From 47b6881fe726c904f87aa4be059b730ef77954d0 Mon Sep 17 00:00:00 2001 From: dartraiden Date: Thu, 22 Dec 2022 16:31:20 +0300 Subject: libcurl: update to 7.87.0 --- libs/libcurl/docs/CHANGES | 18739 +++++++++++++++++++++++--------------------- 1 file changed, 9874 insertions(+), 8865 deletions(-) (limited to 'libs/libcurl/docs/CHANGES') diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES index d48ababb4f..c5152c1398 100644 --- a/libs/libcurl/docs/CHANGES +++ b/libs/libcurl/docs/CHANGES 
@@ -1,8865 +1,9874 @@ - _ _ ____ _ - ___| | | | _ \| | - / __| | | | |_) | | - | (__| |_| | _ <| |___ - \___|\___/|_| \_\_____| - - Changelog - -Version 7.86.0 (26 Oct 2022) - -Daniel Stenberg (26 Oct 2022) -- RELEASE: synced - - The 7.86.0 release - -- THANKS: added from the 7.86.0 release - -Viktor Szakats (25 Oct 2022) -- noproxy: include netinet/in.h for htonl() - - Solve the Amiga build warning by including `netinet/in.h`. - - `krb5.c` and `socketpair.c` are using `htonl()` too. This header is - already included in those sources. - - Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309 - - Reviewed-by: Daniel Stenberg - Closes #9787 - -Marc Hoersken (24 Oct 2022) -- CI: fix AppVeyor status failing for starting jobs - -Daniel Stenberg (24 Oct 2022) -- test445: verifies the protocols-over-http-proxy flaw and fix - -- http_proxy: restore the protocol pointer on error - - Reported-by: Trail of Bits - - Closes #9790 - -- multi: remove duplicate include of connect.h - - Reported-by: Martin Strunz - Fixes #9794 - Closes #9795 - -Daniel Gustafsson (24 Oct 2022) -- idn: fix typo in test description - - s/enabked/enabled/i - -Daniel Stenberg (24 Oct 2022) -- url: use IDN decoded names for HSTS checks - - Reported-by: Hiroki Kurosawa - - Closes #9791 - -- unit1614: fix disabled-proxy build - - Follow-up to 1e9a538e05c01 - - Closes #9792 - -Daniel Gustafsson (24 Oct 2022) -- cookies: optimize control character check - - When checking for invalid octets the strcspn() call will return the - position of the first found invalid char or the first NULL byte. - This means that we can check the indicated position in the search- - string saving a strlen() call. - - Closes: #9736 - Reviewed-by: Jay Satiro - -Daniel Stenberg (24 Oct 2022) -- netrc: replace fgets with Curl_get_line - - Make the parser only accept complete lines and avoid problems with - overly long lines. 
- - Reported-by: Hiroki Kurosawa - - Closes #9789 - -- RELEASE-NOTES: add "Planned upcoming removals include" - - URL: https://curl.se/mail/archive-2022-10/0001.html - - Suggested-by: Dan Fandrich - -Viktor Szakats (23 Oct 2022) -- ci: bump to gcc-11 for macos - - Ref: https://github.blog/changelog/2022-10-03-github-actions-jobs-running-on-macos-latest-are-now-running-on-macos-12/ - Ref: https://github.com/actions/runner-images/blob/main/images/macos/macos-12-Readme.md - - Reviewed-by: Max Dymond - Closes #9785 - -- Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [ci skip] - - - Reintroduce `CROSSPREFIX`: - - If set, we add it to the `CC` and `AR` values, and to the _default_ - value of `RC`, which is `windres`. This allows to control each of - these individidually, while also allowing to simplify configuration - via `CROSSPREFIX`. - - This variable worked differently earlier. Hopefully this new solution - hits a better compromise in usefulness/complexity/flexibility. - - Follow-up to: aa970c4c08775afcd0c2853be89b0a6f02582d50 - - - Enable warnings again: - - This time with an option to override it via `CFLAGS`. Warnings are - also enabled by default in CMake, `makefile.dj` and `makefile.amiga` - builds (not in autotools though). - - Follow-up to 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3 - - Closes #9784 - -- noproxy: silence unused variable warnings with no ipv6 - - Follow-up to 36474f1050c7f4117e3c8de6cc9217cfebfc717d - - Reviewed-by: Daniel Stenberg - Closes #9782 - -Daniel Stenberg (22 Oct 2022) -- test644: verify --xattr (with redirect) - -- tool_xattr: save the original URL, not the final redirected one - - Adjusted test 1621 accordingly. 
- - Reported-by: Viktor Szakats - Fixes #9766 - Closes #9768 - -- docs: make sure libcurl opts examples pass in long arguments - - Reported-by: Sergey - Fixes #9779 - Closes #9780 - -Marc Hoersken (21 Oct 2022) -- CI: fix AppVeyor job links only working for most recent build - - Ref: https://github.com/curl/curl/pull/9768#issuecomment-1286675916 - Reported-by: Daniel Stenberg - - Follow up to #9769 - -Viktor Szakats (21 Oct 2022) -- noproxy: fix builds without AF_INET6 - - Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309 - - Reviewed-by: Daniel Stenberg - - Closes #9778 - -Daniel Stenberg (21 Oct 2022) -- noproxy: support proxies specified using cidr notation - - For both IPv4 and IPv6 addresses. Now also checks IPv6 addresses "correctly" - and not with string comparisons. - - Split out the noproxy checks and functionality into noproxy.c - - Added unit test 1614 to verify checking functions. - - Reported-by: Mathieu Carbonneaux - - Fixes #9773 - Fixes #5745 - Closes #9775 - -- urlapi: remove two variable assigns - - To please scan-build: - - urlapi.c:1163:9: warning: Value stored to 'qlen' is never read - qlen = Curl_dyn_len(&enc); - ^ ~~~~~~~~~~~~~~~~~~ - urlapi.c:1164:9: warning: Value stored to 'query' is never read - query = u->query = Curl_dyn_ptr(&enc); - ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Follow-up to 7d6cf06f571d57 - - Closes #9777 - -- [Jeremy Maitin-Shepard brought this change] - - cmake: improve usability of CMake build as a sub-project - - - Renames `uninstall` -> `curl_uninstall` - - Ensures all export rules are guarded by CURL_ENABLE_EXPORT_TARGET - - Closes #9638 - -- [Don J Olmstead brought this change] - - easy_lock: check for HAVE_STDATOMIC_H as well - - The check for `HAVE_STDATOMIC_H` looks to see if the `stdatomic.h` - header is present. 
- - Closes #9755 - -- RELEASE-NOTES: synced - -- [Brad Harder brought this change] - - CURLMOPT_PIPELINING.3: dedup manpage xref - - Closes #9776 - -Marc Hoersken (20 Oct 2022) -- CI: report AppVeyor build status for each job - - Also give each job on AppVeyor CI a human-readable name. - - This aims to make job and therefore build failures more visible. - - Reviewed-by: Marcel Raad - Closes #9769 - -Viktor Szakats (20 Oct 2022) -- amiga: set SIZEOF_CURL_OFF_T=8 by default [ci skip] - - Reviewed-by: Daniel Stenberg - - Closes #9771 - -- connect: fix builds without AF_INET6 - - Regression from 2b309560c1e5d6ed5c0e542e6fdffa968b0521c9 - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - - Closes #9770 - -Daniel Stenberg (20 Oct 2022) -- test1105: adjust to work with a hyper build - - Closes #9767 - -- urlapi: fix parsing URL without slash with CURLU_URLENCODE - - When CURLU_URLENCODE is set, the parser would mistreat the path - component if the URL was specified without a slash like in - http://local.test:80?-123 - - Extended test 1560 to reproduce and verify the fix. - - Reported-by: Trail of Bits - - Closes #9763 - -Marc Hoersken (19 Oct 2022) -- tests: avoid CreateThread if _beginthreadex is available - - CreateThread is not threadsafe if mixed with CRT calls. - _beginthreadex on the other hand can be mixed with CRT. - - Reviewed-by: Marcel Raad - Closes #9705 - -Jay Satiro (19 Oct 2022) -- [Joel Depooter brought this change] - - schannel: Don't reset recv/send function pointers on renegotiation - - These function pointers will have been set when the initial TLS - handshake was completed. If they are unchanged, there is no need to set - them again. If they have been changed, as is the case with HTTP/2, we - don't want to override that change. That would result in the - http22_recv/send functions being completely bypassed. 
- - Prior to this change a connection that uses Schannel with HTTP/2 would - fail on renegotiation with error "Received HTTP/0.9 when not allowed". - - Fixes https://github.com/curl/curl/issues/9451 - Closes https://github.com/curl/curl/pull/9756 - -Viktor Szakats (18 Oct 2022) -- hostip: guard PF_INET6 use - - Some platforms (e.g. Amiga OS) do not have `PF_INET6`. Adjust the code - for these. - - ``` - hostip.c: In function 'fetch_addr': - hostip.c:308:12: error: 'PF_INET6' undeclared (first use in this function) - pf = PF_INET6; - ^~~~~~~~ - ``` - - Regression from 1902e8fc511078fb5e26fc2b907b4cce77e1240d - - Reviewed-by: Daniel Stenberg - - Closes #9760 - -- amiga: do not hardcode openssl/zlib into the os config [ci skip] - - Enable them in `lib/makefile.amiga` and `src/makefile.amiga` instead. - - This allows builds without openssl and/or zlib. E.g. with the - cross-compiler. - - Reviewed-by: Daniel Stenberg - - Closes #9762 - -- amigaos: add missing curl header [ci skip] - - Without it, `CURLcode` and `CURLE_*` are undefined. `lib/hostip.h` and - conditional local code need them. - - Reviewed-by: Daniel Stenberg - - Closes #9761 - -Daniel Stenberg (18 Oct 2022) -- cmdline/docs: add a required 'multi' keyword for each option - - The keyword specifies how option works when specified multiple times: - - - single: the last provided value replaces the earlier ones - - append: it supports being provided multiple times - - boolean: on/off values - - mutex: flag-like option that disable anoter flag - - The 'gen.pl' script then outputs the proper and unified language for - each option's multi-use behavior in the generated man page. - - The multi: header is requires in each .d file and will cause build error - if missing or set to an unknown value. 
- - Closes #9759 - -- CURLOPT_AUTOREFERER.3: highlight the privacy leak risk - - Closes #9757 - -- mprintf: reject two kinds of precision for the same argument - - An input like "%.*1$.9999d" would first use the precision taken as an - argument *and* then the precision specified in the string, which is - confusing and wrong. pass1 will now instead return error on this double - use. - - Adjusted unit test 1398 to verify - - Reported-by: Peter Goodman - - Closes #9754 - -- ftp: remove redundant if - - Reported-by: Trail of Bits - - Closes #9753 - -- tool_operate: more transfer cleanup after parallel transfer fail - - In some circumstances when doing parallel transfers, the - single_transfer_cleanup() would not be called and then 'inglob' could - leak. - - Test 496 verifies - - Reported-by: Trail of Bits - Closes #9749 - -- mqtt: spell out CONNECT in comments - - Instead of calling it 'CONN' in several comments, use the full and - correct protocol packet name. - - Suggested by Trail of Bits - - Closes #9751 - -- CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST - - Not the deprecated CURLOPT_HTTPPOST option. - - Also added two see-alsos. - - Reported-by: Trail of Bits - Closes #9752 - -- RELEASE-NOTES: synced - -Jay Satiro (17 Oct 2022) -- ngtcp2: Fix build errors due to changes in ngtcp2 library - - ngtcp2/ngtcp2@b0d86f60 changed: - - - ngtcp2_conn_get_max_udp_payload_size => - ngtcp2_conn_get_max_tx_udp_payload_size - - - ngtcp2_conn_get_path_max_udp_payload_size => - ngtcp2_conn_get_path_max_tx_udp_payload_size - - ngtcp2/ngtcp2@ec59b873 changed: - - - 'early_data_rejected' member added to ng_callbacks. 
- - Assisted-by: Daniel Stenberg - Reported-by: jurisuk@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/9747 - Closes https://github.com/curl/curl/pull/9748 - -Daniel Stenberg (16 Oct 2022) -- curl_path: return error if given a NULL homedir - - Closes #9740 - -- libssh: if sftp_init fails, don't get the sftp error code - - This flow extracted the wrong code (sftp code instead of ssh code), and - the code is sometimes (erroneously) returned as zero anyway, so skip - getting it and set a generic error. - - Reported-by: David McLaughlin - Fixes #9737 - Closes #9740 - -- mqtt: return error for too long topic - - Closes #9744 - -- [Rickard Hallerbäck brought this change] - - tool_paramhlp: make the max argument a 'double' - - To fix compiler warnings "Implicit conversion from 'long' to 'double' - may lose precision" - - Closes #9700 - -Marc Hoersken (15 Oct 2022) -- [Philip Heiduck brought this change] - - cirrus-ci: add more macOS builds with m1 based on x86_64 builds - - Also refactor macOS builds to use task matrix. - - Assisted-by: Marc Hörsken - Closes #9565 - -Viktor Szakats (14 Oct 2022) -- cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows - - `lib/config-win32.h` enables this configuration option unconditionally. - Make it apply to CMake builds as well. - - While here, delete a broken check for - `HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID` from `CMakeLists.txt`. This came with - the initial commit [1], but did not include the actual verification code - inside `CMake/CurlTests.c`, so it always failed. A later commit [2] - added a second test, for non-Windows platforms. - - Enabling this flag causes test 1056 to fail with CMake builds, as they - do with autotools builds. Let's apply the same solution and ignore the - results here as well. 
- - [1] 4c5307b45655ba75ab066564afdc0c111a8b9291 - [2] aec7c5a87c8482b6ddffa352d7d220698652262e - - Reviewed-by: Daniel Stenberg - Assisted-by: Marcel Raad - - Closes #9726 - -- cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows - - autotools enables this configuration option unconditionally for Windows - [^1]. Do the same in CMake. - - The above will make this work for all reasonably recent environments. - The logic present in `lib/config-win32.h` [^2] has the following - exceptions which we did not cover in this CMake update: - - - Builds targeting Windows 2000 and earlier - - MS Visual C++ 5.0 (1997) and earlier - - Also make sure to disable this feature when `HAVE_GETADDRINFO` isn't - set, to avoid a broken build. We might want to handle that in the C - sources in a future commit. - - [^1]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/m4/curl-functions.m4#L2067-L2070 - - [^2]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/lib/config-win32.h#L511-L528 - - Closes #9727 - -- cmake: sync HAVE_SIGNAL detection with autotools - - `HAVE_SIGNAL` means the availability of the `signal()` function in - autotools, while in CMake it meant the availability of that function - _and_ the symbol `SIGALRM`. - - The latter is not available on Windows, but the function is, which means - on Windows, autotools did define `HAVE_SIGNAL`, but CMake did not, - introducing a slight difference into the binaries. - - This patch syncs CMake behaviour with autotools to look for the function - only. - - The logic came with the initial commit adding CMake support to curl, so - the commit history doesn't reveal the reason behind it. In any case, - it's best to check the existence of `SIGALRM` directly in the source - before use. For now, curl builds fine with `HAVE_SIGNAL` enabled and - `SIGALRM` missing. 
- - Follow-up to 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6 - - Closes #9725 - -- cmake: delete duplicate HAVE_GETADDRINFO test - - A custom `HAVE_GETADDRINFO` check came with the initial CMake commit - [1]. A later commit [2] added a standard check for it as well. The - standard check run before the custom one, so CMake ignored the latter. - - The custom check was also non-portable, so this patch deletes it in - favor of the standard check. - - [1] 4c5307b45655ba75ab066564afdc0c111a8b9291 - [2] aec7c5a87c8482b6ddffa352d7d220698652262e - - Closes #9731 - -Daniel Stenberg (14 Oct 2022) -- tool_formparse: unroll the NULL_CHECK and CONST_FREE macros - - To make the code read more obvious - - Assisted-by: Jay Satiro - - Closes #9710 - -- [Christopher Sauer brought this change] - - docs/INSTALL: update Android Instructions for newer NDKs - - Closes #9732 - -- markdown-uppercase: ignore quoted sections - - Sections within the markdown ~~~ or ``` are now ignored. - - Closes #9733 - -- RELEASE-NOTES: synced - -- test8: update as cookies no longer can have "embedded" TABs in content - -- test1105: extend to verify TAB in name/content discarding cookies - -- cookie: reject cookie names or content with TAB characters - - TABs in name and content seem allowed by RFC 6265: "the algorithm strips - leading and trailing whitespace from the cookie name and value (but - maintains internal whitespace)" - - Cookies with TABs in the names are rejected by Firefox and Chrome. - - TABs in content are stripped out by Firefox, while Chrome discards the - whole cookie. - - TABs in cookies also cause issues in saved netscape cookie files. 
- - Reported-by: Trail of Bits - - URL: https://curl.se/mail/lib-2022-10/0032.html - URL: https://github.com/httpwg/http-extensions/issues/2262 - - Closes #9659 - -- curl/add_parallel_transfers: better error handling - - 1 - consider the transfer handled at once when in the function, to avoid - the same list entry to get added more than once in rare error - situations - - 2 - set the ERRORBUFFER for the handle first after it has been added - successfully - - Reported-by: Trail of Bits - - Closes #9729 - -- netrc: remove the two 'changed' arguments - - As no user of these functions used the returned content. - -- test495: verify URL encoded user name + netrc-optional - - Reproduced issue #9709 - -- netrc: use the URL-decoded user - - When the user name is provided in the URL it is URL encoded there, but - when used for authentication the encoded version should be used. - - Regression introduced after 7.83.0 - - Reported-by: Jonas Haag - Fixes #9709 - Closes #9715 - -- [Shaun Mirani brought this change] - - url: allow non-HTTPS HSTS-matching for debug builds - - Closes #9728 - -- test1275: remove the check of stderr - - To avoid the mysterious test failures on Windows, instead rely on the - error code returned on failure. - - Fixes #9716 - Closes #9723 - -Viktor Szakats (13 Oct 2022) -- lib: set more flags in config-win32.h - - The goal is to add any flag that affect the created binary, to get in - sync with the ones built with CMake and autotools. - - I took these flags from curl-for-win [0], where they've been tested with - mingw-w64 and proven to work well. 
- - This patch brings them to curl as follows: - - - Enable unconditionally those force-enabled via - `CMake/WindowsCache.cmake`: - - - `HAVE_SETJMP_H` - - `HAVE_STRING_H` - - `HAVE_SIGNAL` (CMake equivalent is `HAVE_SIGNAL_FUNC`) - - - Expand existing guards with mingw-w64: - - - `HAVE_STDBOOL_H` - - `HAVE_BOOL_T` - - - Enable Win32 API functions for Windows Vista and later: - - - `HAVE_INET_NTOP` - - `HAVE_INET_PTON` - - - Set sizes, if not already set: - - - `SIZEOF_OFF_T = 8` - - `_FILE_OFFSET_BITS = 64` when `USE_WIN32_LARGE_FILES` is set, - and using mingw-w64. - - - Add the remaining for mingw-w64 only. Feel free to expand as desired: - - - `HAVE_LIBGEN_H` - - `HAVE_FTRUNCATE` - - `HAVE_BASENAME` - - `HAVE_STRTOK_R` - - Future TODO: - - - `HAVE_SIGNAL` has a different meaning in CMake. It's enabled when both - the `signal()` function and the `SIGALRM` macro are found. In - autotools and this header, it means the function only. For the - function alone, CMake uses `HAVE_SIGNAL_FUNC`. - - [0] https://github.com/curl/curl-for-win/blob/c9b9a5f273c94c73d2b565ee892c4dff0ca97a8c/curl-m32.sh#L53-L58 - - Reviewed-by: Daniel Stenberg - - Closes #9712 - -Daniel Stenberg (13 Oct 2022) -- tests: add tests/markdown-uppercase.pl to dist tarball - - Follow-up to aafb06c5928183d - - Closes #9722 - -- tool_paramhelp: asserts verify maximum sizes for string loading - - The two defines MAX_FILE2MEMORY and MAX_FILE2STRING define the largest - strings accepted when loading files into memory, but as the size is - later used as input to functions that take the size as 'int' as - argument, the sizes must not be larger than INT_MAX. - - These two new assert()s make the code error out if someone would bump - the sizes without this consideration. 
- - Reported-by Trail of Bits - - Closes #9719 - -- http: try parsing Retry-After: as a number first - - Since the date parser allows YYYYMMDD as a date format (due to it being - a bit too generic for parsing this particular header), a large integer - number could wrongly match that pattern and cause the parser to generate - a wrong value. - - No date format accepted for this header starts with a decimal number, so - by reversing the check and trying a number first we can deduct that if - that works, it was not a date. - - Reported-by Trail of Bits - - Closes #9718 - -- [Patrick Monnerat brought this change] - - doc: fix deprecation versions inconsistencies - - Ref: https://curl.se/mail/lib-2022-10/0026.html - - Closes #9711 - -- http_aws_sigv4: fix strlen() check - - The check was off-by-one leading to buffer overflow. - - Follow-up to 29c4aa00a16872 - - Detected by OSS-Fuzz - - Closes #9714 - -- curl/main_checkfds: check the fcntl return code better - - fcntl() can (in theory) return a non-zero number for success, so a - better test for error is checking for -1 explicitly. - - Follow-up to 41e1b30ea1b77e9ff - - Mentioned-by: Dominik Klemba - - Closes #9708 - -Viktor Szakats (12 Oct 2022) -- tidy-up: delete unused HAVE_STRUCT_POLLFD - - It was only defined in `lib/config-win32.h`, when building for Vista. - - It was only used in `select.h`, in a condition that also included a - check for `POLLIN` which is a superior choice for this detection and - which was already used by cmake and autotools builds. - - Delete both instances of this macro. - - Closes #9707 - -Daniel Stenberg (12 Oct 2022) -- test1275: verify upercase after period in markdown - - Script based on the #9474 pull-request logic, but implemented in perl. - - Updated docs/URL-SYNTAX.md accordingly. 
- - Suggested-by: Dan Fandrich - - Closes #9697 - -- [12932 brought this change] - - misc: nitpick grammar in comments/docs - - because the 'u' in URL is actually a consonant *sound* it is only - correct to write "a URL" - - sorry this is a bit nitpicky :P - - https://english.stackexchange.com/questions/152/when-should-i-use-a-vs-an - https://www.techtarget.com/whatis/feature/Which-is-correct-a-URL-or-an-URL - - Closes #9699 - -Viktor Szakats (11 Oct 2022) -- Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [ci skip] - - This patch aimed to fix a regression [0], where `CC` initialization - moved beyond its first use. But, on closer inspection it turned out that - the `CC` initialization does not work as expected due to GNU Make - filling it with `cc` by default. So unless implicit values were - explicitly disabled via a GNU Make option, the default value of - `$CROSSPREFIX` + `gcc` was never used. At the same time the implicit - value `cc` maps to `gcc` in (most/all?) MinGW envs. - - `AR` has the same issue, with a default value of `ar`. - - We could reintroduce a separate variable to fix this without ill - effects, but for simplicity and flexibility, it seems better to drop - support for `CROSSPREFIX`, along with our own `CC`/`AR` init logic, and - require the caller to initialize `CC`, `AR` and `RC` to the full - (prefixed if necessary) names of these tools, as desired. - - We keep `RC ?= windres` because `RC` is empty by default. - - Also fix grammar in a comment. - - [0] 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3 - - Closes #9698 - -- smb: replace CURL_WIN32 with WIN32 - - PR #9255 aimed to fix a Cygwin/MSYS issue (#8220). It used the - `CURL_WIN32` macro, but that one is not defined here, while compiling - curl itself. This patch changes this to `WIN32`, assuming this was the - original intent. 
- - Regression from 1c52e8a3795ccdf8ec9c308f4f8f19cf10ea1f1a - - Reviewed-by: Marcel Raad - - Closes #9701 - -Daniel Stenberg (11 Oct 2022) -- [Matthias Gatto brought this change] - - aws_sigv4: fix header computation - - Handle canonical headers and signed headers creation as explained here: - https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html - - The algo tells that signed and canonical must contain at last host and - x-amz-date. - - So we check whatever thoses are present in the curl http headers list. - If they are, we use the one enter by curl user, otherwise we generate - them. then we to lower, and remove space from each http headers plus - host and x-amz-date, then sort them all by alphabetical order. - - This patch also fix a bug with host header, which was ignoring the port. - - Closes #7966 - -Jay Satiro (11 Oct 2022) -- [Aftab Alam brought this change] - - README.md: link the curl logo to the website - - - Link the curl:// image to https://curl.se/ - - Closes https://github.com/curl/curl/pull/9675 - -- [Dustin Howett brought this change] - - schannel: when importing PFX, disable key persistence - - By default, the PFXImportCertStore API persists the key in the user's - key store (as though the certificate was being imported for permanent, - ongoing use.) - - The documentation specifies that keys that are not to be persisted - should be imported with the flag PKCS12_NO_PERSIST_KEY. - NOTE: this flag is only supported on versions of Windows newer than XP - and Server 2003. - - -- - - This is take 2 of the original fix. It extends the lifetime of the - client certificate store to that of the credential handle. The original - fix which landed in 70d010d and was later reverted in aec8d30 failed to - work properly because it did not do that. - - Minor changes were made to the schannel credential context to support - closing the client certificate store handle at the end of an SSL session. 
- - -- - - Reported-by: ShadowZzj@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/9300 - Supersedes https://github.com/curl/curl/pull/9363 - Closes https://github.com/curl/curl/pull/9460 - -Viktor Szakats (11 Oct 2022) -- Makefile.m32: support more options [ci skip] - - - Add support for these options: - `-wolfssl`, `-wolfssh`, `-mbedtls`, `-libssh`, `-psl` - - Caveats: - - `-wolfssh` requires `-wolfssl`. - - `-wolfssl` cannot be used with OpenSSL backends in parallel. - - `-libssh` has build issues with BoringSSL and LibreSSL, and also - what looks like a world-writable-config vulnerability on Windows. - Consider it experimental. - - `-psl` requires `-idn2` and extra libs passed via - `LIBS=-liconv -lunistring`. - - - Detect BoringSSL/wolfSSL and set ngtcp2 crypto lib accordingly. - - Generalize MultiSSL detection. - - Use else-if syntax. Requires GNU Make 3.81 (2006-04-01). - - Document more customization options. - - This brings over some configuration logic from `curl-for-win`. - - Closes #9680 - -- cmake: enable more detection on Windows - - Enable `HAVE_UNISTD_H`, `HAVE_STRTOK_R` and `HAVE_STRCASECMP` detection - on Windows, instead of having predefined values. - - With these features detected correctly, CMake Windows builds get closer - to the autotools and `config-win32.h` ones. - - This also fixes detecting `HAVE_FTRUNCATE` correctly, which required - `unistd.h`. - - Fixing `ftruncate()` in turn causes a build warning/error with legacy - MinGW/MSYS1 due to an offset type size mismatch. This env misses to - detect `HAVE_FILE_OFFSET_BITS`, which may be a reason. This patch - force-disables `HAVE_FTRUNCATE` for this platform. - - Reviewed-by: Daniel Stenberg - - Closes #9687 - -- autotools: allow unix sockets on Windows - - Fixes: https://github.com/curl/curl-for-win/blob/73a070d96fd906fdee929e2f1f00a9149fb39239/curl-autotools.sh#L44-L47 - - On Windows this feature is present, but not the header used in the - detection logic. 
It also requires an elaborate enabler logic - (as seen in `lib/curl_setup.h`). Let's always allow it and let the - lib code deal with the details. - - Closes #9688 - -- cmake: add missing inet_ntop check - - This adds the missing half of the check, next to the other half - already present in `lib/curl_config.h.cmake`. - - Force disable `HAVE_INET_NTOP` for old MSVC where it caused compiler - warnings. - - Reviewed-by: Daniel Stenberg - - Closes #9689 - -Daniel Stenberg (11 Oct 2022) -- RELEASE-NOTES: synced - -- [bsergean on github brought this change] - - asyn-ares: set hint flags when calling ares_getaddrinfo - - The hint flag is ARES_AI_NUMERICSERV, and it will save a call to - getservbyname or getservbyname_r to set it. - - Closes #9694 - -- header.d: add category smtp and imap - - They were previously (erroneously) added manually to tool_listhelp.c - which would make them get removed again when the file is updated next - time, unless added correctly here in header.d - - Follow-up to 2437fac01 - - Closes #9690 - -- curl/get_url_file_name: use libcurl URL parser - - To avoid URL tricks, use the URL parser for this. - - This update changes curl's behavior slightly in that it will ignore the - possible query part from the URL and only use the file name from the - actual path from the URL. I consider it a bugfix. - - "curl -O localhost/name?giveme-giveme" will now save the output in the - local file named 'name' - - Updated test 1210 to verify - - Assisted-by: Jay Satiro - - Closes #9684 - -- [Martin Ågren brought this change] - - docs: fix grammar around needing pass phrase - - "You never needed a pass phrase" reads like it's about to be followed by - something like "until version so-and-so", but that is not what is - intended. Change to "You never need a pass phrase". There are two - instances of this text, so make sure to update both. - -- [Xiang Xiao brought this change] - - cmake: add the check of HAVE_SOCKETPAIR - - which is used by Curl_socketpair - - 
Signed-off-by: Xiang Xiao - - Closes #9686 - -- curl/add_file_name_to_url: use the libcurl URL parser - - instead of the custom error-prone parser, to extract and update the path - of the given URL - - Closes #9683 - -- single_transfer: use the libcurl URL parser when appending query parts - - Instead of doing "manual" error-prone parsing in another place. - - Used when --data contents is added to the URL query when -G is provided. - - Closes #9681 - -- ws: fix buffer pointer use in the callback loop - - Closes #9678 - -- [Petr Štetiar brought this change] - - curl-wolfssl.m4: error out if wolfSSL is not usable - - When I explicitly declare, that I would like to have curl built with - wolfSSL support using `--with-wolfssl` configure option, then I would - expect, that either I endup with curl having that support, for example - in form of https support or it wouldn't be available at all. - - Downstream projects like for example OpenWrt build curl wolfSSL variant - with `--with-wolfssl` already, but in certain corner cases it does fail: - - configure:25299: checking for wolfSSL_Init in -lwolfssl - configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip] - In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.h:33, - from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_public.h:35, - from target-x86_64_musl/usr/include/wolfssl/ssl.h:35, - from conftest.c:47: - target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal error: wolfssl/wolfcrypt/sp_int.h: No such file or directory - #include - ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ - compilation terminated. - - and in the end thus produces curl without https support: - - curl: (1) Protocol "https" not supported or disabled in libcurl - - So fix it, by making the working wolfSSL mandatory and error out in - configure step when that's not the case: - - checking for wolfSSL_Init in -lwolfssl... 
no - configure: error: --with-wolfssl but wolfSSL was not found or doesn't work - - References: https://github.com/openwrt/packages/issues/19005 - References: https://github.com/openwrt/packages/issues/19547 - 
Signed-off-by: Petr Štetiar - - Closes #9682 - -- tool_getparam: pass in the snprintf("%.*s") string length as 'int' - - Reported by Coverity CID 1515928 - - Closes #9679 - -- [Paul Seligman brought this change] - - ws: minor fixes for web sockets without the CONNECT_ONLY flag - - - Fixed an issue where is_in_callback was getting cleared when using web - sockets with debug logging enabled - - Ensure the handle is is_in_callback when calling out to fwrite_func - - Change the write vs. send_data decision to whether or not the handle - is in CONNECT_ONLY mode. - - Account for buflen not including the header length in curl_ws_send - - Closes #9665 - -Marc Hoersken (8 Oct 2022) -- CI/cirrus: merge existing macOS jobs into a job matrix - - Ref: #9627 - Reviewed-by: Philip H. - - Closes #9672 - -Daniel Stenberg (8 Oct 2022) -- strcase: add and use Curl_timestrcmp - - This is a strcmp() alternative function for comparing "secrets", - designed to take the same time no matter the content to not leak - match/non-match info to observers based on how fast it is. - - The time this function takes is only a function of the shortest input - string. - - Reported-by: Trail of Bits - - Closes #9658 - -- tool_getparam: split out data_urlencode() into its own function - - Closes #9673 - -- connect: fix Curl_updateconninfo for TRNSPRT_UNIX - - Reported-by: Vasiliy Ulyanov - Fixes #9664 - Closes #9670 - -- ws: fix Coverity complaints - - Coverity pointed out several flaws where variables remained - uninitialized after forks. - - Follow-up to e3f335148adc6742728f - - Closes #9666 - -Marc Hoersken (7 Oct 2022) -- CI/GHA: merge msh3 and openssl3 builds into linux workflow - - Continue work on merging all Linux workflows into one file. 
- - Follow up to #9501 - Closes #9646 - -Daniel Stenberg (7 Oct 2022) -- curl_ws_send.3: call the argument 'fragsize' - - Since WebSocket works with "fragments" not "frames" - - Closes #9668 - -- easy: avoid Intel error #2312: pointer cast involving 64-bit pointed-to type - - Follow-up to e3f335148adc6742728ff8 - - Closes #9669 - -- tool_main: exit at once if out of file descriptors - - If the main_checkfds function cannot create new file descriptors in an - attempt to detect of stdin, stdout or stderr are closed. - - Also changed the check to use fcntl() to check if the descriptors are - open, which avoids superfluously calling pipe() if they all already are. - - Follow-up to facfa19cdd4d0094 - - Reported-by: Trail of Bits - - Closes #9663 - -- websockets: remodeled API to support 63 bit frame sizes - - curl_ws_recv() now receives data to fill up the provided buffer, but can - return a partial fragment. The function now also get a pointer to a - curl_ws_frame struct with metadata that also mentions the offset and - total size of the fragment (of which you might be receiving a smaller - piece). This way, large incoming fragments will be "streamed" to the - application. When the curl_ws_frame struct field 'bytesleft' is 0, the - final fragment piece has been delivered. - - curl_ws_recv() was also adjusted to work with a buffer size smaller than - the fragment size. (Possibly needless to say as the fragment size can - now be 63 bit large). - - curl_ws_send() now supports sending a piece of a fragment, in a - streaming manner, in addition to sending the entire fragment in a single - call if it is small enough. To send a huge fragment, curl_ws_send() can - be used to send it in many small calls by first telling libcurl about - the total expected fragment size, and then send the payload in N number - of separate invokes and libcurl will stream those over the wire. 
- - The struct curl_ws_meta() returns is now called 'curl_ws_frame' and it - has been extended with two new fields: *offset* and *bytesleft*. To help - describe the passed on data chunk when a fragment is delivered in many - smaller pieces. - - The documentation has been updated accordingly. - - Closes #9636 - -- [Patrick Monnerat brought this change] - - docs/examples: avoid deprecated options in examples where possible - - Example programs targeting a deprecated feature/option are commented with - a warning about it. - Other examples are adapted to not use deprecated options. - - Closes #9661 - -Viktor Szakats (6 Oct 2022) -- cmake: fix enabling websocket support - - Follow-up from 664249d095275ec532f55dd1752d80c8c1093a77 - - Closes #9660 - -- tidy-up: delete parallel/unused feature flags - - Detecting headers and lib separately makes sense when headers come in - variations or with extra ones, but this wasn't the case here. These were - duplicate/parallel macros that we had to keep in sync with each other - for a working build. This patch leaves a single macro for each of these - dependencies: - - - Rely on `HAVE_LIBZ`, delete parallel `HAVE_ZLIB_H`. - - Also delete CMake logic making sure these two were in sync, along with - a toggle to turn off that logic, called `CURL_SPECIAL_LIBZ`. - - Also delete stray `HAVE_ZLIB` defines. - - There is also a `USE_ZLIB` variant in `lib/config-dos.h`. This patch - retains it for compatibility and deprecates it. - - - Rely on `USE_LIBSSH2`, delete parallel `HAVE_LIBSSH2_H`. - - Also delete `LIBSSH2_WIN32`, `LIBSSH2_LIBRARY` from - `winbuild/MakefileBuild.vc`, these have a role when building libssh2 - itself. And `CURL_USE_LIBSSH`, which had no use at all. - - Also delete stray `HAVE_LIBSSH2` defines. - - - Rely on `USE_LIBSSH`, delete parallel `HAVE_LIBSSH_LIBSSH_H`. 
- - Also delete `LIBSSH_WIN32`, `LIBSSH_LIBRARY` and `HAVE_LIBSSH` from - `winbuild/MakefileBuild.vc`, these were the result of copy-pasting the - libssh2 line, and were not having any use. - - - Delete unused `HAVE_LIBPSL_H` and `HAVE_LIBPSL`. - - Reviewed-by: Daniel Stenberg - - Closes #9652 - -Daniel Stenberg (6 Oct 2022) -- netrc: compare user name case sensitively - - User name comparisions in netrc need to match the case. - - Closes #9657 - -- CURLOPT_COOKIEFILE: insist on "" for enable-without-file - - The former way that also suggested using a non-existing file to just - enable the cookie engine could lead to developers maybe a bit carelessly - guessing a file name that will not exist, and then in a future due to - circumstances, such a file could be made to exist and then accidentally - libcurl would read cookies not actually meant to. - - Reported-by: Trail of bits - - Closes #9654 - -- tests/Makefile: remove run time stats from ci-test - - The ci-test is the normal makefile target invoked in CI jobs. This has - been using the -r option to runtests.pl since a long time, but I find - that it mostly just adds many lines to the test output report without - anyone caring much about those stats. - - Remove it. - - Closes #9656 - -- [Patrick Monnerat brought this change] - - tool: reorganize function c_escape around a dynbuf - - This is a bit shorter and a lot safer. - - Substrings of unescaped characters are added by a single call to reduce - overhead. - - Extend test 1465 to handle more kind of escapes. 
- - Closes #9653 - -Jay Satiro (5 Oct 2022) -- CURLOPT_HTTPPOST.3: bolden the deprecation notice - - Ref: https://github.com/curl/curl/pull/9621 - - Closes https://github.com/curl/curl/pull/9637 - -Daniel Stenberg (5 Oct 2022) -- [John Bampton brought this change] - - misc: fix spelling in docs and comments - - also: remove outdated sentence - - Closes #9644 - -- [Patrick Monnerat brought this change] - - tool: avoid generating ambiguous escaped characters in --libcurl - - C string hexadecimal-escaped characters may have more than 2 digits. - This results in a wrong C compiler interpretation of a 2-digit escaped - character when followed by an hex digit character. - - The solution retained here is to represent such characters as 3-digit - octal escapes. - - Adjust and extend test 1465 for this case. - - Closes #9643 - -- configure: the ngtcp2 option should default to 'no' - - While still experimental. - - Bug: https://curl.se/mail/lib-2022-10/0007.html - Reported-by: Daniel Hallberg - - Closes #9650 - -- CURLOPT_MIMEPOST.3: add an (inline) example - - Reported-by: Jay Satiro - Bug: https://github.com/curl/curl/pull/9637#issuecomment-1268070723 - - Closes #9649 - -Viktor Szakats (5 Oct 2022) -- Makefile.m32: exclude libs & libpaths for shared mode exes [ci skip] - - Exclude linker flags specifying depedency libs and libpaths, when - building against `libcurl.dll`. In such case these options are not - necessary (but may cause errors if not/wrongly configured.) - - Also move and reword a comment on `CPPFLAGS` to not apply to - `UNICODE` options. These are necessary for all build targets. - - Closes #9651 - -Jay Satiro (5 Oct 2022) -- runtests: fix uninitialized value on ignored tests - - - Don't show TESTFAIL message (ie tests failed which aren't ignored) if - only ignored tests failed. - - Before: - IGNORED: failed tests: 571 612 1056 - TESTDONE: 1214 tests out of 1217 reported OK: 99% - Use of uninitialized value $failed in concatenation (.) 
or string at - ./runtests.pl line 6290. - TESTFAIL: These test cases failed: - - After: - IGNORED: failed tests: 571 612 1056 - TESTDONE: 1214 tests out of 1217 reported OK: 99% - - Closes https://github.com/curl/curl/pull/9648 - -- cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS - - - Correct the use of -all-static for static Windows CI builds. - - curl_LDFLAGS was removed from the makefile when metalink support was - removed. LDFLAGS=-all-static is passed to make only, because it is not a - valid option for configure compilation tests. - - Closes https://github.com/curl/curl/pull/9633 - -Viktor Szakats (4 Oct 2022) -- Makefile.m32: fix regression with tool_hugehelp [ci skip] - - In a recent commit I mistakenly deleted this logic, after seeing a - reference to a filename ending with `.cvs` and thinking it must have - been long gone. Turns out this is an existing file. Restore the rule - and the necessary `COPY` definitions with it. - - The restored logic is required for a successful build on a bare source - tree (as opposed to a source release tarball). - - Also shorten an existing condition similar to the one added in this - patch. - - Regression since 07a0047882dd3f1fbf73486c5dd9c15370877ad6 - - Closes #9645 - -- Makefile.m32: deduplicate build rules [ci skip] - - After this patch, we reduce the three copies of most `Makefile.m32` - logic to one. This now resides in `lib/Makefile.m32`. It makes future - updates easier, the code shorter, with a small amount of added - complexity. - - `Makefile.m32` reduction: - - | | bytes | LOC total | blank | comment | code | - |-------------------|-------:|----------:|-------:|---------:|------:| - | 7.85.0 | 34772 | 1337 | 79 | 192 | 1066 | - | before this patch | 17601 | 625 | 62 | 106 | 457 | - | after this patch | 11680 | 392 | 52 | 104 | 236 | - - Details: - - - Change rules to create objects for the `v*` subdirs in the `lib` dir. 
- This allows to use a shared compile rule and assumes that filenames - are not (and will not be) colliding across these directories. - `Makefile.m32` now also stores a list of these subdirs. They are - changing rarely though. - - - Sync as much as possible between the three `Makefile.m32` scripts' - rules and their source/target sections. - - - After this patch `CPPFLAGS` are all applied to the `src` sources once - again. This matches the behaviour of cmake/autotools. Only zlib ones - are actually required there. - - - Use `.rc` names from `Makefile.inc` instead of keeping a duplicate. - - - Change examples to link `libcurl.dll` by default. This makes building - trivial, even as a cross-build: - `CC=x86_64-w64-mingw32-gcc make -f Makefile.m32` - To run them, you need to move/copy or add-to-path `libcurl.dll`. - You can select static mode via `CFG=-static`. - - - List more of the `Makefile.m32` config variables. - - - Drop `.rc` support from examples. It made it fragile without much - benefit. - - - Include a necessary system lib for the `externalsocket.c` example. - - - Exclude unnecessary systems libs when building in `-dyn` mode. - - Closes #9642 - -Daniel Stenberg (4 Oct 2022) -- RELEASE-NOTES: synced - -- CURLOPT_COOKIELIST.3: fix formatting mistake - - Also, updated manpage-syntax.pl to make it detect this error in test - 1173. - - Reported-by: ProceduralMan on github - Fixes #9639 - Closes #9640 - -- [Jay Satiro brought this change] - - connect: change verbose IPv6 address:port to [address]:port - - - Use brackets for the IPv6 address shown in verbose message when the - format is address:port so that it is less confusing. - - Before: Trying 2606:4700:4700::1111:443... - After: Trying [2606:4700:4700::1111]:443... 
- - Bug: https://curl.se/mail/archive-2022-02/0041.html - Reported-by: David Hu - - Closes #9635 - -Viktor Szakats (3 Oct 2022) -- Makefile.m32: major rework [ci skip] - - This patch overhauls `Makefile.m32` scripts, fixing a list of quirks, - making its behaviour and customization envvars align better with other - build systems, aiming for less code, that is easier to read, use and - maintain. - - Details: - - Rename customization envvars: - `CURL_CC` -> `CC` - `CURL_RC` -> `RC` - `CURL_AR` -> `AR` - `CURL_LDFLAG_EXTRAS_DLL` -> `CURL_LDFLAGS_LIB` - `CURL_LDFLAG_EXTRAS_EXE` -> `CURL_LDFLAGS_BIN` - - Drop `CURL_STRIP` and `CURL_RANLIB`. These tools are no longer used. - - Accept `CFLAGS`, `CPPFLAGS`, `RCFLAGS`, `LDFLAGS` and `LIBS` envvars. - - Drop `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, `CURL_RCFLAG_EXTRAS` in - favor of the above. - - Do not automatically enable `zlib` with `libssh2`. `zlib` is optional - with `libssh2`. - - Omit unnecessary `CPPFLAGS` options when building `curl.exe` and - examples. - - Drop support for deprecated `-winssl` `CFG` option. Use `-schannel` - instead. - - Avoid late evaluation where not necessary (`=` -> `:=`). - - Drop support for `CURL_DLL_A_SUFFIX` to override the implib suffix. - Instead, use the standard naming scheme by default: `libcurl.dll.a`. - The toolchain recognizes the name, and selects it automatically when - asking for a `-shared` vs. `-static` build. - - Stop applying `strip` to `libcurl.a`. Follow-up from - 16a58e9f93c7e89e1f87720199388bcfcfa148a4. There was no debug info to - strip since then. - - Stop setting `-O3`, `-W`, `-Wall` options. You can add these to - `CFLAGS` as desired. - - Always enable `-DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` with OpenSSL, - to avoid that vulnerability on Windows. - - Add `-lbrotlicommon` to `LIBS` when using `brotli`. - - Do not enable `-nghttp3` without `-ngtcp2`. - - `-ssh2` and `-rtmp` options no longer try to auto-select a TLS-backend. 
- You need to set the backend explicitly. This scales better and avoids - issues with certain combinations (e.g. `libssh2` + `wolfssl` with no - `schannel`). - - Default to OpenSSL TLS-backend with `ngtcp2`. Possible to override via - `NGTCP2_LIBS`. - - Old, alternate method of enabling components (e.g. `SSH2=1`) no longer - supported. - - Delete `SPNEGO` references. They were no-ops. - - Drop support for Win9x environments. - - Allow setting `OPENSSL_LIBS` independently from `OPENSSL_LIBPATH`. - - Support autotools/CMake `libssh2` builds by default. - - Respect `CURL_DLL_SUFFIX` in `-dyn` mode when building `curl.exe` and - examples. - - Assume standard directory layout with `LIBCARES_PATH`. (Instead of the - long gone embedded one.) - - Stop static linking with c-ares by default. Add - `CPPFLAGS=-DCARES_STATICLIB` to enable it. - - Reorganize internal layout to avoid redundancy and emit clean diffs - between src/lib and example make files. - - Delete unused variables. - - Code cleanups/rework. - - Comment and indentation fixes. - - Closes #9632 - -- scripts/release-notes.pl: strip ci skip tag [ci skip] - - Ref: https://github.com/curl/curl/commit/e604a82cae922bf86403a94f5803ac5e4303ae97#commitcomment-85637701 - - Reviewed-by: Daniel Stenberg - - Closes #9634 - -- Makefile.m32: delete legacy component bits [ci skip] - - - Drop auto-detection of OpenSSL 1.0.2 and earlier. Now always defaulting - to OpenSSL 1.1.0 and later, LibreSSL and BoringSSL. - - - Drop `Invalid path to OpenSSL package` detection. OpenSSL has been - using a standard file layout since 1.1.0, so this seems unnecessary - now. - - - Drop special logic to enable Novell LDAP SDK support. - - - Drop special logic to enable OpenLDAP LDAP SDK support. This seems - to be distinct from native OpenLDAP, with support implemented inside - `lib/ldap.c` (vs. `lib/openldap.c`) back when the latter did not exist - yet in curl. 
