindex but it was only ever used for + the secondary socket. - Closes #4706 + Closes #4929 -- doh: make it behave when built without proxy support +Jay Satiro (15 Feb 2020) +- CURLINFO_COOKIELIST.3: Fix example - Reported-by: Marcel Raad - Bug: https://github.com/curl/curl/pull/4692#issuecomment-564115734 + Prior to this change the example would try to import cookies from stdin, + which wasn't what was intended. - Closes #4704 + Reported-by: 3dyd@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/4930 -- curl: improved cleanup in upload error path +Daniel Stenberg (14 Feb 2020) +- TODO: Paged searches on LDAP server - Memory leak found by torture test 58 + Closes #4452 + +- TODO: CURLOPT_SSL_CTX_FUNCTION for LDAPS - Closes #4705 + Closes #4108 -- mailmap: fix Andrew Ishchuk +- azure: disable brotli on the macos debug-builds + + Because of: + + brotli/decode.h:204:33: error: variable length array used [-Werror,-Wvla] + const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)], + + Closes #4925 -- travis: make torture use --shallow=40 +Steve Holme (13 Feb 2020) +- tool_home: Fix the copyright year being out of date - As a first step to enable it to run over a more diverse set of tests in - a reasonable time. 
+ Follow up to 9dc350b6. -- runtests: introduce --shallow to reduce huge torture tests +Jay Satiro (12 Feb 2020) +- tool_homedir: Change GetEnv() to use libcurl's curl_getenv() - When set, shallow mode limits runtests -t to make no more than NUM fails - per test case. If more are found, it will randomly discard entries until - the number is right. The random seed can also be set. + - Deduplicate GetEnv() code. - This is particularly useful when running MANY tests as then most torture - failures will already fail the same functions over and over and make the - total operation painfully tedious. + - On Windows change ultimate call to use Windows API + GetEnvironmentVariable() instead of C runtime getenv(). - Closes #4699 + Prior to this change both libcurl and the tool had their own GetEnv + which over time diverged. Now the tool's GetEnv is a wrapper around + curl_getenv (libcurl API function which is itself a wrapper around + libcurl's GetEnv). + + Furthermore this change fixes a bug in that Windows API + GetEnvironmentVariable() is called instead of C runtime getenv() to get + the environment variable since some changes aren't always visible to the + latter. + + Reported-by: Christoph M. Becker + + Fixes https://github.com/curl/curl/issues/4774 + Closes https://github.com/curl/curl/pull/4863 -- conncache: CONNECT_ONLY connections assumed always in-use +Daniel Stenberg (12 Feb 2020) +- strerror.h: Copyright year out of date - This makes them never to be considered "the oldest" to be discarded when - reaching the connection cache limit. The reasoning here is that - CONNECT_ONLY is primarily used in combination with using the - connection's socket post connect and since that is used outside of - curl's knowledge we must assume that it is in use until explicitly - closed. 
+ Follow-up to 1c4fa67e8a8fcf6 + +Jay Satiro (12 Feb 2020) +- strerror: Increase STRERROR_LEN 128 -> 256 - Reported-by: Pavel Pavlov - Reported-by: Pavel Löbl - Fixes #4426 - Fixes #4369 - Closes #4696 + STRERROR_LEN is the constant used throughout the library to set the size + of the buffer on the stack that the curl strerror functions write to. + + Prior to this change some extended length Windows error messages could + be truncated. + + Closes https://github.com/curl/curl/pull/4920 -- [Gisle Vanem brought this change] +- multi: fix outdated comment + + - Do not say that conn->data is "cleared" by multi_done(). + + If the connection is in use then multi_done assigns another easy handle + still using the connection to conn->data, therefore in that case it is + not cleared. + + Closes https://github.com/curl/curl/pull/4901 - vtls: make BearSSL possible to set with CURL_SSL_BACKEND +- easy: remove dead code - Ref: https://github.com/curl/curl/commit/9b879160df01e7ddbb4770904391d3b74114302b#commitcomment-36355622 + multi is already assigned to data->multi by curl_multi_add_handle. - Closes #4698 + Closes https://github.com/curl/curl/pull/4900 + +Daniel Stenberg (12 Feb 2020) +- create-dirs.d: mention the mode + + Reported-by: Dan Jacobson + Fixes #4766 + Closes #4916 + +- CURLOPT_ALTSVC_CTRL.3: fix the DEFAULT wording + + Assisted-by: Jay Satiro + Reported-by: Craig Andrews + Fixes #4909 + Closes #4910 - RELEASE-NOTES: synced -- travis: remove "coverage", make it "torture" +Steve Holme (9 Feb 2020) +- smtp: Simplify the MAIL command and avoid a duplication of send strings - The coveralls service and test coverage numbers are just too unreliable. - Removed badge from README.md as well. + This avoids the duplication of strings when the optional AUTH and SIZE + parameters are required. It also assists with the modifications that + are part of #4892. 
- Fixes #4694 - Closes #4695 + Closes #4903 -- azure: add libssh2 and cmake macos builds +Daniel Stenberg (9 Feb 2020) +- altsvc: keep a copy of the file name to survive handle reset - Removed the macos libssh2 build from travis + The alt-svc cache survives a call to curl_easy_reset fine, but the file + name to use for saving the cache was cleared. Now the alt-svc cache has + a copy of the file name to survive handle resets. - Closes #4686 + Added test 1908 to verify. + + Reported-by: Craig Andrews + Fixes #4898 + Closes #4902 -- curl: use errorf() better +Steve Holme (9 Feb 2020) +- url: Include the failure reason when curl_win32_idn_to_ascii() fails - Change series of error outputs to use errorf(). + Provide the failure reason in the failf() info just as we do for the + libidn2 version of code. - Only errors that are due to mistakes in command line option usage should - use helpf(), other types of errors in the tool should rather use - errorf(). + Closes #4899 + +Jay Satiro (9 Feb 2020) +- asyn-thread: remove dead code + +Daniel Stenberg (8 Feb 2020) +- [Emil Engler brought this change] + + github: Instructions to post "uname -a" on Unix systems in issues - Closes #4691 + Closes #4896 -Jay Satiro (9 Dec 2019) -- [Marc Hoersken brought this change] +- [Cristian Greco brought this change] - tests: make it possible to set executable extensions + configure.ac: fix comments about --with-quiche - This enables the use of Windows Subsystem for Linux (WSL) to run the - testsuite against Windows binaries while using Linux servers. + A simple s/nghttp3/quiche in some comments of --with-quiche. + Looks like a copy-paste error from --with-nghttp3. 
- This commit introduces the following environment variables: - - CURL_TEST_EXE_EXT: set the executable extension for all components - - CURL_TEST_EXE_EXT_TOOL: set it for the curl tool only - - CURL_TEST_EXE_EXT_SSH: set it for the SSH tools only + Closes #4897 + +Steve Holme (7 Feb 2020) +- checksrc.bat: Fix not being able to run script from the main curl directory - Later testcurl.pl could be adjusted to make use of those variables. - - CURL_TEST_EXE_EXT_SRV: set it for the test servers only + If the script was ran from the main curl directory rather then the + projects directory then the script would simply exit without error: - (This is one of several commits to support use of WSL for the tests.) + C:\url> projects\checksrc.bat - Closes https://github.com/curl/curl/pull/3899 + The user would either need to change to the projects directory, + explicitly specify the current working directory, or perform a + oneline hacky workaround: + + C:\url> cd projects + C:\url\projects> checksrc.bat + + C:\url> checksrc.bat %cd% + + C:\url> pushd projects & checksrc.bat & popd + + Closes #4894 -- [Marc Hoersken brought this change] +Daniel Stenberg (7 Feb 2020) +- [Pierre-Yves Bigourdan brought this change] - tests: fix permissions of ssh keys in WSL + digest: Do not quote algorithm in HTTP authorisation - Keys created on Windows Subsystem for Linux (WSL) require it for some - reason. + RFC 7616 section 3.4 (The Authorization Header Field) states that "For + historical reasons, a sender MUST NOT generate the quoted string syntax + for the following parameters: algorithm, qop, and nc". This removes the + quoting for the algorithm parameter. - (This is one of several commits to support use of WSL for the tests.) 
+ Reviewed-by: Steve Holme + Closes #4890 + +- ftp: remove the duplicated user/password struct fields - Ref: https://github.com/curl/curl/pull/3899 + Closes #4887 -- [Marc Hoersken brought this change] +- ftp: remove superfluous checking for crlf in user or pwd + + ... as this is already done much earlier in the URL parser. + + Also add test case 894 that verifies that pop3 with an encodedd CR in + the user name is rejected. + + Closes #4887 - tests: use \r\n for log messages in WSL +Steve Holme (6 Feb 2020) +- ntlm_wb: Use Curl_socketpair() for greater portability - Bash in Windows Subsystem for Linux (WSL) requires it for some reason. + Reported-by: Daniel Stenberg + Closes #4886 + +Daniel Stenberg (5 Feb 2020) +- [Frank Gevaerts brought this change] + + contributors: Also include people who contributed to curl-www - (This is one of several commits to support use of WSL for the tests.) + Closes #4884 + +- [Frank Gevaerts brought this change] + + contrithanks: Use the most recent tag by default - Ref: https://github.com/curl/curl/pull/3899 + (similar to 5296abe) + + Closes #4883 -- [Andrew Ishchuk brought this change] +- scripts: use last set tag if none given + + Makes 'delta' and 'contributors.sh' easier to use. + + Make the delta script invoke contrithanks to get current number of + contributors instead of counting THANKS, for accuracy. + + Closes #4881 - winbuild: Define CARES_STATICLIB when WITH_CARES=static +- ftp: shrink temp buffers used for PORT - When libcurl is built with MODE=static, c-ares is forced into static - linkage too. That doesn't happen when MODE=dll so linker would break - over undefined symbols. + These two stack based buffers only need to be 46 + 66 bytes instead of + 256 + 1024. 
- closes https://github.com/curl/curl/pull/4688 + Closes #4880 -Daniel Stenberg (9 Dec 2019) -- conn: always set bits.close with connclose() +- curl: error on --alt-svc use w/o support - Closes #4690 + Make the tool check for alt-svc support at run-time and return error + accordingly if not present when the option is used. + + Reported-by: Harry Sintonen + Closes #4878 -- cirrus: enable clang sanitizers on freebsd 13 +- docs/HTTP3: add --enable-alt-svc to curl's configure -- conncache: fix multi-thread use of shared connection cache +- RELEASE-PROCEDURE: feature win is closed post-release a few days - It could accidentally let the connection get used by more than one - thread, leading to double-free and more. + We've tried to uphold this already but let's make it official by + publicly stating this is the way we do it. - Reported-by: Christopher Reid - Fixes #4544 - Closes #4557 + Closes #4877 -- azure: add a vanilla macos build +- altsvc: set h3 version at a common single spot - Closes #4685 + ... and move the #ifdefs out of the functions. Addresses the fact they + were different before this change. + + Reported-by: Harry Sintonen + Closes #4876 -- curl: make the etag load logic work without fseek +- [Harry Sintonen brought this change] + + altsvc: improved header parser - The fseek()s were unnecessary and caused Coverity warning CID 1456554 + - Fixed the flag parsing to apply to specific alternative entry only, as + per RFC. The earlier code would also get totally confused by + multiprotocol header, parsing flags from the wrong part of the header. - Closes #4681 + - Fixed the parser terminating on unknown protocols, instead of skipping + them. + + - Fixed a busyloop when protocol-id was present without an equal sign. 
+ + Closes #4875 -- mailmap: Mohammad Hasbini +- [Harry Sintonen brought this change] -- [Mohammad Hasbini brought this change] + ngtcp2: fixed to only use AF_INET6 when ENABLE_IPV6 - docs: fix some typos +- docs/HTTP3: update the OpenSSL branch to use for ngtcp2 - Closes #4680 + Reported-by: James Fuller +Steve Holme (4 Feb 2020) +- ntlm: Pass the Curl_easy structure to the private winbind functions + + ...rather than the full conndata structure. + +Daniel Stenberg (4 Feb 2020) - RELEASE-NOTES: synced -Jay Satiro (5 Dec 2019) -- lib: fix some loose ends for recently added CURLSSLOPT_NO_PARTIALCHAIN +- tool_operhlp: Copyright year out of date, should be 2020 - Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS - and OS400 package spec. + Follow-up from 2bc373740a3 + +- [Orgad Shaneh brought this change] + + curl: avoid using strlen for testing if a string is empty - Also I added the option to the NameValue list in the tool even though it - isn't exposed as a command-line option (...yet?). (NameValue stringizes - the option name for the curl cmd -> libcurl source generator) + Closes #4873 + +Steve Holme (3 Feb 2020) +- ntlm: Ensure the HTTP header data is not stored in the challenge/response + +Marcel Raad (3 Feb 2020) +- openssl: remove redundant assignment - Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN. + Fixes a scan-build failure on Bionic. - Ref: https://github.com/curl/curl/pull/4655 + Closes https://github.com/curl/curl/pull/4872 -- setopt: Fix ALPN / NPN user option when built without HTTP2 +- travis: update non-OpenSSL Linux jobs to Bionic - - Stop treating lack of HTTP2 as an unknown option error result for - CURLOPT_SSL_ENABLE_ALPN and CURLOPT_SSL_ENABLE_NPN. + For the OpenSSL builds, test 323 [TLS-SRP to non-TLS-SRP server] is + failing with "curl returned 52, when expecting 35". - Prior to this change it was impossible to disable ALPN / NPN if libcurl - was built without HTTP2. 
Setting either option would result in - CURLE_UNKNOWN_OPTION and the respective internal option would not be - set. That was incorrect since ALPN and NPN are used independent of - HTTP2. + Closes https://github.com/curl/curl/pull/4872 + +Dan Fandrich (3 Feb 2020) +- cirrus: Add some missing semicolons - Reported-by: Shailesh Kapse + Newlines aren't preserved in this section so they're needed to separate + commands. The exports luckily worked anyway as a single long line, but + erroneously exported a variable called "export" + [skip ci] + +Daniel Gustafsson (2 Feb 2020) +- [Pedro Monreal brought this change] + + cleanup: fix typos and wording in docs and comments - Fixes https://github.com/curl/curl/issues/4668 - Closes https://github.com/curl/curl/pull/4672 + Closes #4869 + Reviewed-by: Emil Engler and Daniel Gustafsson -Daniel Stenberg (5 Dec 2019) -- etag: allow both --etag-compare and --etag-save in same cmdline +Steve Holme (2 Feb 2020) +- ntlm: Move the winbind data into the NTLM data structure - Fixes #4669 - Closes #4678 + To assist with adding winbind support to the SASL NTLM authentication, + move the winbind specific data out of conndata into ntlmdata. -Marcel Raad (5 Dec 2019) -- curl_setup: fix `CURLRES_IPV6` condition +Daniel Stenberg (30 Jan 2020) +- quiche: Copyright year out of date - Move the definition of `CURLRES_IPV6` to before undefining - `HAVE_GETADDRINFO`. Regression from commit 67a08dca27a which caused - some tests to fail and others to be skipped with c-ares. + Follow-up to 7fc63d72333a + +- altsvc: use h3-25 - Fixes https://github.com/curl/curl/issues/4673 - Closes https://github.com/curl/curl/pull/4677 + Closes #4868 -Daniel Stenberg (5 Dec 2019) -- test342: make it return a 304 as the tag matches +- [Alessandro Ghedini brought this change] -Peter Wu (4 Dec 2019) -- CMake: add support for building with the NSS vtls backend + quiche: update to draft-25 - Options are cross-checked with configure.ac and acinclude.m4. 
- Tested on Arch Linux, untested on other platforms like Windows or macOS. + Closes #4867 + +- ngtcp2: update to git master and its draft-25 support - Closes #4663 - Reviewed-by: Kamil Dudka + Closes #4865 -Daniel Stenberg (4 Dec 2019) -- azure: add more builds +- cookie: check __Secure- and __Host- case sensitively - ... removed two from travis (that now runs on azure instead) + While most keywords in cookies are case insensitive, these prefixes are + specified explicitly to get checked "with a case-sensitive match". - Closes #4671 + (From the 6265bis document in progress) + + Ref: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-04 + Closes #4864 -- CURLOPT_VERBOSE.3: see also ERRORBUFFER +- KNOWN_BUGS: Multiple methods in a single WWW-Authenticate: header -- hostip4.c: bump copyright year range +- oauth2-bearer.d: works for HTTP too + + Reported-by: Mischa Salle + Bug: https://curl.haxx.se/mail/lib-2020-01/0070.html + Closes #4862 -Marcel Raad (3 Dec 2019) -- configure: enable IPv6 support without `getaddrinfo` +- multi_done: if multiplexed, make conn->data point to another transfer - This makes it possible to recognize and connect to literal IPv6 - addresses when `getaddrinfo` is not available, which is already the - case for the CMake build. This affects e.g. classic MinGW because it - still targets Windows 2000 by default, where `getaddrinfo` is not - available, but general IPv6 support is. + ... since the current transfer is being killed. Setting to NULL is + wrong, leaving it pointing to 'data' is wrong since that handle might be + about to get freed. - Instead of checking for `getaddrinfo`, check for `sockaddr_in6` as the - CMake build does. + Fixes #4845 + Closes #4858 + Reported-by: dmitrmax on github + +- location.d: the method change is from POST to GET only - Closes https://github.com/curl/curl/pull/4662 + Not from generic non-GET to GET. 
+ + Reported-by: Andrius Merkys + Ref: #4859 + Closes #4861 -- curl_setup: disable IPv6 resolver without `getaddrinfo` +- urlapi: guess scheme correct even with credentials given - Also, use `CURLRES_IPV6` only for actual DNS resolution, not for IPv6 - address support. This makes it possible to connect to IPv6 literals by - setting `ENABLE_IPV6` even without `getaddrinfo` support. It also fixes - the CMake build when using the synchronous resolver without - `getaddrinfo` support. + In the "scheme-less" parsing case, we need to strip off credentials + first before we guess scheme based on the host name! - Closes https://github.com/curl/curl/pull/4662 + Assisted-by: Jay Satiro + Fixes #4856 + Closes #4857 -Daniel Stenberg (3 Dec 2019) -- github action/azure pipeline: run 'make test-nonflaky' for tests +- global_init: move the IPv6 works status bool to multi handle - To match travis and give more info on failures. + Previously it was stored in a global state which contributed to + curl_global_init's thread unsafety. This boolean is now instead figured + out in curl_multi_init() and stored in the multi handle. Less effective, + but thread safe. + + Closes #4851 -- openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains +- [Jay Satiro brought this change] + + README: mention that the docs is in docs/ - Closes #4655 + Reported-by: Austin Green + Fixes #4830 + Closes #4853 -- openssl: set X509_V_FLAG_PARTIAL_CHAIN +- curl.h: define CURL_WIN32 on windows - Have intermediate certificates in the trust store be treated as - trust-anchors, in the same way as self-signed root CA certificates - are. This allows users to verify servers using the intermediate cert - only, instead of needing the whole chain. + ... so that the subsequent logic below can use a single known define to know + when built on Windows (as we don't define WIN32 anymore). - Other TLS backends already accept partial chains. 
+ Follow-up to 1adebe7886ddf20b - Reported-by: Jeffrey Walton - Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html + Reported-by: crazydef on github + Assisted-by: Marcel Raad + Fixes #4854 + Closes #4855 -- curl: show better error message when no homedir is found +- RELEASE-NOTES: synced + +- [Jon Rumsey brought this change] + + urldata: do string enums without #ifdefs for build scripts - Reported-by: Vlastimil Ovčáčík - Fixes #4644 - Closes #4665 + ... and check for inconsistencies for OS400 at build time with the new + chkstrings tool. + + Closes #4822 -- OPENSOCKETFUNCTION.3: correct the purpose description +- curl: make the -# spaceship bar not wrap the line - Reported-by: Jeff Mears - Bug: https://curl.haxx.se/mail/lib-2019-12/0007.html + The fixed-point math made us lose precision and thus a too high index + value could be used for outputting the hashtags which could overwrite + the newline. - Closes #4667 + The fix increases the precision in the sine table (*100) and the + associated position math. + + Reported-by: Andrew Potter + Fixes #4849 + Closes #4850 -- [Peter Wu brought this change] +- global_init: assume the EINTR bit by default + + - Removed from global_init since it isn't thread-safe. The symbol will + still remain to not break compiles, it just won't have any effect going + forward. + + - make the internals NOT loop on EINTR (the opposite from previously). + It only risks returning from the select/poll/wait functions early, and that + should be risk-free. + + Closes #4840 - travis: do not use OVERRIDE_CC or OVERRIDE_CXX if empty +- [Peter Piekarski brought this change] + + conn: do not reuse connection if SOCKS proxy credentials differ - Fixes the macOS builds where OVERRIDE_CC and OVERRIDE_CXX are not set. 
+ Closes #4835 + +- llist: removed unused Curl_llist_move() - Reported-by: Jay Satiro - Fixes #4659 - Closes #4661 - Closes #4664 + (and the corresponding unit test) + + Closes #4842 -- azure-pipelines: fix the test script +- conncache: removed unused Curl_conncache_bundle_size() -- Azure Pipelines: initial CI setup +- strcase: turn Curl_raw_tolower into static - [skip ci] + Only ever used from within this file. -- docs: add "added: 7.68.0" to the --etag-* docs +- singleuse.pl: support new API functions, fix curl_dbg_ handling -- copyright: fix the year ranges for two files +- wolfssh: make it init properly via Curl_ssh_init() - Follow-up to 9c1806ae + Closes #4846 -Jay Satiro (1 Dec 2019) -- build: Disable Visual Studio warning "conditional expression is constant" +- [Aron Rotteveel brought this change] + + form.d: fix two minor typos - - Disable warning C4127 "conditional expression is constant" globally - in curl_setup.h for when building with Microsoft's compiler. + Closes #4843 + +- openssl: make CURLINFO_CERTINFO not truncate x509v3 fields - This mainly affects building with the Visual Studio project files found - in the projects dir. + Avoid "reparsing" the content and instead deliver more exactly what is + provided in the certificate and avoid truncating the data after 512 + bytes as done previously. This no longer removes embedded newlines. - Prior to this change the cmake and winbuild build systems already - disabled 4127 globally for when building with Microsoft's compiler. - Also, 4127 was already disabled for all build systems in the limited - circumstance of the WHILE_FALSE macro which disabled the warning - specifically for while(0). This commit removes the WHILE_FALSE macro and - all other cruft in favor of disabling globally in curl_setup. 
+ Fixes #4837 + Reported-by: bnfp on github + Closes #4841 + +Jay Satiro (23 Jan 2020) +- CURLOPT_PROXY_SSL_OPTIONS.3: Sync with CURLOPT_SSL_OPTIONS.3 - Background: + - Copy CURLOPT_SSL_OPTIONS.3 description to CURLOPT_PROXY_SSL_OPTIONS.3. - We have various macros that cause 0 or 1 to be evaluated, which would - cause warning C4127 in Visual Studio. For example this causes it: + Prior to this change CURLSSLOPT_NO_PARTIALCHAIN was missing from the + CURLOPT_PROXY_SSL_OPTIONS description. + +Daniel Stenberg (22 Jan 2020) +- mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER - #define Curl_resolver_asynch() 1 + For now, no cert in the bundle actually sets a date there... - Full behavior is not clearly defined and inconsistent across versions. - However it is documented that since VS 2015 Update 3 Microsoft has - addressed this somewhat but not entirely, not warning on while(true) for - example. + Co-Authored-by: Jay Satiro + Reported-by: Christian Heimes + Fixes #4834 + Closes #4836 + +- RELEASE-NOTES: synced + +- [Pavel Volgarev brought this change] + + smtp: Allow RCPT TO command to fail for some recipients - Prior to this change some C4127 warnings occurred when I built with - Visual Studio using the generated projects in the projects dir. + Introduces CURLOPT_MAIL_RCPT_ALLLOWFAILS. - Closes https://github.com/curl/curl/pull/4658 + Verified with the new tests 3002-3007 + + Closes #4816 -- openssl: retrieve reported LibreSSL version at runtime +- copyright: fix year ranges - - Retrieve LibreSSL runtime version when supported (>= 2.7.1). + follow-up from dea17b519d (one of these days I'll learn to check before + I push) + +- [nao brought this change] + + http: move "oauth_bearer" from connectdata to Curl_easy - For earlier versions we continue to use the compile-time version. + Fixes the bug where oauth_bearer gets deallocated when we re-use a + connection. 
- Ref: https://man.openbsd.org/OPENSSL_VERSION_NUMBER.3 + Closes #4824 + +- [Emil Engler brought this change] + + curl: Let -D merge headers in one file again - Closes https://github.com/curl/curl/pull/2425 + Closes #4762 + Fixes #4753 -- strerror: Add Curl_winapi_strerror for Win API specific errors +- data.d: remove "Multiple files can also be specified" - - In all code call Curl_winapi_strerror instead of Curl_strerror when - the error code is known to be from Windows GetLastError. - - Curl_strerror prefers CRT error codes (errno) over Windows API error - codes (GetLastError) when the two overlap. When we know the error code - is from GetLastError it is more accurate to prefer the Windows API error - messages. - - Reported-by: Richard Alcock + It is superfluous and could even be misleading. - Fixes https://github.com/curl/curl/issues/4550 - Closes https://github.com/curl/curl/pull/4581 + Bug: https://curl.haxx.se/mail/archive-2020-01/0016.html + Reported-by: Mike Norton + Closes #4832 -Daniel Stenberg (2 Dec 2019) -- global_init: undo the "intialized" bump in case of failure +Marcel Raad (20 Jan 2020) +- CMake: support specifying the target Windows version - ... so that failures in the global init function don't count as a - working init and it can then be called again. + Previously, it was only possible to set it to Windows Vista or XP by + setting the option `ENABLE_INET_PTON` to `ON` resp. `OFF`. + Use a new cache variable `CURL_TARGET_WINDOWS_VERSION` to be able to + explicitly set the target Windows version. `ENABLE_INET_PTON` is + ignored in this case. - Reported-by: Paul Groke - Fixes #4636 - Closes #4653 + Ref: https://github.com/curl/curl/pull/1639#issuecomment-313039352 + Ref: https://github.com/curl/curl/pull/4607#issuecomment-557541456 + Closes https://github.com/curl/curl/pull/4815 -- parsedate: offer a getdate_capped() alternative - - ... and use internally. 
This function will return TIME_T_MAX instead of - failure if the parsed data is found to be larger than what can be - represented. TIME_T_MAX being the largest value curl can represent. +Daniel Stenberg (20 Jan 2020) +- http.h: Copyright year out of date, should be 2020 - Reviewed-by: Daniel Gustafsson - Reported-by: JanB on github - Fixes #4152 - Closes #4651 + Follow-up to 7ff9222ced8c -- docs: add more references to curl_multi_poll - - Fixes #4643 - Closes #4652 +- [加藤郁之 brought this change] -- sha256: bump the copyright year range + HTTP: increase EXPECT_100_THRESHOLD to 1Mb - Follow-up from 66e21520f - -Daniel Gustafsson (28 Nov 2019) -- curl_setup_once: consistently use WHILE_FALSE in macros + Mentioned: https://curl.haxx.se/mail/lib-2020-01/0050.html - The WHILE_FALSE construction is used to avoid compiler warnings in - macro constructions. This fixes a few instances where it was not - used in order to keep the code consistent. + Closes #4814 + +- ROADMAP: thread-safe `curl_global_init()` - Closes #4649 - Reviewed-by: Daniel Stenberg + I'd like to see this happen. -Daniel Stenberg (28 Nov 2019) -- [Steve Holme brought this change] +- RELEASE-NOTES: synced - http_ntlm: Remove duplicate NSS initialisation +- wolfssl: use the wc-prefixed symbol alternatives - Given that this is performed by the NTLM code there is no need to - perform the initialisation in the HTTP layer. This also keeps the - initialisation the same as the SASL based protocols and also fixes a - possible compilation issue if both NSS and SSPI were to be used as - multiple SSL backends. + The symbols without wc_ prefix are not always provided. 
- Reviewed-by: Kamil Dudka - Closes #3935 + Ref: https://github.com/wolfSSL/wolfssl/issues/2744 + + Closes #4827 -Daniel Gustafsson (28 Nov 2019) -- checksrc: fix regexp for ASSIGNWITHINCONDITION +- polarssl: removed - The regexp looking for assignments within conditions was too greedy - and matched a too long string in the case of multiple conditionals - on the same line. This is basically only a problem in single line - macros, and the code which exemplified this was essentially: + As detailed in DEPRECATE.md, the polarssl support is now removed after + having been disabled for 6 months and nobody has missed it. - do { if((x) != NULL) { x = NULL; } } while(0) + The threadlock files used by mbedtls are renamed to an 'mbedtls' prefix + instead of the former 'polarssl' and the common functions that + previously were shared between mbedtls and polarssl and contained the + name 'polarssl' have now all been renamed to instead say 'mbedtls'. - ..where the final parenthesis of while(0) matched the regexp, and - the legal assignment in the block triggered the warning. Fix by - making the regexp less greedy by matching for the tell-tale signs - of the if statement ending. + Closes #4825 + +Marcel Raad (16 Jan 2020) +- libssh2: fix variable type - Also remove the one occurrence where the warning was disabled due - to a construction like the above, where the warning didn't apply - when fixed. + This led to a conversion warning on 64-bit MinGW, which has 32-bit + `long` but 64-bit `size_t`. - Closes #4647 - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (28 Nov 2019) -- RELEASE-NOTES: synced - -- [Maros Priputen brought this change] + Closes https://github.com/curl/curl/pull/4823 - curl: two new command line options for etags +Daniel Stenberg (16 Jan 2020) +- curl:progressbarinit: ignore column width from terminals < 20 - --etag-compare and --etag-save + To avoid division by zero - or other issues. 
- Suggested-by: Paul Hoffman - Fixes #4277 - Closes #4543 - -Daniel Gustafsson (28 Nov 2019) -- docs: fix typos + Reported-by: Daniel Marjamäki + Closes #4818 -Daniel Stenberg (28 Nov 2019) -- mailmap: Niall O'Reilly's name +- wolfssh: set the password correctly for PASSWORD auth -- [Niall O'Reilly brought this change] +- wolfssh: remove fprintf() calls (and uses of __func__) - doh: use dedicated probe slots +Marcel Raad (14 Jan 2020) +- CMake: use check_symbol_exists also for inet_pton - ... to easier allow additional DNS transactions. + It doesn't make much sense to only check if the function can be linked + when it's not declared in any header and that is treated as an error. + With the correct target Windows version set, the function is declared + in ws2tcpip.h and the comment above the modified block is invalid. - Closes #4629 - -- travis: build ngtcp2 with --enable-lib-only + Also, move the definition of `_WIN32_WINNT` up to before all symbol + availability checks so that we don't have to care which ones must be + done after it. - ... makes it skip the examples and other stuff we don't neeed. + Tested with Visual Studio 2019 and current MinGW-w64. - Closes #4646 - -- [David Benjamin brought this change] + Closes https://github.com/curl/curl/pull/4808 - ngtcp2: fix thread-safety bug in error-handling +Jay Satiro (13 Jan 2020) +- schannel_verify: Fix alt names manual verify for UNICODE builds - ERR_error_string(NULL) should never be called. It places the error in a - global buffer, which is not thread-safe. Use ERR_error_string_n with a - local buffer instead. + Follow-up to 29e40a6 from two days ago, which added that feature for + Windows 7 and earlier. The bug only occurred in same. - Closes #4645 + Ref: https://github.com/curl/curl/pull/4761 -- travis: export the CC/CXX variables when set +Daniel Stenberg (13 Jan 2020) +- HTTP-COOKIES.md: describe the cookie file format - Suggested-by: Peter Wu - Fixes #4637 - Closes #4640 + ... 
and refer to that file from from CURLOPT_COOKIEFILE.3 and + CURLOPT_COOKIELIST.3 + + Assisted-by: Jay Satiro + Reported-by: bsammon on github + Fixes #4805 + Closes #4806 -Marcel Raad (26 Nov 2019) -- dist: add error-codes.pl +- [Tobias Hieta brought this change] + + CMake: Add support for CMAKE_LTO option. - Follow-up to commit 74f441c6d31. - This should fix test 1175 when run via the daily source tarballs. + This enables Link Time Optimization. LTO is a proven technique for + optimizing across compilation units. - Closes https://github.com/curl/curl/pull/4638 + Closes #4799 -Daniel Stenberg (26 Nov 2019) -- [John Schroeder brought this change] +- RELEASE-NOTES: synced - curl: fix --upload-file . hangs if delay in STDIN +- ConnectionExists: respect the max_concurrent_streams limits - Attempt to unpause a busy read in the CURLOPT_XFERINFOFUNCTION. + A regression made the code use 'multiplexed' as a boolean instead of the + counter it is intended to be. This made curl try to "over-populate" + connections with new streams. - When uploading from stdin in non-blocking mode, a delay in reading - the stream (EAGAIN) causes curl to pause sending data - (CURL_READFUNC_PAUSE). Prior to this change, a busy read was - detected and unpaused only in the CURLOPT_WRITEFUNCTION handler. - This change performs the same busy read handling in a - CURLOPT_XFERINFOFUNCTION handler. + This regression came with 41fcdf71a1, shipped in curl 7.65.0. - Fixes #2051 - Closes #4599 - Reported-by: bdry on github - -- [John Schroeder brought this change] + Also, respect the CURLMOPT_MAX_CONCURRENT_STREAMS value in the same + check. + + Reported-by: Kunal Ekawde + Fixes #4779 + Closes #4784 - XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE +- curl: make #0 not output the full URL - (also for PROGRESSFUNCTION) + It was not intended nor documented! - By returning this value from the callback, the internal progress - function call is still called afterward. + Added test 1176 to verify. 
- Closes #4599 + Reported-by: vshmuk on hackerone + + Closes #4812 -- [Michael Forney brought this change] +- wolfSSH: new SSH backend + + Adds support for SFTP (not SCP) using WolfSSH. + + Closes #4231 - TLS: add BearSSL vtls implementation +- curl: remove 'config' field from OutStruct - Closes #4597 + As it was just unnecessary duplicated information already stored in the + 'per_transfer' struct and that's around mostly anyway. + + The duplicated pointer caused problems when the code flow was aborted + before the dupe was filled in and could cause a NULL pointer access. + + Reported-by: Brian Carpenter + Fixes #4807 + Closes #4810 -- curl_multi_wakeup.3: add example and AVAILABILITY +- misc: Copyright year out of date, should be 2020 - Reviewed-by: Gergely Nagy - Closes #4635 + Follow-up to recent commits + + [skip ci] -- [Gergely Nagy brought this change] +Jay Satiro (11 Jan 2020) +- [Santino Keupp brought this change] - multi: add curl_multi_wakeup() + libssh2: add support for forcing a hostkey type - This commit adds curl_multi_wakeup() which was previously in the TODO - list under the curl_multi_unblock name. + - Allow forcing the host's key type found in the known_hosts file. - On some platforms and with some configurations this feature might not be - available or can fail, in these cases a new error code - (CURLM_WAKEUP_FAILURE) is returned from curl_multi_wakeup(). + Currently, curl (with libssh2) does not take keys from your known_hosts + file into account when talking to a server. With this patch the + known_hosts file will be searched for an entry matching the hostname + and, if found, libssh2 will be told to claim this key type from the + server. 
- Fixes #4418 - Closes #4608 + Closes https://github.com/curl/curl/pull/4747 -Jay Satiro (24 Nov 2019) -- [Xiaoyin Liu brought this change] +- [Nicolas Guillier brought this change] - schannel: fix --tls-max for when min is --tlsv1 or default + cmake: Improve libssh2 check on Windows - Prior to this change schannel ignored --tls-max (CURL_SSLVERSION_MAX_ - macros) when --tlsv1 (CURL_SSLVERSION_TLSv1) or default TLS - (CURL_SSLVERSION_DEFAULT), using a max of TLS 1.2 always. + - Add "libssh2" name to FindLibSSH2 library search. - Closes https://github.com/curl/curl/pull/4633 - -- checksrc.bat: Add a check for vquic and vssh directories + On Windows systems, libSSH2 CMake installation may name the library + "LibSSH2". - Ref: https://github.com/curl/curl/pull/4607 + Prior to this change cmake only checked for name "ssh2". On Linux that + works fine because it will prepend the "lib", but it doesn't do that on + Windows. + + Closes https://github.com/curl/curl/pull/4804 -- projects: Fix Visual Studio projects SSH builds +- [Faizur Rahman brought this change] + + schannel: Make CURLOPT_CAINFO work better on Windows 7 - - Generate VQUIC and VSSH filenames in Visual Studio project files. + - Support hostname verification via alternative names (SAN) in the + peer certificate when CURLOPT_CAINFO is used in Windows 7 and earlier. - Prior to this change generated Visual Studio project configurations that - enabled SSH did not build properly. Broken since SSH files were moved to - lib/vssh 3 months ago in 5b2d703. + CERT_NAME_SEARCH_ALL_NAMES_FLAG doesn't exist before Windows 8. As a + result CertGetNameString doesn't quite work on those versions of + Windows. This change provides an alternative solution for + CertGetNameString by iterating through CERT_ALT_NAME_INFO for earlier + versions of Windows. 
- Fixes https://github.com/curl/curl/issues/4492 - Fixes https://github.com/curl/curl/issues/4630 - Closes https://github.com/curl/curl/pull/4607 + Prior to this change many certificates failed the hostname validation + when CURLOPT_CAINFO was used in Windows 7 and earlier. Most certificates + now represent multiple hostnames and rely on the alternative names field + exclusively to represent their hostnames. + + Reported-by: Jeroen Ooms + + Fixes https://github.com/curl/curl/issues/3711 + Closes https://github.com/curl/curl/pull/4761 -Daniel Stenberg (23 Nov 2019) -- RELEASE-NOTES: synced +- [Emil Engler brought this change] -Jay Satiro (22 Nov 2019) -- openssl: Revert to less sensitivity for SYSCALL errors + ngtcp2: Add an error code for QUIC connection errors - - Disable the extra sensitivity except in debug builds (--enable-debug). + - Add new error code CURLE_QUIC_CONNECT_ERROR for QUIC connection + errors. - - Improve SYSCALL error message logic in ossl_send and ossl_recv so that - "No error" / "Success" socket error text isn't shown on SYSCALL error. + Prior to this change CURLE_FAILED_INIT was used, but that was not + correct. - Prior to this change 0ab38f5 (precedes 7.67.0) increased the sensitivity - of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were - also considered errors. For example, a server that does not send a known - protocol termination point (eg HTTP content length or chunked encoding) - _and_ does not send a TLS termination point (close_notify alert) would - cause an error if it closed the connection. + Closes https://github.com/curl/curl/pull/4754 + +- multi: Change curl_multi_wait/poll to error on negative timeout - To be clear that behavior made it into release build 7.67.0 - unintentionally. Several users have reported it as an issue. + - Add new error CURLM_BAD_FUNCTION_ARGUMENT and return that error when + curl_multi_wait/poll is passed timeout param < 0. 
- Ultimately the idea is a good one, since it can help prevent against a - truncation attack. Other SSL backends may already behave similarly (such - as Windows native OS SSL Schannel). However much more of our user base - is using OpenSSL and there is a mass of legacy users in that space, so I - think that behavior should be partially reverted and then rolled out - slowly. + Prior to this change passing a negative value to curl_multi_wait/poll + such as -1 could cause the function to wait forever. - This commit changes the behavior so that the increased sensitivity is - disabled in all curl builds except curl debug builds (DEBUGBUILD). If - after a period of time there are no major issues then it can be enabled - in dev and release builds with the newest OpenSSL (1.1.1+), since users - using the newest OpenSSL are the least likely to have legacy problems. + Reported-by: hamstergene@users.noreply.github.com - Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794 - Reported-by: Bjoern Franke + Fixes https://github.com/curl/curl/issues/4763 - Fixes https://github.com/curl/curl/issues/4624 - Closes https://github.com/curl/curl/pull/4623 + Closes https://github.com/curl/curl/pull/4765 -- [Daniel Stenberg brought this change] +- [Marc Aldorasi brought this change] - openssl: improve error message for SYSCALL during connect + cmake: Enable SMB for Windows builds - Reported-by: Paulo Roberto Tomasi - Bug: https://curl.haxx.se/mail/archive-2019-11/0005.html + - Define USE_WIN32_CRYPTO by default. This enables SMB. - Closes https://github.com/curl/curl/pull/4593 - -Daniel Stenberg (22 Nov 2019) -- test1175: verify symbols-in-versions and libcurl-errors.3 in sync + - Show whether SMB is enabled in the "Enabled features" output. - Closes #4628 + - Fix mingw compiler warning for call to CryptHashData by casting away + const param. mingw CryptHashData prototype is wrong. 
+ + Closes https://github.com/curl/curl/pull/4717 -- include: make CURLE_HTTP3 use a new error code +- vtls: Refactor Curl_multissl_version to make the code clearer - To avoid potential issues with error code reuse. + Reported-by: Johannes Schindelin - Reported-by: Christoph M. Becker - Assisted-by: Dan Fandrich - Fixes #4601 - Closes #4627 + Ref: https://github.com/curl/curl/pull/3863#pullrequestreview-241395121 + + Closes https://github.com/curl/curl/pull/4803 -- bump: next release will be 7.68.0 +Daniel Stenberg (10 Jan 2020) +- fix: Copyright year out of date, should be 2020 + + Follow-up to 875314ed0bf3b -- curl: add --parallel-immediate +Marcel Raad (10 Jan 2020) +- hostip: move code to resolve IP address literals to `Curl_resolv` - Starting with this change when doing parallel transfers, without this - option set, curl will prefer to create new transfers multiplexed on an - existing connection rather than creating a brand new one. + The code was duplicated in the various resolver backends. - --parallel-immediate can be set to tell curl to prefer to use new - connections rather than to wait and try to multiplex. + Also, it was called after the call to `Curl_ipvalid`, which matters in + case of `CURLRES_IPV4` when called from `connect.c:bindlocal`. This + caused test 1048 to fail on classic MinGW. - libcurl-wise, this means that curl will set CURLOPT_PIPEWAIT by default - on parallel transfers. + The code ignores `conn->ip_version` as done previously in the + individual resolver backends. - Suggested-by: Tom van der Woerdt - Closes #4500 + Move the call to the `resolver_start` callback up to appease test 655, + which wants it to be called also for literal addresses. 
+ + Closes https://github.com/curl/curl/pull/4798 -Daniel Gustafsson (20 Nov 2019) -- [Victor Magierski brought this change] +Daniel Stenberg (9 Jan 2020) +- scripts/delta: adapt to new public header layout - docs: fix typos +- test1167: verify global symbols in public headers are curl prefixed - Change 'experiemental' to 'experimental'. + ... using the new badsymbols.pl perl script - Closes #4618 - Reviewed-by: Daniel Gustafsson + Fixes #4793 + Closes #4794 -Jay Satiro (18 Nov 2019) -- projects: Fix Visual Studio wolfSSL configurations +- libtest/mk-lib1521: adapt to new public header layout + +- include: remove non-curl prefixed defines - - s/USE_CYASSL/USE_WOLFSSL/ - - - Remove old compatibility macros. + ...requires some rearranging of the setup of CURLOPT_ and CURLMOPT_ + enums. + +- curl.h: remove WIN32 define - Follow-up to 1c6c59a from several months ago when CyaSSL named symbols - were renamed to wolfSSL. The wolfSSL library was formerly named CyaSSL - and we kept using their old name for compatibility reasons, until - earlier this year. + It isn't our job to define this in a public header - and it defines a + name outside of our naming scope. -Daniel Stenberg (18 Nov 2019) -- RELEASE-NOTES: synced +- tool_dirhie.c: fix the copyright year range + + Follow-up to: 4027bd72d9 -- [Javier Blazquez brought this change] +- bump: work towards 7.69.0 is started - ngtcp2: use overflow buffer for extra HTTP/3 data +Jay Satiro (9 Jan 2020) +- tool_dirhie: Allow directory traversal during creation - Fixes #4525 - Closes #4603 - -- altsvc: bump to h3-24 + - When creating a directory hierarchy do not error when mkdir fails due + to error EACCESS (13) "access denied". - ... as both ngtcp2 and quiche now support that in their master branches + Some file systems allow for directory traversal; in this case that it + should be possible to create child directories when permission to the + parent directory is restricted. 
- Closes #4604 - -- ngtcp2: free used resources on disconnect + This is a regression caused by me in f16bed0 (precedes curl-7_61_1). + Basically I had assumed that if a directory already existed it would + fail only with error EEXIST, and not error EACCES. The latter may + happen if the directory exists but has certain restricted permissions. - Fixes #4614 - Closes #4615 - -- ngtcp2: handle key updates as ngtcp2 master branch tells us + Reported-by: mbeifuss@users.noreply.github.com - Reviewed-by: Tatsuhiro Tsujikawa + Fixes https://github.com/curl/curl/issues/4796 + Closes https://github.com/curl/curl/pull/4797 + +Daniel Stenberg (9 Jan 2020) +- KNOWN_BUGS: AUTH PLAIN for SMTP is not working on all servers - Fixes #4612 - Closes #4613 + Closes #4080 -Jay Satiro (17 Nov 2019) -- [Gergely Nagy brought this change] +- docs/RELEASE-PROCEDURE.md: pushed some release dates + + Ref: https://curl.haxx.se/mail/lib-2020-01/0031.html - multi: Fix curl_multi_poll wait when extra_fds && !extra_nfds +- runtests: make random seed fixed for a month - Prior to this change: + When using randomized features of runtests (-R and --shallow) it is + useful to have a fixed random seed to make sure for example extra + commits in a branch or a rebase won't change the seed that would make + repeated runs work differently. - The check if an extra wait is necessary was based not on the - number of extra fds but on the pointer. + As it is also useful to change seed sometimes, the default seed is now + determined based on the current month (and first line curl -V + output). When the month changes, so will the random seed. - If a non-null pointer was given in extra_fds, but extra_nfds - was zero, then the wait was skipped even though poll was not - called. + The specific seed is also shown in the standard test suite top header + and it can be set explictly with the new --seed=[num] option so that the + exact order of a previous run can be achieved. 
- Closes https://github.com/curl/curl/pull/4610 + Closes #4734 -- lib: Move lib/ssh.h -> lib/vssh/ssh.h +- RELEASE-PROCEDURE.md: fix next release date (Feb 26) - Follow-up to 5b2d703 which moved ssh source files to vssh. - - Closes https://github.com/curl/curl/pull/4609 + [skip ci] -Daniel Stenberg (16 Nov 2019) -- [Andreas Falkenhahn brought this change] +Version 7.68.0 (8 Jan 2020) - INSTALL.md: provide Android build instructions - - Closes #4606 +Daniel Stenberg (8 Jan 2020) +- RELEASE-NOTES: 7.68.0 -- [Niall O'Reilly brought this change] +- THANKS: updated with names from the 7.68.0 release - doh: improced both encoding and decoding +- RELEASE-PROCEDURE: add four future release dates - Improved estimation of expected_len and updated related comments; - increased strictness of QNAME-encoding, adding error detection for empty - labels and names longer than the overall limit; avoided treating DNAME - as unexpected; + and remove four past release dates - updated unit test 1655 with more thorough set of proofs and tests + [skip ci] + +Marcel Raad (6 Jan 2020) +- TrackMemory tests: always remove CR before LF - Closes #4598 + It was removed for output containing ' =' via `s/ =.*//`. With classic + MinGW, this made lines with `free()` end with CRLF, but lines with e.g. + `malloc()` end with only LF. The tests expect LF only. + + Closes https://github.com/curl/curl/pull/4788 -- ngtcp2: increase QUIC window size when data is consumed +Daniel Stenberg (6 Jan 2020) +- multi.h: move INITIAL_MAX_CONCURRENT_STREAMS from public header - Assisted-by: Javier Blazquez - Ref #4525 (partial fix) - Closes #4600 + ... to the private multihhandle.h. It is not for public use and it + wasn't prefixed correctly anyway! 
+ + Closes #4790 -- [Melissa Mears brought this change] +- file: fix copyright year range + + Follow-up to 1b71bc532bd - config-win32: cpu-machine-OS for Windows on ARM +- curl -w: handle a blank input file correctly - Define the OS macro properly for Windows on ARM builds. Also, we might - as well add the GCC-style IA-64 macro. + Previously it would end up with an uninitialized memory buffer that + would lead to a crash or junk getting output. - Closes #4590 + Added test 1271 to verify. + + Reported-by: Brian Carpenter + Closes #4786 -- examples: add multi-poll.c +- file: on Windows, refuse paths that start with \\ - Show how curl_multi_poll() makes it even easier to use the multi - interface. + ... as that might cause an unexpected SMB connection to a given host + name. - Closes #4596 + Reported-by: Fernando Muñoz + CVE-2019-15601 + Bug: https://curl.haxx.se/docs/CVE-2019-15601.html -- multi_poll: avoid busy-loop when called without easy handles attached +Jay Satiro (6 Jan 2020) +- CURLOPT_READFUNCTION.3: fix fopen params in example + +- CURLOPT_READFUNCTION.3: fix variable name in example - Fixes #4594 - Closes #4595 - Reported-by: 3dyd on github + Reported-by: Paul Joyce + + Fixes https://github.com/curl/curl/issues/4787 -- curl: fix -T globbing +Daniel Stenberg (5 Jan 2020) +- curl:getparameter return error for --http3 if libcurl doesn't support - Regression from e59371a4936f8 (7.67.0) + Closes #4785 + +- docs: mention CURL_MAX_INPUT_LENGTH restrictions - Added test 490, 491 and 492 to verify the functionality. + ... for curl_easy_setopt() and curl_url_set(). - Reported-by: Kamil Dudka - Reported-by: Anderson Sasaki + [skip ci] - Fixes #4588 - Closes #4591 - -- HISTORY: added cmake, HTTP/3 and parallel downloads with curl + Closes #4783 -- quiche: reject headers in the wrong order +- curl: properly free mimepost data - Pseudo header MUST come before regular headers or cause an error. + ... as it could otherwise leak memory when a transfer failed. 
- Reported-by: Cynthia Coan - Fixes #4571 - Closes #4584 + Added test 1293 to verify. + + Reported-by: Brian Carpenter + Fixes #4781 + Closes #4782 -- openssl: prevent recursive function calls from ctx callbacks +- curl: cleanup multi handle on failure - Follow the pattern of many other callbacks. + ... to fix memory leak in error path. - Ref: #4546 - Closes #4585 + Fixes #4772 + Closes #4780 + Reported-by: Brian Carpenter -- CURL-DISABLE: initial docs for the CURL_DISABLE_* defines +Marcel Raad (3 Jan 2020) +- lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS` - The disable-scan script used in test 1165 is extended to also verify - that the docs cover all used defines and all defines offered by - configure. + Closes https://github.com/curl/curl/pull/4775 + +Daniel Stenberg (3 Jan 2020) +- COPYING: it's 2020! - Reported-by: SLDiggie on github - Fixes #4545 - Closes #4587 + [skip ci] -- remove_handle: clear expire timers after multi_done() +Jay Satiro (3 Jan 2020) +- [Marc Aldorasi brought this change] + + tests: Fix bounce requests with truncated writes - Since 59041f0, a new timer might be set in multi_done() so the clearing - of the timers need to happen afterwards! + Prior to this change the swsbounce check in service_connection could + fail because prevtestno and prevpartno were not set, which would cause + the wrong response data to be sent to some tests and cause them to fail. - Reported-by: Max Kellermann - Fixes #4575 - Closes #4583 + Ref: https://github.com/curl/curl/pull/4717#issuecomment-570240785 -Marcel Raad (10 Nov 2019) -- test1558: use double slash after file: +Marcel Raad (31 Dec 2019) +- tool: make a few char pointers point to const char instead - Classic MinGW / MSYS 1 doesn't support `MSYS2_ARG_CONV_EXCL`, so this - test unnecessarily failed when using `file:/` instead of `file:///`. + These are read-only. 
- Closes https://github.com/curl/curl/pull/4554 + Closes https://github.com/curl/curl/pull/4771 -Daniel Stenberg (10 Nov 2019) -- pause: avoid updating socket if done was already called +Jay Satiro (31 Dec 2019) +- tests: Change NTLM tests to require SSL - ... avoids unnecesary recursive risk when the transfer is already done. + Prior to this change tests that required NTLM feature did not require + SSL feature. - Reported-by: Richard Bowker - Fixes #4563 - Closes #4574 - -Jay Satiro (9 Nov 2019) -- strerror: Fix an error looking up some Windows error strings + There are pending changes to cmake builds that will allow enabling NTLM + in non-SSL builds in Windows. In that case the NTLM auth strings created + are different from what is expected by the NTLM tests and they fail: - - Use FORMAT_MESSAGE_IGNORE_INSERTS to ignore format specifiers in - Windows error strings. + "The issue with NTLM is that previous non-SSL builds would not enable + NTLM and so the NTLM tests would be skipped." - Since we are not in control of the error code we don't know what - information may be needed by the error string's format specifiers. + Assisted-by: marc-groundctl@users.noreply.github.com - Prior to this change Windows API error strings which contain specifiers - (think specifiers like similar to printf specifiers) would not be shown. - The FormatMessage Windows API call which turns a Windows error code into - a string could fail and set error ERROR_INVALID_PARAMETER if that error - string contained a format specifier. FormatMessage expects a va_list for - the specifiers, unless inserts are ignored in which case no substitution - is attempted. 
+ Ref: https://github.com/curl/curl/pull/4717#issuecomment-566218729 - Ref: https://devblogs.microsoft.com/oldnewthing/20071128-00/?p=24353 + Closes https://github.com/curl/curl/pull/4768 -- [r-a-sattarov brought this change] +- [Michael Forney brought this change] - system.h: fix for MCST lcc compiler + bearssl: Improve I/O handling - Fixed build by MCST lcc compiler on MCST Elbrus 2000 architecture and do - some code cleanup. + Factor out common I/O loop as bearssl_run_until, which reads/writes TLS + records until the desired engine state is reached. This is now used for + the handshake, read, write, and close. - e2k (Elbrus 2000) - this is VLIW/EPIC architecture, like Intel Itanium - architecture. + Match OpenSSL SSL_write behavior, and don't return the number of bytes + written until the corresponding records have been completely flushed + across the socket. This involves keeping track of the length of data + buffered into the TLS engine, and assumes that when CURLE_AGAIN is + returned, the write function will be called again with the same data + and length arguments. This is the same requirement of SSL_write. - Ref: https://en.wikipedia.org/wiki/Elbrus_2000 + Handle TLS close notify as EOF when reading by returning 0. - Closes https://github.com/curl/curl/pull/4576 + Closes https://github.com/curl/curl/pull/4748 -Daniel Stenberg (8 Nov 2019) -- TODO: curl_multi_unblock +- travis: Fix error detection - Closes #4418 - -- TODO: Run web-platform-tests url tests + - Stop using inline shell scripts for before_script and script sections. - Closes #4477 - -- TODO: 1.4 alt-svc sharing + Prior to this change Travis could ignore errors from commands in inline + scripts. I don't understand how or why it happens. This is a workaround. 
- Closes #4476 + Assisted-by: Simon Warta + + Ref: https://github.com/travis-ci/travis-ci/issues/1066 + + Fixes https://github.com/curl/curl/issues/3730 + Closes https://github.com/curl/curl/pull/3755 -- test1560: require IPv6 for IPv6 aware URL parsing +- tool_operate: fix mem leak when failed config parse - The URL parser function can't reject a bad IPv6 address properly when - curl was built without IPv6 support. + Found by fuzzing the config file. - Reported-by: Marcel Raad - Fixes #4556 - Closes #4572 + Reported-by: Geeknik Labs + + Fixes https://github.com/curl/curl/issues/4767 -- checksrc: repair the copyrightyear check +- [Xiang Xiao brought this change] + + lib: remove erroneous +x file permission on some c files - - Consider a modified file to be committed this year. + Modified by commit eb9a604 accidentally. - - Make the travis CHECKSRC also do COPYRIGHTYEAR scan in examples and - includes + Closes https://github.com/curl/curl/pull/4756 + +- [Xiang Xiao brought this change] + + lib: fix warnings found when porting to NuttX - - Ignore 0 parents when getting latest commit date of file. + - Undefine DEBUGASSERT in curl_setup_once.h in case it was already + defined as a system macro. - since in the CI we're dealing with a truncated repo of last 50 commits, - the file's most recent commit may not be available. when this happens - git log and rev-list show the initial commit (ie first commit not to be - truncated) but that's incorrect so ignore it. + - Don't compile write32_le in curl_endian unless + CURL_SIZEOF_CURL_OFF_T > 4, since it's only used by Curl_write64_le. - Ref: https://github.com/curl/curl/pull/4547 + - Include in socketpair.c. 
- Closes https://github.com/curl/curl/pull/4549 + Closes https://github.com/curl/curl/pull/4756 + +- os400: Add missing CURLE error constants - Co-authored-by: Jay Satiro + Bug: https://github.com/curl/curl/pull/4754#issuecomment-569126922 + Reported-by: Emil Engler -- copyrights: fix copyright year range +- CURLOPT_HEADERFUNCTION.3: Document that size is always 1 - .. because checksrc's copyright year check stopped working. + For compatibility with `fwrite`, the `CURLOPT_HEADERFUNCTION` callback + is passed two `size_t` parameters which, when multiplied, designate the + number of bytes of data passed in. In practice, CURL always sets the + first parameter (`size`) to 1. - Ref: https://github.com/curl/curl/pull/4547 + This practice is also enshrined in documentation and cannot be changed + in future. The documentation states that the default callback is + `fwrite`, which means `fwrite` must be a suitable function for this + purpose. However, the documentation also states that the callback must + return the number of *bytes* it successfully handled, whereas ISO C + `fwrite` returns the number of items (each of size `size`) which it + wrote. The only way these numbers can be equal is if `size` is 1. - Closes https://github.com/curl/curl/pull/4549 - -- RELEASE-NOTES: synced - -- curlver: bump to 7.67.1 - -- mailmap: fixup Massimiliano Fantuzzi - -- scripts/contributors: make committers get included too + Since `size` is 1 and can never be changed in future anyway, document + that fact explicitly and let users rely on it. 
- in addition to authors - -Jay Satiro (8 Nov 2019) -- [Massimiliano Fantuzzi brought this change] - - configure: fix typo in help text + Reported-by: Frank Gevaerts + Commit-message-by: Christopher Head - Closes https://github.com/curl/curl/pull/4570 - -Daniel Stenberg (7 Nov 2019) -- [Christian Schmitz brought this change] - - ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set + Ref: https://github.com/curl/curl/pull/2787 - Closes #3704 + Fixes https://github.com/curl/curl/issues/4758 -Jay Satiro (6 Nov 2019) -- [Wyatt O'Day brought this change] +- examples/postinmemory.c: Call curl_global_cleanup always + + Prior to this change curl_global_cleanup was not called if + curl_easy_init failed. + + Reported-by: kouzhudong@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/4751 - build: fix for CURL_DISABLE_DOH +Daniel Stenberg (21 Dec 2019) +- url2file.c: fix copyright year - Fixes https://github.com/curl/curl/issues/4565 - Closes https://github.com/curl/curl/pull/4566 + Follow-up to 525787269599b5 -- [Leonardo Taccari brought this change] +- [Rickard Hallerbäck brought this change] - configure: avoid unportable `==' test(1) operator + examples/url2file.c: corrected a comment - Closes https://github.com/curl/curl/pull/4567 + The comment was confusing and suggested that setting CURLOPT_NOPROGRESS + to 0L would both enable and disable debug output at the same time, like + a Schrödinger's cat of CURLOPTs. + + Closes #4745 -Version 7.67.0 (5 Nov 2019) +- HISTORY: OSS-Fuzz started fuzzing libcurl in 2017 -Daniel Stenberg (5 Nov 2019) - RELEASE-NOTES: synced - - The 7.67.0 release - -- THANKS: add new names from 7.67.0 -- configure: only say ipv6 enabled when the variable is set +Jay Satiro (20 Dec 2019) +- ngtcp2: Support the latest update key callback type - Previously it could say "IPv6: enabled" at the end of the configure run - but the define wasn't set because of a missing getaddrinfo(). 
+ - Remove our cb_update_key in favor of ngtcp2's new + ngtcp2_crypto_update_key_cb which does the same thing. - Reported-by: Marcel Raad - Fixes #4555 - Closes #4560 - -Marcel Raad (2 Nov 2019) -- certs/Server-localhost-lastSAN-sv: regenerate with sha256 + Several days ago the ngtcp2_update_key callback function prototype was + changed in ngtcp2/ngtcp2@42ce09c. Though it would be possible to + fix up our cb_update_key for that change they also added + ngtcp2_crypto_update_key_cb which does the same thing so we'll use that + instead. - All other certificates were regenerated in commit ba782baac30, but - this one was missed. - Fixes test3001 on modern systems. + Ref: https://github.com/ngtcp2/ngtcp2/commit/42ce09c - Closes https://github.com/curl/curl/pull/4551 - -Daniel Stenberg (2 Nov 2019) -- [Vilhelm Prytz brought this change] + Closes https://github.com/curl/curl/pull/4735 - copyrights: update all copyright notices to 2019 on files changed this year +Daniel Stenberg (19 Dec 2019) +- sws: search for "Testno:" header uncondtionally if no testno - Closes #4547 - -- [Bastien Bouclet brought this change] - - mbedtls: add error message for cert validity starting in the future + Even if the initial request line wasn't found. With the fix to 1455, the + test number is now detected correctly. - Closes #4552 - -Jay Satiro (1 Nov 2019) -- schannel_verify: Fix concurrent openings of CA file + (Problem found when running tests in random order.) - - Open the CA file using FILE_SHARE_READ mode so that others can read - from it as well. + Closes #4744 + +- tests: set LC_ALL in more tests - Prior to this change our schannel code opened the CA file without - sharing which meant concurrent openings (eg an attempt from another - thread or process) would fail during the time it was open without - sharing, which in curl's case would cause error: - "schannel: failed to open CA file". 
+ Follow-up to 23208e330ac0c21 - Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html - Reported-by: Richard Alcock + Closes #4743 -Daniel Stenberg (31 Oct 2019) -- gtls: make gnutls_bye() not wait for response on shutdown +- test165: set LC_ALL=en_US.UTF-8 too - ... as it can make it wait there for a long time for no good purpose. + On my current Debian Unstable with libidn2 2.2.0, I get an error if + LC_ALL is set to blank. Then curl errors out with: - Patched-by: Jay Satiro - Reported-by: Bylon2 on github - Adviced-by: Nikos Mavrogiannopoulos + curl: (3) Failed to convert www.åäö.se to ACE; could not convert string to UTF-8 - Fixes #4487 - Closes #4541 - -- [Michał Janiszewski brought this change] + Closes #4738 - appveyor: publish artifacts on appveyor +- curl.h: add two defines for the "pre ISO C" case - This allows obtaining upstream builds of curl directly from appveyor for - all the available configurations + Without this fix, this caused a compilation failure on AIX with IBM xlc + 13.1.3 compiler. - Closes #4509 + Reported-by: Ram Krushna Mishra + Fixes #4739 + Closes #4740 -- url: make Curl_close() NULLify the pointer too +- create_conn: prefer multiplexing to using new connections - This is the common pattern used in the code and by a unified approach we - avoid mistakes. + ... as it would previously prefer new connections rather than + multiplexing in most conditions! The (now removed) code was a leftover + from the Pipelining code that was translated wrongly into a + multiplex-only world. - Closes #4534 - -- [Trivikram Kamat brought this change] + Reported-by: Kunal Ekawde + Bug: https://curl.haxx.se/mail/lib-2019-12/0060.html + Closes #4732 - INSTALL: add missing space for configure commands +- test1456: remove the use of a fixed local port - Closes #4539 - -- url: Curl_free_request_state() should also free doh handles + Fixup the test to instead not compare the port number. It sometimes + caused problems like this: - ... or risk DoH memory leaks. 
+ "curl: (45) bind failed with errno 98: Address already in use" - Reported-by: Paul Dreik - Fixes #4463 - Closes #4527 + Closes #4733 -- examples: remove the "this exact code has not been verified" +Jay Satiro (18 Dec 2019) +- CURLOPT_QUOTE.3: fix typos - ... as really confuses the reader to not know what to believe! - -- [Trivikram Kamat brought this change] - - HTTP3: fix typo somehere1 > somewhere1 + Prior to this change the EXAMPLE in the QUOTE/PREQUOTE/POSTQUOTE man + pages would not compile because a variable name was incorrect. - Closes #4535 + Reported-by: Bylon2@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/4736 -Jay Satiro (28 Oct 2019) -- [Javier Blazquez brought this change] +- [Gisle Vanem brought this change] - HTTP3: fix invalid use of sendto for connected UDP socket + strerror: Fix compiler warning "empty expression" - On macOS/BSD, trying to call sendto on a connected UDP socket fails - with a EISCONN error. Because the singleipconnect has already called - connect on the socket when we're trying to use it for QUIC transfers - we need to use plain send instead. + - Remove the final semi-colon in the SEC2TXT() macro definition. - Fixes #4529 - Closes https://github.com/curl/curl/pull/4533 - -Daniel Stenberg (28 Oct 2019) -- RELEASE-NOTES: synced - -- [Javier Blazquez brought this change] - - HTTP3: fix Windows build + Before: #define SEC2TXT(sec) case sec: txt = #sec; break; - The ngtcp2 QUIC backend was using the MSG_DONTWAIT flag for send/recv - in order to perform nonblocking operations. On Windows this flag does - not exist. Instead, the socket must be set to nonblocking mode via - ioctlsocket. + After: #define SEC2TXT(sec) case sec: txt = #sec; break - This change sets the nonblocking flag on UDP sockets used for QUIC on - all platforms so the use of MSG_DONTWAIT is not needed. + Prior to this change SEC2TXT(foo); would generate break;; which caused + the empty expression warning. 
- Fixes #4531 - Closes #4532 + Ref: https://github.com/curl/curl/commit/5b22e1a#r36458547 -Marcel Raad (27 Oct 2019) -- appveyor: add --disable-proxy autotools build - - This would have caught issue #3926. - - Also make formatting more consistent. +Daniel Stenberg (18 Dec 2019) +- curl/parseconfig: use curl_free() to free memory allocated by libcurl - Closes https://github.com/curl/curl/pull/4526 + Reported-by: bxac on github + Fixes #4730 + Closes #4731 -Daniel Stenberg (25 Oct 2019) -- appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017 - - ... and invoke "curl -V" once done +- curl/parseconfig: fix mem-leak - Co-Authored-By: Jay Satiro + When looping, first trying '.curlrc' and then '_curlrc', the function + would not free the first string. - Closes #4523 - -- [Francois Rivard brought this change] + Closes #4731 - schannel: reverse the order of certinfo insertions +- CURLOPT_URL.3: "curl supports SMB version 1 (only)" - Fixes #4518 - Closes #4519 + [skip ci] -Marcel Raad (24 Oct 2019) -- test1591: fix spelling of http feature - - The test never got run because the feature name is `http` in lowercase. +- test1270: a basic -w redirect_url test - Closes https://github.com/curl/curl/pull/4520 + Closes #4728 -Daniel Stenberg (23 Oct 2019) -- [Michał Janiszewski brought this change] +- HISTORY: the SMB(S) support landed in 2014 - appveyor: Use two parallel compilation on appveyor with CMake - - Appveyor provides 2 CPUs for each builder[1], make sure to use parallel - compilation, when running with CMake. CMake learned this new option in - version 3.12[2] and the version provided by appveyor is fresh enough. +- define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore - Curl doesn't really take that long to build and it is using the slowest - builder available, msbuild, so expect only a moderate improvement in - build times. + It is covered by USE_OPENSSL_ENGINE now. 
- [1] https://www.appveyor.com/docs/build-environment/ - [2] https://cmake.org/cmake/help/v3.12/release/3.12.html + Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/87b9337c8f76c21c57b204e88b68c6ecf3bd1ac0#commitcomment-36447951 - Closes #4508 + Closes #4725 -- conn-reuse: requests wanting NTLM can reuse non-NTLM connections +- lib: remove ASSIGNWITHINCONDITION exceptions, use our code style - Added test case 338 to verify. + ... even for macros - Reported-by: Daniel Silverstone - Fixes #4499 - Closes #4514 - -Marcel Raad (23 Oct 2019) -- tests: add missing proxy features + Reviewed-by: Daniel Gustafsson + Reviewed-by: Jay Satiro + Reported-by: Jay Satiro + Fixes #4683 + Closes #4722 -Daniel Stenberg (22 Oct 2019) -- RELEASE-NOTES: synced +- tests: make sure checksrc runs on header files too -Marcel Raad (21 Oct 2019) -- tests: use %FILE_PWD for file:// URLs +- Revert "checksrc: fix regexp for ASSIGNWITHINCONDITION" - This way, we always have exactly one slash after the host name, making - the tests pass when curl is compiled with the MSYS GCC. + This reverts commit ba82673dac3e8d00a76aa5e3779a0cb80e7442af. - Closes https://github.com/curl/curl/pull/4512 + Bug: #4683 -- tests: add `connect to non-listen` keywords - - These tests try to connect to ports nothing is listening on. +- KNOWN_BUGS: TLS session cache doesn't work with TFO - Closes https://github.com/curl/curl/pull/4511 + [skip ci] + Closes #4301 -- runtests: get textaware info from curl instead of perl +- KNOWN_BUGS: Connection information when using TCP Fast Open - The MSYS system on Windows can run the test suite for curl built with - any toolset. When built with the MSYS GCC, curl uses Unix line endings, - while it uses Windows line endings when built with the MinGW GCC, and - `^O` reports 'msys' in both cases. Use the curl executable itself to - determine the line endings instead, which reports 'x86_64-pc-msys' when - built with the MSYS GCC. 
+ Also point to #4296 for more details + Closes #4296 + +- KNOWN_BUGS: LDAP on Windows doesn't work - Closes https://github.com/curl/curl/pull/4506 + Closes #4261 -Daniel Stenberg (20 Oct 2019) -- [Michał Janiszewski brought this change] +- docs: TLS SRP doesn't work with TLS 1.3 + + Reported-by: sayrer on github + Closes #4262 + [skip ci] - appveyor: Add MSVC ARM64 build +Dan Fandrich (16 Dec 2019) +- cirrus: Switch to the FreeBSD 12.1 point release & enable more tests. - Closes #4507 + A few tests are now passing on FreeBSD, so no longer skip them. + [skip ci] -- http2_recv: a closed stream trumps pause state +Daniel Stenberg (16 Dec 2019) +- azure: the macos cmake doesn't need to install cmake - ... and thus should return 0, not EAGAIN. + Error: cmake 3.15.5 is already installed + To upgrade to 3.16.1, run `brew upgrade cmake`. - Reported-by: Tom van der Woerdt - Fixes #4496 - Closes #4505 + Closes #4723 -- http2: expire a timeout at end of stream +Jay Satiro (15 Dec 2019) +- winbuild: Document CURL_STATICLIB requirement for static libcurl - To make sure that transfer is being dealt with. Streams without - Content-Length need a final read to notice the end-of-stream state. + A static libcurl (ie winbuild mode=static) requires that the user define + CURL_STATICLIB when using it in their application. This is already + covered in the FAQ and INSTALL.md, but is a pretty important point so + now it's noted in the BUILD.WINDOWS.txt as well. - Reported-by: Tom van der Woerdt - Fixes #4496 - -Dan Fandrich (18 Oct 2019) -- travis: Add an ARM64 build + Assisted-by: Michael Vittiglio - Test 323 is failing for some reason, so disable it there for now. + Closes https://github.com/curl/curl/pull/4721 -Marcel Raad (18 Oct 2019) -- examples/sslbackend: fix -Wchar-subscripts warning - - With the `isdigit` implementation that comes with MSYS2, the argument - is used as an array subscript, resulting in a -Wchar-subscripts - warning. 
`isdigit`'s behavior is undefined if the argument is negative - and not EOF [0]. As done in lib/curl_ctype.h, cast the `char` variable - to `unsigned char` to avoid that. +Daniel Stenberg (15 Dec 2019) +- [Santino Keupp brought this change] + + libssh2: add support for ECDSA and ed25519 knownhost keys - [0] https://en.cppreference.com/w/c/string/byte/isdigit + ... if a new enough libssh2 version is present. - Closes https://github.com/curl/curl/pull/4503 + Source: https://curl.haxx.se/mail/archive-2019-12/0023.html + Co-Authored-by: Daniel Stenberg + Closes #4714 -Daniel Stenberg (18 Oct 2019) -- configure: remove all cyassl references +- lib1591: free memory properly on OOM, in the trailers callback - In particular, this removes the case where configure would find an old - cyall installation rather than a wolfssl one if present. The library is - named wolfssl in modern days so there's no real need to keep support for - the former. + Detected by torture tests. - Reported-by: Jacob Barthelmeh - Closes #4502 + Closes #4720 -Marcel Raad (17 Oct 2019) -- test1162: disable MSYS2's POSIX path conversion +- runtests: --repeat=[num] to repeat tests - This avoids MSYS2 converting the backslasb in the URL to a slash, - causing the test to fail. + Closes #4715 -Daniel Stenberg (17 Oct 2019) - RELEASE-NOTES: synced -Jay Satiro (16 Oct 2019) -- CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time - - Prior to this change some users did not understand that the "request" - starts when the handle is added to the multi handle, or probably they - did not understand that some of those transfers may be queued and that - time is included in timeout. +- azure: add a torture test on mac - Reported-by: Jeroen Ooms + Uses --shallow=25 to keep it small enough to get through in time. 
- Fixes https://github.com/curl/curl/issues/4486 - Closes https://github.com/curl/curl/pull/4489 - -- [Stian Soiland-Reyes brought this change] + Closes #4712 - tool_operate: Fix retry sleep time shown to user when Retry-After +- multi: free sockhash on OOM - - If server header Retry-After is being used for retry sleep time then - show that value to the user instead of the normal retry sleep time. + This would otherwise leak memory in the error path. - This is a follow-up to 640b973 (7.66.0) which changed curl tool so that - the value from Retry-After header overrides other retry timing options. + Detected by torture test 1540. - Closes https://github.com/curl/curl/pull/4498 + Closes #4713 -Daniel Stenberg (16 Oct 2019) -- url: normalize CURLINFO_EFFECTIVE_URL - - The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as - input in most cases, which made it not get a scheme prefixed like before - if the URL was given without one, and it didn't remove dotdot sequences - etc. - - Added test case 1907 to verify that this now works as intended and as - before 7.62.0. +Marcel Raad (13 Dec 2019) +- tests: use DoH feature for DoH tests - Regression introduced in 7.62.0 + Previously, http/2 was used instead. - Reported-by: Christophe Dervieux - Fixes #4491 - Closes #4493 + Assisted-by: Jay Satiro + Closes https://github.com/curl/curl/pull/4692 -Marcel Raad (16 Oct 2019) -- tests: line ending fixes for Windows +- hostip: suppress compiler warning - Mark some files as text. + With `--disable-doh --disable-threaded-resolver`, the `dns` parameter + is not used. - Closes https://github.com/curl/curl/pull/4490 + Closes https://github.com/curl/curl/pull/4692 -- tests: use proxy feature - - This makes the tests succeed when using --disable-proxy. 
+- tests: fix build with `CURL_DISABLE_DOH` - Closes https://github.com/curl/curl/pull/4488 + Closes https://github.com/curl/curl/pull/4692 -- smbserver: fix Python 3 compatibility +Daniel Stenberg (13 Dec 2019) +- azure: add a torture test - Python 2's `ConfigParser` module is spelled `configparser` in Python 3. + Skipping all FTP tests for speed reasons. - Closes https://github.com/curl/curl/pull/4484 + Closes #4697 -- security: silence conversion warning +- azure: make the default build use --enable-debug --enable-werror + +- ntlm_wb: fix double-free in OOM - With MinGW-w64, `curl_socket_t` is is a 32 or 64 bit unsigned integer, - while `read` expects a 32 bit signed integer. - Use `sread` instead of `read` to use the correct parameter type. + Detected by torture testing test 1310 - Closes https://github.com/curl/curl/pull/4483 + Closes #4710 -- connect: silence sign-compare warning - - With MinGW-w64 using WinSock, `curl_socklen_t` is signed, while the - result of `sizeof` is unsigned. +Dan Fandrich (13 Dec 2019) +- cirrus: Drop the FreeBSD 10.4 build - Closes https://github.com/curl/curl/pull/4483 + Upstream support for 10.4 ended a year ago, and it looks like the image + is now gone, too. + [skip ci] -Daniel Stenberg (13 Oct 2019) -- TODO: Handle growing SFTP files +Daniel Stenberg (13 Dec 2019) +- unit1620: fix bad free in OOM - Closes #4344 + Closes #4709 -- KNOWN_BUGS: remove "CURLFORM_CONTENTLEN in an array" +- unit1609: fix mem-leak in OOM - The curl_formadd() function is deprecated and shouldn't be used so the - real fix for applications is to switch to the curl_mime_* API. 
+ Closes #4709 -- KNOWN_BUGS: "LDAP on Windows does authentication wrong" +- unit1607: fix mem-leak in OOM - Closes #3116 + Closes #4709 -- appveyor: add a winbuild that uses VS2017 +- lib1559: fix mem-leak in OOM - Closes #4482 + Closes #4709 -- [Harry Sintonen brought this change] +- lib1557: fix mem-leak in OOM + + Closes #4709 - socketpair: fix include and define for older TCP header systems +- altsvc: make the save function ignore NULL filenames - fixed build for systems that need netinet/in.h for IPPROTO_TCP and are - missing INADDR_LOOPBACK + It might happen in OOM situations. Detected bv torture tests. - Closes #4480 + Closes #4707 -- socketpair: fix double-close in error case +- curl: fix memory leak in OOM in etags logic - Follow-up to bc2dbef0afc08 - -- gskit: use the generic Curl_socketpair - -- asyn-thread: make use of Curl_socketpair() where available + Detected by torture tests + + Closes #4706 -- socketpair: an implemention for Windows and more +- doh: make it behave when built without proxy support - Curl_socketpair() is designed to be used and work everywhere if there's - no native version or the native version isn't good enough. + Reported-by: Marcel Raad + Bug: https://github.com/curl/curl/pull/4692#issuecomment-564115734 - Closes #4466 - -- RELEASE-NOTES: synced + Closes #4704 -- connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT - - Previosly all connect() failures would return CURLE_COULDNT_CONNECT, no - matter what errno said. +- curl: improved cleanup in upload error path - This makes for example --retry work on these transfer failures. + Memory leak found by torture test 58 - Reported-by: Nathaniel J. Smith - Fixes #4461 - Clsoes #4462 + Closes #4705 -- cirrus: switch off blackhole status on the freebsd CI machines +- mailmap: fix Andrew Ishchuk -- tests: use port 2 instead of 60000 for a safer non-listening port +- travis: make torture use --shallow=40 - ... when the tests want "connection refused". 
+ As a first step to enable it to run over a more diverse set of tests in + a reasonable time. -- KNOWN_BUGS: IDN tests failing on Windows +- runtests: introduce --shallow to reduce huge torture tests - Closes #3747 - -Dan Fandrich (9 Oct 2019) -- cirrus: Increase the git clone depth. + When set, shallow mode limits runtests -t to make no more than NUM fails + per test case. If more are found, it will randomly discard entries until + the number is right. The random seed can also be set. - If more commits are submitted to master between the time of triggering - the first Cirrus build and the time the final build gets started, the - desired commit is no longer at HEAD and the build will error out. - [skip ci] - -Daniel Stenberg (9 Oct 2019) -- docs: make sure the --no-progress-meter docs file is in dist too + This is particularly useful when running MANY tests as then most torture + failures will already fail the same functions over and over and make the + total operation painfully tedious. + + Closes #4699 -- docs: document it as --no-progress-meter instead of the reverse +- conncache: CONNECT_ONLY connections assumed always in-use - Follow-up to 93373a960c3bb4 + This makes them never to be considered "the oldest" to be discarded when + reaching the connection cache limit. The reasoning here is that + CONNECT_ONLY is primarily used in combination with using the + connection's socket post connect and since that is used outside of + curl's knowledge we must assume that it is in use until explicitly + closed. - Reported-by: infinnovation-dev on github - Fixes #4474 - Closes #4475 + Reported-by: Pavel Pavlov + Reported-by: Pavel Löbl + Fixes #4426 + Fixes #4369 + Closes #4696 -Dan Fandrich (9 Oct 2019) -- cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build. - - Also, select the images using image_family to get the latest snapshots - automatically. 
- [skip ci] +- [Gisle Vanem brought this change] -Daniel Stenberg (8 Oct 2019) -- curl: --no-progress-meter + vtls: make BearSSL possible to set with CURL_SSL_BACKEND - New option that allows a user to ONLY switch off curl's progress meter - and leave everything else in "talkative" mode. + Ref: https://github.com/curl/curl/commit/9b879160df01e7ddbb4770904391d3b74114302b#commitcomment-36355622 - Reported-by: Piotr Komborski - Fixes #4422 - Closes #4470 + Closes #4698 -- TODO: Consult %APPDATA% also for .netrc - - Closes #4016 +- RELEASE-NOTES: synced -- CURLOPT_TIMEOUT.3: remove the mention of "minutes" +- travis: remove "coverage", make it "torture" - ... just say that limiting operations risk aborting otherwise fine - working transfers. If that means seconds, minutes or hours, we leave to - the user. + The coveralls service and test coverage numbers are just too unreliable. + Removed badge from README.md as well. - Reported-by: Martin Gartner - Closes #4469 - -- [Andrei Valeriu BICA brought this change] + Fixes #4694 + Closes #4695 - docs: added multi-event.c example +- azure: add libssh2 and cmake macos builds - Similar to multi-uv.c but using libevent 2. This is a simpler libevent - integration example then hiperfifo.c. + Removed the macos libssh2 build from travis - Closes #4471 - -Jay Satiro (5 Oct 2019) -- [Nicolas brought this change] + Closes #4686 - ldap: fix OOM error on missing query string +- curl: use errorf() better - - Allow missing queries, don't return NO_MEMORY error in such a case. + Change series of error outputs to use errorf(). - It is acceptable for there to be no specified query string, for example: + Only errors that are due to mistakes in command line option usage should + use helpf(), other types of errors in the tool should rather use + errorf(). 
- curl ldap://ldap.forumsys.com + Closes #4691 + +Jay Satiro (9 Dec 2019) +- [Marc Hoersken brought this change] + + tests: make it possible to set executable extensions - A regression bug in 1b443a7 caused this issue. + This enables the use of Windows Subsystem for Linux (WSL) to run the + testsuite against Windows binaries while using Linux servers. - This is a partial fix for #4261. + This commit introduces the following environment variables: + - CURL_TEST_EXE_EXT: set the executable extension for all components + - CURL_TEST_EXE_EXT_TOOL: set it for the curl tool only + - CURL_TEST_EXE_EXT_SSH: set it for the SSH tools only - Bug: https://github.com/curl/curl/issues/4261#issuecomment-525543077 - Reported-by: Jojojov@users.noreply.github.com - Analyzed-by: Samuel Surtees + Later testcurl.pl could be adjusted to make use of those variables. + - CURL_TEST_EXE_EXT_SRV: set it for the test servers only - Closes https://github.com/curl/curl/pull/4467 + (This is one of several commits to support use of WSL for the tests.) + + Closes https://github.com/curl/curl/pull/3899 -- [Paul B. Omta brought this change] +- [Marc Hoersken brought this change] - build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines + tests: fix permissions of ssh keys in WSL - Closes https://github.com/curl/curl/pull/4460 - -Daniel Stenberg (5 Oct 2019) -- RELEASE-NOTES: synced + Keys created on Windows Subsystem for Linux (WSL) require it for some + reason. + + (This is one of several commits to support use of WSL for the tests.) + + Ref: https://github.com/curl/curl/pull/3899 -- [Stian Soiland-Reyes brought this change] +- [Marc Hoersken brought this change] - curl: ensure HTTP 429 triggers --retry + tests: use \r\n for log messages in WSL - This completes #3794. + Bash in Windows Subsystem for Linux (WSL) requires it for some reason. - Also make sure the new tests from #4195 are enabled + (This is one of several commits to support use of WSL for the tests.) 
- Closes #4465 + Ref: https://github.com/curl/curl/pull/3899 -Marcel Raad (4 Oct 2019) -- [apique brought this change] +- [Andrew Ishchuk brought this change] - winbuild: add ENABLE_UNICODE option + winbuild: Define CARES_STATICLIB when WITH_CARES=static - Fixes https://github.com/curl/curl/issues/4308 - Closes https://github.com/curl/curl/pull/4309 - -Daniel Stenberg (4 Oct 2019) -- ngtcp2: adapt to API change + When libcurl is built with MODE=static, c-ares is forced into static + linkage too. That doesn't happen when MODE=dll so linker would break + over undefined symbols. - Closes #4457 + closes https://github.com/curl/curl/pull/4688 -- cookies: change argument type for Curl_flush_cookies - - The second argument is really a 'bool' so use that and pass in TRUE/FALSE - to make it clear. +Daniel Stenberg (9 Dec 2019) +- conn: always set bits.close with connclose() - Closes #4455 + Closes #4690 -- http2: move state-init from creation to pre-transfer - - To make sure that the HTTP/2 state is initialized correctly for - duplicated handles. It would otherwise easily generate "spurious" - PRIORITY frames to get sent over HTTP/2 connections when duplicated easy - handles were used. - - Reported-by: Daniel Silverstone - Fixes #4303 - Closes #4442 +- cirrus: enable clang sanitizers on freebsd 13 -- urlapi: fix use-after-free bug - - Follow-up from 2c20109a9b5d04 - - Added test 663 to verify. +- conncache: fix multi-thread use of shared connection cache - Reported by OSS-Fuzz - Bug: https://crbug.com/oss-fuzz/17954 + It could accidentally let the connection get used by more than one + thread, leading to double-free and more. - Closes #4453 - -- [Paul Dreik brought this change] + Reported-by: Christopher Reid + Fixes #4544 + Closes #4557 - cookie: avoid harmless use after free - - This fix removes a use after free which can be triggered by - the internal cookie fuzzer, but otherwise is probably - impossible to trigger from an ordinary application. 
- - The following program reproduces it: - - curl_global_init(CURL_GLOBAL_DEFAULT); - CURL* handle=curl_easy_init(); - CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false); - curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null"); - Curl_flush_cookies(handle, true); - Curl_cookie_cleanup(info); - curl_easy_cleanup(handle); - curl_global_cleanup(); - - This was found through fuzzing. +- azure: add a vanilla macos build - Closes #4454 - -- [Denis Chaplygin brought this change] + Closes #4685 - docs: add note on failed handles not being counted by curl_multi_perform +- curl: make the etag load logic work without fseek - Closes #4446 + The fseek()s were unnecessary and caused Coverity warning CID 1456554 + + Closes #4681 -- CURLMOPT_MAX_CONCURRENT_STREAMS.3: fix SEE ALSO typo +- mailmap: Mohammad Hasbini -- [Niall O'Reilly brought this change] +- [Mohammad Hasbini brought this change] - ESNI: initial build/setup + docs: fix some typos - Closes #4011 + Closes #4680 - RELEASE-NOTES: synced -- redirect: when following redirects to an absolute URL, URL encode it +Jay Satiro (5 Dec 2019) +- lib: fix some loose ends for recently added CURLSSLOPT_NO_PARTIALCHAIN - ... to make it handle for example (RFC violating) embeded spaces. + Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS + and OS400 package spec. - Reported-by: momala454 on github - Fixes #4445 - Closes #4447 - -- urlapi: fix URL encoding when setting a full URL - -- tool_operate: rename functions to make more sense - -- curl: create easy handles on-demand and not ahead of time + Also I added the option to the NameValue list in the tool even though it + isn't exposed as a command-line option (...yet?). (NameValue stringizes + the option name for the curl cmd -> libcurl source generator) - This should again enable crazy-large download ranges of the style - [1-10000000] that otherwise easily ran out of memory starting in 7.66.0 - when this new handle allocating scheme was introduced. 
+ Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN. - Reported-by: Peter Sumatra - Fixes #4393 - Closes #4438 + Ref: https://github.com/curl/curl/pull/4655 -- [Kunal Ekawde brought this change] +- setopt: Fix ALPN / NPN user option when built without HTTP2 + + - Stop treating lack of HTTP2 as an unknown option error result for + CURLOPT_SSL_ENABLE_ALPN and CURLOPT_SSL_ENABLE_NPN. + + Prior to this change it was impossible to disable ALPN / NPN if libcurl + was built without HTTP2. Setting either option would result in + CURLE_UNKNOWN_OPTION and the respective internal option would not be + set. That was incorrect since ALPN and NPN are used independent of + HTTP2. + + Reported-by: Shailesh Kapse + + Fixes https://github.com/curl/curl/issues/4668 + Closes https://github.com/curl/curl/pull/4672 - CURLMOPT_MAX_CONCURRENT_STREAMS: new setopt +Daniel Stenberg (5 Dec 2019) +- etag: allow both --etag-compare and --etag-save in same cmdline - Closes #4410 + Fixes #4669 + Closes #4678 -- chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error +Marcel Raad (5 Dec 2019) +- curl_setup: fix `CURLRES_IPV6` condition - Unknown content-encoding would get returned as CURLE_WRITE_ERROR if the - response is chunked-encoded. + Move the definition of `CURLRES_IPV6` to before undefining + `HAVE_GETADDRINFO`. Regression from commit 67a08dca27a which caused + some tests to fail and others to be skipped with c-ares. - Reported-by: Ilya Kosarev - Fixes #4310 - Closes #4449 + Fixes https://github.com/curl/curl/issues/4673 + Closes https://github.com/curl/curl/pull/4677 -Marcel Raad (1 Oct 2019) -- checksrc: fix uninitialized variable warning +Daniel Stenberg (5 Dec 2019) +- test342: make it return a 304 as the tag matches + +Peter Wu (4 Dec 2019) +- CMake: add support for building with the NSS vtls backend - The loop doesn't need to be executed without a file argument. + Options are cross-checked with configure.ac and acinclude.m4. 
+ Tested on Arch Linux, untested on other platforms like Windows or macOS. - Closes https://github.com/curl/curl/pull/4444 + Closes #4663 + Reviewed-by: Kamil Dudka -- urlapi: fix unused variable warning +Daniel Stenberg (4 Dec 2019) +- azure: add more builds - `dest` is only used with `ENABLE_IPV6`. + ... removed two from travis (that now runs on azure instead) - Closes https://github.com/curl/curl/pull/4444 + Closes #4671 -- lib: silence conversion warnings - - Closes https://github.com/curl/curl/pull/4444 +- CURLOPT_VERBOSE.3: see also ERRORBUFFER -- AppVeyor: add 32-bit MinGW-w64 build +- hostip4.c: bump copyright year range + +Marcel Raad (3 Dec 2019) +- configure: enable IPv6 support without `getaddrinfo` - With WinSSL and testing enabled so that it would have detected most of - the warnings fixed in [0] and [1]. + This makes it possible to recognize and connect to literal IPv6 + addresses when `getaddrinfo` is not available, which is already the + case for the CMake build. This affects e.g. classic MinGW because it + still targets Windows 2000 by default, where `getaddrinfo` is not + available, but general IPv6 support is. - [0] https://github.com/curl/curl/pull/4398 - [1] https://github.com/curl/curl/pull/4415 + Instead of checking for `getaddrinfo`, check for `sockaddr_in6` as the + CMake build does. - Closes https://github.com/curl/curl/pull/4433 + Closes https://github.com/curl/curl/pull/4662 -- AppVeyor: remove MSYS2_ARG_CONV_EXCL for winbuild +- curl_setup: disable IPv6 resolver without `getaddrinfo` - It's only used for MSYS2 with MinGW. + Also, use `CURLRES_IPV6` only for actual DNS resolution, not for IPv6 + address support. This makes it possible to connect to IPv6 literals by + setting `ENABLE_IPV6` even without `getaddrinfo` support. It also fixes + the CMake build when using the synchronous resolver without + `getaddrinfo` support. 
- Closes + Closes https://github.com/curl/curl/pull/4662 -Daniel Stenberg (30 Sep 2019) -- [Emil Engler brought this change] +Daniel Stenberg (3 Dec 2019) +- github action/azure pipeline: run 'make test-nonflaky' for tests + + To match travis and give more info on failures. - git: add tests/server/disabled to .gitignore +- openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains - Closes #4441 + Closes #4655 -- altsvc: accept quoted ma and persist values +- openssl: set X509_V_FLAG_PARTIAL_CHAIN - As mandated by the spec. Test 1654 is extended to verify. + Have intermediate certificates in the trust store be treated as + trust-anchors, in the same way as self-signed root CA certificates + are. This allows users to verify servers using the intermediate cert + only, instead of needing the whole chain. - Closes #4443 + Other TLS backends already accept partial chains. + + Reported-by: Jeffrey Walton + Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html -- mailmap: a Lucas fix +- curl: show better error message when no homedir is found + + Reported-by: Vlastimil Ovčáčík + Fixes #4644 + Closes #4665 -Alessandro Ghedini (29 Sep 2019) -- [Lucas Pardue brought this change] +- OPENSOCKETFUNCTION.3: correct the purpose description + + Reported-by: Jeff Mears + Bug: https://curl.haxx.se/mail/lib-2019-12/0007.html + + Closes #4667 - quiche: update HTTP/3 config creation to new API +- [Peter Wu brought this change] -Daniel Stenberg (29 Sep 2019) -- BINDINGS: PureBasic, Net::Curl for perl and Nim + travis: do not use OVERRIDE_CC or OVERRIDE_CXX if empty + + Fixes the macOS builds where OVERRIDE_CC and OVERRIDE_CXX are not set. 
+ + Reported-by: Jay Satiro + Fixes #4659 + Closes #4661 + Closes #4664 -- BINDINGS: Kapito is an Erlang library, basically a binding +- azure-pipelines: fix the test script -- BINDINGS: added clj-curl +- Azure Pipelines: initial CI setup - Reported-by: Lucas Severo + [skip ci] -- [Jay Satiro brought this change] +- docs: add "added: 7.68.0" to the --etag-* docs - docs: disambiguate CURLUPART_HOST is for host name (ie no port) +- copyright: fix the year ranges for two files - Closes #4424 + Follow-up to 9c1806ae -- cookies: using a share with cookies shouldn't enable the cookie engine +Jay Satiro (1 Dec 2019) +- build: Disable Visual Studio warning "conditional expression is constant" - The 'share object' only sets the storage area for cookies. The "cookie - engine" still needs to be enabled or activated using the normal cookie - options. + - Disable warning C4127 "conditional expression is constant" globally + in curl_setup.h for when building with Microsoft's compiler. - This caused the curl command line tool to accidentally use cookies - without having been told to, since curl switched to using shared cookies - in 7.66.0. + This mainly affects building with the Visual Studio project files found + in the projects dir. - Test 1166 verifies + Prior to this change the cmake and winbuild build systems already + disabled 4127 globally for when building with Microsoft's compiler. + Also, 4127 was already disabled for all build systems in the limited + circumstance of the WHILE_FALSE macro which disabled the warning + specifically for while(0). This commit removes the WHILE_FALSE macro and + all other cruft in favor of disabling globally in curl_setup. - Updated test 506 + Background: - Fixes #4429 - Closes #4434 - -- setopt: handle ALTSVC set to NULL - -- RELEASE-NOTES: synced - -- [grdowns brought this change] - - INSTALL: add vcpkg installation instructions + We have various macros that cause 0 or 1 to be evaluated, which would + cause warning C4127 in Visual Studio. 
For example this causes it: - Closes #4435 - -- [Zenju brought this change] - - FTP: add test for FTPFILE_NOCWD: Avoid redundant CWDs + #define Curl_resolver_asynch() 1 - Add libtest 661 + Full behavior is not clearly defined and inconsistent across versions. + However it is documented that since VS 2015 Update 3 Microsoft has + addressed this somewhat but not entirely, not warning on while(true) for + example. - Closes #4417 - -- [Zenju brought this change] - - FTP: url-decode path before evaluation + Prior to this change some C4127 warnings occurred when I built with + Visual Studio using the generated projects in the projects dir. - Closes #4428 + Closes https://github.com/curl/curl/pull/4658 -Marcel Raad (27 Sep 2019) -- tests: fix narrowing conversion warnings +- openssl: retrieve reported LibreSSL version at runtime - `timediff_t` is 64 bits wide also on 32-bit systems since - commit b1616dad8f0. + - Retrieve LibreSSL runtime version when supported (>= 2.7.1). - Closes https://github.com/curl/curl/pull/4415 - -Jay Satiro (27 Sep 2019) -- [julian brought this change] - - vtls: Fix comment typo about macosx-version-min compiler flag + For earlier versions we continue to use the compile-time version. - Closes https://github.com/curl/curl/pull/4425 - -Daniel Stenberg (26 Sep 2019) -- [Yechiel Kalmenson brought this change] - - README: minor grammar fix + Ref: https://man.openbsd.org/OPENSSL_VERSION_NUMBER.3 - Closes #4431 - -- [Spezifant brought this change] + Closes https://github.com/curl/curl/pull/2425 - HTTP3: fix prefix parameter for ngtcp2 build +- strerror: Add Curl_winapi_strerror for Win API specific errors - Closes #4430 - -- quiche: don't close connection at end of stream! - -- quiche: set 'drain' when returning without having drained the queues - -- Revert "FTP: url-decode path before evaluation" + - In all code call Curl_winapi_strerror instead of Curl_strerror when + the error code is known to be from Windows GetLastError. 
- This reverts commit 2f036a72d543e96128bd75cb0fedd88815fd42e2. + Curl_strerror prefers CRT error codes (errno) over Windows API error + codes (GetLastError) when the two overlap. When we know the error code + is from GetLastError it is more accurate to prefer the Windows API error + messages. + + Reported-by: Richard Alcock + + Fixes https://github.com/curl/curl/issues/4550 + Closes https://github.com/curl/curl/pull/4581 -- HTTP3: merged and simplified the two 'running' sections +Daniel Stenberg (2 Dec 2019) +- global_init: undo the "intialized" bump in case of failure + + ... so that failures in the global init function don't count as a + working init and it can then be called again. + + Reported-by: Paul Groke + Fixes #4636 + Closes #4653 -- HTTP3: show an --alt-svc using example too +- parsedate: offer a getdate_capped() alternative + + ... and use internally. This function will return TIME_T_MAX instead of + failure if the parsed data is found to be larger than what can be + represented. TIME_T_MAX being the largest value curl can represent. + + Reviewed-by: Daniel Gustafsson + Reported-by: JanB on github + Fixes #4152 + Closes #4651 -- [Zenju brought this change] +- docs: add more references to curl_multi_poll + + Fixes #4643 + Closes #4652 - FTP: url-decode path before evaluation +- sha256: bump the copyright year range - Closes #4423 + Follow-up from 66e21520f -- openssl: use strerror on SSL_ERROR_SYSCALL +Daniel Gustafsson (28 Nov 2019) +- curl_setup_once: consistently use WHILE_FALSE in macros - Instead of showing the somewhat nonsensical errno number, use strerror() - to provide a more relatable error message. + The WHILE_FALSE construction is used to avoid compiler warnings in + macro constructions. This fixes a few instances where it was not + used in order to keep the code consistent. 
- Closes #4411 + Closes #4649 + Reviewed-by: Daniel Stenberg -- HTTP3: update quic.aiortc.org + add link to server list - - Reported-by: Jeremy Lainé +Daniel Stenberg (28 Nov 2019) +- [Steve Holme brought this change] -Jay Satiro (26 Sep 2019) -- url: don't set appconnect time for non-ssl/non-ssh connections + http_ntlm: Remove duplicate NSS initialisation - Prior to this change non-ssl/non-ssh connections that were reused set - TIMER_APPCONNECT [1]. Arguably that was incorrect since no SSL/SSH - handshake took place. + Given that this is performed by the NTLM code there is no need to + perform the initialisation in the HTTP layer. This also keeps the + initialisation the same as the SASL based protocols and also fixes a + possible compilation issue if both NSS and SSPI were to be used as + multiple SSL backends. - [1]: TIMER_APPCONNECT is publicly known as CURLINFO_APPCONNECT_TIME in - libcurl and %{time_appconnect} in the curl tool. It is documented as - "the time until the SSL/SSH handshake is completed". + Reviewed-by: Kamil Dudka + Closes #3935 + +Daniel Gustafsson (28 Nov 2019) +- checksrc: fix regexp for ASSIGNWITHINCONDITION - Reported-by: Marcel Hernandez + The regexp looking for assignments within conditions was too greedy + and matched a too long string in the case of multiple conditionals + on the same line. This is basically only a problem in single line + macros, and the code which exemplified this was essentially: - Ref: https://github.com/curl/curl/issues/3760 + do { if((x) != NULL) { x = NULL; } } while(0) - Closes https://github.com/curl/curl/pull/3773 - -Daniel Stenberg (25 Sep 2019) -- ngtcp2: remove fprintf() calls + ..where the final parenthesis of while(0) matched the regexp, and + the legal assignment in the block triggered the warning. Fix by + making the regexp less greedy by matching for the tell-tale signs + of the if statement ending. 
- - convert some of them to H3BUF() calls to infof() - - remove some of them completely - - made DEBUG_HTTP3 defined only if CURLDEBUG is set for now + Also remove the one occurrence where the warning was disabled due + to a construction like the above, where the warning didn't apply + when fixed. - Closes #4421 + Closes #4647 + Reviewed-by: Daniel Stenberg -- [Jay Satiro brought this change] +Daniel Stenberg (28 Nov 2019) +- RELEASE-NOTES: synced - url: fix the NULL hostname compiler warning case +- [Maros Priputen brought this change] + + curl: two new command line options for etags - Closes #4403 + --etag-compare and --etag-save + + Suggested-by: Paul Hoffman + Fixes #4277 + Closes #4543 -- [Jay Satiro brought this change] +Daniel Gustafsson (28 Nov 2019) +- docs: fix typos - travis: move the go install to linux-only - - ... to repair the build again - Closes #4403 +Daniel Stenberg (28 Nov 2019) +- mailmap: Niall O'Reilly's name -- altsvc: correct the #ifdef for the ngtcp2 backend +- [Niall O'Reilly brought this change] -- altsvc: save h3 as h3-23 + doh: use dedicated probe slots - Follow-up to d176a2c7e5 - -- urlapi: question mark within fragment is still fragment + ... to easier allow additional DNS transactions. - The parser would check for a query part before fragment, which caused it - to do wrong when the fragment contains a question mark. + Closes #4629 + +- travis: build ngtcp2 with --enable-lib-only - Extended test 1560 to verify. + ... makes it skip the examples and other stuff we don't neeed. - Reported-by: Alex Konev - Fixes #4412 - Closes #4413 + Closes #4646 -- [Alex Samorukov brought this change] +- [David Benjamin brought this change] - HTTP3.md: move -p for mkdir, remove -j for make + ngtcp2: fix thread-safety bug in error-handling - - mkdir on OSX/Darwin requires `-p` argument before dir + ERR_error_string(NULL) should never be called. It places the error in a + global buffer, which is not thread-safe. 
Use ERR_error_string_n with a + local buffer instead. - - portabbly figuring out number of cores is an exercise for somewhere - else + Closes #4645 + +- travis: export the CC/CXX variables when set - Closes #4407 + Suggested-by: Peter Wu + Fixes #4637 + Closes #4640 -Patrick Monnerat (24 Sep 2019) -- os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr, +Marcel Raad (26 Nov 2019) +- dist: add error-codes.pl - As libcurl now uses these 2 system functions, wrappers are needed on os400 - to convert returned AF_UNIX sockaddrs to ascii. + Follow-up to commit 74f441c6d31. + This should fix test 1175 when run via the daily source tarballs. - This is a follow-up to commit 7fb54ef. - See also #4037. - Closes #4214 + Closes https://github.com/curl/curl/pull/4638 -Jay Satiro (24 Sep 2019) -- [Lucas Pardue brought this change] +Daniel Stenberg (26 Nov 2019) +- [John Schroeder brought this change] - strcase: fix raw lowercasing the letter X - - Casing mistake in Curl_raw_tolower 'X' wasn't lowercased as 'x' prior to - this change. + curl: fix --upload-file . hangs if delay in STDIN - Follow-up to 0023fce which added the function several days ago. + Attempt to unpause a busy read in the CURLOPT_XFERINFOFUNCTION. - Ref: https://github.com/curl/curl/pull/4401#discussion_r327396546 + When uploading from stdin in non-blocking mode, a delay in reading + the stream (EAGAIN) causes curl to pause sending data + (CURL_READFUNC_PAUSE). Prior to this change, a busy read was + detected and unpaused only in the CURLOPT_WRITEFUNCTION handler. + This change performs the same busy read handling in a + CURLOPT_XFERINFOFUNCTION handler. 
- Closes https://github.com/curl/curl/pull/4408 + Fixes #2051 + Closes #4599 + Reported-by: bdry on github -Daniel Stenberg (23 Sep 2019) -- http2: Expression 'stream->stream_id != - 1' is always true - - PVS-Studio warning - Fixes #4402 +- [John Schroeder brought this change] -- http2: A value is being subtracted from the unsigned variable + XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE - PVS-Studio warning - Fixes #4402 - -- libssh: part of conditional expression is always true: !result + (also for PROGRESSFUNCTION) - PVS-Studio warning - Fixed #4402 - -- libssh: part of conditional expression is always true + By returning this value from the callback, the internal progress + function call is still called afterward. - PVS-Studio warning - Fixes #4402 + Closes #4599 -- libssh: The expression is excessive or contains a misprint - - PVS-Studio warning - Fixes #4402 +- [Michael Forney brought this change] -- quiche: The expression must be surrounded by parentheses + TLS: add BearSSL vtls implementation - PVS-Studio warning - Fixes #4402 + Closes #4597 -- vauth: The parameter 'status' must be surrounded by parentheses +- curl_multi_wakeup.3: add example and AVAILABILITY - PVS-Studio warning - Fixes #4402 + Reviewed-by: Gergely Nagy + Closes #4635 -- [Paul Dreik brought this change] +- [Gergely Nagy brought this change] - doh: allow only http and https in debug mode + multi: add curl_multi_wakeup() - Otherwise curl may be told to use for instance pop3 to - communicate with the doh server, which most likely - is not what you want. + This commit adds curl_multi_wakeup() which was previously in the TODO + list under the curl_multi_unblock name. - Found through fuzzing. + On some platforms and with some configurations this feature might not be + available or can fail, in these cases a new error code + (CURLM_WAKEUP_FAILURE) is returned from curl_multi_wakeup(). 
- Closes #4406 + Fixes #4418 + Closes #4608 -- [Paul Dreik brought this change] +Jay Satiro (24 Nov 2019) +- [Xiaoyin Liu brought this change] - doh: return early if there is no time left + schannel: fix --tls-max for when min is --tlsv1 or default - Closes #4406 - -- [Barry Pollard brought this change] - - http: lowercase headernames for HTTP/2 and HTTP/3 + Prior to this change schannel ignored --tls-max (CURL_SSLVERSION_MAX_ + macros) when --tlsv1 (CURL_SSLVERSION_TLSv1) or default TLS + (CURL_SSLVERSION_DEFAULT), using a max of TLS 1.2 always. - Closes #4401 - Fixes #4400 + Closes https://github.com/curl/curl/pull/4633 -Marcel Raad (23 Sep 2019) -- vtls: fix narrowing conversion warnings - - Curl_timeleft returns `timediff_t`, which is 64 bits wide also on - 32-bit systems since commit b1616dad8f0. +- checksrc.bat: Add a check for vquic and vssh directories - Closes https://github.com/curl/curl/pull/4398 - -Daniel Stenberg (23 Sep 2019) -- [Joel Depooter brought this change] + Ref: https://github.com/curl/curl/pull/4607 - winbuild: Add manifest to curl.exe for proper OS version detection +- projects: Fix Visual Studio projects SSH builds - This is a small fix to commit ebd213270a017a6830928ee2e1f4a9cabc799898 - in pull request #1221. That commit added the CURL_EMBED_MANIFEST flag to - CURL_RC_FLAGS. However, later in the file CURL_RC_FLAGS is - overwritten. The fix is to append values to CURL_RC_FLAGS instead of - overwriting + - Generate VQUIC and VSSH filenames in Visual Studio project files. - Closes #4399 + Prior to this change generated Visual Studio project configurations that + enabled SSH did not build properly. Broken since SSH files were moved to + lib/vssh 3 months ago in 5b2d703. 
+ + Fixes https://github.com/curl/curl/issues/4492 + Fixes https://github.com/curl/curl/issues/4630 + Closes https://github.com/curl/curl/pull/4607 +Daniel Stenberg (23 Nov 2019) - RELEASE-NOTES: synced -Marcel Raad (22 Sep 2019) -- openssl: fix compiler warning with LibreSSL - - It was already fixed for BoringSSL in commit a0f8fccb1e0. - LibreSSL has had the second argument to SSL_CTX_set_min_proto_version - as uint16_t ever since the function was added in [0]. - - [0] https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda - - Closes https://github.com/curl/curl/pull/4397 - -Daniel Stenberg (22 Sep 2019) -- curl: exit the create_transfers loop on errors - - When looping around the ranges and given URLs to create transfers, all - errors should exit the loop and return. Previously it would keep - looping. +Jay Satiro (22 Nov 2019) +- openssl: Revert to less sensitivity for SYSCALL errors - Reported-by: SumatraPeter on github - Bug: #4393 - Closes #4396 - -Jay Satiro (21 Sep 2019) -- socks: Fix destination host shown on SOCKS5 error + - Disable the extra sensitivity except in debug builds (--enable-debug). - Prior to this change when a server returned a socks5 connect error then - curl would parse the destination address:port from that data and show it - to the user as the destination: + - Improve SYSCALL error message logic in ossl_send and ossl_recv so that + "No error" / "Success" socket error text isn't shown on SYSCALL error. - curld -v --socks5 10.0.3.1:1080 http://google.com:99 - * SOCKS5 communication to google.com:99 - * SOCKS5 connect to IPv4 172.217.12.206 (locally resolved) - * Can't complete SOCKS5 connection to 253.127.0.0:26673. (1) - curl: (7) Can't complete SOCKS5 connection to 253.127.0.0:26673. (1) + Prior to this change 0ab38f5 (precedes 7.67.0) increased the sensitivity + of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were + also considered errors. 
For example, a server that does not send a known + protocol termination point (eg HTTP content length or chunked encoding) + _and_ does not send a TLS termination point (close_notify alert) would + cause an error if it closed the connection. - That's incorrect because the address:port included in the connect error - is actually a bind address:port (typically unused) and not the - destination address:port. This fix changes curl to show the destination - information that curl sent to the server instead: + To be clear that behavior made it into release build 7.67.0 + unintentionally. Several users have reported it as an issue. - curld -v --socks5 10.0.3.1:1080 http://google.com:99 - * SOCKS5 communication to google.com:99 - * SOCKS5 connect to IPv4 172.217.7.14:99 (locally resolved) - * Can't complete SOCKS5 connection to 172.217.7.14:99. (1) - curl: (7) Can't complete SOCKS5 connection to 172.217.7.14:99. (1) + Ultimately the idea is a good one, since it can help prevent against a + truncation attack. Other SSL backends may already behave similarly (such + as Windows native OS SSL Schannel). However much more of our user base + is using OpenSSL and there is a mass of legacy users in that space, so I + think that behavior should be partially reverted and then rolled out + slowly. - curld -v --socks5-hostname 10.0.3.1:1080 http://google.com:99 - * SOCKS5 communication to google.com:99 - * SOCKS5 connect to google.com:99 (remotely resolved) - * Can't complete SOCKS5 connection to google.com:99. (1) - curl: (7) Can't complete SOCKS5 connection to google.com:99. (1) + This commit changes the behavior so that the increased sensitivity is + disabled in all curl builds except curl debug builds (DEBUGBUILD). If + after a period of time there are no major issues then it can be enabled + in dev and release builds with the newest OpenSSL (1.1.1+), since users + using the newest OpenSSL are the least likely to have legacy problems. 
- Ref: https://tools.ietf.org/html/rfc1928#section-6 + Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794 + Reported-by: Bjoern Franke - Closes https://github.com/curl/curl/pull/4394 + Fixes https://github.com/curl/curl/issues/4624 + Closes https://github.com/curl/curl/pull/4623 -Daniel Stenberg (21 Sep 2019) -- travis: enable ngtcp2 h3-23 builds +- [Daniel Stenberg brought this change] -- altsvc: both backends run h3-23 now + openssl: improve error message for SYSCALL during connect - Closes #4395 - -- http: fix warning on conversion from int to bit + Reported-by: Paulo Roberto Tomasi + Bug: https://curl.haxx.se/mail/archive-2019-11/0005.html - Follow-up from 03ebe66d70 + Closes https://github.com/curl/curl/pull/4593 -- urldata: use 'bool' for the bit type on MSVC compilers +Daniel Stenberg (22 Nov 2019) +- test1175: verify symbols-in-versions and libcurl-errors.3 in sync - Closes #4387 - Fixes #4379 + Closes #4628 -- appveyor: upgrade VS2017 to VS2019 +- include: make CURLE_HTTP3 use a new error code - Closes #4383 + To avoid potential issues with error code reuse. + + Reported-by: Christoph M. Becker + Assisted-by: Dan Fandrich + Fixes #4601 + Closes #4627 -- [Zenju brought this change] +- bump: next release will be 7.68.0 - FTP: FTPFILE_NOCWD: avoid redundant CWDs +- curl: add --parallel-immediate - Closes #4382 - -- cookie: pass in the correct cookie amount to qsort() + Starting with this change when doing parallel transfers, without this + option set, curl will prefer to create new transfers multiplexed on an + existing connection rather than creating a brand new one. - As the loop discards cookies without domain set. This bug would lead to - qsort() trying to sort uninitialized pointers. We have however not found - it a security problem. + --parallel-immediate can be set to tell curl to prefer to use new + connections rather than to wait and try to multiplex. 
- Reported-by: Paul Dreik - Closes #4386 + libcurl-wise, this means that curl will set CURLOPT_PIPEWAIT by default + on parallel transfers. + + Suggested-by: Tom van der Woerdt + Closes #4500 -- [Paul Dreik brought this change] +Daniel Gustafsson (20 Nov 2019) +- [Victor Magierski brought this change] - urlapi: avoid index underflow for short ipv6 hostnames - - If the input hostname is "[", hlen will underflow to max of size_t when - it is subtracted with 2. + docs: fix typos - hostname[hlen] will then cause a warning by ubsanitizer: + Change 'experiemental' to 'experimental'. - runtime error: addition of unsigned offset to 0x overflowed to - 0x + Closes #4618 + Reviewed-by: Daniel Gustafsson + +Jay Satiro (18 Nov 2019) +- projects: Fix Visual Studio wolfSSL configurations - I think that in practice, the generated code will work, and the output - of hostname[hlen] will be the first character "[". + - s/USE_CYASSL/USE_WOLFSSL/ - This can be demonstrated by the following program (tested in both clang - and gcc, with -O3) + - Remove old compatibility macros. - int main() { - char* hostname=strdup("["); - size_t hlen = strlen(hostname); - - hlen-=2; - hostname++; - printf("character is %d\n",+hostname[hlen]); - free(hostname-1); - } - - I found this through fuzzing, and even if it seems harmless, the proper - thing is to return early with an error. - - Closes #4389 + Follow-up to 1c6c59a from several months ago when CyaSSL named symbols + were renamed to wolfSSL. The wolfSSL library was formerly named CyaSSL + and we kept using their old name for compatibility reasons, until + earlier this year. 
-- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (18 Nov 2019) +- RELEASE-NOTES: synced - ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23 - - Closes #4392 +- [Javier Blazquez brought this change] -- THANKS-filter: deal with my typos 'Jat' => 'Jay' + ngtcp2: use overflow buffer for extra HTTP/3 data + + Fixes #4525 + Closes #4603 -- travis: use go master +- altsvc: bump to h3-24 - ... as the boringssl builds needs a very recent version + ... as both ngtcp2 and quiche now support that in their master branches - Co-authored-by: Jat Satiro - Closes #4361 + Closes #4604 -- tool_operate: removed unused variable 'done' +- ngtcp2: free used resources on disconnect - Fixes warning detected by PVS-Studio - Fixes #4374 + Fixes #4614 + Closes #4615 -- tool_operate: Expression 'config->resume_from' is always true +- ngtcp2: handle key updates as ngtcp2 master branch tells us - Fixes warning detected by PVS-Studio - Fixes #4374 - -- tool_getparam: remove duplicate switch case + Reviewed-by: Tatsuhiro Tsujikawa - Fixes warning detected by PVS-Studio - Fixes #4374 + Fixes #4612 + Closes #4613 -- libssh2: part of conditional expression is always true: !result - - Fixes warning detected by PVS-Studio - Fixes #4374 +Jay Satiro (17 Nov 2019) +- [Gergely Nagy brought this change] -- urlapi: Expression 'storep' is always true + multi: Fix curl_multi_poll wait when extra_fds && !extra_nfds - Fixes warning detected by PVS-Studio - Fixes #4374 - -- urlapi: 'scheme' is always true + Prior to this change: - Fixes warning detected by PVS-Studio - Fixes #4374 - -- urlapi: part of conditional expression is always true: (relurl[0] == '/') + The check if an extra wait is necessary was based not on the + number of extra fds but on the pointer. 
- Fixes warning detected by PVS-Studio - Fixes #4374 - -- setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly + If a non-null pointer was given in extra_fds, but extra_nfds + was zero, then the wait was skipped even though poll was not + called. - Fixes bug detected by PVS-Studio - Fixes #4374 + Closes https://github.com/curl/curl/pull/4610 -- mime: make Curl_mime_duppart() assert if called without valid dst +- lib: Move lib/ssh.h -> lib/vssh/ssh.h - Fixes warning detected by PVS-Studio - Fixes #4374 - -- http_proxy: part of conditional expression is always true: !error + Follow-up to 5b2d703 which moved ssh source files to vssh. - Fixes warning detected by PVS-Studio - Fixes #4374 + Closes https://github.com/curl/curl/pull/4609 -- imap: merged two case-branches performing the same action - - Fixes warning detected by PVS-Studio - Fixes #4374 +Daniel Stenberg (16 Nov 2019) +- [Andreas Falkenhahn brought this change] -- multi: value '2L' is assigned to a boolean + INSTALL.md: provide Android build instructions - Fixes warning detected by PVS-Studio - Fixes #4374 + Closes #4606 -- easy: part of conditional expression is always true: !result - - Fixes warning detected by PVS-Studio - Fixes #4374 +- [Niall O'Reilly brought this change] -- netrc: part of conditional expression is always true: !done + doh: improced both encoding and decoding - Fixes warning detected by PVS-Studio - Fixes #4374 - -- version: Expression 'left > 1' is always true + Improved estimation of expected_len and updated related comments; + increased strictness of QNAME-encoding, adding error detection for empty + labels and names longer than the overall limit; avoided treating DNAME + as unexpected; - Fixes warning detected by PVS-Studio - Fixes #4374 - -- url: remove dead code + updated unit test 1655 with more thorough set of proofs and tests - Fixes warning detected by PVS-Studio - Fixes #4374 + Closes #4598 -- url: part of expression is always true: (bundle->multiuse == 0) +- ngtcp2: increase QUIC 
window size when data is consumed - Fixes warning detected by PVS-Studio - Fixes #4374 + Assisted-by: Javier Blazquez + Ref #4525 (partial fix) + Closes #4600 -- ftp: the conditional expression is always true +- [Melissa Mears brought this change] + + config-win32: cpu-machine-OS for Windows on ARM - ... both !result and (ftp->transfer != FTPTRANSFER_BODY)! + Define the OS macro properly for Windows on ARM builds. Also, we might + as well add the GCC-style IA-64 macro. - Fixes warning detected by PVS-Studio - Fixes #4374 + Closes #4590 -- ftp: Expression 'ftpc->wait_data_conn' is always false +- examples: add multi-poll.c - Fixes warning detected by PVS-Studio - Fixes #4374 - -- ftp: Expression 'ftpc->wait_data_conn' is always true + Show how curl_multi_poll() makes it even easier to use the multi + interface. - Fixes warning detected by PVS-Studio - Fixes #4374 + Closes #4596 -- ftp: part of conditional expression is always true: !result +- multi_poll: avoid busy-loop when called without easy handles attached - Fixes warning detected by PVS-Studio - Fixes #4374 + Fixes #4594 + Closes #4595 + Reported-by: 3dyd on github -- http: fix Expression 'http->postdata' is always false +- curl: fix -T globbing - Fixes warning detected by PVS-Studio - Fixes #4374 - Reported-by: Valerii Zapodovnikov - -- [Niall O'Reilly brought this change] - - doh: avoid truncating DNS QTYPE to lower octet + Regression from e59371a4936f8 (7.67.0) - Closes #4381 - -- [Jens Finkhaeuser brought this change] - - urlapi: CURLU_NO_AUTHORITY allows empty authority/host part + Added test 490, 491 and 492 to verify the functionality. - CURLU_NO_AUTHORITY is intended for use with unknown schemes (i.e. not - "file:///") to override cURL's default demand that an authority exists. 
+ Reported-by: Kamil Dudka + Reported-by: Anderson Sasaki - Closes #4349 - -- version: next release will be 7.67.0 + Fixes #4588 + Closes #4591 -- RELEASE-NOTES: synced +- HISTORY: added cmake, HTTP/3 and parallel downloads with curl -- url: only reuse TLS connections with matching pinning - - If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the - connection should not be reused. +- quiche: reject headers in the wrong order - Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html - Reported-by: Sebastian Haglund + Pseudo header MUST come before regular headers or cause an error. - Closes #4347 + Reported-by: Cynthia Coan + Fixes #4571 + Closes #4584 -- README: add OSS-Fuzz badge [skip ci] +- openssl: prevent recursive function calls from ctx callbacks - Closes #4380 - -Michael Kaufmann (18 Sep 2019) -- http: merge two "case" statements - -Daniel Stenberg (18 Sep 2019) -- [Zenju brought this change] - - FTP: remove trailing slash from path for LIST/MLSD + Follow the pattern of many other callbacks. - Closes #4348 + Ref: #4546 + Closes #4585 -- mime: when disabled, avoid C99 macro +- CURL-DISABLE: initial docs for the CURL_DISABLE_* defines - Closes #4368 - -- url: cleanup dangling DOH request headers too + The disable-scan script used in test 1165 is extended to also verify + that the docs cover all used defines and all defines offered by + configure. - Follow-up to 9bc44ff64d9081 + Reported-by: SLDiggie on github + Fixes #4545 + Closes #4587 + +- remove_handle: clear expire timers after multi_done() - Credit to OSS-Fuzz - Bug: https://crbug.com/oss-fuzz/17269 + Since 59041f0, a new timer might be set in multi_done() so the clearing + of the timers need to happen afterwards! - Closes #4372 - -- [Christoph M. 
Becker brought this change] + Reported-by: Max Kellermann + Fixes #4575 + Closes #4583 - http2: relax verification of :authority in push promise requests - - If the :authority pseudo header field doesn't contain an explicit port, - we assume it is valid for the default port, instead of rejecting the - request for all ports. +Marcel Raad (10 Nov 2019) +- test1558: use double slash after file: - Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html + Classic MinGW / MSYS 1 doesn't support `MSYS2_ARG_CONV_EXCL`, so this + test unnecessarily failed when using `file:/` instead of `file:///`. - Closes #4365 + Closes https://github.com/curl/curl/pull/4554 -- doh: clean up dangling DOH handles and memory on easy close +Daniel Stenberg (10 Nov 2019) +- pause: avoid updating socket if done was already called - If you set the same URL for target as for DoH (and it isn't a DoH - server), like "https://example.com" in both, the easy handles used for - the DoH requests could be left "dangling" and end up not getting freed. + ... avoids unnecesary recursive risk when the transfer is already done. - Reported-by: Paul Dreik - Closes #4366 + Reported-by: Richard Bowker + Fixes #4563 + Closes #4574 -- unit1655: make it C90 compliant +Jay Satiro (9 Nov 2019) +- strerror: Fix an error looking up some Windows error strings - Unclear why this was not detected in the CI. + - Use FORMAT_MESSAGE_IGNORE_INSERTS to ignore format specifiers in + Windows error strings. - Follow-up to b7666027296a - -- smb: check for full size message before reading message details + Since we are not in control of the error code we don't know what + information may be needed by the error string's format specifiers. - To avoid reading of uninitialized data. + Prior to this change Windows API error strings which contain specifiers + (think specifiers like similar to printf specifiers) would not be shown. 
+ The FormatMessage Windows API call which turns a Windows error code into + a string could fail and set error ERROR_INVALID_PARAMETER if that error + string contained a format specifier. FormatMessage expects a va_list for + the specifiers, unless inserts are ignored in which case no substitution + is attempted. - Assisted-by: Max Dymond - Bug: https://crbug.com/oss-fuzz/16907 - Closes #4363 + Ref: https://devblogs.microsoft.com/oldnewthing/20071128-00/?p=24353 -- quiche: persist connection details - - ... like we do for other protocols at connect time. This makes "curl -I" - and other things work. - - Reported-by: George Liu - Fixes #4358 - Closes #4360 +- [r-a-sattarov brought this change] -- openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version + system.h: fix for MCST lcc compiler - Follow-up to ffe34b7b59 - Closes #4359 - -- [Paul Dreik brought this change] - - doh: fix undefined behaviour and open up for gcc and clang optimization + Fixed build by MCST lcc compiler on MCST Elbrus 2000 architecture and do + some code cleanup. - The undefined behaviour is annoying when running fuzzing with - sanitizers. The codegen is the same, but the meaning is now not up for - dispute. See https://cppinsights.io/s/516a2ff4 + e2k (Elbrus 2000) - this is VLIW/EPIC architecture, like Intel Itanium + architecture. - By incrementing the pointer first, both gcc and clang recognize this as - a bswap and optimizes it to a single instruction. See - https://godbolt.org/z/994Zpx + Ref: https://en.wikipedia.org/wiki/Elbrus_2000 - Closes #4350 - -- [Paul Dreik brought this change] + Closes https://github.com/curl/curl/pull/4576 - doh: fix (harmless) buffer overrun - - Added unit test case 1655 to verify. - Close #4352 +Daniel Stenberg (8 Nov 2019) +- TODO: curl_multi_unblock - the code correctly finds the flaws in the old code, - if one temporarily restores doh.c to the old version. 
- -Alessandro Ghedini (15 Sep 2019) -- docs: remove trailing ':' from section names in CURLOPT_TRAILER* man - -- docs: fix typo in CURLOPT_HTTP_VERSION man - -GitHub (14 Sep 2019) -- [Daniel Stenberg brought this change] + Closes #4418 - CI: inintial github action job +- TODO: Run web-platform-tests url tests - First shot at a CI build on github actions + Closes #4477 -Daniel Stenberg (13 Sep 2019) -- appveyor: add a winbuild - - Assisted-by: Marcel Raad - Assisted-by: Jay Satiro +- TODO: 1.4 alt-svc sharing - Closes #4324 + Closes #4476 -- FTP: allow "rubbish" prepended to the SIZE response - - This is a protocol violation but apparently there are legacy proprietary - servers doing this. +- test1560: require IPv6 for IPv6 aware URL parsing - Added test 336 and 337 to verify. + The URL parser function can't reject a bad IPv6 address properly when + curl was built without IPv6 support. - Reported-by: Philippe Marguinaud - Closes #4339 - -- [Zenju brought this change] + Reported-by: Marcel Raad + Fixes #4556 + Closes #4572 - FTP: skip CWD to entry dir when target is absolute +- checksrc: repair the copyrightyear check - Closes #4332 - -Kamil Dudka (13 Sep 2019) -- curl: fix memory leaked by parse_metalink() + - Consider a modified file to be committed this year. - This commit fixes a regression introduced by curl-7_65_3-5-gb88940850. - Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind - and libmetalink enabled. + - Make the travis CHECKSRC also do COPYRIGHTYEAR scan in examples and + includes - Closes #4326 - -Daniel Stenberg (13 Sep 2019) -- parsedate: still provide the name arrays when disabled + - Ignore 0 parents when getting latest commit date of file. - If FILE or FTP are enabled, since they also use them! + since in the CI we're dealing with a truncated repo of last 50 commits, + the file's most recent commit may not be available. 
when this happens + git log and rev-list show the initial commit (ie first commit not to be + truncated) but that's incorrect so ignore it. - Reported-by: Roland Hieber - Fixes #4325 - Closes #4343 - -- [Gilles Vollant brought this change] - - curl:file2string: load large files much faster + Ref: https://github.com/curl/curl/pull/4547 - ... by using a more efficient realloc scheme. + Closes https://github.com/curl/curl/pull/4549 - Bug: https://curl.haxx.se/mail/lib-2019-09/0045.html - Closes #4336 + Co-authored-by: Jay Satiro -- openssl: close_notify on the FTP data connection doesn't mean closure - - For FTPS transfers, curl gets close_notify on the data connection - without that being a signal to close the control connection! +- copyrights: fix copyright year range - Regression since 3f5da4e59a556fc (7.65.0) + .. because checksrc's copyright year check stopped working. - Reported-by: Zenju on github - Reviewed-by: Jay Satiro - Fixes #4329 - Closes #4340 - -- [Jimmy Gaussen brought this change] - - docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag + Ref: https://github.com/curl/curl/pull/4547 - Closes #4338 + Closes https://github.com/curl/curl/pull/4549 - RELEASE-NOTES: synced -- curlver: bump to 7.66.1 +- curlver: bump to 7.67.1 -- [Zenju brought this change] +- mailmap: fixup Massimiliano Fantuzzi - setopt: make it easier to add new enum values - - ... by using the *_LAST define names better. 
+- scripts/contributors: make committers get included too - Closes #4321 + in addition to authors -- asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris +Jay Satiro (8 Nov 2019) +- [Massimiliano Fantuzzi brought this change] + + configure: fix typo in help text - Reported-by: Dagobert Michelsen - Fixes #4328 - Closes #4333 + Closes https://github.com/curl/curl/pull/4570 -- [Bernhard Walle brought this change] +Daniel Stenberg (7 Nov 2019) +- [Christian Schmitz brought this change] - winbuild/MakefileBuild.vc: Add vssh - - Without that modification, the Windows build using the makefiles doesn't - work. + ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set - Signed-off-by: Bernhard Walle + Closes #3704 + +Jay Satiro (6 Nov 2019) +- [Wyatt O'Day brought this change] + + build: fix for CURL_DISABLE_DOH - Fixes #4322 - Closes #4323 + Fixes https://github.com/curl/curl/issues/4565 + Closes https://github.com/curl/curl/pull/4566 -Bernhard Walle (11 Sep 2019) -- winbuild/MakefileBuild.vc: Fix line endings +- [Leonardo Taccari brought this change] + + configure: avoid unportable `==' test(1) operator - The file had mixed line endings. + Closes https://github.com/curl/curl/pull/4567 + +Version 7.67.0 (5 Nov 2019) + +Daniel Stenberg (5 Nov 2019) +- RELEASE-NOTES: synced - 
Signed-off-by: Bernhard Walle + The 7.67.0 release -Jay Satiro (11 Sep 2019) -- ldap: Stop using wide char version of ldapp_err2string +- THANKS: add new names from 7.67.0 + +- configure: only say ipv6 enabled when the variable is set - Despite ldapp_err2string being documented by MS as returning a - PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and - returns PWCHAR (wchar_t *). + Previously it could say "IPv6: enabled" at the end of the configure run + but the define wasn't set because of a missing getaddrinfo(). - We have lots of code that expects ldap_err2string to return char *, - most of it failf used like this: + Reported-by: Marcel Raad + Fixes #4555 + Closes #4560 + +Marcel Raad (2 Nov 2019) +- certs/Server-localhost-lastSAN-sv: regenerate with sha256 - failf(data, "LDAP local: Some error: %s", ldap_err2string(rc)); + All other certificates were regenerated in commit ba782baac30, but + this one was missed. + Fixes test3001 on modern systems. - Closes https://github.com/curl/curl/pull/4272 + Closes https://github.com/curl/curl/pull/4551 -Version 7.66.0 (10 Sep 2019) +Daniel Stenberg (2 Nov 2019) +- [Vilhelm Prytz brought this change] -Daniel Stenberg (10 Sep 2019) -- RELEASE-NOTES: curl 7.66.0 + copyrights: update all copyright notices to 2019 on files changed this year + + Closes #4547 -- THANKS: from the 7.66.0 release +- [Bastien Bouclet brought this change] -- curl: make sure the parallel transfers do them all - - The logic could erroneously break the loop too early before all - transfers had been transferred. + mbedtls: add error message for cert validity starting in the future - Reported-by: Tom van der Woerdt - Fixes #4316 - Closes #4317 + Closes #4552 -- urlapi: one colon is enough for the strspn() input (typo) +Jay Satiro (1 Nov 2019) +- schannel_verify: Fix concurrent openings of CA file + + - Open the CA file using FILE_SHARE_READ mode so that others can read + from it as well. 
+ + Prior to this change our schannel code opened the CA file without + sharing which meant concurrent openings (eg an attempt from another + thread or process) would fail during the time it was open without + sharing, which in curl's case would cause error: + "schannel: failed to open CA file". + + Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html + Reported-by: Richard Alcock -- urlapi: verify the IPv6 numerical address +Daniel Stenberg (31 Oct 2019) +- gtls: make gnutls_bye() not wait for response on shutdown - It needs to parse correctly. Otherwise it could be tricked into letting - through a-f using host names that libcurl would then resolve. Like - '[ab.be]'. + ... as it can make it wait there for a long time for no good purpose. - Reported-by: Thomas Vegas - Closes #4315 + Patched-by: Jay Satiro + Reported-by: Bylon2 on github + Adviced-by: Nikos Mavrogiannopoulos + + Fixes #4487 + Closes #4541 -- [Clément Notin brought this change] +- [Michał Janiszewski brought this change] - openssl: use SSL_CTX_set__proto_version() when available + appveyor: publish artifacts on appveyor - OpenSSL 1.1.0 adds SSL_CTX_set__proto_version() that we now use - when available. Existing code is preserved for older versions of - OpenSSL. + This allows obtaining upstream builds of curl directly from appveyor for + all the available configurations - Closes #4304 - -- [Clément Notin brought this change] + Closes #4509 - openssl: indent, re-organize and add comments +- url: make Curl_close() NULLify the pointer too + + This is the common pattern used in the code and by a unified approach we + avoid mistakes. 
+ + Closes #4534 -- [migueljcrum brought this change] +- [Trivikram Kamat brought this change] - sspi: fix memory leaks + INSTALL: add missing space for configure commands - Closes #4299 - -- travis: disable ngtcp2 builds (again) + Closes #4539 -- Curl_fillreadbuffer: avoid double-free trailer buf on error +- url: Curl_free_request_state() should also free doh handles - Reviewed-by: Jay Satiro - Reported-by: Thomas Vegas + ... or risk DoH memory leaks. - Closes #4307 + Reported-by: Paul Dreik + Fixes #4463 + Closes #4527 -- tool_setopt: handle a libcurl build without netrc support +- examples: remove the "this exact code has not been verified" - Reported-by: codesniffer13 on github - Fixes #4302 - Closes #4305 + ... as really confuses the reader to not know what to believe! -- security:read_data fix bad realloc() - - ... that could end up a double-free +- [Trivikram Kamat brought this change] + + HTTP3: fix typo somehere1 > somewhere1 - CVE-2019-5481 - Bug: https://curl.haxx.se/docs/CVE-2019-5481.html + Closes #4535 -- [Thomas Vegas brought this change] +Jay Satiro (28 Oct 2019) +- [Javier Blazquez brought this change] - tftp: Alloc maximum blksize, and use default unless OACK is received + HTTP3: fix invalid use of sendto for connected UDP socket - Fixes potential buffer overflow from 'recvfrom()', should the server - return an OACK without blksize. + On macOS/BSD, trying to call sendto on a connected UDP socket fails + with a EISCONN error. Because the singleipconnect has already called + connect on the socket when we're trying to use it for QUIC transfers + we need to use plain send instead. 
- Bug: https://curl.haxx.se/docs/CVE-2019-5482.html - CVE-2019-5482 - -- [Thomas Vegas brought this change] - - tftp: return error when packet is too small for options - -- KNOWN_BUGS/TODO: cleanup and remove outdated issues + Fixes #4529 + Closes https://github.com/curl/curl/pull/4533 +Daniel Stenberg (28 Oct 2019) - RELEASE-NOTES: synced -- netrc: free 'home' on error +- [Javier Blazquez brought this change] + + HTTP3: fix Windows build - Follow-up to f9c7ba9096ec2 + The ngtcp2 QUIC backend was using the MSG_DONTWAIT flag for send/recv + in order to perform nonblocking operations. On Windows this flag does + not exist. Instead, the socket must be set to nonblocking mode via + ioctlsocket. - Coverity CID 1453474 + This change sets the nonblocking flag on UDP sockets used for QUIC on + all platforms so the use of MSG_DONTWAIT is not needed. - Closes #4291 + Fixes #4531 + Closes #4532 -- urldata: avoid 'generic', use dedicated pointers +Marcel Raad (27 Oct 2019) +- appveyor: add --disable-proxy autotools build - For the 'proto' union within the connectdata struct. + This would have caught issue #3926. - Closes #4290 - -- cleanup: move functions out of url.c and make them static + Also make formatting more consistent. - Closes #4289 + Closes https://github.com/curl/curl/pull/4526 -- smtp: check for and bail out on too short EHLO response - - Otherwise, a three byte response would make the smtp_state_ehlo_resp() - function misbehave. +Daniel Stenberg (25 Oct 2019) +- appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017 - Credit to OSS-Fuzz - Bug: https://crbug.com/oss-fuzz/16918 + ... and invoke "curl -V" once done - Assisted-by: Max Dymond + Co-Authored-By: Jay Satiro - Closes #4287 + Closes #4523 -- smb: init *msg to NULL in smb_send_and_recv() - - ... it might otherwise return OK from this function leaving that pointer - uninitialized. 
- - Bug: https://crbug.com/oss-fuzz/16907 +- [Francois Rivard brought this change] + + schannel: reverse the order of certinfo insertions - Closes #4286 + Fixes #4518 + Closes #4519 -- ROADMAP: updated after recent user poll +Marcel Raad (24 Oct 2019) +- test1591: fix spelling of http feature - In rough prio order + The test never got run because the feature name is `http` in lowercase. + + Closes https://github.com/curl/curl/pull/4520 -- THANKS: remove duplicate +Daniel Stenberg (23 Oct 2019) +- [Michał Janiszewski brought this change] -- Curl_addr2string: take an addrlen argument too + appveyor: Use two parallel compilation on appveyor with CMake - This allows the function to figure out if a unix domain socket has a - file name or not associated with it! When a socket is created with - socketpair(), as done in the fuzzer testing, the path struct member is - uninitialized and must not be accessed. + Appveyor provides 2 CPUs for each builder[1], make sure to use parallel + compilation, when running with CMake. CMake learned this new option in + version 3.12[2] and the version provided by appveyor is fresh enough. - Bug: https://crbug.com/oss-fuzz/16699 + Curl doesn't really take that long to build and it is using the slowest + builder available, msbuild, so expect only a moderate improvement in + build times. - Closes #4283 - -- [Rolf Eike Beer brought this change] - - CMake: remove needless newlines at end of gss variables - -- [Rolf Eike Beer brought this change] - - CI: remove duplicate configure flag for LGTM.com - -- [Rolf Eike Beer brought this change] - - CMake: use platform dependent name for dlopen() library + [1] https://www.appveyor.com/docs/build-environment/ + [2] https://cmake.org/cmake/help/v3.12/release/3.12.html - Closes #4279 + Closes #4508 -- quiche: expire when poll returned data +- conn-reuse: requests wanting NTLM can reuse non-NTLM connections - ... to make sure we continue draining the queue until empty + Added test case 338 to verify. 
- Closes #4281 + Reported-by: Daniel Silverstone + Fixes #4499 + Closes #4514 -- quiche: decrease available buffer size, don't assign it! - - Found-by: Jeremy Lainé +Marcel Raad (23 Oct 2019) +- tests: add missing proxy features +Daniel Stenberg (22 Oct 2019) - RELEASE-NOTES: synced -- [Kyohei Kadota brought this change] - - curl: fix include conditions - -- [Kyohei Kadota brought this change] - - plan9: fix installation instructions +Marcel Raad (21 Oct 2019) +- tests: use %FILE_PWD for file:// URLs - Closes #4276 + This way, we always have exactly one slash after the host name, making + the tests pass when curl is compiled with the MSYS GCC. + + Closes https://github.com/curl/curl/pull/4512 -- ngtcp2: on h3 stream close, call expire +- tests: add `connect to non-listen` keywords - ... to trigger a new read to detect the stream close! + These tests try to connect to ports nothing is listening on. - Closes #4275 - -- [Tatsuhiro Tsujikawa brought this change] + Closes https://github.com/curl/curl/pull/4511 - ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl +- runtests: get textaware info from curl instead of perl - Closes #4278 - -- ngtcp2: set flow control window to stream buffer size + The MSYS system on Windows can run the test suite for curl built with + any toolset. When built with the MSYS GCC, curl uses Unix line endings, + while it uses Windows line endings when built with the MinGW GCC, and + `^O` reports 'msys' in both cases. Use the curl executable itself to + determine the line endings instead, which reports 'x86_64-pc-msys' when + built with the MSYS GCC. 
- Closes #4274 + Closes https://github.com/curl/curl/pull/4506 -- [Christopher Head brought this change] +Daniel Stenberg (20 Oct 2019) +- [Michał Janiszewski brought this change] - CURLOPT_HEADERFUNCTION.3: clarify + appveyor: Add MSVC ARM64 build - Closes #4273 + Closes #4507 -- CURLINFO docs: mention that in redirects times are added +- http2_recv: a closed stream trumps pause state - Suggested-by: Brandon Dong - Fixes #4250 - Closes #4269 - -- travis: enable ngtcp2 builds again - - Switched to the openssl-quic-draft-22 openssl branch. - - Closes #4271 - -- HTTP3: switched openssl branch to use - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl + ... and thus should return 0, not EAGAIN. - Closes #4270 + Reported-by: Tom van der Woerdt + Fixes #4496 + Closes #4505 -- http2: when marked for closure and wanted to close == OK +- http2: expire a timeout at end of stream - It could otherwise return an error even when closed correctly if GOAWAY - had been received previously. + To make sure that transfer is being dealt with. Streams without + Content-Length need a final read to notice the end-of-stream state. Reported-by: Tom van der Woerdt - Fixes #4267 - Closes #4268 - -- RELEASE-NOTES: synced + Fixes #4496 -- build-openssl: fix build with Visual Studio 2019 +Dan Fandrich (18 Oct 2019) +- travis: Add an ARM64 build - Reviewed-by: Marcel Raad - Contributed-by: osabc on github - Fixes #4188 - Closes #4266 + Test 323 is failing for some reason, so disable it there for now. -Kamil Dudka (26 Aug 2019) -- vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure - - This is a follow-up to https://github.com/curl/curl/pull/3864 . 
+Marcel Raad (18 Oct 2019) +- examples/sslbackend: fix -Wchar-subscripts warning - Closes #4224 - -Daniel Stenberg (26 Aug 2019) -- KNOWN_BUGS: USE_UNIX_SOCKETS on Windows + With the `isdigit` implementation that comes with MSYS2, the argument + is used as an array subscript, resulting in a -Wchar-subscripts + warning. `isdigit`'s behavior is undefined if the argument is negative + and not EOF [0]. As done in lib/curl_ctype.h, cast the `char` variable + to `unsigned char` to avoid that. - Closes #4040 - -- quiche: send the HTTP body correctly on callback uploads + [0] https://en.cppreference.com/w/c/string/byte/isdigit - Closes #4265 + Closes https://github.com/curl/curl/pull/4503 -- travis: disable ngtcp2 builds (temporarily) - - Just too many API changes right now +Daniel Stenberg (18 Oct 2019) +- configure: remove all cyassl references - Closes #4264 - -- ngtcp2: add support for SSLKEYLOGFILE + In particular, this removes the case where configure would find an old + cyall installation rather than a wolfssl one if present. The library is + named wolfssl in modern days so there's no real need to keep support for + the former. - Closes #4260 + Reported-by: Jacob Barthelmeh + Closes #4502 -- ngtcp2: improve h3 response receiving +Marcel Raad (17 Oct 2019) +- test1162: disable MSYS2's POSIX path conversion - Closes #4259 + This avoids MSYS2 converting the backslasb in the URL to a slash, + causing the test to fail. 
-- ngtcp2: use nghttp3_version() +Daniel Stenberg (17 Oct 2019) +- RELEASE-NOTES: synced -- ngtcp2: sync with upstream API changes +Jay Satiro (16 Oct 2019) +- CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time - Assisted-by: Tatsuhiro Tsujikawa - -- [Kyle Abramowitz brought this change] - - scp: fix directory name length used in memcpy + Prior to this change some users did not understand that the "request" + starts when the handle is added to the multi handle, or probably they + did not understand that some of those transfers may be queued and that + time is included in timeout. - Fix read off end of array due to bad pointer math in getworkingpath for - SCP home directory case. + Reported-by: Jeroen Ooms - Closes #4258 + Fixes https://github.com/curl/curl/issues/4486 + Closes https://github.com/curl/curl/pull/4489 -- http: the 'closed' struct field is used by both ngh2 and ngh3 - - and remove 'header_recvbuf', not used for anything +- [Stian Soiland-Reyes brought this change] + + tool_operate: Fix retry sleep time shown to user when Retry-After - Reported-by: Jeremy Lainé + - If server header Retry-After is being used for retry sleep time then + show that value to the user instead of the normal retry sleep time. - Closes #4257 - -- ngtcp2: accept upload via callback + This is a follow-up to 640b973 (7.66.0) which changed curl tool so that + the value from Retry-After header overrides other retry timing options. - Closes #4256 + Closes https://github.com/curl/curl/pull/4498 -- defines: avoid underscore-prefixed defines +Daniel Stenberg (16 Oct 2019) +- url: normalize CURLINFO_EFFECTIVE_URL - Double-underscored or underscore plus uppercase letter at least. + The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as + input in most cases, which made it not get a scheme prefixed like before + if the URL was given without one, and it didn't remove dotdot sequences + etc. - ... as they're claimed to be reserved. 
+ Added test case 1907 to verify that this now works as intended and as + before 7.62.0. - Reported-by: patnyb on github + Regression introduced in 7.62.0 - Fixes #4254 - Closes #4255 + Reported-by: Christophe Dervieux + Fixes #4491 + Closes #4493 -- travis: add a build using ngtcp2 + nghttp3 (and a patched OpenSSL) - - Runs no tests +Marcel Raad (16 Oct 2019) +- tests: line ending fixes for Windows - Closes #4253 - -- travis: bump to using nghttp2 version 1.39.2 + Mark some files as text. - Closes #4252 - -- [Gisle Vanem brought this change] + Closes https://github.com/curl/curl/pull/4490 - docs/examples/curlx: fix errors +- tests: use proxy feature - Initialise 'mimetype' and require the -p12 arg. + This makes the tests succeed when using --disable-proxy. - Closes #4248 + Closes https://github.com/curl/curl/pull/4488 -- cleanup: remove DOT_CHAR completely +- smbserver: fix Python 3 compatibility - Follow-up to f9c7ba9096ec + Python 2's `ConfigParser` module is spelled `configparser` in Python 3. - The use of DOT_CHAR for ".ssh" was probably a mistake and is removed - now. + Closes https://github.com/curl/curl/pull/4484 + +- security: silence conversion warning - Pointed-out-by: Gisle Vanem - Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638 + With MinGW-w64, `curl_socket_t` is is a 32 or 64 bit unsigned integer, + while `read` expects a 32 bit signed integer. + Use `sread` instead of `read` to use the correct parameter type. - Closes #4247 + Closes https://github.com/curl/curl/pull/4483 -- spnego_sspi: add typecast to fix build warning +- connect: silence sign-compare warning - Reported in build "Win32 target on Debian Stretch (64-bit) - - i686-w64-mingw32 - gcc-20170516" + With MinGW-w64 using WinSock, `curl_socklen_t` is signed, while the + result of `sizeof` is unsigned. 
- Closes #4245 + Closes https://github.com/curl/curl/pull/4483 -- openssl: build warning free with boringssl +Daniel Stenberg (13 Oct 2019) +- TODO: Handle growing SFTP files - Closes #4244 + Closes #4344 -- curl: make --libcurl use CURL_HTTP_VERSION_3 +- KNOWN_BUGS: remove "CURLFORM_CONTENTLEN in an array" - Closes #4243 + The curl_formadd() function is deprecated and shouldn't be used so the + real fix for applications is to switch to the curl_mime_* API. -- ngtcp2: make postfields-set posts work +- KNOWN_BUGS: "LDAP on Windows does authentication wrong" - Closes #4242 + Closes #3116 -- http: remove chunked-encoding and expect header use for HTTP/3 +- appveyor: add a winbuild that uses VS2017 + + Closes #4482 -- [Alessandro Ghedini brought this change] +- [Harry Sintonen brought this change] - configure: use pkg-config to detect quiche + socketpair: fix include and define for older TCP header systems - This removes the need to hard-code the quiche target path in - configure.ac. + fixed build for systems that need netinet/in.h for IPPROTO_TCP and are + missing INADDR_LOOPBACK - This depends on https://github.com/cloudflare/quiche/pull/128 + Closes #4480 + +- socketpair: fix double-close in error case - Closes #4237 + Follow-up to bc2dbef0afc08 -- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 +- gskit: use the generic Curl_socketpair + +- asyn-thread: make use of Curl_socketpair() where available + +- socketpair: an implemention for Windows and more - For a long time (since 7.28.1) we've returned error when setting the - value to 1 to make applications notice that we stopped supported the old - behavior for 1. Starting now, we treat 1 and 2 exactly the same. + Curl_socketpair() is designed to be used and work everywhere if there's + no native version or the native version isn't good enough. 
- Closes #4241 + Closes #4466 -- curl: use .curlrc (with a dot) on Windows as well +- RELEASE-NOTES: synced + +- connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT - Fall-back to _curlrc if the dot-version is missing. + Previosly all connect() failures would return CURLE_COULDNT_CONNECT, no + matter what errno said. - Co-Authored-By: Steve Holme + This makes for example --retry work on these transfer failures. - Closes #4230 + Reported-by: Nathaniel J. Smith + Fixes #4461 + Clsoes #4462 -- netrc: make the code try ".netrc" on Windows as well - - ... but fall back and try "_netrc" too if the dot version didn't work. - - Co-Authored-By: Steve Holme +- cirrus: switch off blackhole status on the freebsd CI machines -- ngtcp2: use ngtcp2_version() to get the run-time version - - ... which of course doesn't have to be the same used at build-time. +- tests: use port 2 instead of 60000 for a safer non-listening port - Function just recently merged in ngtcp2. + ... when the tests want "connection refused". -- ngtcp2: move the h3 initing to immediately after the rx key - - To fix a segfault and to better deal with 0-RTT +- KNOWN_BUGS: IDN tests failing on Windows - Assisted-by: Tatsuhiro Tsujikawa - -- [Alessandro Ghedini brought this change] + Closes #3747 - quiche: register debug callback once and earlier +Dan Fandrich (9 Oct 2019) +- cirrus: Increase the git clone depth. - The quiche debug callback is global and can only be initialized once, so - make sure we don't do it multiple times (e.g. if multiple requests are - executed). + If more commits are submitted to master between the time of triggering + the first Cirrus build and the time the final build gets started, the + desired commit is no longer at HEAD and the build will error out. 
+ [skip ci] + +Daniel Stenberg (9 Oct 2019) +- docs: make sure the --no-progress-meter docs file is in dist too + +- docs: document it as --no-progress-meter instead of the reverse - In addition this initializes the callback before the connection is - created, so we get logs for the handshake as well. + Follow-up to 93373a960c3bb4 - Closes #4236 + Reported-by: infinnovation-dev on github + Fixes #4474 + Closes #4475 -- ssh: add a generic Curl_ssh_version function for SSH backends +Dan Fandrich (9 Oct 2019) +- cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build. - Closes #4235 - -- base64: check for SSH, not specific SSH backends - -- vssh: move ssh init/cleanup functions into backend code - -- vssh: create directory for SSH backend code + Also, select the images using image_family to get the latest snapshots + automatically. + [skip ci] -- TODO/ROADMAP: remove "refuse downgrade redirects" and HTTP/3 +Daniel Stenberg (8 Oct 2019) +- curl: --no-progress-meter - HTTP3 is now already in full progress + New option that allows a user to ONLY switch off curl's progress meter + and leave everything else in "talkative" mode. - Downgrade redirects can be achived almost exactly like that by setting - CURLOPT_REDIR_PROTOCOLS. - -- RELEASE-NOTES: synced + Reported-by: Piotr Komborski + Fixes #4422 + Closes #4470 -- travis: add a quiche build +- TODO: Consult %APPDATA% also for .netrc - Closes #4207 + Closes #4016 -- http: fix use of credentials from URL when using HTTP proxy - - When a username and password are provided in the URL, they were wrongly - removed from the stored URL so that subsequent uses of the same URL - wouldn't find the crendentials. This made doing HTTP auth with multiple - connections (like Digest) mishave. +- CURLOPT_TIMEOUT.3: remove the mention of "minutes" - Regression from 46e164069d1a5230 (7.62.0) + ... just say that limiting operations risk aborting otherwise fine + working transfers. 
If that means seconds, minutes or hours, we leave to + the user. - Test case 335 added to verify. + Reported-by: Martin Gartner + Closes #4469 + +- [Andrei Valeriu BICA brought this change] + + docs: added multi-event.c example - Reported-by: Mike Crowe + Similar to multi-uv.c but using libevent 2. This is a simpler libevent + integration example then hiperfifo.c. - Fixes #4228 - Closes #4229 + Closes #4471 -- [Mike Crowe brought this change] +Jay Satiro (5 Oct 2019) +- [Nicolas brought this change] - tests: Replace outdated test case numbering documentation + ldap: fix OOM error on missing query string - Tests are no longer grouped by numeric range[1]. Let's stop saying that - and provide some alternative advice for numbering tests. + - Allow missing queries, don't return NO_MEMORY error in such a case. - [1] https://curl.haxx.se/mail/lib-2019-08/0043.html + It is acceptable for there to be no specified query string, for example: - Closes #4227 - -- travis: reduce number of torture tests in 'coverage' + curl ldap://ldap.forumsys.com - ... to make it complete in time. This cut seems not almost not affect - the coverage percentage and yet completes within 35 minutes on travis - where the previous runs recently always timed out after 50. + A regression bug in 1b443a7 caused this issue. - Closes #4223 - -- [Igor Makarov brought this change] - - configure: use -lquiche to link to quiche + This is a partial fix for #4261. - Closes #4226 - -- ngtcp2: provide the callbacks as a static struct + Bug: https://github.com/curl/curl/issues/4261#issuecomment-525543077 + Reported-by: Jojojov@users.noreply.github.com + Analyzed-by: Samuel Surtees - ... instead of having them in quicsocket + Closes https://github.com/curl/curl/pull/4467 -- [Tatsuhiro Tsujikawa brought this change] +- [Paul B. 
Omta brought this change] - ngtcp2: add missing nghttp3_conn_add_write_offset call + build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines - Closes #4225 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: deal with stream close - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Consume QUIC STREAM data properly + Closes https://github.com/curl/curl/pull/4460 -- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (5 Oct 2019) +- RELEASE-NOTES: synced - ngtcp2: don't reinitialize SSL on Retry +- [Stian Soiland-Reyes brought this change] -- multi: getsock improvements for QUIC connecting + curl: ensure HTTP 429 triggers --retry + + This completes #3794. + + Also make sure the new tests from #4195 are enabled + + Closes #4465 -- connect: connections are persistent by default for HTTP/3 +Marcel Raad (4 Oct 2019) +- [apique brought this change] -- quiche: happy eyeballs + winbuild: add ENABLE_UNICODE option - Closes #4220 - -- ngtcp2: do QUIC connections happy-eyeballs friendly + Fixes https://github.com/curl/curl/issues/4308 + Closes https://github.com/curl/curl/pull/4309 -- curl_version: bump string buffer size to 250 +Daniel Stenberg (4 Oct 2019) +- ngtcp2: adapt to API change - With HTTP/3 libs and plenty TLS libs, I manged to hit the limit (which - causes a truncated output). + Closes #4457 -- CURLOPT_ALTSVC.3: use a "" file name to not load from a file +- cookies: change argument type for Curl_flush_cookies + + The second argument is really a 'bool' so use that and pass in TRUE/FALSE + to make it clear. + + Closes #4455 -Jay Satiro (14 Aug 2019) -- vauth: Use CURLE_AUTH_ERROR for auth function errors +- http2: move state-init from creation to pre-transfer - - Add new error code CURLE_AUTH_ERROR. + To make sure that the HTTP/2 state is initialized correctly for + duplicated handles. It would otherwise easily generate "spurious" + PRIORITY frames to get sent over HTTP/2 connections when duplicated easy + handles were used. 
- Prior to this change auth function errors were signaled by - CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was - technically correct. + Reported-by: Daniel Silverstone + Fixes #4303 + Closes #4442 + +- urlapi: fix use-after-free bug - Ref: https://github.com/curl/curl/pull/3848 + Follow-up from 2c20109a9b5d04 - Co-authored-by: Dominik Hölzl + Added test 663 to verify. - Closes https://github.com/curl/curl/pull/3864 + Reported by OSS-Fuzz + Bug: https://crbug.com/oss-fuzz/17954 + + Closes #4453 -Daniel Stenberg (13 Aug 2019) -- curl_version_info: make the quic_version a const +- [Paul Dreik brought this change] + + cookie: avoid harmless use after free - Follow-up from 1a2df1518ad8653f + This fix removes a use after free which can be triggered by + the internal cookie fuzzer, but otherwise is probably + impossible to trigger from an ordinary application. - Closes #4222 - -- examples: add http3.c, altsvc.c and http3-present.c + The following program reproduces it: - Closes #4221 - -Peter Wu (13 Aug 2019) -- nss: use TLSv1.3 as default if supported + curl_global_init(CURL_GLOBAL_DEFAULT); + CURL* handle=curl_easy_init(); + CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false); + curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null"); + Curl_flush_cookies(handle, true); + Curl_cookie_cleanup(info); + curl_easy_cleanup(handle); + curl_global_cleanup(); - SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported - range in NSS 3.45. It looks like the intention is to raise the minimum - version rather than lowering the maximum, so adjust accordingly. Note - that the caller (nss_setup_connect) initializes the version range to - (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again. + This was found through fuzzing. 
- Closes #4187 - Reviewed-by: Daniel Stenberg - Reviewed-by: Kamil Dudka + Closes #4454 -Daniel Stenberg (13 Aug 2019) -- quic.h: remove unused proto +- [Denis Chaplygin brought this change] -- curl_version_info.3: mentioned ALTSVC and HTTP3 + docs: add note on failed handles not being counted by curl_multi_perform - ... and sorted the list alphabetically - -- lib/quic.c: unused - removed + Closes #4446 -- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED - - Follow-up to 98c3f148 that removed it from the header file +- CURLMOPT_MAX_CONCURRENT_STREAMS.3: fix SEE ALSO typo -- [Junho Choi brought this change] +- [Niall O'Reilly brought this change] - docs/HTTP3: simplify quiche build instruction - - Use --recursive to get boringssl in one line + ESNI: initial build/setup - Closes #4219 + Closes #4011 -- altsvc: make it use h3-22 with ngtcp2 as well +- RELEASE-NOTES: synced -- ngtcp2: initial h3 request work +- redirect: when following redirects to an absolute URL, URL encode it - Closes #4217 - -- curl_version_info: offer quic (and h3) library info + ... to make it handle for example (RFC violating) embeded spaces. - Closes #4216 + Reported-by: momala454 on github + Fixes #4445 + Closes #4447 -- HTTP3: use ngtcp2's draft-22 branch +- urlapi: fix URL encoding when setting a full URL -- RELEASE-NOTES: synced +- tool_operate: rename functions to make more sense -- CURLOPT_READFUNCTION.3: provide inline example +- curl: create easy handles on-demand and not ahead of time - ... instead of mentioning one in another place - -- [Tatsuhiro Tsujikawa brought this change] + This should again enable crazy-large download ranges of the style + [1-10000000] that otherwise easily ran out of memory starting in 7.66.0 + when this new handle allocating scheme was introduced. 
+ + Reported-by: Peter Sumatra + Fixes #4393 + Closes #4438 - ngtcp2: send HTTP/3 request with nghttp3 +- [Kunal Ekawde brought this change] + + CURLMOPT_MAX_CONCURRENT_STREAMS: new setopt - This commit makes sending HTTP/3 request with nghttp3 work. It - minimally receives HTTP response and calls nghttp3 callbacks, but no - processing is made at the moment. + Closes #4410 + +- chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error - Closes #4215 + Unknown content-encoding would get returned as CURLE_WRITE_ERROR if the + response is chunked-encoded. + + Reported-by: Ilya Kosarev + Fixes #4310 + Closes #4449 -- nghttp3: initial h3 template code added +Marcel Raad (1 Oct 2019) +- checksrc: fix uninitialized variable warning + + The loop doesn't need to be executed without a file argument. + + Closes https://github.com/curl/curl/pull/4444 -- nghttp3: required when ngtcp2 is used for QUIC +- urlapi: fix unused variable warning - - checked for by configure - - updated docs/HTTP3.md - - shown in the version string + `dest` is only used with `ENABLE_IPV6`. - Closes #4210 + Closes https://github.com/curl/curl/pull/4444 -- [Eric Wong brought this change] +- lib: silence conversion warnings + + Closes https://github.com/curl/curl/pull/4444 - asyn-thread: issue CURL_POLL_REMOVE before closing socket +- AppVeyor: add 32-bit MinGW-w64 build - This avoids EBADF errors from EPOLL_CTL_DEL operations in the - ephiperfifo.c example. EBADF is dangerous in multi-threaded - applications where I rely on epoll_ctl to operate on the same - epoll description from different threads. + With WinSSL and testing enabled so that it would have detected most of + the warnings fixed in [0] and [1]. 
- Follow-up to eb9a604f8d7db8 + [0] https://github.com/curl/curl/pull/4398 + [1] https://github.com/curl/curl/pull/4415 - Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html - Closes #4211 - -- [Carlo Marcelo Arenas Belón brought this change] + Closes https://github.com/curl/curl/pull/4433 - configure: avoid undefined check_for_ca_bundle +- AppVeyor: remove MSYS2_ARG_CONV_EXCL for winbuild - instead of using a "greater than 0" test, check for variable being - set, as it is always set to 1, and could be left unset if non of - OPENSSL MBEDTLS GNUTLS WOLFSSL is being configured for. + It's only used for MSYS2 with MinGW. - Closes #4213 + Closes -- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (30 Sep 2019) +- [Emil Engler brought this change] - ngtcp2: Send ALPN h3-22 + git: add tests/server/disabled to .gitignore - Closes #4212 + Closes #4441 -- [Tatsuhiro Tsujikawa brought this change] +- altsvc: accept quoted ma and persist values + + As mandated by the spec. Test 1654 is extended to verify. + + Closes #4443 - ngtcp2: use ngtcp2_settings_default and specify initial_ts +- mailmap: a Lucas fix -- curl_global_init_mem.3: mention it was added in 7.12.0 +Alessandro Ghedini (29 Sep 2019) +- [Lucas Pardue brought this change] -- [Tatsuhiro Tsujikawa brought this change] + quiche: update HTTP/3 config creation to new API - ngtcp2: make the QUIC handshake work - - Closes #4209 +Daniel Stenberg (29 Sep 2019) +- BINDINGS: PureBasic, Net::Curl for perl and Nim -- [Alex Mayorga brought this change] +- BINDINGS: Kapito is an Erlang library, basically a binding - HTTP3.md: Update quiche build instructions - - Added cloning for quiche and BoringSSL and modified the build - instructions so they work on a clean folder. +- BINDINGS: added clj-curl - Closes #4208 + Reported-by: Lucas Severo -- CURLOPT_H3: removed - - There's no use for this anymore and it was never in a release. 
- - Closes #4206 +- [Jay Satiro brought this change] -- http3: make connection reuse work + docs: disambiguate CURLUPART_HOST is for host name (ie no port) - Closes #4204 - -- quiche: add SSLKEYLOGFILE support + Closes #4424 -- cleanup: s/curl_debug/curl_dbg_debug in comments and docs +- cookies: using a share with cookies shouldn't enable the cookie engine - Leftovers from the function rename back in 76b63489495 + The 'share object' only sets the storage area for cookies. The "cookie + engine" still needs to be enabled or activated using the normal cookie + options. - Reported-by: Gisle Vanem - Bug: https://github.com/curl/curl/commit/f3e0f071b14fcb46a453f69bdf4e062bcaacf362#com - mitcomment-34601751 + This caused the curl command line tool to accidentally use cookies + without having been told to, since curl switched to using shared cookies + in 7.66.0. - Closes #4203 + Test 1166 verifies + + Updated test 506 + + Fixes #4429 + Closes #4434 + +- setopt: handle ALTSVC set to NULL - RELEASE-NOTES: synced -- alt-svc: add protocol version selection masking - - So that users can mask in/out specific HTTP versions when Alt-Svc is - used. - - - Removed "h2c" and updated test case accordingly - - Changed how the altsvc struct is laid out - - Added ifdefs to make the unittest run even in a quiche-tree - - Closes #4201 +- [grdowns brought this change] -- http3: fix the HTTP/3 in the request, make alt-svc set right versions + INSTALL: add vcpkg installation instructions - Closes #4200 + Closes #4435 -- alt-svc: send Alt-Used: in redirected requests - - RFC 7838 section 5: - - When using an alternative service, clients SHOULD include an Alt-Used - header field in all requests. - - Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus - this is deemed ok). - - You can disable sending this header just like you disable any other HTTP - header in libcurl. 
- - Closes #4199 +- [Zenju brought this change] -- CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly - - Even though it cannot fall-back to a lower HTTP version automatically. The - safer way to upgrade remains via CURLOPT_ALTSVC. - - CURLOPT_H3 no longer has any bits that do anything and might be removed - before we remove the experimental label. + FTP: add test for FTPFILE_NOCWD: Avoid redundant CWDs - Updated the curl tool accordingly to use "--http3". + Add libtest 661 - Closes #4197 + Closes #4417 -- docs/ALTSVC: remove what works and the experimental explanation - - Also, put the TODO items at the bottom. - - Closes #4198 +- [Zenju brought this change] -- docs/EXPERIMENTAL: explain what it means and what's experimental now + FTP: url-decode path before evaluation + + Closes #4428 -- curl: make use of CURLINFO_RETRY_AFTER when retrying +Marcel Raad (27 Sep 2019) +- tests: fix narrowing conversion warnings - If a Retry-After: header was used in the response, that value overrides - other retry timing options. + `timediff_t` is 64 bits wide also on 32-bit systems since + commit b1616dad8f0. - Fixes #3794 - Closes #4195 + Closes https://github.com/curl/curl/pull/4415 -- curl: use CURLINFO_PROTOCOL to check for HTTP(s) - - ... instead of CURLINFO_EFFECTIVE_URL to avoid string operations. +Jay Satiro (27 Sep 2019) +- [julian brought this change] -- CURLINFO_RETRY_AFTER: parse the Retry-After header value - - This is only the libcurl part that provides the information. There's no - user of the parsed value. This change includes three new tests for the - parser. 
+ vtls: Fix comment typo about macosx-version-min compiler flag - Ref: #3794 + Closes https://github.com/curl/curl/pull/4425 -- docs/ALTSVC.md: first basic file format description +Daniel Stenberg (26 Sep 2019) +- [Yechiel Kalmenson brought this change] -- curl: have -w's 'http_version' show '3' for HTTP/3 + README: minor grammar fix - Closes #4196 + Closes #4431 -- curl.h: add CURL_HTTP_VERSION_3 to the version enum +- [Spezifant brought this change] + + HTTP3: fix prefix parameter for ngtcp2 build - It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with - CURLINFO_HTTP_VERSION. + Closes #4430 -- quiche: make use of the connection timeout API properly +- quiche: don't close connection at end of stream! -- quiche: make POSTFIELDS posts work +- quiche: set 'drain' when returning without having drained the queues -- quiche: improved error handling and memory cleanups +- Revert "FTP: url-decode path before evaluation" + + This reverts commit 2f036a72d543e96128bd75cb0fedd88815fd42e2. -- quiche: flush egress in h3_stream_recv() too +- HTTP3: merged and simplified the two 'running' sections -- RELEASE-NOTES: synced +- HTTP3: show an --alt-svc using example too -Jay Satiro (6 Aug 2019) -- [Patrick Monnerat brought this change] +- [Zenju brought this change] - os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). + FTP: url-decode path before evaluation - Ref: https://github.com/curl/curl/issues/3653 - Ref: https://github.com/curl/curl/pull/3790 + Closes #4423 + +- openssl: use strerror on SSL_ERROR_SYSCALL - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. + Instead of showing the somewhat nonsensical errno number, use strerror() + to provide a more relatable error message. 
- Closes https://github.com/curl/curl/pull/4186 + Closes #4411 -- tests: Fix the line endings for the SASL alt-auth tests +- HTTP3: update quic.aiortc.org + add link to server list - - Change data and protocol sections to CRLF line endings. + Reported-by: Jeremy Lainé + +Jay Satiro (26 Sep 2019) +- url: don't set appconnect time for non-ssl/non-ssh connections - Prior to this change the tests would fail or hang, which is because - certain sections such as protocol require CRLF line endings. + Prior to this change non-ssl/non-ssh connections that were reused set + TIMER_APPCONNECT [1]. Arguably that was incorrect since no SSL/SSH + handshake took place. - Follow-up to grandparent commit which added the tests. + [1]: TIMER_APPCONNECT is publicly known as CURLINFO_APPCONNECT_TIME in + libcurl and %{time_appconnect} in the curl tool. It is documented as + "the time until the SSL/SSH handshake is completed". - Ref: https://github.com/curl/curl/issues/3653 - Ref: https://github.com/curl/curl/pull/3790 + Reported-by: Marcel Hernandez - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. + Ref: https://github.com/curl/curl/issues/3760 - Closes https://github.com/curl/curl/pull/4186 - -- [Steve Holme brought this change] + Closes https://github.com/curl/curl/pull/3773 - examples: Added SASL PLAIN authorisation identity (authzid) examples - - Ref: https://github.com/curl/curl/issues/3653 - Ref: https://github.com/curl/curl/pull/3790 +Daniel Stenberg (25 Sep 2019) +- ngtcp2: remove fprintf() calls - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. 
+ - convert some of them to H3BUF() calls to infof() + - remove some of them completely + - made DEBUG_HTTP3 defined only if CURLDEBUG is set for now - Closes https://github.com/curl/curl/pull/4186 + Closes #4421 -- [Steve Holme brought this change] +- [Jay Satiro brought this change] - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool - - Ref: https://github.com/curl/curl/issues/3653 - Ref: https://github.com/curl/curl/pull/3790 - - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. + url: fix the NULL hostname compiler warning case - Closes https://github.com/curl/curl/pull/4186 + Closes #4403 -- [Steve Holme brought this change] +- [Jay Satiro brought this change] - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID - - Added the ability for the calling program to specify the authorisation - identity (authzid), the identity to act as, in addition to the - authentication identity (authcid) and password when using SASL PLAIN - authentication. - - Fixes #3653 - Closes #3790 - - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. + travis: move the go install to linux-only - Closes https://github.com/curl/curl/pull/4186 - -Daniel Stenberg (6 Aug 2019) -- docs/HTTP3: refreshed as it is now in master and HTTP/3 can be tested + ... 
to repair the build again + Closes #4403 -- [Yiming Jing brought this change] +- altsvc: correct the #ifdef for the ngtcp2 backend - mesalink: implement client authentication +- altsvc: save h3 as h3-23 - Closes #4184 + Follow-up to d176a2c7e5 -- curl_multi_poll: a sister to curl_multi_wait() that waits more +- urlapi: question mark within fragment is still fragment - Repeatedly we see problems where using curl_multi_wait() is difficult or - just awkward because if it has no file descriptor to wait for - internally, it returns immediately and leaves it to the caller to wait - for a small amount of time in order to avoid occasional busy-looping. + The parser would check for a query part before fragment, which caused it + to do wrong when the fragment contains a question mark. - This is often missed or misunderstood, leading to underperforming - applications. + Extended test 1560 to verify. - This change introduces curl_multi_poll() as a replacement drop-in - function that accepts the exact same set of arguments. This function - works identically to curl_multi_wait() - EXCEPT - for the case when - there's nothing to wait for internally, as then this function will by - itself wait for a "suitable" short time before it returns. This - effectiely avoids all risks of busy-looping and should also make it less - likely that apps "over-wait". + Reported-by: Alex Konev + Fixes #4412 + Closes #4413 + +- [Alex Samorukov brought this change] + + HTTP3.md: move -p for mkdir, remove -j for make - This also changes the curl tool to use this funtion internally when - doing parallel transfers and changes curl_easy_perform() to use it - internally. + - mkdir on OSX/Darwin requires `-p` argument before dir - Closes #4163 - -- quiche:h3_stream_recv return 0 at end of stream + - portabbly figuring out number of cores is an exercise for somewhere + else - ... and remove some verbose messages we don't need. Made transfers from - facebook.com work better. 
+ Closes #4407 -- altsvc: make quiche use h3-22 now +Patrick Monnerat (24 Sep 2019) +- os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr, + + As libcurl now uses these 2 system functions, wrappers are needed on os400 + to convert returned AF_UNIX sockaddrs to ascii. + + This is a follow-up to commit 7fb54ef. + See also #4037. + Closes #4214 -- quiche: show the actual version number +Jay Satiro (24 Sep 2019) +- [Lucas Pardue brought this change] -- quiche: first working HTTP/3 request + strcase: fix raw lowercasing the letter X - - enable debug log - - fix use of quiche API - - use download buffer - - separate header/body + Casing mistake in Curl_raw_tolower 'X' wasn't lowercased as 'x' prior to + this change. - Closes #4193 - -- http09: disable HTTP/0.9 by default in both tool and library + Follow-up to 0023fce which added the function several days ago. - As the plan has been laid out in DEPRECATED. Update docs accordingly and - verify in test 1174. Now requires the option to be set to allow HTTP/0.9 - responses. 
+ Ref: https://github.com/curl/curl/pull/4401#discussion_r327396546 - Closes #4191 - -- quiche: initial h3 request send/receive - -- lib/Makefile.am: make checksrc run in vquic too + Closes https://github.com/curl/curl/pull/4408 -- altsvc: fix removal of expired cache entry +Daniel Stenberg (23 Sep 2019) +- http2: Expression 'stream->stream_id != - 1' is always true - Closes #4192 - -- RELEASE-NOTES: synced + PVS-Studio warning + Fixes #4402 -Steve Holme (4 Aug 2019) -- md4: Use our own MD4 implementation when no crypto libraries are available +- http2: A value is being subtracted from the unsigned variable - Closes #3780 - -- md4: No need to include Curl_md4.h for each TLS library + PVS-Studio warning + Fixes #4402 -- md4: No need for the NTLM code to call Curl_md4it() for each TLS library +- libssh: part of conditional expression is always true: !result - As the NTLM code no longer calls any of TLS libraries' specific MD4 - functions, there is no need to call this function for each #ifdef. 
- -- md4: Move the mbed TLS MD4 implementation out of the NTLM code + PVS-Studio warning + Fixed #4402 -- md4: Move the WinCrypt implementation out of the NTLM code +- libssh: part of conditional expression is always true + + PVS-Studio warning + Fixes #4402 -- md4: Move the SecureTransport implementation out of the NTLM code +- libssh: The expression is excessive or contains a misprint + + PVS-Studio warning + Fixes #4402 -- md4: Use the Curl_md4it() function for OpenSSL based NTLM +- quiche: The expression must be surrounded by parentheses + + PVS-Studio warning + Fixes #4402 -- md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code +- vauth: The parameter 'status' must be surrounded by parentheses + + PVS-Studio warning + Fixes #4402 -- md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code +- [Paul Dreik brought this change] -Jay Satiro (4 Aug 2019) -- OS400: Add CURLOPT_H3 symbols + doh: allow only http and https in debug mode - Follow-up to 3af0e76 which added experimental H3 support. + Otherwise curl may be told to use for instance pop3 to + communicate with the doh server, which most likely + is not what you want. - Closes https://github.com/curl/curl/pull/4185 + Found through fuzzing. + + Closes #4406 -Daniel Stenberg (3 Aug 2019) -- url: make use of new HTTP version if alt-svc has one +- [Paul Dreik brought this change] -- url: set conn->transport to default TCP at init time + doh: return early if there is no time left + + Closes #4406 -- altsvc: with quiche, use the quiche h3 alpn string +- [Barry Pollard brought this change] + + http: lowercase headernames for HTTP/2 and HTTP/3 - Closes #4183 + Closes #4401 + Fixes #4400 -- alt-svc: more liberal ALPN name parsing +Marcel Raad (23 Sep 2019) +- vtls: fix narrowing conversion warnings - Allow pretty much anything to be part of the ALPN identifier. In - particular minus, which is used for "h3-20" (in-progress HTTP/3 - versions) etc. 
+ Curl_timeleft returns `timediff_t`, which is 64 bits wide also on + 32-bit systems since commit b1616dad8f0. - Updated test 356. - Closes #4182 + Closes https://github.com/curl/curl/pull/4398 -- quiche: use the proper HTTP/3 ALPN +Daniel Stenberg (23 Sep 2019) +- [Joel Depooter brought this change] -- quiche: add failf() calls for two error cases + winbuild: Add manifest to curl.exe for proper OS version detection - To aid debugging + This is a small fix to commit ebd213270a017a6830928ee2e1f4a9cabc799898 + in pull request #1221. That commit added the CURL_EMBED_MANIFEST flag to + CURL_RC_FLAGS. However, later in the file CURL_RC_FLAGS is + overwritten. The fix is to append values to CURL_RC_FLAGS instead of + overwriting - Closes #4181 + Closes #4399 -- mailmap: added Kyohei Kadota +- RELEASE-NOTES: synced -Kamil Dudka (1 Aug 2019) -- http_negotiate: improve handling of gss_init_sec_context() failures - - If HTTPAUTH_GSSNEGOTIATE was used for a POST request and - gss_init_sec_context() failed, the POST request was sent - with empty body. This commit also restores the original - behavior of `curl --fail --negotiate`, which was changed - by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59. +Marcel Raad (22 Sep 2019) +- openssl: fix compiler warning with LibreSSL - Add regression tests 2077 and 2078 to cover this. + It was already fixed for BoringSSL in commit a0f8fccb1e0. + LibreSSL has had the second argument to SSL_CTX_set_min_proto_version + as uint16_t ever since the function was added in [0]. 
- Fixes #3992 - Closes #4171 - -Daniel Stenberg (1 Aug 2019) -- mailmap: added 4 more names + [0] https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda - Evgeny Grin, Peter Pih, Anton Malov and Marquis de Muesli - -- mailmap: add Giorgos Oikonomou + Closes https://github.com/curl/curl/pull/4397 -- src/makefile: fix uncompressed hugehelp.c generation +Daniel Stenberg (22 Sep 2019) +- curl: exit the create_transfers loop on errors - Regression from 5cf5d57ab9 (7.64.1) + When looping around the ranges and given URLs to create transfers, all + errors should exit the loop and return. Previously it would keep + looping. - Fixed-by: Lance Ware - Fixes #4176 - Closes #4177 - -- appveyor: pass on -k to make + Reported-by: SumatraPeter on github + Bug: #4393 + Closes #4396 -- timediff: make it 64 bit (if possible) even with 32 bit time_t +Jay Satiro (21 Sep 2019) +- socks: Fix destination host shown on SOCKS5 error - ... to make it hold microseconds too. + Prior to this change when a server returned a socks5 connect error then + curl would parse the destination address:port from that data and show it + to the user as the destination: - Fixes #4165 - Closes #4168 + curld -v --socks5 10.0.3.1:1080 http://google.com:99 + * SOCKS5 communication to google.com:99 + * SOCKS5 connect to IPv4 172.217.12.206 (locally resolved) + * Can't complete SOCKS5 connection to 253.127.0.0:26673. (1) + curl: (7) Can't complete SOCKS5 connection to 253.127.0.0:26673. (1) + + That's incorrect because the address:port included in the connect error + is actually a bind address:port (typically unused) and not the + destination address:port. This fix changes curl to show the destination + information that curl sent to the server instead: + + curld -v --socks5 10.0.3.1:1080 http://google.com:99 + * SOCKS5 communication to google.com:99 + * SOCKS5 connect to IPv4 172.217.7.14:99 (locally resolved) + * Can't complete SOCKS5 connection to 172.217.7.14:99. 
(1) + curl: (7) Can't complete SOCKS5 connection to 172.217.7.14:99. (1) + + curld -v --socks5-hostname 10.0.3.1:1080 http://google.com:99 + * SOCKS5 communication to google.com:99 + * SOCKS5 connect to google.com:99 (remotely resolved) + * Can't complete SOCKS5 connection to google.com:99. (1) + curl: (7) Can't complete SOCKS5 connection to google.com:99. (1) + + Ref: https://tools.ietf.org/html/rfc1928#section-6 + + Closes https://github.com/curl/curl/pull/4394 -- ROADMAP: parallel transfers are merged now +Daniel Stenberg (21 Sep 2019) +- travis: enable ngtcp2 h3-23 builds -- getenv: support up to 4K environment variable contents on windows +- altsvc: both backends run h3-23 now - Reported-by: Michal Čaplygin - Fixes #4174 - Closes #4175 - -- [Kyohei Kadota brought this change] + Closes #4395 - plan9: add support for running on Plan 9 +- http: fix warning on conversion from int to bit - Closes #3701 + Follow-up from 03ebe66d70 -- [Kyohei Kadota brought this change] +- urldata: use 'bool' for the bit type on MSVC compilers + + Closes #4387 + Fixes #4379 - ntlm: explicit type casting +- appveyor: upgrade VS2017 to VS2019 + + Closes #4383 -- [Justin brought this change] +- [Zenju brought this change] - curl.h: fix outdated comment + FTP: FTPFILE_NOCWD: avoid redundant CWDs - Closes #4167 + Closes #4382 -- curl: remove outdated comment +- cookie: pass in the correct cookie amount to qsort() - Turned bad with commit b8894085000 + As the loop discards cookies without domain set. This bug would lead to + qsort() trying to sort uninitialized pointers. We have however not found + it a security problem. 
- Reported-by: niallor on github - Fixes #4172 - Closes #4173 + Reported-by: Paul Dreik + Closes #4386 -- cleanup: remove the 'numsocks' argument used in many places +- [Paul Dreik brought this change] + + urlapi: avoid index underflow for short ipv6 hostnames - It was used (intended) to pass in the size of the 'socks' array that is - also passed to these functions, but was rarely actually checked/used and - the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries - that should be used instead. + If the input hostname is "[", hlen will underflow to max of size_t when + it is subtracted with 2. - Closes #4169 - -- readwrite_data: repair setting the TIMER_STARTTRANSFER stamp + hostname[hlen] will then cause a warning by ubsanitizer: - Regression, broken in commit 65eb65fde64bd5f (curl 7.64.1) + runtime error: addition of unsigned offset to 0x overflowed to + 0x - Reported-by: Jonathan Cardoso Machado - Assisted-by: Jay Satiro + I think that in practice, the generated code will work, and the output + of hostname[hlen] will be the first character "[". - Fixes #4136 - Closes #4162 + This can be demonstrated by the following program (tested in both clang + and gcc, with -O3) + + int main() { + char* hostname=strdup("["); + size_t hlen = strlen(hostname); + + hlen-=2; + hostname++; + printf("character is %d\n",+hostname[hlen]); + free(hostname-1); + } + + I found this through fuzzing, and even if it seems harmless, the proper + thing is to return early with an error. + + Closes #4389 -- mailmap: Amit Katyal +- [Tatsuhiro Tsujikawa brought this change] -- asyn-thread: removed unused variable + ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23 - Follow-up to eb9a604f. Mistake caused by me when I edited the commit - before push... - -- RELEASE-NOTES: synced + Closes #4392 -- [Amit Katyal brought this change] +- THANKS-filter: deal with my typos 'Jat' => 'Jay' - asyn-thread: create a socketpair to wait on +- travis: use go master - Closes #4157 + ... 
as the boringssl builds needs a very recent version + + Co-authored-by: Jat Satiro + Closes #4361 -- curl: cap the maximum allowed values for retry time arguments +- tool_operate: removed unused variable 'done' - ... to avoid integer overflows later when multiplying with 1000 to - convert seconds to milliseconds. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- tool_operate: Expression 'config->resume_from' is always true - Added test 1269 to verify. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- tool_getparam: remove duplicate switch case - Reported-by: Jason Lee - Closes #4166 + Fixes warning detected by PVS-Studio + Fixes #4374 -- progress: reset download/uploaded counter +- libssh2: part of conditional expression is always true: !result - ... to make CURLOPT_MAX_RECV_SPEED_LARGE and - CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that - reuse the same handle. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- urlapi: Expression 'storep' is always true - Fixed-by: Ironbars13 on github - Fixes #4084 - Closes #4161 + Fixes warning detected by PVS-Studio + Fixes #4374 -- http2_recv: trigger another read when the last data is returned +- urlapi: 'scheme' is always true - ... so that end-of-stream is detected properly. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- urlapi: part of conditional expression is always true: (relurl[0] == '/') - Reported-by: Tom van der Woerdt - Fixes #4043 - Closes #4160 + Fixes warning detected by PVS-Studio + Fixes #4374 -- curl: avoid uncessary libcurl timeouts (in parallel mode) +- setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly - When curl_multi_wait() returns OK without file descriptors to wait for, - it might already have done a long timeout. 
+ Fixes bug detected by PVS-Studio + Fixes #4374 + +- mime: make Curl_mime_duppart() assert if called without valid dst - Closes #4159 + Fixes warning detected by PVS-Studio + Fixes #4374 -- [Balazs Kovacsics brought this change] +- http_proxy: part of conditional expression is always true: !error + + Fixes warning detected by PVS-Studio + Fixes #4374 - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown +- imap: merged two case-branches performing the same action - If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set, - automatically add a Transfer-Encoding: chunked header, same as it is - already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update - test 1514 according to the new behaviour. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- multi: value '2L' is assigned to a boolean - Closes #4138 + Fixes warning detected by PVS-Studio + Fixes #4374 -Jay Satiro (29 Jul 2019) -- [Daniel Stenberg brought this change] +- easy: part of conditional expression is always true: !result + + Fixes warning detected by PVS-Studio + Fixes #4374 - winbuild: add vquic to list of build directories +- netrc: part of conditional expression is always true: !done - This fixes the winbuild build method which broke several days ago - when experimental quic support was added in 3af0e76. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- version: Expression 'left > 1' is always true - Reported-by: Michael Lee + Fixes warning detected by PVS-Studio + Fixes #4374 + +- url: remove dead code - Fixes https://github.com/curl/curl/issues/4158 + Fixes warning detected by PVS-Studio + Fixes #4374 -- easy: resize receive buffer on easy handle reset +- url: part of expression is always true: (bundle->multiuse == 0) - - In curl_easy_reset attempt to resize the receive buffer to its default - size. If realloc fails then continue using the previous size. 
+ Fixes warning detected by PVS-Studio + Fixes #4374 + +- ftp: the conditional expression is always true - Prior to this change curl_easy_reset did not properly handle resetting - the receive buffer (data->state.buffer). It reset the variable holding - its size (data->set.buffer_size) to the default size (READBUFFER_SIZE) - but then did not actually resize the buffer. If a user resized the - buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the - default, later called curl_easy_reset and attempted to reuse the handle - then a heap overflow would very likely occur during that handle's next - transfer. + ... both !result and (ftp->transfer != FTPTRANSFER_BODY)! - Reported-by: Felix Hädicke + Fixes warning detected by PVS-Studio + Fixes #4374 + +- ftp: Expression 'ftpc->wait_data_conn' is always false - Fixes https://github.com/curl/curl/issues/4143 - Closes https://github.com/curl/curl/pull/4145 + Fixes warning detected by PVS-Studio + Fixes #4374 -- [Brad Spencer brought this change] +- ftp: Expression 'ftpc->wait_data_conn' is always true + + Fixes warning detected by PVS-Studio + Fixes #4374 - examples: Avoid reserved names in hiperfifo examples +- ftp: part of conditional expression is always true: !result - - Trade in __attribute__((unused)) for the classic (void)x to silence - unused symbols. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- http: fix Expression 'http->postdata' is always false - Because the classic way is not gcc specific. Also because the prior - method mapped to symbol _Unused, which starts with _ and a capital - letter which is reserved. 
+ Fixes warning detected by PVS-Studio + Fixes #4374 + Reported-by: Valerii Zapodovnikov + +- [Niall O'Reilly brought this change] + + doh: avoid truncating DNS QTYPE to lower octet - Assisted-by: The Infinnovation team + Closes #4381 + +- [Jens Finkhaeuser brought this change] + + urlapi: CURLU_NO_AUTHORITY allows empty authority/host part - Bug: https://github.com/curl/curl/issues/4120#issuecomment-512542108 + CURLU_NO_AUTHORITY is intended for use with unknown schemes (i.e. not + "file:///") to override cURL's default demand that an authority exists. - Closes https://github.com/curl/curl/pull/4153 + Closes #4349 -Daniel Stenberg (25 Jul 2019) -- RELEASE-NOTES: synced +- version: next release will be 7.67.0 -- [Felix Hädicke brought this change] +- RELEASE-NOTES: synced - ssh-libssh: do not specify O_APPEND when not in append mode +- url: only reuse TLS connections with matching pinning - Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not - make much sense. And this combination of flags is not accepted by all - SFTP servers (at least not Apache SSHD). + If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the + connection should not be reused. - Fixes #4147 - Closes #4148 + Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html + Reported-by: Sebastian Haglund + + Closes #4347 -- [Gergely Nagy brought this change] +- README: add OSS-Fuzz badge [skip ci] + + Closes #4380 - multi: call detach_connection before Curl_disconnect +Michael Kaufmann (18 Sep 2019) +- http: merge two "case" statements + +Daniel Stenberg (18 Sep 2019) +- [Zenju brought this change] + + FTP: remove trailing slash from path for LIST/MLSD - Curl_disconnect bails out if conn->easyq is not empty, detach_connection - needs to be called first to remove the current easy from the queue. 
+ Closes #4348 + +- mime: when disabled, avoid C99 macro - Fixes #4144 - Closes #4151 + Closes #4368 -Jay Satiro (23 Jul 2019) -- tool_operate: fix implicit call to easysrc_cleanup +- url: cleanup dangling DOH request headers too - easysrc_cleanup is only defined when CURL_DISABLE_LIBCURL_OPTION is not - defined, and prior to this change would be called regardless. + Follow-up to 9bc44ff64d9081 - Bug: https://github.com/curl/curl/pull/3804#issuecomment-513922637 - Reported-by: Marcel Raad + Credit to OSS-Fuzz + Bug: https://crbug.com/oss-fuzz/17269 - Closes https://github.com/curl/curl/pull/4142 + Closes #4372 -Daniel Stenberg (22 Jul 2019) -- curl:create_transfers check return code from curl_easy_setopt +- [Christoph M. Becker brought this change] + + http2: relax verification of :authority in push promise requests - From commit b8894085 + If the :authority pseudo header field doesn't contain an explicit port, + we assume it is valid for the default port, instead of rejecting the + request for all ports. - Pointed out by Coverity CID 1451703 + Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html - Closes #4134 + Closes #4365 -- HTTP3: initial (experimental) support - - USe configure --with-ngtcp2 or --with-quiche +- doh: clean up dangling DOH handles and memory on easy close - Using either option will enable a HTTP3 build. - Co-authored-by: Alessandro Ghedini + If you set the same URL for target as for DoH (and it isn't a DoH + server), like "https://example.com" in both, the easy handles used for + the DoH requests could be left "dangling" and end up not getting freed. - Closes #3500 + Reported-by: Paul Dreik + Closes #4366 -- curl: remove dead code +- unit1655: make it C90 compliant - The loop never loops (since b889408500), pointed out by Coverity (CID - 1451702) + Unclear why this was not detected in the CI. 
- Closes #4133 - -- docs/PARALLEL-TRANSFERS: correct the version number - -- docs/PARALLEL-TRANSFERS: added + Follow-up to b7666027296a -- curl: support parallel transfers +- smb: check for full size message before reading message details - This is done by making sure each individual transfer is first added to a - linked list as then they can be performed serially, or at will, in - parallel. + To avoid reading of uninitialized data. - Closes #3804 + Assisted-by: Max Dymond + Bug: https://crbug.com/oss-fuzz/16907 + Closes #4363 -- docs/MANUAL.md: converted to markdown from plain text +- quiche: persist connection details - ... will make it render as a nicer web page. + ... like we do for other protocols at connect time. This makes "curl -I" + and other things work. - Closes #4131 + Reported-by: George Liu + Fixes #4358 + Closes #4360 -- curl_version_info: provide nghttp2 details - - Introducing CURLVERSION_SIXTH with nghttp2 info. +- openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version - Closes #4121 + Follow-up to ffe34b7b59 + Closes #4359 -- bump: start working on 7.66.0 +- [Paul Dreik brought this change] -- source: remove names from source comments + doh: fix undefined behaviour and open up for gcc and clang optimization - Several reasons: + The undefined behaviour is annoying when running fuzzing with + sanitizers. The codegen is the same, but the meaning is now not up for + dispute. See https://cppinsights.io/s/516a2ff4 - - we can't add everyone who's helping out so its unfair to just a few - selected ones. - - we already list all helpers in THANKS and in RELEASE-NOTES for each - release - - we don't want to give the impression that some parts of the code is - "owned" or "controlled" by specific persons + By incrementing the pointer first, both gcc and clang recognize this as + a bswap and optimizes it to a single instruction. 
See + https://godbolt.org/z/994Zpx - Assisted-by: Daniel Gustafsson - Closes #4129 - -Version 7.65.3 (19 Jul 2019) - -Daniel Stenberg (19 Jul 2019) -- RELEASE-NOTES: 7.65.3 + Closes #4350 -- THANKS: 7.65.3 status +- [Paul Dreik brought this change] -- progress: make the progress meter appear again + doh: fix (harmless) buffer overrun - Fix regression caused by 21080e1 + Added unit test case 1655 to verify. + Close #4352 - Reported-by: Chih-Hsuan Yen - Fixes #4122 - Closes #4124 - -- version: bump to 7.65.3 - -- RELEASE-NOTES: Contributors or now 1990 + the code correctly finds the flaws in the old code, + if one temporarily restores doh.c to the old version. -Version 7.65.2 (17 Jul 2019) +Alessandro Ghedini (15 Sep 2019) +- docs: remove trailing ':' from section names in CURLOPT_TRAILER* man -Daniel Stenberg (17 Jul 2019) -- RELEASE-NOTES: 7.65.2 +- docs: fix typo in CURLOPT_HTTP_VERSION man -- THANKS: add contributors from 7.65.2 +GitHub (14 Sep 2019) +- [Daniel Stenberg brought this change] -Jay Satiro (17 Jul 2019) -- [aasivov brought this change] + CI: inintial github action job + + First shot at a CI build on github actions - cmake: Fix finding Brotli on case-sensitive file systems +Daniel Stenberg (13 Sep 2019) +- appveyor: add a winbuild - - Find package "Brotli" instead of "BROTLI" since the former is the - casing used for CMake/FindBrotli.cmake, and otherwise find_package - may fail on a case-sensitive file system. + Assisted-by: Marcel Raad + Assisted-by: Jay Satiro - Fixes https://github.com/curl/curl/issues/4117 + Closes #4324 -- CURLOPT_RANGE.3: Caution against using it for HTTP PUT +- FTP: allow "rubbish" prepended to the SIZE response - AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've - cautioned against using it for that purpose and included a workaround. + This is a protocol violation but apparently there are legacy proprietary + servers doing this. 
- Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html - Reported-by: Christopher Head + Added test 336 and 337 to verify. - Closes https://github.com/curl/curl/issues/3814 - -- [Stefano Simonelli brought this change] - - CURLOPT_SEEKDATA.3: fix variable name - - Closes https://github.com/curl/curl/pull/4118 + Reported-by: Philippe Marguinaud + Closes #4339 -- [Giorgos Oikonomou brought this change] +- [Zenju brought this change] - CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH - - If the SSL backend is Schannel and the user specifies an Schannel CALG_ - that is not supported by the protocol or the server then curl returns - CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH. + FTP: skip CWD to entry dir when target is absolute - Fixes https://github.com/curl/curl/issues/3389 - Closes https://github.com/curl/curl/pull/4106 - -- [Daniel Gustafsson brought this change] + Closes #4332 - nss: inspect returnvalue of token check +Kamil Dudka (13 Sep 2019) +- curl: fix memory leaked by parse_metalink() - PK11_IsPresent() checks for the token for the given slot is available, - and sets needlogin flags for the PK11_Authenticate() call. Should it - return false, we should however treat it as an error and bail out. + This commit fixes a regression introduced by curl-7_65_3-5-gb88940850. + Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind + and libmetalink enabled. - Closes https://github.com/curl/curl/pull/4110 + Closes #4326 -- docs: Explain behavior change in --tlsv1. options since 7.54 +Daniel Stenberg (13 Sep 2019) +- parsedate: still provide the name arrays when disabled - Since 7.54 --tlsv1. options use the specified version or later, however - older versions of curl documented it as using just the specified version - which may or may not have happened depending on the TLS library. - Document this discrepancy to allay confusion for users familiar with the - old documentation that expect just the specified version. 
+ If FILE or FTP are enabled, since they also use them! - Fixes https://github.com/curl/curl/issues/4097 - Closes https://github.com/curl/curl/pull/4119 + Reported-by: Roland Hieber + Fixes #4325 + Closes #4343 -- libcurl: Restrict redirect schemes (follow-up) +- [Gilles Vollant brought this change] + + curl:file2string: load large files much faster - - Allow FTPS on redirect. + ... by using a more efficient realloc scheme. - - Update default allowed redirect protocols in documentation. + Bug: https://curl.haxx.se/mail/lib-2019-09/0045.html + Closes #4336 + +- openssl: close_notify on the FTP data connection doesn't mean closure - Follow-up to 6080ea0. + For FTPS transfers, curl gets close_notify on the data connection + without that being a signal to close the control connection! - Ref: https://github.com/curl/curl/pull/4094 + Regression since 3f5da4e59a556fc (7.65.0) - Closes https://github.com/curl/curl/pull/4115 + Reported-by: Zenju on github + Reviewed-by: Jay Satiro + Fixes #4329 + Closes #4340 -Daniel Stenberg (16 Jul 2019) -- test1173: make it also check all libcurl option man pages - - ... and adjust those that cause errors +- [Jimmy Gaussen brought this change] + + docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag - Closes #4116 + Closes #4338 -- curl: only accept COLUMNS less than 10000 +- RELEASE-NOTES: synced + +- curlver: bump to 7.66.1 + +- [Zenju brought this change] + + setopt: make it easier to add new enum values - ... as larger values would rather indicate something silly (and could - potentially cause buffer problems). + ... by using the *_LAST define names better. 
- Reported-by: pendrek at hackerone - Closes #4114 + Closes #4321 -- dist: add manpage-syntax.pl +- asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris - follow-up to 7fb66c403 + Reported-by: Dagobert Michelsen + Fixes #4328 + Closes #4333 -- test1173: detect some basic man page format mistakes +- [Bernhard Walle brought this change] + + winbuild/MakefileBuild.vc: Add vssh - Triggered by PR #4111 + Without that modification, the Windows build using the makefiles doesn't + work. - Closes #4113 - -Jay Satiro (15 Jul 2019) -- [Bjarni Ingi Gislason brought this change] + Signed-off-by: Bernhard Walle + + Fixes #4322 + Closes #4323 - docs: Fix missing lines caused by undefined macros +Bernhard Walle (11 Sep 2019) +- winbuild/MakefileBuild.vc: Fix line endings - - Escape apostrophes at line start. + The file had mixed line endings. - Some lines begin with a "'" (apostrophe, single quote), which is then - interpreted as a control character in *roff. + Signed-off-by: Bernhard Walle + +Jay Satiro (11 Sep 2019) +- ldap: Stop using wide char version of ldapp_err2string - Such lines are interpreted as being a call to a macro, and if - undefined, the lines are removed from the output. + Despite ldapp_err2string being documented by MS as returning a + PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and + returns PWCHAR (wchar_t *). - Bug: https://bugs.debian.org/926352 - 
Signed-off-by: Bjarni Ingi Gislason + We have lots of code that expects ldap_err2string to return char *, + most of it failf used like this: - Submitted-by: Alessandro Ghedini + failf(data, "LDAP local: Some error: %s", ldap_err2string(rc)); - Closes https://github.com/curl/curl/pull/4111 + Closes https://github.com/curl/curl/pull/4272 -Daniel Stenberg (14 Jul 2019) -- libcurl-security.3: update to new CURLOPT_REDIR_PROTOCOLS defaults - - follow-up to 6080ea098 +Version 7.66.0 (10 Sep 2019) -- [Linos Giannopoulos brought this change] +Daniel Stenberg (10 Sep 2019) +- RELEASE-NOTES: curl 7.66.0 - libcurl: Add testcase for gopher redirects - - The testcase ensures that redirects to CURLPROTO_GOPHER won't be - allowed, by default, in the future. Also, curl is being used - for convenience while keeping the testcases DRY. +- THANKS: from the 7.66.0 release + +- curl: make sure the parallel transfers do them all - The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is - redirected to CURLPROTO_GOPHER + The logic could erroneously break the loop too early before all + transfers had been transferred. - 
Signed-off-by: Linos Giannopoulos + Reported-by: Tom van der Woerdt + Fixes #4316 + Closes #4317 -- [Linos Giannopoulos brought this change] +- urlapi: one colon is enough for the strspn() input (typo) - libcurl: Restrict redirect schemes - - All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS - counterpart were allowed for redirect. This vastly broadens the - exploitation surface in case of a vulnerability such as SSRF [1], where - libcurl-based clients are forced to make requests to arbitrary hosts. - - For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based - protocol by URL-encoding a payload in the URI. Gopher will open a TCP - connection and send the payload. +- urlapi: verify the IPv6 numerical address - Only HTTP/HTTPS and FTP are allowed. All other protocols have to be - explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. + It needs to parse correctly. Otherwise it could be tricked into letting + through a-f using host names that libcurl would then resolve. Like + '[ab.be]'. - [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ + Reported-by: Thomas Vegas + Closes #4315 + +- [Clément Notin brought this change] + + openssl: use SSL_CTX_set__proto_version() when available - 
Signed-off-by: Linos Giannopoulos + OpenSSL 1.1.0 adds SSL_CTX_set__proto_version() that we now use + when available. Existing code is preserved for older versions of + OpenSSL. - Closes #4094 + Closes #4304 -- [Zenju brought this change] +- [Clément Notin brought this change] - openssl: define HAVE_SSL_GET_SHUTDOWN based on version number + openssl: indent, re-organize and add comments + +- [migueljcrum brought this change] + + sspi: fix memory leaks - Closes #4100 + Closes #4299 -- [Peter Simonyi brought this change] +- travis: disable ngtcp2 builds (again) - http: allow overriding timecond with custom header +- Curl_fillreadbuffer: avoid double-free trailer buf on error - With CURLOPT_TIMECONDITION set, a header is automatically added (e.g. - If-Modified-Since). Allow this to be replaced or suppressed with - CURLOPT_HTTPHEADER. + Reviewed-by: Jay Satiro + Reported-by: Thomas Vegas - Fixes #4103 - Closes #4109 - -Jay Satiro (11 Jul 2019) -- [Juergen Hoetzel brought this change] + Closes #4307 - smb: Use the correct error code for access denied on file open +- tool_setopt: handle a libcurl build without netrc support - - Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open. + Reported-by: codesniffer13 on github + Fixes #4302 + Closes #4305 + +- security:read_data fix bad realloc() - Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead. + ... that could end up a double-free - Closes https://github.com/curl/curl/pull/4095 + CVE-2019-5481 + Bug: https://curl.haxx.se/docs/CVE-2019-5481.html -- [Daniel Gustafsson brought this change] +- [Thomas Vegas brought this change] - DEPRECATE: fixup versions and spelling + tftp: Alloc maximum blksize, and use default unless OACK is received - Correctly set the July 17 version to 7.65.2, and update spelling to - be consistent. Also fix a typo. + Fixes potential buffer overflow from 'recvfrom()', should the server + return an OACK without blksize. 
- Closes https://github.com/curl/curl/pull/4107 + Bug: https://curl.haxx.se/docs/CVE-2019-5482.html + CVE-2019-5482 -- [Gisle Vanem brought this change] +- [Thomas Vegas brought this change] - system_win32: fix clang warning + tftp: return error when packet is too small for options + +- KNOWN_BUGS/TODO: cleanup and remove outdated issues + +- RELEASE-NOTES: synced + +- netrc: free 'home' on error - - Declare variable in header as extern. + Follow-up to f9c7ba9096ec2 - Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597 - -Daniel Gustafsson (10 Jul 2019) -- headers: Remove no longer exported functions + Coverity CID 1453474 - There were a leftover few prototypes of Curl_ functions that we used to - export but no longer do, this removes those prototypes and cleans up any - comments still referring to them. - - Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free() - Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn() - were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c. - Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3. + Closes #4291 + +- urldata: avoid 'generic', use dedicated pointers - For the remainder, I didn't trawl the Git logs hard enough to capture - their exact time of deletion, but they were all gone: Curl_splayprint(), - Curl_http2_send_request(), Curl_global_host_cache_dtor(), - Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(), - Curl_http_auth_stage() and Curl_close_connections(). + For the 'proto' union within the connectdata struct. 
- Closes #4096 - Reviewed-by: Daniel Stenberg - -- CMake: fix typos and spelling + Closes #4290 -- [Kyle Edwards brought this change] +- cleanup: move functions out of url.c and make them static + + Closes #4289 - CMake: Convert errant elseif() to else() +- smtp: check for and bail out on too short EHLO response - CMake interprets an elseif() with no arguments as elseif(FALSE), - resulting in the elseif() block not being executed. That is not what - was intended here. Change the empty elseif() to an else() as it was - intended. + Otherwise, a three byte response would make the smtp_state_ehlo_resp() + function misbehave. - Closes #4101 - Reported-by: Artalus - Reviewed-by: Daniel Gustafsson + Credit to OSS-Fuzz + Bug: https://crbug.com/oss-fuzz/16918 + + Assisted-by: Max Dymond + + Closes #4287 -- buildconf: fix header filename +- smb: init *msg to NULL in smb_send_and_recv() - The header file inclusion had a typo, it should be .h and not .hd. - Fix by renaming. + ... it might otherwise return OK from this function leaving that pointer + uninitialized. - Fixes #4102 - Reported-by: AceCrow on Github + Bug: https://crbug.com/oss-fuzz/16907 + + Closes #4286 -- [Jan Chren brought this change] +- ROADMAP: updated after recent user poll + + In rough prio order - configure: fix --disable-code-coverage +- THANKS: remove duplicate + +- Curl_addr2string: take an addrlen argument too - This fixes the case when --disable-code-coverage supplied to ./configure - would result in coverage="yes" being set. + This allows the function to figure out if a unix domain socket has a + file name or not associated with it! When a socket is created with + socketpair(), as done in the fuzzer testing, the path struct member is + uninitialized and must not be accessed. 
- Closes #4099 - Reviewed-by: Daniel Gustafsson + Bug: https://crbug.com/oss-fuzz/16699 + + Closes #4283 -- cleanup: fix typo in comment +- [Rolf Eike Beer brought this change] -- RELEASE-NOTES: synced + CMake: remove needless newlines at end of gss variables -Jay Satiro (6 Jul 2019) -- [Daniel Gustafsson brought this change] +- [Rolf Eike Beer brought this change] - nss: support using libnss on macOS - - The file suffix for dynamically loadable objects on macOS is .dylib, - which need to be added for the module definitions in order to get the - NSS TLS backend to work properly on macOS. - - Closes https://github.com/curl/curl/pull/4046 + CI: remove duplicate configure flag for LGTM.com -- [Daniel Gustafsson brought this change] +- [Rolf Eike Beer brought this change] - nss: don't set unused parameter - - The value of the maxPTDs parameter to PR_Init() has since at least - NSPR 2.1, which was released sometime in 1998, been marked ignored - as is accordingly not used in the initialization code. Setting it - to a value when calling PR_Init() is thus benign, but indicates an - intent which may be misleading. Reset the value to zero to improve - clarity. + CMake: use platform dependent name for dlopen() library - Closes https://github.com/curl/curl/pull/4054 - -- [Daniel Gustafsson brought this change] + Closes #4279 - nss: only cache valid CRL entries +- quiche: expire when poll returned data - Change the logic around such that we only keep CRLs that NSS actually - ended up caching around for later deletion. If CERT_CacheCRL() fails - then there is little point in delaying the freeing of the CRL as it - is not used. + ... to make sure we continue draining the queue until empty - Closes https://github.com/curl/curl/pull/4053 - -- [Gergely Nagy brought this change] + Closes #4281 - lib: Use UTF-8 encoding in comments - - Some editors and IDEs assume that source files use UTF-8 file encodings. 
- It also fixes the build with MSVC when /utf-8 command line option is - used (this option is mandatory for some other open-source projects, this - is useful when using the same options is desired for building all - libraries of a project). +- quiche: decrease available buffer size, don't assign it! - Closes https://github.com/curl/curl/pull/4087 + Found-by: Jeremy Lainé -- [Caleb Raitto brought this change] +- RELEASE-NOTES: synced - CURLOPT_HEADEROPT.3: Fix example - - Fix an issue where example builds a curl_slist, but fails to actually - use it, or free it. - - Closes https://github.com/curl/curl/pull/4090 +- [Kyohei Kadota brought this change] -- [Shankar Jadhavar brought this change] + curl: fix include conditions - winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG - - - Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored. +- [Kyohei Kadota brought this change] + + plan9: fix installation instructions - - Also removed some ^M chars from file. + Closes #4276 + +- ngtcp2: on h3 stream close, call expire - Prior to this change while building on Windows platform even if we pass - the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does - not set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag. + ... to trigger a new read to detect the stream close! - Closes https://github.com/curl/curl/pull/4086 + Closes #4275 -Daniel Stenberg (4 Jul 2019) -- doh-url.d: added in 7.62.0 +- [Tatsuhiro Tsujikawa brought this change] -Jay Satiro (30 Jun 2019) -- docs: Fix links to OpenSSL docs + ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl - OpenSSL changed their manual locations and does not redirect to the new - locations. 
+ Closes #4278 + +- ngtcp2: set flow control window to stream buffer size - Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html - Reported-by: Daniel Stenberg + Closes #4274 -Daniel Stenberg (26 Jun 2019) -- [Gaël PORTAY brought this change] +- [Christopher Head brought this change] - curl_multi_wait.3: escape backslash in example - - The backslash in the character Line Feed must be escaped. + CURLOPT_HEADERFUNCTION.3: clarify - The current man-page outputs the code as following: + Closes #4273 + +- CURLINFO docs: mention that in redirects times are added - fprintf(stderr, "curl_multi failed, code %d.0, mc); + Suggested-by: Brandon Dong + Fixes #4250 + Closes #4269 + +- travis: enable ngtcp2 builds again - The commit fixes it as follow: + Switched to the openssl-quic-draft-22 openssl branch. - fprintf(stderr, "curl_multi failed, code %d\n", mc); + Closes #4271 + +- HTTP3: switched openssl branch to use + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl - Closes #4079 + Closes #4270 -- openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined +- http2: when marked for closure and wanted to close == OK - ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is - built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for - UWP (with "VC-WIN32-UWP"). + It could otherwise return an error even when closed correctly if GOAWAY + had been received previously. - Reported-by: Vasily Lobaskin - Fixes #4073 - Closes #4077 + Reported-by: Tom van der Woerdt + Fixes #4267 + Closes #4268 -- test1521: adapt to SLISTPOINT +- RELEASE-NOTES: synced + +- build-openssl: fix build with Visual Studio 2019 - The header now has the slist-using options marked as SLISTPOINT so this - makes sure test 1521 understands that. 
+ Reviewed-by: Marcel Raad + Contributed-by: osabc on github + Fixes #4188 + Closes #4266 + +Kamil Dudka (26 Aug 2019) +- vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure - Follow-up to ae99b4de1c443ae989 + This is a follow-up to https://github.com/curl/curl/pull/3864 . - Closes #4074 + Closes #4224 -- win32: make DLL loading a no-op for UWP +Daniel Stenberg (26 Aug 2019) +- KNOWN_BUGS: USE_UNIX_SOCKETS on Windows - Reported-by: Michael Brehm - Fixes #4060 - Closes #4072 - -- [1ocalhost brought this change] + Closes #4040 - configure: fix typo '--disable-http-uath' +- quiche: send the HTTP body correctly on callback uploads - Closes #4076 - -- [Niklas Hambüchen brought this change] + Closes #4265 - docs: fix string suggesting HTTP/2 is not the default +- travis: disable ngtcp2 builds (temporarily) - Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the - man page that new default is mentioned, but the section at the top - contradicted it until now. + Just too many API changes right now - Also remove claim that setting the HTTP version is not sensible. + Closes #4264 + +- ngtcp2: add support for SSLKEYLOGFILE - Closes #4075 + Closes #4260 -- RELEASE-NOTES: synced +- ngtcp2: improve h3 response receiving + + Closes #4259 -- [Stephan Szabo brought this change] +- ngtcp2: use nghttp3_version() - tests: update fixed IP for hostip/clientip split - - These tests give differences for me on linux when using a hostip - pointing to the external ip address for the local machine. +- ngtcp2: sync with upstream API changes - Closes #4070 + Assisted-by: Tatsuhiro Tsujikawa -Daniel Gustafsson (24 Jun 2019) -- http: clarify header buffer size calculation - - The header buffer size calculation can from static analysis seem to - overlow as it performs an addition between two size_t variables and - stores the result in a size_t variable. 
Overflow is however guarded - against elsewhere since the input to the addition is regulated by - the maximum read buffer size. Clarify this with a comment since the - question was asked. - - Reviewed-by: Daniel Stenberg +- [Kyle Abramowitz brought this change] -Daniel Stenberg (24 Jun 2019) -- KNOWN_BUGS: Don't clear digest for single realm + scp: fix directory name length used in memcpy - Closes #3267 - -- KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname + Fix read off end of array due to bad pointer math in getworkingpath for + SCP home directory case. - Closes #3284 + Closes #4258 -- http2: call done_sending on end of upload +- http: the 'closed' struct field is used by both ngh2 and ngh3 - To make sure a HTTP/2 stream registers the end of stream. + and remove 'header_recvbuf', not used for anything - Bug #4043 made me find this problem but this fix doesn't correct the - reported issue. + Reported-by: Jeremy Lainé - Closes #4068 + Closes #4257 -- [James Brown brought this change] +- ngtcp2: accept upload via callback + + Closes #4256 - c-ares: honor port numbers in CURLOPT_DNS_SERVERS +- defines: avoid underscore-prefixed defines - By using ares_set_servers_ports_csv on new enough c-ares. + Double-underscored or underscore plus uppercase letter at least. - Fixes #4066 - Closes #4067 - -Daniel Gustafsson (24 Jun 2019) -- CURLMOPT_SOCKETFUNCTION.3: fix typo - -Daniel Stenberg (24 Jun 2019) -- [Koen Dergent brought this change] - - curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds + ... as they're claimed to be reserved. - Closes #4061 - -- test153: fix content-length to avoid occasional hang + Reported-by: patnyb on github - Closes #4065 - -- RELEASE-NOTES: synced + Fixes #4254 + Closes #4255 -- multi: enable multiplexing by default (again) +- travis: add a build using ngtcp2 + nghttp3 (and a patched OpenSSL) - It was originally made default in d7c4213bd0c (7.62.0) but mistakenly - reverted in commit 2f44e94efb3d (7.65.0). 
Now enabled again. + Runs no tests - Closes #4051 + Closes #4253 -- typecheck: add 3 missing strings and a callback data pointer +- travis: bump to using nghttp2 version 1.39.2 - Closes #4050 + Closes #4252 -- tests: add disable-scan.pl to dist - - follow-up from 29177f422a5 - - Closes #4059 +- [Gisle Vanem brought this change] -- http2: don't call stream-close on already closed streams + docs/examples/curlx: fix errors - Closes #4055 - -Marcel Raad (20 Jun 2019) -- travis: enable alt-svc for coverage build + Initialise 'mimetype' and require the -p12 arg. - Closes + Closes #4248 -- travis: enable libssh2 for coverage build +- cleanup: remove DOT_CHAR completely - It was enabled by default before commit c92d2e14cfb. + Follow-up to f9c7ba9096ec - Disable torture tests 600 and 601 because of - https://github.com/curl/curl/issues/1678. + The use of DOT_CHAR for ".ssh" was probably a mistake and is removed + now. - Closes + Pointed-out-by: Gisle Vanem + Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638 + + Closes #4247 -- travis: disable threaded resolver for coverage build +- spnego_sspi: add typecast to fix build warning - This enables more tests. + Reported in build "Win32 target on Debian Stretch (64-bit) - + i686-w64-mingw32 - gcc-20170516" - Closes + Closes #4245 -- travis: enable brotli for all xenial jobs +- openssl: build warning free with boringssl - There's no need for a separate job, and no need to build it from source - with Xenial. 
+ Closes #4244 + +- curl: make --libcurl use CURL_HTTP_VERSION_3 - Closes + Closes #4243 -- travis: enable warnings-as-errors for coverage build +- ngtcp2: make postfields-set posts work - Closes + Closes #4242 -GitHub (20 Jun 2019) -- [Gisle Vanem brought this change] +- http: remove chunked-encoding and expect header use for HTTP/3 - system_win32: fix typo +- [Alessandro Ghedini brought this change] -Daniel Stenberg (20 Jun 2019) -- typecheck: CURLOPT_CONNECT_TO takes an slist too + configure: use pkg-config to detect quiche - Additionally, add an alias in curl.h for slist-using options so that - we can grep/parse those out at will. + This removes the need to hard-code the quiche target path in + configure.ac. - Closes #4042 + This depends on https://github.com/cloudflare/quiche/pull/128 + + Closes #4237 -- [Stephan Szabo brought this change] +- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 + + For a long time (since 7.28.1) we've returned error when setting the + value to 1 to make applications notice that we stopped supported the old + behavior for 1. Starting now, we treat 1 and 2 exactly the same. + + Closes #4241 - tests: support non-localhost HOSTIP for dict/smb servers +- curl: use .curlrc (with a dot) on Windows as well - smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for - binding the server which when we were running the tests with a separate - HOSTIP and CLIENTIP had failures verifying the server from the device we - were testing. + Fall-back to _curlrc if the dot-version is missing. - This changes them to take the address from runtests.py and default to - localhost/127.0.0.1 if none is given. + Co-Authored-By: Steve Holme - Closes #4048 - -- test1523: basic test of CURLOPT_LOW_SPEED_LIMIT + Closes #4230 -- configure: --disable-progress-meter +- netrc: make the code try ".netrc" on Windows as well - Builds libcurl without support for the built-in progress meter. + ... 
but fall back and try "_netrc" too if the dot version didn't work. - Closes #4023 + Co-Authored-By: Steve Holme -- curl: improved skip-setopt-options when built with disabled features +- ngtcp2: use ngtcp2_version() to get the run-time version - Reduces #ifdefs in src/tool_operate.c + ... which of course doesn't have to be the same used at build-time. - Follow-up from 4e86f2fc4e6 - Closes #3936 + Function just recently merged in ngtcp2. -Steve Holme (18 Jun 2019) -- netrc: Return the correct error code when out of memory +- ngtcp2: move the h3 initing to immediately after the rx key - Introduced in 763c5178. + To fix a segfault and to better deal with 0-RTT - Closes #4036 + Assisted-by: Tatsuhiro Tsujikawa -Daniel Stenberg (18 Jun 2019) -- config-os400: add getpeername and getsockname defines - - Reported-by: jonrumsey on github - Fixes #4037 - Closes #4039 +- [Alessandro Ghedini brought this change] -- runtests: keep logfiles around by default + quiche: register debug callback once and earlier - Make '-k' a no-op. The singletest function now clears the log directory - BEFORE each individual test and not after, which makes it possible to - always keep the logfiles around after a test has been run. No need to - specify -k anymore. Keeping the option parsing around to work with users - of old habits. + The quiche debug callback is global and can only be initialized once, so + make sure we don't do it multiple times (e.g. if multiple requests are + executed). - Some tests also didn't work properly when -k was used (since the old - logs would be kep when a new test starts) which this change also fixes. + In addition this initializes the callback before the connection is + created, so we get logs for the handshake as well. - Closes #4035 - -- [Gergely Nagy brought this change] + Closes #4236 - openssl: fix pubkey/signature algorithm detection in certinfo - - Certinfo gives the same result for all OpenSSL versions. 
- Also made printing RSA pubkeys consistent with older versions. +- ssh: add a generic Curl_ssh_version function for SSH backends - Reported-by: Michael Wallner - Fixes #3706 - Closes #4030 + Closes #4235 -- conn_maxage: move the check to prune_dead_connections() - - ... and avoid the locking issue. - - Reported-by: Kunal Ekawde - Fixes #4029 - Closes #4032 +- base64: check for SSH, not specific SSH backends -- tests: have runtests figure out disabled features - - ... so that runtests can skip individual test cases that test features - that are explicitly disabled in this build. This new logic is intended - for disabled features that aren't otherwise easily visible through the - curl_version_info() or other API calls. - - tests/server/disabled is a newly built executable that will output a - list of disabled features. Outputs nothing for a default build. - - Closes #3950 +- vssh: move ssh init/cleanup functions into backend code -- test188/189: fix Content-Length +- vssh: create directory for SSH backend code + +- TODO/ROADMAP: remove "refuse downgrade redirects" and HTTP/3 - This cures the flaky test results + HTTP3 is now already in full progress - Closes #4034 + Downgrade redirects can be achived almost exactly like that by setting + CURLOPT_REDIR_PROTOCOLS. -- [Thomas Gamper brought this change] +- RELEASE-NOTES: synced - winbuild: use WITH_PREFIX if given +- travis: add a quiche build - Closes #4031 + Closes #4207 -Daniel Gustafsson (17 Jun 2019) -- openssl: remove outdated comment +- http: fix use of credentials from URL when using HTTP proxy - OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), - which is why we switched to CONF_modules_load_file() and introduced - a comment stating why. This behavior was however changed in OpenSSL - commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now - outdated and incorrect comment. The mentioned commit also declares - OPENSSL_config() deprecated so keep the current coding. 
+ When a username and password are provided in the URL, they were wrongly + removed from the stored URL so that subsequent uses of the same URL + wouldn't find the crendentials. This made doing HTTP auth with multiple + connections (like Digest) mishave. - Closes #4033 - Reviewed-by: Daniel Stenberg + Regression from 46e164069d1a5230 (7.62.0) + + Test case 335 added to verify. + + Reported-by: Mike Crowe + + Fixes #4228 + Closes #4229 + +- [Mike Crowe brought this change] + + tests: Replace outdated test case numbering documentation + + Tests are no longer grouped by numeric range[1]. Let's stop saying that + and provide some alternative advice for numbering tests. + + [1] https://curl.haxx.se/mail/lib-2019-08/0043.html + + Closes #4227 + +- travis: reduce number of torture tests in 'coverage' + + ... to make it complete in time. This cut seems not almost not affect + the coverage percentage and yet completes within 35 minutes on travis + where the previous runs recently always timed out after 50. + + Closes #4223 + +- [Igor Makarov brought this change] + + configure: use -lquiche to link to quiche + + Closes #4226 + +- ngtcp2: provide the callbacks as a static struct + + ... instead of having them in quicsocket + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: add missing nghttp3_conn_add_write_offset call + + Closes #4225 + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: deal with stream close + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: Consume QUIC STREAM data properly + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: don't reinitialize SSL on Retry + +- multi: getsock improvements for QUIC connecting + +- connect: connections are persistent by default for HTTP/3 + +- quiche: happy eyeballs + + Closes #4220 + +- ngtcp2: do QUIC connections happy-eyeballs friendly + +- curl_version: bump string buffer size to 250 + + With HTTP/3 libs and plenty TLS libs, I manged to hit the limit (which + causes a truncated output). 
+ +- CURLOPT_ALTSVC.3: use a "" file name to not load from a file + +Jay Satiro (14 Aug 2019) +- vauth: Use CURLE_AUTH_ERROR for auth function errors + + - Add new error code CURLE_AUTH_ERROR. + + Prior to this change auth function errors were signaled by + CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was + technically correct. + + Ref: https://github.com/curl/curl/pull/3848 + + Co-authored-by: Dominik Hölzl + + Closes https://github.com/curl/curl/pull/3864 + +Daniel Stenberg (13 Aug 2019) +- curl_version_info: make the quic_version a const + + Follow-up from 1a2df1518ad8653f + + Closes #4222 + +- examples: add http3.c, altsvc.c and http3-present.c + + Closes #4221 + +Peter Wu (13 Aug 2019) +- nss: use TLSv1.3 as default if supported + + SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported + range in NSS 3.45. It looks like the intention is to raise the minimum + version rather than lowering the maximum, so adjust accordingly. Note + that the caller (nss_setup_connect) initializes the version range to + (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again. + + Closes #4187 + Reviewed-by: Daniel Stenberg + Reviewed-by: Kamil Dudka + +Daniel Stenberg (13 Aug 2019) +- quic.h: remove unused proto + +- curl_version_info.3: mentioned ALTSVC and HTTP3 + + ... 
and sorted the list alphabetically + +- lib/quic.c: unused - removed + +- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED + + Follow-up to 98c3f148 that removed it from the header file + +- [Junho Choi brought this change] + + docs/HTTP3: simplify quiche build instruction + + Use --recursive to get boringssl in one line + + Closes #4219 + +- altsvc: make it use h3-22 with ngtcp2 as well + +- ngtcp2: initial h3 request work + + Closes #4217 + +- curl_version_info: offer quic (and h3) library info + + Closes #4216 + +- HTTP3: use ngtcp2's draft-22 branch -Daniel Stenberg (16 Jun 2019) - RELEASE-NOTES: synced -Patrick Monnerat (16 Jun 2019) -- os400: make vsetopt() non-static as Curl_vsetopt() for os400 support. +- CURLOPT_READFUNCTION.3: provide inline example - Use it in curl_easy_setopt_ccsid(). + ... instead of mentioning one in another place + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: send HTTP/3 request with nghttp3 - Reported-by: jonrumsey on github - Fixes #3833 - Closes #4028 + This commit makes sending HTTP/3 request with nghttp3 work. It + minimally receives HTTP response and calls nghttp3 callbacks, but no + processing is made at the moment. + + Closes #4215 -Daniel Stenberg (15 Jun 2019) -- runtests: report single test time + total duration +- nghttp3: initial h3 template code added + +- nghttp3: required when ngtcp2 is used for QUIC - ... after each successful test. + - checked for by configure + - updated docs/HTTP3.md + - shown in the version string - Closes #4027 + Closes #4210 -- multi: fix the transfer hash function +- [Eric Wong brought this change] + + asyn-thread: issue CURL_POLL_REMOVE before closing socket - Follow-up from 8b987cc7eb + This avoids EBADF errors from EPOLL_CTL_DEL operations in the + ephiperfifo.c example. EBADF is dangerous in multi-threaded + applications where I rely on epoll_ctl to operate on the same + epoll description from different threads. 
- Reported-by: Tom van der Woerdt - Fixes #4018 - Closes #4024 + Follow-up to eb9a604f8d7db8 + + Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html + Closes #4211 -- unit1654: cleanup on memory failure +- [Carlo Marcelo Arenas Belón brought this change] + + configure: avoid undefined check_for_ca_bundle - ... to make it handle torture tests properly. + instead of using a "greater than 0" test, check for variable being + set, as it is always set to 1, and could be left unset if non of + OPENSSL MBEDTLS GNUTLS WOLFSSL is being configured for. - Reported-by: Marcel Raad - Fixes #4021 - Closes #4022 + Closes #4213 -Marcel Raad (13 Jun 2019) -- krb5: fix compiler warning +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: Send ALPN h3-22 - Even though the variable was used in a DEBUGASSERT, GCC 8 warned in - debug mode: - krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable] + Closes #4212 + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: use ngtcp2_settings_default and specify initial_ts + +- curl_global_init_mem.3: mention it was added in 7.12.0 + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: make the QUIC handshake work - Just suppress the warning and declare the variable unconditionally - instead of only for DEBUGBUILD (which also missed the check for - HAVE_ASSERT_H). + Closes #4209 + +- [Alex Mayorga brought this change] + + HTTP3.md: Update quiche build instructions - Closes https://github.com/curl/curl/pull/4020 + Added cloning for quiche and BoringSSL and modified the build + instructions so they work on a clean folder. + + Closes #4208 -Daniel Stenberg (13 Jun 2019) -- quote.d: asterisk prefix works for SFTP as well +- CURLOPT_H3: removed - Reported-by: Ben Voris - Fixes #4017 - Closes #4019 + There's no use for this anymore and it was never in a release. 
+ + Closes #4206 -- multi: fix the transfer hashes in the socket hash entries +- http3: make connection reuse work - - The transfer hashes weren't using the correct keys so removing entries - failed. + Closes #4204 + +- quiche: add SSLKEYLOGFILE support + +- cleanup: s/curl_debug/curl_dbg_debug in comments and docs - - Simplified the iteration logic over transfers sharing the same socket and - they now simply are set to expire and thus get handled in the "regular" - timer loop instead. + Leftovers from the function rename back in 76b63489495 - Reported-by: Tom van der Woerdt - Fixes #4012 - Closes #4014 + Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/f3e0f071b14fcb46a453f69bdf4e062bcaacf362#com + mitcomment-34601751 + + Closes #4203 -Jay Satiro (12 Jun 2019) -- [Cliff Crosland brought this change] +- RELEASE-NOTES: synced - url: Fix CURLOPT_MAXAGE_CONN time comparison +- alt-svc: add protocol version selection masking - Old connections are meant to expire from the connection cache after - CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x - that value. This occurs because a time value measured in milliseconds is - accidentally divided by 1M instead of by 1,000. + So that users can mask in/out specific HTTP versions when Alt-Svc is + used. - Closes https://github.com/curl/curl/pull/4013 + - Removed "h2c" and updated test case accordingly + - Changed how the altsvc struct is laid out + - Added ifdefs to make the unittest run even in a quiche-tree + + Closes #4201 -Daniel Stenberg (11 Jun 2019) -- test1165: verify that CURL_DISABLE_ symbols are in sync +- http3: fix the HTTP/3 in the request, make alt-svc set right versions - between configure.ac and source code. They should be possible to switch - on/off in configure AND be used in source code. + Closes #4200 -- configure: remove CURL_DISABLE_TLS_SRP +- alt-svc: send Alt-Used: in redirected requests - It isn't used by code so stop providing the define. 
+ RFC 7838 section 5: - Closes #4010 + When using an alternative service, clients SHOULD include an Alt-Used + header field in all requests. + + Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus + this is deemed ok). + + You can disable sending this header just like you disable any other HTTP + header in libcurl. + + Closes #4199 -- Revert "cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified" +- CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly + + Even though it cannot fall-back to a lower HTTP version automatically. The + safer way to upgrade remains via CURLOPT_ALTSVC. + + CURLOPT_H3 no longer has any bits that do anything and might be removed + before we remove the experimental label. + + Updated the curl tool accordingly to use "--http3". + + Closes #4197 + +- docs/ALTSVC: remove what works and the experimental explanation + + Also, put the TODO items at the bottom. + + Closes #4198 + +- docs/EXPERIMENTAL: explain what it means and what's experimental now + +- curl: make use of CURLINFO_RETRY_AFTER when retrying + + If a Retry-After: header was used in the response, that value overrides + other retry timing options. + + Fixes #3794 + Closes #4195 + +- curl: use CURLINFO_PROTOCOL to check for HTTP(s) + + ... instead of CURLINFO_EFFECTIVE_URL to avoid string operations. + +- CURLINFO_RETRY_AFTER: parse the Retry-After header value + + This is only the libcurl part that provides the information. There's no + user of the parsed value. This change includes three new tests for the + parser. + + Ref: #3794 + +- docs/ALTSVC.md: first basic file format description + +- curl: have -w's 'http_version' show '3' for HTTP/3 + + Closes #4196 + +- curl.h: add CURL_HTTP_VERSION_3 to the version enum + + It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with + CURLINFO_HTTP_VERSION. 
+ +- quiche: make use of the connection timeout API properly + +- quiche: make POSTFIELDS posts work + +- quiche: improved error handling and memory cleanups + +- quiche: flush egress in h3_stream_recv() too + +- RELEASE-NOTES: synced + +Jay Satiro (6 Aug 2019) +- [Patrick Monnerat brought this change] + + os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). + + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 + + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. + + Closes https://github.com/curl/curl/pull/4186 + +- tests: Fix the line endings for the SASL alt-auth tests + + - Change data and protocol sections to CRLF line endings. + + Prior to this change the tests would fail or hang, which is because + certain sections such as protocol require CRLF line endings. + + Follow-up to grandparent commit which added the tests. + + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 + + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. + + Closes https://github.com/curl/curl/pull/4186 + +- [Steve Holme brought this change] + + examples: Added SASL PLAIN authorisation identity (authzid) examples + + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 + + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. 
+ + Closes https://github.com/curl/curl/pull/4186 + +- [Steve Holme brought this change] + + curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool + + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 + + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. + + Closes https://github.com/curl/curl/pull/4186 + +- [Steve Holme brought this change] + + sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID + + Added the ability for the calling program to specify the authorisation + identity (authzid), the identity to act as, in addition to the + authentication identity (authcid) and password when using SASL PLAIN + authentication. + + Fixes #3653 + Closes #3790 + + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. + + Closes https://github.com/curl/curl/pull/4186 + +Daniel Stenberg (6 Aug 2019) +- docs/HTTP3: refreshed as it is now in master and HTTP/3 can be tested + +- [Yiming Jing brought this change] + + mesalink: implement client authentication + + Closes #4184 + +- curl_multi_poll: a sister to curl_multi_wait() that waits more + + Repeatedly we see problems where using curl_multi_wait() is difficult or + just awkward because if it has no file descriptor to wait for + internally, it returns immediately and leaves it to the caller to wait + for a small amount of time in order to avoid occasional busy-looping. + + This is often missed or misunderstood, leading to underperforming + applications. + + This change introduces curl_multi_poll() as a replacement drop-in + function that accepts the exact same set of arguments. 
This function + works identically to curl_multi_wait() - EXCEPT - for the case when + there's nothing to wait for internally, as then this function will by + itself wait for a "suitable" short time before it returns. This + effectiely avoids all risks of busy-looping and should also make it less + likely that apps "over-wait". + + This also changes the curl tool to use this funtion internally when + doing parallel transfers and changes curl_easy_perform() to use it + internally. + + Closes #4163 + +- quiche:h3_stream_recv return 0 at end of stream + + ... and remove some verbose messages we don't need. Made transfers from + facebook.com work better. + +- altsvc: make quiche use h3-22 now + +- quiche: show the actual version number + +- quiche: first working HTTP/3 request + + - enable debug log + - fix use of quiche API + - use download buffer + - separate header/body + + Closes #4193 + +- http09: disable HTTP/0.9 by default in both tool and library - This reverts commit 36738caeb78603ce24e3ea089a167b8c216fb938. + As the plan has been laid out in DEPRECATED. Update docs accordingly and + verify in test 1174. Now requires the option to be set to allow HTTP/0.9 + responses. - Apparently several of the appveyor windows builds broke. + Closes #4191 -- [sergey-raevskiy brought this change] +- quiche: initial h3 request send/receive - cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified +- lib/Makefile.am: make checksrc run in vquic too + +- altsvc: fix removal of expired cache entry - Reviewed-by: Jakub Zakrzewski - Closes #3770 + Closes #4192 - RELEASE-NOTES: synced -- http2: remove CURL_DISABLE_TYPECHECK define +Steve Holme (4 Aug 2019) +- md4: Use our own MD4 implementation when no crypto libraries are available - ... in http2-less builds as it served no use. + Closes #3780 -- configure: more --disable switches to toggle off individual features - - ... actual support in the code for disabling these has already landed. 
- - Closes #4009 +- md4: No need to include Curl_md4.h for each TLS library -- wolfssl: fix key pinning build error +- md4: No need for the NTLM code to call Curl_md4it() for each TLS library - follow-up from deb9462ff2de8 + As the NTLM code no longer calls any of TLS libraries' specific MD4 + functions, there is no need to call this function for each #ifdef. -- CURLMOPT_SOCKETFUNCTION.3: clarified - - Moved away the callback explanation from curl_multi_socket_action.3 and - expanded it somewhat. - - Closes #4006 +- md4: Move the mbed TLS MD4 implementation out of the NTLM code -- wolfssl: fixup for SNI use - - follow-up from deb9462ff2de8 - - Closes #4007 +- md4: Move the WinCrypt implementation out of the NTLM code -- CURLOPT_CAINFO.3: polished wording - - Clarify the functionality when built to use Schannel and Secure - Transport and stop calling it the "recommended" or "preferred" way and - instead rather call it the default. - - Removed the reference to the ssl comparison table as it isn't necessary. - - Reported-by: Richard Alcock - Bug: https://curl.haxx.se/mail/lib-2019-06/0019.html - Closes #4005 +- md4: Move the SecureTransport implementation out of the NTLM code -GitHub (10 Jun 2019) -- [Daniel Stenberg brought this change] +- md4: Use the Curl_md4it() function for OpenSSL based NTLM - SECURITY.md: created - - Brief security policy description for use/display on github. +- md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code -Daniel Gustafsson (10 Jun 2019) -- tool_cb_prg: Fix integer overflow in progress bar - - Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar - width calculation to avoid integer overflow, but failed to account for - the fact that initial_size is initialized to -1 when the file size is - retrieved from the remote on an upload, causing another signed integer - overflow. Fix by separately checking for this case before the width - calculation. 
- - Closes #3984 - Reported-by: Brian Carpenter (Geeknik Labs) - Reviewed-by: Daniel Stenberg +- md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code -Daniel Stenberg (10 Jun 2019) -- wolfssl: refer to it as wolfSSL only - - Remove support for, references to and use of "cyaSSL" from the source - and docs. wolfSSL is the current name and there's no point in keeping - references to ancient history. +Jay Satiro (4 Aug 2019) +- OS400: Add CURLOPT_H3 symbols - Assisted-by: Daniel Gustafsson + Follow-up to 3af0e76 which added experimental H3 support. - Closes #3903 + Closes https://github.com/curl/curl/pull/4185 -- RELEASE-NOTES: synced +Daniel Stenberg (3 Aug 2019) +- url: make use of new HTTP version if alt-svc has one -- bindlocal: detect and avoid IP version mismatches in bind() - - Reported-by: Alex Grebenschikov - Fixes #3993 - Closes #4002 +- url: set conn->transport to default TCP at init time -- multi: make sure 'data' can present in several sockhash entries +- altsvc: with quiche, use the quiche h3 alpn string - Since more than one socket can be used by each transfer at a given time, - each sockhash entry how has its own hash table with transfers using that - socket. + Closes #4183 + +- alt-svc: more liberal ALPN name parsing - In addition, the sockhash entry can now be marked 'blocked = TRUE'" - which then makes the delete function just set 'removed = TRUE' instead - of removing it "for real", as a way to not rip out the carpet under the - feet of a parent function that iterates over the transfers of that same - sockhash entry. + Allow pretty much anything to be part of the ALPN identifier. In + particular minus, which is used for "h3-20" (in-progress HTTP/3 + versions) etc. - Reported-by: Tom van der Woerdt - Fixes #3961 - Fixes #3986 - Fixes #3995 - Fixes #4004 - Closes #3997 + Updated test 356. 
+ Closes #4182 -- [Sorcus brought this change] +- quiche: use the proper HTTP/3 ALPN - libcurl-tutorial.3: Fix small typo (mutipart -> multipart) +- quiche: add failf() calls for two error cases - Fixed-by: MrSorcus on github - Closes #4000 + To aid debugging + + Closes #4181 -- unpause: trigger a timeout for event-based transfers +- mailmap: added Kyohei Kadota + +Kamil Dudka (1 Aug 2019) +- http_negotiate: improve handling of gss_init_sec_context() failures - ... so that timeouts or other state machine actions get going again - after a changing pause state. For example, if the last delivery was - paused there's no pending socket activity. + If HTTPAUTH_GSSNEGOTIATE was used for a POST request and + gss_init_sec_context() failed, the POST request was sent + with empty body. This commit also restores the original + behavior of `curl --fail --negotiate`, which was changed + by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59. - Reported-by: sstruchtrup on github - Fixes #3994 - Closes #4001 - -Marcel Raad (9 Jun 2019) -- travis: use xenial LLVM package for scan-build + Add regression tests 2077 and 2078 to cover this. - I missed that in commit 99a49d6. + Fixes #3992 + Closes #4171 -- travis: update scan-build job to xenial +Daniel Stenberg (1 Aug 2019) +- mailmap: added 4 more names - Closes https://github.com/curl/curl/pull/3999 + Evgeny Grin, Peter Pih, Anton Malov and Marquis de Muesli -Daniel Stenberg (8 Jun 2019) -- bump: start working on 7.65.2 +- mailmap: add Giorgos Oikonomou -Marcel Raad (5 Jun 2019) -- examples/htmltitle: use C++ casts between pointer types +- src/makefile: fix uncompressed hugehelp.c generation - Compilers and static analyzers warn about using C-style casts here. 
+ Regression from 5cf5d57ab9 (7.64.1) - Closes https://github.com/curl/curl/pull/3975 + Fixed-by: Lance Ware + Fixes #4176 + Closes #4177 -- examples/fopen: fix comparison - - As want is size_t, (file->buffer_pos - want) is unsigned, so checking - if it's less than zero makes no sense. - Check if file->buffer_pos is less than want instead to avoid the - unsigned integer wraparound. - - Closes https://github.com/curl/curl/pull/3975 +- appveyor: pass on -k to make -- build: fix Codacy warnings +- timediff: make it 64 bit (if possible) even with 32 bit time_t - Reduce variable scopes and remove redundant variable stores. + ... to make it hold microseconds too. - Closes https://github.com/curl/curl/pull/3975 + Fixes #4165 + Closes #4168 -- sws: remove unused variables - - Unused since commit 2f44e94. +- ROADMAP: parallel transfers are merged now + +- getenv: support up to 4K environment variable contents on windows - Closes https://github.com/curl/curl/pull/3975 + Reported-by: Michal Čaplygin + Fixes #4174 + Closes #4175 -Version 7.65.1 (4 Jun 2019) +- [Kyohei Kadota brought this change] -Daniel Stenberg (4 Jun 2019) -- RELEASE-NOTES: 7.65.1 + plan9: add support for running on Plan 9 + + Closes #3701 -- THANKS: new contributors from 7.65.1 +- [Kyohei Kadota brought this change] -Steve Holme (4 Jun 2019) -- [Frank Gevaerts brought this change] + ntlm: explicit type casting - ssl: Update outdated "openssl-only" comments for supported backends - - These are for features that used to be openssl-only but were expanded - over time to support other SSL backends. - - Closes #3985 +- [Justin brought this change] -Daniel Stenberg (4 Jun 2019) -- curl_share_setopt.3: improve wording [ci ship] + curl.h: fix outdated comment - Reported-by: Carlos ORyan + Closes #4167 -Steve Holme (4 Jun 2019) -- tool_parsecfg: Use correct return type for GetModuleFileName() - - GetModuleFileName() returns a DWORD which is a typedef of an unsigned - long and not an int. 
+- curl: remove outdated comment - Closes #3980 - -Daniel Stenberg (3 Jun 2019) -- TODO: "at least N milliseconds between requests" [ci skip] + Turned bad with commit b8894085000 - Suggested-by: dkwolfe4 on github - Closes #3920 + Reported-by: niallor on github + Fixes #4172 + Closes #4173 -Steve Holme (2 Jun 2019) -- tests/server/.gitignore: Add socksd to the ignore list +- cleanup: remove the 'numsocks' argument used in many places - Missed in 04fd6755. + It was used (intended) to pass in the size of the 'socks' array that is + also passed to these functions, but was rarely actually checked/used and + the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries + that should be used instead. - Closes #3978 + Closes #4169 -- tool_parsecfg: Fix control flow issue (DEADCODE) +- readwrite_data: repair setting the TIMER_STARTTRANSFER stamp - Follow-up to 8144ba38. + Regression, broken in commit 65eb65fde64bd5f (curl 7.64.1) - Detected by Coverity CID 1445663 - Closes #3976 + Reported-by: Jonathan Cardoso Machado + Assisted-by: Jay Satiro + + Fixes #4136 + Closes #4162 -Daniel Stenberg (2 Jun 2019) -- [Sergey Ogryzkov brought this change] +- mailmap: Amit Katyal - NTLM: reset proxy "multipass" state when CONNECT request is done +- asyn-thread: removed unused variable - Closes #3972 + Follow-up to eb9a604f. Mistake caused by me when I edited the commit + before push... -- test334: verify HTTP 204 response with chunked coding header - - Verifies that a bodyless response don't parse this content-related - header. +- RELEASE-NOTES: synced -- [Michael Kaufmann brought this change] +- [Amit Katyal brought this change] - http: don't parse body-related headers bodyless responses + asyn-thread: create a socketpair to wait on - Responses with status codes 1xx, 204 or 304 don't have a response body. 
For - these, don't parse these headers: + Closes #4157 + +- curl: cap the maximum allowed values for retry time arguments - - Content-Encoding - - Content-Length - - Content-Range - - Last-Modified - - Transfer-Encoding + ... to avoid integer overflows later when multiplying with 1000 to + convert seconds to milliseconds. - This change ensures that HTTP/2 upgrades work even if a - "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present. + Added test 1269 to verify. - Co-authored-by: Daniel Stenberg - Closes #3702 - Fixes #3968 - Closes #3977 + Reported-by: Jason Lee + Closes #4166 -- tls13-docs: mention it is only for OpenSSL >= 1.1.1 +- progress: reset download/uploaded counter - Reported-by: Jay Satiro - Co-authored-by: Jay Satiro - Fixes #3938 - Closes #3946 - -- dump-header.d: spell out that no headers == empty file [ci skip] + ... to make CURLOPT_MAX_RECV_SPEED_LARGE and + CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that + reuse the same handle. - Reported-by: wesinator at github - Fixes #3964 - Closes #3974 + Fixed-by: Ironbars13 on github + Fixes #4084 + Closes #4161 -- singlesocket: use separate variable for inner loop +- http2_recv: trigger another read when the last data is returned - An inner loop within the singlesocket() function wrongly re-used the - variable for the outer loop which then could cause an infinite - loop. Change to using a separate variable! + ... so that end-of-stream is detected properly. - Reported-by: Eric Wu - Fixes #3970 - Closes #3973 - -- RELEASE-NOTES: synced - -- [Josie Huddleston brought this change] + Reported-by: Tom van der Woerdt + Fixes #4043 + Closes #4160 - http2: Stop drain from being permanently set on - - Various functions called within Curl_http2_done() can have the - side-effect of setting the Easy connection into drain mode (by calling - drain_this()). 
However, the last time we unset this for a transfer (by - calling drained_transfer()) is at the beginning of Curl_http2_done(). - If the Curl_easy is reused for another transfer, it is then stuck in - drain mode permanently, which in practice makes it unable to write any - data in the new transfer. +- curl: avoid uncessary libcurl timeouts (in parallel mode) - This fix moves the last call to drained_transfer() to later in - Curl_http2_done(), after the functions that could potentially call for a - drain. + When curl_multi_wait() returns OK without file descriptors to wait for, + it might already have done a long timeout. - Fixes #3966 - Closes #3967 - Reported-by: Josie-H + Closes #4159 -Steve Holme (29 May 2019) -- conncache: Remove the DEBUGASSERT on length check +- [Balazs Kovacsics brought this change] + + HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown - We trust the calling code as this is an internal function. + If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set, + automatically add a Transfer-Encoding: chunked header, same as it is + already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update + test 1514 according to the new behaviour. - Closes #3962 + Closes #4138 -Jay Satiro (29 May 2019) -- [Gisle Vanem brought this change] +Jay Satiro (29 Jul 2019) +- [Daniel Stenberg brought this change] - system_win32: fix function prototype - - - Change if_nametoindex parameter type from char * to const char *. + winbuild: add vquic to list of build directories - Follow-up to 09eef8af from this morning. + This fixes the winbuild build method which broke several days ago + when experimental quic support was added in 3af0e76. 
- Bug: https://github.com/curl/curl/commit/09eef8af#r33716067 - -Marcel Raad (29 May 2019) -- appveyor: add Visual Studio solution build + Reported-by: Michael Lee - Closes https://github.com/curl/curl/pull/3941 + Fixes https://github.com/curl/curl/issues/4158 -- appveyor: add support for other build systems - - Introduce BUILD_SYSTEM variable, which is currently always CMake. +- easy: resize receive buffer on easy handle reset - Closes https://github.com/curl/curl/pull/3941 - -Steve Holme (29 May 2019) -- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows + - In curl_easy_reset attempt to resize the receive buffer to its default + size. If realloc fails then continue using the previous size. - This fixes the static dependency on iphlpapi.lib and allows curl to - build for targets prior to Windows Vista. + Prior to this change curl_easy_reset did not properly handle resetting + the receive buffer (data->state.buffer). It reset the variable holding + its size (data->set.buffer_size) to the default size (READBUFFER_SIZE) + but then did not actually resize the buffer. If a user resized the + buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the + default, later called curl_easy_reset and attempted to reuse the handle + then a heap overflow would very likely occur during that handle's next + transfer. - This partially reverts 170bd047. + Reported-by: Felix Hädicke - Fixes #3960 - Closes #3958 + Fixes https://github.com/curl/curl/issues/4143 + Closes https://github.com/curl/curl/pull/4145 -Daniel Stenberg (29 May 2019) -- http: fix "error: equality comparison with extraneous parentheses" +- [Brad Spencer brought this change] -- parse_proxy: make sure portptr is initialized - - Reported-by: Benbuck Nason + examples: Avoid reserved names in hiperfifo examples - fixes #3959 - -- url: default conn->port to the same as conn->remote_port + - Trade in __attribute__((unused)) for the classic (void)x to silence + unused symbols. - ... 
so that it has a sensible value when ConnectionExists() is called which - needs it set to differentiate host "bundles" correctly on port number! + Because the classic way is not gcc specific. Also because the prior + method mapped to symbol _Unused, which starts with _ and a capital + letter which is reserved. - Also, make conncache:hashkey() use correct port for bundles that are proxy vs - host connections. + Assisted-by: The Infinnovation team - Probably a regression from 7.62.0 + Bug: https://github.com/curl/curl/issues/4120#issuecomment-512542108 - Reported-by: Tom van der Woerdt - Fixes #3956 - Closes #3957 + Closes https://github.com/curl/curl/pull/4153 -- conncache: make "bundles" per host name when doing proxy tunnels +Daniel Stenberg (25 Jul 2019) +- RELEASE-NOTES: synced + +- [Felix Hädicke brought this change] + + ssh-libssh: do not specify O_APPEND when not in append mode - Only HTTP proxy use where multiple host names can be used over the same - connection should use the proxy host name for bundles. + Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not + make much sense. And this combination of flags is not accepted by all + SFTP servers (at least not Apache SSHD). - Reported-by: Tom van der Woerdt - Fixes #3951 - Closes #3955 + Fixes #4147 + Closes #4148 -- multi: track users of a socket better +- [Gergely Nagy brought this change] + + multi: call detach_connection before Curl_disconnect - They need to be removed from the socket hash linked list with more care. + Curl_disconnect bails out if conn->easyq is not empty, detach_connection + needs to be called first to remove the current easy from the queue. - When sh_delentry() is called to remove a sockethash entry, remove all - individual transfers from the list first. To enable this, each Curl_easy struct - now stores a pointer to the sockethash entry to know how to remove itself. 
+ Fixes #4144 + Closes #4151 + +Jay Satiro (23 Jul 2019) +- tool_operate: fix implicit call to easysrc_cleanup - Reported-by: Tom van der Woerdt and Kunal Ekawde + easysrc_cleanup is only defined when CURL_DISABLE_LIBCURL_OPTION is not + defined, and prior to this change would be called regardless. - Fixes #3952 - Fixes #3904 - Closes #3953 + Bug: https://github.com/curl/curl/pull/3804#issuecomment-513922637 + Reported-by: Marcel Raad + + Closes https://github.com/curl/curl/pull/4142 -Steve Holme (28 May 2019) -- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version +Daniel Stenberg (22 Jul 2019) +- curl:create_transfers check return code from curl_easy_setopt - Microsoft added support for Unix Domain Sockets in Windows 10 1803 - (RS4). Rather than expect the user to enable Unix Domain Sockets by - uncommenting the #define that was added in 0fd6221f we use the RS4 - pre-processor variable that is present in newer versions of the - Windows SDK. + From commit b8894085 - Closes #3939 - -Daniel Stenberg (28 May 2019) -- [Jonas Vautherin brought this change] - - cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables + Pointed out by Coverity CID 1451703 - Closes #3945 + Closes #4134 -Marcel Raad (27 May 2019) -- HAProxy tests: add keywords +- HTTP3: initial (experimental) support - Add the proxy and haproxy keywords in order to be able to exclude or - run these specific tests. + USe configure --with-ngtcp2 or --with-quiche - Closes https://github.com/curl/curl/pull/3949 - -Daniel Stenberg (27 May 2019) -- [Maksim Stsepanenka brought this change] - - tests: make test 1420 and 1406 work with rtsp-disabled libcurl + Using either option will enable a HTTP3 build. 
+ Co-authored-by: Alessandro Ghedini - Closes #3948 - -Kamil Dudka (27 May 2019) -- [Hubert Kario brought this change] + Closes #3500 - nss: allow to specify TLS 1.3 ciphers if supported by NSS +- curl: remove dead code + + The loop never loops (since b889408500), pointed out by Coverity (CID + 1451702) - Closes #3916 + Closes #4133 -Daniel Stenberg (26 May 2019) -- RELEASE-NOTES: synced +- docs/PARALLEL-TRANSFERS: correct the version number -- [Jay Satiro brought this change] +- docs/PARALLEL-TRANSFERS: added - Revert all SASL authzid (new feature) commits - - - Revert all commits related to the SASL authzid feature since the next - release will be a patch release, 7.65.1. - - Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined - for the next release, assuming it would be a feature release 7.66.0. - However instead the next release will be a patch release, 7.65.1 and - will not contain any new features. - - After the patch release after the reverted commits can be restored by - using cherry-pick: - - git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690 +- curl: support parallel transfers - Details for all reverted commits: + This is done by making sure each individual transfer is first added to a + linked list as then they can be performed serially, or at will, in + parallel. - Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()." + Closes #3804 + +- docs/MANUAL.md: converted to markdown from plain text - This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a. + ... will make it render as a nicer web page. - Revert "tests: Fix the line endings for the SASL alt-auth tests" + Closes #4131 + +- curl_version_info: provide nghttp2 details - This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221. + Introducing CURLVERSION_SIXTH with nghttp2 info. 
- Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples" + Closes #4121 + +- bump: start working on 7.66.0 + +- source: remove names from source comments - This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75. + Several reasons: - Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool" + - we can't add everyone who's helping out so its unfair to just a few + selected ones. + - we already list all helpers in THANKS and in RELEASE-NOTES for each + release + - we don't want to give the impression that some parts of the code is + "owned" or "controlled" by specific persons - This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817. + Assisted-by: Daniel Gustafsson + Closes #4129 + +Version 7.65.3 (19 Jul 2019) + +Daniel Stenberg (19 Jul 2019) +- RELEASE-NOTES: 7.65.3 + +- THANKS: 7.65.3 status + +- progress: make the progress meter appear again - Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID" + Fix regression caused by 21080e1 - This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177. + Reported-by: Chih-Hsuan Yen + Fixes #4122 + Closes #4124 -- [dbrowndan brought this change] +- version: bump to 7.65.3 - FAQ: more minor updates and spelling fixes - - Closes #3937 +- RELEASE-NOTES: Contributors or now 1990 -- RELEASE-NOTES: synced +Version 7.65.2 (17 Jul 2019) -- sectransp: handle errSSLPeerAuthCompleted from SSLRead() - - Reported-by: smuellerDD on github - Fixes #3932 - Closes #3933 +Daniel Stenberg (17 Jul 2019) +- RELEASE-NOTES: 7.65.2 -GitHub (24 May 2019) -- [Gisle Vanem brought this change] +- THANKS: add contributors from 7.65.2 - Fix typo. 
+Jay Satiro (17 Jul 2019) +- [aasivov brought this change] -Daniel Stenberg (23 May 2019) -- tool_setopt: for builds with disabled-proxy, skip all proxy setopts() + cmake: Fix finding Brotli on case-sensitive file systems - Reported-by: Marcel Raad - Fixes #3926 - Closes #3929 - -Steve Holme (23 May 2019) -- winbuild: Use two space indentation + - Find package "Brotli" instead of "BROTLI" since the former is the + casing used for CMake/FindBrotli.cmake, and otherwise find_package + may fail on a case-sensitive file system. - Closes #3930 - -GitHub (23 May 2019) -- [Gisle Vanem brought this change] + Fixes https://github.com/curl/curl/issues/4117 - tool_parse_cfg: Avoid 2 fopen() for WIN32 +- CURLOPT_RANGE.3: Caution against using it for HTTP PUT + + AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've + cautioned against using it for that purpose and included a workaround. - Using the memdebug.h mem-leak feature, I noticed 2 calls like: - FILE tool_parsecfg.c:70 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") - FILE tool_parsecfg.c:114 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") + Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html + Reported-by: Christopher Head - No need for 'fopen(), 'fclose()' and a 'fopen()' yet again. + Closes https://github.com/curl/curl/issues/3814 -Daniel Stenberg (23 May 2019) -- md4: include the mbedtls config.h to get the MD4 info +- [Stefano Simonelli brought this change] -- md4: build correctly with openssl without MD4 + CURLOPT_SEEKDATA.3: fix variable name - Reported-by: elsamuko at github - Fixes #3921 - Closes #3922 + Closes https://github.com/curl/curl/pull/4118 -Patrick Monnerat (23 May 2019) -- os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). 
+- [Giorgos Oikonomou brought this change] -Daniel Stenberg (23 May 2019) -- .github/FUNDING: mention our opencollective "home" [ci skip] + CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH + + If the SSL backend is Schannel and the user specifies an Schannel CALG_ + that is not supported by the protocol or the server then curl returns + CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH. + + Fixes https://github.com/curl/curl/issues/3389 + Closes https://github.com/curl/curl/pull/4106 -Marcel Raad (23 May 2019) -- [Zenju brought this change] +- [Daniel Gustafsson brought this change] - config-win32: add support for if_nametoindex and getsockname + nss: inspect returnvalue of token check + + PK11_IsPresent() checks for the token for the given slot is available, + and sets needlogin flags for the PK11_Authenticate() call. Should it + return false, we should however treat it as an error and bail out. - Closes https://github.com/curl/curl/pull/3923 + Closes https://github.com/curl/curl/pull/4110 -Jay Satiro (23 May 2019) -- tests: Fix the line endings for the SASL alt-auth tests +- docs: Explain behavior change in --tlsv1. options since 7.54 - - Change data and protocol sections to CRLF line endings. + Since 7.54 --tlsv1. options use the specified version or later, however + older versions of curl documented it as using just the specified version + which may or may not have happened depending on the TLS library. + Document this discrepancy to allay confusion for users familiar with the + old documentation that expect just the specified version. - Prior to this change the tests would fail or hang, which is because - certain sections such as protocol require CRLF line endings. + Fixes https://github.com/curl/curl/issues/4097 + Closes https://github.com/curl/curl/pull/4119 + +- libcurl: Restrict redirect schemes (follow-up) - Follow-up to a9499ff from today which added the tests. + - Allow FTPS on redirect. 
- Ref: https://github.com/curl/curl/pull/3790 - -Daniel Stenberg (23 May 2019) -- url: fix bad #ifdef + - Update default allowed redirect protocols in documentation. + + Follow-up to 6080ea0. - Regression since e91e48161235272ff485. + Ref: https://github.com/curl/curl/pull/4094 - Reported-by: Tom Greenslade - Fixes #3924 - Closes #3925 + Closes https://github.com/curl/curl/pull/4115 -- Revert "progress: CURL_DISABLE_PROGRESS_METER" +Daniel Stenberg (16 Jul 2019) +- test1173: make it also check all libcurl option man pages - This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. + ... and adjust those that cause errors - Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + - CURLOPT_LOW_SPEED_TIME + Closes #4116 + +- curl: only accept COLUMNS less than 10000 - Reported-by: Dave Reisner + ... as larger values would rather indicate something silly (and could + potentially cause buffer problems). - Fixes #3927 - Closes #3928 - -Steve Holme (22 May 2019) -- examples: Added SASL PLAIN authorisation identity (authzid) examples - -- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool + Reported-by: pendrek at hackerone + Closes #4114 -- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID - - Added the ability for the calling program to specify the authorisation - identity (authzid), the identity to act as, in addition to the - authentication identity (authcid) and password when using SASL PLAIN - authentication. +- dist: add manpage-syntax.pl - Fixed #3653 - Closes #3790 + follow-up to 7fb66c403 -Marc Hoersken (22 May 2019) -- tests: add support to test against OpenSSH for Windows +- test1173: detect some basic man page format mistakes + + Triggered by PR #4111 - Testing against OpenSSH for Windows requires v7.7.0.0 or newer - due to the use of AllowUsers and DenyUsers. 
For more info see: - https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config + Closes #4113 -Daniel Stenberg (22 May 2019) -- bump: start on the next release +Jay Satiro (15 Jul 2019) +- [Bjarni Ingi Gislason brought this change] -Marcel Raad (22 May 2019) -- examples: fix "clarify calculation precedence" warnings + docs: Fix missing lines caused by undefined macros - Closes https://github.com/curl/curl/pull/3919 - -- hiperfifo: remove unused variable + - Escape apostrophes at line start. - Closes https://github.com/curl/curl/pull/3919 - -- examples: remove dead variable stores + Some lines begin with a "'" (apostrophe, single quote), which is then + interpreted as a control character in *roff. - Closes https://github.com/curl/curl/pull/3919 - -- examples: reduce variable scopes + Such lines are interpreted as being a call to a macro, and if + undefined, the lines are removed from the output. + + Bug: https://bugs.debian.org/926352 + Signed-off-by: Bjarni Ingi Gislason - Closes https://github.com/curl/curl/pull/3919 + Submitted-by: Alessandro Ghedini + + Closes https://github.com/curl/curl/pull/4111 -- http2-download: fix format specifier +Daniel Stenberg (14 Jul 2019) +- libcurl-security.3: update to new CURLOPT_REDIR_PROTOCOLS defaults - Closes https://github.com/curl/curl/pull/3919 + follow-up to 6080ea098 + +- [Linos Giannopoulos brought this change] -Daniel Stenberg (22 May 2019) -- PolarSSL: deprecate support step 1. Removed from configure. + libcurl: Add testcase for gopher redirects - Also removed mentions from most docs. + The testcase ensures that redirects to CURLPROTO_GOPHER won't be + allowed, by default, in the future. Also, curl is being used + for convenience while keeping the testcases DRY. - Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html + The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is + redirected to CURLPROTO_GOPHER - Closes #3888 + 
Signed-off-by: Linos Giannopoulos + +- [Linos Giannopoulos brought this change] -- configure/cmake: check for if_nametoindex() + libcurl: Restrict redirect schemes - - adds the check to cmake + All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS + counterpart were allowed for redirect. This vastly broadens the + exploitation surface in case of a vulnerability such as SSRF [1], where + libcurl-based clients are forced to make requests to arbitrary hosts. - - fixes the configure check to work for cross-compiled windows builds + For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based + protocol by URL-encoding a payload in the URI. Gopher will open a TCP + connection and send the payload. - Closes #3917 - -- parse_proxy: use the IPv6 zone id if given + Only HTTP/HTTPS and FTP are allowed. All other protocols have to be + explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. - If the proxy string is given as an IPv6 numerical address with a zone - id, make sure to use that for the connect to the proxy. + [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ - Reported-by: Edmond Yu + 
Signed-off-by: Linos Giannopoulos - Fixes #3482 - Closes #3918 + Closes #4094 -Version 7.65.0 (22 May 2019) +- [Zenju brought this change] -Daniel Stenberg (22 May 2019) -- RELEASE-NOTES: 7.65.0 release + openssl: define HAVE_SSL_GET_SHUTDOWN based on version number + + Closes #4100 -- THANKS: from the 7.65.0 release-notes +- [Peter Simonyi brought this change] -- url: convert the zone id from a IPv6 URL to correct scope id + http: allow overriding timecond with custom header + + With CURLOPT_TIMECONDITION set, a header is automatically added (e.g. + If-Modified-Since). Allow this to be replaced or suppressed with + CURLOPT_HTTPHEADER. - Reported-by: GitYuanQu on github - Fixes #3902 - Closes #3914 + Fixes #4103 + Closes #4109 + +Jay Satiro (11 Jul 2019) +- [Juergen Hoetzel brought this change] -- configure: detect getsockname and getpeername on windows too + smb: Use the correct error code for access denied on file open - Made detection macros for these two functions in the same style as other - functions possibly in winsock in the hope this will work better to - detect these functions when cross-compiling for Windows. + - Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open. - Follow-up to e91e4816123 + Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead. - Fixes #3913 - Closes #3915 + Closes https://github.com/curl/curl/pull/4095 + +- [Daniel Gustafsson brought this change] -Marcel Raad (21 May 2019) -- examples: remove unused variables + DEPRECATE: fixup versions and spelling - Fixes Codacy/CppCheck warnings. + Correctly set the July 17 version to 7.65.2, and update spelling to + be consistent. Also fix a typo. 
- Closes + Closes https://github.com/curl/curl/pull/4107 + +- [Gisle Vanem brought this change] -Daniel Gustafsson (21 May 2019) -- udpateconninfo: mark variable unused + system_win32: fix clang warning - When compiling without getpeername() or getsockname(), the sockfd - paramter to Curl_udpateconninfo() became unused after commit e91e481612 - added ifdef guards. + - Declare variable in header as extern. - Closes #3910 - Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196 - Reviewed-by: Marcel Raad, Daniel Stenberg + Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597 -- ftp: move ftp_ccc in under featureflag +Daniel Gustafsson (10 Jul 2019) +- headers: Remove no longer exported functions - Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under - the FTP featureflag in the UserDefined struct, but vtls callsites were - still using it unprotected. + There were a leftover few prototypes of Curl_ functions that we used to + export but no longer do, this removes those prototypes and cleans up any + comments still referring to them. - Closes #3912 - Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 - Reviewed-by: Daniel Stenberg, Marcel Raad - -Daniel Stenberg (20 May 2019) -- curl: report error for "--no-" on non-boolean options + Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free() + Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn() + were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c. + Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3. 
- Reported-by: Olen Andoni - Fixes #3906 - Closes #3907 - -- [Guy Poizat brought this change] - - mbedtls: enable use of EC keys + For the remainder, I didn't trawl the Git logs hard enough to capture + their exact time of deletion, but they were all gone: Curl_splayprint(), + Curl_http2_send_request(), Curl_global_host_cache_dtor(), + Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(), + Curl_http_auth_stage() and Curl_close_connections(). - Closes #3892 + Closes #4096 + Reviewed-by: Daniel Stenberg -- lib1560: add tests for parsing URL with too long scheme - - Ref: #3905 +- CMake: fix typos and spelling -- [Omar Ramadan brought this change] +- [Kyle Edwards brought this change] - urlapi: increase supported scheme length to 40 bytes + CMake: Convert errant elseif() to else() - The longest currently registered URI scheme at IANA is 36 bytes long. + CMake interprets an elseif() with no arguments as elseif(FALSE), + resulting in the elseif() block not being executed. That is not what + was intended here. Change the empty elseif() to an else() as it was + intended. - Closes #3905 - Closes #3900 + Closes #4101 + Reported-by: Artalus + Reviewed-by: Daniel Gustafsson -Marcel Raad (20 May 2019) -- lib: reduce variable scopes +- buildconf: fix header filename - Fixes Codacy/CppCheck warnings. + The header file inclusion had a typo, it should be .h and not .hd. + Fix by renaming. - Closes https://github.com/curl/curl/pull/3872 + Fixes #4102 + Reported-by: AceCrow on Github -- tool_formparse: remove redundant assignment - - Just initialize word_begin with the correct value. - - Closes https://github.com/curl/curl/pull/3873 +- [Jan Chren brought this change] -- ssh: move variable declaration to where it's used + configure: fix --disable-code-coverage - This way, we need only one call to free. + This fixes the case when --disable-code-coverage supplied to ./configure + would result in coverage="yes" being set. 
- Closes https://github.com/curl/curl/pull/3873 + Closes #4099 + Reviewed-by: Daniel Gustafsson -- ssh-libssh: remove unused variable - - sock was only used to be assigned to fd_read. - - Closes https://github.com/curl/curl/pull/3873 +- cleanup: fix typo in comment -Daniel Stenberg (20 May 2019) -- test332: verify the blksize fix +- RELEASE-NOTES: synced -- tftp: use the current blksize for recvfrom() - - bug: https://curl.haxx.se/docs/CVE-2019-5436.html - Reported-by: l00p3r on hackerone - CVE-2019-5436 +Jay Satiro (6 Jul 2019) +- [Daniel Gustafsson brought this change] -Daniel Gustafsson (19 May 2019) -- version: make ssl_version buffer match for multi_ssl + nss: support using libnss on macOS - When running a multi TLS backend build the version string needs more - buffer space. Make the internal ssl_buffer stack buffer match the one - in Curl_multissl_version() to allow for the longer string. For single - TLS backend builds there is no use in extended to buffer. This is a - fallout from #3863 which fixes up the multi_ssl string generation to - avoid a buffer overflow when the buffer is too small. + The file suffix for dynamically loadable objects on macOS is .dylib, + which need to be added for the module definitions in order to get the + NSS TLS backend to work properly on macOS. - Closes #3875 - Reviewed-by: Daniel Stenberg + Closes https://github.com/curl/curl/pull/4046 -Steve Holme (18 May 2019) -- http_ntlm_wb: Handle auth for only a single request - - Currently when the server responds with 401 on NTLM authenticated - connection (re-used) we consider it to have failed. However this is - legitimate and may happen when for example IIS is set configured to - 'authPersistSingleRequest' or when the request goes thru a proxy (with - 'via' header). 
+- [Daniel Gustafsson brought this change] + + nss: don't set unused parameter - Implemented by imploying an additional state once a connection is - re-used to indicate that if we receive 401 we need to restart - authentication. + The value of the maxPTDs parameter to PR_Init() has since at least + NSPR 2.1, which was released sometime in 1998, been marked ignored + as is accordingly not used in the initialization code. Setting it + to a value when calling PR_Init() is thus benign, but indicates an + intent which may be misleading. Reset the value to zero to improve + clarity. - Missed in fe6049f0. + Closes https://github.com/curl/curl/pull/4054 -- http_ntlm_wb: Cleanup handshake after clean NTLM failure - - Missed in 50b87c4e. +- [Daniel Gustafsson brought this change] -- http_ntlm_wb: Return the correct error on receiving an empty auth message - - Missed in fe20826b as it wasn't implemented in http.c in b4d6db83. + nss: only cache valid CRL entries - Closes #3894 - -Daniel Stenberg (18 May 2019) -- curl: make code work with protocol-disabled libcurl + Change the logic around such that we only keep CRLs that NSS actually + ended up caching around for later deletion. If CERT_CacheCRL() fails + then there is little point in delaying the freeing of the CRL as it + is not used. - Closes #3844 - -- libcurl: #ifdef away more code for disabled features/protocols - -- progress: CURL_DISABLE_PROGRESS_METER - -- hostip: CURL_DISABLE_SHUFFLE_DNS + Closes https://github.com/curl/curl/pull/4053 -- netrc: CURL_DISABLE_NETRC +- [Gergely Nagy brought this change] -Viktor Szakats (16 May 2019) -- docs: Markdown and misc improvements [ci skip] + lib: Use UTF-8 encoding in comments - Approved-by: Daniel Stenberg - Closes #3896 - -- docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip] + Some editors and IDEs assume that source files use UTF-8 file encodings. 
+ It also fixes the build with MSVC when /utf-8 command line option is + used (this option is mandatory for some other open-source projects, this + is useful when using the same options is desired for building all + libraries of a project). - Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135 - Approved-by: Daniel Stenberg - Closes #3895 + Closes https://github.com/curl/curl/pull/4087 -Daniel Stenberg (16 May 2019) -- travis: add an osx http-only build - - Closes #3887 +- [Caleb Raitto brought this change] -- cleanup: remove FIXME and TODO comments + CURLOPT_HEADEROPT.3: Fix example - They serve very little purpose and mostly just add noise. Most of them - have been around for a very long time. I read them all before removing - or rephrasing them. + Fix an issue where example builds a curl_slist, but fails to actually + use it, or free it. - Ref: #3876 - Closes #3883 + Closes https://github.com/curl/curl/pull/4090 + +- [Shankar Jadhavar brought this change] -- curl: don't set FTP options for FTP-disabled builds + winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG - ... since libcurl has started to be totally unaware of options for - disabled protocols they now return error. + - Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored. - Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937 + - Also removed some ^M chars from file. - Reported-by: Marcel Raad - Closes #3886 + Prior to this change while building on Windows platform even if we pass + the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does + not set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag. 
+ + Closes https://github.com/curl/curl/pull/4086 + +Daniel Stenberg (4 Jul 2019) +- doh-url.d: added in 7.62.0 -Steve Holme (16 May 2019) -- http_ntlm_wb: Move the type-2 message processing into a dedicated function +Jay Satiro (30 Jun 2019) +- docs: Fix links to OpenSSL docs - This brings the code inline with the other HTTP authentication mechanisms. + OpenSSL changed their manual locations and does not redirect to the new + locations. - Closes #3890 - -Daniel Stenberg (15 May 2019) -- RELEASE-NOTES: synced + Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html + Reported-by: Daniel Stenberg -- docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip] +Daniel Stenberg (26 Jun 2019) +- [Gaël PORTAY brought this change] -- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip] + curl_multi_wait.3: escape backslash in example - Reported-by: Roy Bellingan - Bug: #3885 - -- parse_proxy: use the URL parser API + The backslash in the character Line Feed must be escaped. - As we treat a given proxy as a URL we should use the unified URL parser - to extract the parts out of it. + The current man-page outputs the code as following: - Closes #3878 - -Steve Holme (15 May 2019) -- http_negotiate: Move the Negotiate state out of the negotiatedata structure + fprintf(stderr, "curl_multi failed, code %d.0, mc); - Given that this member variable is not used by the SASL based protocols - there is no need to have it here. + The commit fixes it as follow: - Closes #3882 - -- http_ntlm: Move the NTLM state out of the ntlmdata structure + fprintf(stderr, "curl_multi failed, code %d\n", mc); - Given that this member variable is not used by the SASL based protocols - there is no need to have it here. 
- -- url: Move the negotiate state type into a dedicated enum + Closes #4079 -- url: Remove duplicate clean up of the winbind variables in conn_shutdown() +- openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined - Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior - to calling conn_shutdown() and it in turn performs this, there is no - need to perform the same action in conn_shutdown(). + ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is + built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for + UWP (with "VC-WIN32-UWP"). - Closes #3881 + Reported-by: Vasily Lobaskin + Fixes #4073 + Closes #4077 -Daniel Stenberg (14 May 2019) -- urlapi: require a non-zero host name length when parsing URL +- test1521: adapt to SLISTPOINT - Updated test 1560 to verify. + The header now has the slist-using options marked as SLISTPOINT so this + makes sure test 1521 understands that. - Closes #3880 - -- configure: error out if OpenSSL wasn't detected when asked for + Follow-up to ae99b4de1c443ae989 - If --with-ssl is used and configure still couldn't enable SSL this - creates an error instead of just silently ignoring the fact. + Closes #4074 + +- win32: make DLL loading a no-op for UWP - Suggested-by: Isaiah Norton - Fixes #3824 - Closes #3830 + Reported-by: Michael Brehm + Fixes #4060 + Closes #4072 -Daniel Gustafsson (14 May 2019) -- imap: Fix typo in comment +- [1ocalhost brought this change] -Steve Holme (14 May 2019) -- url: Remove unnecessary initialisation from allocate_conn() - - No need to set variables to zero as calloc() does this for us. 
+ configure: fix typo '--disable-http-uath' - Closes #3879 + Closes #4076 -Daniel Stenberg (14 May 2019) -- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip] - - Clues-provided-by: Jay Satiro - Clues-provided-by: Jeroen Ooms - Fixes #3711 - Closes #3874 +- [Niklas Hambüchen brought this change] -Daniel Gustafsson (13 May 2019) -- vtls: fix potential ssl_buffer stack overflow + docs: fix string suggesting HTTP/2 is not the default + + Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the + man page that new default is mentioned, but the section at the top + contradicted it until now. - In Curl_multissl_version() it was possible to overflow the passed in - buffer if the generated version string exceeded the size of the buffer. - Fix by inverting the logic, and also make sure to not exceed the local - buffer during the string generation. + Also remove claim that setting the HTTP version is not sensible. - Closes #3863 - Reported-by: nevv on HackerOne/curl - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg + Closes #4075 -Daniel Stenberg (13 May 2019) - RELEASE-NOTES: synced -- appveyor: also build "/ci" branches like travis - -- pingpong: disable more when no pingpong enabled - -- proxy: acknowledge DISABLE_PROXY more - -- parsedate: CURL_DISABLE_PARSEDATE - -- sasl: only enable if there's a protocol enabled using it - -- mime: acknowledge CURL_DISABLE_MIME - -- wildcard: disable from build when FTP isn't present - -- http: CURL_DISABLE_HTTP_AUTH - -- base64: build conditionally if there are users - -- doh: CURL_DISABLE_DOH +- [Stephan Szabo brought this change] -Steve Holme (12 May 2019) -- auth: Rename the various authentication clean up functions + tests: update fixed IP for hostip/clientip split - For consistency and to a avoid confusion. + These tests give differences for me on linux when using a hostip + pointing to the external ip address for the local machine. 
- Closes #3869 - -Daniel Stenberg (12 May 2019) -- [Jay Satiro brought this change] + Closes #4070 - docs/INSTALL: fix broken link [ci skip] +Daniel Gustafsson (24 Jun 2019) +- http: clarify header buffer size calculation - Reported-by: Joombalaya on github - Fixes #3818 - -Marcel Raad (12 May 2019) -- easy: fix another "clarify calculation precedence" warning + The header buffer size calculation can from static analysis seem to + overlow as it performs an addition between two size_t variables and + stores the result in a size_t variable. Overflow is however guarded + against elsewhere since the input to the addition is regulated by + the maximum read buffer size. Clarify this with a comment since the + question was asked. - I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be. + Reviewed-by: Daniel Stenberg -- build: fix "clarify calculation precedence" warnings - - Codacy/CppCheck warns about this. Consistently use parentheses as we - already do in some places to silence the warning. +Daniel Stenberg (24 Jun 2019) +- KNOWN_BUGS: Don't clear digest for single realm - Closes https://github.com/curl/curl/pull/3866 + Closes #3267 -- cmake: restore C89 compatibility of CurlTests.c - - I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and - 97de97daefc2ed084c91eff34af2426f2e55e134. +- KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname - Reported-by: Viktor Szakats - Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044 - Closes https://github.com/curl/curl/pull/3868 + Closes #3284 -Steve Holme (11 May 2019) -- http_ntlm: Corrected the name of the include guard +- http2: call done_sending on end of upload - Missed in f0bdd72c. + To make sure a HTTP/2 stream registers the end of stream. - Closes #3867 - -- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled + Bug #4043 made me find this problem but this fix doesn't correct the + reported issue. 
- Closes #3861 - -- http_negotiate: Don't expose functions when HTTP is disabled - -Daniel Stenberg (11 May 2019) -- SECURITY-PROCESS: fix links [ci skip] + Closes #4068 -Marcel Raad (11 May 2019) -- CMake: suppress unused variable warnings - - I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e. +- [James Brown brought this change] -Daniel Stenberg (11 May 2019) -- doh: disable DOH for the cases it doesn't work - - Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for - DOH resolves. This fix disables DOH for those. + c-ares: honor port numbers in CURLOPT_DNS_SERVERS - Limitation added to KNOWN_BUGS. + By using ares_set_servers_ports_csv on new enough c-ares. - Fixes #3850 - Closes #3857 + Fixes #4066 + Closes #4067 -Jay Satiro (11 May 2019) -- checksrc.bat: Ignore snprintf warnings in docs/examples - - .. because we allow snprintf use in docs/examples. - - Closes https://github.com/curl/curl/pull/3862 +Daniel Gustafsson (24 Jun 2019) +- CURLMOPT_SOCKETFUNCTION.3: fix typo -Steve Holme (10 May 2019) -- vauth: Fix incorrect function description for Curl_auth_user_contains_domain() - - ...and misalignment of these comments. From a78c61a4. - - Closes #3860 +Daniel Stenberg (24 Jun 2019) +- [Koen Dergent brought this change] -Jay Satiro (10 May 2019) -- Revert "multi: support verbose conncache closure handle" - - This reverts commit b0972bc. - - - No longer show verbose output for the conncache closure handle. - - The offending commit was added so that the conncache closure handle - would inherit verbose mode from the user's easy handle. (Note there is - no way for the user to set options for the closure handle which is why - that was necessary.) Other debug settings such as the debug function - were not also inherited since we determined that could lead to crashes - if the user's per-handle private data was used on an unexpected handle. 
- - The reporter here says he has a debug function to capture the verbose - output, and does not expect or want any output to stderr; however - because the conncache closure handle does not inherit the debug function - the verbose output for that handle does go to stderr. - - There are other plausible scenarios as well such as the user redirects - stderr on their handle, which is also not inherited since it could lead - to crashes when used on an unexpected handle. - - Short of allowing the user to set options for the conncache closure - handle I don't think there's much we can safely do except no longer - inherit the verbose setting. - - Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html - Reported-by: Kristoffer Gleditsch - - Ref: https://github.com/curl/curl/pull/3598 - Ref: https://github.com/curl/curl/pull/3618 + curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds - Closes https://github.com/curl/curl/pull/3856 + Closes #4061 -Steve Holme (10 May 2019) -- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup() - - From 6012fa5a. +- test153: fix content-length to avoid occasional hang - Closes #3858 - -Daniel Stenberg (9 May 2019) -- BUG-BOUNTY: minor formatting fixes [ci skip] + Closes #4065 - RELEASE-NOTES: synced -- BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip] +- multi: enable multiplexing by default (again) - Closes #3839 - -Kamil Dudka (9 May 2019) -- http_negotiate: do not treat failure of gss_init_sec_context() as fatal + It was originally made default in d7c4213bd0c (7.62.0) but mistakenly + reverted in commit 2f44e94efb3d (7.65.0). Now enabled again. 
- Fixes #3726 - Closes #3849 + Closes #4051 -- spnego_gssapi: fix return code on gss_init_sec_context() failure +- typecheck: add 3 missing strings and a callback data pointer - Fixes #3726 - Closes #3849 + Closes #4050 -Steve Holme (9 May 2019) -- gen_resp_file.bat: Removed unnecessary @ from all but the first command +- tests: add disable-scan.pl to dist - There is need to use @ on every command once echo has been turned off. + follow-up from 29177f422a5 - Closes #3854 + Closes #4059 -Jay Satiro (8 May 2019) -- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies - - - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to - the destination host. - - We already do something similar for HTTPS proxies by not sending h2. [1] +- http2: don't call stream-close on already closed streams - Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would - incorrectly use HTTP/2 to talk to the proxy, which is not something we - support (yet?). Also it's debatable whether or not that setting should - apply to HTTP/2 proxies. + Closes #4055 + +Marcel Raad (20 Jun 2019) +- travis: enable alt-svc for coverage build - [1]: https://github.com/curl/curl/commit/17c5d05 + Closes + +- travis: enable libssh2 for coverage build - Bug: https://github.com/curl/curl/issues/3570 - Bug: https://github.com/curl/curl/issues/3832 + It was enabled by default before commit c92d2e14cfb. - Closes https://github.com/curl/curl/pull/3853 - -Marcel Raad (8 May 2019) -- travis: update mesalink build to xenial + Disable torture tests 600 and 601 because of + https://github.com/curl/curl/issues/1678. - Closes https://github.com/curl/curl/pull/3842 - -Daniel Stenberg (8 May 2019) -- [Ricky Leverence brought this change] + Closes - OpenSSL: Report -fips in version if OpenSSL is built with FIPS +- travis: disable threaded resolver for coverage build - Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS - define. 
It uses this define to determine whether to publish -fips at - the end of the version displayed. Applications that utilize the version - reported by OpenSSL will see a mismatch if they compare it to what curl - reports, as curl is not modifying the version in the same way. This - change simply adds a check to see if OPENSSL_FIPS is defined, and will - alter the reported version to match what OpenSSL itself provides. This - only appears to be applicable in versions of OpenSSL <1.1.1 + This enables more tests. - Closes #3771 - -Kamil Dudka (7 May 2019) -- [Frank Gevaerts brought this change] + Closes - nss: allow fifos and character devices for certificates. - - Currently you can do things like --cert <(cat ./cert.crt) with (at least) the - openssl backend, but that doesn't work for nss because is_file rejects fifos. +- travis: enable brotli for all xenial jobs - I don't actually know if this is sufficient, nss might do things internally - (like seeking back) that make this not work, so actual testing is needed. + There's no need for a separate job, and no need to build it from source + with Xenial. - Closes #3807 - -Daniel Gustafsson (6 May 2019) -- test2100: Fix typos in test description + Closes -Daniel Stenberg (6 May 2019) -- ssh: define USE_SSH if SSH is enabled (any backend) +- travis: enable warnings-as-errors for coverage build - Closes #3846 + Closes -Steve Holme (5 May 2019) -- winbuild: Add our standard copyright header to the winbuild batch files +GitHub (20 Jun 2019) +- [Gisle Vanem brought this change] -- makedebug: Fix ERRORLEVEL detection after running where.exe - - Closes #3838 + system_win32: fix typo -Daniel Stenberg (5 May 2019) -- urlapi: add CURLUPART_ZONEID to set and get - - The zoneid can be used with IPv6 numerical addresses. +Daniel Stenberg (20 Jun 2019) +- typecheck: CURLOPT_CONNECT_TO takes an slist too - Updated test 1560 to verify. 
+ Additionally, add an alias in curl.h for slist-using options so that + we can grep/parse those out at will. - Closes #3834 + Closes #4042 -- [Taiyu Len brought this change] +- [Stephan Szabo brought this change] - WRITEFUNCTION: add missing set_in_callback around callback + tests: support non-localhost HOSTIP for dict/smb servers + + smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for + binding the server which when we were running the tests with a separate + HOSTIP and CLIENTIP had failures verifying the server from the device we + were testing. - Closes #3837 + This changes them to take the address from runtests.py and default to + localhost/127.0.0.1 if none is given. + + Closes #4048 -- RELEASE-NOTES: synced +- test1523: basic test of CURLOPT_LOW_SPEED_LIMIT -- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip] +- configure: --disable-progress-meter - Reported-by: Ricardo Gomes + Builds libcurl without support for the built-in progress meter. - Bug: #3537 - Closes #3836 + Closes #4023 -- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value +- curl: improved skip-setopt-options when built with disabled features - The time field in the curl_fileinfo struct will always be zero. No code - was ever implemented to actually convert the date string to a time_t. + Reduces #ifdefs in src/tool_operate.c - Fixes #3829 - Closes #3835 - -- OS400/ccsidcurl.c: code style fixes + Follow-up from 4e86f2fc4e6 + Closes #3936 -- OS400/ccsidcurl: replace use of Curl_vsetopt +Steve Holme (18 Jun 2019) +- netrc: Return the correct error code when out of memory - (and make the code style comply) + Introduced in 763c5178. - Fixes #3833 + Closes #4036 + +Daniel Stenberg (18 Jun 2019) +- config-os400: add getpeername and getsockname defines + + Reported-by: jonrumsey on github + Fixes #4037 + Closes #4039 -- urlapi: strip off scope id from numerical IPv6 addresses +- runtests: keep logfiles around by default - ... 
to make the host name "usable". Store the scope id and put it back - when extracting a URL out of it. + Make '-k' a no-op. The singletest function now clears the log directory + BEFORE each individual test and not after, which makes it possible to + always keep the logfiles around after a test has been run. No need to + specify -k anymore. Keeping the option parsing around to work with users + of old habits. - Also makes curl_url_set() syntax check CURLUPART_HOST. + Some tests also didn't work properly when -k was used (since the old + logs would be kep when a new test starts) which this change also fixes. - Fixes #3817 - Closes #3822 + Closes #4035 -- RELEASE-NOTES: synced +- [Gergely Nagy brought this change] -- multiif.h: remove unused protos + openssl: fix pubkey/signature algorithm detection in certinfo - ... for functions related to pipelining. Those functions were removed in - 2f44e94efb3df. + Certinfo gives the same result for all OpenSSL versions. + Also made printing RSA pubkeys consistent with older versions. - Closes #3828 - -- [Yiming Jing brought this change] + Reported-by: Michael Wallner + Fixes #3706 + Closes #4030 - travis: mesalink: temporarily disable test 3001 +- conn_maxage: move the check to prune_dead_connections() - ... due to SHA-1 signatures in test certs - -- [Yiming Jing brought this change] - - travis: upgrade the MesaLink TLS backend to v1.0.0 + ... and avoid the locking issue. - Closes #3823 - Closes #3776 + Reported-by: Kunal Ekawde + Fixes #4029 + Closes #4032 -- ConnectionExists: improve non-multiplexing use case +- tests: have runtests figure out disabled features - - better log output + ... so that runtests can skip individual test cases that test features + that are explicitly disabled in this build. This new logic is intended + for disabled features that aren't otherwise easily visible through the + curl_version_info() or other API calls. 
- - make sure multiplex is enabled for it to be used - -- multi: provide Curl_multiuse_state to update information + tests/server/disabled is a newly built executable that will output a + list of disabled features. Outputs nothing for a default build. - As soon as a TLS backend gets ALPN conformation about the specific HTTP - version it can now set the multiplex situation for the "bundle" and - trigger moving potentially queued up transfers to the CONNECT state. + Closes #3950 -- process_pending_handles: mark queued transfers as previously pending +- test188/189: fix Content-Length + + This cures the flaky test results - With transfers being queued up, we only move one at a a time back to the - CONNECT state but now we mark moved transfers so that when a moved - transfer is confirmed "successful" (it connected) it will trigger the - move of another pending transfer. Previously, it would otherwise wait - until the transfer was done before doing this. This makes queued up - pending transfers get processed (much) faster. + Closes #4034 + +- [Thomas Gamper brought this change] -- http: mark bundle as not for multiuse on < HTTP/2 response + winbuild: use WITH_PREFIX if given - Fixes #3813 - Closes #3815 + Closes #4031 -Daniel Gustafsson (1 May 2019) -- cookie: Guard against possible NULL ptr deref +Daniel Gustafsson (17 Jun 2019) +- openssl: remove outdated comment - In case the name pointer isn't set (due to memory pressure most likely) - we need to skip the prefix matching and reject with a badcookie to avoid - a possible NULL pointer dereference. + OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), + which is why we switched to CONF_modules_load_file() and introduced + a comment stating why. This behavior was however changed in OpenSSL + commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now + outdated and incorrect comment. The mentioned commit also declares + OPENSSL_config() deprecated so keep the current coding. 
- Closes #3820 #3821 - Reported-by: Jonathan Moerman + Closes #4033 Reviewed-by: Daniel Stenberg -Patrick Monnerat (30 Apr 2019) -- os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings +Daniel Stenberg (16 Jun 2019) +- RELEASE-NOTES: synced -Kamil Dudka (29 Apr 2019) -- nss: provide more specific error messages on failed init +Patrick Monnerat (16 Jun 2019) +- os400: make vsetopt() non-static as Curl_vsetopt() for os400 support. - Closes #3808 - -Daniel Stenberg (29 Apr 2019) -- [Reed Loden brought this change] - - docs: minor polish to the bug bounty / security docs + Use it in curl_easy_setopt_ccsid(). - Closes #3811 + Reported-by: jonrumsey on github + Fixes #3833 + Closes #4028 -- CURL_MAX_INPUT_LENGTH: largest acceptable string input size - - This limits all accepted input strings passed to libcurl to be less than - CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: - curl_easy_setopt() and curl_url_set(). +Daniel Stenberg (15 Jun 2019) +- runtests: report single test time + total duration - The 8000000 number is arbitrary picked and is meant to detect mistakes - or abuse, not to limit actual practical use cases. By limiting the - acceptable string lengths we also reduce the risk of integer overflows - all over. + ... after each successful test. - NOTE: This does not apply to `CURLOPT_POSTFIELDS`. + Closes #4027 + +- multi: fix the transfer hash function - Test 1559 verifies. + Follow-up from 8b987cc7eb - Closes #3805 - -- [Tseng Jun brought this change] + Reported-by: Tom van der Woerdt + Fixes #4018 + Closes #4024 - curlver.h: use parenthesis in CURL_VERSION_BITS macro +- unit1654: cleanup on memory failure - Closes #3809 - -Marcel Raad (27 Apr 2019) -- [Simon Warta brought this change] - - cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP + ... to make it handle torture tests properly. 
- Closes https://github.com/curl/curl/pull/3769 - -Steve Holme (23 Apr 2019) -- ntlm: Missed pre-processor || (or) during rebase for cd15acd0 + Reported-by: Marcel Raad + Fixes #4021 + Closes #4022 -- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 +Marcel Raad (13 Jun 2019) +- krb5: fix compiler warning - Just like we do for mbed TLS, use our local implementation of MD4 when - OpenSSL doesn't support it. This allows a type-3 message to include the - NT response. - -Daniel Gustafsson (23 Apr 2019) -- INTERNALS: fix misindentation of ToC item + Even though the variable was used in a DEBUGASSERT, GCC 8 warned in + debug mode: + krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable] + + Just suppress the warning and declare the variable unconditionally + instead of only for DEBUGBUILD (which also missed the check for + HAVE_ASSERT_H). - Kerberos was incorrectly indented as a subsection under FTP, which is - incorrect as they are both top level sections. A fix for this was first - attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that - was a few paddles short of being complete. + Closes https://github.com/curl/curl/pull/4020 -- [Aron Bergman brought this change] +Daniel Stenberg (13 Jun 2019) +- quote.d: asterisk prefix works for SFTP as well + + Reported-by: Ben Voris + Fixes #4017 + Closes #4019 - INTERNALS: Add structs to ToC +- multi: fix the transfer hashes in the socket hash entries - Add the subsections under "Structs in libcurl" to the table of contents. + - The transfer hashes weren't using the correct keys so removing entries + failed. - Reviewed-by: Daniel Stenberg - Reviewed-by: Daniel Gustafsson + - Simplified the iteration logic over transfers sharing the same socket and + they now simply are set to expire and thus get handled in the "regular" + timer loop instead. 
+ + Reported-by: Tom van der Woerdt + Fixes #4012 + Closes #4014 -- [Aron Bergman brought this change] +Jay Satiro (12 Jun 2019) +- [Cliff Crosland brought this change] - INTERNALS: Add code highlighting + url: Fix CURLOPT_MAXAGE_CONN time comparison - Make all struct members under the Curl_handler section - print in monospace font. + Old connections are meant to expire from the connection cache after + CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x + that value. This occurs because a time value measured in milliseconds is + accidentally divided by 1M instead of by 1,000. - Closes #3801 - Reviewed-by: Daniel Stenberg - Reviewed-by: Daniel Gustafsson + Closes https://github.com/curl/curl/pull/4013 -Daniel Stenberg (22 Apr 2019) -- docs/BUG-BOUNTY: bug bounty time [skip ci] - - Introducing the curl bug bounty program on hackerone. We now recommend - filing security issues directly in the hackerone ticket system which - only is readable to curl security team members. - - Assisted-by: Daniel Gustafsson +Daniel Stenberg (11 Jun 2019) +- test1165: verify that CURL_DISABLE_ symbols are in sync - Closes #3488 + between configure.ac and source code. They should be possible to switch + on/off in configure AND be used in source code. -Steve Holme (22 Apr 2019) -- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 +- configure: remove CURL_DISABLE_TLS_SRP - RFC 4616 specifies the authzid is optional in the client authentication - message and that the server will derive the authorisation identity - (authzid) from the authentication identity (authcid) when not specified - by the client. - -Jay Satiro (22 Apr 2019) -- [Gisle Vanem brought this change] + It isn't used by code so stop providing the define. + + Closes #4010 - memdebug: fix variable name +- Revert "cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified" - Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. 
+ This reverts commit 36738caeb78603ce24e3ea089a167b8c216fb938. - Ref: https://github.com/curl/curl/commit/76b6348#r33259088 + Apparently several of the appveyor windows builds broke. -Steve Holme (21 Apr 2019) -- vauth/cleartext: Don't send the authzid if it is empty - - Follow up to 762a292f. +- [sergey-raevskiy brought this change] -Daniel Stenberg (21 Apr 2019) -- test 196,197,198: add 'retry' keyword [skip ci] + cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified + + Reviewed-by: Jakub Zakrzewski + Closes #3770 - RELEASE-NOTES: synced -- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse - - ... and disconnect too old ones instead of trying to reuse. - - Default max age is set to 118 seconds. +- http2: remove CURL_DISABLE_TYPECHECK define - Ref: #3722 - Closes #3782 - -Daniel Gustafsson (20 Apr 2019) -- [Po-Chuan Hsieh brought this change] + ... in http2-less builds as it served no use. - altsvc: Fix building with cookies disables +- configure: more --disable switches to toggle off individual features - ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if - check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is - disabled. Fix by splitting out the function into a separate file which can - be included where needed. + ... actual support in the code for disabling these has already landed. - Closes #3717 - Reviewed-by: Daniel Gustafsson - Reviewed-by: Marcel Raad - -Daniel Stenberg (20 Apr 2019) -- test1002: correct the name [skip ci] + Closes #4009 -- test660: verify CONNECT_ONLY with IMAP +- wolfssl: fix key pinning build error - which basically just makes sure LOGOUT is *not* issued on disconnect + follow-up from deb9462ff2de8 -- Curl_disconnect: treat all CONNECT_ONLY connections as "dead" - - Since the connection has been used by the "outside" we don't know the - state of it anymore and curl should not use it anymore. 
+- CURLMOPT_SOCKETFUNCTION.3: clarified - Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html + Moved away the callback explanation from curl_multi_socket_action.3 and + expanded it somewhat. - Closes #3795 + Closes #4006 -- multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) +- wolfssl: fixup for SNI use - The list of names must be in sync with the defined states in the header - file! - -Steve Holme (16 Apr 2019) -- openvms: Remove pre-processors for Windows as VMS cannot support them - -- openvms: Remove pre-processor for SecureTransport as VMS cannot support it + follow-up from deb9462ff2de8 - Fixes #3768 - Closes #3785 - -Jay Satiro (16 Apr 2019) -- TODO: Add issue link to an existing entry - -Daniel Stenberg (16 Apr 2019) -- RELEASE-NOTES: synced + Closes #4007 -Jay Satiro (16 Apr 2019) -- tool_help: Warn if curl and libcurl versions do not match - - .. because functionality may be affected if the versions differ. +- CURLOPT_CAINFO.3: polished wording - This commit implements TODO 18.7 "warning if curl version is not in sync - with libcurl version". + Clarify the functionality when built to use Schannel and Secure + Transport and stop calling it the "recommended" or "preferred" way and + instead rather call it the default. - Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033 + Removed the reference to the ssl comparison table as it isn't necessary. - Closes https://github.com/curl/curl/pull/3774 - -Steve Holme (16 Apr 2019) -- md5: Update the function signature following d84da52d + Reported-by: Richard Alcock + Bug: https://curl.haxx.se/mail/lib-2019-06/0019.html + Closes #4005 -- md5: Forgot to update the code alignment in d84da52d +GitHub (10 Jun 2019) +- [Daniel Stenberg brought this change] -- md5: Return CURLcode from the internally accessible functions + SECURITY.md: created - Following 28f826b3 to return CURLE_OK instead of numeric 0. + Brief security policy description for use/display on github. 
-Daniel Gustafsson (15 Apr 2019) -- tests: Run global cleanup at end of tests - - Make sure to run curl_global_cleanup() when shutting down the test - suite to release any resources allocated in the SSL setup. This is - clearly visible when running tests with PolarSSL where the thread - lock calloc() memory which isn't released when not running cleanup. - Below is an excerpt from the autobuild logs: +Daniel Gustafsson (10 Jun 2019) +- tool_cb_prg: Fix integer overflow in progress bar - ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2 - ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752) - ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205) - ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup - (polarssl_threadlock.c:54) - ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865) - ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171) - ==12368== by 0x118B4C: global_init (easy.c:158) - ==12368== by 0x118BF5: curl_global_init (easy.c:221) - ==12368== by 0x118D0B: curl_easy_init (easy.c:299) - ==12368== by 0x114E96: test (lib1906.c:32) - ==12368== by 0x115495: main (first.c:174) + Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar + width calculation to avoid integer overflow, but failed to account for + the fact that initial_size is initialized to -1 when the file size is + retrieved from the remote on an upload, causing another signed integer + overflow. Fix by separately checking for this case before the width + calculation. - Closes #3783 - Reviewed-by: Marcel Raad + Closes #3984 + Reported-by: Brian Carpenter (Geeknik Labs) Reviewed-by: Daniel Stenberg -Marcel Raad (15 Apr 2019) -- travis: use mbedtls from Xenial - - No need to build it from source anymore. +Daniel Stenberg (10 Jun 2019) +- wolfssl: refer to it as wolfSSL only - Closes https://github.com/curl/curl/pull/3779 - -- travis: use libpsl from Xenial + Remove support for, references to and use of "cyaSSL" from the source + and docs. 
wolfSSL is the current name and there's no point in keeping + references to ancient history. - This makes building libpsl and libidn2 from source unnecessary and - removes the need for the autopoint and libunistring-dev packages. + Assisted-by: Daniel Gustafsson - Closes https://github.com/curl/curl/pull/3779 + Closes #3903 -Daniel Stenberg (15 Apr 2019) -- runtests: start socksd like other servers - - ... without a $srcdir prefix. Triggered by the failures in several - autobuilds. - - Closes #3781 +- RELEASE-NOTES: synced -Daniel Gustafsson (14 Apr 2019) -- socksd: Fix typos +- bindlocal: detect and avoid IP version mismatches in bind() - Reviewed-by: Daniel Stenberg + Reported-by: Alex Grebenschikov + Fixes #3993 + Closes #4002 -- socksd: Properly decorate static variables +- multi: make sure 'data' can present in several sockhash entries - Mark global variables static to avoid compiler warning in Clang when - using -Wmissing-variable-declarations. + Since more than one socket can be used by each transfer at a given time, + each sockhash entry how has its own hash table with transfers using that + socket. - Closes #3778 - Reviewed-by: Daniel Stenberg - -Steve Holme (14 Apr 2019) -- md(4|5): Fixed indentation oddities with the importation of replacement code + In addition, the sockhash entry can now be marked 'blocked = TRUE'" + which then makes the delete function just set 'removed = TRUE' instead + of removing it "for real", as a way to not rip out the carpet under the + feet of a parent function that iterates over the transfers of that same + sockhash entry. - The indentation from 211d5329 and 57d6d253 was a little strange as - parts didn't align correctly, uses 4 spaces rather than 2. Checked - the indentation of the original source so it aligns, albeit, using - curl style. 
- -- md5: Code style to return CURLE_OK rather than numeric 0 + Reported-by: Tom van der Woerdt + Fixes #3961 + Fixes #3986 + Fixes #3995 + Fixes #4004 + Closes #3997 -- md5: Corrected code style for some pointer arguments +- [Sorcus brought this change] -Marcel Raad (13 Apr 2019) -- travis: update some builds to xenial - - Xenial comes with more up-to-date software versions and more available - packages, some of which we currently build from source. Unfortunately, - some builds would fail with Xenial because of assertion failures in - Valgrind when using OpenSSL, so leave these at Trusty. + libcurl-tutorial.3: Fix small typo (mutipart -> multipart) - Closes https://github.com/curl/curl/pull/3777 + Fixed-by: MrSorcus on github + Closes #4000 -Daniel Stenberg (13 Apr 2019) -- test: make tests and test scripts use socksd for SOCKS +- unpause: trigger a timeout for event-based transfers + + ... so that timeouts or other state machine actions get going again + after a changing pause state. For example, if the last delivery was + paused there's no pending socket activity. - Make all SOCKS tests use socksd instead of ssh. + Reported-by: sstruchtrup on github + Fixes #3994 + Closes #4001 -- socksd: new SOCKS 4+5 server for tests +Marcel Raad (9 Jun 2019) +- travis: use xenial LLVM package for scan-build - Closes #3752 + I missed that in commit 99a49d6. -- singleipconnect: show port in the verbose "Trying ..." message +- travis: update scan-build job to xenial - To aid debugging better. + Closes https://github.com/curl/curl/pull/3999 -- [tmilburn brought this change] +Daniel Stenberg (8 Jun 2019) +- bump: start working on 7.65.2 - CURLOPT_ADDRESS_SCOPE: fix range check and more - - Commit 9081014 fixed most of the confusing issues between scope id and - scope however 844896d added bad limits checking assuming that the scope - is being set and not the scope id. - - I have fixed the documentation so it all refers to scope ids. 
- - In addition Curl_if2ip refered to the scope id as remote_scope_id which - is incorrect, so I renamed it to local_scope_id. +Marcel Raad (5 Jun 2019) +- examples/htmltitle: use C++ casts between pointer types - Adjusted-by: Daniel Stenberg + Compilers and static analyzers warn about using C-style casts here. - Closes #3655 - Closes #3765 - Fixes #3713 + Closes https://github.com/curl/curl/pull/3975 -- urlapi: stricter CURLUPART_PORT parsing - - Only allow well formed decimal numbers in the input. - - Document that the number MUST be between 1 and 65535. +- examples/fopen: fix comparison - Add tests to test 1560 to verify the above. + As want is size_t, (file->buffer_pos - want) is unsigned, so checking + if it's less than zero makes no sense. + Check if file->buffer_pos is less than want instead to avoid the + unsigned integer wraparound. - Ref: https://github.com/curl/curl/issues/3753 - Closes #3762 - -Jay Satiro (13 Apr 2019) -- [Jan Ehrhardt brought this change] + Closes https://github.com/curl/curl/pull/3975 - winbuild: Support MultiSSL builds - - - Remove the lines in winbuild/Makefile.vc that generate an error with - multiple SSL backends. +- build: fix Codacy warnings - - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL - backends are set. + Reduce variable scopes and remove redundant variable stores. - Closes https://github.com/curl/curl/pull/3772 + Closes https://github.com/curl/curl/pull/3975 -Daniel Stenberg (12 Apr 2019) -- travis: remove mesalink builds (temporarily?) +- sws: remove unused variables - Since the mesalink build started to fail on travis, even though we build - a fixed release version, we disable it to prevent it from blocking - progress. + Unused since commit 2f44e94. - Closes #3767 + Closes https://github.com/curl/curl/pull/3975 -- openssl: mark connection for close on TLS close_notify - - Without this, detecting and avoid reusing a closed TLS connection - (without a previous GOAWAY) when doing HTTP/2 is tricky. 
- - Reported-by: Tom van der Woerdt - Fixes #3750 - Closes #3763 +Version 7.65.1 (4 Jun 2019) -- RELEASE-NOTES: synced +Daniel Stenberg (4 Jun 2019) +- RELEASE-NOTES: 7.65.1 -Steve Holme (11 Apr 2019) -- vauth/cleartext: Update the PLAIN login function signature to match RFC 4616 - - Functionally this doesn't change anything as we still use the username - for both the authorisation identity and the authentication identity. - - Closes #3757 +- THANKS: new contributors from 7.65.1 -Daniel Stenberg (11 Apr 2019) -- test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage - - Based-on-code-by: Poul T Lomholt +Steve Holme (4 Jun 2019) +- [Frank Gevaerts brought this change] -- url: always clone the CUROPT_CURLU handle - - Since a few code paths actually update that data. + ssl: Update outdated "openssl-only" comments for supported backends - Fixes #3753 - Closes #3761 + These are for features that used to be openssl-only but were expanded + over time to support other SSL backends. - Reported-by: Poul T Lomholt + Closes #3985 -- CURLOPT_DNS_USE_GLOBAL_CACHE: remove - - Remove the code too. The functionality has been disabled in code since - 7.62.0. Setting this option will from now on simply be ignored and have - no function. +Daniel Stenberg (4 Jun 2019) +- curl_share_setopt.3: improve wording [ci ship] - Closes #3654 + Reported-by: Carlos ORyan -Marcel Raad (11 Apr 2019) -- travis: install libgnutls28-dev only for --with-gnutls build +Steve Holme (4 Jun 2019) +- tool_parsecfg: Use correct return type for GetModuleFileName() - Reduces the time needed for the other jobs a little. + GetModuleFileName() returns a DWORD which is a typedef of an unsigned + long and not an int. - Closes https://github.com/curl/curl/pull/3721 + Closes #3980 -- travis: install libnss3-dev only for --with-nss build - - Reduces the time needed for the other jobs a little. 
+Daniel Stenberg (3 Jun 2019) +- TODO: "at least N milliseconds between requests" [ci skip] - Closes https://github.com/curl/curl/pull/3721 + Suggested-by: dkwolfe4 on github + Closes #3920 -- travis: install libssh2-dev only for --with-libssh2 build +Steve Holme (2 Jun 2019) +- tests/server/.gitignore: Add socksd to the ignore list - Reduces the time needed for the other jobs a little. + Missed in 04fd6755. - Closes https://github.com/curl/curl/pull/3721 + Closes #3978 -- travis: install libssh-dev only for --with-libssh build +- tool_parsecfg: Fix control flow issue (DEADCODE) - Reduces the time needed for the other jobs a little. + Follow-up to 8144ba38. - Closes https://github.com/curl/curl/pull/3721 + Detected by Coverity CID 1445663 + Closes #3976 -- travis: install krb5-user only for --with-gssapi build - - Reduces the time needed for the other jobs a little. - - Closes https://github.com/curl/curl/pull/3721 +Daniel Stenberg (2 Jun 2019) +- [Sergey Ogryzkov brought this change] -- travis: install lcov only for the coverage job - - Reduces the time needed for the other jobs a little. + NTLM: reset proxy "multipass" state when CONNECT request is done - Closes https://github.com/curl/curl/pull/3721 + Closes #3972 -- travis: install clang only when needed - - This reduces the GCC job runtimes a little and it's needed to - selectively update clang builds to xenial. +- test334: verify HTTP 204 response with chunked coding header - Closes https://github.com/curl/curl/pull/3721 + Verifies that a bodyless response don't parse this content-related + header. 
-- AppVeyor: enable testing for WinSSL build - - Closes https://github.com/curl/curl/pull/3725 +- [Michael Kaufmann brought this change] -- build: fix Codacy/CppCheck warnings - - - remove unused variables - - declare conditionally used variables conditionally - - suppress unused variable warnings in the CMake tests - - remove dead variable stores - - consistently use WIN32 macro to detect Windows + http: don't parse body-related headers bodyless responses - Closes https://github.com/curl/curl/pull/3739 - -- polarssl_threadlock: remove conditionally unused code + Responses with status codes 1xx, 204 or 304 don't have a response body. For + these, don't parse these headers: - Make functions no-ops if neither both USE_THREADS_POSIX and - HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are - defined. Previously, if only one of them was defined, there was either - code compiled that did nothing useful or the wrong header included for - the functions used. + - Content-Encoding + - Content-Length + - Content-Range + - Last-Modified + - Transfer-Encoding - Also, move POLARSSL_MUTEX_T define to implementation file as it's not - used externally. + This change ensures that HTTP/2 upgrades work even if a + "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present. - Closes https://github.com/curl/curl/pull/3739 + Co-authored-by: Daniel Stenberg + Closes #3702 + Fixes #3968 + Closes #3977 -- lib557: initialize variables - - These variables are only conditionally initialized. 
+- tls13-docs: mention it is only for OpenSSL >= 1.1.1 - Closes https://github.com/curl/curl/pull/3739 + Reported-by: Jay Satiro + Co-authored-by: Jay Satiro + Fixes #3938 + Closes #3946 -- lib509: add missing include for strdup +- dump-header.d: spell out that no headers == empty file [ci skip] - Closes https://github.com/curl/curl/pull/3739 + Reported-by: wesinator at github + Fixes #3964 + Closes #3974 -- README.md: fix no-consecutive-blank-lines Codacy warning +- singlesocket: use separate variable for inner loop - Consistently use one blank line between blocks. + An inner loop within the singlesocket() function wrongly re-used the + variable for the outer loop which then could cause an infinite + loop. Change to using a separate variable! - Closes https://github.com/curl/curl/pull/3739 + Reported-by: Eric Wu + Fixes #3970 + Closes #3973 -- tests/server/util: fix Windows Unicode build - - Always use the ANSI version of FormatMessage as we don't have the - curl_multibyte gear available here. - - Closes https://github.com/curl/curl/pull/3758 +- RELEASE-NOTES: synced -Daniel Stenberg (11 Apr 2019) -- curl_easy_getinfo.3: fix minor formatting mistake +- [Josie Huddleston brought this change] -Daniel Gustafsson (11 Apr 2019) -- xattr: skip unittest on unsupported platforms - - The stripcredentials unittest fails to compile on platforms without - xattr support, for example the Solaris member in the buildfarm which - fails with the following: - - CC unit1621-unit1621.o - CC ../libtest/unit1621-first.o - CCLD unit1621 - Undefined first referenced - symbol in file - stripcredentials unit1621-unit1621.o - goto problem 2 - ld: fatal: symbol referencing errors. No output written to .libs/unit1621 - collect2: error: ld returned 1 exit status - gmake[2]: *** [Makefile:996: unit1621] Error 1 + http2: Stop drain from being permanently set on - Fix by excluding the test on such platforms by using the reverse - logic from where stripcredentials() is defined. 
+ Various functions called within Curl_http2_done() can have the + side-effect of setting the Easy connection into drain mode (by calling + drain_this()). However, the last time we unset this for a transfer (by + calling drained_transfer()) is at the beginning of Curl_http2_done(). + If the Curl_easy is reused for another transfer, it is then stuck in + drain mode permanently, which in practice makes it unable to write any + data in the new transfer. - Closes #3759 - Reviewed-by: Daniel Stenberg - -Steve Holme (11 Apr 2019) -- emailL Added reference to RFC8314 for implicit TLS - -- README: Schannel, stop calling it "winssl" + This fix moves the last call to drained_transfer() to later in + Curl_http2_done(), after the functions that could potentially call for a + drain. - Stick to "Schannel" everywhere - follow up to 180501cb. + Fixes #3966 + Closes #3967 + Reported-by: Josie-H -Jakub Zakrzewski (10 Apr 2019) -- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use +Steve Holme (29 May 2019) +- conncache: Remove the DEBUGASSERT on length check - This fixes GSSAPI builds with the libraries in a non-standard location. - The testing for recv() were failing because it failed to link - the Kerberos libraries, which are not needed for this or subsequent - tests. + We trust the calling code as this is an internal function. - fixes #3743 - closes #3744 + Closes #3962 -- cmake: avoid linking executable for some tests with cmake 3.6+ - - With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile() - (which is used by check_c_source_compiles()) will build static library - instead of executable. This avoids linking additional libraries in and thus - speeds up those checks a little. - - This commit also avoids #3743 (GSSAPI build errors) on itself with cmake - 3.6 or above. That issue was fixed separately for all versions. 
- - Ref: #3744 +Jay Satiro (29 May 2019) +- [Gisle Vanem brought this change] -- cmake: minor cleanup - - - Remove nneeded include_regular_expression. - It was setting what is already a default. + system_win32: fix function prototype - - Remove duplicated include. + - Change if_nametoindex parameter type from char * to const char *. - - Don't check for pre-3.0.0 CMake version. - We already require at least 3.0.0, so it's just clutter. + Follow-up to 09eef8af from this morning. - Ref: #3744 - -Steve Holme (8 Apr 2019) -- build-openssl.bat: Fixed support for OpenSSL v1.1.0+ - -- build-openssl.bat: Perfer the use of if statements rather than goto (where possible) - -- build-openssl.bat: Perform the install for each build type directly after the build - -- build-openssl.bat: Split the install of static and shared build types - -- build-openssl.bat: Split the building of static and shared build types - -- build-openssl.bat: Move the installation into a separate function - -- build-openssl.bat: Move the build step into a separate function - -- build-openssl.bat: Move the OpenSSL configuration into a separate function + Bug: https://github.com/curl/curl/commit/09eef8af#r33716067 -- build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised +Marcel Raad (29 May 2019) +- appveyor: add Visual Studio solution build - Should the parent environment set this variable then the build might - not be performed as the user intended. - -Daniel Stenberg (8 Apr 2019) -- socks: fix error message + Closes https://github.com/curl/curl/pull/3941 -- config.d: clarify that initial : and = might need quoting [skip ci] +- appveyor: add support for other build systems - Fixes #3738 - Closes #3749 - -- RELEASE-NOTES: synced + Introduce BUILD_SYSTEM variable, which is currently always CMake. 
- bumped to 7.65.0 for next release + Closes https://github.com/curl/curl/pull/3941 -- socks5: user name and passwords must be shorter than 256 +Steve Holme (29 May 2019) +- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows - bytes... since the protocol needs to store the length in a single byte field. + This fixes the static dependency on iphlpapi.lib and allows curl to + build for targets prior to Windows Vista. - Reported-by: XmiliaH on github - Fixes #3737 - Closes #3740 - -- [Jakub Zakrzewski brought this change] - - test: urlapi: urlencode characters above 0x7f correctly - -- [Jakub Zakrzewski brought this change] - - urlapi: urlencode characters above 0x7f correctly + This partially reverts 170bd047. - fixes #3741 - Closes #3742 + Fixes #3960 + Closes #3958 -- [Even Rouault brought this change] +Daniel Stenberg (29 May 2019) +- http: fix "error: equality comparison with extraneous parentheses" - multi_runsingle(): fix use-after-free +- parse_proxy: make sure portptr is initialized - Fixes #3745 - Closes #3746 + Reported-by: Benbuck Nason - The following snippet - ``` + fixes #3959 + +- url: default conn->port to the same as conn->remote_port - int main() - { - CURL* hCurlHandle = curl_easy_init(); - curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com"); - curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1"); - curl_easy_perform(hCurlHandle); - curl_easy_cleanup(hCurlHandle); - return 0; - } - ``` - triggers the following Valgrind warning + ... so that it has a sensible value when ConnectionExists() is called which + needs it set to differentiate host "bundles" correctly on port number! 
- ``` - ==4125== Invalid read of size 8 - ==4125== at 0x4E7D1EE: Curl_llist_remove (llist.c:97) - ==4125== by 0x4E7EF5C: detach_connnection (multi.c:798) - ==4125== by 0x4E80545: multi_runsingle (multi.c:1451) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ==4125== Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd - ==4125== at 0x4C2ECF0: free (vg_replace_malloc.c:530) - ==4125== by 0x4E62C36: conn_free (url.c:756) - ==4125== by 0x4E62D34: Curl_disconnect (url.c:818) - ==4125== by 0x4E48DF9: Curl_once_resolved (hostip.c:1097) - ==4125== by 0x4E8052D: multi_runsingle (multi.c:1446) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ==4125== Block was alloc'd at - ==4125== at 0x4C2F988: calloc (vg_replace_malloc.c:711) - ==4125== by 0x4E6438E: allocate_conn (url.c:1654) - ==4125== by 0x4E685B4: create_conn (url.c:3496) - ==4125== by 0x4E6968F: Curl_connect (url.c:4023) - ==4125== by 0x4E802E7: multi_runsingle (multi.c:1368) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ``` + Also, make conncache:hashkey() use correct port for bundles that are proxy vs + host connections. 
- This has been bisected to commit 2f44e94 + Probably a regression from 7.62.0 - Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109 - Credit to OSS Fuzz + Reported-by: Tom van der Woerdt + Fixes #3956 + Closes #3957 -- pipelining: removed - - As previously planned and documented in DEPRECATE.md, all pipelining - code is removed. +- conncache: make "bundles" per host name when doing proxy tunnels - Closes #3651 - -- [cclauss brought this change] - - tests: make Impacket (SMB server) Python 3 compatible + Only HTTP proxy use where multiple host names can be used over the same + connection should use the proxy host name for bundles. - Closes #3731 - Fixes #3289 - -Marcel Raad (6 Apr 2019) -- [Simon Warta brought this change] + Reported-by: Tom van der Woerdt + Fixes #3951 + Closes #3955 - cmake: set SSL_BACKENDS +- multi: track users of a socket better - This groups all SSL backends into the feature "SSL" and sets the - SSL_BACKENDS analogue to configure.ac + They need to be removed from the socket hash linked list with more care. - Closes https://github.com/curl/curl/pull/3736 - -- [Simon Warta brought this change] - - cmake: don't run SORT on empty list + When sh_delentry() is called to remove a sockethash entry, remove all + individual transfers from the list first. To enable this, each Curl_easy struct + now stores a pointer to the sockethash entry to know how to remove itself. - In case of an empty list, SORTing leads to the cmake error "list - sub-command SORT requires list to be present." + Reported-by: Tom van der Woerdt and Kunal Ekawde - Closes https://github.com/curl/curl/pull/3736 - -Daniel Gustafsson (5 Apr 2019) -- [Eli Schwartz brought this change] + Fixes #3952 + Fixes #3904 + Closes #3953 - configure: fix default location for fish completions - - Fish defines a vendor completions directory for completions that are not - installed as part of the fish project itself, and the vendor completions - are preferred if they exist. 
This prevents trying to overwrite the - builtin curl.fish completion (or creating file conflicts in distro - packaging). +Steve Holme (28 May 2019) +- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version - Prefer the pkg-config defined location exported by fish, if it can be - found, and fall back to the correct directory defined by most systems. + Microsoft added support for Unix Domain Sockets in Windows 10 1803 + (RS4). Rather than expect the user to enable Unix Domain Sockets by + uncommenting the #define that was added in 0fd6221f we use the RS4 + pre-processor variable that is present in newer versions of the + Windows SDK. - Closes #3723 - Reviewed-by: Daniel Gustafsson + Closes #3939 -Marcel Raad (5 Apr 2019) -- ftplistparser: fix LGTM alert "Empty block without comment" - - Removing the block is consistent with line 954/957. +Daniel Stenberg (28 May 2019) +- [Jonas Vautherin brought this change] + + cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables - Closes https://github.com/curl/curl/pull/3732 + Closes #3945 -- transfer: fix LGTM alert "Comparison is always true" +Marcel Raad (27 May 2019) +- HAProxy tests: add keywords - Just remove the redundant condition, which also makes it clear that - k->buf is always 0-terminated if this break is not hit. + Add the proxy and haproxy keywords in order to be able to exclude or + run these specific tests. - Closes https://github.com/curl/curl/pull/3732 + Closes https://github.com/curl/curl/pull/3949 -Jay Satiro (4 Apr 2019) -- [Rikard Falkeborn brought this change] +Daniel Stenberg (27 May 2019) +- [Maksim Stsepanenka brought this change] - smtp: fix compiler warning - - - Fix clang string-plus-int warning. - - Clang 8 warns about adding a string to an int does not append to the - string. Indeed it doesn't, but that was not the intention either. Use - array indexing as suggested to silence the warning. There should be no - functional changes. 
- - (In other words clang warns about "foo"+2 but not &"foo"[2] so use the - latter.) - - smtp.c:1221:29: warning: adding 'int' to a string does not append to the - string [-Wstring-plus-int] - eob = strdup(SMTP_EOB + 2); - ~~~~~~~~~~~~~~~~^~~~ + tests: make test 1420 and 1406 work with rtsp-disabled libcurl - Closes https://github.com/curl/curl/pull/3729 + Closes #3948 -- cgit v1.2.3
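Review bot: The added entry "multi: make sure 'data' can present in several sockhash entries" reads "each sockhash entry how has its own hash table" and has a stray double quote after 'blocked = TRUE'. If this file is meant to be a verbatim copy of upstream's CHANGES, leave both as they are and say so in the commit message; otherwise fix them here. The `-` lines also drop older entries such as "multi_runsingle(): fix use-after-free" and "socks5: user name and passwords must be shorter than 256". Please confirm, and state in the commit message next to "libcurl: update to 7.69", that these disappear only because the changelog moved forward to newer entries and that no fix in the library itself is being reverted.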