- - - Add `-lwldap32` only if there is no other LDAP library (either native - OpenLDAP, or SDKs above) present. - - - Update `doc/INSTALL.md` accordingly. - - After this patch, it's necessary to make configration changes when using - OpenSSL 1.0.2 or earlier, or the two LDAP SDKs. - - OpenSSL 1.0.2 and earlier: - ``` - export OPENSSL_INCLUDE = /outinc - export OPENSSL_LIBPATH = /out - export OPENSSL_LIBS = -lssl32 -leay32 -lgdi32 - ``` - - Novell LDAP SDK, previously enabled via `USE_LDAP_NOVELL=1`: - ``` - export CURL_CFLAG_EXTRAS = -I/inc -DCURL_HAS_NOVELL_LDAPSDK - export CURL_LDFLAG_EXTRAS = -L/lib/mscvc -lldapsdk -lldapssl -lldapx - ``` - - OpenLDAP LDAP SDK, previously enabled via `USE_LDAP_OPENLDAP=1`: - ``` - export CURL_CFLAG_EXTRAS = -I/include -DCURL_HAS_OPENLDAP_LDAPSDK - export CURL_LDFLAG_EXTRAS = -L/lib -lldap -llber - ``` - - I haven't tested these scenarios, and in general we recommend using - a recent OpenSSL release. Also, WinLDAP (the Windows default) and - OpenLDAP (via `-DUSE_OPENLDAP`) are the LDAP options actively worked on - in curl. - - Closes #9631 - -Daniel Stenberg (2 Oct 2022) -- vauth/ntlm.h: make line shorter than 80 columns - - Follow-up from 265fbd937 - -Viktor Szakats (1 Oct 2022) -- docs: update sourceforge project links [ci skip] - - SourceForge projects can now choose between two hostnames, with .io and - .net ending. Both support HTTPS by default now. Opening the other variant - will perm-redirected to the one chosen by the project. - - The .io -> .net redirection is done insecurely. - - Let's update the URLs to point to the current canonical endpoints to - avoid any redirects. - - Closes #9630 - -Daniel Stenberg (1 Oct 2022) -- curl_url_set.3: document CURLU_APPENDQUERY proper - - Listed among the other supported flags. - - Reported-by: Robby Simpson - Fixes #9628 - Closes #9629 - -Viktor Szakats (1 Oct 2022) -- Makefile.m32: cleanups and fixes [ci skip] - - - Add `-lcrypt32` once, and add it always for simplicity. 
- - Delete broken link and reference to the pre-Vista WinIDN add-on. - MS no longer distribute it. - - Delete related `WINIDN_PATH` option. IDN is a system lib since Vista. - - Sync `LIBCARES_PATH` default with the rest of dependencies. - - Delete version numbers from dependency path defaults. - - `libgsasl` package is now called `gsasl`. - - Delete `libexpat` and `libxml2` references. No longer used by curl. - - Delete `Edit the path below...` comments. We recommend to predefine - those envvars instead. - - `libcares.a` is not an internal dependency anymore. Stop using it as - such. - - `windres` `--include-dir` -> `-I`, `-F` -> `--target=` for readability. - - Delete `STRIP`, `CURL_STRIP`, `AR` references from `src/Makefile.m32`. - They were never used. - - Stop to `clean` some objects twice in `src/Makefile.m32`. - - Delete cvs-specific leftovers. - - Finish resource support in examples make file. - - Delete `-I/lib` from examples make file. - - Fix copyright start year in examples make file. - - Delete duplicate `ftpuploadresume` input in examples make file. - - Sync OpenSSL lib order, `SYNC` support, `PROOT` use, dependency path - defaults, variables names and other internal bits between the three - make files. - - `lib/Makefile.m32` accepted custom options via `DLL_LIBS` envvar. This - was lib-specific and possibly accidental. Use `CURL_LDFLAG_EXTRAS_DLL` - envvar for the same effect. - - Fix linking `curl.exe` and examples to wrong static libs with - auto-detected OpenSSL 1.0.2 or earlier. - - Add `-lgdi32` for OpenSSL 1.0.2 and earlier only. - - Add link to Novell LDAP SDK and use a relative default path. Latest - version is from 2016, linked to an outdated OpenSSL 1.0.1. - - Whitespace and comment cleanups. - - TODO in a next commit: - - Delete built-in detection/logic for OpenSSL 1.0.2 and earlier, the Novell - LDAP SDK and the other LDAP SDK (which is _not_ OpenLDAP). Write up the - necessary custom envvars to configure them. 
- - Closes #9616 - -Daniel Stenberg (30 Sep 2022) -- RELEASE-NOTES: synced - -- [Matt Holt brought this change] - - HTTP3.md: update Caddy example - - Closes #9623 - -- easy: fix the altsvc init for curl_easy_duphandle - - It was using the old #ifdef which nothing sets anymore - - Closes #9624 - -- GHA: build tests in a separate step from the running of them - - ... to make the output smaller for when you want to look at test - failures. - - Removed the examples build from msh3 - - Closes #9619 - -Viktor Szakats (29 Sep 2022) -- ldap: delete stray CURL_HAS_MOZILLA_LDAP reference - - Added in 68b215157fdf69612edebdb220b3804822277822, while adding openldap - support. This is also the single mention of this constant in the source - tree and also in that commit. Based on these, it seems like an accident. - - Delete this reference. - - Reviewed-by: Daniel Stenberg - - Closes #9625 - -- docs: spelling nits - - - MingW -> MinGW (Minimalist GNU for Windows) - - f.e. -> e.g. - - some whitespace and punctuation. - - Reviewed-by: Daniel Stenberg - - Closes #9622 - -Daniel Stenberg (29 Sep 2022) -- [Philip Heiduck brought this change] - - cirrus-ci: add macOS build with m1 - - 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - - Closes #9565 - -- [Patrick Monnerat brought this change] - - lib: sanitize conditional exclusion around MIME - - The introduction of CURL_DISABLE_MIME came with some additional bugs: - - Disabled MIME is compiled-in anyway if SMTP and/or IMAP is enabled. - - CURLOPT_MIMEPOST, CURLOPT_MIME_OPTIONS and CURLOPT_HTTPHEADER are - conditioned on HTTP, although also needed for SMTP and IMAP MIME mail - uploads. - - In addition, the CURLOPT_HTTPHEADER and --header documentation does not - mention their use for MIME mail. - - This commit fixes the problems above. - - Closes #9610 - -- [Thiago Suchorski brought this change] - - docs: minor grammar fixes - - Closes #9609 - -- CURLSHOPT_UNLOCKFUNC.3: the callback as no 'access' argument - - Probably a copy and paste error from the lock function man page. - - Reported-by: Robby Simpson - Fixes #9612 - Closes #9613 - -- CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five - - ... instead just list the supported encodings. - - Reported-by: ProceduralMan on github - Fixes #9614 - Closes #9615 - -Dan Fandrich (28 Sep 2022) -- tests: Remove a duplicated keyword - -- docs: document more server names for test files - -Daniel Stenberg (28 Sep 2022) -- altsvc: reject bad port numbers - - The existing code tried but did not properly reject alternative services - using negative or too large port numbers. - - With this fix, the logic now also flushes the old entries immediately - before adding a new one, making a following header with an illegal entry - not flush the already stored entry. - - Report from the ongoing source code audit by Trail of Bits. - - Adjusted test 356 to verify. - - Closes #9607 - -- functypes: provide the recv and send arg and return types - - This header is for providing the argument types for recv() and send() - when built to not use a dedicated config-[platfor].h file. - - Remove the slow brute-force checks from configure and cmake. 
- - This change also removes the use of the types for select, as they were - not used in code. - - Closes #9592 - -- urlapi: reject more bad characters from the host name field - - Extended test 1560 to verify - - Report from the ongoing source code audit by Trail of Bits. - - Closes #9608 - -- configure: deprecate builds with small curl_off_t - - If curl_off_t turns out to be smaller than 8 bytes, - --with-n64-deprecated needs to be used to allow the build to - continue. This is to highlight the fact that support for such builds is - going away next year. - - Also mentioned in DEPRECATED.md - - Closes #9605 - -- [Patrick Monnerat brought this change] - - http, vauth: always provide Curl_allow_auth_to_host() functionality - - This function is currently located in the lib/http.c module and is - therefore disabled by the CURL_DISABLE_HTTP conditional token. - - As it may be called by TLS backends, disabling HTTP results in an - undefined reference error at link time. - - Move this function to vauth/vauth.c to always provide it and rename it - as Curl_auth_allowed_to_host() to respect the vauth module naming - convention. - - Closes #9600 - -- ngtcp2: fix C89 compliance nit - -- openssl: make certinfo available for QUIC - - Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that - can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC - connections as well. - - The *certchain function was moved to the top of the file for this reason. - - Reported-by: Eloy Degen - Fixes #9584 - Closes #9597 - -- RELEASE-NOTES: synced - -- DEPRECATE.md: Support for systems without 64 bit data types - - Closes #9604 - -- [Patrick Monnerat brought this change] - - tests: skip mime/form tests when mime is not built-in - - Closes #9596 - -- url: rename function due to name-clash in Watt-32 - - Follow-up to 2481dbe5f4f58 and applies the change the way it was - intended. 
- -Viktor Szakats (26 Sep 2022) -- windows: adjust name of two internal public functions - - According to `docs/INTERNALS.md`, internal function names spanning source - files start with uppercase `Curl_`. Bring these two functions in - alignment with this. - - This also stops exporting them from `libcurl.dll` in autotools builds. - - Reviewed-by: Daniel Stenberg - - Closes #9598 - -Daniel Stenberg (26 Sep 2022) -- [Gisle Vanem brought this change] - - url: rename function due to name-clash in Watt-32 - - Since the commit 764c958c52edb427f39, there was a new function called - resolve_ip(). This clashes with an internal function in Watt-32. - - Closes #9585 - -Jay Satiro (26 Sep 2022) -- schannel: ban server ALPN change during recv renegotiation - - By the time schannel_recv is renegotiating the connection, libcurl has - already decided on a protocol and it is too late for the server to - select a protocol via ALPN except for the originally selected protocol. - - Ref: https://github.com/curl/curl/issues/9451 - - Closes https://github.com/curl/curl/pull/9463 - -Daniel Stenberg (26 Sep 2022) -- url: a zero-length userinfo part in the URL is still a (blank) user - - Adjusted test 1560 to verify - - Reported-by: Jay Satiro - - Fixes #9088 - Closes #9590 - -Viktor Szakats (25 Sep 2022) -- autotools: allow --enable-symbol-hiding with windows - - This local autotools logic was put in place in - 9e24b9c7afbcb81120af4cf3f6cdee49a06d8224 (in 2012) which disabled it for - Windows unconditionally. Testing reveals that it actually works with - tested toolchains (mingw-w64 and CI ones), so let's allow this build - feature on that platform. Bringing this in sync with CMake, which already - supported this. - - Reviewed-by: Jay Satiro - - Closes #9586 - -- autotools: reduce brute-force when detecting recv/send arg list - - autotools uses brute-force to detect `recv`/`send`/`select` argument - lists, by interating through _all_ argument type combinations on each - `./configure` run. 
This logic exists since - 01fa02d0b545e1433dced2430561f8c0c72b74a9 (from 2006) and was a bit later - extended with Windows support. - - This results in a worst-case number of compile + link cycles as below: - - `recv`: 96 - - `send`: 192 - - `select`: 60 - Total: 348 (the number of curl C source files is 195, for comparison) - - Notice that e.g. curl-for-win autotools builds require two `./configure` - invocations, doubling these numbers. - - `recv` on Windows was especially unlucky because `SOCKET` (the correct - choice there) was listed _last_ in one of the outer trial loops. This - resulted in lengthy waits while autotools was trying all invalid - combinations first, wasting cycles, disk writes and slowing down - iteration. - - This patch reduces the amount of idle work by reordering the tests in - a way to succeed first on a well-known platform such as Windows, and - also on non-Windows by testing for POSIX prototypes first, on the - assumption that these are the most likely candidates these days. (We do - not touch `select`, where the order was already optimal for these - platforms.) - - For non-Windows, this means to try a return value of `ssize_t` first, - then `int`, reordering the buffer argument type to try `void *` first, - then `byte *`, and prefer the `const` flavor with `send`. If we are - here, also stop testing for `SOCKET` type in non-Windows builds. - - After the patch, detection on Windows is instantaneous. It should also be - faster on popular platforms such as Linux and BSD-based ones. - - If there are known-good variations for other platforms, they can also be - fast-tracked like above, given a way to check for that platform inside - the autotools logic. 
- - Reviewed-by: Daniel Stenberg - - Closes #9591 - -Daniel Stenberg (23 Sep 2022) -- TODO: Provide the error body from a CONNECT response - - Spellchecked-by: Jay Satiro - - Closes #9513 - Closes #9581 - -Viktor Szakats (23 Sep 2022) -- windows: autotools .rc warnings fixup - - Move `LT_LANG([Windows Resource])` after `XC_LIBTOOL`, fixing: - - - Warnings when running `autoreconf -fi`. - - - Warning when compiling .rc files: - libtool: compile: unable to infer tagged configuration - libtool: error: specify a tag with '--tag' - - Follow up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057 - Ref: https://github.com/curl/curl/pull/9521#issuecomment-1256291156 - - Suggested-by: Patrick Monnerat - Closes #9582 - -Daniel Stenberg (23 Sep 2022) -- [Randall S. Becker brought this change] - - curl_setup: disable use of FLOSS for 64-bit NonStop builds - - Older 32-bit builds currently need FLOSS. This dependency may be removed - in future OS releases. - - 
Signed-off-by: Randall S. Becker - - Closes #9575 - -- [Patrick Monnerat brought this change] - - tool: remove dead code - - Add a debug assertion to verify protocols included/excluded in a set - are always tokenized. - - Follow-up to commit 677266c. - - Closes #9576 - -- [Patrick Monnerat brought this change] - - lib: prepare the incoming of additional protocols - - Move the curl_prot_t to its own conditional block. Introduce symbol - PROTO_TYPE_SMALL to control it. - - Fix a cast in a curl_prot_t assignment. - Remove an outdated comment. - - Follow-up to cd5ca80. - - Closes #9534 - -- msh3: change the static_assert to make the code C89 - -- bearssl: make it proper C89 compliant - -- curl-compilers.m4: for gcc + want warnings, set gnu89 standard - - To better verify that the code is C89 - - Closes #9542 - -- [Patrick Monnerat brought this change] - - lib517: fix C89 constant signedness - - In C89, positive integer literals that overflow an int but not an - unsigned int may be understood as a negative int. - - lib517.c:129:3: warning: this decimal constant is unsigned only in ISO C90 - {"Sun, 06 Nov 2044 08:49:37 GMT", 2362034977 }, - ^ - - Closes #9572 - -- mprintf: use snprintf if available - - This is the single place in libcurl code where it uses the "native" - s(n)printf() function. Used for writing floats. The use has been - reviewed and vetted and uses a HUGE target buffer, but switching to - snprintf() still makes this safer and removes build-time warnings. - - Reported-by: Philip Heiduck - - Fixes #9569 - Closes #9570 - -- docs: tag curl options better in man pages - - As it makes them links in the HTML versions. - - Verified by the extended test 1176 - -- symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6 - -- manpage-syntax.pl: all libcurl option symbols should be \fI-tagged - - ... as that makes them links to their corresponding man page. - - This script is used for test 1173. 
- - Closes #9574 - -- RELEASE-NOTES: synced - -- [Patrick Monnerat brought this change] - - tool: remove protocol count limitation - - Replace bit mask protocol sets by null-terminated arrays of protocol - tokens. These are the addresses of the protocol names returned by - curl_version_info(). - - Protocol names are sorted case-insensitively before output to satisfy CI - tests matches consistency. - - The protocol list returned by curl_version_info() is augmented with all - RTMP protocol variants. - - Test 1401 adjusted for new alpha ordered output. - - Closes #9546 - -- test972: verify the output without using external tool - - It seems too restrictive to assume and use an external tool to verify - the JSON. This now verifies the outut byte per byte. We could consider - building a local "JSON verifyer" in a future. - - Remove 'jsonlint' from the CI job. - - Reported-by: Marcel Raad - Fixes #9563 - Closes #9564 - -- hostip: lazily wait to figure out if IPv6 works until needed - - The check may take many milliseconds, so now it is performed once the - value is first needed. Also, this change makes sure that the value is - not used if the resolve is set to be IPv4-only. - - Closes #9553 - -- curl.h: fix mention of wrong error code in comment - - The same error and comment were also used and is now corrected in - CURLOPT_SSH_KEYFUNCTION.3 - -- symbol-scan.pl: scan and verify .3 man pages - - This script now also finds all .3 man pages in docs/include and - docs/include/opts, extracts all uses of CURL* symbols and verifies that all - symbols mentioned in docs are defined in public headers. - - A "global symbol" is one of those matching a known prefix and the script makes - an attempt to check all/most of them. Just using *all* symbols that match - CURL* proved matching a little too many other references as well and turned - difficult turning into something useful. 
- - Closes #9544 - -- symbols-in-versions: add missing LIBCURL* symbols - -- symbol-scan.pl: also check for LIBCURL* symbols - - Closes #9544 - -- docs/libcurl/symbols-in-versions: add several missing symbols - -- test1119: scan all public headers - - Previously this test only scanned a subset of the headers, which made us - accidentally miss symbols that were provided in the others. Now, the script - iterates over all headers present in include/curl. - - Closes #9544 - -- [Patrick Monnerat brought this change] - - examples/chkspeed: improve portability - - The example program chkspeed uses strncasecmp() which is not portable - across systems. Replace calls to this function by tests on characters. - - Closes #9562 - -- easy: fix the #include order - - The mentioned "last 3 includes" order should be respected. easy_lock.h should - be included before those three. - - Reported-by: Yuriy Chernyshov - Fixes #9560 - Closes #9561 - -- docs: spellfixes - - Pointed by the new CI job - -- GHA: spellcheck - - This spellchecker checks markdown files. For this reason this job - converts all man pages in the repository to markdown with pandoc before - the check runs. - - The perl script 'cleanspell' filters out details from the man page in - the process, to avoid the spellchecker trying to spellcheck things it - can't. Like curl specific symbols and the SYNOPSIS and EXAMPLE sections - of libcurl man pages. - - The spell checker does not check words in sections that are within pre, - strong and em tags. - - 'spellcheck.words' is a custom word list with additional accepted words. - - Closes #9523 - -- connect: fix the wrong error message on connect failures - - The "Failed to connect to" message after a connection failure would - include the strerror message based on the presumed previous socket - error, but in times it seems that error number is not set when reaching - this code and therefore it would include the wrong error message. 
- - The strerror message is now removed from here and the curl_easy_strerror - error is used instead. - - Reported-by: Edoardo Lolletti - Fixes #9549 - Closes #9554 - -- httpput-postfields.c: shorten string for C89 compliance - - httpput-postfields.c:41:3: error: string length ‘522’ is greater than the length ‘509’ ISO C90 compilers are required to support [-Woverlength-strings] - 41 | "this chapter."; - | ^~~~~~~~~~~~~~~ - - Closes #9555 - -- ws: fix a C89 compliance nit - - Closes #9541 - -- [Patrick Monnerat brought this change] - - unit test 1655: make it C89-compliant - - Initializations performed in unit test 1655 use automatic variables in - aggregates and thus can only be computed at run-time. Using gcc in C89 - dialect mode produces warning messages like: - - unit1655.c:96:7: warning: initializer element is not computable at load time [-Wpedantic] - 96 | { toolong, DOH_DNS_NAME_TOO_LONG }, /* expect early failure */ - | ^~~~~~~ - - Fix the problem by converting these automatic pointer variables to - static arrays. - - Closes #9551 - -- [Tobias Schaefer brought this change] - - curl_strequal.3: fix typo - - Closes #9548 - -- [Dmitry Karpov brought this change] - - resolve: make forced IPv4 resolve only use A queries - - This protects IPv4-only transfers from undesired bad IPv6-related side - effects and make IPv4 transfers in dual-stack libcurl behave the same - way as in IPv4 single-stack libcurl. - - Closes #9540 - -- RELEASE-NOTES: synced - -- winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths - - Patched-by: Mark Itzcovitz - Bug: https://curl.se/mail/lib-2022-09/0038.html - - Closes #9536 - -- TODO: Reduce CA certificate bundle reparsing - - By adding some sort of cache. - - Reported-by: Michael Drake - Closes #9379 - Closes #9538 - -Marc Hoersken (19 Sep 2022) -- CI/GHA: cancel outdated CI runs on new PR changes - - Avoid letting outdated CI runs continue if a PR receives - new changes. 
Outside a PR we let them continue running - by tying the concurrency to the commit hash instead. - - Also only let one CodeQL or Hacktoberfest job run at a time. - - Other CI platforms we use have this build in, but GitHub - unfortunately neither by default nor with a simple option. - - This saves CI resources and therefore a little energy. - - Approved-by: Daniel Stenberg - Approved-by: Max Dymond - Closes #9533 - -Daniel Stenberg (19 Sep 2022) -- docs: fix proselint complaints - -- GHA: run proselint on markdown files - - Co-authored-by: Marc Hörsken - - Closes #9520 - -- lib: the number four in a sequence is the "fourth" - - Spelling is hard - - Closes #9535 - -- [John Bampton brought this change] - - misc: fix spelling in two source files - - Closes #9529 - -Viktor Szakats (18 Sep 2022) -- windows: add .rc support to autotools builds - - After this update autotools builds will compile and link `.rc` resources - to Windows executables. Bringing this feature on par with CMake and - Makefile.m32 builds. And also making it unnecessary to improvise these - steps manually, while monkey patching build files, e.g. [0]. - - You can customize the resource compiler via the `RC` envvar, and its - options via `RCFLAGS`. - - This harmless warning may appear throughout the build, even though the - autotools manual documents [1] `RC` as a valid tag, and it fails when - omitting one: - `libtool: error: ignoring unknown tag RC` - - [0] https://github.com/curl/curl-for-win/blob/535f19060d4b708f72e75dd849409ce50baa1b84/curl-autotools.sh#L376-L382 - [1] https://www.gnu.org/software/libtool/manual/html_node/Tags.html - - Closes #9521 - -Marc Hoersken (18 Sep 2022) -- CI/linkcheck: only run if a Markdown file is changed - - This saves CI resources and therefore a little energy. - - Reviewed-by: Max Dymond - Closes #9531 - -- README.md: add GHA status badges for Linux and macOS builds - - This makes sense now that Linux builds are being consolidated. 
- - Approved-by: Daniel Stenberg - Closes #9530 - - [skip ci] - -Daniel Stenberg (17 Sep 2022) -- misc: null-terminate - - Make use of this term consistently. - - Closes #9527 - -Marc Hoersken (17 Sep 2022) -- CI/GHA: merge intel CC and more TLS libs into linux workflow - - Continue work on merging all Linux workflows into one file. - - Reviewed-by: Max Dymond - Follow up to #9501 - Closes #9514 - -Daniel Stenberg (17 Sep 2022) -- [Patrick Monnerat brought this change] - - lib1597: make it C89-compliant again - - Automatic variable addresses cannot be used in an initialisation - aggregate. - - Follow-up to 9d51329 - - Reported-by: Daniel Stenberg - Fixes: #9524 - Closes #9525 - -- tool_libinfo: silence "different 'const' qualifiers" in qsort() - - MSVC 15.0.30729.1 warned about it - - Follow-up to dd2a024323dcc - - Closes #9522 - -- [Patrick Monnerat brought this change] - - docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR. - - Disabled protocols are now handled as if they were unknown. - Also update the possible protocol list. - -- [Patrick Monnerat brought this change] - - cli tool: do not use disabled protocols - - As they are now rejected by the library, take care of not passing - disabled protocol names to CURLOPT_PROTOCOLS_STR and - CURLOPT_REDIR_PROTOCOLS_STR. - - Rather than using the CURLPROTO_* constants, dynamically assign protocol - numbers based on the order they are listed by curl_version_info(). - - New type proto_set_t implements prototype bit masks: it should therefore - be large enough to accomodate all library-enabled protocols. If not, - protocol numbers beyond the bit count of proto_set_t are recognized but - "inaccessible": when used, a warning is displayed and the value is - ignored. Should proto_set_t overflows, enabled protocols are reordered to - force those having a public CURLPROTO_* representation to be accessible. 
- - Code has been added to subordinate RTMP?* protocols to the presence of - RTMP in the enabled protocol list, being returned by curl_version_info() - or not. - -- [Patrick Monnerat brought this change] - - setopt: use the handler table for protocol name to number conversions - - This also returns error CURLE_UNSUPPORTED_PROTOCOL rather than - CURLE_BAD_FUNCTION_ARGUMENT when a listed protocol name is not found. - - A new schemelen parameter is added to Curl_builtin_scheme() to support - this extended use. - - Note that disabled protocols are not recognized anymore. - - Tests adapted accordingly. - - Closes #9472 - -- altsvc: use 'h3' for h3 - - Since the official and real version has been out for a while now and servers - are deployed out there using it, there is no point in sticking to h3-29. - - Reported-by: ウさん - Fixes #9515 - Closes #9516 - -Jay Satiro (16 Sep 2022) -- [chemodax brought this change] - - winbuild: Use NMake batch-rules for compilation - - - Invoke cl compiler once for each group of .c files. - - This is significantly improves compilation time. For example in my - environment: 40 s --> 20 s. - - Prior to this change cl was invoked per .c file. 
- - Closes https://github.com/curl/curl/pull/9512 - -Daniel Stenberg (16 Sep 2022) -- ws: the infof() flags should be %zu - - Follow-up to e5e9e0c5e49ae0 - - Closes #9518 - -- curl: warn for --ssl use, considered insecure - - Closes #9519 - -- [Sergey Bronnikov brought this change] - - curl_escape.3: fix typo - - lengthf -> length - - Closes #9517 - -- mailmap: merge Philip Heiduck's two addresses into one - -- test1948: verify PUT + POST reusing the same handle - - Reproduced #9507, verifies the fix - -- setopt: when POST is set, reset the 'upload' field - - Reported-by: RobBotic1 on github - Fixes #9507 - Closes #9511 - -Marc Hoersken (15 Sep 2022) -- github: initial CODEOWNERS setup for CI configuration - - Reviewed-by: Daniel Stenberg - Reviewed-by: Marcel Raad - Reviewed-by: Max Dymond - - Closes #9505 - - [skip ci] - -- [Philip Heiduck brought this change] - - CI: optimize some more dependencies install - - 
Signed-off-by: Philip Heiduck - - Closes #9500 - -- CI/GHA: merge event-based and NSS into new linux workflow - - Continue work on merging all Linux workflows into one file. - - Follow up to #9501 - Closes #9506 - -Daniel Stenberg (15 Sep 2022) -- include/curl/websockets.h: add extern "C" for C++ - - Reported-by: n0name321 on github - Fixes #9509 - Closes #9510 - -- lib1560: extended to verify detect/reject of unknown schemes - - ... when no guessing is allowed. - -- urlapi: detect scheme better when not guessing - - When the parser is not allowed to guess scheme, it should consider the - word ending at the first colon to be the scheme, independently of number - of slashes. - - The parser now checks that the scheme is known before it counts slashes, - to improve the error messge for URLs with unknown schemes and maybe no - slashes. - - When following redirects, no scheme guessing is allowed and therefore - this change effectively prevents redirects to unknown schemes such as - "data". - - Fixes #9503 - -- strerror: improve two URL API error messages - -Marc Hoersken (14 Sep 2022) -- CI/GHA: merge bearssl and hyper into initial linux workflow - - Begin work on merging all Linux workflows into one file. - - Closes #9501 - -Daniel Stenberg (14 Sep 2022) -- RELEASE-NOTES: synced - -- cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h - - Since the config file might also get included by the tool code at times. - This syncs with how other builds do it. - - Closes #9498 - -- tool_hugehelp: make hugehelp a blank macro when disabled - - Closes #9485 - -- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled - - ... to improve the output in this situation. Now it doesn't say "option - unknown" anymore. - - Closes #9485 - -- setopt: fix compiler warning - - Follow-up to cd5ca80f00d2 - - closes #9502 - -- [Philip Heiduck brought this change] - - CI: skip make, do make install at once for dependencies - - 
Signed-off-by: Philip Heiduck - - Closes #9477 - -- formdata: typecast the va_arg return value - - To avoid "enumerated type mixed with another type" warnings - - Follow-up from 0f52dd5fd5aa3592691a - - Closes #9499 - -- RELEASE-PROCEDURE.md: mention patch releases - - - When to make them and how to argue for them - - Refreshed the release date list - - Closes #9495 - -- urldata: use a curl_prot_t type for storing protocol bits - - This internal-use-only storage type can be bumped to a curl_off_t once - we need to use bit 32 as the previous 'unsigned int' can no longer hold - them all then. - - The websocket protocols take bit 30 and 31 so they are the last ones - that fit within 32 bits - but cannot properly be exported through APIs - since those use *signed* 32 bit types (long) in places. - - Closes #9481 - -- [zhanghu on xiaomi brought this change] - - formdata: fix warning: 'CURLformoption' is promoted to 'int' - - curl/lib/formdata.c: In function 'FormAdd': - curl/lib/formdata.c:249:31: warning: 'CURLformoption' is promoted to 'int' when passed through '...' - 249 | option = va_arg(params, CURLformoption); - | ^ - curl/lib/formdata.c:249:31: note: (so you should pass 'int' not 'CURLformoption' to 'va_arg') - curl/lib/formdata.c:249:31: note: if this code is reached, the program will abort - - Closes #9484 - -- CURLOPT_CONNECT_ONLY.3: for ws(s) as well - - and correct the version number for when that support comes. Even if it - is still experimental for WebSocket. - - Closes #9487 - -- tool_operate: avoid a few #ifdefs for disabled-libcurl builds - - By providing empty macros in the header file instead, the code gets - easier to read and yet is disabled on demand. - - Closes #9486 - -- [a1346054 on github brought this change] - - scripts: use `grep -E` instead of `egrep` - - egrep is deprecated - - Closes #9491 - -- [Hayden Roche brought this change] - - wolfSSL: fix session management bug. 
- - Prior to this commit, non-persistent pointers were being used to store - sessions. When a WOLFSSL object was then freed, that freed the session - it owned, and thus invalidated the pointer held in curl's cache. This - commit makes it so we get a persistent (deep copied) session pointer - that we then add to the cache. Accordingly, wolfssl_session_free, which - was previously a no-op, now needs to actually call SSL_SESSION_free. - - This bug was discovered by a wolfSSL customer. - - Closes #9492 - -- docs: use "WebSocket" in singular - - This is how the RFC calls the protocol. Also rename the file in docs/ to - WEBSOCKET.md in uppercase to match how we have done it for many other - protocol docs in similar fashion. - - Add the WebSocket docs to the tarball. - - Closes #9496 - -Marcel Raad (12 Sep 2022) -- ws: fix build without `USE_WEBSOCKETS` - - The curl.h include is required unconditionally. - -- ws: add missing curl.h include - - A conflict between commits 664249d0952 and e5839f4ee70 broke the build. - -Daniel Stenberg (12 Sep 2022) -- ws: fix an infof() call to use %uz for size_t output - - Detected by Coverity, CID 1514665. - - Closes #9480 - -Marcel Raad (12 Sep 2022) -- curl_setup: include only system.h instead of curl.h - - As done before commit 9506d01ee50. - - Ref: https://github.com/curl/curl/pull/9375#discussion_r957010158 - Closes https://github.com/curl/curl/pull/9453 - -- lib: add missing limits.h includes - - Closes https://github.com/curl/curl/pull/9453 - -- lib and tests: add missing curl.h includes - - Closes https://github.com/curl/curl/pull/9453 - -- curl_setup: include curl.h after platform setup headers - - The platform setup headers might set definitions required for the - includes in curl.h. 
- - Ref: https://github.com/curl/curl/pull/9375#discussion_r956998269 - Closes https://github.com/curl/curl/pull/9453 - -Daniel Stenberg (12 Sep 2022) -- [Benjamin Loison brought this change] - - docs: correct missing uppercase in Markdown files - - To detect these typos I used: - - ``` - clear && grep -rn '\. [a-z]' . | uniq | grep -v '\. lib' | grep -v '[0-9]\. [a-z]' | grep -v '\.\. [a-z]' | grep -v '\. curl' | grep -v 'e.g. [a-z]' | grep -v 'eg. [a-z]' | grep -v '\etc. [a-z]' | grep -v 'i.e\. [a-z]' | grep --color=always '\. [a-z]' | grep '\.md' - ``` - - Closes #9474 - -- tool_setopt: use better English in --libcurl source comments - - Like this: - - XYZ was set to an object pointer - ABC was set to a function pointer - - Closes #9475 - -- setopt: make protocol2num use a curl_off_t for the protocol bit - - ... since WSS does not fit within 32 bit. - - Bug: https://github.com/curl/curl/pull/9467#issuecomment-1243014887 - Closes #9476 - -- RELEASE-NOTES: synced - -- configure: polish the grep -E message a bit further - - Suggested-by: Emanuele Torre - Closes #9473 - -- GHA: add a gcc-11 -O3 build using OpenSSL - - Since -O3 might trigger other warnings - - Closes #9454 - -- [Patrick Monnerat brought this change] - - content_encoding: use writer struct subclasses for different encodings - - The variable-sized encoding-specific storage of a struct contenc_writer - currently relies on void * alignment that may be insufficient with - regards to the specific storage fields, although having not caused any - problems yet. 
- - In addition, gcc 11.3 issues a warning on access to fields of partially - allocated structures that can occur when the specific storage size is 0: - - content_encoding.c: In function ‘Curl_build_unencoding_stack’: - content_encoding.c:980:21: warning: array subscript ‘struct contenc_writer[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Warray-bounds] - 980 | writer->handler = handler; - | ~~~~~~~~~~~~~~~~^~~~~~~~~ - In file included from content_encoding.c:49: - memdebug.h:115:29: note: referencing an object of size 16 allocated by ‘curl_dbg_calloc’ - 115 | #define calloc(nbelem,size) curl_dbg_calloc(nbelem, size, __LINE__, __FILE__) - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - content_encoding.c:977:60: note: in expansion of macro ‘calloc’ - 977 | struct contenc_writer *writer = (struct contenc_writer *)calloc(1, sz); - - To solve both these problems, the current commit replaces the - contenc_writer/params structure pairs by "subclasses" of struct - contenc_writer. These are structures that contain a contenc_writer at - offset 0. Proper field alignment is therefore handled by the compiler and - full structure allocation is performed, silencing the warnings. - - Closes #9455 - -- configure: correct the wording when checking grep -E - - The check first checks that grep -E works, and only as a fallback tries - to find and use egrep. egrep is deprecated. - - This change only corrects the output wording, not the checks themselves. - - Closes #9471 - -Viktor Szakats (10 Sep 2022) -- websockets: sync prototypes in docs with implementation [ci skip] - - Docs for the new send/recv functions synced with the committed versions - of these. - - Closes #9470 - -Daniel Stenberg (10 Sep 2022) -- setopt: make protocols2num() work with websockets - - So that CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR can - specify those as well. 
- - Reported-by: Patrick Monnerat - Bug: https://curl.se/mail/lib-2022-09/0016.html - Closes #9467 - -- curl/websockets.h: remove leftover bad typedef - - Just a leftover trace of a development thing that did not stay like - that. - - Reported-by: Marc Hörsken - Fixes #9465 - Cloes #9466 - -Marcel Raad (10 Sep 2022) -- [Orgad Shaneh brought this change] - - fix Cygwin/MSYS compilation - - _getpid is Windows API. On Cygwin variants it should remain getpid. - - Fixes #8220 - Closes #9255 - -Marc Hoersken (10 Sep 2022) -- GHA: prepare workflow merge by aligning structure again - - Closes #9413 - -Daniel Stenberg (9 Sep 2022) -- docs: the websockets symbols are added in 7.86.0 - - Nothing else - - Closes #9459 - -- tests/libtest/Makefile.inc: fixup merge conflict mistake - -- EXPERIMENTAL.md: add WebSockets - -- appveyor: enable websockets - -- cirrus: enable websockets in the windows builds - -- GHA: add websockets to macos, openssl3 and hyper builds - -- tests: add websockets tests - - - add websockets support to sws - - 2300: first very basic websockets test - - 2301: first libcurl test for ws (not working yet) - - 2302: use the ws callback - - 2303: test refused upgrade - -- curl_ws_meta: initial implementation - -- curl_ws_meta.3: added docs - -- ws: initial websockets support - - Closes #8995 - -- version: add ws + wss - -- libtest/lib1560: test basic websocket URL parsing - -- configure: add --enable-websockets - -- docs/WebSockets.md: docs - -- test415: verify Content-Length parser with control code + negative value - -- strtoofft: after space, there cannot be a control code - - With the change from ISSPACE() to ISBLANK() this function no longer - deals with (ignores) control codes the same way, which could lead to - this function returning unexpected values like in the case of - "Content-Length: \r-12354". 
- - Follow-up to 6f9fb7ec2d7cb389a0da5 - - Detected by OSS-fuzz - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51140 - Assisted-by: Max Dymond - Closes #9458 - -- headers: reset the requests counter at transfer start - - If not, reusing an easy handle to do a subsequent transfer would - continue the counter from the previous invoke, which then would make use - of the header API difficult/impossible as the request counter - mismatched. - - Add libtest 1947 to verify. - - Reported-by: Andrew Lambert - Fixes #9424 - Closes #9447 - -Jay Satiro (8 Sep 2022) -- header: define public API functions as extern c - - Prior to this change linker errors would occur if curl_easy_header or - curl_easy_nextheader was called from a C++ unit. - - Bug: https://github.com/curl/curl/issues/9424#issuecomment-1238818007 - Reported-by: Andrew Lambert - - Closes https://github.com/curl/curl/pull/9446 - -Daniel Stenberg (8 Sep 2022) -- http2: make nghttp2 less picky about field whitespace - - In nghttp2 1.49.0 it returns error on leading and trailing whitespace in - header fields according to language in the recently shipped RFC 9113. - - nghttp2 1.50.0 introduces an option to switch off this strict check and - this change enables this option by default which should make curl behave - more similar to how it did with nghttp2 1.48.0 and earlier. - - We might want to consider making this an option in the future. - - Closes #9448 - -- RELEASE-NOTES: synced - - And bump to 7.86.0 for the pending next release - -- [Michael Heimpold brought this change] - - ftp: ignore a 550 response to MDTM - - The 550 is overused as a return code for multiple error case, e.g. - file not found and/or insufficient permissions to access the file. - - So we cannot fail hard in this case. - - Adjust test 511 since we now fail later. - Add new test 3027 which check that when MDTM failed, but the file could - actually be retrieved, that in this case no filetime is provided. 
- - Reported-by: Michael Heimpold - Fixes #9357 - Closes #9387 - -- urlapi: leaner with fewer allocs - - Slightly faster with more robust code. Uses fewer and smaller mallocs. - - - remove two fields from the URL handle struct - - reduce copies and allocs - - use dynbuf buffers more instead of custom malloc + copies - - uses dynbuf to build the host name in reduces serial alloc+free within - the same function. - - move dedotdotify into urlapi.c and make it static, not strdup the input - and optimize it by checking for . and / before using strncmp - - remove a few strlen() calls - - add Curl_dyn_setlen() that can "trim" an existing dynbuf - - Closes #9408 - -Jay Satiro (7 Sep 2022) -- setup-win32: no longer define UNICODE/_UNICODE implicitly - - - If UNICODE or _UNICODE is defined but the other isn't then error - instead of implicitly defining it. - - As Marcel pointed out it is too late at this point to make such a define - because Windows headers may already be included, so likely it never - worked. We never noticed because build systems that can make Windows - Unicode builds always define both. If one is defined but not the other - then something went wrong during the build configuration. - - Bug: https://github.com/curl/curl/pull/9375#discussion_r956545272 - Reported-by: Marcel Raad - - Closes https://github.com/curl/curl/pull/9384 - -Dan Fandrich (6 Sep 2022) -- tests: fix tag syntax errors in test files - -Marc Hoersken (6 Sep 2022) -- lib: add required Win32 setup definitions in setup-win32.h - - Assisted-by: Jay Satiro - Reviewed-by: Marcel Raad - - Follow up to #9312 - Closes #9375 - -Daniel Stenberg (6 Sep 2022) -- pingpong: extend the response reading error with errno - - To help diagnosing the cause of the problem. 
- - See #9380 - Closes #9443 - -- curl-compilers.m4: use -O2 as default optimize for clang - - Not -Os - - Closes #9444 - -- tool_operate: fix msnprintfing the error message - - Follow-up to 7be53774c41c59b47075fba - - Coverity CID 1513717 pointed out that we cannot use sizeof() on the - error buffer anymore. - - Closes #9440 - -- [Emanuele Torre brought this change] - - curl_ctype: add space around <= operator in ISSPACE macro - - Follow-up to f65f750 - - Closes #9441 - -- CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies - - The 'protocols' listed were previously wrong. - - Reported-by: ProceduralMan on github - Fixes #9434 - Closes #9435 - -- curl_ctype: convert to macros-only - - This no longer provide functions, only macros. Runs faster and produces - smaller output. - - The biggest precaution this change brings: - - DO NOT use post/pre-increments when passing arguments to the macros. - - Closes #9429 - -- misc: ISSPACE() => ISBLANK() - - Instances of ISSPACE() use that should rather use ISBLANK(). I think - somewhat carelessly used because it sounds as if it checks for space or - whitespace, but also includes %0a to %0d. - - For parsing purposes, we should only accept what we must and not be - overly liberal. It leads to surprises and surprises lead to bad things. - - Closes #9432 - -- ctype: remove all use of , use our own versions - - Except in the test servers. - - Closes #9433 - -Marc Hoersken (5 Sep 2022) -- cmake: skip superfluous hex2dec conversion using math expr - - CMake seems to be able to compare two hex values just fine. - Also make sure CURL_TARGET_WINDOWS_VERSION is respected. 
- - Assisted-by: Marcel Raad - Reviewed-by: Viktor Szakats - Reported-by: Keitagit-kun on github - - Follow up to #9312 - Fixes #9406 - Closes #9411 - -Daniel Stenberg (5 Sep 2022) -- curl_easy_pause.3: unpausing is as fast as possible - - Reported-by: ssdbest on github - Fixes #9410 - Closes #9430 - -- CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols - - Except file. - - Reported-by: ProceduralMan on github - Fixes #9427 - Closes #9428 - -- NPN: remove support for and use of - - Next Protocol Negotiation is a TLS extension that was created and used - for agreeing to use the SPDY protocol (the precursor to HTTP/2) for - HTTPS. In the early days of HTTP/2, before the spec was finalized and - shipped, the protocol could be enabled using this extension with some - servers. - - curl supports the NPN extension with some TLS backends since then, with - a command line option `--npn` and in libcurl with - `CURLOPT_SSL_ENABLE_NPN`. - - HTTP/2 proper is made to use the ALPN (Application-Layer Protocol - Negotiation) extension and the NPN extension has no purposes - anymore. The HTTP/2 spec was published in May 2015. - - Today, use of NPN in the wild should be extremely rare and most likely - totally extinct. Chrome removed NPN support in Chrome 51, shipped in - June 2016. Removed in Firefox 53, April 2017. - - Closes #9307 - -- RELEASE-NOTES: synced - - and bump the tentative next release version to 7.85.1 - -- [Samuel Henrique brought this change] - - configure: fail if '--without-ssl' + explicit parameter for an ssl lib - - A side effect of a previous change to configure (576e507c78bdd2ec88) - exposed a non-critical issue that can happen if configure is called with - both '--without-ssl' and some parameter setting the use of a ssl library - (e.g. --with-gnutls). The configure script would end up assuming this is - a MultiSSL build, due to the way the case statement is written. 
- - I have changed the order of the variables in the string concatenation - for the case statement and also tweaked the options so that - --without-ssl never turns the build into a MultiSSL one and also clearly - stating that there are conflicting parameters if the user sets it like - described above. - - Closes #9414 - -- tests/certs/scripts: insert standard curl source headers - - ... including the SPDX-License-Identifier. - - These omissions were not detected by the RUEUSE CI job nor the copyright.pl - scanners because we have a general wildcard in .reuse/dep5 for - "tests/certs/*". - - Reported-by: Samuel Henrique - Fixes #9417 - Closes #9420 - -- [Samuel Henrique brought this change] - - docs: remove mentions of deprecated '--without-openssl' config parameter - - Closes #9415 - -- [Samuel Henrique brought this change] - - manpages: Fix spelling of "allows to" -> "allows one to" - - References: - https://salsa.debian.org/lintian/lintian/-/blob/master/tags/t/typo-in-manual-page.tag - https://english.stackexchange.com/questions/60271/grammatical-complements-for-allow/60285#60285 - - Closes #9419 - -- [Samuel Henrique brought this change] - - CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes - - Lintian (on Debian) has been complaining about this for a while but - I didn't bother initially as the groff parser that we use is not - affected by this. - - But I have now noticed that the online manpage is affected by it: - https://curl.se/libcurl/c/CURLOPT_WILDCARDMATCH.html - - (I'm using double quotes for quoting-only down below) - - The section that should be parsed as "'\'" ends up being parsed as - "'´". - - This is due to roffit not parsing "'\\'" correctly, which is fine - as the "correct" way of writing "'\'" is "'\e'" instead. - - Note that this fix is not enough to fix the online manpage at - curl's website, as roffit seems to parse it wrongly either way. 
- - My intent is to at least fix the manpage so that roffit can - be changed to parse "'\e'" correctly (although I suggest making - roffit parse both ways correctly, since that's what groff does). - - More details at: - https://bugs.debian.org/966803 - https://salsa.debian.org/lintian/lintian/-/blob/930b18e4b28b7540253f458ef42a884cca7965c3/tags/a/acute-accent-in-manual-page.tag - - Closes #9418 - -- tool_operate: reduce errorbuffer allocs - - - parallel transfers: only alloc and keep errorbuffers in memory for - actual "live" transfers and not for the ones in the pending queue - - - serial transfers: reuse the same fixed buffer for all transfers, not - allocated at all. - - Closes #9394 - -Viktor Szakats (31 Aug 2022) -- misc: spelling fixes - - Found using codespell 2.2.1. - - Also delete the redundant protocol designator from an archive.org URL. - - Reviewed-by: Daniel Stenberg - Closes #9403 - -Daniel Stenberg (31 Aug 2022) -- tool_progress: remove 'Qd' from the parallel progress bar - - The "queued" value is no longer showing anything useful to the user. It - is an internal number of transfers waiting at that moment. - - Closes #9389 - -- tool_operate: prevent over-queuing in parallel mode - - When doing a huge amount of parallel transfers, we must not add them to - the per_transfer list frivolously since they all use memory after all. - This was previous done without really considering millions or billions - of transfers. Massive parallelism would use a lot of memory for no good - purpose. - - The queue is now limited to twice the paralleism number. - - This makes the 'Qd' value in the parallel progress meter mostly useless - for users, but works for now for us as a debug display. - - Reported-by: justchen1369 on github - Fixes #8933 - Closes #9389 - -Viktor Szakats (31 Aug 2022) -- cmake: fix original MinGW builds - - 1. 
Re-enable `HAVE_GETADDRINFO` detection on Windows - - Commit d08ee3c83d6bd416aef62ff844c98e47c4682429 (in 2013) added logic - that automatically assumed `getaddrinfo()` to be present for builds - with IPv6 enabled. As it turns out, certain toolchains (e.g. original - MinGW) by default target older Windows versions, and thus do not - support `getaddrinfo()` out of the box. The issue was masked for - a while by CMake builds forcing a newer Windows version, but that - logic got deleted in commit 8ba22ffb2030ed91312fc8634e29516cdf0a9761. - Since then, some CI builds started failing due to IPv6 enabled, - `HAVE_GETADDRINFO` set, but `getaddrinfo()` in fact missing. - - It also turns out that IPv6 works without `getaddrinfo()` since commit - 67a08dca27a6a07b36c7f97252e284ca957ff1a5 (from 2019, via #4662). So, - to resolve all this, we can now revert the initial commit, thus - restoring `getaddrinfo()` detection and support IPv6 regardless of its - outcome. - - Reported-by: Daniel Stenberg - - 2. Omit `bcrypt` with original MinGW - - Original (aka legacy/old) MinGW versions do not support `bcrypt` - (introduced with Vista). We already have logic to handle that in - `lib/rand.c` and autotools builds, where we do not call the - unsupported API and do not link `bcrypt`, respectively, when using - original MinGW. 
- - This patch ports that logic to CMake, fixing the link error: - `c:/mingw/bin/../lib/gcc/mingw32/9.2.0/../../../../mingw32/bin/ld.exe: cannot find -lbcrypt` - - Ref: https://ci.appveyor.com/project/curlorg/curl/builds/44624888/job/40vle84cn4vle7s0#L508 - Regression since 76172511e7adcf720f4c77bd91f49278300ec97e - - Fixes #9214 - Fixes #9393 - Fixes #9395 - Closes #9396 - -Version 7.85.0 (31 Aug 2022) - -Daniel Stenberg (31 Aug 2022) -- RELEASE-NOTES: synced - - curl 7.85.0 release - -- THANKS: add contributors from the 7.85.0 release - -- getparam: correctly clean args - - Follow-up to bf7e887b2442783ab52 - - The previous fix for #9128 was incomplete and caused #9397. - - Fixes #9397 - Closes #9399 - -- zuul: remove the clang-tidy job - - Turns out we don't see the warnings, but the warnings right now are - plain ridiculous and unhelpful so we can just as well just kill this - job. - - Closes #9390 - -- cmake: set feature PSL if present - - ... make test 1014 pass when libpsl is used. - - Closes #9391 - -- lib530: simplify realloc failure exit path - - To make code analyzers happier - - Closes #9392 - -- [Orgad Shaneh brought this change] - - tests: add tests for netrc login/password combinations - - Covers the following PRs: - - - #9066 - - #9247 - - #9248 - - Closes #9256 - -- [Orgad Shaneh brought this change] - - url: really use the user provided in the url when netrc entry exists - - If the user is specified as part of the URL, and the same user exists - in .netrc, Authorization header was not sent at all. - - The user and password fields were assigned in conn->user and password - but the user was not assigned to data->state.aptr, which is the field - that is used in output_auth_headers and friends. - - Fix by assigning the user also to aptr. - - Amends commit d1237ac906ae7e3cd7a22c3a2d3a135a97edfbf5. 
- - Fixes #9243 - -- [Orgad Shaneh brought this change] - - netrc: Use the password from lines without login - - If netrc entry has password with empty login, use it for any username. - - Example: - .netrc: - machine example.com password 123456 - - curl -vn http://user@example.com/ - - Fix it by initializing state_our_login to TRUE, and reset it only when - finding an entry with the same host and different login. - - Closes #9248 - -- [Jay Satiro brought this change] - - url: treat missing usernames in netrc as empty - - - If, after parsing netrc, there is a password with no username then - set a blank username. - - This used to be the case prior to 7d600ad (precedes 7.82). Note - parseurlandfillconn already does the same thing for URLs. - - Reported-by: Raivis - Testing-by: Domen Kožar - - Fixes https://github.com/curl/curl/issues/8653 - Closes #9334 - Closes #9066 - -- test8: verify that "ctrl-byte cookies" are ignored - -- cookie: reject cookies with "control bytes" - - Rejects 0x01 - 0x1f (except 0x09) plus 0x7f - - Reported-by: Axel Chong - - Bug: https://curl.se/docs/CVE-2022-35252.html - - CVE-2022-35252 - - Closes #9381 - -- libssh: ignore deprecation warnings - - libssh 0.10.0 marks all SCP functions as "deprecated" which causes - compiler warnings and errors in our CI jobs and elsewhere. Ignore - deprecation warnings if 0.10.0 or later is found in the build. - - If they actually remove the functions at a later point, then someone can - deal with that pain and functionality break then. - - Fixes #9382 - Closes #9383 - -- Revert "schannel: when importing PFX, disable key persistence" - - This reverts commit 70d010d285315e5f1cad6bdb4953e167b069b692. - - Due to further reports in #9300 that indicate this commit might - introduce problems. - -- multi: use larger dns hash table for multi interface - - Have curl_multi_init() use a much larger DNS hash table than used for - the easy interface to scale and perform better when used with _many_ - host names. 
- - curl_share_init() sets an in-between size. - - Inspired-by: Ivan Tsybulin - See #9340 - Closes #9376 - -Marc Hoersken (28 Aug 2022) -- CI/runtests.pl: add param for dedicated curl to talk to APIs - - This should make it possible to also report test failures - if our freshly build curl binary is not fully functional. - - Reviewed-by: Daniel Stenberg - Closes #9360 - -Daniel Stenberg (27 Aug 2022) -- [Jacob Tolar brought this change] - - openssl: add cert path in error message - - Closes #9349 - -- [Jacob Tolar brought this change] - - cert.d: clarify that escape character works for file paths - - Closes #9349 - -- gha: move over ngtcp2-gnutls CI job from zuul - - Closes #9331 - -Marc Hoersken (26 Aug 2022) -- cmake: add detection of threadsafe feature - - Avoids failing test 1014 by replicating configure checks - for HAVE_ATOMIC and _WIN32_WINNT with custom CMake tests. - - Reviewed-by: Marcel Raad - - Follow up to #8680 - Closes #9312 - -Daniel Stenberg (26 Aug 2022) -- RELEASE-NOTES: synced - -Marc Hoersken (26 Aug 2022) -- CI/azure: align torture shallowness with GHA - - There 25 is used with FTP tests skipped, and 20 for FTP tests. - This should make torture tests stay within the 60min timeout. - - Reviewed-by: Daniel Stenberg - Closes #9371 - -- multi_wait: fix and improve Curl_poll error handling on Windows - - First check for errors and return CURLM_UNRECOVERABLE_POLL - before moving forward and waiting on socket readiness events. - - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad - - Reported-by: Daniel Stenberg - Ref: #9361 - - Follow up to #8961 - Closes #9372 - -- multi_wait: fix skipping to populate revents for extra_fds - - On Windows revents was not populated for extra_fds if - multi_wait had to wait due to the Curl_poll pre-check - not signalling any readiness. This commit fixes that. 
- - Reviewed-by: Marcel Raad - Reviewed-by: Jay Satiro - - Closes #9361 - -- CI/appveyor: disable TLS in msys2-native autotools builds - - Schannel cannot be used from msys2-native Linux-emulated builds. - - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg - - Follow up to #9367 - Closes #9370 - -Jay Satiro (25 Aug 2022) -- tests: fix http2 tests to use CRLF headers - - Prior to this change some tests that rely on nghttpx proxy did not use - CRLF headers everywhere. A recent change in nghttp2, which updated its - version of llhttp (HTTP parser), requires curl's HTTP/1.1 test server to - use CRLF headers. - - Ref: https://github.com/nghttp2/nghttp2/commit/9d389e8 - - Fixes https://github.com/curl/curl/issues/9364 - Closes https://github.com/curl/curl/pull/9365 - -Daniel Stenberg (25 Aug 2022) -- [rcombs brought this change] - - multi: use a pipe instead of a socketpair on apple platforms - - Sockets may be shut down by the kernel when the app is moved to the - background, but pipes are not. - - Removed from KNOWN_BUGS - - Fixes #6132 - Closes #9368 - -- [Somnath Kundu brought this change] - - libssh2: provide symlink name in SFTP dir listing - - When reading the symbolic link name for a file, we need to add the file - name to base path name. - - Closes #9369 - -- configure: if asked to use TLS, fail if no TLS lib was detected - - Previously the configure script would just warn about this fact and - continue with TLS disabled build which is not always helpful. TLS should - be explicitly disabled if that is what the user wants. - - Closes #9367 - -- [Dustin Howett brought this change] - - schannel: when importing PFX, disable key persistence - - By default, the PFXImportCertStore API persists the key in the user's - key store (as though the certificate was being imported for permanent, - ongoing use.) - - The documentation specifies that keys that are not to be persisted - should be imported with the flag `PKCS12_NO_PERSIST_KEY`. 
- NOTE: this flag is only supported on versions of Windows newer than XP - and Server 2003. - - Fixes #9300 - Closes #9363 - -- unit1303: four tests should have TRUE for 'connecting' - - To match the comments. - - Reported-by: Wu Zheng - - See #9355 - Closes #9356 - -- CURLOPT_BUFFERSIZE.3: add upload buffersize to see also - - Closes #9354 - -- [Fabian Fischer brought this change] - - HTTP3.md: add missing autoreconf command for building with wolfssl - - Closes #9353 - -- RELEASE-NOTES: synced - -- multi: have curl_multi_remove_handle close CONNECT_ONLY transfer - - Ẃhen it has been used in the multi interface, it is otherwise left in - the connection cache, can't be reused and nothing will close them since - the easy handle loses the association with the multi handle and thus the - connection cache - until the multi handle is closed or it gets pruned - because the cache is full. - - Reported-by: Dominik Thalhammer - Fixes #9335 - Closes #9342 - -- docs/cmdline-opts: remove \& escapes from all .d files - - gen.pl escapes them itself now - -- docs/cmdline-opts/gen.pl: encode leading single and double quotes - - As "(aq" and "(dq" to prevent them from implying a meaning in the nroff - output. This removes the need for using \& escapes in the .d files' - description parts. - - Closes #9352 - -Marc Hoersken (23 Aug 2022) -- tests/server/sockfilt.c: avoid race condition without a mutex - - Avoid loosing any triggered handles by first aborting and joining - the waiting threads before evaluating the individual signal state. - - This removes the race condition and therefore need for a mutex. - - Closes #9023 - -Daniel Stenberg (22 Aug 2022) -- [Emil Engler brought this change] - - url: output the maximum when rejecting a url - - This commit changes the failf message to output the maximum length, when - curl refuses to process a URL because it is too long. 
- - See: #9317 - Closes: #9327 - -- [Chris Paulson-Ellis brought this change] - - configure: fix broken m4 syntax in TLS options - - Commit b589696f added lines to some shell within AC_ARG_WITH macros, but - inadvertently failed to move the final closing ). - - Quote the script section using braces. - - So, if these problems have been around for a while, how did I find them? - Only because I did a configure including these options: - - $ ./configure --with-openssl --without-rustls - SSL: enabled (OpenSSL) - - Closes #9344 - -- tests/data/CMakeLists: remove making the 'show' makefile target - - It is not used by runtests since 3c0f462 - - Closes #9333 - -- tests/data/Makefile: remove 'filecheck' target - - No practical use anymore since 3c0f4622cdfd6 - - Closes #9332 - -- libssh2: make atime/mtime date overflow return error - - Closes #9328 - -- libssh: make atime/mtime date overflow return error - - Closes #9328 - -- examples/curlx.c: remove - - This example is a bit convoluted to use as an example, combined with the - special license for it makes it unsuitable. - - Closes #9330 - -- [Tobias Nygren brought this change] - - curl.h: include on SunOS - - It is needed for fd_set to be visible to downstream consumers that use - . Header is known to exist at least as far back as Solaris - 2.6. - - Closes #9329 - -- DEPRECATE.md: push the NSS deprecation date forward one year to 2023 - - URL: https://curl.se/mail/lib-2022-08/0016.html - -- libssh2: setting atime or mtime >32bit on 4-bytes-long systems - - Since the libssh2 API uses 'long' to store the timestamp, it cannot - transfer >32bit times on Windows and 32bit architecture builds. - - Avoid nasty surprises by instead not setting such time. - - Spotted by Coverity - - Closes #9325 - -- libssh: setting atime or mtime > 32bit is now just skipped - - The libssh API used caps the time to an unsigned 32bit variable. Avoid - nasty surprises by instead not setting such time. - - Spotted by Coverity. 
- - Closes #9324 - -Jay Satiro (16 Aug 2022) -- KNOWN_BUGS: Windows Unicode builds use homedir in current locale - - Bug: https://github.com/curl/curl/pull/7252 - Reported-by: dEajL3kA@users.noreply.github.com - - Ref: https://github.com/curl/curl/pull/7281 - - Closes https://github.com/curl/curl/pull/9305 - -Daniel Stenberg (16 Aug 2022) -- test399: switch it to use a config file instead - - ... as using a 65535 bytes host name in a URL does not fit on the - command line on some systems - like Windows. - - Reported-by: Marcel Raad - Fixes #9321 - Closes #9322 - -- RELEASE-NOTES: synced - -- asyn-ares: make a single alloc out of hostname + async data - - This saves one alloc per name resolve and simplifies the exit path. - - Closes #9310 - -- Curl_close: call Curl_resolver_cancel to avoid memory-leak - - There might be a pending (c-ares) resolve that isn't free'd up yet. - - Closes #9310 - -- asyn-thread: fix socket leak on OOM - - Closes #9310 - -- GHA: mv CI torture test from Zuul - - Closes #9310 - -- ngtcp2-wolfssl.yml: add GHA to build ngtcp2 + wolfSSL - - Closes #9318 - -- test399: verify check of too long host name - -- url: reject URLs with hostnames longer than 65535 bytes - - It *probably* causes other problems too since DNS can't resolve such - long names, but the SNI field in TLS is limited to 16 bits length. - - Closes #9317 - -- curl_multi_perform.3: minor language fix - - Closes #9316 - -- ngtcp2: fix picky compiler warnings with wolfSSL for QUIC - - Follow-up to 8a13be227eede2 - - Closes #9315 - -- ngtcp2: remove leftover variable - - Mistake leftover from my edit before push. - - Follow-up from 8a13be227eede2601c2b3b - Reported-by: Viktor Szakats - Bug: https://github.com/curl/curl/pull/9290#issuecomment-1214569167 - -Viktor Szakats (15 Aug 2022) -- Makefile.m32: allow -nghttp3/-ngtcp2 without -ssl [ci skip] - - Before this patch `-nghttp3`/`-ngtcp2` had an effect only when `-ssl` - was also enabled. `-ssl` meaning OpenSSL (and its forks). 
After - 8a13be227eede2601c2b3b1c63e08b3dc9b35dd5 nghttp3/ngtcp2 can also be - used together with wolfSSL. This patch adds the ability to enable - `-nghttp3`/`-ngtcp2` independently from `-ssl` (OpenSSL), allowing to - use it with wolfSSL or other, future TLS backends. - - Before this patch, it was fine to enable `-nghttp3`/`-ngtcp2` - unconditionally. After this patch, this is no longer the case, and now - it's the user's responsibility to enable `-nghttp3`/`-ngtcp2` only - together with a compatible TLS backend. - - When using a TLS backend other than OpenSSL, the TLS-specific ngtcp2 - library must be configured manually, e.g.: - `export CURL_LDFLAG_EXTRAS=-lngtcp2_crypto_wolfssl` - - (or via `NGTCP2_LIBS`) - - Closes #9314 - -Daniel Stenberg (15 Aug 2022) -- [Stefan Eissing brought this change] - - quic: add support via wolfSSL - - - based on ngtcp2 PR https://github.com/ngtcp2/ngtcp2/pull/505 - - configure adapted to build against ngtcp2 wolfssl crypto lib - - quic code added for creation of WOLFSSL* instances - - Closes #9290 - -Marcel Raad (14 Aug 2022) -- [David Carlier brought this change] - - memdebug: add annotation attributes - - memory debug tracking annotates whether the returned pointer does not - `alias`, hints where the size required is, for Windows to be better - debugged via Visual Studio. - - Closes https://github.com/curl/curl/pull/9306 - -Daniel Stenberg (14 Aug 2022) -- GHA: move libressl CI from zuul to GitHub - - Closes #9309 - -- KNOWN_BUGS: FTPS directory listing hangs on Windows with Schannel - - Closes #9161 - -- KNOWN_BUGS: CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel - - Closes #8741 - -- KNOWN_BUGS: libssh blocking and infinite loop problem - - Closes #8632 - -- RELEASE-NOTES: synced - -- msh3: fix the QUIC disconnect function - - And free request related memory better in 'done'. Fixes a memory-leak. 
- - Reported-by: Gisle Vanem - Fixes #8915 - Closes #9304 - -- connect: close the happy eyeballs loser connection when using QUIC - - Reviewed-by: Nick Banks - - Closes #9303 - -- [Emil Engler brought this change] - - refactor: split resolve_server() into functions - - This commit splits the branch-heavy resolve_server() function into - various sub-functions, in order to reduce the amount of nested - if/else-statements. - - Beside this, it also removes many else-sequences, by returning in the - previous if-statement. - - Closes #9283 - -- schannel: re-indent to use curl style better - - Only white space changes - - Closes #9301 - -- [Emanuele Torre brought this change] - - docs/cmdline-opts: fix example and categories for --form-escape - - The example was missing a "--form" argument - I also replaced "--form" with "-F" to shorten the line a bit since it - was already very long. - - And I also moved --form-escape from the "post" category to the "upload" - category (this is what I originally wanted to fix, before also noticing - the mistake in the example). - - Closes #9298 - -- [Nick Banks brought this change] - - HTTP3.md: update to msh3 v0.4.0 - - Closes #9297 - -- hostip: resolve *.localhost to 127.0.0.1/::1 - - Following the footsteps of other clients like Firefox/Chrome. RFC 6761 - says clients SHOULD do this. - - Add test 389 to verify. - - Reported-by: TheKnarf on github - Fixes #9192 - Closes #9296 - -Jay Satiro (11 Aug 2022) -- KNOWN_BUGS: long paths are not fully supported on Windows - - Bug: https://github.com/curl/curl/issues/8361 - Reported-by: Gisle Vanem - - Closes https://github.com/curl/curl/pull/9288 - -Daniel Stenberg (11 Aug 2022) -- config: remove the check for and use of SIZEOF_SHORT - - shorts are 2 bytes on all platforms curl runs and have ever run on. - - Closes #9291 - -- configure: introduce CURL_SIZEOF - - This is a rewrite of the previously used GPLv3+exception licensed - file. 
With this change, there is no more reference to GPL so we can - remove that from LICENSES/. - - Ref: #9220 - Closes #9291 - -- [Sean McArthur brought this change] - - hyper: customize test1274 to how hyper unfolds headers - - Closes #9217 - -- [Orgad Shaneh brought this change] - - curl-config: quote directories with potential space - - On Windows (at least with CMake), the default prefix is - C:/Program Files (x86)/CURL. - - Closes #9253 - -- [Oliver Roberts brought this change] - - amigaos: fix threaded resolver on AmigaOS 4.x - - Replace ip4 resolution function on AmigaOS 4.x, as it requires runtime - feature detection and extra code to make it thread safe. - - Closes #9265 - -- [Emil Engler brought this change] - - imap: use ISALNUM() for alphanumeric checks - - This commit replaces a self-made character check for alphanumeric - characters within imap_is_bchar() with the ISALNUM() macro, as it is - reduces the size of the code and makes the performance better, due to - ASCII arithmetic. - - Closes #9289 - -- RELEASE-NOTES: synced - -- [Cering on github brought this change] - - connect: add quic connection information - - Fixes #9286 - Closes #9287 - -- [Philip Heiduck brought this change] - - cirrus/freebsd-ci: bootstrap the pip installer - - 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - - Closes #9213 - -- urldata: move smaller fields down in connectdata struct - - By (almost) sorting the struct fields in connectdata in a decending size - order, having the single char ones last, we reduce the number of holes - in the struct and thus the amount of storage needed. - - Closes #9280 - -- ldap: adapt to conn->port now being an 'int' - - Remove typecasts. Fix printf() formats. - - Follow-up from 764c6bd3bf. - Pointed out by Coverity CID 1507858. - - Closes #9281 - -- KNOWN_BUGS: Negotiate authentication against Hadoop HDFS - - Closes #8264 - -- [Oliver Roberts brought this change] - - file: add handling of native AmigaOS paths - - On AmigaOS 4.x, handle native absolute paths, whilst blocking relative - paths. Also allow unix style paths if feature enabled at link time. - - Inspiration-from: Michael Trebilcock - - Closes #9259 - -- KNOWN_BUGS: cmake build is not thread-safe - - The cmake build does not check for and verify presence of a working - Atomic type, which then makes curl_global_init() to not build - thread-safe on non-Windows platforms. - - Closes https://github.com/curl/curl/issues/8973 - Closes https://github.com/curl/curl/pull/8982 - -- [Oliver Roberts brought this change] - - configure: fixup bsdsocket detection code for AmigaOS 4.x - - The code that detects bsdsocket.library for AmigaOS did not work - for AmigaOS 4.x. This has been fixed and also cleaned up a little - to reduce duplication. Wasn't technically necessary before, but is - required when building with AmiSSL instead of OpenSSL. - - Closes #9268 - -- [Oliver Roberts brought this change] - - tool: reintroduce set file comment code for AmigaOS - - Amiga specific code which put the URL in the file comment was perhaps - accidentally removed in b88940850002a3f1c25bc6488b95ad30eb80d696 having - originally been added in 5c215bdbdfde8b2350cdcbac82aae0c914da5314. 
- Reworked to fit the code changes and added it back in. - - Reported-by: Michael Trebilcock - Originally-added-by: Chris Young - - Closes #9258 - -- urldata: make 'negnpn' use less storage - - The connectdata struct field 'negnpn' never holds a value larger than - 30, so an unsigned char saves 3 bytes struct space. - - Closes #9279 - -- urldata: make three *_proto struct fields smaller - - Use 'unsigned char' for storage instead of the enum, for three GSSAPI - related fields in the connectdata struct. - - Closes #9278 - -- connect: set socktype/protocol correctly - - So that an address used from the DNS cache that was previously used for - QUIC can be reused for TCP and vice versa. - - To make this possible, set conn->transport to "unix" for unix domain - connections ... and store the transport struct field in an unsigned char - to use less space. - - Reported-by: ウさん - Fixes #9274 - Closes #9276 - -- [Oliver Roberts brought this change] - - amissl: allow AmiSSL to be used with AmigaOS 4.x builds - - Enable AmiSSL to be used instead of static OpenSSL link libraries. - for AmigaOS 4.x, as it already is in the AmigaOS 3.x build. - - Closes #9269 - -- [opensignature on github brought this change] - - openssl: add details to "unable to set client certificate" error - - from: "curl: (58) unable to set client certificate" - - to: curl: (58) unable to set client certificate [error:0A00018F:SSL - routines::ee key too small] - - Closes #9228 - -- [Oliver Roberts brought this change] - - amissl: make AmiSSL v5 a minimum requirement - - AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0. - Support for previous OpenSSL 1.1.x versions has been dropped, so - makes sense to enforce v5 as the minimum requirement. This also - allows all the AmiSSL stub workarounds to be removed as they are - now provided in a link library in the AmiSSL SDK. 
- - Closes #9267 - -- [Oliver Roberts brought this change] - - configure: -pthread not available on AmigaOS 4.x - - The most recent GCC builds for AmigaOS 4.x do not allow -pthread and - exit with an error. Instead, need to explictly specify -lpthread. - - Closes #9266 - -- digest: pass over leading spaces in qop values - - When parsing the "qop=" parameter of the digest authentication, and the - value is provided within quotes, the list of values can have leading - white space which the parser previously did not handle correctly. - - Add test case 388 to verify. - - Reported-by: vlubart on github - Fixes #9264 - Closes #9270 - -- [Evgeny Grin (Karlson2k) brought this change] - - digest: reject broken header with session protocol but without qop - - Closes #9077 - -- CURLINFO_SPEED_UPLOAD/DOWNLOAD.3: fix examples - - Reported-by: jvvprasad78 on github - Assisted-by: Jay Satiro - Fixes #9239 - Closes #9241 - -- [Fabian Keil brought this change] - - test44[2-4]: add '--resolve' to the keywords - - ... so the tests can be automatically skipped when - using an external proxy like Privoxy. - - Closes #9250 - -- RELEASE-NOTES: synced - -- CURLOPT_CONNECT_ONLY.3: clarify multi API use - - Reported-by: Maxim Ivanov - Fixes #9244 - Closes #9262 - -- [Andrew Lambert brought this change] - - curl_easy_header: Add CURLH_PSEUDO to sanity check - - Fixes #9235 - Closes #9236 - -- [Emil Engler brought this change] - - docs: add dns category to --resolve - - This commit adds the dns category to the --resolve command line option, - because it can be interpreted as both: a low-level connection option and - an option related to the resolving of a hostname. - - It is also not common for dns options to belong to the connection - category and vice versa. --ipv4 and --ipv6 are both good examples. 
- - Closes #9229 - -Jay Satiro (2 Aug 2022) -- [Wyatt O'Day brought this change] - - schannel: Add TLS 1.3 support - - - Support TLS 1.3 as the default max TLS version for Windows Server 2022 - and Windows 11. - - - Support specifying TLS 1.3 ciphers via existing option - CURLOPT_TLS13_CIPHERS (tool: --tls13-ciphers). - - Closes https://github.com/curl/curl/pull/8419 - -Daniel Stenberg (2 Aug 2022) -- [Emil Engler brought this change] - - cmdline-opts/gen.pl: improve performance - - On some systems, the gen.pl script takes nearly two minutes for the - generation of the main-page, which is a completely unacceptable time. - - The slow performance has two causes: - 1. Use of a regex locale operator - 2. Useless invokations of loops - - The commit addresses the first issue by replacing the "\W" wiht - [^a-zA-Z0-9_], which is, according to regex101.com, functionally - equivalent to the previous operation, except that it is obviously - limited to ASCII only, which is fine, as the curl project is - English-only anyway. - - The second issue is being addressed by only running the loop if the line - contains a "--" in it. The loop may be completeley removed in the - future. 
- - Co-authored-by: Emanuele Torre - - See #8299 - Fixes #9230 - Closes #9232 - -- docs/cmdline: mark fail and fail-with-body as mutually exclusive - - Reported-by: Andreas Sommer - Fixes #9221 - Closes #9222 - -- [Nao Yonashiro brought this change] - - quiche: fix build failure - - Reviewed-by: Alessandro Ghedini - Closes #9223 - -Viktor Szakats (2 Aug 2022) -- configure.ac: drop references to deleted functions - - follow-up from 4d73854462f30948acab12984b611e9e33ee41e6 - - Reported-by: Oliver Roberts - Fixes #9238 - Closes #9240 - -Daniel Stenberg (28 Jul 2022) -- [Sean McArthur brought this change] - - hyper: enable obs-folded multiline headers - - Closes #9216 - -- connect: revert the use of IP*_RECVERR - - The options were added in #6341 and d13179d, but cause problems: Lots of - POLLIN event occurs but recvfrom read nothing. - - Reported-by: Tatsuhiro Tsujikawa - Fixes #9209 - Closes #9215 - -- [Marco Kamner brought this change] - - docs: remove him/her/he/she from documentation - - Closes #9208 - -- RELEASE-NOTES: synced - -- tool_getparam: make --doh-url "" switch it off - - A possible future addition could be to parse the URL first too to verify - that it is valid before trying to use it. - - Assisted-by: Jay Satiro - Closes #9207 - -- mailmap: add rzrymiak on github - -Jay Satiro (26 Jul 2022) -- ngtcp2: Fix build error due to change in nghttp3 prototypes - - ngtcp2/nghttp3@4a066b2 changed nghttp3_conn_block_stream and - nghttp3_conn_shutdown_stream_write return from int to void. 
- - Reported-by: jurisuk@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/9204 - Closes https://github.com/curl/curl/pull/9200 - -Daniel Stenberg (26 Jul 2022) -- [rzrymiak on github brought this change] - - BUGS.md: improve language - - Closes #9205 - -- [Philip Heiduck brought this change] - - cirrus.yml: replace py38-pip with py39-pip - - Reported-by: Jay Satiro - Fixes #9201 - Closes #9202 - -- tool_getparam: fix cleanarg() for unicode builds - - Use the correct type, and make cleanarg an empty macro if the cleaning - ability is absent. - - Fixes #9195 - Closes #9196 - - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad - -Marc Hoersken (25 Jul 2022) -- test3026: add support for Windows using native Win32 threads - - Reviewed-by: Viktor Szakats - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg - - Follow up to 7ade9c50b35d95d47a43880c3097bebab7a7e690 - Closes #9012 - -Jay Satiro (25 Jul 2022) -- [Evgeny Grin (Karlson2k) brought this change] - - digest: fix memory leak, fix not quoted 'opaque' - - Fix leak regression introduced by 3a6fe0c. - - Closes https://github.com/curl/curl/pull/9199 - -Daniel Stenberg (23 Jul 2022) -- tests: several enumerated type cleanups - - To please icc - - Closes #9179 - -- tool_paramhlp: fix "enumerated type mixed with another type" - - Warning by icc - - Closes #9179 - -- tool_writeout: fix enumerated type mixed with another type - - Closes #9179 - -- tool_cfgable: make 'synthetic_error' a plain bool - - The specific reason was not used. 
- - Closes #9179 - -- tool_paramhlp: make check_protocol return ParameterError - - "enumerated type mixed with another type" - - Closes #9179 - -- tool_formparse: fix variable may be used before its value is set - - Warning by icc - - Closes #9179 - -- sendf: skip storing HTTP headers if HTTP disabled - - Closes #9179 - -- url: enumerated type mixed with another type - - Follow-up to 1c58e7ae99ce2030213f28b - - Closes #9179 - -- urldata: change second proxytype field to unsigned char to match - - To avoid "enumerated type mixed with another type" - - Closes #9179 - -- http: typecast the httpreq assignment to avoid icc compiler warning - - error #188: enumerated type mixed with another type - - Closes #9179 - -- urldata: make state.httpreq an unsigned char - - To match set.method used for the same purpose. - - Closes #9179 - -- splay: avoid using -1 in unsigned variable - - To fix icc compiler warning integer conversion resulted in a change of sign - - Closes #9179 - -- sendf: store the header type in an usigned char to avoid icc warnings - - Closes #9179 - -- multi: fix the return code from Curl_pgrsDone() - - It does not return a CURLcode. Detected by the icc compiler warning - "enumerated type mixed with another type" - - Closes #9179 - -- sendf: make Curl_debug a void function - - As virtually no called checked the return code, and those that did - wrongly treated it as a CURLcode. 
Detected by the icc compiler warning: - enumerated type mixed with another type - - Closes #9179 - -- http_chunks: remove an assign + typecast - - As it caused icc to complain: "pointer cast involving 64-bit pointed-to - type" - - Closes #9179 - -- vtls: make Curl_ssl_backend() return the enum type curl_sslbackend - - To fix the icc warning enumerated type mixed with another type - - Closes #9179 - -- curl-compilers.m4: make icc use -diag* options and disable two warnings - - -wd and -we are deprecated and are now -diag-disable and -diag-error - - Disable warning 1024 and 2259 - - Closes #9179 - -- [Matthew Thompson brought this change] - - GHA: add two Intel compiler CI jobs - - Closes #9179 - -- [Daniel Katz brought this change] - - curl-functions.m4: check whether atomics can link rather than just compile - - Some build toolchains support C11 atomics (i.e., _Atomic types), but - will not link the associated atomics runtime unless a flag is passed. In - such an environment, linking an application with libcurl.a can fail due - to undefined symbols for atomic load/store functions. - - I encountered this behavior when upgrading curl to 7.84.0 and attempting - to build with Solaris Studio 12.6. Solaris provides the flag - -xatomic=[gcc | studio], allowing users to link to one of two atomics - runtime implementations. However, if the user does not provide this - flag, then neither runtime is linked. This led to builds failing in CI. - - Closes #9190 - -- [Rosen Penev brought this change] - - curl-wolfssl.m4: add options header when building test code - - Needed for certain configurations of wolfSSL. Otherwise, missing header - error may occur. - - Tested with OpenWrt. 
- - Closes #9187 - -- ftp: use a correct expire ID for timer expiry - - This was an accurate error pointed out by the icc warning: enumerated - type mixed with another type - - Ref: #9179 - Closes #9184 - -- sendf: fix paused header writes since after the header API - - Regression since d1e4a67 - - Reported-by: Sergey Ogryzkov - Fixes #9180 - Closes #9182 - -- mprintf: fix *dyn_vprintf() when out-of-memory - - Follow-up to 0e48ac1f99a. Torture-testing 1455 would lead to a memory - leak otherwise. - - Closes #9185 - -- curl-confopts: remove leftover AC_REQUIREs - - configure.ac:3488: warning: CURL_CHECK_FUNC_IOCTL is m4_require'd but not m4_defun'd - configure.ac:3488: warning: CURL_CHECK_FUNC_SETSOCKOPT is m4_require'd but not m4_defun'd - - follow-up from 4d73854462f30 - - Closes #9183 - -- file: fix icc enumerated type mixed with another type warning - - Ref: #9179 - Closes #9181 - -Viktor Szakats (19 Jul 2022) -- tidy-up: delete unused build configuration macros - - Most of them feature guards: - - - `CURL_INCLUDES_SYS_UIO` [1] - - `HAVE_ALLOCA_H` [2] - - `HAVE_CRYPTO_CLEANUP_ALL_EX_DATA` (unused since de71e68000c8624ea13f90b136f8734dd0fb1bdc) - - `HAVE_DLFCN_H` - - `HAVE_DLOPEN` - - `HAVE_DOPRNT` - - `HAVE_FCNTL` - - `HAVE_GETHOSTBYNAME` [3] - - `HAVE_GETOPT_H` - - `HAVE_GETPASS` - - `HAVE_GETPROTOBYNAME` - - `HAVE_GETSERVBYNAME` - - `HAVE_IDN_FREE*` - - `HAVE_INET_ADDR` - - `HAVE_IOCTL` - - `HAVE_KRB4` - - `HAVE_KRB_GET_OUR_IP_FOR_REALM` - - `HAVE_KRB_H` - - `HAVE_LDAPSSL_H` - - `HAVE_LDAP_INIT_FD` - - `HAVE_LIBDL` - - `HAVE_LIBNSL` - - `HAVE_LIBRESOLV*` - - `HAVE_LIBUCB` - - `HAVE_LL` - - `HAVE_LOCALTIME_R` - - `HAVE_MALLOC_H` - - `HAVE_MEMCPY` - - `HAVE_MEMORY_H` - - `HAVE_NETINET_IF_ETHER_H` - - `HAVE_NI_WITHSCOPEID` - - `HAVE_OPENSSL_CRYPTO_H` - - `HAVE_OPENSSL_ERR_H` - - `HAVE_OPENSSL_PEM_H` - - `HAVE_OPENSSL_PKCS12_H` - - `HAVE_OPENSSL_RAND_H` - - `HAVE_OPENSSL_RSA_H` - - `HAVE_OPENSSL_SSL_H` - - `HAVE_OPENSSL_X509_H` - - `HAVE_PEM_H` - - `HAVE_POLL` - - 
`HAVE_RAND_SCREEN` - - `HAVE_RAND_STATUS` - - `HAVE_RECVFROM` - - `HAVE_SETSOCKOPT` - - `HAVE_SETVBUF` - - `HAVE_SIZEOF_LONG_DOUBLE` - - `HAVE_SOCKIO_H` - - `HAVE_SOCK_OPTS` - - `HAVE_STDIO_H` - - `HAVE_STRCASESTR` - - `HAVE_STRFTIME` - - `HAVE_STRLCAT` - - `HAVE_STRNCMPI` - - `HAVE_STRNICMP` - - `HAVE_STRSTR` - - `HAVE_STRUCT_IN6_ADDR` - - `HAVE_TLD_H` - - `HAVE_TLD_STRERROR` - - `HAVE_UNAME` - - `HAVE_USLEEP` - - `HAVE_WINBER_H` - - `HAVE_WRITEV` - - `HAVE_X509_H` - - `LT_OBJDIR` - - `NEED_BASENAME_PROTO` - - `NOT_NEED_LIBNSL` - - `OPENSSL_NO_KRB5` - - `RECVFROM_TYPE*` - - `SIZEOF_LONG_DOUBLE` - - `STRERROR_R_TYPE_ARG3` - - `USE_YASSLEMUL` - - `_USRDLL` (from CMake) [4] - - [1] Related parts in `m4/curl-functions.m4` and `configure.ac` might - also be deleted. - - [2] Related comment can possibly be deleted in - `packages/vms/generate_config_vms_h_curl.com`. - - [3] There are more instances of this in autotools, but I did not dare to - touch those. Looked like it's used to detect socket support. - - [4] This is necessary for MFC (Microsoft Foundation Class) DLLs to - force linking MFC components statically to the DLL. `libcurl.dll` - does not use MFC, so we can delete this define. 
- Ref: https://docs.microsoft.com/cpp/build/regular-dlls-statically-linked-to-mfc - - Script that can help finding unused settings like above: - ```shell - - autoheader configure.ac # generate lib/curl_config.h.in - - { - grep -o -E 'set\([A-Z][A-Z0-9_]{3,}' CMake/Platforms/WindowsCache.cmake | sed -E 's|set\(||g' - grep -o -E -h '#define +[A-Z][A-Z0-9_]{3,}' lib/config-*.h | sed -E 's|#define +||g' - grep -o -E '#cmakedefine +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.cmake | sed -E 's|#cmakedefine +||g' - grep -o -E '#undef +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.in | sed -E 's|#undef +||g' - } | sort -u | grep -v -F 'HEADER_CURL_' | while read -r def; do - c="$(git grep -w -F "${def}" | grep -v -E -c '(/libcurl\.tmpl|^lib/config-|^lib/curl_config\.h\.cmake|^CMakeLists\.txt|^CMake/Platforms/WindowsCache\.cmake|^packages/vms/config_h\.com|^m4/curl-functions\.m4|^acinclude\.m4|^configure\.ac)')" - if [ "${c}" = '0' ]; then - echo "${def}" - fi - done - ``` - - Reviewed-by: Daniel Stenberg - Closes #9044 - -Daniel Stenberg (19 Jul 2022) -- RELEASE-NOTES: synced - -- cookie: treat a blank domain in Set-Cookie: as non-existing - - This matches what RFC 6265 section 5.2.3 says. - - Extended test 31 to verify. - - Fixes #9164 - Reported-by: Gwen Shapira - Closes #9177 - -- [Patrick Monnerat brought this change] - - base64: base64url encoding has no padding - - See RFC4648 section 5 and RFC7540 section 3.2.1. - - Suppress generation of '=' padding of base64url encoding. This is - accomplished by considering the string beginning at offset 64 in the - character table as the padding: this is "=" for base64, "" for base64url. - - Also use strchr() to replace character search loops where possible. - - Suppress erroneous comments about empty encoding results. - - Adjust unit test 1302 to unpadded base64url encoding and add tests for - empty results. 
- - Closes #9139 - -- easyoptions: fix icc warning - - easyoptions.c(360): error #188: enumerated type mixed with another type - - Ref: #9156 - Reported-by: Matthew Thompson - Closes #9176 - -- [lwthiker brought this change] - - h2h3: fix overriding the 'TE: Trailers' header - - A 'TE: Trailers' header is explicitly replaced by 'te: trailers' - (lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or - HTTP/3 headers. However, this is then replaced again by the original - value due to a bug, resulting in the uppercased version being sent. Some - HTTP/2 servers reject the whole HTTP/2 stream when this is the case. - - Closes #9170 - -- lib3026: reduce the number of threads to 100 - - Down from 1000, to make it run and work in more systems. - - Fixes #9172 - Reported-by: Érico Nogueira Rolim - Closes #9173 - -- doh: move doh related struct definitions to doh.h - - and make 'dnstype' in 'struct dnsprobe' use the DNStype to fix the icc compiler warning: - - doh.c(924): error #188: enumerated type mixed with another type - - Reported-by: Matthew Thompson - Ref #9156 - Closes #9174 - -Viktor Szakats (17 Jul 2022) -- Makefile.m32: stop trying to build libcares.a [ci skip] - - Before this patch, `lib/Makefile.m32` had a rule to build `libcares.a` in - `-cares`-enabled builds, via c-ares's own `Makefile.m32`. Committed in - 2007 [1]. The commit message doesn't specifically address this particular - change. This logic comes from the times when c-ares was part of the curl - source tree, hence the special treatment. - - This feature creates problems when building c-ares first, using CMake - and pointing `LIBCARES_PATH` to its install prefix, where `Makefile.m32` - is missing in such case. A sub-build for c-ares is undesired also when - c-ares had already been build via its own `Makefile.m32`. - - To avoid the sub-build, this patch deletes its Makefile rule. After this - patch `libcares.a` needs to be manually built before using it in - `Makefile.m32`. 
Aligning it with the rest of dependencies. - - [1] 46c92c0b806da041d7a5c6fb64dbcdc474d99b31 - - Reviewed-by: Daniel Stenberg - Closes #9169 - -Daniel Stenberg (17 Jul 2022) -- curl: writeout: fix repeated header outputs - - The function stored a terminating zero into the buffer for convenience, - but when on repeated calls that would cause problems. Starting now, the - passed in buffer is not modified. - - Reported-by: highmtworks on github - Fixes #9150 - Closes #9152 - -- curl_multi_timeout.3: clarify usage - - Fixes #9155 - Closes #9157 - Reported-by: jvvprasad78 on github - -- mprintf: make dprintf_formatf never return negative - - This function no longer returns a negative value if the formatting - string is bad since the return value would sometimes be propagated as a - return code from the mprintf* functions and they are documented to - return the length of the output. Which cannot be negative. - - Fixes #9149 - Closes #9151 - Reported-by: yiyuaner on github - -Viktor Szakats (17 Jul 2022) -- trace: 0x7F character is non-printable - - `0x7F` is `DEL`, a non-printable symbol, so print it as - `UNPRINTABLE_CHAR`. - - Reported-by: MasterInQuestion on github - Fixes #9162 - Closes #9166 - -- doh: use https protocol by default - - The only allowed protocol is https, so it makes sense to use that - by default if not passed explicitly by the user. - - Reported-by: MasterInQuestion on github - Reviewed-by: Jay Satiro - Fixes #9163 - Closes #9165 - -- openssl: fix BoringSSL symbol conflicts with LDAP and Schannel - - Same issue as here [1], but this time when building curl with BoringSSL - for Windows with LDAP(S) or Schannel support enabled. - - Apply the same fix [2] for these source files as well. - - This can also be fixed by moving `#include "urldata.h"` _before_ - including `winldap.h` and `schnlsp.h` respectively. This seems like - a cleaner fix, though I'm not sure why it works and if it has any - downside. 
- - [1] https://github.com/curl/curl/issues/5669 - [2] https://github.com/curl/curl/commit/fbe07c6829ba8c5793c84c2856526e19e9029ab9 - - Co-authored-by: Jay Satiro - Closes #9110 - -Daniel Stenberg (13 Jul 2022) -- asyn-thread: make getaddrinfo_complete return CURLcode - - ... as the only caller that cares about what it returns assumes that - anyway. This caused icc to warn: - - asyn-thread.c(505): error #188: enumerated type mixed with another type - result = getaddrinfo_complete(data); - - Repoorted-by: Matthew Thompson - Bug: https://github.com/curl/curl/issues/9081#issuecomment-1182143076 - Closes #9146 - -- easy_lock: fix build with icc - - The Intel compiler tries to look like GCC *and* clang *and* it lies in - its __has_builtin() function (returns true when it should return false), - so override it. - - Reported-by: Matthew Thompson - Fixes #9081 - Closes #9144 - -- configure: fix --disable-headers-api - - Reported-by: Michał Antoniak - Fixes #9134 - Closes #9143 - -- test3026: require 'threadsafe' - - Reported-by: Sukanya Hanumanthu - Fixes #9141 - Closes #9142 - -- [Even Rouault brought this change] - - CMake: link curl to its dependencies with PRIVATE - - The current PUBLIC visibility causes issues for downstream users. - Cf https://github.com/OSGeo/PROJ/pull/3172#issuecomment-1157942986 - - Reviewed-by: Jakub Zakrzewski - Closes #9125 - -- [Even Rouault brought this change] - - CMake: remove APPEND in export(TARGETS) - - When running cmake several times, new content was appended to already - existing generated files, which is not appropriate - - Reviewed-by: Jakub Zakrzewski - Closes #9124 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks - - Closes #9135 - -- RELEASE-NOTES: synced - -Viktor Szakats (11 Jul 2022) -- build: improve OS string in CMake and `config-win32.h` - - This patch makes CMake fill the "OS string" with the value of - `CMAKE_C_COMPILER_TARGET`, if passed. 
This typically contains a triplet, - the same we can pass to `./configure` via `--host=`. - - For non-CMake, non-autotools, Windows builds, this patch adds the ability - to override the default `OS` value in `lib/config-win32.h`. - - With these its possible to get the same OS string across the three build - systems. - - This patch supersedes the earlier, partial, CMake-only solution: - 435f395f3f8c11eebfcc243ca55ebcc11a19b8b8, thus retiring the - `CURL_OS_SUFFIX` CMake option. - - Reviewed-by: Jay Satiro - Closes #9117 - -- Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip] - - They allow to override the hardcoded values for the `windres` and `strip` - tools, complementing the existing set of `CURL_{CC,AR,RANLIB}` variables. - - `CURL_RC` comes handy when using LLVM tools with `CROSSPREFIX=llvm-` and - `CURL_CC=clang` set on current latest debian:unstable or earlier, where - `llvm-windres` is missing, and a `CURL_RC=-windres` fixes it. - Hopefully this will be fixed in the llvm package. FWIW `llvm-windres` - does exist in Homebrew llvm, MSYS2 llvm and llvm-mingw. - - Reviewed-by: Daniel Stenberg - Closes #9132 - -Daniel Stenberg (10 Jul 2022) -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix stall or busy loop on STOP_SENDING with upload data - - Fixes #9122 - Closes #9123 - -- [Xiaoke Wang brought this change] - - tool_operate: better cleanup of easy handle in exit path - - Closes #9114 - -- [Xiaoke Wang brought this change] - - getinfo: return better error on NULL as first argument - - Closes #9114 - -- tool_getparam: repair cleanarg - - Regression since 9e5669f. - - Make sure the "cleaning" of command line arguments is done on the - original argv[] pointers. As a bonus, it also exits better on out of - memory error. 
- - Reported-by: Litter White - Fixes #9128 - Closes #9130 - -Jay Satiro (10 Jul 2022) -- docs: explain curl_easy_escape/unescape curl handle is ignored - - 26101421 (precedes 7.82.0) removed character conversion support used by - very old legacy operating systems and since then the curl handle passed - to curl_easy_escape/unescape is always ignored. - - Bug: https://github.com/curl/curl/discussions/9115 - Reported-by: Ted Lyngmo - - Closes https://github.com/curl/curl/pull/9121 - -Viktor Szakats (8 Jul 2022) -- openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL - - BoringSSL doesn't keep a version number, and doesn't self-identify itself - via any other revision number via its own headers. We can identify - BoringSSL revisions by their commit hash. This hash is typically known by - the builder. This patch adds a way to pass this hash to libcurl, so that - it can display in the curl version string: - - For example: - - `CFLAGS=-DCURL_BORINGSSL_VERSION="c239ffd0"` - - ``` - curl 7.84.0 (x86_64-w64-mingw32) libcurl/7.84.0 BoringSSL/c239ffd0 (Schannel) zlib/1.2.12 [...] - Release-Date: 2022-06-27 - Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 [...] - Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos [...] - ``` - - The setting is optional, and if not passed, BoringSSL will appear without - a version number, like before this patch. 
- - Closes #9113 - -Jay Satiro (8 Jul 2022) -- escape: remove outdated comment - - Bug: https://github.com/curl/curl/discussions/9115 - Reported-by: Ted Lyngmo - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Fix missing initialization of nghttp3_nv.flags - - Closes https://github.com/curl/curl/pull/9118 - -Daniel Stenberg (6 Jul 2022) -- [Brad Forschinger brought this change] - - netrc.d: remove spurious quote - - Closes #9111 - -Viktor Szakats (6 Jul 2022) -- Makefile.m32: add `NGTCP2_LIBS` option [ci skip] - - Makefile.m32's ngtcp2 has its two libs hardwired for OpenSSL. - Add `NGTCP2_LIBS` envvar to override them with a custom list, - making it possible to use BoringSSL, or any other backend. - - Closes #9109 - -Jay Satiro (6 Jul 2022) -- [Evgeny Grin (Karlson2k) brought this change] - - digest: fix missing increment of 'nc' value for auth-int - - - Increment nc regardless of qop type. - - Prior to this change nc was only incremented for qop type auth even - though libcurl sends nc with any qop. - - Closes https://github.com/curl/curl/pull/9090 - -Daniel Stenberg (5 Jul 2022) -- RELEASE-NOTES: synced - - Bumped to 7.85.0 - -- urldata: reduce size of four ftp related members - - ftp_filemethod, ftpsslauth and ftp_ccc are now uchars - - accepttimeout is now unsigned int - almost 50 days ought to be enough - for this value. - - Closes #9106 - -- urldata: reduce three type-members from int to uchar - - - timecondition - - proxytype - - method - - ... previously used their enum type in the struct, which made them - unnecesarily large. - - Closes #9105 - -- CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name - - Starting now, CURLOPT_FTP_RESPONSE_TIMEOUT is the alias instead of the - other way around. - - Since 7.20.0, CURLOPT_SERVER_RESPONSE_TIMEOUT has existed as an alias - but since the option is for more protocols than FTP the more "correct" - version of the option is the "server" one so now we switch. 
- - Closes #9104 - -- urldata: make 'ftp_create_missing_dirs' a uchar - - It only ever holds the values 0-2. - - Closes #9103 - -- [Don J Olmstead brought this change] - - cmake: support ngtcp2 boringssl backend - - Update the ngtcp2 find module to detect the boringssl backend. Determine - if the underlying OpenSSL implementation is BoringSSL and if so use that - as the ngtcp2 backend. - - Reviewed-by: Jakub Zakrzewski - Closes #9065 - -- urldata: change 4 timeouts to unsigned int from long - - They're not used for that long times anyway, 32 bit milliseconds is long - enough. - - Closes #9101 - -- urldata: make 'use_netrc' a uchar - - Closes #9102 - -- urldata: make 'buffer_size' an unsigned int - - It is already capped at READBUFFER_MAX which fits easily in 32 bits. - - Closes #9098 - -- urldata: remove the unused 'rtspversion' struct member - - Closes #9100 - -- urldata: make 'use_port' an usigned short - - ... instead of a long. It is already enforced to not attempt to set any - value outside of 16 bits unsigned. - - Closes #9099 - -- urldata: store dns cache timeout in an int - - 68 years ought to be enough for most. - - Closes #9097 - -- curl: proto2num: make sure obuf is inited - - Detected by Coverity. CID 1507052. - - Closes #9096 - -- cookie: use %zu to infof() for size_t values - - Detected by Coverity. CID 1507051 - Closes #9095 - -Viktor Szakats (4 Jul 2022) -- makefile.m32: add support for custom ARCH [ci skip] - - When building curl for target platform other than x64 and x86, it is now - possible to pass `ARCH=custom`, that will omit all hardcoded logic for - setting up CFLAGS/LDFLAGS/RCFLAGS for these platforms, and let these be - customized via `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, and a newly - added one for the resource compiler: `CURL_RCFLAG_EXTRAS`. - - This makes it possible to use `makefile.m32` to build for ARM64 for - example. 
- - Reviewed-by: Daniel Stenberg - Closes #9092 - -- cmake: do not force Windows target versions - - The goal of this patch is to avoid CMake forcing specific Windows - versions and rely on toolchain defaults or manual selection instead. - This gives back control to the user. This also brings CMake closer to - how autotools and `Makefile.m32` behaves in this regard. - - - CMake had a setting `ENABLE_INET_PTON` defaulting to `ON`, which did - nothing else than fixing the Windows build target to Vista. This also - happened when the toolchain did not have Vista support (e.g. original - MinGW), breaking such builds. - - In other environments it did not make a user-facing difference, - because libcurl has its own pton() implementation, so it works well - with or without Vista's inet_pton(). - - This patch drops this setting. inet_pton() is now used whenever - building for Vista or newer, either when requested manually or by - default with modern toolchains (e.g. mingw-w64). Older envs will fall - back to curl's pton(). - - Ref: https://github.com/curl/curl/pull/9027#issuecomment-1164157604 - Ref: https://github.com/curl/curl/pull/8997#issuecomment-1164344155 - - - When the user did no select a Windows target version manually, stop - explicitly targeting Windows XP, and instead use the toolchain default. - - This may pose an issue with old toolchains defaulting to pre-XP - targets. In such case you must manually target Windows XP via: - `-DCURL_TARGET_WINDOWS_VERSION=0x0501` - or - `-DCMAKE_C_FLAGS=-D_WIN32_WINNT=0x0501` - - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad - Closes #9046 - -- windows: improve random source - - - Use the Windows API to seed the fallback random generator. - - This ensures to always have a random seed, even when libcurl is built - with a vtls backend lacking a random generator API, such as rustls - (experimental), GSKit and certain mbedTLS builds, or, when libcurl is - built without a TLS backend. 
We reuse the Windows-specific random - function from the Schannel backend. - - - Implement support for `BCryptGenRandom()` [1] on Windows, as a - replacement for the deprecated `CryptGenRandom()` [2] function. - - It is used as the secure random generator for Schannel, and also to - provide entropy for libcurl's fallback random generator. The new - function is supported on Vista and newer via its `bcrypt.dll`. It is - used automatically when building for supported versions. It also works - in UWP apps (the old function did not). - - - Clear entropy buffer before calling the Windows random generator. - - This avoids using arbitrary application memory as entropy (with - `CryptGenRandom()`) and makes sure to return in a predictable state - when an API call fails. - - [1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom - [2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom - - Closes #9027 - -Daniel Stenberg (4 Jul 2022) -- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR - - ... as replacements for deprecated CURLOPT_PROTOCOLS and - CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the - 32 bit limit the old ones are facing. - - CURLINFO_PROTCOOL is now deprecated. - - The curl tool is updated to use the new options. - - Added test 1597 to verify the libcurl protocol parser. - - Closes #8992 - -- digest: simplify a switch() to a simple if - -- digest: provide a special bit for "sess" algos - - Also shortened the names and moved them to the .c file since they are - private for this source file only. Also made them #defines instead of - enum. - - Closes #9079 - -Jay Satiro (4 Jul 2022) -- [Thomas Weißschuh brought this change] - - select: do not return fatal error on EINTR from poll() - - The same was done for select() in 5912da25 but poll() was missed. 
- - Bug: https://bugs.archlinux.org/task/75201 - Reported-by: Alexandre Bury (gyscos at archlinux) - - Ref: https://github.com/curl/curl/issues/8921 - Ref: https://github.com/curl/curl/pull/8961 - Ref: https://github.com/curl/curl/commit/5912da25#r77584294 - - Closes https://github.com/curl/curl/pull/9091 - -- [Kai Pastor brought this change] - - cmake: fix build for mingw cross compile - - - Change normaliz lib name to all lowercase. - - This is from a standing patch in vcpkg: - Mingw has libnormaliz.a. For case-sensitive file systems (e.g. cross - builds from Linux), the spelling must match exactly. - - Closes https://github.com/curl/curl/pull/9084 - -- easy_lock: fix build for mingw - - - Define SRWLOCK symbols missing in some mingw environments. - - Closes https://github.com/curl/curl/pull/8997 - -Daniel Stenberg (2 Jul 2022) -- tool_progress: avoid division by zero in parallel progress meter - - Reported-by: Brian Carpenter - Fixes #9082 - Closes #9083 - -- http_aws_sigv4.c: remove two unusued includes - - Closes #9080 - -- .mailmap: additional edit - - Follow-up to 861e2a8aca6c7 so that Evgeny appears with the same in git - logs even when using old email. - -- RELEASE-NOTES: synced - - bumped to 7.84.1 - -- [Evgeny Grin (Karlson2k) brought this change] - - .mailmap: updated - -- [Evgeny Grin (Karlson2k) brought this change] - - THANKS: merged two entries for Evgeny Grin - - Also updated THANKS-filter file - - Closes #9076 - -- [Jilayne Lovejoy brought this change] - - lib/curl_path.c: add ISC to license expression - - THe text of the ISC license is in this file, so the SPDX license - expression should be updated - - Closes #9073 - -- [Sean McArthur brought this change] - - hyper: use wakers for curl pause/resume - - Closes #9070 - -Viktor Szakats (30 Jun 2022) -- Makefile.m32: do not set the libcurl.rc debug flag [ci skip] - - Delete `-DDEBUGBUILD=0` windres option. 
This was likely meant to - disable VS_FF_DEBUG in FILEFLAGS, but any assigned value enabled - it instead. Delete this unnecessary option and thus sync up with - how CMake compiles libcurl.rc by default. - - Reviewed-by: Jay Satiro - Closes #9069 - -Daniel Stenberg (29 Jun 2022) -- curl.h: CURLE_CONV_FAILED is obsoleted - - The last use was removed in 7.82.0. Updated some docs too to reflect the - current error code situation. - - Closes #9067 - -- curl: output warning when a cookie is dropped due to size - - Dropped from the request, that is. - - Closes #9064 - -- curl_mime_data.3: polish the wording - - Closes #9063 - -- configure: check for the stdatomic.h header in configure - - ... and only set HAVE_ATOMIC if that header exists since we use - typedefes set in it. - - Reported-by: Ryan Schmidt - Fixes #9059 - Closes #9060 - -- easy_lock: fix the #ifdef conditional for ia32_pause - - To work better with new and old clang compilers. - - Reported-by: Ryan Schmidt - Assisted-by: Joshua Root - - Fixes #9058 - Closes #9062 - -- easy_lock: switch to using atomic_int instead of bool - - To work with more compilers without requiring separate libs to - link. Like with gcc-12 for RISC-V on Linux. - - Reported-by: Adam Sampson - Fixes #9055 - Closes #9061 - -- [vvb2060 brought this change] - - ngtcp2: fix incompatible function pointer types - - Closes #9056 - -- [vvb2060 brought this change] - - easy_lock.h: use __asm__ instead of asm to fix build - - Closes #9056 - -- [Samuel Henrique brought this change] - - libcurl-security.3: fix typo on macro "SH_" - - During the packaging of the latest curl release for Debian, Lintian - warned me about a typo which causes the section name "Secrets in memory" - to not be rendered in the manpage due to "SH_" not being recognized as a - header. 
- - Closes #9057 - -- easy_lock.h: include sched.h if available to fix build - - Patched-by: Harry Sintonen - - Closes #9054 - -Version 7.84.0 (27 Jun 2022) - -Daniel Stenberg (27 Jun 2022) -- RELEASE-NOTES: synced - - Version 7.84.0 release - -- THANKS: contributors from 7.84.0 release notes - -- hsts: use Curl_fopen() - -- altsvc: use Curl_fopen() - -- fopen: add Curl_fopen() for better overwriting of files - - Bug: https://curl.se/docs/CVE-2022-32207.html - CVE-2022-32207 - Reported-by: Harry Sintonen - Closes #9050 - -- test444: test many received Set-Cookie: - - The amount of sent cookies in the test is limited to 80 because hyper - has its own strict limits in how many headers it allows to be received - which triggers at some point beyond this number. - -- test442/443: test cookie caps - - 442 - verify that only 150 cookies are sent - 443 - verify that the cookie: header remains less than 8K in size - -- cookie: apply limits - - - Send no more than 150 cookies per request - - Cap the max length used for a cookie: header to 8K - - Cap the max number of received Set-Cookie: headers to 50 - - Bug: https://curl.se/docs/CVE-2022-32205.html - CVE-2022-32205 - Reported-by: Harry Sintonen - Closes #9048 - -- test387: verify rejection of compression chain attack - -- content_encoding: return error on too many compression steps - - The max allowed steps is arbitrarily set to 5. - - Bug: https://curl.se/docs/CVE-2022-32206.html - CVE-2022-32206 - Reported-by: Harry Sintonen - Closes #9049 - -- krb5: return error properly on decode errors - - Bug: https://curl.se/docs/CVE-2022-32208.html - CVE-2022-32208 - Reported-by: Harry Sintonen - Closes #9051 - -- easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro - - clang 14 warns about its use. 
It is being deprecated by the working - group for the programming language C: "The macro ATOMIC_VAR_INIT is - basically useless for the purpose for which it was designed" - - Ref: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2886.htm - - Reported-by: Tatsuhiro Tsujikawa - Fixes #9041 - Closes #9042 - -- [Stefan Eissing brought this change] - - ngtcp2: avoid supplying 0 length `msg_control` to sendmsg() - - Testing on macOS 12.4, sendmsg() fails with EINVAL when a msg_control - buffer is provided in sengmsg(), even though msg_controllen was set to - 0. - - Initialize msg.msg_controllen just as needed and also perform the size - assertion only when needed. - - Closes #9039 - -- [Tom Eccles brought this change] - - ftp: restore protocol state after http proxy CONNECT - - connect_init() (lib/http_proxy.c) swaps out the protocol state while - working on the proxy connection, this is then restored by - Curl_connect_done() after the connection completes. - - ftp_do_more() extracted the protocol state pointer to a local variable - at the start of the function then calls Curl_proxy_connect(). If the proxy - connection completes, Curl_proxy_connect() will call Curl_connect_done() - (via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp - protocol state instead of the http proxy protocol state, but the local - variable in ftp_do_more still pointed to the old value. - - Ultimately this meant that the state worked on by ftp_do_more() was the - http proxy state not the ftp state initialised by ftp_connect(), but - subsequent calls to any ftp_ function would use the original state. - - For my use-case, the visible consequence was that ftp->downloadsize was - never set and so downloaded data was never returned to the application. - - This commit updates the ftp protocol state pointer in ftp_do_more() after - Curl_proxy_connect() returns, ensuring that the correct state pointer is - used. 
- - Fixes #8737 - Closes #9043 - -Jay Satiro (23 Jun 2022) -- THANKS: add contributor missing from aea8ac1 - - aea8ac1 fixed #8980 which was reported by Sgharat on github, but that - info was not included in the commit message. - -- curl_setup: include _mingw.h - - Prior to this change _mingw.h needed to be included in each unit before - evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It - is included only in some mingw headers (eg stdio.h) and not others - (eg windows.h) so it's better to explicitly include it once. - - Closes https://github.com/curl/curl/pull/9036 - -Viktor Szakats (22 Jun 2022) -- rand: stop detecting /dev/urandom in cross-builds - - - Prevent CMake to auto-detect /dev/urandom when cross-building. - Before this patch, it would detect it in a cross-build scenario on *nix - hosts with this device present. This was a problem for example with - Windows builds, but it could affect any target system with this device - missing. This also syncs detection behaviour with autotools, which also - skips it for cross-builds. - - Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's - fallback random number generator on Windows. Windows does not have the - concept of reading a random stream from a filename, nor any guaranteed - non-world-writable path on disk. With this, a manual misconfiguration or - an overeager auto-detection can no longer result in a user-controllable - seed source. - - Reviewed-by: Daniel Stenberg - Closes #9038 - -Daniel Stenberg (22 Jun 2022) -- [Emanuele Torre brought this change] - - ci: avoid `cmake -Hpath` - - This is an undocumented option similar to the `-Spath' option introduced - in cmake 3.13. - Replace all instances of `-Hpath' with `-Spath' in macos workflow. - Replace `-H. -Bpath' with `mkdir path; cd ./path; cmake ..' in zuul - scripts since it runs an older version of cmake. 
- - Fixes #9008 - Closes #9014 - -- INTERNALS: bring back the "Library symbols" section - - Most contents was moved, but this text should remain here. - - Follow-up to: d324ac8 - Reported-by: Viktor Szakats - Bug: https://github.com/curl/curl/pull/9027#discussion_r903382326 - Closes #9037 - -Viktor Szakats (22 Jun 2022) -- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip] - - Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows - XP when the `-ipv6` option is selected. Maybe this was added to support - pre-XP Windows versions (?). These days libcurl builds fine for both XP - and post-XP versions with IPv6 support enabled. The relevance of pre-XP - version is also low by now. Other build methods also do not impose such - limitation for a similar configuration. So, drop this hard-wired - `_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default - Windows version set by the compiler. This is Vista for recent MinGW - versions. - - Old behaviour can be restored by setting this envvar: - export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501 - - [1] 98a61d8e2e8982786aaf3916cbbcac96838316e7 - - Closes #9035 - -Daniel Stenberg (21 Jun 2022) -- CONTRIBUTE: mention how we maintain REUSE compliance - - for copyright and license information of all files stored in git - - Closes #9032 - -- CURLOPT_ALTSVC.3: document the file format - - Closes #9033 - -Jay Satiro (21 Jun 2022) -- runtests: add "threadsafe" to detected features - - Follow-up to recent commits which added thread-safety support. 
- - Bug: https://github.com/curl/curl/pull/9012#discussion_r902018782 - Reported-by: Marc Hörsken - - Closes https://github.com/curl/curl/pull/9030 - -Daniel Stenberg (20 Jun 2022) -- easy: remove dead code - - Follow-up from 5912da253b64d - - Detected by Coverity (CID 1506519) - - Closes #9029 - -- [Glenn Strauss brought this change] - - transfer: upload performance; avoid tiny send - - Append to the upload buffer when only small amount remains in buffer - rather than performing a separate tiny send to empty buffer. - - Avoid degenerative upload behavior which might cause curl to send mostly - 1-byte DATA frames after exhausing the h2 send window size - - Related discussion: https://github.com/nghttp2/nghttp2/issues/1722 - - Signed-off-by: Glenn Strauss - Closes #8965 - -- [Steve Holme brought this change] - - projects: fix third-party SSL library build paths for Visual Studio - - The paths used by the build batch files were inconsistent with those in - the Visual Studio project files. - - Closes #8991 - -- [Pierrick Charron brought this change] - - urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts - - As per the documentation : - - > Setting a part to a NULL pointer will effectively remove that - > part's contents from the CURLU handle. - - But currently clearing CURLUPART_URL does nothing and returns - CURLUE_OK. This change will clear all parts of the URL at once. - - Closes #9028 - -- [Philip Heiduck brought this change] - - CI: bump FreeBSD 13.0 to 13.1 - - 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - Closes #8815 - -- RELEASE-NOTES: synced - - and updated release date in RELEASE-PROCEDURE.md - -- [divinity76 brought this change] - - CURLOPT_HTTPHEADER.3: improve comment in example - - Closes #9025 - -Marc Hoersken (16 Jun 2022) -- CI/azure: reduce flakiness by retrying install/prepare steps - - Closes #9010 - -- CI/cirrus: align Windows timeout with Azure CI at 120 minutes - - Closes #9009 - -Jay Satiro (16 Jun 2022) -- vtls: make curl_global_sslset thread-safe - - .. and update some docs to explain curl_global_* is now thread-safe. - - Follow-up to 23af112 which made curl_global_init/cleanup thread-safe. - - Closes https://github.com/curl/curl/pull/9016 - -- curl_easy_pause.3: remove explanation of progress function - - - Remove misleading text that says progress function "gets called at - least once per second, even if the connection is paused." - - The progress function behavior is more nuanced and the user is better - served reading the progress function doc rather than attempt to explain - it in the curl_easy_pause doc. - - The progress function can only be called at least once per second if an - appropriate multi transfer function is called (eg curl_multi_perform) in - that time. For a paused transfer there may not be such a call. Rather - than explain this in detail in the curl_easy_pause doc, rely on the user - reading the CURLOPT_PROGRESSFUNCTION doc. - - Ref: https://github.com/curl/curl/issues/8983 - - Closes https://github.com/curl/curl/pull/9015 - -Daniel Stenberg (15 Jun 2022) -- libssh: skip the fake-close when libssh does the right thing - - Starting in libssh 0.10.0 ssh_disconnect() will no longer close our - socket. Instead it will be kept alive as we want it, and it is our - responsibility to close it later. 
- - Ref: #8718 - Ref: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/240 - Closes #9021 - -- configure: warn about rustls being experimental - - Right now a dozen test cases are disabled because they don't work with - rustls. - - Closes #9019 - -- runtests: skip starting the ssh server if user name is lacking - - Because the ssh server startup script *requires* a user name there's no - point in invoking it if no name was found. - - Reported-by: Ricardo M. Correia - Ref: #9007 - Closes #9013 - -- copyright.pl: parse and use .reuse/dep5 for skips - - Also scan skipped files to be able to find superfluous ignores, shown with -v. - - Closes #9006 - -- reuse/dep5: adjusted to parse better - - ... adjusted a few files to contain copyright and license info. - - Closes #9006 - -- buildconf.bat: update copyright year range - - Closes #9006 - -- README.md: use the common "Copyright" style formatting - - Closes #9006 - -- reuse: move license info from .mailmap.license to .reuse/dep5 - - Closes #9006 - -- README.md: add a REUSE badge - - Closes #9004 - -- .reuse/dep5: remove recursive docs ignore, only skip markdown files - - ... and some additional non-markdown individual files in docs/ - - Closes #9005 - -- docs/cmdline-opts: add copyright and license identifier to each file - - gen.pl now insists on C: and SPDX-License-Identifier: fields to be - present in all files. - - Closes #9002 - -- copyright: info for/ignore .github/ISSUE_TEMPLATE/bug_report.md - - Follow-up from 448f7ef9ab2afb7. The adding of the copyright text in that - file broke site functionality. - - Closes #9001 - -- bug_report.md: revert the REUSE template to see if it works again - -Viktor Szakats (13 Jun 2022) -- version: rename threadsafe-init to threadsafe - - Referring to Daniel's article [1], making the init function thread-safe - was the last bit to make libcurl thread-safe as a whole. 
So the name of - the feature may as well be the more concise 'threadsafe', also telling - the story that libcurl is now fully thread-safe, not just its init - function. Chances are high that libcurl wants to remain so in the - future, so there is little likelihood of ever needing any other distinct - `threadsafe-` feature flags. - - For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to - `CURL_VERSION_THREADSAFE`, update its description and reference libcurl's - thread safety documentation. - - [1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-safe/ - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - Closes #8989 - -Daniel Stenberg (13 Jun 2022) -- test3026: disable on win32 - - ... as it's not likely to have working pthreads - - Closes #8996 - -- GHA: shorten the reuse CI job name - - "REUSE compliance / check" should be good enough - - Closes #9000 - -- misc: add missing SPDX-License-Identifier info - - For some reason the REUSE CI job did not find these. - - Closes #8999 - -- copyright: verify SPDX-License-Identifier presence as well - -- easy_lock: add SPDX license identifier - - Closes #8998 - -- mailmap: Max Mehl - -- [Max Mehl brought this change] - - git: ignore large commit making the curl REUSE compliant - -- [Max Mehl brought this change] - - copyright: make repository REUSE compliant - - Add licensing and copyright information for all files in this repository. This - either happens in the file itself as a comment header or in the file - `.reuse/dep5`. - - This commit also adds a Github workflow to check pull requests and adapts - copyright.pl to the changes. 
- - Closes #8869 - -- curl_url_set.3: clarify by default using known schemes only - - Closes #8994 - -- scripts/copyright.pl: ignore leading spaces - -Viktor Szakats (10 Jun 2022) -- ngtcp2: fix typo in preprocessor condition - - Ref: 927ede7edcb7b05b8e8bbf9ced6aed523ae594a7 - - Bug: https://github.com/curl/curl/pull/8981#discussion_r894312185 - Reported-by: Emil Engler - Closes #8987 - -Daniel Stenberg (10 Jun 2022) -- RELEASE-NOTES: synced - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: build without sendmsg - - Closes #8981 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: use handshake helper funcs to simplify TLS handshake integration - - Closes #8968 - -- test390: verify --parallel - - Closes #8985 - -- test1543: verify CURLINFO_EFFECTIVE_URL with CURLOPT_CURLU set - - Triggered by a bug report from Adam Light: - https://curl.se/mail/lib-2022-06/0013.html - which ended up being mostly - a misunderstanding of how CURLINFO_EFFECTIVE_URL works. - - Closes #8971 - -- url: URL encode the path when extracted, if spaces were set - -- urlapi: support CURLU_URLENCODE for curl_url_get() - -- server/sws: support spaces in the HTTP request path - -- tests/getpart: fix getpartattr to work with "data" and "data2" - -- select: return error from "lethal" poll/select errors - - Adds two new error codes: CURLE_UNRECOVERABLE_POLL and - CURLM_UNRECOVERABLE_POLL one each for the easy and the multi interfaces. - - Reported-by: Harry Sintonen - Fixes #8921 - Closes #8961 - -- test3026: add missing control file - - Follow-up from 2ed101256414ea5 - - Makes the test run, makes 'make dist' work - - This single test takes 24-25 seconds on my machine (with valgrind). For - this reason I tag it with a "slow" keyword. - - Closes #8976 - -- runtests: fix skipping tests not done event-based - - ... and call timestampskippedevents() to avoid the flood of - uninitialized variable warnings. 
- - Closes #8977 - -- transfer: maintain --path-as-is after redirects - - Reported-by: Marcus T - Fixes #8974 - Closes #8975 - -- test391: verify --path-as-is with redirect - -Jay Satiro (8 Jun 2022) -- curl_global_init.3: Separate the Windows loader lock warning - - This is a slight correction of the parent commit which implied the - loader lock warning only applied if not thread-safe. In fact the loader - lock warning applies either way. - - Ref: https://github.com/curl/curl/pull/8972#discussion_r891987030 - -Daniel Stenberg (8 Jun 2022) -- curl_global_init.3: this is now (usually) thread-safe - - Follow-up to 23af112f5556 - - Closes #8972 - -Jay Satiro (8 Jun 2022) -- [Haxatron brought this change] - - libcurl-security.3: Document CRLF header injection - - - Document that user input to header options is not sanitized, which - could result in CRLF used to modify the request in a way other than - what was intended. - - Ref: https://hackerone.com/reports/1589877 - Ref: https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0d7cfe545 - - Closes https://github.com/curl/curl/pull/8964 - -- CURLOPT_RANGE.3: remove ranged upload advice - - The e-mail link in the advice contains instructions that are prone to - error. We need an example that works and can demonstrate how to properly - perform a ranged upload, and then we can refer to that example instead. - - Bug: https://github.com/curl/curl/issues/8969 - Reported-by: Simon Berger - - Closes https://github.com/curl/curl/pull/8970 - -Daniel Stenberg (7 Jun 2022) -- [Thomas Guillem brought this change] - - curl_version_info: add CURL_VERSION_THREADSAFE_INIT - - This flag can be used to make sure that curl_global_init() is - thread-safe. - - This can be useful for libraries that can't control what other - dependencies are doing with Curl. 
- - Closes #8680 - -- [Thomas Guillem brought this change] - - lib: make curl_global_init() threadsafe when possible - - Use a posix pthread or a Windows SRWLOCK to lock curl_global_init*() and - curl_global_cleanup(). - - Closes #8680 - -- RELEASE-NOTES: synced - -- [Fabian Keil brought this change] - - test414: add the '--resolve' keyword - - ... so the test can be automatically skipped when - using an external proxy like Privoxy. - - Closes #8959 - -- [Fabian Keil brought this change] - - test{440,441,493,977}: add "HTTP proxy" keywords - - ... so the tests can be automatically skipped when - using an external proxy like Privoxy. - - Closes #8959 - -- [Fabian Keil brought this change] - - runtests.pl: add the --repeat parameter to the --help output - - Closes #8959 - -- [Fabian Keil brought this change] - - test 2081: add a valid reply for the second request - - ... so the test works when using a HTTP proxy like - Privoxy that sends an error message if the server - doesn't send data. - - Closes #8959 - -- [Fabian Keil brought this change] - - test 675: add missing CR so the test passes when run through Privoxy - - Closes #8959 - -- ftp: when failing to do a secure GSSAPI login, fail hard - - ... instead of switching to cleartext. For the sake of security. - - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1590102 - Closes #8963 - -- http2: reject overly many push-promise headers - - Getting more than a thousand of them is rather a sign of some kind of - attack. 
- - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1589847 - Closes #8962 - -- [Fabian Keil brought this change] - - misc: spelling improvements - - Closes #8956 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix assertion failure on EMSGSIZE - - Closes #8958 - -- easy/transfer: fix cookie-disabled build - - Follow-up from 45de940cebf6a - Reported-by: Marcel Raad - Fixes #8953 - Closes #8954 - -- examples/crawler.c: use the curl license - - With permission from Jeroen Ooms - - URL: https://github.com/curl/curl/pull/8869#issuecomment-1144742731 - Closes #8950 - -- speed-limit/time.d: mention these affect transfers in either direction - - Reported-by: Ladar Levison - Fixes #8948 - Closes #8951 - -- scripts/copyright.pl: fix the exclusion to not ignore man pages - - Ref: #8869 - Closes #8952 - -- examples: remove fopen.c and rtsp.c - - To simplify the license situation, as they were the only files in the - source tree using these specific BSD-3 clause licenses. - - For an fopen style API, we recommend instead going - https://github.com/curl/fcurl - - Ref: #8869 - Closes #8949 - -- [Wolf Vollprecht brought this change] - - netrc: check %USERPROFILE% as well on Windows - - Closes #8855 - -- CURLOPT_SSH_HOSTKEYDATA/FUNCTION.3: minor polish - -- [michael musset brought this change] - - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION - - The callback set by CURLOPT_SSH_HOSTKEYFUNCTION is called to check - wether or not the connection should continue. - - The host key is passed in argument with a custom handle for the - application. - - It overrides CURLOPT_SSH_KNOWNHOSTS - - Closes #7959 - -- docs/CONTRIBUTE.md: document the 'needs-votes' concept - - A pull request sent to the project might get labeled `needs-votes` by a - project maintainer. This label means that in addition to meeting all - other checks and qualifications this pull request must also receive - proven support/thumbs-ups from more community members to be considered - for merging. 
- - Closes #8910 - -- [Evgeny Grin (Karlson2k) brought this change] - - digest: tolerate missing "realm" - - Server headers may not define "realm", avoid NULL pointer dereference - in such cases. - - Closes #8912 - -- [Evgeny Grin (Karlson2k) brought this change] - - digest: added detection of more syntax error in server headers - - Invalid headers should not be processed otherwise they may create - a security risk. - - Closes #8912 - -- [Evgeny Grin (Karlson2k) brought this change] - - digest: unquote realm and nonce before processing - - RFC 7616 (and 2617) requires values to be "unquoted" before used for - digest calculations. The only place where unquoting can be done - correctly is header parsing function (realm="DOMAIN\\host" and - realm=DOMAN\\host are different realms). - - This commit adds unquoting (de-escaping) of all values during header - parsing and quoting of the values during header forming. This approach - should be most straightforward and easy to read/maintain as all values - are processed in the same way as required by RFC. - - Closes #8912 - -- headers: handle unfold of space-cleansed headers - - Detected by OSS-fuzz - - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47767 - - Updated test 1274 - - Closes #8947 - -- lib: make more protocol specific struct fields #ifdefed - - ... so that they don't take up space if the protocols are disabled in - the build. - - Closes #8944 - -- DISABLED: disable 1021 for hyper again - - due to flakiness in the CI builds - -- urldata: store tcp_keepidle and tcp_keepintvl as ints - - They can't be set larger than INT_MAX in the setsocket API calls. - - Also document the max values in their respective man pages. - - Closes #8940 - -- urldata: reduce size of a few struct fields - - When the values are never larger than 32 bit, ints are better than longs. 
- - Closes #8940 - -- urldata: remove three unused booleans from struct UserDefined - - - is_fwrite_set - - free_referer - - strip_path_slash - - Closes #8940 - -- remote-name.d: mention --output-dir - - plus add two see-alsos - - Closes #8945 - -Jay Satiro (1 Jun 2022) -- configure: skip libidn2 detection when winidn is used - - Prior to this change --with-winidn could be overridden by libidn2 - detection. - - Closes https://github.com/curl/curl/pull/8934 - -Daniel Stenberg (31 May 2022) -- CURLOPT_FILETIME.3: fix the protocols this works with - -- test681: verify --no-remote-name - - Follow-up to 83ee5c428d960 (from #8931) - - Closes #8942 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: enable Linux GSO - - Enable Linux GSO in ngtcp2 QUIC. In order to recover from the - EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write, - packet buffer is now held by struct quicsocket. GSO write might fail in - runtime depending on NIC. Disable GSO if sendmsg returns EIO. - - Closes #8909 - -- CURLOPT_PORT.3: We discourage using this option - - Closes #8941 - -- RELEASE-NOTES: synced - -- headers_push: error out if a folded header has no previous header - - As that would indicate an illegal header. The fuzzer reached the assert - in unfold_value() proving that this case can happen. - - Follow-up to c9b60f005358a364 - - Closes #8939 - -- [Boris Verkhovskiy brought this change] - - curl: re-enable --no-remote-name - - Closes #8931 - -- test680: require 'http' since it uses such a URL - - Follow-up to d1b376c03524 - -- CURLOPT_NETRC.3: document the .netrc file format - -- test680: verify rejection of malformatted .netrc quoted password - -- test679: verify netrc quoted string - -- netrc: support quoted strings - - The .netrc parser now accepts strings within double-quotes in order to - deal with for example passwords containing white space - which - previously was not possible. 
- - A password that starts with a double-quote also ends with one, and - double-quotes themselves are escaped with backslashes, like \". It also - supports \n, \r and \t for newline, carriage return and tabs - respectively. - - If the password does not start with a double quote, it will end at first - white space and no escaping is performed. - - WARNING: this change is not entirely backwards compatible. If anyone - previously used a double-quote as the first letter of their password, - the parser will now get it differently compared to before. This is - highly unfortunate but hard to avoid. - - Reported-by: ImpatientHippo on GitHub - Fixes #8908 - Closes #8937 - -- curl_getdate.3: document that some illegal dates pass through - - Closes #8938 - -- CI: remove configure --enable-headers-api flags - -- headers api: remove EXPERIMENTAL tag - - Closes #8900 - -Daniel Gustafsson (30 May 2022) -- cookies: fix documentation comment - - Commit 4073cd83b2 added the noexpire parameter to Curl_cookie_add but - missed updating the documentation comment at the head of the file. - -Daniel Stenberg (30 May 2022) -- [Marc Hoersken brought this change] - - tests/data/test1940: use binary mode for expected stdout - - The generated stdout data is written in binary mode with [LF] - line endings, therefore we also need to do a binary comparison. - - Assisted-by: Jay Satiro - Assisted-by: Daniel Stenberg - - Follow up to c9b60f005358a364cbcddbebd8d12593acffdd84 - Fixes #8920 - Closes #8936 - -- CURLINFO_CAINFO/PATH.3: clarify the multiple TLS situation - - Spell out the multi-TLS situation. - - Reported-by: Dan Fandrich - Fixes #8926 - Closes #8932 - -Jay Satiro (28 May 2022) -- [JustAnotherArchivist brought this change] - - tool_getparam: fix --parallel-max maximum value constraint - - - Clamp --parallel-max to MAX_PARALLEL (300) instead of resetting to - default value. 
- - Previously, --parallel-max 300 would use 300 concurrent transfers, but - --parallel-max 301 would unexpectedly use only 50. This change clamps - higher values to the maximum (ie --parallel-max 301 would use 300). - - Closes https://github.com/curl/curl/pull/8930 - -Daniel Stenberg (27 May 2022) -- curl.1: add a few see also --tls-max - - Closes #8929 - -Viktor Szakats (26 May 2022) -- cmake: do not add libcurl.rc to the static libcurl library - - Fixes: https://github.com/curl/curl/pull/8918#issuecomment-1138263855 - - Reviewed-By: Karlson2k@users.noreply.github.com - Closes #8923 - -- cmake: support adding a suffix to the OS value - - CMake automatically uses the `CMAKE_SYSTEM_NAME` value to fill the OS - string appearing in the --version output after the curl version number, - for example: - - 'curl 7.83.1 (Windows)' - - This patchs adds the ability to pass a suffix that is appended to this - value. It's useful to add CPU info or other platform details, - for example: - - 'curl 7.83.1 (Windows-x64)' - - Closes #8919 - -- cmake: enable curl.rc for all Windows targets - - Before this patch, it was only enabled for MSVC. This syncs this - configuration with libcurl.rc, which was already included with - every Windows compiler. - - Closes #8918 - -- cmake: fix detecting libidn2 - - Without this patch, libidn2 detection doesn't even seem to be - attempted. With this patch, cmake can be configured to pick it - up and enable it. Necessary configuration remains manual and - differs from most other dependencies. - - If you are aware of a better fix, we're glad hearing about it - in a new Issue. - - Closes #8917 - -- version: allow stricmp() for sorting the feature list - - In CMakeLists.txt there is an attempt to detect `stricmp()`, and in - certain cases, this attempt is the only successful one to detect a - case-insensitive comparison function. `HAVE_STRICMP` is defined as - a result, but this macro wasn't used anywhere in the source. 
This - patch makes use of it as an alternative when alpha-sorting the - `--version` feature list. - - Reviewed-by: Daniel Stenberg - Closes #8916 - -Daniel Stenberg (25 May 2022) -- DISABLED: add six tests that fail with hyper - - 1117 1274 1940 1941 1942 1943 - -- c-hyper: mark status line as status for Curl_client_write() - - To make sure the headers API can filter it out as not a regular header. - - Reported-by: Gisle Vanem - Fixes #8894 - Closes #8914 - -Marc Hoersken (25 May 2022) -- tests/data/test1501: kill ftp server after slow LIST response - - This test is contributing to flakiness on the Windows CI runs. - Killing the ftp server after the test run like other slowness - tests already do may help resolve or reduce the flakiness. - - Closes #8907 - -Daniel Stenberg (25 May 2022) -- headers: fix the unfold realloc to use proper new size - - Previously it didn't take the old name length into acount - - Follow-up to: c9b60f005358a364 - Closes #8913 - -Marc Hoersken (25 May 2022) -- GHA: align all install, configure and build steps again - - First step towards more unified build steps on GitHub Actions. - - Closes #8873 - -- CI/azure: remove obsolete strategy for single builds - - This shortens these CI job names on GitHub even more. - Follow up to #8906 which also increased their timeout. - - Closes #8911 - -- CI/azure: shorten names of Windows CI jobs - - Suggested-by: Daniel Stenberg - Closes #8906 - -Daniel Stenberg (24 May 2022) -- http: restore header folding behavior - - Folded header lines will now get passed through like before. The headers - API is adapted and will provide the content unfolded. - - Added test 1274 and extended test 1940 to verify. - - Reported-by: Petr Pisar - Fixes #8844 - Closes #8899 - -Viktor Szakats (24 May 2022) -- Makefile.m32: delete obsolete options, improve -On [ci skip] - - - `-D_AMD64_` has not been necessary for mingw-w64 builds for a long time now. 
- - `-fno-strict-aliasing` is mentioned for Intel C compiler in autotools, and - I used this with VxWorks in another project, but otherwise this isn't - necessary anymore as a default. If a target still needs it, it can be - added with `CURL_CFLAG_EXTRAS=-fno-strict-aliasing` - - bump up default optimization level to `-O3` (from `-O2`), and also rearrange - option order so the default can now be overridden via - `CURL_CFLAG_EXTRAS`. - - delete `-g` (generate debug info) from `CFLAGS` and `-s` from `LDFLAGS` - (strip debug info). They were working against each other. Now, if someone - needs debug info, it can be enabled via `CURL_CFLAG_EXTRAS=-g` - - Closes #8904 - -Daniel Gustafsson (24 May 2022) -- ntlm: fix one more hostname test fallout - - This fixup was missed in commit 5a41abef6dca19. - - Closes: #8901 - Reviewed-by: Daniel Stenberg - -- doh: remove UNITTEST macro definition - - The UNITTEST macro is defined by curl_setup.h so there is no use in - carry a local copy of the logic. - - Closes: #8902 - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (24 May 2022) -- cookie: fix false positive "potentially uninitialized local variable" - - Reviewed-by: Daniel Gustafsson - Closes #8903 - -- curl: add --rate to set max request rate per time unit - - --rate "12/m" - for 12 per minute or - --rate "5/h" - for 5 per hour - - Removed from TODO - - Closes #8671 - -- [Jay Satiro brought this change] - - max-time.d: clarify max-time sets max transfer time - - Prior to this change the doc said --max-time set the maximum time of the - 'whole operation' which is not accurate. The option maps to - CURLOPT_TIMEOUT_MS which sets maximum transfer time. - - For example, the maximum time on a transfer is reset if the transfer is - retried (--retry). 
- - Reported-by: Nuru@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/8877 - Closes #8879 - -- GHA/hyper: enable debug in the build - -- hyper: use 'alt-used' - - Makes test 412+413 work - - Closes #8898 - -- RELEASE-NOTES: synced - -- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl - - Closes #8888 - -- links: update dead links - - The wiki pages are gone, remove and link to more long-living docs. - - Closes #8897 - -- ntlm: (void) typecast msnprintf() where we ignore return code - - Follow-up to 5a41abef6, to please Coverity - -Daniel Gustafsson (22 May 2022) -- ntlm: copy NTLM_HOSTNAME to host buffer - - Commit 709ae2454f43 added a fake hostname to avoid leaking the local - hostname, but omitted copying it to the host buffer. Fix by copying - and adjust the test fallout. - - Closes: #8895 - Fixes: #8893 - Reported-by: Patrick Monnerat - Reviewed-by: Daniel Stenberg - -- configure: use the SED value to invoke sed - - Rather than assuming sed in PATH, use the resolved $SED variable - like in all other invocations of sed in configure. - - Closes: #8891 - Reviewed-by: Daniel Stenberg - Reviewed-by: Marcel Raad - -Daniel Stenberg (20 May 2022) -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Allow curl to send larger UDP datagrams - - Allow curl to send larger UDP datagram if Path MTU Discovery finds the - availability of larger path MTU. To make it work and not to send - fragmented packet, we need to set DF bit. That makes send(2) fail with - EMSGSIZE if UDP datagram is too large. In that case, just let it be - lost. This patch enables DF bit for Linux only. - - Closes #8883 - -- libcurl-security.3: add "Secrets in memory" - - Closes #8881 - -- tests: update NTLM tests to use new host name - - Also drop the debug requirement, remove the setenv sections, remove - prechecks and add NTLM to the top keywords. 
- - Closes #8889 - -- ntlm: provide a fixed fake host name - - The NTLM protocol includes providing the local host name, but apparently - other implementations already provide a fixed fake name instead to avoid - leaking the real local name. - - The exact name used is 'WORKSTATION', because Firefox uses that. - - The change is written to allow someone to "back-pedal" fairly easy in - case of need. - - Reported-by: Carlo Alberto - Fixes #8859 - Closes #8889 - -Daniel Gustafsson (20 May 2022) -- KNOWN_BUGS: fix typo in problem description - - s/TSL/TLS/ - -- FEATURES: remove yassl as TLS library for NTLM - - yassl was added in commit 9d904ee41b880b but is no longer available - and is thus not a library to use for NTLM. This aligns the FEATURES - doc with the FAQ. - - Closes: #8886 - Reviewed-by: Daniel Stenberg - -- FEATURES: reorder footnotes - - The empty left-behind footnote confused the website rendering into - creating a nested emoty list, making the resulting page look quite - odd. Remove and re-order the remaining ones to avoid a gap in the - sequence. - - Closes: #8886 - Reviewed-by: Daniel Stenberg - -- FAQ: remove opinionated sentence on NTLM - - curl is a tool that support many different things, and it doesn't - really seem like our job to tell other what to use (as they might - not have much say in the matter even). Also tidy up wording. - - Closes: #8886 - Reviewed-by: Daniel Stenberg - -Viktor Szakats (20 May 2022) -- log2changes: do not indent empty lines [ci skip] - - This will omit two spaces of indentation from lines with no content, - thus avoiding 'spaces @ EOL'. 
- - Reviewed-by: Daniel Stenberg - Closes #8887 - -Daniel Stenberg (19 May 2022) -- wolfssl: correct the failf() message when a handle can't be made - - Closes #8885 - -Viktor Szakats (19 May 2022) -- Makefile.m32: delete two obsolete OpenSSL options [ci skip] - - - -DOPENSSL_NO_KRB5: No longer used by OpenSSL 1.1.x, 3.x, or - LibreSSL 3.5.x, yet it collides with the latter, which defines - it unconditionally, resulting in this warning: - ../../libressl/include/openssl/opensslfeatures.h:14:9: warning: 'OPENSSL_NO_KRB5' macro redefined [-Wmacro-redefined] - It was originally added to curl in 2004. - - - -DHAVE_OPENSSL_PKCS12_H: No longer used by OpenSSL 1.1.x, 3.x, or - LibreSSL back to at least 2.5.5. Originally added in the same - commit as the above, in 2004. - - Closes #8884 - -Daniel Stenberg (19 May 2022) -- RELEASE-NOTES: synced - - bump to 7.84.0 - -- [Christian Weisgerber via curl-library brought this change] - - Makefile.am: fix portability issues - - Commit a04f0b961333e1a19848d073d8c7db9c20b2a371 made me notice that - there is a portability issue in curl's top-level Makefile.am. - - $< can only be used in rules that deal with .SUFFIXES. Its use - for general prerequisites is a GNU make extension. 
- - $< could be replaced by $?, but I think in an autotools context, - something like this is better: - - Bug: https://curl.se/mail/lib-2022-05/0024.html - Closes #8861 - -- [Balakrishnan Balasubramanian brought this change] - - socks: support unix sockets for socks proxy - - Usage: - curl -x "socks5h://localhost/run/tor/socks" "https://example.com" - - Updated runtests.pl to run a socksd server listening on unix socket - - Added tests test1467 test1468 - - Added documentation for proxy command line option and socks proxy - options - - Closes #8668 - -- [Vincent Torri brought this change] - - cmake: add libpsl support - - Fixes #8865 - Closes #8867 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: extend QUIC transport parameters buffer - - Extend QUIC transport parameters buffer because 64 bytes are too - short for the ever increasing parameters. - - Closes #8872 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: handle error from ngtcp2_conn_submit_crypto_data - - Closes #8871 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: send appropriate connection close error code - - Closes #8870 - -- test1561: adjusted for the cookie fix - -- test414: verify secure cookie domain overlay - -- [Harry Sintonen brought this change] - - cookie: address secure domain overlay - - Bug: https://hackerone.com/reports/1560324 - Co-authored-by: Daniel Stenberg - Closes #8840 - -- [Frank Gevaerts brought this change] - - strcase: some optimisations - - Lookup tables for toupper() and tolower() make Curl_strcasecompare() - about 1.5 times faster. Reorganising Curl_strcasecompare() to fully exit - early then also allows simplifying the check at the end, for another - 15%. In total, the changes make Curl_strcasecompare() around 1.6 to 1.7 - times faster. - - Note that these optimisation assume ASCII. The original - Curl_raw_toupper() and raw_tolower() look like they already made that - assumption. 
- - Closes #8875 - -- BUG-BOUNTY.md: mention the audit exception - - Dedicated - paid for - security audits that are performed in - collaboration with curl developers are not eligible for bounties. - - (plus I changed the sub-titles to use ## instead of # in the markdown) - - Closes #8880 - -- lib/vssh/wolfssh.h: removed - - Unused header file - - Reported-by: Illarion Taev - Fixes #8863 - Closes #8866 - -- [Elms brought this change] - - wolfSSL: explicitly use compatibility layer - - This change removes adding an include `$prefix/wolfssl` or similar to - allow for openssl include aliasing. Include paths of `wolfssl/openssl/` - are used to explicitly use wolfSSL includes. This fixes cmake builds as - well as avoiding potentially using openSSL headers since include path - order is not guaranteed. - - Closes #8864 - -- curl: deprecate --random-file and --egd-file - - As libcurl no longer has any functionality for them, the tool now does - nothing with them. - - Closes #8670 - -- opts: deprecate RANDOM_FILE and EGDSOCKET - - These two options were only ever used for the OpenSSL backend for - versions before 1.1.0. They were never used for other backends and they - are not used with recent OpenSSL versions. They were never used much by - applications. - - The defines RANDOM_FILE and EGD_SOCKET can still be set at build-time - for ancient EOL OpenSSL versions. - - Closes #8670 - -- [Harry Sintonen brought this change] - - bindlocal: don't use a random port if port number would wrap - - Earlier if CURLOPT_LOCALPORT + CURLOPT_LOCALPORTRANGE would go past port - 65535 the code would fall back to random port rather than giving up. - - Closes #8862 - -Daniel Gustafsson (16 May 2022) -- transfer: Fix potential NULL pointer dereference - - Commit 0ef54abf5208 accidentally used the conn variable before the - assertion for it being NULL. Fix by moving the assignment which use - conn to after the assertion. 
- - Closes: #8857 - Reviewed-by: Daniel Stenberg - -- docs: clarify data replacement policy for MIME API - - The API documentation for the MIME functions specify that the parts - can be set twice, with the last call winning. While true, the user - can set the parts n times for n > 2, reword to specify multiple API - calls instead. - - Closes: #8860 - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (16 May 2022) -- [vvb2060 on github brought this change] - - ngtcp2: support boringssl crypto backend - - Closes #8789 - -- [Tatsuhiro Tsujikawa brought this change] - - quic: add Curl_quic_idle - - Add Curl_quic_idle which is called when no HTTP level read or write is - performed. It is a good place to handle timer expiry for QUIC transport - (.e.g, retransmission). - - Closes #8698 - -- [Gregor Jasny brought this change] - - mprintf: ignore clang non-literal format string - - Closes #8740 - -- [Nick Zitzmann brought this change] - - sectransp: check for a function defined when __BLOCKS__ is undefined - - SecTrustEvaluateAsync() is defined in the macOS 10.7 SDK, but it - requires Grand Central Dispatch to be supported by the compiler, and - some third-party macOS compilers do not support Grand Central Dispatch. - SecTrustCopyPublicKey() is not present in macOS 10.6, so this shouldn't - adversely affect anything. - - Fixes #8846 - Reported-by: Egor Pugin - Closes #8854 - -Daniel Gustafsson (16 May 2022) -- test412/413: Use version macro for User-Agent - - Commit 46d45ea3a incorrectly hardcoded the User-Agent in the test - output file which breaks when curlver is updated. Shift to using - the %VERSION macro instead. - - Closes: #8856 - -- macos9: remove partial support - - The support for compiling on Mac OS 9 hasn't been modified since 2001 - and has no active maintainer or packager, so it's time to remove it as - it's incredibly unlikely to work. If a maintainer re-emerges it can be - resurrected from Git history. 
- - Closes: #8836 - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (16 May 2022) -- test1635: verify --fail-with-body with --retry - - Almost a dupe of 1634 - - Closes #8847 - -- tool_operate: make sure --fail-with-body works with --retry - - ... in the same way --fail already does. - - Reported-by: Jakub Bochenski - Fixes #8845 - Closes #8847 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Correct use of ngtcp2 and nghttp3 signed integer types - - Closes #8851 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Fix alert_read_func return value - - Closes #8852 - -- [Harry Sintonen brought this change] - - Curl_parsenetrc: don't access local pwbuf outside of scope - - Accessing local variables outside of the scope is forbidden and - depending on the compiler can result in the value being - overwritten. Fixed by moving the pwbuf to be in scope. - - Closes #8850 - -- RELEASE-NOTES: synced - - and bump curlver to 7.83.2 for now (but likely to become 7.84.0 soon) - -- [Frazer Smith brought this change] - - ci: update github actions - - - bump actions/checkout from 2 to 3 - - bump actions/upload-artifact from 1 to 3 - - bump github/codeql-actions from 1 to 2 - - use version tag for actions/checkout - - Closes #8843 - -- test1919: verify CURLOPT_XOAUTH2_BEARER leak fix - -- url: free old conn better on reuse - - Make use of conn_free() better and avoid duplicate code. - - Reported-by: Andrea Pappacoda - Fixes #8841 - Closes #8842 - -Jay Satiro (14 May 2022) -- FAQ: Clarify Windows double quote usage - - - Windows command prompt doesn't use literal quoting via single quotes. - - - Windows command prompt inner double quotes are escaped with a - backslash. - - - Windows powershell does use single quotes but curl is not a powershell - script so the arguments may not be passed on correctly. - - - Windows powershell inner double quotes seems can be passed to curl if - the outer quotes are double quotes and an escape of backslash-backtick - is used. 
- - Command prompt example: - - ~~~ - getargs -v -d "\"a\"" - - argv[0]: getargs - argv[1]: -v - argv[2]: -d - argv[3]: "a" - ~~~ - - Ref: https://github.com/curl/curl/issues/8818 - Ref: https://gist.github.com/jay/19aba48653bd591cf4b90eb9249a302c - - Reported-by: KotlinIsland@users.noreply.github.com - - Closes https://github.com/curl/curl/pull/8823 - -Daniel Stenberg (12 May 2022) -- github/workflows/nss: apt update first - - Fix "libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb 404 Not Found" - - Closes #8837 - -- page-footer: mention exit code zero too - - Success (zero) is also an "exit code" worth mentioning. - - Closes #8833 - -Daniel Gustafsson (12 May 2022) -- gssapi: initialize gss_buffer_desc strings - - Explicitly initialize gss_buffer_desc strings such that a call to - freeing resources will succeed even if no data has been allocated - to it. - - Reported-by: Jay Satiro - -- gssapi: improve handling of errors from gss_display_status - - In case gss_display_status() returns an error, avoid trying to add - it to the buffer as the message may well be a NULL pointer. - - Originally this fix comes from a discussion in issue #8816. - - Closes: #8832 - Reviewed-by: Jay Satiro - -Jay Satiro (12 May 2022) -- [steini2000 brought this change] - - http2: always debug print stream id in decimal with %u - - Prior to this change the stream id shown could be hex or decimal which - was inconsistent and confusing. - - Closes https://github.com/curl/curl/pull/8808 - -Kamil Dudka (11 May 2022) -- url: remove redundant #ifdefs in allocate_conn() - - No change in behavior intended by this commit. - -Daniel Stenberg (11 May 2022) -- [Fabian Keil brought this change] - - tests 266, 116 and 1540: add a small write delay - - This makes it more likely that the trailer is received - seperately from the last-chunk. - - curl doesn't seem to care about this but it makes the tests - more useful when testing external proxies like Privoxy. 
- -- [Fabian Keil brought this change] - - tests 1117,1238,1523: adjust writedelay servercmds - - ... so the delays are the same now that the unit - is in milliseconds. - -- [Fabian Keil brought this change] - - tests/server/sws.c: change the HTTP writedelay unit to milliseconds - - This allows to use write delays for large responses without - resulting in the test taking an unreasonable amount of time. - - In many cases delaying writes by a whole second or more isn't - necessary for the desired effect. - - Closes #8827 - -Daniel Gustafsson (11 May 2022) -- aws-sigv4: fix potentional NULL pointer arithmetic - - We need to check if the strchr() call returns NULL (due to missing - char) before we use the returned value in arithmetic. There is no - live bug here, but fixing it before it can become for hygiene. - - Closes: #8814 - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (11 May 2022) -- quiche: support ca-fallback - - Follow-up to b01f3e679f4c1ea3 which added this for ngtcp2/openssl - - Removed from KNOWN_BUGS - - Fixes #8696 - Closes #8830 - -Daniel Gustafsson (11 May 2022) -- x509asn1: mark msnprintf return as unchecked - - We have lots of unchecked msnprintf calls, and this particular msnprintf - call isn't more interesting than the others, but this one yields a Coverity - warning so let's implicitly silence it. Going over the other invocations - is probably a worthwhile project, but for now let's keep the static - analyzers happy. - - Closes: #8831 - Reviewed-by: Daniel Stenberg - -Version 7.83.1 (11 May 2022) - -Daniel Stenberg (11 May 2022) -- RELEASE-NOTES: synced - - curl 7.83.1 release - -- THANKS: added contributors from 7.83.1 - -- zuul: fix the ngtcp2-gnutls build - - Add packages and tweak the configure options. - - Use the GnuTLS 3.7.4 branch (not main). 
- - Closes #8829 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: add ca-fallback support for OpenSSL backend - - Closes #8828 - -- url: check SSH config match on connection reuse - - CVE-2022-27782 - - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27782.html - Closes #8825 - -- tls: check more TLS details for connection reuse - - CVE-2022-27782 - - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27782.html - Closes #8825 - -- cookies: make bad_domain() not consider a trailing dot fine - - The check for a dot in the domain must not consider a single trailing - dot to be fine, as then TLD + trailing dot is fine and curl will accept - setting cookies for it. - - CVE-2022-27779 - - Reported-by: Axel Chong - Bug: https://curl.se/docs/CVE-2022-27779.html - Closes #8820 - -- test977: reproduce ability to set cookie on TLD - - When PSL is not enabled - -- scripts/contributors.sh: correct the copyright range - -- docs/RELEASE-PROCEDURE.md: refreshed and adjsuted the release dates - -- test379: verify --remove-on-error with --no-clobber - -- post_per_transfer: remove the updated file name - - When --remove-on-error is used with --no-clobber, it might have an - updated file name to remove. 
- - Bug: https://curl.se/docs/CVE-2022-27778.html - - CVE-2022-27778 - - Reported-by: Harry Sintonen - - Closes #8824 - -- hsts: ignore trailing dots when comparing hosts names - - CVE-2022-30115 - - Reported-by: Axel Chong - Bug: https://curl.se/docs/CVE-2022-30115.html - Closes #8821 - -- test440/441: verify HSTS with trailing dots - -- libtest/lib1560: verify the host name percent decode fix - -- urlapi: reject percent-decoding host name into separator bytes - - CVE-2022-27780 - - Reported-by: Axel Chong - Bug: https://curl.se/docs/CVE-2022-27780.html - Closes #8826 - -- nss: return error if seemingly stuck in a cert loop - - CVE-2022-27781 - - Reported-by: Florian Kohnhäuser - Bug: https://curl.se/docs/CVE-2022-27781.html - Closes #8822 - -- test412/413: verify alt-svc with trailing dots - -- altsvc: fix host name matching for trailing dots - - Closes #8819 - -- [Garrett Squire brought this change] - - hyper: fix test 357 - - This change fixes the hyper API such that PUT requests that receive a - 417 response can retry without the Expect header. - - Closes #8811 - -- [Harry Sintonen brought this change] - - sectransp: bail out if SSLSetPeerDomainName fails - - Before the code would just warn about SSLSetPeerDomainName() errors. - - Closes #8798 - -- http_proxy/hyper: handle closed connections - - Enable test 1021 for hyper builds. - - Patched-by: Prithvi MK - Fixes #8700 - Closes #8806 - -- KNOWN_BUGS: timeout when reusing a http3 connection - - Closes #8764 - -- KNOWN_BUGS: configure --with-ca-fallback is not supported by h3 - - Closes #8696 - -- [Ryan Schmidt brought this change] - - Makefile: fix "make ca-firefox" - - Closes #8804 - -Daniel Gustafsson (5 May 2022) -- tests: fix markdown formatting in README - - The asterisk in the abbreviation *NIX (for UNIX/Linux) needs to be - escaped to not mean start of italic formatting. This is consistent - with docs/RELEASE-PROCEDURE.md. 
- - Closes: #8802 - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (5 May 2022) -- TODO: expand on "Expose tried IP addresses that failed" - - Ref: #8794 - -Daniel Gustafsson (5 May 2022) -- [Fabian Keil brought this change] - - tests/server: declare variable 'reqlogfile' static - - Silences the warning: - - CC socksd-socksd.o - socksd.c:143:13: warning: no previous extern declaration for - non-static variable 'reqlogfile' [-Wmissing-variable-declarations] - const char *reqlogfile = DEFAULT_REQFILE; - ^ - socksd.c:143:7: note: declare 'static' if the variable is not - intended to be used outside of this translation unit - const char *reqlogfile = DEFAULT_REQFILE; - ^ - 1 warning generated. - - ... when compiling with clang 13. - - Closes: #8799 - Reviewed-by: Daniel Gustafsson - -- HTTP-COOKIES: add missing CURLOPT_COOKIESESSION - - Commit 980a47b42 added support for ignoring session cookies, but it - was never added to the documentation. - - Closes: #8795 - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (5 May 2022) -- docs/THANKS: remove name duplicate - -- [Philip Heiduck brought this change] - - .mailmap: update - - Closes #8800 - -Jay Satiro (5 May 2022) -- mbedtls: fix some error messages - - Prior to this change some of the error messages misidentified the - function that failed. - -Daniel Stenberg (5 May 2022) -- RELEASE-NOTES: synced - -- [Sergey Markelov brought this change] - - x509asn1: make do_pubkey handle EC public keys - - Closes #8757 - -- [Harry Sintonen brought this change] - - mbedtls: bail out if rng init fails - - There was a failf() call but no actual error return. - - Closes #8796 - -- [Sergey Markelov brought this change] - - urlapi: address (harmless) UndefinedBehavior sanitizer warning - - `while(i--)` causes runtime error: unsigned integer overflow: 0 - 1 - cannot be represented in type 'size_t' (aka 'unsigned long') - - Closes #8797 - -- [Fabian Keil brought this change] - - test{898,974,976}: add 'HTTP proxy' keywords - - ... 
so the tests can be automatically skipped when - testing external HTTP proxies like Privoxy. - - Closes #8791 - -- [Harry Sintonen brought this change] - - gskit_connect_step1: fixed bogus setsockopt calls - - setsockopt takes a reference to value, not value. With the current - code this just leads to -1 return value with errno EFAULT. - - Closes #8793 - -- CURLOPT_SSH_AUTH_TYPES.3: fix the default - - The default is all possible methods. - - Closes #8792 - -- CURLOPT_DOH_URL.3: mention the known bug - - It is mostly duplicating info from KNOWN_BUGS but make it easier to find - for users of this option. - - Closes #8790 - -- CURLOPT_HSTS*FUNCTION.3: document the involved structs as well - - Reviewed-By: Daniel Gustafsson - Closes #8788 - -- docs/SECURITY-PROCESS.md: "Visible command line arguments" - -- SECURITY-PROCESS: mention "URL inconsistencies" - - ... as common problems that are *not* vulns. - -Daniel Gustafsson (2 May 2022) -- contributors: strip off final comma - - The final row of contributors should not end with a comma as it's the - end of the list. - - Closes: #8785 - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (2 May 2022) -- [Philip Heiduck brought this change] - - misc: use "autoreconf -fi" instead buildconf - - 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - Closes #8777 - -Daniel Gustafsson (2 May 2022) -- [Philip Heiduck brought this change] - - cirrus: Use pip for Python packages on FreeBSD - - Using pip instead of easy_install is more in line with how other - CI images are being maintained. - - Closes: #8783 - Reviewed-by: Daniel Gustafsson - -- [Philip Heiduck brought this change] - - cirrus: Update to FreeBSD 12.3 - - Closes: #8783 - Reviewed-by: Daniel Gustafsson - -- tool_getparam: simplify conditional statement - - param_place cannot be NULL here since we immediately efter this block - perform arithmetic on it (and use it in order to get here) so there is - little reason to check. - - Closes: #8786 - Reviewed-by: Daniel Stenberg - -- RELEASE-NOTES: synced - -- gskit: remove unused function set_callback - - This function has been unused since the initial commit of the GSKit - backend in 0eba02fd4. The motivation for the code was getting the - whole certificate chain: the only place where the latter is available - is as a callback parameter. Unfortunately it is not possible to pass - a user pointer to this callback, which precludes the possibility to - associate the cert chain with a data/conn structure. - - For further information, search for pgsk_cert_validation_callback on: - https://www.ibm.com/docs/api/v1/content/ssw_ibm_i_71/apis/gsk_attribute_set_callback.htm - - As the upstream library never added a parameter like that to the API, - we give up the wait and remove the dead code. - - Closes: #8782 - Reviewed-by: Patrick Monnerat - -- curl: free resource in error path - - If the new filename cannot be generated due to memory pressure, free - the allocated aname on the way out to avoid a small leak. - - Closes: #8770 - Reviewed-by: Daniel Stenberg - -- curl: guard against size_t wraparound in no-clobber code - - When generating the new filename, make sure we aren't overflowing the - size_t limit when calculating the new length. 
This is mostly academic - but good code hygeine nonetheless. - - Closes: #8771 - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (30 Apr 2022) -- gha: build msh3 - - Closes #8779 - -- scripts/cijobs.pl: try "current branch" first then "master" - -- [Yusuke Nakamura brought this change] - - msh3: get msh3 version from MsH3Version - - Closes #8762 - -- [Yusuke Nakamura brought this change] - - msh3: psss remote_port to MsH3ConnectionOpen - - MsH3 supported additional "Port" parameter to connect not hosted on - 443 port QUIC website. - - * https://github.com/nibanks/msh3/releases/tag/v0.3.0 - * https://github.com/nibanks/msh3/pull/37 - - Closes #8762 - -- [Christian Weisgerber brought this change] - - openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl - - SSL_CTX_set1_curves_list() has been available since LibreSSL 2.5.3, - released five years ago. - - Bug: https://curl.se/mail/lib-2022-04/0059.html - Closes #8773 - -- http: move Curl_allow_auth_to_host() - - It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef - - Reported-by: Michael Olbrich - Fixes #8772 - Closes #8775 - -Daniel Gustafsson (29 Apr 2022) -- msh3: print boolean value as text representation - - Print the boolean value as its string representation instead of with - %hhu which isn't a format we typically use. - - Closes: #8763 - Reviewed-by: Nick Banks - -Daniel Stenberg (29 Apr 2022) -- data/test376: set a proper name - -- GHA/mbedtls: enabled nghttp2 in the build - - Closes #8767 - -- mbedtls: fix compile when h2-enabled - - Fixes #8766 - Reported-by: LigH-de on github - Closes #8768 - -- RELEASE-NOTES: synced - - bumped curlver to 7.83.1-dev - -- SECURITY-PROCESS: extended - - Also clarify BUG-BOUNTY.md with IBB details. 
- - Closes #8754 - -- [Adam Rosenfield brought this change] - - conn: fix typo 'connnection' -> 'connection' in two function names - - Closes #8759 - -Version 7.83.0 (27 Apr 2022) - -Daniel Stenberg (27 Apr 2022) -- RELEASE-NOTES: synced - - The 7.83.0 release - -- docs/THANKS: contributors from 7.83.0 - -- test 898/974/976: require proxy to run - - Fixes #8755 - Reported-by: Marc Hörsken - Closes #8756 - -- gnutls: don't leak the SRP credentials in redirects - - Follow-up to 620ea21410030 and 139a54ed0a172a - - Reported-by: Harry Sintonen - Closes #8752 - -- CURLOPT*TLSAUTH: they only work with OpenSSL or GnuTLS - - Closes #8753 - -- openssl: don't leak the SRP credentials in redirects either - - Follow-up to 620ea21410030 - - Reported-by: Harry Sintonen - Closes #8751 - -- [Liam Warfield brought this change] - - hyper: fix tests 580 and 581 for hyper - - Hyper now has the ability to preserve header order. This commit adds a - few lines setting the connection options for this feature. - - Related to issue #8617 - Closes #8707 - -- conncache: remove name arg from Curl_conncache_find_bundle - - To simplify, and also since the returned name is not the full actual - name used for the check. The port number and zone id is also involved, - so just showing the name is misleading. - - Closes #8750 - -- tests: verify the fix for CVE-2022-27774 - - - Test 973 redirects from HTTP to FTP, clear auth - - Test 974 redirects from HTTP to HTTP different port, clear auth - - Test 975 redirects from HTTP to FTP, permitted to keep auth - - Test 976 redirects from HTTP to HTTP different port, permitted to keep - auth - -- transfer: redirects to other protocols or ports clear auth - - ... unless explicitly permitted. - - Bug: https://curl.se/docs/CVE-2022-27774.html - Reported-by: Harry Sintonen - Closes #8748 - -- connect: store "conn_remote_port" in the info struct - - To make it available after the connection ended. 
- -- cookie.d: clarify when cookies are always sent - -- test898: verify the fix for CVE-2022-27776 - - Do not pass on Authorization headers on redirects to another port - -- http: avoid auth/cookie on redirects same host diff port - - CVE-2022-27776 - - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27776.html - Closes #8749 - -- libssh2: make the md5 comparison fail if wrong length - - Making it just skip the check unless exactly 32 is too brittle. Even if - the docs says it needs to be exactly 32, it is be safer to make the - comparison fail here instead. - - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1549461 - Closes #8745 - -- conncache: include the zone id in the "bundle" hashkey - - Make connections to two separate IPv6 zone ids create separate - connections. - - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27775.html - Closes #8747 - -- [Patrick Monnerat brought this change] - - url: check sasl additional parameters for connection reuse. - - Also move static function safecmp() as non-static Curl_safecmp() since - its purpose is needed at several places. - - Bug: https://curl.se/docs/CVE-2022-22576.html - - CVE-2022-22576 - - Closes #8746 - -- libssh2: compare sha256 strings case sensitively - - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1549435 - Closes #8744 - -- tool_getparam: error out on missing -K file - - Add test 411 to verify. - - Reported-by: Median Median Stride - Bug: https://hackerone.com/reports/1542881 - Closes #8731 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: deal with sub-millisecond timeout - - Closes #8738 - -- misc: update copyright year ranges - -- c_escape: escape '?' in generated --libcurl code - - In order to avoid the risk of it being used in an accidental trigraph in - the generated code. 
- - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1548535 - Closes #8742 - -- [Philip Heiduck brought this change] - - mlc: curl.zuul.vexxhost.dev is reachable again - - remove it from ignorelist for linkcheck - - Closes #8736 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: avoid busy loop in low CWND situation - - Closes #8739 - -- TODO: telnet - exit immediately upon connection if stdin is /dev/null - - Suggested-by: Robin A. Meade - URL: https://curl.se/mail/archive-2022-04/0027.html - -- [Kushal Das brought this change] - - docs: updates spellings with full words - - Closes #8730 - -- tests/FILEFORMAT.md: spellfix - -Daniel Gustafsson (21 Apr 2022) -- misc: fix typos - - Fix a few random typos is comments and workflow names. - -- macos: fix .plist installation into framework - - The copy command introduced in e498a9b1f had leftover '>' from the - previous sed command it replaced, which broke its syntax. Fix by - removing. - - Reported-by: Emanuele Torre - -Daniel Stenberg (21 Apr 2022) -- [Christopher Degawa brought this change] - - Makefile: fix ca-bundle due to mk-ca-bundle.pl being moved - - The script was moved in 8e22fc68e7dda43e9f but the lines that called it - was not changed to reflect it's new position - - 
Signed-off-by: Christopher Degawa - - Closes #8728 - -Daniel Gustafsson (20 Apr 2022) -- macos: set .plist version in autoconf - - Set the libcurl version in libcurl.plist like how libcurl.vers is - created. - - Closes: #8692 - Reviewed-by: Daniel Stenberg - Reviewed-by: Nick Zitzmann - -- cookies: Improve errorhandling for reading cookiefile - - The existing programming had some issues with errorhandling for reading - the cookie file. If the file failed to open, we would silently ignore it - and continue as if there was no file (or stdin) passed. In this case, we - would also call fclose() on the NULL FILE pointer, which is undefined - behavior. Fix by ensuring that the FILE pointer is set before calling - fclose on it, and issue a warning in case the file cannot be opened. - Erroring out on nonexisting file would break backwards compatibility of - very old behavior so we can't really go there. - - Closes: #8699 - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - -Daniel Stenberg (20 Apr 2022) -- libcurl-tutorial.3: spellfix and minor polish - -- CURLINFO_PRIMARY_PORT.3: spellfix - - Reported-by: Patrick Monnerat - -- [Jay Dommaschk brought this change] - - libssh: fix double close - - libssh closes the socket in ssh_diconnect() so make sure that libcurl - does not also close it. - - Fixes #8708 - Closes #8718 - -Jay Satiro (20 Apr 2022) -- [Gisle Vanem brought this change] - - unit1620: call global_init before calling Curl_open - - Curl_open calls the resolver init and on Windows if the resolver backend - is c-ares then the Windows sockets library (winsock) must already have - been initialized (via global init). - - Ref: https://github.com/curl/curl/pull/8540#issuecomment-1059771800 - - Closes https://github.com/curl/curl/pull/8719 - -Daniel Stenberg (19 Apr 2022) -- CURLINFO_PRIMARY_PORT.3: clarify which port this is - - As it was not entirely clear previously. 
- - Closes #8725 - -- CURLOPT_UNRESTRICTED_AUTH.3: extended explanation - - Include details about Authentication headers. - - Reported-by: Brad Spencer - Fixes #8724 - Closes #8726 - -- .github/workflows/macos.yml: add a libssh job with c-ares - - ... to enable the memdebug system - - Closes #8720 - -- RELEASE-NOTES: synced - -Jay Satiro (17 Apr 2022) -- [Gisle Vanem brought this change] - - docs/HTTP3.md: fix typo - - also fix msh3 section formatting - - Ref: https://github.com/curl/curl/commit/37492ebb#r70980087 - -Marc Hoersken (17 Apr 2022) -- timediff.[ch]: add curlx helper functions for timeval conversions - - Also move timediff_t definitions from timeval.h to timediff.h and - then make timeval.h include the new standalone-capable timediff.h. - - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg - - Supersedes #5888 - Closes #8595 - -Daniel Stenberg (17 Apr 2022) -- [Balakrishnan Balasubramanian brought this change] - - tests: refactor server/socksd.c to support --unix-socket - - Closes #8687 - -- [Emanuele Torre brought this change] - - tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3) - - This loop was using the number of bytes read from the file as condition - to keep reading. - - From Linux's fread(3) man page: - > On success, fread() and fwrite() return the number of items read or - > written. This number equals the number of bytes transferred only when - > size is 1. If an error occurs, or the end of the file is reached, the - > return value is a short item count (or zero). - > - > The file position indicator for the stream is advanced by the number - > of bytes successfully read or written. - > - > fread() does not distinguish between end-of-file and error, and - > callers must use feof(3) and ferror(3) to determine which occurred. 
- - This means that nread!=0 doesn't make much sense as an end condition for - the loop: nread==0 doesn't necessarily mean that EOF has been reached or - an error has occured (but that is usually the case) and nread!=0 doesn't - necessarily mean that EOF has not been reached or that no read errors - have occured. feof(3) and ferror(3) should be uses when using fread(3). - - Currently curl has to performs an extra fread(3) call to get a return - value equal to 0 to stop looping. - - This usually "works" (even though nread==0 shouldn't be interpreted as - EOF) if stdin is a pipe because EOF usually marks the "real" end of the - stream, so the extra fread(3) call will return immediately and the extra - read syscall won't be noticeable: - - bash-5.1$ strace -e read curl -s -F file=@- 0x0.st <<< a 2>&1 | - > tail -n 5 - read(0, "a\n", 4096) = 2 - read(0, "", 4096) = 0 - read(0, "", 4096) = 0 - http://0x0.st/oRs.txt - +++ exited with 0 +++ - bash-5.1$ - - But this doesn't work if curl is reading from stdin, stdin is a - terminal, and the EOF is being emulated using a shell with ^D. Two - consecutive ^D will be required in this case to actually make curl stop - reading: - - bash-5.1$ curl -F file=@- 0x0.st - a - ^D^D - http://0x0.st/oRs.txt - bash-5.1$ - - A possible workaround to this issue is to use a program that handles EOF - correctly to indirectly send data to curl's stdin: - - bash-5.1$ cat - | curl -F file=@- 0x0.st - a - ^D - http://0x0.st/oRs.txt - bash-5.1$ - - This patch makes curl handle EOF properly when using fread(3) in - file2memory() so that the workaround is not necessary. - - Since curl was previously ignoring read errors caused by this fread(3), - ferror(3) is also used in the condition of the loop: read errors and EOF - will have the same meaning; this is done to somewhat preserve the old - behaviour instead of making the command fail when a read error occurs. 
- - Closes #8701 - -- gen.pl: change wording for mutexed options - - Instead of saying "This option overrides NNN", now say "This option is - mutually exclusive to NNN" in the generated man page ouput, as the - option does not in all cases actually override the others but they are - always mutually exclusive. - - Ref: #8704 - Closes #8716 - -- curl: error out if -T and -d are used for the same URL - - As one implies PUT and the other POST, both cannot be used - simultaneously. - - Add test 378 to verify. - - Reported-by: Boris Verkhovskiy - Fixes #8704 - Closes #8715 - -- lib: remove exclamation marks - - ... from infof() and failf() calls. Make them less attention seeking. - - Closes #8713 - -- fail.d: tweak the description - - Reviewed-by: Daniel Gustafsson - Suggested-by: Robert Charles Muir - Ref: https://twitter.com/rcmuir/status/1514915401574010887 - - Closes #8714 - -Daniel Gustafsson (15 Apr 2022) -- docs: Fix missing semicolon in example code - - Multiple share examples were missing a semicolon on the line defining - the CURLSHcode variable. - - Closes: #8697 - Reported-by: Michael Kaufmann - Reviewed-by: Daniel Stenberg - -- infof: consistent capitalization of warning messages - - Ensure that all infof calls with a warning message are capitalized - in the same way. At some point we should probably set up a style- - guide for infof but until then let's aim for a little consistenncy - where we can. - - Closes: #8711 - Reviewed-by: Daniel Stenberg - -- RELEASE-NOTES: synced - -- [Matteo Baccan brought this change] - - perl: removed a double semicolon at end of line - - Remove double semicolons at end of line in Perl code. 
- - Closes: #8709 - Reviewed-by: Daniel Gustafsson - -- curl_easy_header: fix typos in documentation - - Closes: #8694 - Reviewed-by: Daniel Stenberg - -Marcel Raad (11 Apr 2022) -- appveyor: add Cygwin build - - Closes https://github.com/curl/curl/pull/8693 - -- appveyor: only add MSYS2 to PATH where required - - Closes https://github.com/curl/curl/pull/8693 - -Daniel Stenberg (10 Apr 2022) -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix memory leak - - Closes #8691 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: remove remote_addr which is not used in a meaningful way - - Closes #8689 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: enlarge H3_SEND_SIZE - - Make h3_SEND_SIZE larger because current value (20KiB) is too small - for the high latency environment. - - Closes #8690 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix HTTP/3 upload stall and avoid busy loop - - This commit fixes HTTP/3 upload stall if upload data is larger than - H3_SEND_SIZE. Only check writability of socket if a stream is - writable to avoid busy loop when QUIC flow control window is filled - up, or upload buffer is full. - - Closes #8688 - -- [Nick Banks brought this change] - - msh3: add support for QUIC and HTTP/3 using msh3 - - Considered experimental, as the other HTTP/3 backends. - - Closes #8517 - -- TODO: "SFTP with SCP://" - -- GHA: move bearssl jobs over from zuul - - Closes #8684 - -- data/DISABLED: disable test 313 on bearssl builds - - Closes #8684 - -- runtests: add 'bearssl' as testable feature - - Closes #8684 - -- GHA: add openssl3 jobs moved over from zuul - - Closes #8683 - -- schannel: remove dead code that will never run - - As the condition can't ever evaluate true - - Reported-by: Andrey Alifanov - Ref: #8675 - Closes #8677 - -- connecache: remove duplicate connc->closure_handle check - - The superfluous extra check could cause analyzer false positives - and doesn't serve any purpose. 
- - Closes #8676 - -- [Michał Antoniak brought this change] - - mbedtls: remove server_fd from backend - - Closes #8682 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: use token when detecting :status header field - - Closes #8679 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: make curl 1ms faster - - Pass 0 for an already expired timer. - - Closes #8678 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix QUIC_IDLE_TIMEOUT - - QUIC_IDLE_TIMEOUT should be of type ngtcp2_duration which is - nanoseconds resolution. - - Closes #8678 - -- English: use American spelling consistently - - Authorization, Initialization, Organization etc. - - Closes #8673 - -Daniel Gustafsson (5 Apr 2022) -- [Sascha Zengler brought this change] - - BUGS: Fix incorrect punctuation - - Closes #8672 - Reviewed-by: Daniel Gustafsson - -Daniel Stenberg (4 Apr 2022) -- tool_listhelp.c: uppercase URL - -- RELEASE-NOTES: synced - -- http: streamclose "already downloaded" - - Instead of connclose()ing, since when HTTP/2 is used it doesn't need to - close the connection as stopping the current transfer is enough. - - Reported-by: Evangelos Foutras - Closes #8665 - -Jay Satiro (1 Apr 2022) -- ftp: fix error message for partial file upload - - - Show the count of bytes written on partial file upload. - - Prior to this change the error message mistakenly showed the count of - bytes read, not written. - - Bug: https://github.com/curl/curl/discussions/8637 - Reported-by: Taras Kushnir - - Closes https://github.com/curl/curl/pull/8649 - -Daniel Stenberg (1 Apr 2022) -- http: correct the header error message to say colon - - Not semicolon - - Reported-by: Gisle Vanem - Ref: #8666 - Closes #8667 - -- lib: #ifdef on USE_HTTP2 better - - ... as nghttp2 might not be the library that provides HTTP/2 support. 
- - Closes #8661 - -- [Michał Antoniak brought this change] - - mbedtls: remove 'protocols' array from backend when ALPN is not used - - Closes #8663 - -- http2: RST the stream if we stop it on our own will - - For the "simulated 304" case the done-call isn't considered "premature" - but since the server didn't close the stream it needs to be reset to - stop delivering data. - - Closes #8664 - -- http: close the stream (not connection) on time condition abort - - Closes #8664 - -- http2: handle DONE called for the paused stream - - As it could otherwise stall all streams on the connection - - Reported-by: Evangelos Foutras - Fixes #8626 - Closes #8664 - -- tls: make mbedtls and NSS check for h2, not nghttp2 - - This makes them able to also negotiate HTTP/2 even when built to use - hyper for h2. - - Closes #8656 - -- tests/libtest/lib670.c: fixup the copyright year range - - follow-up to b54e18640ea4b7 - -- [Leandro Coutinho brought this change] - - lib670: avoid double check result - - Closes #8660 - -- vtls: use a generic "ALPN, server accepted" message - - Closes #8657 - -- vtls: use a backend standard message for "ALPN: offers %s" - - I call it VTLS_INFOF_ALPN_OFFER_1STR, the '1str' meaning that the - infof() call also needs a string argument: the ALPN ID. - - Closes #8657 - -- [Christian Schmitz brought this change] - - strcase.h: add comment about the return code - - Tool often we run into expecting this to work like strcmp, but it - returns 1 instead of 0 for match. - - Closes #8658 - -- vtls: provide a unified APLN-disagree string for all backends - - Also rephrase to make it sound less dangerous: - - "ALPN: server did not agree on a protocol. Uses default." - - Reported-by: Nick Coghlan - Fixes #8643 - Closes #8651 - -- projects/README: converted to markdown - - Closes #8652 - -- misc: spelling fixes - - Mostly in comments but also in the -w documentation for headers_json. 
- - Closes #8647 - -- KNOW_BUGS: HTTP3/Transfer closed with n bytes remaining to read - - "HTTP/3 does not support client certs" considered fixed, at least with - the ngtcp2 backend. - - Closes #8523 - -- CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs - - Also add to quote.d. Add to TODO as something to add in a future. - - Reported-by: anon00000000 on github - Closes #8602 - Closes #8648 - -- RELEASE-NOTES: synced - -- pop3/smtp: return *WEIRD_SERVER_REPLY when not understood - - This leaves the CURLE_RECV_ERROR error code for explicit failure to - receive network data and allows users to better separate the problems. - - Ref #8356 - Reported-by: Rianov Viacheslav - Closes #8506 - -- docs: lots of minor language polish - - Mostly based on recent language decisions from "everything curl": - - - remove contractions (isn't => is not) - - *an* HTTP (consistency) - - runtime (no hyphen) - - backend (no hyphen) - - URL is uppercase - - Closes #8646 - -Jay Satiro (29 Mar 2022) -- projects: Update VC version names for VS2017, VS2022 - - - Rename VC15 -> VC14.10, VC17 -> VC14.30. - - The projects directory that holds the pre-generated Visual Studio - project files uses VC to indicate the MSVC version. At some point - support for Visual Studio 2017 (Visual Studio version 15 which uses MSVC - 14.10) was added as VC15. Visual Studio 2022 (Visual Studio version 17 - which uses MSVC 14.30) project files were recently added and followed - that same format using VC17. - - There is no such MSVC version (yet) as VC15 or VC17. - - For VS 2017 for example, the name we use is correct as either VS17, - VS2017, VC14.10. I opted for the latter since we use VC for earlier - versions (eg VC10, VC12, etc). 
- - Ref: https://github.com/curl/curl/pull/8438#issuecomment-1037070192 - - Closes https://github.com/curl/curl/pull/8447 - -Daniel Stenberg (29 Mar 2022) -- mqtt: better handling of TCP disconnect mid-message - - Reported-by: Jenny Heino - Bug: https://hackerone.com/reports/1521610 - Closes #8644 - -- CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL - -- [Ian Blanes brought this change] - - docs/DYNBUF: clarify documentation for Curl_dyn_ptr and Curl_dyn_uptr - - Closes #8606 - -- [Ian Blanes brought this change] - - curl: fix segmentation fault for empty output file names. - - Function glob_match_url set *result to NULL when called with filename = - "", producing an indirect NULL pointer dereference. - - Closes #8606 - -- TODO: Read keys from ~/.ssh/id_ecdsa, id_ed25519 - - It would be nice to expand the list of key locations curl uses for the - newer key types supported by libssh2. - - Closes #8586 - -- ngtcp2: update to work after recent ngtcp2 updates - - Assisted-by: Tatsuhiro Tsujikawa - Reported-by: jurisuk on github - Fixes #8638 - Closes #8639 - -- [Farzin brought this change] - - CURLOPT_PROGRESSFUNCTION.3: fix typo in example - - Closes #8636 - -- curl/header_json: output the header names in lowercase - - To better allow json[“header”]. - - Reported-by: Peter Korsgaard - Bug: https://daniel.haxx.se/blog/2022/03/24/easier-header-picking-with-curl/comment-page-1/#comment-25878 - Closes #8633 - -- RELEASE-NOTES: synced - -- headers.h: make Curl_headers_push() be CURLE_OK when not built - - ... to avoid errors when the function isn't there. 
- - Reported-by: Marcel Raad - Fixes #8627 - Closes #8628 - -- scripts: move three scripts from lib/ to scripts/ - - Move checksrc.pl, firefox-db2pem.sh and mk-ca-bundle.pl since they don't - particularly belong in lib/ - - Also created an EXTRA_DIST= in scripts/Makefile.am instead of specifying - those files in the root Makefile.am - - Closes #8625 - -Marc Hoersken (23 Mar 2022) -- lib/warnless.[ch]: only check for WIN32 and ignore _WIN32 - - curl_setup.h automatically defines WIN32 if just _WIN32 is defined. - - Therefore make sure curl_setup.h is included through warnless.h. - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - - Closes #8594 - -- tests/server/util.h: align WIN32 condition with util.c - - There is no need to test for both _WIN32 and WIN32 as curl_setup.h - automatically defines the later if the first one is defined. - - Also tests/server/util.c is only checking for WIN32 arouund the - implementation of win32_perror, so just defining _WIN32 - would not be sufficient for a successful compilation. - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - - Closes #8594 - -Daniel Stenberg (22 Mar 2022) -- [Philip Heiduck brought this change] - - firefox-db2pem.sh: make the shell script safer - - Reported by lift - - Closes #8616 - -Jay Satiro (22 Mar 2022) -- gtls: fix build for disabled TLS-SRP - - Prior to this change if, at build time, the GnuTLS backend was found to - have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl - via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur. - - Bug: https://curl.se/mail/lib-2022-03/0046.html - Reported-by: Robert Brose - - Closes https://github.com/curl/curl/pull/8604 - -- winbuild: Add a Visual Studio example to the README - - - Add an example that explains in detail how the user can add libcurl to - their Visual Studio project. 
- - Ref: https://github.com/curl/curl/issues/8591 - - Closes https://github.com/curl/curl/pull/8592 - -- docs/opts: Mention Schannel client cert type is P12 - - Schannel backend code behaves same as Secure Transport, it expects a P12 - certificate file or the name of a certificate already in the user's OS - key store. Also, both backends ignore CURLOPT_SSLKEY (tool: --key) - because they expect the private key to already be available from the - keystore or P12 certificate. - - Ref: https://github.com/curl/curl/discussions/8581#discussioncomment-2337260 - - Closes https://github.com/curl/curl/pull/8587 - -Daniel Stenberg (22 Mar 2022) -- lib1945: fix compiler warning 4706 on MSVC - - Follow-up from d1e4a677340c - - Closes #8623 - -- [Philip Heiduck brought this change] - - ci/event-based.yml: improve impacket install - - skip python3-pip - install impacket with library module - - Closes #8621 - -- test1459: disable for oldlibssh - - This test with libssh 0.9.3 works fine on github but fails on circleci. - Might as well disable this test for oldlibssh installations. - - Closes #8622 - -- test1135: sync with recent API updates - - This test verifies that the order of functions in public headers remain - the same but hasn't been updated to care for recently added header - files. The order is important for some few platforms - or VERSIONINFO - needs to updated. - - This fix also updates VERSIONINFO to be sure. - - Closes #8620 - -- curl_easy_nextheader.3: fix two typos - - Reported-by: Timothe Litt - Bug: https://curl.se/mail/lib-2022-03/0060.html - -- options: remove mistaken space before paren in prototype - -- cirrus: add --enable-headers-api for some windows builds - -- GHA: --enable-headers-api in all workflows - -- lib: make the headers API depend on --enable-headers-api - -- configure: add --enable-headers-api to enable the headers API - - Defaults to disabled while labeled EXPERIMENTAL. - - Make all the headers API tests require 'headers-api' to run. 
- -- test1671: verify -w '%{header_json} - -- test1670: verify -w %header{} - -- curl: add %{header_json} support in -w handling - - Outputs all response headers as a JSON object. - -- curl: add %header{name} support in -w handling - - Outputs the response header 'name' - -- header api: add curl_easy_header and curl_easy_nextheader - - Add test 1940 to 1946 to verify. - - Closes #8593 - -- test1459: remove the different exit code for oldlibssh - - When using libssh/0.9.3/openssl/zlib, we seem to be getting the "right" - error code. - - Closes #8490 - -- libssh: unstick SFTP transfers when done event-based - - Test 604 and 606 (at least). - - Closes #8490 - -- gha: move the event-based test over from Zuul - - Switched libssh2 to libssh - - Closes #8490 - -- RELEASE-NOTES: synced - -- http: return error on colon-less HTTP headers - - It's a protocol violation and accepting them leads to no good. - - Add test case 398 to verify - - Closes #8610 - -- test718: edited slightly to return better HTTP - - Since hyper is picky and won't play ball otherwise. - - Bug: https://github.com/hyperium/hyper/issues/2783 - Reported-by: Daniel Valenzuela - Closes #8614 - -- hyper: no h2c support - - Make tests require h2c feature present to run, and only set h2c if - nghttp2 is used in the build. Hyper does not support it. - - Remove those tests from DISABLED - - Fixes #8605 - Closes #8613 - -- configure: bump the copyright year range int the generated output - -- [Andreas Falkenhahn brought this change] - - BINDINGS.md: add Hollywood binding - - Closes #8609 - -- HISTORY: add some 2022 data - -- scripts/copyright.pl: ignore the new mlc_config.json file - -- [Philip Heiduck brought this change] - - mlc_config.json: add file to ignore known troublesome URLs - - This is the config file for the CI markdown link checker and lets us - filter URLs that are known to cause problems. Like - https://curl.zuul.vexxhost.dev/ for now. 
- - Closes #8597 - -- [Philip Heiduck brought this change] - - winbuild/README.md: fixup dead link - - Closes #8597 - -Jay Satiro (18 Mar 2022) -- rtsp: don't let CSeq error override earlier errors - - - When done, if an error has already occurred then don't check the - sequence numbers for mismatch. - - A sequence number may not have been received if an error occurred. - - Prior to this change a sequence mismatch error would override earlier - errors. For example, a server that returns nothing would cause error - CURLE_GOT_NOTHING in Curl_http_done which was then overridden by - CURLE_RTSP_CSEQ_ERROR in rtsp_done. - - Closes https://github.com/curl/curl/pull/8525 - -- lib: fix some misuse of curlx_convert_wchar_to_UTF8 - - curlx_convert_wchar_to_UTF8 must be freed by curlx_unicodefree, but - prior to this change some uses mistakenly called free. - - I've reviewed all other uses of curlx_convert_wchar_to_UTF8 and - curlx_convert_UTF8_to_wchar. - - Ref: https://github.com/curl/curl/commit/1d5d0ae - - Closes https://github.com/curl/curl/pull/8521 - -- mk-ca-bundle.pl: Use stricter logic to process the certificates - - .. and bump version to 1.29. - - This change makes the script properly ignore unknown blocks and - otherwise fail when Mozilla changes the certdata format in ways we - don't expect. Though this is less flexible behavior it makes it far less - likely that an invalid certificate can slip through. - - Prior to this change the state machine did not always properly reset, - and it was possible that a certificate marked as invalid could then - later be marked as valid when there was conflicting trust info or - an unknown block was erroneously processed as part of the certificate. 
- - Ref: https://github.com/curl/curl/pull/7801#pullrequestreview-768384569 - - Closes https://github.com/curl/curl/pull/8411 - -Marcel Raad (17 Mar 2022) -- test375: fix line endings on Windows - - Closes https://github.com/curl/curl/pull/8599 - -Daniel Stenberg (17 Mar 2022) -- http: reject header contents with nul bytes - - They are not allowed by the protocol and allowing them risk that curl - misbehaves somewhere where C functions are used but won't work on the - full contents. Further, they are not supported by hyper and they cause - problems for the new coming headers API work. - - Updated test 262 to verify and enabled it for hyper as well - - Closes #8601 - -- [Philip Heiduck brought this change] - - CI: Do not use buildconf. Instead, just use: autoreconf -fi - - Closes #8596 - -- RELEASE-NOTES: synced - -Jay Satiro (14 Mar 2022) -- libssh: Improve fix for missing SSH_S_ stat macros - - - If building libcurl against an old libssh version missing SSH_S_IFMT - and SSH_S_IFLNK then use the values from a supported version. - - Prior to this change if libssh did not define SSH_S_IFMT and SSH_S_IFLNK - then S_IFMT and S_IFLNK, respectively, were used instead. The problem - with that is the user's S_ stat macros don't have the same values across - platforms. For example Windows has values different from Linux. - - Follow-up to 7b0fd39. - - Ref: https://github.com/curl/curl/pull/8511#discussion_r815292391 - Ref: https://github.com/curl/curl/pull/8574 - - Closes https://github.com/curl/curl/pull/8588 - -Marc Hoersken (13 Mar 2022) -- tool and tests: force flush of all buffers at end of program - - On Windows data can be lost in buffers in case of abnormal program - termination, especially in process chains as seen due to flaky tests. - Therefore flushing all buffers manually should avoid this data loss. - - In the curl tool we play the safe game by only flushing write buffers, - but in the testsuite where we manage all buffers, we flush everything. 
- - This should drastically reduce Windows CI and testsuite flakiness. - - Reviewed-by: Daniel Stenberg - - Supersedes #7833 and #6064 - Closes #8516 - -Daniel Stenberg (12 Mar 2022) -- [Jan Venekamp brought this change] - - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support - - Closes #8478 - -- [Jan Venekamp brought this change] - - BearSSL: add CURLOPT_SSL_CIPHER_LIST support - - Closes #8477 - -Dan Fandrich (11 Mar 2022) -- tool_cb_hdr: Turn the Location: into a terminal hyperlink - - This turns even relative URLs into clickable hyperlinks in a supported - terminal when --styled-output is enabled. Many terminals already turn - URLs into clickable links but there is not enough information in a - relative URL to do this automatically otherwise. - -- keepalive-time.d: It takes many probes to detect brokenness - -Daniel Stenberg (11 Mar 2022) -- [HexTheDragon brought this change] - - curl: add --no-clobber - - Does not overwrite output files if they already exist - - Closes #7708 - Co-authored-by: Daniel Stenberg - -- RELEASE-NOTES: synced - - also bump next pending version to become 7.83.0 - -- [Jean-Philippe Menil brought this change] - - openssl: check SSL_get_peer_cert_chain return value - - 
Signed-off-by: Jean-Philippe Menil - Closes #8579 - -- [Jay Satiro brought this change] - - mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl - - mk-ca-bundle.vbs is a Windows-specific script for Mozilla certificate - extraction, similar to mk-ca-bundle.pl which runs on any platform. The - vbs version has not been maintained while the perl version has been - maintained with improvements and security fixes. I don't think it's - worth the work to maintain both versions. Windows users should be able - to use mk-ca-bundle.pl without any problems, as long as they have perl. - - Closes #8412 - -- CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype - - Copy and paste error - - Reported-by: Francisco Olarte - Fixes #8573 - Closes #8577 - -- remove-on-error.d: typo - - Reported-by: Colin Leroy - Bug: https://github.com/curl/curl/pull/8503#pullrequestreview-906520081 - -- curl: add --remove-on-error - - If a transfer returns an error, using this option makes curl remove the - leftover downloded (partial) local file before exiting. - - Added test 376 to verify - - Closes #8503 - -- libssh: fix build with old libssh versions - - ... that don't have the SSH_S_* defines. Spotted on a machine using - libssh 0.7.3 - - Closes #8574 - -- hyper: fix status_line() return code - - Detected while working on #7708 that happened to trigger an error here - with a new test case. - - Closes #8572 - -- [Alejandro R. Sedeño brought this change] - - configure.ac: move -pthread CFLAGS setting back where it used to be - - The fix for #8276 proposed in #8374 set `CFLAGS="$CFLAGS -pthead"` - earlier than it used to be set, applying it in cases where it should not - have been applied. - - This moves the AIX XLC check to a new `case $host in` block inside of - the `if test "$USE_THREADS_POSIX" != "1"` block, where `CFLAGS="$CFLAGS - -pthead"` used to happen. 
- - Fixes #8541 - Closes #8542 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: add client certificate authentication for OpenSSL - - Closes #8522 - -- tool_operate: fix a scan-build warning - - ... and avoid the temp storing of the return code in a diff variable. - - Closes #8565 - -- test375: verify that --proxy errors out if proxy is disabled in the build - - Closes #8565 - -- curl: error out when options need features not present in libcurl - - Trying to use a proxy when libcurl was built with proxy support disabled - should make curl error out properly. - - Remove knowledge of disabled features from the tool code and instead - make it properly respond to what libcurl returns. Update all tests to - properly require the necessary features to be present/absent so that the - test suite can still be run even with libcurl builds with disabled - features. - - Ref: https://curl.se/mail/archive-2022-03/0013.html - Closes #8565 - -- ngtcp2: disconnect the QUIC connection proper - - Reported-by: mehatzri on github - Reviewed-by: Tatsuhiro Tsujikawa - Fixes #8534 - closes #8569 - -Dan Fandrich (9 Mar 2022) -- test386: Fix an incorrect test markup tag - -Daniel Stenberg (9 Mar 2022) -- [Don J Olmstead brought this change] - - nonblock: restore setsockopt method to curlx_nonblock - - The implementation using setsockopt was removed when BeOS support was - purged. However this functionality wasn't BeOS specific, it is still - used by for example Orbis OS (Playstation 4/5 OS). - - Closes #8562 - -- openssl: fix CN check error code - - Due to a missing 'else' this returns error too easily. 
- - Regressed in: d15692ebb - - Reported-by: Kristoffer Gleditsch - Fixes #8559 - Closes #8560 - -- [Frank Meier brought this change] - - connect: make Curl_getconnectinfo work with conn cache from share handle - - Closes #8524 + _ _ ____ _ + ___| | | | _ \| | + / __| | | | |_) | | + | (__| |_| | _ <| |___ + \___|\___/|_| \_\_____| + + Changelog + +Version 7.87.0 (21 Dec 2022) + +Daniel Stenberg (21 Dec 2022) + +- RELEASE-NOTES: synced + + The curl 7.87.0 release + +- THANKS: 40 new contributors from 7.87.0 + +- http: fix the ::1 comparison for IPv6 localhost for cookies + + When checking if there is a "secure context", which it is if the + connection is to localhost even if the protocol is HTTP, the comparison + for ::1 was done incorrectly and included brackets. + + Reported-by: BratSinot on github + + Fixes #10120 + Closes #10121 + +Philip Heiduck (19 Dec 2022) + +- CI/spell: actions/checkout@v2 > actions/checkout@v3 + +Daniel Stenberg (19 Dec 2022) + +- smb/telnet: do not free the protocol struct in *_done() + + It is managed by the generic layer. + + Reported-by: Trail of Bits + + Closes #10112 + +- http: use the IDN decoded name in HSTS checks + + Otherwise it stores the info HSTS into the persistent cache for the IDN + name which will not match when the HSTS status is later checked for + using the decoded name. + + Reported-by: Hiroki Kurosawa + + Closes #10111 + +- CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw" + + Closes #10106 + +Xì Gà (16 Dec 2022) + +- socks: fix username max size is 255 (0xFF) + + Closes #10105 + + Reviewed-by: Daniel Gustafsson + +Daniel Stenberg (16 Dec 2022) + +- limit-rate.d: see also --rate + +- lib1560: add some basic IDN host name tests + + Closes #10094 + +- idn: rename the files to idn.[ch] and hold all IDN functions + + Closes #10094 + +- idn: remove Curl_win32_ascii_to_idn + + It was not used. Introduce a new IDN header for the prototype(s). 
+ + Closes #10094 + +- RELEASE-NOTES: synced + +- curl_url_get.3: remove spurious backtick + + Put there by mistake. + + Follow-up from 9a8564a92 + + Closes #10101 + +- socks: fix infof() flag for outputing a char + + It used to be a 'long', %lu is no longer correct. + + Follow-up to 57d2d9b6bed33d + Detected by Coverity CID 1517663 + + Closes #10100 + +- ssl-reqd.d: clarify that this is for upgrading connections only + + Closes #10093 + +- curl_url_set.3: document CURLU_DISALLOW_USER + + Closes #10099 + +- cmake: set the soname on the shared library + + Set SONAME and VERSION for platforms we think this works on. Remove + issue from KNOWN_BUGS. + + Assisted-by: Jakub Zakrzewski + + Closes #10023 + +- tool_paramhlp: free the proto strings on exit + + And also make sure that repeated use of the options free the previous + string before it stores a new. + + Follow-up from e6f8445edef8e7996d + + Closes #10098 + +- tool_cfgable: free the ssl_ec_curves on exit + + Follow-up to ede125b7b + + Closes #10097 + +- urlapi: reject more bad letters from the host name: &+() + + Follow-up from eb0167ff7d31d3a5 + + Extend test 1560 to verify + + Closes #10096 + +- altsvc: fix rejection of negative port numbers + + Follow-up to ac612dfeee95 + + strtoul() accepts a leading minus so better make sure there is none + + Extended test 356 somewhat to use a huge negative 64 bit number that + otherwise becomes a low positive number. + + Closes #10095 + +- lib: use size_t or int etc instead of longs + + Since long is not using a consistent data size in curl builds, making it + often "waste" 32 bits. + + Closes #10088 + +- azure: use "unversioned" clang and clang-tools for scanbuild job + + To make it less fragile + + Closes #10092 + +Daniel Gustafsson (14 Dec 2022) + +- x509asn1: avoid freeing unallocated pointers + + When utf8asn1str fails there is no allocation returned, so freeing + the return pointer in **to is at best a no-op and at worst a double- + free bug waiting to happen. 
The current coding isn't hiding any such + bugs but to future proof, avoid freeing the return value pointer iff + the function failed. + + Closes: #10087 + Reviewed-by: Daniel Stenberg + +Emil Engler (13 Dec 2022) + +- curl_url_set.3: fix typo + + Closes: #10089 + Reviewed-by: Daniel Gustafsson + +Daniel Stenberg (13 Dec 2022) + +- test2304: verify websocket handling when connection is closed + +- server/sws: if asked to close connection, skip the websocket handling + +- ws: if no connection is around, return error + + - curl_ws_send returns CURLE_SEND_ERROR if data->conn is gone + + - curl_ws_recv returns CURLE_GOT_NOTHING on connection close + + - curl_ws_recv.3: mention new return code for connection close + example + embryo + + Closes #10084 + +Emil Engler (13 Dec 2022) + +- docs: extend the dump-header documentation + + This commit extends the documentation of the --dump-header command-line + option to reflect the behavior introduced in 8b1e5df7. + + See #10079 + Closes #10085 + +Daniel Stenberg (12 Dec 2022) + +- RELEASE-NOTES: synced + +- styled-output.d: this option does not work on Windows + + Reported-by: u20221022 on github + + Fixes #10082 + Closes #10083 + +Emil Engler (12 Dec 2022) + +- tool: determine the correct fopen option for -D + + This commit fixes a bug in the dump-header feature regarding the + determination of the second fopen(3) option. + + Reported-by: u20221022 on github + + See #4753 + See #4762 + Fixes #10074 + Closes #10079 + +Christian Schmitz (11 Dec 2022) + +- docs/curl_ws_send: Fixed typo in websocket docs + + Replace as with is in relevant sentences. + + Closes: #10081 + Reviewed-by: Daniel Gustafsson + +Prithvi MK (11 Dec 2022) + +- c-hyper: fix multi-request mechanism + + It makes test 565 run fine. 
+ + Fixes #8896 + Closes #10080 + Assisted-by: Daniel Stenberg + +Andy Alt (11 Dec 2022) + +- page-header: grammar improvement (display transfer rate) + + Closes #10068 + +- docs/DEPRECATE.md: grammar improvement and sp correction + + The main thing I wanted to do was fix the spelling of "spent", but I + think this rewording improves the flow of the paragraph. + + Closes #10067 + +Boris Verkhovskiy (11 Dec 2022) + +- tool_cfgable: make socks5_gssapi_nec a boolean + + Closes #10078 + +Frank Gevaerts (9 Dec 2022) + +- contributors.sh: actually use $CURLWWW instead of just setting it. + + The script was all set up for flexibility where curl-www is elsewhere in + the filesystem, but then hard-coded ../curl-www anyway... + + Closes #10064 + +Daniel Stenberg (9 Dec 2022) + +- KNOWN_BUGS: remove items not considered bugs any more + + - CURL_GLOBAL_SSL + + This option was changed in libcurl 7.57.0 and clearly it has not caused + too many issues and a lot of time has passed. + + - Store TLS context per transfer instead of per connection + + This is a possible future optimization. One that is much less important + and interesting since the added support for CA caching. + + - Microsoft telnet server + + This bug was filed in May 2007 against curl 7.16.1 and we have not + received further reports. + + - active FTP over a SOCKS + + Actually, proxies in general is not working with active FTP mode. This + is now added in proxy documentation. + + - DICT responses show the underlying protocol + + curl still does this, but since this is now an established behavior + since forever we cannot change it easily and adding an option for it + seems crazy as this protocol is not so little its not worth it. Let's + just live with it. + + - Secure Transport disabling hostname validation also disables SNI + + This is an already documented restriction in Secure Transport. 
+ + - CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM + + The curl_formadd() function is marked and documented as deprecated. No + point in collecting bugs for it. It should not be used further. + + - STARTTRANSFER time is wrong for HTTP POSTs + + After close source code inspection I cannot see how this is true or that + there is any special treatment for different HTTP methods. We also have + not received many further reports on this, making me strongly suspect + that this is no (longer an) issue. + + - multipart formposts file name encoding + + The once proposed RFC 5987-encoding is since RFC 7578 documented as MUST + NOT be used. The since then implemented MIME API allows the user to set + the name on their own and can thus provide it encoded as it wants. + + - DoH is not used for all name resolves when enabled + + It is questionable if users actually want to use DoH for interface and + FTP port name resolving. This restriction is now documented and we + advice users against using name resolving at all for these functions. + + Closes #10043 + +- CURLOPT_COOKIEFILE.3: advice => advise + + Closes #10063 + + Reviewed-by: Daniel Gustafsson + +Daniel Gustafsson (9 Dec 2022) + +- curl.h: reword comment to not use deprecated option + + CURLOPT_INFILE was replaced by CURLOPT_READDATA in 7.9.7, reword the + comment mentioning it to make code grepping easier as well as improve + the documentation. + + Closes: #10062 + Reviewed-by: Daniel Stenberg + +Ryan Schmidt (9 Dec 2022) + +- system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS + + Change "__MWERKS__" to "macintosh". When this block was originally added + in 3ac6929 it was probably intended to handle classic Mac OS since the + previous classic Mac OS build procedure for curl (which was removed in + bf327a9) used Metrowerks CodeWarrior. + + But there are other classic Mac OS compilers, such as the MPW compilers, + that were not handled by this case. 
For classic Mac OS, + CURL_TYPEOF_CURL_SOCKLEN_T needs to match what's provided by the + third-party GUSI library, which does not vary by compiler. + + Meanwhile CodeWarrior works on platforms other than classic Mac OS, and + they may need different definitions. Separate blocks could be added + later for any of those platforms that curl doesn't already support. + + Closes #10049 + +- vms: remove SIZEOF_SHORT + + The rest of SIZEOF_SHORT was removed in d48dd15. + + See #9291 + Closes #10061 + +Daniel Gustafsson (8 Dec 2022) + +- tool_formparse: avoid clobbering on function params + + While perfectly legal to do, clobbering function parameters and using + them as local variables is confusing at best and rarely improves code + readability. Fix by using a local variable instead, no functionality + is changed. + + This also renames the parameter from data to mime_data since the term + data is (soft) reserved for the easy handle struct. + + Closes: #10046 + Reviewed-by: Daniel Stenberg + +- noproxy: guard against empty hostnames in noproxy check + + When checking for a noproxy setting we need to ensure that we get + a hostname passed in. If there is no hostname then there cannot be + a matching noproxy rule for it by definition. + + Closes: #10057 + Reported-by: Geeknik Labs + Reviewed-by: Daniel Stenberg + +Daniel Stenberg (8 Dec 2022) + +- c-hyper: CONNECT respones are not server responses + + Together with d31915a8dbbd it makes test 265 run fine. + + Fixes #8853 + Assisted-by: Prithvi MK + Assisted-by: Sean McArthur + Closes #10060 + +- test265: Use "connection: keep-alive" response header + + When it answers as HTTP/1.0, so that clients (hyper) knows properly that + the connection remains intact. 
+ +- RELEASE-NOTES: synced + +Stefan Eissing (8 Dec 2022) + +- cfilter: improve SSL connection checks + + - fixes `Curl_ssl_cf_get_ssl()` to detect also the first filter instance + as ssl (refs #10053) + + - replaces `Curl_ssl_use()` with the correct `Curl_conn_is_ssl()` + + Closes #10054 + Fixes #10053 + + Reported-by: Patrick Monnerat + +Daniel Stenberg (8 Dec 2022) + +- runtests: silence nghttpx errors + + Also, move the output of the nghttpx_h3 info to the general "Env:" line + in the test output header. + + Reported-by: Marcel Raad + Ref: https://github.com/curl/curl/commit/ca15b7512e8d1199e55fbaa206ef01e64b8f + 147d#commitcomment-92015094 + Closes #10044 + +Ryan Schmidt (7 Dec 2022) + +- config-mac: define HAVE_SYS_IOCTL_H + + This is needed to compile nonblock.c on classic Mac OS with Grand + Unified Socket Interface (GUSI) because nonblock.c uses FIONBIO which is + defined in which is included by . + + Ref: https://sourceforge.net/projects/gusi/ + + Closes https://github.com/curl/curl/pull/10042 + +Philip Heiduck (7 Dec 2022) + +- CI: Change FreeBSD image from 12.3 to 12.4 + + Ref: https://www.phoronix.com/news/FreeBSD-12.4-Released + + Closes https://github.com/curl/curl/pull/10051 + +Ryan Schmidt (7 Dec 2022) + +- test1421: fix typo + + Closes https://github.com/curl/curl/pull/10055 + +Jay Satiro (7 Dec 2022) + +- build: assume errno.h is always available + + - Remove errno.h detection from all build configurations. + + errno.h is a standard header according to C89. + + Closes https://github.com/curl/curl/pull/9986 + +- build: assume assert.h is always available + + - Remove assert.h detection from all build configurations. + + assert.h is a standard header according to C89. + + I had proposed this several years ago as part of a larger change that + was abandoned. 
+ + Ref: https://github.com/curl/curl/issues/1237#issuecomment-277500720 + + Closes https://github.com/curl/curl/pull/9985 + +Philip Heiduck (7 Dec 2022) + +- CI: LGTM.com will be shut down in December 2022 + + Closes #10052 + +Daniel Stenberg (6 Dec 2022) + +- mailmap: Andy Alt + +Andy Alt (6 Dec 2022) + +- misc: Fix incorrect spelling + + Fix various uses of connnect by replacing them with connect. + + Closes: #10045 + Reviewed-by: Daniel Stenberg + Reviewed-by: Daniel Gustafsson + +Stefan Eissing (6 Dec 2022) + +- wolfssl: remove special BIO return code handling + + - rely solely on the retry flag in BIO, similar to OpenSSL vtls + implementation. + + Ref: https://github.com/curl/curl/pull/10021#issuecomment-1336147053 + + Closes #10033 + +Daniel Stenberg (6 Dec 2022) + +- openssl: return -1 on error in the BIO callbacks + + BIO_read and BIO_write return negative numbers on error, including + retryable ones. A regression from 55807e6. Both branches should be + returning -1. + + The APIs are patterned after POSIX read and write which, similarly, + return -1 on errors, not zero, with EAGAIN treated as an error. + + Bug: https://github.com/curl/curl/issues/10013#issuecomment-1335308146 + Reported-by: David Benjamin + Closes #10021 + +Ryan Schmidt (6 Dec 2022) + +- config-mac: remove HAVE_SYS_SELECT_H + + When compiling for classic Mac OS with GUSI, there is no sys/select.h. + GUSI provides the "select" function prototype in sys/time.h. + + Closes #10039 + +- setup: do not require __MRC__ defined for Mac OS 9 builds + + Partially reverts "somewhat protect Mac OS X users from using Mac OS 9 + config file", commit 62519bfe059251af2914199f284c736553ff0489. + + Do things that are specific to classic Mac OS (i.e. include config-mac.h + in curl_setup.h and rename "main" to "curl_main" in tool_setup.h) when + only "macintosh" is defined. 
Remove the additional condition that + "__MRC__" should be defined since that would only be true with the MPW + MrC compiler which prevents the use of other reasonable compilers like + the MPW SC compiler and especially the Metrowerks CodeWarrior compilers. + "macintosh" is only defined by classic Mac OS compilers so this change + should not affect users of Mac OS X / OS X / macOS / any other OS. + + Closes #10037 + +- curl.h: name all public function parameters + + Most public function parameters already have names; this adds those + that were missing. + + Closes #10036 + +Andy Alt (6 Dec 2022) + +- docs/examples: spell correction ('Retrieve') + + Closes #10040 + +Daniel Stenberg (6 Dec 2022) + +- unit1302: slightly extended + + To test more base64 decoding + +- base64: faster base64 decoding + + - by using a lookup table instead of strchr() + - by doing full quantums first, then padding + + Closes #10032 + +Michael Musset (6 Dec 2022) + +- libssh2: return error when ssh_hostkeyfunc returns error + + return CURLE_PEER_FAILED_VERIFICATION if verification with the callback + return a result different than CURLKHMATCH_OK + + Closes #10034 + +Viktor Szakats (5 Dec 2022) + +- Makefile.mk: improve a GNU Make hack [ci skip] + + Replace the hack of using `$() ` to represent a single space. The new + method silences the `--warn-undefined-variables` debug warning and it's + also a better-known form of solving this problem. + + Reviewed-by: Jay Satiro + Closes #10031 + +Daniel Stenberg (5 Dec 2022) + +- tests/unit/.gitignore: ignore all unit + 4 digits files + +- base64: encode without using snprintf + + For speed. In some tests, this approch is 29 times faster! + + Closes #10026 + +- base64: better alloc size + + The previous algorithm allocated more bytes than necessary. + + Suggested-by: xtonik on github + Fixes #10024 + Closes #10025 + +Ryan Schmidt (5 Dec 2022) + +- config-mac: fix typo: size_T -> size_t + + Both MPW and CodeWarrior compilers complained about this. 
+ + Closes #10029 + +Daniel Stenberg (3 Dec 2022) + +- RELEASE-NOTES: synced + +Jakub Zakrzewski (2 Dec 2022) + +- CMake: fix build with `CURL_USE_GSSAPI` + + CMAKE_*_LINKER_FLAGS must be a string but GSS_LINKER_FLAGS is a list, so + we need to replace semicolons with spaces when setting those. + + Fixes #9017 + Closes #1022 + +Max Dymond (2 Dec 2022) + +- ci: Reuse fuzzing snippet from curl-fuzzer project + +Diogo Teles Sant'Anna (2 Dec 2022) + +- GHA: clarify workflows permissions, set least possible privilege + + Set top-level permissions to None on all workflows, setting per-job + permissions. This avoids that new jobs inherit unwanted permissions. + + Discussion: https://curl.se/mail/lib-2022-11/0028.html + + 
Signed-off-by: Diogo Teles Sant'Anna + + Closes #9928 + +Viktor Szakats (2 Dec 2022) + +- Makefile.mk: address minor issues + + - Fix `NROFF` auto-detection with certain shell/make-build combinations: + + When a non-MSYS2 GNU Make runs inside an MSYS2 shell, Make executes + the detection command as-is via `CreateProcess()`. It fails because + `command` is an `sh` built-in. Ensure to explicitly invoke the shell. + + - Initialize user-customizable variables: + + Silences a list of warnings when running GNU Make with the option + `--warn-undefined-variables`. Another benefit is that it's now easy + to look up all user-customizable `Makefile.mk` variables by grepping + for ` ?=` in the curl source tree. + + Suggested-by: Gisle Vanem + Ref: https://github.com/curl/curl/pull/9764#issuecomment-1330674433 + + - Fix `MKDIR` invocation: + + Avoid a warning and potential issue in envs without forward-slash + support. + + Closes #10000 + +Rob de Wit (2 Dec 2022) + +- curl_get_line: allow last line without newline char + + improve backwards compatibility + + Test 3200 verifies + + Closes #9973 + +Daniel Stenberg (2 Dec 2022) + +- cookie: open cookie jar as a binary file + + On Windows there is a difference and for text files, ^Z means end of + file which is not desirable. + + Ref: #9973 + Closes #10017 + +- runtests: only do CRLF replacements for hyper if it is HTTP + + Closes #10016 + +Stefan Eissing (1 Dec 2022) + +- openssl: fix for BoringSSL BIO result interpretation mixups + + Reported-by: Robin Marx + Fixes #10013 + Closes #10015 + +Max Dymond (1 Dec 2022) + +- ci: Remove zuul fuzzing job as it's superseded by CIFuzz + +Daniel Stenberg (1 Dec 2022) + +- runtests: do CRLF replacements per section only + + The `crlf="yes"` attribute and "hyper mode" are now only applied on a + subset of dedicated sections: data, datacheck, stdout and protocol. + + Updated test 2500 accordingly. 
+ + Also made test1 use crlf="yes" for , mostly because it is + often used as a template test case. Going forward, using this attribute + we should be able to write test cases using linefeeds only and avoid + mixed line ending encodings. + + Follow-up to ca15b7512e8d11 + + Fixes #10009 + Closes #10010 + +Stefan Eissing (1 Dec 2022) + +- gnutls: use common gnutls init and verify code for ngtcp2 + + Closes #10007 + +Baitinq on github (1 Dec 2022) + +- aws_sigv4: fix typos in aws_sigv4.c + + Closes #10008 + +Kenneth Myhra (30 Nov 2022) + +- curl.h: include on SerenityOS + + Closes #10006 + +Daniel Stenberg (30 Nov 2022) + +- openssl: prefix errors with '[lib]/[version]: ' + + To help users understand where this (cryptic) error message comes from. + + Suggested-by: Philip Sanetra + Ref: #10002 + Closes #10004 + +Stefan Eissing (30 Nov 2022) + +- tests: add HTTP/3 test case, custom location for proper nghttpx + + - adding support for HTTP/3 test cases via a nghttpx server that is + build with ngtcp2 and nghttp3. + - test2500 is the first test case, performing a simple GET. + - nghttpx is checked for support and the 'feature' nghttpx-h3 + is set accordingly. test2500 will only run, when supported. + - a specific nghttpx location can be given in the environment + variable NGHTTPX or via the configure option + --with-test-nghttpx= + + Extend NGHTTPX config to H2 tests as well + + * use $ENV{NGHTTPX} and the configured default also in http2 server starts + * always provide the empty test/nghttpx.conf to nghttpx. as it defaults to + reading /etc/nghttpx/nghttpx.conf otherwise. + + Added nghttpx to CI ngtcp2 jobs to run h3 tests. 
+ + Closes #9031 + +Daniel Stenberg (30 Nov 2022) + +- RELEASE-NOTES: synced + + Removed duplicate after contributors.sh fix: 9967c10b6daa1 + +- scripts/contributors.sh: strip one OR MORE leading spaces + + From names found credited in commit logs + +- RELEASE-NOTES: synced + +- openssl/mbedtls: use %d for outputing port with failf (int) + + Coverity CID 1517100 + + Also, remove some int typecasts in vtls.c for the port number + + Closes #10001 + +- KNOWN_BUGS: remove "Multi perform hangs waiting for threaded resolver" + + We now offer a way to avoid that hang, using CURLOPT_QUICK_EXIT. + + Follow-up to 49798cac832ab1 fixed via #9147 + + Closes #9999 + +- KNOWN_BUGS: remove "--interface for ipv6 binds to unusable IP address" + + Since years back the "if2ip" function verifies that it binds to a local IPv6 + address that uses the same scope as the remote address. + + This is not a bug. + + Fixes #686 + Closes #9998 + +- test1276: verify lib/optiontable.pl + + Checks that it generates an output identical to the file. + +- lib/optiontable.pl: adapt to CURLOPTDEPRECATED() + + Follow-up from 6967571bf20624bc + + Reported-by: Gisle Vanem + + Fixes #9992 + Closes #9993 + +- docs/INSTALL.md: list OSes and CPUs quoted + + to make them skip spellcheck. Also added a new CPU. + + Follow-up to 4506cbf7f24a2a + + Closes #9997 + +Ikko Ashimine (28 Nov 2022) + +- vtls: fix typo in vtls_int.h + + paramter -> parameter + + Closes: #9996 + Reviewed-by: Daniel Gustafsson + +Daniel Stenberg (28 Nov 2022) + +- curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS + + As OpenSSL's include files are all included using in curl + source code, we just risk that existing openssl files will "shadow" + include files without path if that path is provided. 
+ + Fixes #9989 + Closes #9988 + +- INSTALL: update operating systems and CPU archs + + Update after recent runs on Twitter/Mastodon and my blog + + Closes #9994 + +Stefan Eissing (28 Nov 2022) + +- tls: backends use connection filters for IO, enabling HTTPS-proxy + + - OpenSSL (and compatible) + - BearSSL + - gnutls + - mbedtls + - rustls + - schannel + - secure-transport + - wolfSSL (v5.0.0 and newer) + + This leaves only the following without HTTPS-proxy support: + - gskit + - nss + - wolfSSL (versions earlier than v5.0.0) + + Closes #9962 + +Daniel Stenberg (28 Nov 2022) + +- include/curl/curl.h: bump the deprecated requirements to gcc 6.1 + + Reported-by: Michael Kaufmann + Fixes #9917 + Closes #9987 + +Patrick Monnerat (28 Nov 2022) + +- mime: relax easy/mime structures binding + + Deprecation and removal of codeset conversion support from the library + have released the strict need for an early binding of mime structures to + an easy handle (https://github.com/curl/curl/commit/2610142). + + This constraint currently forces to create the handle before the mime + structure and the latter cannot be attached to another handle once + created (see https://curl.se/mail/lib-2022-08/0027.html). + + This commit removes the handle pointers from the mime structures + allowing more flexibility on their use. + + When an easy handle is duplicated, bound mime structures must however + still be duplicated too as their components hold send-time dynamic + information. + + Closes #9927 + +fractal-access (26 Nov 2022) + +- test416: verify growing FTP file support + + Added setting: RETRSIZE [size] in the section. When set this + will cause the test FTP server to return the size set (rather than the + actual size) in the acknowledgement from a RETR request. 
+ + Closes #9772 + +- ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH + + When using the option CURLOPT_IGNORE_CONTENT_LENGTH (set.ignorecl in + code) to support growing files in FTP, the code should ignore the + initial size it gets from the server as this will not be the final size + of the file. This is done in ftp_state_quote() to prevent a size request + being issued in the initial sequence. However, in a later call to + ftp_state_get_resp() the code attempts to get the size of the content + again if it doesn't already have it, by parsing the response from the + RETR request. This fix prevents this parsing of the response to get the + size when the set.ignorecl option is set. This should maintain the size + value as -1, unknown, in this situation. + + Closes #9772 + +Stefan Eissing (26 Nov 2022) + +- cfilter: re-add `conn` as parameter to cfilter setup methods + + - `Curl_ssl_get_config()` now returns the first config if no SSL proxy + filter is active + + - socket filter starts connection only on first invocation of its + connect method + + Fixes #9982 + Closes #9983 + +Daniel Stenberg (26 Nov 2022) + +- KNOWN_BUGS: remove five FTP related issues + + - "FTP with CONNECT and slow server" + + I believe this is not a problem these days. + + - "FTP with NULs in URL parts" + + The FTP protocol does not support them properly anyway. + + - remove "FTP and empty path parts in the URL" + + I don't think this has ever been reported as a real problem but was only + a hypothetical one. + + - "Premature transfer end but healthy control channel" + + This is not a bug, this is an optimization that *could* be performed but is + not an actual problem. + + - "FTP without or slow 220 response" + + Instead add to the documentation of the connect timeout that the + connection is considered complete at TCP/TLS/QUIC layer. 
+ + Closes #9979 + +Stefan Eissing (26 Nov 2022) + +- tests: add authorityInfoAccess to generated certs + + Generate stunnel.pem as well + + Closes #9980 + +Daniel Stenberg (25 Nov 2022) + +- runtests: --no-debuginfod now disables DEBUGINFOD_URLS + + Prior to this change, DEBUGINFOD_URLS was always disabled by runtests + due to a report of it slowing down tests. However, some setups need it + to fetch debug symbols, and if it is disabled on those systems then curl + tests with valgrind will fail. + + Reported-by: Mark Gaiser + + Ref: #8805 + Closes #9950 + +Casey Bodley (25 Nov 2022) + +- test/aws_sigv4: test cases for content-sha256 + + 1956 adds the sha256 value corresponding to an empty buffer + 1957 adds an arbitrary value and confirms that the signature differs from 195 + 6 + 1958 adds whitespace to 1957 and confirms that the signature matches 1957 + 1959 adds a value longer than 'char sha_hex[65]' in Curl_output_aws_sigv4() + + Signed-off-by: Casey Bodley + + Closes #9804 + +- aws_sigv4: consult x-%s-content-sha256 for payload hash + + `Curl_output_aws_sigv4()` doesn't always have the whole payload in + memory to generate a real payload hash. this commit allows the user to + pass in a header like `x-amz-content-sha256` to provide their desired + payload hash + + some services like s3 require this header, and may support other values + like s3's `UNSIGNED-PAYLOAD` and `STREAMING-AWS4-HMAC-SHA256-PAYLOAD` + with special semantics. servers use this header's value as the payload + hash during signature validation, so it must match what the client uses + to generate the signature + + CURLOPT_AWS_SIGV4.3 now describes the content-sha256 interaction + + 
Signed-off-by: Casey Bodley + + Closes #9804 + +Philip Heiduck (25 Nov 2022) + +- GHA: NSS use clang instead of clang-9 + + Closes #9978 + +Daniel Stenberg (25 Nov 2022) + +- RELEASE-NOTES: synced + +- tool_operate: override the numeric locale and set "C" by force + + Makes curl always use dot as decimal separator for options, + independently of what the locale says. Makes scripts and command lines + portable. + + Updated docs accordingly. + + Reported-by: Daniel Faust + + Fixes #9969 + Closes #9972 + +- test1662: verify formpost, 301 redirect, no rewind possible + + Reproduces #9735 and verifies the subsequent fix. The original issue + uses a pipe that cannot be rewound, but this test case instead sets a + callback without rewind ability to get roughly the same properties but + being a much more portable test. + +- lib: rewind BEFORE request instead of AFTER previous + + This makes a big difference for cases when the rewind is not actually + necessary to perofm (for example HTTP response code 301 converts to GET) + and therefore the rewind can be avoided. In particular for situations + when that rewind fails, for example when reading from a pipe or similar. + + Reported-by: Ali Utku Selen + + Fixes #9735 + Closes #9958 + +- vtls: repair build with disabled proxy + + Closes #9974 + +Daniel Gustafsson (23 Nov 2022) + +- packaging: remove traces of deleted files + + Commit a8861b6cc removed packages/DOS but left a few traces of it + which broke the distcheck CI. Remove all traces. + + Closes: #9971 + Reviewed-by: Daniel Stenberg + +- openssl: silence compiler warning when not using IPv6 + + In non-IPv6 builds the conn parameter is unused, and compilers which + run with "-Werror=unused-parameter" (or similar) warnings turned on + fails to build. 
Below is an excerpt from a CI job: + + vtls/openssl.c: In function ‘Curl_ossl_verifyhost’: + vtls/openssl.c:2016:75: error: unused parameter ‘conn’ [-Werror=unused- + parameter] + 2016 | CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connec + tdata *conn, + | ~~~~~~~~~~~~~ + ~~~~~~~^~~~ + + Closes: #9970 + Reviewed-by: Daniel Stenberg + +- netware: remove leftover traces + + Commit 3b16575ae938dec2a29454631a12aa52b6ab9c67 removed support for + building on Novell Netware, but a few leftover traces remained. This + removes the last bits. + + Closes: #9966 + Reviewed-by: Daniel Stenberg + +Ryan Schmidt (23 Nov 2022) + +- curl_endian: remove Curl_write64_le from header + + The actual function was already removed in 4331c6dc. + + See #7280 + Closes #9968 + +Daniel Stenberg (22 Nov 2022) + +- docs: add more "SEE ALSO" links to CA related pages + + Closes #9959 + +- examples: update descriptions + + Make them not say "this is an example showing..." and instead just say + what the example shows. + + Closes #9960 + +Stefan Eissing (22 Nov 2022) + +- vtls: localization of state data in filters + + - almost all backend calls pass the Curl_cfilter intance instead of + connectdata+sockindex + - ssl_connect_data is remove from struct connectdata and made internal + to vtls + - ssl_connect_data is allocated in the added filter, kept at cf->ctx + + - added function to let a ssl filter access its ssl_primary_config and + ssl_config_data this selects the propert subfields in conn and data, + for filters added as plain or proxy + - adjusted all backends to use the changed api + - adjusted all backends to access config data via the exposed + functions, no longer using conn or data directly + + cfilter renames for clear purpose: + + - methods `Curl_conn_*(data, conn, sockindex)` work on the complete + filter chain at `sockindex` and connection `conn`. + - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter + instance. 
+ - methods `Curl_conn_cf()` work on/with filter instances at a + connection. + - rebased and resolved some naming conflicts + - hostname validation (und session lookup) on SECONDARY use the same + name as on FIRST (again). + + new debug macros and removing connectdata from function signatures where not + needed. + + adapting schannel for new Curl_read_plain paramter. + + Closes #9919 + +Daniel Stenberg (22 Nov 2022) + +- examples/10-at-a-time: fix possible skipped final transfers + + Prior to this change if curl_multi_perform returned 0 running handles + and then all remaining transfers were added, then the perform loop would + end immediately without performing those transfers. + + Reported-by: Mikhail Kuznetsov + + Fixes https://github.com/curl/curl/issues/9953 + Closes https://github.com/curl/curl/pull/9954 + +Viktor Szakats (22 Nov 2022) + +- Makefile.mk: portable Makefile.m32 + + Update bare GNU Make `Makefile.m32` to: + + - Move objects into a subdirectory. + - Add support for MS-DOS. Tested with DJGPP. + - Add support for Watt-32 (on MS-DOS). + - Add support for AmigaOS. + - Rename `Makefile.m32` to `Makefile.mk` + - Replace `ARCH` with `TRIPLET`. + - Build `tool_hugehelp.c` proper (when tools are available). + - Drop MS-DOS compatibility macro `USE_ZLIB` (replaced by `HAVE_LIBZ`) + - Add support for `ZLIB_LIBS` to override `-lz`. + - Omit object files when building examples. + - Default `CC` to `gcc` once again, for convenience. (Caveat: compiler + name `cc` cannot be set now.) + - Set `-DCURL_NO_OLDIES` for examples, like autotools does. + - Delete `makefile.dj` files. Notice the configuration details and + defaults are not retained with the new method. + - Delete `makefile.amiga` files. A successful build needs a few custom + options. We're also not retaining all build details from the existing + Amiga make files. + - Rename `Makefile.m32` to `Makefile.mk` to reflect that they are not + Windows/MinGW32-specific anymore. 
+ - Add support for new `CFG` options: `-map`, `-debug`, `-trackmem` + - Set `-DNDEBUG` by default. + - Allow using `-DOS=...` in all `lib/config-*.h` headers, syncing this + with `config-win32.h`. + - Look for zlib parts in `ZLIB_PATH/include` and `ZLIB_PATH/lib` + instead of bare `ZLIB_PATH`. + + Note that existing build configurations for MS-DOS and AmigaOS likely + become incompatible with this change. + + Example AmigaOS configuration: + ``` + export CROSSPREFIX=/opt/amiga/bin/m68k-amigaos- + export CC=gcc + export CPPFLAGS='-DHAVE_PROTO_BSDSOCKET_H' + export CFLAGS='-mcrt=clib2' + export LDFLAGS="${CFLAGS}" + export LIBS='-lnet -lm' + make -C lib -f Makefile.mk + make -C src -f Makefile.mk + ``` + + Example MS-DOS configuration: + ``` + export CROSSPREFIX=/opt/djgpp/bin/i586-pc-msdosdjgpp- + export WATT_PATH=/opt/djgpp/net/watt + export ZLIB_PATH=/opt/djgpp + export OPENSSL_PATH=/opt/djgpp + export OPENSSL_LIBS='-lssl -lcrypt' + export CFG=-zlib-ssl + make -C lib -f Makefile.mk + make -C src -f Makefile.mk + ``` + + Closes #9764 + +Stefan Eissing (22 Nov 2022) + +- cfiler: filter types have flags indicating what they do + + - Adding Curl_conn_is_ip_connected() to check if network connectivity + has been reached + + - having ftp wait for network connectivity before proceeding with + transfers. + + Fixes test failures 1631 and 1632 with hyper. + + Closes #9952 + +Daniel Stenberg (21 Nov 2022) + +- RELEASE-NOTES: synced + +Jay Satiro (20 Nov 2022) + +- sendf: change Curl_read_plain to wrap Curl_recv_plain (take 2) + + Prior to this change Curl_read_plain would attempt to read the + socket directly. On Windows that's a problem because recv data may be + cached by libcurl and that data is only drained using Curl_recv_plain. + + Rather than rewrite Curl_read_plain to handle cached recv data, I + changed it to wrap Curl_recv_plain, in much the same way that + Curl_write_plain already wraps Curl_send_plain. 
+ + Curl_read_plain -> Curl_recv_plain + Curl_write_plain -> Curl_send_plain + + This fixes a bug in the schannel backend where decryption of arbitrary + TLS records fails because cached recv data is never drained. We send + data (TLS records formed by Schannel) using Curl_write_plain, which + calls Curl_send_plain, and that may do a recv-before-send + ("pre-receive") to cache received data. The code calls Curl_read_plain + to read data (TLS records from the server), which prior to this change + did not call Curl_recv_plain and therefore cached recv data wasn't + retrieved, resulting in malformed TLS records and decryption failure + (SEC_E_DECRYPT_FAILURE). + + The bug has only been observed during Schannel TLS 1.3 handshakes. Refer + to the issue and PR for more information. + + -- + + This is take 2 of the original fix. It preserves the original behavior + of Curl_read_plain to write 0 to the bytes read parameter on error, + since apparently some callers expect that (SOCKS tests were hanging). + The original fix which landed in 12e1def5 and was later reverted in + 18383fbf failed to work properly because it did not do that. + + Also, it changes Curl_write_plain the same way to complement + Curl_read_plain, and it changes Curl_send_plain to return -1 instead of + 0 on CURLE_AGAIN to complement Curl_recv_plain. + + Behavior on error with these changes: + + Curl_recv_plain returns -1 and *code receives error code. + Curl_send_plain returns -1 and *code receives error code. + Curl_read_plain returns error code and *n (bytes read) receives 0. + Curl_write_plain returns error code and *written receives 0. 
+ + -- + + Ref: https://github.com/curl/curl/issues/9431#issuecomment-1312420361 + + Assisted-by: Joel Depooter + Reported-by: Egor Pugin + + Fixes https://github.com/curl/curl/issues/9431 + Closes https://github.com/curl/curl/pull/9949 + +Sean McArthur (19 Nov 2022) + +- hyper: classify headers as CONNECT and 1XX + + Closes #9947 + +Stefan Eissing (19 Nov 2022) + +- ftp: fix "AUTH TLS" on primary conn and for SSL in PASV second conn + + Follow-up to dafdb20a26d0c89 + + Reported-by: Anthony Hu + Closes #9948 + +Jay Satiro (19 Nov 2022) + +- CURLOPT_POST.3: Explain setting to 0 changes request type + + Bug: https://github.com/curl/curl/issues/9849 + Reported-by: MonkeybreadSoftware@users.noreply.github.com + + Closes https://github.com/curl/curl/pull/9942 + +Daniel Stenberg (19 Nov 2022) + +- docs/INSTALL.md: expand on static builds + + Remove from KNOWN_BUGS + + Closes #9944 + +Stefan Eissing (19 Nov 2022) + +- http: restore h3 to working condition after connection filter introduction + + Follow-up to dafdb20a26d0c + + HTTP/3 needs a special filter chain, since it does the TLS handling + itself. This PR adds special setup handling in the HTTP protocol handler + that takes are of it. + + When a handler, in its setup method, installs filters, the default + behaviour for managing the filter chain is overridden. + + Reported-by: Karthikdasari0423 on github + + Fixes #9931 + Closes #9945 + +Daniel Stenberg (18 Nov 2022) + +- urldata: change port num storage to int and unsigned short + + Instead of long. + + Closes #9946 + +- Revert "sendf: change Curl_read_plain to wrap Curl_recv_plain" + + This reverts commit 12e1def51a75392df62e65490416007d7e68dab9. + + It introduced SOCKS proxy fails, like test 700 never ending. 
+ + Reopens #9431 + +- HTTP-COOKIES.md: update the 6265bis link to draft-11 + + Closes #9940 + +- docs/WEBSOCKET.md: explain the URL use + + Fixes #9936 + Closes #9941 + +Jay Satiro (18 Nov 2022) + +- sendf: change Curl_read_plain to wrap Curl_recv_plain + + Prior to this change Curl_read_plain would attempt to read the + socket directly. On Windows that's a problem because recv data may be + cached by libcurl and that data is only drained using Curl_recv_plain. + + Rather than rewrite Curl_read_plain to handle cached recv data, I + changed it to wrap Curl_recv_plain, in much the same way that + Curl_write_plain already wraps Curl_send_plain. + + Curl_read_plain -> Curl_recv_plain + Curl_write_plain -> Curl_send_plain + + This fixes a bug in the schannel backend where decryption of arbitrary + TLS records fails because cached recv data is never drained. We send + data (TLS records formed by Schannel) using Curl_write_plain, which + calls Curl_send_plain, and that may do a recv-before-send + ("pre-receive") to cache received data. The code calls Curl_read_plain + to read data (TLS records from the server), which prior to this change + did not call Curl_recv_plain and therefore cached recv data wasn't + retrieved, resulting in malformed TLS records and decryption failure + (SEC_E_DECRYPT_FAILURE). + + The bug has only been observed during Schannel TLS 1.3 handshakes. Refer + to the issue and PR for more information. + + Ref: https://github.com/curl/curl/issues/9431#issuecomment-1312420361 + + Assisted-by: Joel Depooter + Reported-by: Egor Pugin + + Fixes https://github.com/curl/curl/issues/9431 + Closes https://github.com/curl/curl/pull/9904 + +- test3026: reduce runtime in legacy mingw builds + + - Load Windows system libraries secur32 and iphlpapi beforehand, so + that libcurl's repeated global init/cleanup only increases/decreases + the library's refcount rather than causing it to load/unload. 
+ + Assisted-by: Marc Hoersken + + Closes https://github.com/curl/curl/pull/9412 + +Daniel Stenberg (18 Nov 2022) + +- url: move back the IDN conversion of proxy names + + Regression: in commit 53bcf55 we moved the IDN conversion calls to + happen before the HSTS checks. But the HSTS checks are only done on the + server host name, not the proxy names. By moving the proxy name IDN + conversions, we accidentally broke the verbose output showing the proxy + name. + + This change moves back the IDN conversions for the proxy names to the + place in the code path they were before 53bcf55. + + Reported-by: Andy Stamp + Fixes #9937 + Closes #9939 + +Alexandre Ferrieux (18 Nov 2022) + +- CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit + + Fixes #2975 + Closes #9147 + +Daniel Stenberg (17 Nov 2022) + +- HTTP-COOKIES.md: mention that http://localhost is a secure context + + Reported-by: Trail of Bits + + Closes #9938 + +- lib: parse numbers with fixed known base 10 + + ... instead of using 0 argument that allows decimal, hex or octal when + the number is documented and assumed to use base 10. + + Closes #9933 + +- RELEASE-NOTES: synced + +- scripts/delta: adapt to curl.h changes for the opt counter + +- cookie: expire cookies at once when max-age is negative + + Update test 329 to verify + + Reported-by: godmar on github + Fixes #9930 + Closes #9932 + +Stefan Eissing (17 Nov 2022) + +- proxy: haproxy filter is only available when PROXY and HTTP are + + Closes #9935 + +Daniel Stenberg (16 Nov 2022) + +- OtherTests.cmake: check for cross-compile, not for toolchain + + Build systems like vcpkg alway sets `CMAKE_TOOLCHAIN_FILE` so it should + not be used as a sign that this is a cross-compile. + + Also indented the function correctly. 
+ + Reported-by: Philip Chan + Fixes #9921 + Closes #9923 + +- ntlm: improve comment for encrypt_des + + Reported-by: Andrei Rybak + Fixes #9903 + Closes #9925 + +- include/curl/curl.h: bump the deprecated requirements to gcc 5.3 + + Reported-by: Stephan Guilloux + Fixes #9917 + Closes #9918 + +Stefan Eissing (15 Nov 2022) + +- proxy: refactor haproxy protocol handling as connection filter + + Closes #9893 + +Patrick Monnerat (15 Nov 2022) + +- lib: feature deprecation warnings in gcc >= 4.3 + + Add a deprecated attribute to functions and enum values that should not + be used anymore. + This uses a gcc 4.3 dialect, thus is only available for this version of + gcc and newer. Note that the _Pragma() keyword is introduced by C99, but + is available as part of the gcc dialect even when compiling in C89 mode. + + It is still possible to disable deprecation at a calling module compile + time by defining CURL_DISABLE_DEPRECATION. + + Gcc type checking macros are made aware of possible deprecations. + + Some testing support Perl programs are adapted to the extended + declaration syntax. + + Several test and unit test C programs intentionally use deprecated + functions/options and are annotated to not generate a warning. + + New test 1222 checks the deprecation status in doc and header files. + + Closes #9667 + +Daniel Stenberg (15 Nov 2022) + +- log2changes.pl: wrap long lines at 80 columns + + Also, only use author names in the output. + + Fixes #9896 + Reported-by: John Sherrill + Closes #9897 + +- cfilters: use %zu for outputting size_t + + Detected by Coverity CID 1516894 + + Closes #9907 + +- Curl_closesocket: avoid using 'conn' if NULL + + ... in debug-only code. + + Reported by Coverity CID 1516896 + + Closes #9907 + +- url: only acknowledge fresh_reuse for non-followed transfers + + ... to make sure NTLM auth sticks to the connection it needs, as + verified by 2032. 
+ + Follow-up to fa0b9227616e + + Assisted-by: Stefan Eissing + Closes #9905 + +- netrc.d: provide mutext info + + Reported-by: xianghongai on github + Fixes #9899 + Closes #9901 + +- cmdline-opts/page-footer: remove long option nroff formatting + + As gen.pl adds them + +- nroff-scan.pl: detect double highlights + +- cmdline-opts/gen.pl: fix the linkifier + + Improved logic for finding existing --options in text and replacing with + the full version with nroff syntax. This also makes the web version link + options better. + + Reported-by: xianghongai on github + Fixes #9899 + Closes #9902 + +Patrick Monnerat (14 Nov 2022) + +- tool: use feature names instead of bit mask, when possible + + If the run-time libcurl is too old to support feature names, the name + array is created locally from the bit masks. This is the only sequence + left that uses feature bit masks. + + Closes #9583 + +- docs: curl_version_info is not thread-safe before libcurl initialization + + Closes #9583 + +- version: add a feature names array to curl_version_info_data + + Field feature_names contains a null-terminated sorted array of feature + names. Bitmask field features is deprecated. + + Documentation is updated. Test 1177 and tests/version-scan.pl updated to + match new documentation format and extended to check feature names too. + + Closes #9583 + +Stefan Eissing (14 Nov 2022) + +- negtelnetserver.py: have it call its close() method + + Closes #9894 + +Nathan Moinvaziri (13 Nov 2022) + +- ntlm: silence ubsan warning about copying from null target_info pointer. + + runtime error: null pointer passed as argument 2, which is declared to + never be null + + Closes #9898 + +Daniel Stenberg (12 Nov 2022) + +- RELEASE-NOTES: synced + +Stefan Eissing (12 Nov 2022) + +- Websocket: fixes for partial frames and buffer updates. 
+ + - buffers updated correctly when handling partial frames + - callbacks no longer invoked for incomplete payload data of 0 length + - curl_ws_recv no longer returns with 0 length partial payload + + Closes #9890 + +Daniel Stenberg (12 Nov 2022) + +- tool_operate: provide better errmsg for -G with bad URL + + If the URL that -G would try to add a query to could not be parsed, it would + display + + curl: (27) Out of memory + + It now instead shows: + + curl: (2) Could not parse the URL, failed to set query + + Reported-by: Alex Xu + Fixes #9889 + Closes #9892 + +- vtls: fix build without proxy support + + Follow-up to dafdb20a26d0c890 + + Closes #9895 + +- tool_getparam: make --no-get work as the opposite of --get + + ... as documented. + + Closes #9891 + +- http: mark it 'this_is_a_follow' in the Location: logic + + To make regular auth "reloads" to not count as redirects. + + Verified by test 3101 + + Fixes #9885 + Closes #9887 + +Viktor Szakats (11 Nov 2022) + +- config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW + + The previously set default value of 8 (64-bit) is only correct for + mingw-w64 and only when we set `_FILE_OFFSET_BITS` to 64 (the default + when building curl). For MSVC, old MinGW and other Windows compilers, + the correct value is 4 (32-bit). Adjust condition accordingly. Also + drop the manual override option. + + Regression in 7.86.0 (from 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6) + + Bug: https://github.com/curl/curl/pull/9712#issuecomment-1307330551 + + Reported-by: Peter Piekarski + Reviewed-by: Jay Satiro + + Closes #9872 + +Daniel Stenberg (11 Nov 2022) + +- lib: remove bad set.opt_no_body assignments + + This struct field MUST remain what the application set it to, so that + handle reuse and handle duplication work. + + Instead, the request state bit 'no_body' is introduced for code flows + that need to change this in run-time. 
+ + Closes #9888 + +Stefan Eissing (11 Nov 2022) + +- lib: connection filters (cfilter) addition to curl: + + - general construct/destroy in connectdata + - default implementations of callback functions + - connect: cfilters for connect and accept + - socks: cfilter for socks proxying + - http_proxy: cfilter for http proxy tunneling + - vtls: cfilters for primary and proxy ssl + - change in general handling of data/conn + - Curl_cfilter_setup() sets up filter chain based on data settings, + if none are installed by the protocol handler setup + - Curl_cfilter_connect() boot straps filters into `connected` status, + used by handlers and multi to reach further stages + - Curl_cfilter_is_connected() to check if a conn is connected, + e.g. all filters have done their work + - Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE + indicators for multi select to work + - Curl_cfilter_data_pending() asks filters if the have incoming + data pending for recv + - Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks + installed in conn->recv/conn->send for io handling + - Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters + and addition/removal of a `data` from their connection + - adding vtl functions to prevent use of Curl_ssl globals directly + in other parts of the code. + + Reviewed-by: Daniel Stenberg + Closes #9855 + +- curl-rustls.m4: on macOS, rustls also needs the Security framework + + Closes #9883 + +Daniel Stenberg (10 Nov 2022) + +- rtsp: only store first_host once + + Suggested-by: Erik Janssen + URL: https://github.com/curl/curl/pull/9870#issuecomment-1309499744 + Closes #9882 + +Fata Nugraha (10 Nov 2022) + +- test3028: verify PROXY + +- http: do not send PROXY more than once + + Unlike `CONNECT`, currently we don't keep track whether `PROXY` is + already sent or not. This causes `PROXY` header to be sent twice during + `MSTATE_TUNNELING` and `MSTATE_PROTOCONNECT`. 
+ + Closes #9878 + Fixes #9442 + +Jay Satiro (10 Nov 2022) + +- lib: add CURL_WRITEFUNC_ERROR to signal write callback error + + Prior to this change if the user wanted to signal an error from their + write callbacks they would have to use logic to return a value different + from the number of bytes (nmemb) passed to the callback. Also, the + inclination of some users has been to just return 0 to signal error, + which is incorrect as that may be the number of bytes passed to the + callback. + + To remedy this the user can now return CURL_WRITEFUNC_ERROR instead. + + Ref: https://github.com/curl/curl/issues/9873 + + Closes https://github.com/curl/curl/pull/9874 + +Daniel Stenberg (9 Nov 2022) + +- Revert "GHA: add scorecard.yml" + + This reverts commit ca76c79b34f9d90105674a2151bf228ff7b13bef. + +- GHA: add scorecard.yml + + add a "scorecard" scanner job + +Lorenzo Miniero (9 Nov 2022) + +- test3100: RTSP Basic authentication + + Closes #9449 + +Daniel Stenberg (9 Nov 2022) + +- rtsp: fix RTSP auth + + Verified with test 3100 + + Fixes #4750 + Closes #9870 + +- KNOWN_BUGS: remove eight entries + + - 1.2 Multiple methods in a single WWW-Authenticate: header + + This is not considered a bug anymore but a restriction and one that we + keep because we have NEVER gotten this reported by users in the wild and + because of this I consider this a fringe edge case we don't need to + support. + + - 1.6 Unnecessary close when 401 received waiting for 100 + + This is not a bug, but possibly an optimization that *can* be done. + + - 1.7 Deflate error after all content was received + + This is not a curl bug. This happens due to broken servers. + + - 2.1 CURLINFO_SSL_VERIFYRESULT has limited support + + This is not a bug. This is just the nature of the implementation. + + - 2.2 DER in keychain + + This is not a bug. + + - 5.7 Visual Studio project gaps + + This is not a bug. 
+ + - 15.14 cmake build is not thread-safe + + Fixed in 109e9730ee5e2b + + - 11.3 Disconnects do not do verbose + + This is not a bug. + + Closes #9871 + +Hirotaka Tagawa (9 Nov 2022) + +- headers: add endif comments + + Closes #9853 + +Daniel Stenberg (8 Nov 2022) + +- test1221: verify --url-query + +- curl: add --url-query + + This option adds a piece of data, usually a name + value pair, to the + end of the URL query part. The syntax is identical to that used for + --data-urlencode with one extension: + + If the argument starts with a '+' (plus), the rest of the string is + provided as-is unencoded. + + This allows users to "build" query parts with options and URL encoding + even when not doing GET requests, which the already provided option -G + (--get) is limited to. + + This idea was born in a Twitter thread. + + Closes #9691 + +- maketgz: set the right version in lib/libcurl.plist + + Follow-up to e498a9b1fe5964a18eb2a3a99dc52 + + Make sure the tarball gets a version of the libcurl.plist file that is + updated with the new version string. + + Reported-by: jvreelanda on github + Fixes #9866 + Closes #9867 + +- RELEASE-NOTES: synced + + Bumped version to 7.87.0 + +Michael Drake (8 Nov 2022) + +- curl.h: add CURLOPT_CA_CACHE_TIMEOUT option + + Adds a new option to control the maximum time that a cached + certificate store may be retained for. + + Currently only the OpenSSL backend implements support for + caching certificate stores. + + Closes #9620 + +- openssl: reduce CA certificate bundle reparsing by caching + + Closes #9620 + +Rose (8 Nov 2022) + +- lib: fix some type mismatches and remove unneeded typecasts + + Many of these castings are unneeded if we change the variables to work + better with each other. + + Ref: https://github.com/curl/curl/pull/9823 + + Closes https://github.com/curl/curl/pull/9835 + +Daniel Stenberg (8 Nov 2022) + +- cookie: compare cookie prefixes case insensitively + + Adapted to language in rfc6265bis draft-11. 
+ + Closes #9863 + + Reviewed-by: Daniel Gustafsson + +- tool_operate: when aborting, make sure there is a non-NULL error buffer + + To store custom errors in. Or SIGSEGVs will follow. + + Reported-by: Trail of Bits + Closes #9865 + +- WEBSOCKET.md: fix broken link + + Reported-by: Felipe Gasper + Bug: https://curl.se/mail/lib-2022-10/0097.html + Closes #9864 + +- CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example + + Reported-by: Oskar Sigvardsson + + Bug: https://curl.se/mail/lib-2022-11/0016.html + + Closes #9862 + +Stefan Eissing (7 Nov 2022) + +- websockets: fix handling of partial frames + + buffer used and send length calculations are fixed when a partial + websocket frame has been received. + + Closes #9861 + +Daniel Stenberg (7 Nov 2022) + +- mailmap: unify Stefan Eissing + +Stefan Eissing (7 Nov 2022) + +- hyper: fix handling of hyper_task's when reusing the same address + + Fixes #9840 + Closes #9860 + +Jay Satiro (7 Nov 2022) + +- ws: return CURLE_NOT_BUILT_IN when websockets not built in + + - Change curl_ws_recv & curl_ws_send to return CURLE_NOT_BUILT_IN when + websockets support is not built in. + + Prior to this change they returned CURLE_OK. + + Closes #9851 + +Daniel Stenberg (7 Nov 2022) + +- noproxy: tailmatch like in 7.85.0 and earlier + + A regfression in 7.86.0 (via 1e9a538e05c010) made the tailmatch work + differently than before. This restores the logic to how it used to work: + + All names listed in NO_PROXY are tailmatched against the used domain + name, if the lengths are identical it needs a full match. + + Update the docs, update test 1614. 
+ + Reported-by: Stuart Henderson + Fixes #9842 + Closes #9858 + +- configure: require fork for NTLM-WB + + Reported-by: ウさん + + Fixes #9847 + Closes #9856 + +- docs/EARLY-RELEASE.md: how to determine an early release + + URL: https://curl.se/mail/lib-2022-10/0079.html + + Closes #9820 + +- RELEASE-NOTES: synced + +Zespre Schmidt (3 Nov 2022) + +- docs: add missing parameters for --retry flag + + Closes #9848 + +Adam Averay (3 Nov 2022) + +- libcurl-errors.3: remove duplicate word + + Closes #9846 + +Eric Vigeant (3 Nov 2022) + +- cur_path: do not add '/' if homedir ends with one + + When using SFTP and a path relative to the user home, do not add a + trailing '/' to the user home dir if it already ends with one. + + Closes #9844 + +Viktor Szakats (1 Nov 2022) + +- windows: fail early with a missing windres in autotools + + `windres` is not always auto-detected by autotools when building for + Windows. When this happened, the build failed with a confusing error due + to the empty `RC` command: + + ``` + /bin/bash ../libtool --tag=RC --mode=compile -I../include -DCURL_EMBED_MANIF + EST -i curl.rc -o curl.o + [...] + Usage: /sandbox/curl/libtool [OPTION]... [MODE-ARG]... + Try 'libtool --help' for more information. + libtool: error: unrecognised option: '-I../include' + ``` + + Improve this by verifying if `RC` is set, and fail with a clear error + otherwise. + + Follow-up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057 + + Ref: https://curl.se/mail/lib-2022-10/0049.html + Reported-by: Thomas Glanzmann + Closes #9781 + +- lib: sync guard for Curl_getaddrinfo_ex() definition and use + + `Curl_getaddrinfo_ex()` gets _defined_ with `HAVE_GETADDRINFO` set. But, + `hostip4.c` _used_ it with `HAVE_GETADDRINFO_THREADSAFE` set alone. It + meant a build with the latter, but without the former flag could result + in calling this function but not defining it, and failing to link. + + Patch this by adding an extra check for `HAVE_GETATTRINFO` around the + call. 
+ + Before this patch, build systems prevented this condition. Now they + don't need to. + + While here, simplify the related CMake logic on Windows by setting + `HAVE_GETADDRINFO_THREADSAFE` to the detection result of + `HAVE_GETADDRINFO`. This expresses the following intent clearer than + the previous patch and keeps the logic in a single block of code: + When we have `getaddrinfo()` on Windows, it's always threadsafe. + + Follow-up to 67d88626d44ec04b9e11dca4cfbf62cd29fe9781 + + Reviewed-by: Jay Satiro + Closes #9734 + +- tidy-up: process.h detection and use + + This patch aims to cleanup the use of `process.h` header and the macro + `HAVE_PROCESS_H` associated with it. + + - `process.h` is always available on Windows. In curl, it is required + only for `_beginthreadex()` in `lib/curl_threads.c`. + + - `process.h` is also available in MS-DOS. In curl, its only use was in + `lib/smb.c` for `getpid()`. But `getpid()` is in fact declared by + `unistd.h`, which is always enabled via `lib/config-dos.h`. So the + header is not necessary. + + - `HAVE_PROCESS_H` was detected by CMake, forced to 1 on Windows and + left to real detection for other platforms. + It was also set to always-on in `lib/config-win32.h` and + `lib/config-dos.h`. + In autotools builds, there was no detection and the macro was never + set. + + Based on these observations, in this patch we: + + - Rework Windows `getpid` logic in `lib/smb.c` to always use the + equivalent direct Win32 API function `GetCurrentProcessId()`, as we + already did for Windows UWP apps. This makes `process.h` unnecessary + here on Windows. + + - Stop #including `process.h` into files where it was not necessary. + This is everywhere, except `lib/curl_threads.c`. + + > Strangely enough, `lib/curl_threads.c` compiled fine with autotools + > because `process.h` is also indirecty included via `unistd.h`. This + > might have been broken in autotools MSVC builds, where the latter + > header is missing. 
+ + - Delete all remaining `HAVE_PROCESS_H` feature guards, for they were + unnecessary. + + - Delete `HAVE_PROCESS_H` detection from CMake and predefined values + from `lib/config-*.h` headers. + + Reviewed-by: Jay Satiro + Closes #9703 + +Daniel Stenberg (1 Nov 2022) + +- lib1301: unit103 turned into a libtest + + It is not a unit test so moved over to libtests. + +- strcase: use curl_str(n)equal for case insensitive matches + + No point in having two entry points for the same functions. + + Also merged the *safe* function treatment into these so that they can + also be used when one or both pointers are NULL. + + Closes #9837 + +- README.md: remove badges and xmas-tree garnish + + URL: https://curl.se/mail/lib-2022-10/0050.html + + Closes #9833 + +Patrick Monnerat (1 Nov 2022) + +- gen.pl: do not generate CURLHELP bitmask lines > 79 characters + + If a command line option is in many help categories, there is a risk + that CURLHELP bitmask source lines generated for listhelp are longer + than 79 characters. + + This change takes care of folding such long lines. + + Cloes #9834 + +Marc Hoersken (30 Oct 2022) + +- CI/cirrus: remove superfluous double-quotes and sudo + + Follow up to #9565 and #9677 + Closes #9738 + +- tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+ + + Ref: #9738 + +Daniel Stenberg (30 Oct 2022) + +- style: use space after comment start and before comment end + + /* like this */ + + /*not this*/ + + checksrc is updated accordingly + + Closes #9828 + +Patrick Schlangen (30 Oct 2022) + +- docs: remove performance note in CURLOPT_SSL_VERIFYPEER + + This note became obsolete since PR #7892 (see also discussion in the PR + comments). + + Closes #9832 + +Daniel Stenberg (30 Oct 2022) + +- tests/server: make use of strcasecompare from lib/ + + ... instead of having a second private implementation. 
+ + Idea triggered by #9830 + + Closes #9831 + +- curl: timeout in the read callback + + The read callback can timeout if there's nothing to read within the + given maximum period. Example use case is when doing "curl -m 3 + telnet://example.com" or anything else that expects input on stdin or + similar that otherwise would "hang" until something happens and then not + respect the timeout. + + This fixes KNOWN_BUG 8.1, first filed in July 2009. + + Bug: https://sourceforge.net/p/curl/bugs/846/ + + Closes #9815 + +- noproxy: fix tail-matching + + Also ignore trailing dots in both host name and comparison pattern. + + Regression in 7.86.0 (from 1e9a538e05c0) + + Extended test 1614 to verify better. + + Reported-by: Henning Schild + Fixes #9821 + Closes #9822 + +- docs: explain the noproxy CIDR notation support + + Follow-up to 1e9a538e05c0107c + + Closes #9818 + +Jon Rumsey (27 Oct 2022) + +- os400: use platform socklen_t in Curl_getnameinfo_a + + Curl_getnameinfo_a() is prototyped before including curl.h as an + ASCII'fied wrapper for getnameinfo(), which itself is prototyped with + socklen_t arguments, so this should use the platform socklen_t and not + curl_socklen_t too. + + Update setup-os400.h + + Fixes #9811 + Closes #9812 + +Daniel Stenberg (27 Oct 2022) + +- noproxy: also match with adjacent comma + + If the host name is an IP address and the noproxy string contained that + IP address with a following comma, it would erroneously not match. + + Extended test 1614 to verify this combo as well. + + Reported-by: Henning Schild + + Fixes #9813 + Closes #9814 + +Randall S. Becker (27 Oct 2022) + +- build: fix for NonStop + + - Include arpa/inet.h in all units where htonl is called. + + Signed-off-by: Randall S. Becker + + Closes https://github.com/curl/curl/pull/9816 + +- system.h: support 64-bit curl_off_t for NonStop 32-bit + + - Correctly define curl_off_t on NonStop (ie __TANDEM) ia64 and x86 for + 32-bit builds. + + 
Signed-off-by: Randall S. Becker + + Closes https://github.com/curl/curl/pull/9817 + +Daniel Stenberg (27 Oct 2022) + +- spellcheck.words: remove 'github' as an accepted word + + Prefer the properly cased version: GitHub + + Use markdown for links and GitHub in text. + + Closes #9810 + +Ayesh Karunaratne (27 Oct 2022) + +- misc: typo and grammar fixes + + - Replace `Github` with `GitHub`. + - Replace `windows` with `Windows` + - Replace `advice` with `advise` where a verb is used. + - A few fixes on removing repeated words. + - Replace `a HTTP` with `an HTTP` + + Closes #9802 + +Viktor Szakats (27 Oct 2022) + +- windows: fix linking .rc to shared curl with autotools + + `./configure --enable-shared --disable-static` fails when trying to link + a shared `curl.exe`, due to `libtool` magically changing the output + filename of `windres` to one that it doesn't find when linking: + + ``` + /bin/sh ../libtool --tag=RC --mode=compile windres -I../../curl/include -DCUR + L_EMBED_MANIFEST -i ../../curl/src/curl.rc -o curl.o + libtool: compile: windres -I../../curl/include -DCURL_EMBED_MANIFEST -i ../. + ./curl/src/curl.rc -o .libs/curl.o + [...] + CCLD curl.exe + clang: error: no such file or directory: 'curl.o' + ``` + + Let's resolve this by skipping `libtool` and calling `windres` directly + when building `src` (aka `curl.exe`). Leave `lib` unchanged, as it does + need the `libtool` magic. This solution is compatible with building + a static `curl.exe`. + + This build scenario is not CI-tested. + + While here, delete an obsolete comment about a permanent `libtool` + warning that we've resolved earlier. + + Regression from 6de7322c03d5b4d91576a7d9fc893e03cc9d1057 + + Reported-by: Christoph Reiter + Fixes #9803 + Closes #9805 + +- cmake: really enable warnings with clang + + Even though `PICKY_COMPILER=ON` is the default, warnings were not + enabled when using llvm/clang, because `CMAKE_COMPILER_IS_CLANG` was + always false (in my tests at least). 
+ + This is the single use of this variable in curl, and in a different + place we already use `CMAKE_C_COMPILER_ID MATCHES "Clang"`, which works + as expected, so change the condition to use that instead. + + Also fix the warnings uncovered by the above: + + - lib: add casts to silence clang warnings + + - schannel: add casts to silence clang warnings in ALPN code + + Assuming the code is correct, solve the warnings with a cast. + This particular build case isn't CI tested. + + There is a chance the warning is relevant for some platforms, perhaps + Windows 32-bit ARM7. + + Closes #9783 + +Joel Depooter (26 Oct 2022) + +- sendf: remove unnecessary if condition + + At this point, the psnd->buffer will always exist. We have already + allocated a new buffer if one did not previously exist, and returned + from the function if the allocation failed. + + Closes #9801 + +Viktor Szakats (26 Oct 2022) + +- winidn: drop WANT_IDN_PROTOTYPES + + `WANT_IDN_PROTOTYPES` was necessary to avoid using a header that came + via an optional package. MS stopped distributing this package some + years ago and the winidn definitions are part of standard headers (via + `windows.h`) since Vista. + + Auto-detect Vista inside `lib/idn_win32.c` and enable the manual + definitions if building for an older Windows. + + This allows to delete this manual knob from all build-systems. + + Also drop the `_SAL_VERSION` sub-case: + + Our manual definitions are now only enabled with old systems. We assume + that code analysis is not run on such systems, allowing us to delete the + SAL-friendly flavour of these. 
+ + Reviewed-by: Jay Satiro + Closes #9793 + +Daniel Stenberg (26 Oct 2022) + +- misc: remove duplicated include files + + Closes #9796 + +- scripts/checksrc.pl: detect duplicated include files + + After an idea by Dan Fandrich in #9794 + + Closes #9796 + +- RELEASE-NOTES: synced + + And bumped version to 7.86.1 for now + +- CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE + + The removal is brief or long, don't assume. + + Reported-by: Luca Niccoli + + Fixes #9799 + Closes #9800 + +Version 7.86.0 (26 Oct 2022) + +Daniel Stenberg (26 Oct 2022) + +- RELEASE: synced + + The 7.86.0 release + +- THANKS: added from the 7.86.0 release + +Viktor Szakats (25 Oct 2022) + +- noproxy: include netinet/in.h for htonl() + + Solve the Amiga build warning by including `netinet/in.h`. + + `krb5.c` and `socketpair.c` are using `htonl()` too. This header is + already included in those sources. + + Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309 + + Reviewed-by: Daniel Stenberg + Closes #9787 + +Marc Hoersken (24 Oct 2022) + +- CI: fix AppVeyor status failing for starting jobs + +Daniel Stenberg (24 Oct 2022) + +- test445: verifies the protocols-over-http-proxy flaw and fix + +- http_proxy: restore the protocol pointer on error + + Reported-by: Trail of Bits + + Closes #9790 + +- multi: remove duplicate include of connect.h + + Reported-by: Martin Strunz + Fixes #9794 + Closes #9795 + +Daniel Gustafsson (24 Oct 2022) + +- idn: fix typo in test description + + s/enabked/enabled/i + +Daniel Stenberg (24 Oct 2022) + +- url: use IDN decoded names for HSTS checks + + Reported-by: Hiroki Kurosawa + + Closes #9791 + +- unit1614: fix disabled-proxy build + + Follow-up to 1e9a538e05c01 + + Closes #9792 + +Daniel Gustafsson (24 Oct 2022) + +- cookies: optimize control character check + + When checking for invalid octets the strcspn() call will return the + position of the first found invalid char or the first NULL byte. 
+ This means that we can check the indicated position in the search- + string saving a strlen() call. + + Closes: #9736 + Reviewed-by: Jay Satiro + +Daniel Stenberg (24 Oct 2022) + +- netrc: replace fgets with Curl_get_line + + Make the parser only accept complete lines and avoid problems with + overly long lines. + + Reported-by: Hiroki Kurosawa + + Closes #9789 + +- RELEASE-NOTES: add "Planned upcoming removals include" + + URL: https://curl.se/mail/archive-2022-10/0001.html + + Suggested-by: Dan Fandrich + +Viktor Szakats (23 Oct 2022) + +- ci: bump to gcc-11 for macos + + Ref: https://github.blog/changelog/2022-10-03-github-actions-jobs-running-on- + macos-latest-are-now-running-on-macos-12/ + Ref: https://github.com/actions/runner-images/blob/main/images/macos/macos-12 + -Readme.md + + Reviewed-by: Max Dymond + Closes #9785 + +- Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [ci skip] + + - Reintroduce `CROSSPREFIX`: + + If set, we add it to the `CC` and `AR` values, and to the _default_ + value of `RC`, which is `windres`. This allows to control each of + these individidually, while also allowing to simplify configuration + via `CROSSPREFIX`. + + This variable worked differently earlier. Hopefully this new solution + hits a better compromise in usefulness/complexity/flexibility. + + Follow-up to: aa970c4c08775afcd0c2853be89b0a6f02582d50 + + - Enable warnings again: + + This time with an option to override it via `CFLAGS`. Warnings are + also enabled by default in CMake, `makefile.dj` and `makefile.amiga` + builds (not in autotools though). + + Follow-up to 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3 + + Closes #9784 + +- noproxy: silence unused variable warnings with no ipv6 + + Follow-up to 36474f1050c7f4117e3c8de6cc9217cfebfc717d + + Reviewed-by: Daniel Stenberg + Closes #9782 + +Daniel Stenberg (22 Oct 2022) + +- test644: verify --xattr (with redirect) + +- tool_xattr: save the original URL, not the final redirected one + + Adjusted test 1621 accordingly. 
+ + Reported-by: Viktor Szakats + Fixes #9766 + Closes #9768 + +- docs: make sure libcurl opts examples pass in long arguments + + Reported-by: Sergey + Fixes #9779 + Closes #9780 + +Marc Hoersken (21 Oct 2022) + +- CI: fix AppVeyor job links only working for most recent build + + Ref: https://github.com/curl/curl/pull/9768#issuecomment-1286675916 + Reported-by: Daniel Stenberg + + Follow up to #9769 + +Viktor Szakats (21 Oct 2022) + +- noproxy: fix builds without AF_INET6 + + Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309 + + Reviewed-by: Daniel Stenberg + + Closes #9778 + +Daniel Stenberg (21 Oct 2022) + +- noproxy: support proxies specified using cidr notation + + For both IPv4 and IPv6 addresses. Now also checks IPv6 addresses "correctly" + and not with string comparisons. + + Split out the noproxy checks and functionality into noproxy.c + + Added unit test 1614 to verify checking functions. + + Reported-by: Mathieu Carbonneaux + + Fixes #9773 + Fixes #5745 + Closes #9775 + +- urlapi: remove two variable assigns + + To please scan-build: + + urlapi.c:1163:9: warning: Value stored to 'qlen' is never read + qlen = Curl_dyn_len(&enc); + ^ ~~~~~~~~~~~~~~~~~~ + urlapi.c:1164:9: warning: Value stored to 'query' is never read + query = u->query = Curl_dyn_ptr(&enc); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Follow-up to 7d6cf06f571d57 + + Closes #9777 + +Jeremy Maitin-Shepard (21 Oct 2022) + +- cmake: improve usability of CMake build as a sub-project + + - Renames `uninstall` -> `curl_uninstall` + - Ensures all export rules are guarded by CURL_ENABLE_EXPORT_TARGET + + Closes #9638 + +Don J Olmstead (21 Oct 2022) + +- easy_lock: check for HAVE_STDATOMIC_H as well + + The check for `HAVE_STDATOMIC_H` looks to see if the `stdatomic.h` + header is present. 
+ + Closes #9755 + +Daniel Stenberg (21 Oct 2022) + +- RELEASE-NOTES: synced + +Brad Harder (20 Oct 2022) + +- CURLMOPT_PIPELINING.3: dedup manpage xref + + Closes #9776 + +Marc Hoersken (20 Oct 2022) + +- CI: report AppVeyor build status for each job + + Also give each job on AppVeyor CI a human-readable name. + + This aims to make job and therefore build failures more visible. + + Reviewed-by: Marcel Raad + Closes #9769 + +Viktor Szakats (20 Oct 2022) + +- amiga: set SIZEOF_CURL_OFF_T=8 by default [ci skip] + + Reviewed-by: Daniel Stenberg + + Closes #9771 + +- connect: fix builds without AF_INET6 + + Regression from 2b309560c1e5d6ed5c0e542e6fdffa968b0521c9 + + Reviewed-by: Daniel Stenberg + Reviewed-by: Jay Satiro + + Closes #9770 + +Daniel Stenberg (20 Oct 2022) + +- test1105: adjust to work with a hyper build + + Closes #9767 + +- urlapi: fix parsing URL without slash with CURLU_URLENCODE + + When CURLU_URLENCODE is set, the parser would mistreat the path + component if the URL was specified without a slash like in + http://local.test:80?-123 + + Extended test 1560 to reproduce and verify the fix. + + Reported-by: Trail of Bits + + Closes #9763 + +Marc Hoersken (19 Oct 2022) + +- tests: avoid CreateThread if _beginthreadex is available + + CreateThread is not threadsafe if mixed with CRT calls. + _beginthreadex on the other hand can be mixed with CRT. + + Reviewed-by: Marcel Raad + Closes #9705 + +Joel Depooter (19 Oct 2022) + +- schannel: Don't reset recv/send function pointers on renegotiation + + These function pointers will have been set when the initial TLS + handshake was completed. If they are unchanged, there is no need to set + them again. If they have been changed, as is the case with HTTP/2, we + don't want to override that change. That would result in the + http22_recv/send functions being completely bypassed. 
+ + Prior to this change a connection that uses Schannel with HTTP/2 would + fail on renegotiation with error "Received HTTP/0.9 when not allowed". + + Fixes https://github.com/curl/curl/issues/9451 + Closes https://github.com/curl/curl/pull/9756 + +Viktor Szakats (18 Oct 2022) + +- hostip: guard PF_INET6 use + + Some platforms (e.g. Amiga OS) do not have `PF_INET6`. Adjust the code + for these. + + ``` + hostip.c: In function 'fetch_addr': + hostip.c:308:12: error: 'PF_INET6' undeclared (first use in this function) + pf = PF_INET6; + ^~~~~~~~ + ``` + + Regression from 1902e8fc511078fb5e26fc2b907b4cce77e1240d + + Reviewed-by: Daniel Stenberg + + Closes #9760 + +- amiga: do not hardcode openssl/zlib into the os config [ci skip] + + Enable them in `lib/makefile.amiga` and `src/makefile.amiga` instead. + + This allows builds without openssl and/or zlib. E.g. with the + cross-compiler. + + Reviewed-by: Daniel Stenberg + + Closes #9762 + +- amigaos: add missing curl header [ci skip] + + Without it, `CURLcode` and `CURLE_*` are undefined. `lib/hostip.h` and + conditional local code need them. + + Reviewed-by: Daniel Stenberg + + Closes #9761 + +Daniel Stenberg (18 Oct 2022) + +- cmdline/docs: add a required 'multi' keyword for each option + + The keyword specifies how option works when specified multiple times: + + - single: the last provided value replaces the earlier ones + - append: it supports being provided multiple times + - boolean: on/off values + - mutex: flag-like option that disable anoter flag + + The 'gen.pl' script then outputs the proper and unified language for + each option's multi-use behavior in the generated man page. + + The multi: header is requires in each .d file and will cause build error + if missing or set to an unknown value. 
+ + Closes #9759 + +- CURLOPT_AUTOREFERER.3: highlight the privacy leak risk + + Closes #9757 + +- mprintf: reject two kinds of precision for the same argument + + An input like "%.*1$.9999d" would first use the precision taken as an + argument *and* then the precision specified in the string, which is + confusing and wrong. pass1 will now instead return error on this double + use. + + Adjusted unit test 1398 to verify + + Reported-by: Peter Goodman + + Closes #9754 + +- ftp: remove redundant if + + Reported-by: Trail of Bits + + Closes #9753 + +- tool_operate: more transfer cleanup after parallel transfer fail + + In some circumstances when doing parallel transfers, the + single_transfer_cleanup() would not be called and then 'inglob' could + leak. + + Test 496 verifies + + Reported-by: Trail of Bits + Closes #9749 + +- mqtt: spell out CONNECT in comments + + Instead of calling it 'CONN' in several comments, use the full and + correct protocol packet name. + + Suggested by Trail of Bits + + Closes #9751 + +- CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST + + Not the deprecated CURLOPT_HTTPPOST option. + + Also added two see-alsos. + + Reported-by: Trail of Bits + Closes #9752 + +- RELEASE-NOTES: synced + +Jay Satiro (17 Oct 2022) + +- ngtcp2: Fix build errors due to changes in ngtcp2 library + + ngtcp2/ngtcp2@b0d86f60 changed: + + - ngtcp2_conn_get_max_udp_payload_size => + ngtcp2_conn_get_max_tx_udp_payload_size + + - ngtcp2_conn_get_path_max_udp_payload_size => + ngtcp2_conn_get_path_max_tx_udp_payload_size + + ngtcp2/ngtcp2@ec59b873 changed: + + - 'early_data_rejected' member added to ng_callbacks. 
+ + Assisted-by: Daniel Stenberg + Reported-by: jurisuk@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/9747 + Closes https://github.com/curl/curl/pull/9748 + +Daniel Stenberg (16 Oct 2022) + +- curl_path: return error if given a NULL homedir + + Closes #9740 + +- libssh: if sftp_init fails, don't get the sftp error code + + This flow extracted the wrong code (sftp code instead of ssh code), and + the code is sometimes (erroneously) returned as zero anyway, so skip + getting it and set a generic error. + + Reported-by: David McLaughlin + Fixes #9737 + Closes #9740 + +- mqtt: return error for too long topic + + Closes #9744 + +Rickard Hallerbäck (16 Oct 2022) + +- tool_paramhlp: make the max argument a 'double' + + To fix compiler warnings "Implicit conversion from 'long' to 'double' + may lose precision" + + Closes #9700 + +Philip Heiduck (15 Oct 2022) + +- cirrus-ci: add more macOS builds with m1 based on x86_64 builds + + Also refactor macOS builds to use task matrix. + + Assisted-by: Marc Hörsken + Closes #9565 + +Viktor Szakats (14 Oct 2022) + +- cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows + + `lib/config-win32.h` enables this configuration option unconditionally. + Make it apply to CMake builds as well. + + While here, delete a broken check for + `HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID` from `CMakeLists.txt`. This came with + the initial commit [1], but did not include the actual verification code + inside `CMake/CurlTests.c`, so it always failed. A later commit [2] + added a second test, for non-Windows platforms. + + Enabling this flag causes test 1056 to fail with CMake builds, as they + do with autotools builds. Let's apply the same solution and ignore the + results here as well. 
+ + [1] 4c5307b45655ba75ab066564afdc0c111a8b9291 + [2] aec7c5a87c8482b6ddffa352d7d220698652262e + + Reviewed-by: Daniel Stenberg + Assisted-by: Marcel Raad + + Closes #9726 + +- cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows + + autotools enables this configuration option unconditionally for Windows + [^1]. Do the same in CMake. + + The above will make this work for all reasonably recent environments. + The logic present in `lib/config-win32.h` [^2] has the following + exceptions which we did not cover in this CMake update: + + - Builds targeting Windows 2000 and earlier + - MS Visual C++ 5.0 (1997) and earlier + + Also make sure to disable this feature when `HAVE_GETADDRINFO` isn't + set, to avoid a broken build. We might want to handle that in the C + sources in a future commit. + + [^1]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a5 + 1f6/m4/curl-functions.m4#L2067-L2070 + + [^2]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a5 + 1f6/lib/config-win32.h#L511-L528 + + Closes #9727 + +- cmake: sync HAVE_SIGNAL detection with autotools + + `HAVE_SIGNAL` means the availability of the `signal()` function in + autotools, while in CMake it meant the availability of that function + _and_ the symbol `SIGALRM`. + + The latter is not available on Windows, but the function is, which means + on Windows, autotools did define `HAVE_SIGNAL`, but CMake did not, + introducing a slight difference into the binaries. + + This patch syncs CMake behaviour with autotools to look for the function + only. + + The logic came with the initial commit adding CMake support to curl, so + the commit history doesn't reveal the reason behind it. In any case, + it's best to check the existence of `SIGALRM` directly in the source + before use. For now, curl builds fine with `HAVE_SIGNAL` enabled and + `SIGALRM` missing. 
+ + Follow-up to 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6 + + Closes #9725 + +- cmake: delete duplicate HAVE_GETADDRINFO test + + A custom `HAVE_GETADDRINFO` check came with the initial CMake commit + [1]. A later commit [2] added a standard check for it as well. The + standard check run before the custom one, so CMake ignored the latter. + + The custom check was also non-portable, so this patch deletes it in + favor of the standard check. + + [1] 4c5307b45655ba75ab066564afdc0c111a8b9291 + [2] aec7c5a87c8482b6ddffa352d7d220698652262e + + Closes #9731 + +Daniel Stenberg (14 Oct 2022) + +- tool_formparse: unroll the NULL_CHECK and CONST_FREE macros + + To make the code read more obvious + + Assisted-by: Jay Satiro + + Closes #9710 + +Christopher Sauer (14 Oct 2022) + +- docs/INSTALL: update Android Instructions for newer NDKs + + Closes #9732 + +Daniel Stenberg (14 Oct 2022) + +- markdown-uppercase: ignore quoted sections + + Sections within the markdown ~~~ or ``` are now ignored. + + Closes #9733 + +- RELEASE-NOTES: synced + +- test8: update as cookies no longer can have "embedded" TABs in content + +- test1105: extend to verify TAB in name/content discarding cookies + +- cookie: reject cookie names or content with TAB characters + + TABs in name and content seem allowed by RFC 6265: "the algorithm strips + leading and trailing whitespace from the cookie name and value (but + maintains internal whitespace)" + + Cookies with TABs in the names are rejected by Firefox and Chrome. + + TABs in content are stripped out by Firefox, while Chrome discards the + whole cookie. + + TABs in cookies also cause issues in saved netscape cookie files. 
+ + Reported-by: Trail of Bits + + URL: https://curl.se/mail/lib-2022-10/0032.html + URL: https://github.com/httpwg/http-extensions/issues/2262 + + Closes #9659 + +- curl/add_parallel_transfers: better error handling + + 1 - consider the transfer handled at once when in the function, to avoid + the same list entry to get added more than once in rare error + situations + + 2 - set the ERRORBUFFER for the handle first after it has been added + successfully + + Reported-by: Trail of Bits + + Closes #9729 + +- netrc: remove the two 'changed' arguments + + As no user of these functions used the returned content. + +- test495: verify URL encoded user name + netrc-optional + + Reproduced issue #9709 + +- netrc: use the URL-decoded user + + When the user name is provided in the URL it is URL encoded there, but + when used for authentication the encoded version should be used. + + Regression introduced after 7.83.0 + + Reported-by: Jonas Haag + Fixes #9709 + Closes #9715 + +Shaun Mirani (13 Oct 2022) + +- url: allow non-HTTPS HSTS-matching for debug builds + + Closes #9728 + +Daniel Stenberg (13 Oct 2022) + +- test1275: remove the check of stderr + + To avoid the mysterious test failures on Windows, instead rely on the + error code returned on failure. + + Fixes #9716 + Closes #9723 + +Viktor Szakats (13 Oct 2022) + +- lib: set more flags in config-win32.h + + The goal is to add any flag that affect the created binary, to get in + sync with the ones built with CMake and autotools. + + I took these flags from curl-for-win [0], where they've been tested with + mingw-w64 and proven to work well. 
+ + This patch brings them to curl as follows: + + - Enable unconditionally those force-enabled via + `CMake/WindowsCache.cmake`: + + - `HAVE_SETJMP_H` + - `HAVE_STRING_H` + - `HAVE_SIGNAL` (CMake equivalent is `HAVE_SIGNAL_FUNC`) + + - Expand existing guards with mingw-w64: + + - `HAVE_STDBOOL_H` + - `HAVE_BOOL_T` + + - Enable Win32 API functions for Windows Vista and later: + + - `HAVE_INET_NTOP` + - `HAVE_INET_PTON` + + - Set sizes, if not already set: + + - `SIZEOF_OFF_T = 8` + - `_FILE_OFFSET_BITS = 64` when `USE_WIN32_LARGE_FILES` is set, + and using mingw-w64. + + - Add the remaining for mingw-w64 only. Feel free to expand as desired: + + - `HAVE_LIBGEN_H` + - `HAVE_FTRUNCATE` + - `HAVE_BASENAME` + - `HAVE_STRTOK_R` + + Future TODO: + + - `HAVE_SIGNAL` has a different meaning in CMake. It's enabled when both + the `signal()` function and the `SIGALRM` macro are found. In + autotools and this header, it means the function only. For the + function alone, CMake uses `HAVE_SIGNAL_FUNC`. + + [0] https://github.com/curl/curl-for-win/blob/c9b9a5f273c94c73d2b565ee892c4df + f0ca97a8c/curl-m32.sh#L53-L58 + + Reviewed-by: Daniel Stenberg + + Closes #9712 + +Daniel Stenberg (13 Oct 2022) + +- tests: add tests/markdown-uppercase.pl to dist tarball + + Follow-up to aafb06c5928183d + + Closes #9722 + +- tool_paramhelp: asserts verify maximum sizes for string loading + + The two defines MAX_FILE2MEMORY and MAX_FILE2STRING define the largest + strings accepted when loading files into memory, but as the size is + later used as input to functions that take the size as 'int' as + argument, the sizes must not be larger than INT_MAX. + + These two new assert()s make the code error out if someone would bump + the sizes without this consideration. 
+ + Reported-by Trail of Bits + + Closes #9719 + +- http: try parsing Retry-After: as a number first + + Since the date parser allows YYYYMMDD as a date format (due to it being + a bit too generic for parsing this particular header), a large integer + number could wrongly match that pattern and cause the parser to generate + a wrong value. + + No date format accepted for this header starts with a decimal number, so + by reversing the check and trying a number first we can deduct that if + that works, it was not a date. + + Reported-by Trail of Bits + + Closes #9718 + +Patrick Monnerat (13 Oct 2022) + +- doc: fix deprecation versions inconsistencies + + Ref: https://curl.se/mail/lib-2022-10/0026.html + + Closes #9711 + +Daniel Stenberg (13 Oct 2022) + +- http_aws_sigv4: fix strlen() check + + The check was off-by-one leading to buffer overflow. + + Follow-up to 29c4aa00a16872 + + Detected by OSS-Fuzz + + Closes #9714 + +- curl/main_checkfds: check the fcntl return code better + + fcntl() can (in theory) return a non-zero number for success, so a + better test for error is checking for -1 explicitly. + + Follow-up to 41e1b30ea1b77e9ff + + Mentioned-by: Dominik Klemba + + Closes #9708 + +Viktor Szakats (12 Oct 2022) + +- tidy-up: delete unused HAVE_STRUCT_POLLFD + + It was only defined in `lib/config-win32.h`, when building for Vista. + + It was only used in `select.h`, in a condition that also included a + check for `POLLIN` which is a superior choice for this detection and + which was already used by cmake and autotools builds. + + Delete both instances of this macro. + + Closes #9707 + +Daniel Stenberg (12 Oct 2022) + +- test1275: verify upercase after period in markdown + + Script based on the #9474 pull-request logic, but implemented in perl. + + Updated docs/URL-SYNTAX.md accordingly. 
+ + Suggested-by: Dan Fandrich + + Closes #9697 + +12932 (12 Oct 2022) + +- misc: nitpick grammar in comments/docs + + because the 'u' in URL is actually a consonant *sound* it is only + correct to write "a URL" + + sorry this is a bit nitpicky :P + + https://english.stackexchange.com/questions/152/when-should-i-use-a-vs-an + https://www.techtarget.com/whatis/feature/Which-is-correct-a-URL-or-an-URL + + Closes #9699 + +Viktor Szakats (11 Oct 2022) + +- Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [ci skip] + + This patch aimed to fix a regression [0], where `CC` initialization + moved beyond its first use. But, on closer inspection it turned out that + the `CC` initialization does not work as expected due to GNU Make + filling it with `cc` by default. So unless implicit values were + explicitly disabled via a GNU Make option, the default value of + `$CROSSPREFIX` + `gcc` was never used. At the same time the implicit + value `cc` maps to `gcc` in (most/all?) MinGW envs. + + `AR` has the same issue, with a default value of `ar`. + + We could reintroduce a separate variable to fix this without ill + effects, but for simplicity and flexibility, it seems better to drop + support for `CROSSPREFIX`, along with our own `CC`/`AR` init logic, and + require the caller to initialize `CC`, `AR` and `RC` to the full + (prefixed if necessary) names of these tools, as desired. + + We keep `RC ?= windres` because `RC` is empty by default. + + Also fix grammar in a comment. + + [0] 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3 + + Closes #9698 + +- smb: replace CURL_WIN32 with WIN32 + + PR #9255 aimed to fix a Cygwin/MSYS issue (#8220). It used the + `CURL_WIN32` macro, but that one is not defined here, while compiling + curl itself. This patch changes this to `WIN32`, assuming this was the + original intent. 
+ + Regression from 1c52e8a3795ccdf8ec9c308f4f8f19cf10ea1f1a + + Reviewed-by: Marcel Raad + + Closes #9701 + +Matthias Gatto (11 Oct 2022) + +- aws_sigv4: fix header computation + + Handle canonical headers and signed headers creation as explained here: + https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request. + html + + The algo tells that signed and canonical must contain at last host and + x-amz-date. + + So we check whatever thoses are present in the curl http headers list. + If they are, we use the one enter by curl user, otherwise we generate + them. then we to lower, and remove space from each http headers plus + host and x-amz-date, then sort them all by alphabetical order. + + This patch also fix a bug with host header, which was ignoring the port. + + Closes #7966 + +Aftab Alam (11 Oct 2022) + +- README.md: link the curl logo to the website + + - Link the curl:// image to https://curl.se/ + + Closes https://github.com/curl/curl/pull/9675 + +Dustin Howett (11 Oct 2022) + +- schannel: when importing PFX, disable key persistence + + By default, the PFXImportCertStore API persists the key in the user's + key store (as though the certificate was being imported for permanent, + ongoing use.) + + The documentation specifies that keys that are not to be persisted + should be imported with the flag PKCS12_NO_PERSIST_KEY. + NOTE: this flag is only supported on versions of Windows newer than XP + and Server 2003. + + -- + + This is take 2 of the original fix. It extends the lifetime of the + client certificate store to that of the credential handle. The original + fix which landed in 70d010d and was later reverted in aec8d30 failed to + work properly because it did not do that. + + Minor changes were made to the schannel credential context to support + closing the client certificate store handle at the end of an SSL session. 
+ + -- + + Reported-by: ShadowZzj@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/9300 + Supersedes https://github.com/curl/curl/pull/9363 + Closes https://github.com/curl/curl/pull/9460 + +Viktor Szakats (11 Oct 2022) + +- Makefile.m32: support more options [ci skip] + + - Add support for these options: + `-wolfssl`, `-wolfssh`, `-mbedtls`, `-libssh`, `-psl` + + Caveats: + - `-wolfssh` requires `-wolfssl`. + - `-wolfssl` cannot be used with OpenSSL backends in parallel. + - `-libssh` has build issues with BoringSSL and LibreSSL, and also + what looks like a world-writable-config vulnerability on Windows. + Consider it experimental. + - `-psl` requires `-idn2` and extra libs passed via + `LIBS=-liconv -lunistring`. + + - Detect BoringSSL/wolfSSL and set ngtcp2 crypto lib accordingly. + - Generalize MultiSSL detection. + - Use else-if syntax. Requires GNU Make 3.81 (2006-04-01). + - Document more customization options. + + This brings over some configuration logic from `curl-for-win`. + + Closes #9680 + +- cmake: enable more detection on Windows + + Enable `HAVE_UNISTD_H`, `HAVE_STRTOK_R` and `HAVE_STRCASECMP` detection + on Windows, instead of having predefined values. + + With these features detected correctly, CMake Windows builds get closer + to the autotools and `config-win32.h` ones. + + This also fixes detecting `HAVE_FTRUNCATE` correctly, which required + `unistd.h`. + + Fixing `ftruncate()` in turn causes a build warning/error with legacy + MinGW/MSYS1 due to an offset type size mismatch. This env misses to + detect `HAVE_FILE_OFFSET_BITS`, which may be a reason. This patch + force-disables `HAVE_FTRUNCATE` for this platform. + + Reviewed-by: Daniel Stenberg + + Closes #9687 + +- autotools: allow unix sockets on Windows + + Fixes: https://github.com/curl/curl-for-win/blob/73a070d96fd906fdee929e2f1f00 + a9149fb39239/curl-autotools.sh#L44-L47 + + On Windows this feature is present, but not the header used in the + detection logic. 
It also requires an elaborate enabler logic + (as seen in `lib/curl_setup.h`). Let's always allow it and let the + lib code deal with the details. + + Closes #9688 + +- cmake: add missing inet_ntop check + + This adds the missing half of the check, next to the other half + already present in `lib/curl_config.h.cmake`. + + Force disable `HAVE_INET_NTOP` for old MSVC where it caused compiler + warnings. + + Reviewed-by: Daniel Stenberg + + Closes #9689 + +Daniel Stenberg (11 Oct 2022) + +- RELEASE-NOTES: synced + +bsergean on github (11 Oct 2022) + +- asyn-ares: set hint flags when calling ares_getaddrinfo + + The hint flag is ARES_AI_NUMERICSERV, and it will save a call to + getservbyname or getservbyname_r to set it. + + Closes #9694 + +Daniel Stenberg (11 Oct 2022) + +- header.d: add category smtp and imap + + They were previously (erroneously) added manually to tool_listhelp.c + which would make them get removed again when the file is updated next + time, unless added correctly here in header.d + + Follow-up to 2437fac01 + + Closes #9690 + +- curl/get_url_file_name: use libcurl URL parser + + To avoid URL tricks, use the URL parser for this. + + This update changes curl's behavior slightly in that it will ignore the + possible query part from the URL and only use the file name from the + actual path from the URL. I consider it a bugfix. + + "curl -O localhost/name?giveme-giveme" will now save the output in the + local file named 'name' + + Updated test 1210 to verify + + Assisted-by: Jay Satiro + + Closes #9684 + +Martin Ågren (11 Oct 2022) + +- docs: fix grammar around needing pass phrase + + "You never needed a pass phrase" reads like it's about to be followed by + something like "until version so-and-so", but that is not what is + intended. Change to "You never need a pass phrase". There are two + instances of this text, so make sure to update both. 
+ +Xiang Xiao (10 Oct 2022) + +- cmake: add the check of HAVE_SOCKETPAIR + + which is used by Curl_socketpair + + 
Signed-off-by: Xiang Xiao + + Closes #9686 + +Daniel Stenberg (10 Oct 2022) + +- curl/add_file_name_to_url: use the libcurl URL parser + + instead of the custom error-prone parser, to extract and update the path + of the given URL + + Closes #9683 + +- single_transfer: use the libcurl URL parser when appending query parts + + Instead of doing "manual" error-prone parsing in another place. + + Used when --data contents is added to the URL query when -G is provided. + + Closes #9681 + +- ws: fix buffer pointer use in the callback loop + + Closes #9678 + +Petr Štetiar (10 Oct 2022) + +- curl-wolfssl.m4: error out if wolfSSL is not usable + + When I explicitly declare, that I would like to have curl built with + wolfSSL support using `--with-wolfssl` configure option, then I would + expect, that either I endup with curl having that support, for example + in form of https support or it wouldn't be available at all. + + Downstream projects like for example OpenWrt build curl wolfSSL variant + with `--with-wolfssl` already, but in certain corner cases it does fail: + + configure:25299: checking for wolfSSL_Init in -lwolfssl + configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip] + In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa. + h:33, + from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_ + public.h:35, + from target-x86_64_musl/usr/include/wolfssl/ssl.h:35, + from conftest.c:47: + target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal err + or: wolfssl/wolfcrypt/sp_int.h: No such file or directory + #include + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ + compilation terminated. + + and in the end thus produces curl without https support: + + curl: (1) Protocol "https" not supported or disabled in libcurl + + So fix it, by making the working wolfSSL mandatory and error out in + configure step when that's not the case: + + checking for wolfSSL_Init in -lwolfssl... 
no + configure: error: --with-wolfssl but wolfSSL was not found or doesn't work + + References: https://github.com/openwrt/packages/issues/19005 + References: https://github.com/openwrt/packages/issues/19547 + 
Signed-off-by: Petr Štetiar + + Closes #9682 + +Daniel Stenberg (10 Oct 2022) + +- tool_getparam: pass in the snprintf("%.*s") string length as 'int' + + Reported by Coverity CID 1515928 + + Closes #9679 + +Paul Seligman (9 Oct 2022) + +- ws: minor fixes for web sockets without the CONNECT_ONLY flag + + - Fixed an issue where is_in_callback was getting cleared when using web + sockets with debug logging enabled + - Ensure the handle is is_in_callback when calling out to fwrite_func + - Change the write vs. send_data decision to whether or not the handle + is in CONNECT_ONLY mode. + - Account for buflen not including the header length in curl_ws_send + + Closes #9665 + +Marc Hoersken (8 Oct 2022) + +- CI/cirrus: merge existing macOS jobs into a job matrix + + Ref: #9627 + Reviewed-by: Philip H. + + Closes #9672 + +Daniel Stenberg (8 Oct 2022) + +- strcase: add and use Curl_timestrcmp + + This is a strcmp() alternative function for comparing "secrets", + designed to take the same time no matter the content to not leak + match/non-match info to observers based on how fast it is. + + The time this function takes is only a function of the shortest input + string. + + Reported-by: Trail of Bits + + Closes #9658 + +- tool_getparam: split out data_urlencode() into its own function + + Closes #9673 + +- connect: fix Curl_updateconninfo for TRNSPRT_UNIX + + Reported-by: Vasiliy Ulyanov + Fixes #9664 + Closes #9670 + +- ws: fix Coverity complaints + + Coverity pointed out several flaws where variables remained + uninitialized after forks. + + Follow-up to e3f335148adc6742728f + + Closes #9666 + +Marc Hoersken (7 Oct 2022) + +- CI/GHA: merge msh3 and openssl3 builds into linux workflow + + Continue work on merging all Linux workflows into one file. 
+ + Follow up to #9501 + Closes #9646 + +Daniel Stenberg (7 Oct 2022) + +- curl_ws_send.3: call the argument 'fragsize' + + Since WebSocket works with "fragments" not "frames" + + Closes #9668 + +- easy: avoid Intel error #2312: pointer cast involving 64-bit pointed-to type + + Follow-up to e3f335148adc6742728ff8 + + Closes #9669 + +- tool_main: exit at once if out of file descriptors + + If the main_checkfds function cannot create new file descriptors in an + attempt to detect of stdin, stdout or stderr are closed. + + Also changed the check to use fcntl() to check if the descriptors are + open, which avoids superfluously calling pipe() if they all already are. + + Follow-up to facfa19cdd4d0094 + + Reported-by: Trail of Bits + + Closes #9663 + +- websockets: remodeled API to support 63 bit frame sizes + + curl_ws_recv() now receives data to fill up the provided buffer, but can + return a partial fragment. The function now also get a pointer to a + curl_ws_frame struct with metadata that also mentions the offset and + total size of the fragment (of which you might be receiving a smaller + piece). This way, large incoming fragments will be "streamed" to the + application. When the curl_ws_frame struct field 'bytesleft' is 0, the + final fragment piece has been delivered. + + curl_ws_recv() was also adjusted to work with a buffer size smaller than + the fragment size. (Possibly needless to say as the fragment size can + now be 63 bit large). + + curl_ws_send() now supports sending a piece of a fragment, in a + streaming manner, in addition to sending the entire fragment in a single + call if it is small enough. To send a huge fragment, curl_ws_send() can + be used to send it in many small calls by first telling libcurl about + the total expected fragment size, and then send the payload in N number + of separate invokes and libcurl will stream those over the wire. 
+ + The struct curl_ws_meta() returns is now called 'curl_ws_frame' and it + has been extended with two new fields: *offset* and *bytesleft*. To help + describe the passed on data chunk when a fragment is delivered in many + smaller pieces. + + The documentation has been updated accordingly. + + Closes #9636 + +Patrick Monnerat (7 Oct 2022) + +- docs/examples: avoid deprecated options in examples where possible + + Example programs targeting a deprecated feature/option are commented with + a warning about it. + Other examples are adapted to not use deprecated options. + + Closes #9661 + +Viktor Szakats (6 Oct 2022) + +- cmake: fix enabling websocket support + + Follow-up from 664249d095275ec532f55dd1752d80c8c1093a77 + + Closes #9660 + +- tidy-up: delete parallel/unused feature flags + + Detecting headers and lib separately makes sense when headers come in + variations or with extra ones, but this wasn't the case here. These were + duplicate/parallel macros that we had to keep in sync with each other + for a working build. This patch leaves a single macro for each of these + dependencies: + + - Rely on `HAVE_LIBZ`, delete parallel `HAVE_ZLIB_H`. + + Also delete CMake logic making sure these two were in sync, along with + a toggle to turn off that logic, called `CURL_SPECIAL_LIBZ`. + + Also delete stray `HAVE_ZLIB` defines. + + There is also a `USE_ZLIB` variant in `lib/config-dos.h`. This patch + retains it for compatibility and deprecates it. + + - Rely on `USE_LIBSSH2`, delete parallel `HAVE_LIBSSH2_H`. + + Also delete `LIBSSH2_WIN32`, `LIBSSH2_LIBRARY` from + `winbuild/MakefileBuild.vc`, these have a role when building libssh2 + itself. And `CURL_USE_LIBSSH`, which had no use at all. + + Also delete stray `HAVE_LIBSSH2` defines. + + - Rely on `USE_LIBSSH`, delete parallel `HAVE_LIBSSH_LIBSSH_H`. 
+ + Also delete `LIBSSH_WIN32`, `LIBSSH_LIBRARY` and `HAVE_LIBSSH` from + `winbuild/MakefileBuild.vc`, these were the result of copy-pasting the + libssh2 line, and were not having any use. + + - Delete unused `HAVE_LIBPSL_H` and `HAVE_LIBPSL`. + + Reviewed-by: Daniel Stenberg + + Closes #9652 + +Daniel Stenberg (6 Oct 2022) + +- netrc: compare user name case sensitively + + User name comparisions in netrc need to match the case. + + Closes #9657 + +- CURLOPT_COOKIEFILE: insist on "" for enable-without-file + + The former way that also suggested using a non-existing file to just + enable the cookie engine could lead to developers maybe a bit carelessly + guessing a file name that will not exist, and then in a future due to + circumstances, such a file could be made to exist and then accidentally + libcurl would read cookies not actually meant to. + + Reported-by: Trail of bits + + Closes #9654 + +- tests/Makefile: remove run time stats from ci-test + + The ci-test is the normal makefile target invoked in CI jobs. This has + been using the -r option to runtests.pl since a long time, but I find + that it mostly just adds many lines to the test output report without + anyone caring much about those stats. + + Remove it. + + Closes #9656 + +Patrick Monnerat (6 Oct 2022) + +- tool: reorganize function c_escape around a dynbuf + + This is a bit shorter and a lot safer. + + Substrings of unescaped characters are added by a single call to reduce + overhead. + + Extend test 1465 to handle more kind of escapes. 
+ + Closes #9653 + +Jay Satiro (5 Oct 2022) + +- CURLOPT_HTTPPOST.3: bolden the deprecation notice + + Ref: https://github.com/curl/curl/pull/9621 + + Closes https://github.com/curl/curl/pull/9637 + +John Bampton (5 Oct 2022) + +- misc: fix spelling in docs and comments + + also: remove outdated sentence + + Closes #9644 + +Patrick Monnerat (5 Oct 2022) + +- tool: avoid generating ambiguous escaped characters in --libcurl + + C string hexadecimal-escaped characters may have more than 2 digits. + This results in a wrong C compiler interpretation of a 2-digit escaped + character when followed by an hex digit character. + + The solution retained here is to represent such characters as 3-digit + octal escapes. + + Adjust and extend test 1465 for this case. + + Closes #9643 + +Daniel Stenberg (5 Oct 2022) + +- configure: the ngtcp2 option should default to 'no' + + While still experimental. + + Bug: https://curl.se/mail/lib-2022-10/0007.html + Reported-by: Daniel Hallberg + + Closes #9650 + +- CURLOPT_MIMEPOST.3: add an (inline) example + + Reported-by: Jay Satiro + Bug: https://github.com/curl/curl/pull/9637#issuecomment-1268070723 + + Closes #9649 + +Viktor Szakats (5 Oct 2022) + +- Makefile.m32: exclude libs & libpaths for shared mode exes [ci skip] + + Exclude linker flags specifying depedency libs and libpaths, when + building against `libcurl.dll`. In such case these options are not + necessary (but may cause errors if not/wrongly configured.) + + Also move and reword a comment on `CPPFLAGS` to not apply to + `UNICODE` options. These are necessary for all build targets. + + Closes #9651 + +Jay Satiro (5 Oct 2022) + +- runtests: fix uninitialized value on ignored tests + + - Don't show TESTFAIL message (ie tests failed which aren't ignored) if + only ignored tests failed. + + Before: + IGNORED: failed tests: 571 612 1056 + TESTDONE: 1214 tests out of 1217 reported OK: 99% + Use of uninitialized value $failed in concatenation (.) 
or string at + ./runtests.pl line 6290. + TESTFAIL: These test cases failed: + + After: + IGNORED: failed tests: 571 612 1056 + TESTDONE: 1214 tests out of 1217 reported OK: 99% + + Closes https://github.com/curl/curl/pull/9648 + +- cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS + + - Correct the use of -all-static for static Windows CI builds. + + curl_LDFLAGS was removed from the makefile when metalink support was + removed. LDFLAGS=-all-static is passed to make only, because it is not a + valid option for configure compilation tests. + + Closes https://github.com/curl/curl/pull/9633 + +Viktor Szakats (4 Oct 2022) + +- Makefile.m32: fix regression with tool_hugehelp [ci skip] + + In a recent commit I mistakenly deleted this logic, after seeing a + reference to a filename ending with `.cvs` and thinking it must have + been long gone. Turns out this is an existing file. Restore the rule + and the necessary `COPY` definitions with it. + + The restored logic is required for a successful build on a bare source + tree (as opposed to a source release tarball). + + Also shorten an existing condition similar to the one added in this + patch. + + Regression since 07a0047882dd3f1fbf73486c5dd9c15370877ad6 + + Closes #9645 + +- Makefile.m32: deduplicate build rules [ci skip] + + After this patch, we reduce the three copies of most `Makefile.m32` + logic to one. This now resides in `lib/Makefile.m32`. It makes future + updates easier, the code shorter, with a small amount of added + complexity. + + `Makefile.m32` reduction: + + | | bytes | LOC total | blank | comment | code | + |-------------------|-------:|----------:|-------:|---------:|------:| + | 7.85.0 | 34772 | 1337 | 79 | 192 | 1066 | + | before this patch | 17601 | 625 | 62 | 106 | 457 | + | after this patch | 11680 | 392 | 52 | 104 | 236 | + + Details: + + - Change rules to create objects for the `v*` subdirs in the `lib` dir. 
+ This allows to use a shared compile rule and assumes that filenames + are not (and will not be) colliding across these directories. + `Makefile.m32` now also stores a list of these subdirs. They are + changing rarely though. + + - Sync as much as possible between the three `Makefile.m32` scripts' + rules and their source/target sections. + + - After this patch `CPPFLAGS` are all applied to the `src` sources once + again. This matches the behaviour of cmake/autotools. Only zlib ones + are actually required there. + + - Use `.rc` names from `Makefile.inc` instead of keeping a duplicate. + + - Change examples to link `libcurl.dll` by default. This makes building + trivial, even as a cross-build: + `CC=x86_64-w64-mingw32-gcc make -f Makefile.m32` + To run them, you need to move/copy or add-to-path `libcurl.dll`. + You can select static mode via `CFG=-static`. + + - List more of the `Makefile.m32` config variables. + + - Drop `.rc` support from examples. It made it fragile without much + benefit. + + - Include a necessary system lib for the `externalsocket.c` example. + + - Exclude unnecessary systems libs when building in `-dyn` mode. + + Closes #9642 + +Daniel Stenberg (4 Oct 2022) + +- RELEASE-NOTES: synced + +- CURLOPT_COOKIELIST.3: fix formatting mistake + + Also, updated manpage-syntax.pl to make it detect this error in test + 1173. + + Reported-by: ProceduralMan on github + Fixes #9639 + Closes #9640 + +Jay Satiro (4 Oct 2022) + +- connect: change verbose IPv6 address:port to [address]:port + + - Use brackets for the IPv6 address shown in verbose message when the + format is address:port so that it is less confusing. + + Before: Trying 2606:4700:4700::1111:443... + After: Trying [2606:4700:4700::1111]:443... 
+ + Bug: https://curl.se/mail/archive-2022-02/0041.html + Reported-by: David Hu + + Closes #9635 + +Viktor Szakats (3 Oct 2022) + +- Makefile.m32: major rework [ci skip] + + This patch overhauls `Makefile.m32` scripts, fixing a list of quirks, + making its behaviour and customization envvars align better with other + build systems, aiming for less code, that is easier to read, use and + maintain. + + Details: + - Rename customization envvars: + `CURL_CC` -> `CC` + `CURL_RC` -> `RC` + `CURL_AR` -> `AR` + `CURL_LDFLAG_EXTRAS_DLL` -> `CURL_LDFLAGS_LIB` + `CURL_LDFLAG_EXTRAS_EXE` -> `CURL_LDFLAGS_BIN` + - Drop `CURL_STRIP` and `CURL_RANLIB`. These tools are no longer used. + - Accept `CFLAGS`, `CPPFLAGS`, `RCFLAGS`, `LDFLAGS` and `LIBS` envvars. + - Drop `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, `CURL_RCFLAG_EXTRAS` in + favor of the above. + - Do not automatically enable `zlib` with `libssh2`. `zlib` is optional + with `libssh2`. + - Omit unnecessary `CPPFLAGS` options when building `curl.exe` and + examples. + - Drop support for deprecated `-winssl` `CFG` option. Use `-schannel` + instead. + - Avoid late evaluation where not necessary (`=` -> `:=`). + - Drop support for `CURL_DLL_A_SUFFIX` to override the implib suffix. + Instead, use the standard naming scheme by default: `libcurl.dll.a`. + The toolchain recognizes the name, and selects it automatically when + asking for a `-shared` vs. `-static` build. + - Stop applying `strip` to `libcurl.a`. Follow-up from + 16a58e9f93c7e89e1f87720199388bcfcfa148a4. There was no debug info to + strip since then. + - Stop setting `-O3`, `-W`, `-Wall` options. You can add these to + `CFLAGS` as desired. + - Always enable `-DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` with OpenSSL, + to avoid that vulnerability on Windows. + - Add `-lbrotlicommon` to `LIBS` when using `brotli`. + - Do not enable `-nghttp3` without `-ngtcp2`. + - `-ssh2` and `-rtmp` options no longer try to auto-select a TLS-backend. 
+ You need to set the backend explicitly. This scales better and avoids + issues with certain combinations (e.g. `libssh2` + `wolfssl` with no + `schannel`). + - Default to OpenSSL TLS-backend with `ngtcp2`. Possible to override via + `NGTCP2_LIBS`. + - Old, alternate method of enabling components (e.g. `SSH2=1`) no longer + supported. + - Delete `SPNEGO` references. They were no-ops. + - Drop support for Win9x environments. + - Allow setting `OPENSSL_LIBS` independently from `OPENSSL_LIBPATH`. + - Support autotools/CMake `libssh2` builds by default. + - Respect `CURL_DLL_SUFFIX` in `-dyn` mode when building `curl.exe` and + examples. + - Assume standard directory layout with `LIBCARES_PATH`. (Instead of the + long gone embedded one.) + - Stop static linking with c-ares by default. Add + `CPPFLAGS=-DCARES_STATICLIB` to enable it. + - Reorganize internal layout to avoid redundancy and emit clean diffs + between src/lib and example make files. + - Delete unused variables. + - Code cleanups/rework. + - Comment and indentation fixes. + + Closes #9632 + +- scripts/release-notes.pl: strip ci skip tag [ci skip] + + Ref: https://github.com/curl/curl/commit/e604a82cae922bf86403a94f5803ac5e4303 + ae97#commitcomment-85637701 + + Reviewed-by: Daniel Stenberg + + Closes #9634 + +- Makefile.m32: delete legacy component bits [ci skip] + + - Drop auto-detection of OpenSSL 1.0.2 and earlier. Now always defaulting + to OpenSSL 1.1.0 and later, LibreSSL and BoringSSL. + + - Drop `Invalid path to OpenSSL package` detection. OpenSSL has been + using a standard file layout since 1.1.0, so this seems unnecessary + now. + + - Drop special logic to enable Novell LDAP SDK support. + + - Drop special logic to enable OpenLDAP LDAP SDK support. This seems + to be distinct from native OpenLDAP, with support implemented inside + `lib/ldap.c` (vs. `lib/openldap.c`) back when the latter did not exist + yet in curl. 
+ + - Add `-lwldap32` only if there is no other LDAP library (either native + OpenLDAP, or SDKs above) present. + + - Update `doc/INSTALL.md` accordingly. + + After this patch, it's necessary to make configration changes when using + OpenSSL 1.0.2 or earlier, or the two LDAP SDKs. + + OpenSSL 1.0.2 and earlier: + ``` + export OPENSSL_INCLUDE = /outinc + export OPENSSL_LIBPATH = /out + export OPENSSL_LIBS = -lssl32 -leay32 -lgdi32 + ``` + + Novell LDAP SDK, previously enabled via `USE_LDAP_NOVELL=1`: + ``` + export CURL_CFLAG_EXTRAS = -I/inc -DCURL_HAS_NOVELL_LDAPSDK + export CURL_LDFLAG_EXTRAS = -L/lib/mscvc -lldapsdk -lldapssl -ll + dapx + ``` + + OpenLDAP LDAP SDK, previously enabled via `USE_LDAP_OPENLDAP=1`: + ``` + export CURL_CFLAG_EXTRAS = -I/include -DCURL_HAS_OPENLDAP_LDAPSD + K + export CURL_LDFLAG_EXTRAS = -L/lib -lldap -llber + ``` + + I haven't tested these scenarios, and in general we recommend using + a recent OpenSSL release. Also, WinLDAP (the Windows default) and + OpenLDAP (via `-DUSE_OPENLDAP`) are the LDAP options actively worked on + in curl. + + Closes #9631 + +Daniel Stenberg (2 Oct 2022) + +- vauth/ntlm.h: make line shorter than 80 columns + + Follow-up from 265fbd937 + +Viktor Szakats (1 Oct 2022) + +- docs: update sourceforge project links [ci skip] + + SourceForge projects can now choose between two hostnames, with .io and + .net ending. Both support HTTPS by default now. Opening the other variant + will perm-redirected to the one chosen by the project. + + The .io -> .net redirection is done insecurely. + + Let's update the URLs to point to the current canonical endpoints to + avoid any redirects. + + Closes #9630 + +Daniel Stenberg (1 Oct 2022) + +- curl_url_set.3: document CURLU_APPENDQUERY proper + + Listed among the other supported flags. 
+ + Reported-by: Robby Simpson + Fixes #9628 + Closes #9629 + +Viktor Szakats (1 Oct 2022) + +- Makefile.m32: cleanups and fixes [ci skip] + + - Add `-lcrypt32` once, and add it always for simplicity. + - Delete broken link and reference to the pre-Vista WinIDN add-on. + MS no longer distribute it. + - Delete related `WINIDN_PATH` option. IDN is a system lib since Vista. + - Sync `LIBCARES_PATH` default with the rest of dependencies. + - Delete version numbers from dependency path defaults. + - `libgsasl` package is now called `gsasl`. + - Delete `libexpat` and `libxml2` references. No longer used by curl. + - Delete `Edit the path below...` comments. We recommend to predefine + those envvars instead. + - `libcares.a` is not an internal dependency anymore. Stop using it as + such. + - `windres` `--include-dir` -> `-I`, `-F` -> `--target=` for readability. + - Delete `STRIP`, `CURL_STRIP`, `AR` references from `src/Makefile.m32`. + They were never used. + - Stop to `clean` some objects twice in `src/Makefile.m32`. + - Delete cvs-specific leftovers. + - Finish resource support in examples make file. + - Delete `-I/lib` from examples make file. + - Fix copyright start year in examples make file. + - Delete duplicate `ftpuploadresume` input in examples make file. + - Sync OpenSSL lib order, `SYNC` support, `PROOT` use, dependency path + defaults, variables names and other internal bits between the three + make files. + - `lib/Makefile.m32` accepted custom options via `DLL_LIBS` envvar. This + was lib-specific and possibly accidental. Use `CURL_LDFLAG_EXTRAS_DLL` + envvar for the same effect. + - Fix linking `curl.exe` and examples to wrong static libs with + auto-detected OpenSSL 1.0.2 or earlier. + - Add `-lgdi32` for OpenSSL 1.0.2 and earlier only. + - Add link to Novell LDAP SDK and use a relative default path. Latest + version is from 2016, linked to an outdated OpenSSL 1.0.1. + - Whitespace and comment cleanups. 
+ + TODO in a next commit: + + Delete built-in detection/logic for OpenSSL 1.0.2 and earlier, the Novell + LDAP SDK and the other LDAP SDK (which is _not_ OpenLDAP). Write up the + necessary custom envvars to configure them. + + Closes #9616 + +Daniel Stenberg (30 Sep 2022) + +- RELEASE-NOTES: synced + +Matt Holt (30 Sep 2022) + +- HTTP3.md: update Caddy example + + Closes #9623 + +Daniel Stenberg (30 Sep 2022) + +- easy: fix the altsvc init for curl_easy_duphandle + + It was using the old #ifdef which nothing sets anymore + + Closes #9624 + +- GHA: build tests in a separate step from the running of them + + ... to make the output smaller for when you want to look at test + failures. + + Removed the examples build from msh3 + + Closes #9619 + +Viktor Szakats (29 Sep 2022) + +- ldap: delete stray CURL_HAS_MOZILLA_LDAP reference + + Added in 68b215157fdf69612edebdb220b3804822277822, while adding openldap + support. This is also the single mention of this constant in the source + tree and also in that commit. Based on these, it seems like an accident. + + Delete this reference. + + Reviewed-by: Daniel Stenberg + + Closes #9625 + +- docs: spelling nits + + - MingW -> MinGW (Minimalist GNU for Windows) + - f.e. -> e.g. + - some whitespace and punctuation. + + Reviewed-by: Daniel Stenberg + + Closes #9622 + +Philip Heiduck (29 Sep 2022) + +- cirrus-ci: add macOS build with m1 + + 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> + + Closes #9565 + +Patrick Monnerat (29 Sep 2022) + +- lib: sanitize conditional exclusion around MIME + + The introduction of CURL_DISABLE_MIME came with some additional bugs: + - Disabled MIME is compiled-in anyway if SMTP and/or IMAP is enabled. + - CURLOPT_MIMEPOST, CURLOPT_MIME_OPTIONS and CURLOPT_HTTPHEADER are + conditioned on HTTP, although also needed for SMTP and IMAP MIME mail + uploads. + + In addition, the CURLOPT_HTTPHEADER and --header documentation does not + mention their use for MIME mail. + + This commit fixes the problems above. + + Closes #9610 + +Thiago Suchorski (29 Sep 2022) + +- docs: minor grammar fixes + + Closes #9609 + +Daniel Stenberg (28 Sep 2022) + +- CURLSHOPT_UNLOCKFUNC.3: the callback as no 'access' argument + + Probably a copy and paste error from the lock function man page. + + Reported-by: Robby Simpson + Fixes #9612 + Closes #9613 + +- CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five + + ... instead just list the supported encodings. + + Reported-by: ProceduralMan on github + Fixes #9614 + Closes #9615 + +Dan Fandrich (28 Sep 2022) + +- tests: Remove a duplicated keyword + +- docs: document more server names for test files + +Daniel Stenberg (28 Sep 2022) + +- altsvc: reject bad port numbers + + The existing code tried but did not properly reject alternative services + using negative or too large port numbers. + + With this fix, the logic now also flushes the old entries immediately + before adding a new one, making a following header with an illegal entry + not flush the already stored entry. + + Report from the ongoing source code audit by Trail of Bits. + + Adjusted test 356 to verify. + + Closes #9607 + +- functypes: provide the recv and send arg and return types + + This header is for providing the argument types for recv() and send() + when built to not use a dedicated config-[platfor].h file. 
+ + Remove the slow brute-force checks from configure and cmake. + + This change also removes the use of the types for select, as they were + not used in code. + + Closes #9592 + +- urlapi: reject more bad characters from the host name field + + Extended test 1560 to verify + + Report from the ongoing source code audit by Trail of Bits. + + Closes #9608 + +- configure: deprecate builds with small curl_off_t + + If curl_off_t turns out to be smaller than 8 bytes, + --with-n64-deprecated needs to be used to allow the build to + continue. This is to highlight the fact that support for such builds is + going away next year. + + Also mentioned in DEPRECATED.md + + Closes #9605 + +Patrick Monnerat (27 Sep 2022) + +- http, vauth: always provide Curl_allow_auth_to_host() functionality + + This function is currently located in the lib/http.c module and is + therefore disabled by the CURL_DISABLE_HTTP conditional token. + + As it may be called by TLS backends, disabling HTTP results in an + undefined reference error at link time. + + Move this function to vauth/vauth.c to always provide it and rename it + as Curl_auth_allowed_to_host() to respect the vauth module naming + convention. + + Closes #9600 + +Daniel Stenberg (27 Sep 2022) + +- ngtcp2: fix C89 compliance nit + +- openssl: make certinfo available for QUIC + + Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that + can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC + connections as well. + + The *certchain function was moved to the top of the file for this reason. 
+ + Reported-by: Eloy Degen + Fixes #9584 + Closes #9597 + +- RELEASE-NOTES: synced + +- DEPRECATE.md: Support for systems without 64 bit data types + + Closes #9604 + +Patrick Monnerat (27 Sep 2022) + +- tests: skip mime/form tests when mime is not built-in + + Closes #9596 + +Daniel Stenberg (27 Sep 2022) + +- url: rename function due to name-clash in Watt-32 + + Follow-up to 2481dbe5f4f58 and applies the change the way it was + intended. + +Viktor Szakats (26 Sep 2022) + +- windows: adjust name of two internal public functions + + According to `docs/INTERNALS.md`, internal function names spanning source + files start with uppercase `Curl_`. Bring these two functions in + alignment with this. + + This also stops exporting them from `libcurl.dll` in autotools builds. + + Reviewed-by: Daniel Stenberg + + Closes #9598 + +Gisle Vanem (26 Sep 2022) + +- url: rename function due to name-clash in Watt-32 + + Since the commit 764c958c52edb427f39, there was a new function called + resolve_ip(). This clashes with an internal function in Watt-32. + + Closes #9585 + +Jay Satiro (26 Sep 2022) + +- schannel: ban server ALPN change during recv renegotiation + + By the time schannel_recv is renegotiating the connection, libcurl has + already decided on a protocol and it is too late for the server to + select a protocol via ALPN except for the originally selected protocol. + + Ref: https://github.com/curl/curl/issues/9451 + + Closes https://github.com/curl/curl/pull/9463 + +Daniel Stenberg (26 Sep 2022) + +- url: a zero-length userinfo part in the URL is still a (blank) user + + Adjusted test 1560 to verify + + Reported-by: Jay Satiro + + Fixes #9088 + Closes #9590 + +Viktor Szakats (25 Sep 2022) + +- autotools: allow --enable-symbol-hiding with windows + + This local autotools logic was put in place in + 9e24b9c7afbcb81120af4cf3f6cdee49a06d8224 (in 2012) which disabled it for + Windows unconditionally. 
Testing reveals that it actually works with + tested toolchains (mingw-w64 and CI ones), so let's allow this build + feature on that platform. Bringing this in sync with CMake, which already + supported this. + + Reviewed-by: Jay Satiro + + Closes #9586 + +- autotools: reduce brute-force when detecting recv/send arg list + + autotools uses brute-force to detect `recv`/`send`/`select` argument + lists, by interating through _all_ argument type combinations on each + `./configure` run. This logic exists since + 01fa02d0b545e1433dced2430561f8c0c72b74a9 (from 2006) and was a bit later + extended with Windows support. + + This results in a worst-case number of compile + link cycles as below: + - `recv`: 96 + - `send`: 192 + - `select`: 60 + Total: 348 (the number of curl C source files is 195, for comparison) + + Notice that e.g. curl-for-win autotools builds require two `./configure` + invocations, doubling these numbers. + + `recv` on Windows was especially unlucky because `SOCKET` (the correct + choice there) was listed _last_ in one of the outer trial loops. This + resulted in lengthy waits while autotools was trying all invalid + combinations first, wasting cycles, disk writes and slowing down + iteration. + + This patch reduces the amount of idle work by reordering the tests in + a way to succeed first on a well-known platform such as Windows, and + also on non-Windows by testing for POSIX prototypes first, on the + assumption that these are the most likely candidates these days. (We do + not touch `select`, where the order was already optimal for these + platforms.) + + For non-Windows, this means to try a return value of `ssize_t` first, + then `int`, reordering the buffer argument type to try `void *` first, + then `byte *`, and prefer the `const` flavor with `send`. If we are + here, also stop testing for `SOCKET` type in non-Windows builds. + + After the patch, detection on Windows is instantaneous. 
It should also be + faster on popular platforms such as Linux and BSD-based ones. + + If there are known-good variations for other platforms, they can also be + fast-tracked like above, given a way to check for that platform inside + the autotools logic. + + Reviewed-by: Daniel Stenberg + + Closes #9591 + +Daniel Stenberg (23 Sep 2022) + +- TODO: Provide the error body from a CONNECT response + + Spellchecked-by: Jay Satiro + + Closes #9513 + Closes #9581 + +Viktor Szakats (23 Sep 2022) + +- windows: autotools .rc warnings fixup + + Move `LT_LANG([Windows Resource])` after `XC_LIBTOOL`, fixing: + + - Warnings when running `autoreconf -fi`. + + - Warning when compiling .rc files: + libtool: compile: unable to infer tagged configuration + libtool: error: specify a tag with '--tag' + + Follow up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057 + Ref: https://github.com/curl/curl/pull/9521#issuecomment-1256291156 + + Suggested-by: Patrick Monnerat + Closes #9582 + +Randall S. Becker (23 Sep 2022) + +- curl_setup: disable use of FLOSS for 64-bit NonStop builds + + Older 32-bit builds currently need FLOSS. This dependency may be removed + in future OS releases. + + 
Signed-off-by: Randall S. Becker + + Closes #9575 + +Patrick Monnerat (23 Sep 2022) + +- tool: remove dead code + + Add a debug assertion to verify protocols included/excluded in a set + are always tokenized. + + Follow-up to commit 677266c. + + Closes #9576 + +- lib: prepare the incoming of additional protocols + + Move the curl_prot_t to its own conditional block. Introduce symbol + PROTO_TYPE_SMALL to control it. + + Fix a cast in a curl_prot_t assignment. + Remove an outdated comment. + + Follow-up to cd5ca80. + + Closes #9534 + +Daniel Stenberg (23 Sep 2022) + +- msh3: change the static_assert to make the code C89 + +- bearssl: make it proper C89 compliant + +- curl-compilers.m4: for gcc + want warnings, set gnu89 standard + + To better verify that the code is C89 + + Closes #9542 + +Patrick Monnerat (22 Sep 2022) + +- lib517: fix C89 constant signedness + + In C89, positive integer literals that overflow an int but not an + unsigned int may be understood as a negative int. + + lib517.c:129:3: warning: this decimal constant is unsigned only in ISO C90 + {"Sun, 06 Nov 2044 08:49:37 GMT", 2362034977 }, + ^ + + Closes #9572 + +Daniel Stenberg (22 Sep 2022) + +- mprintf: use snprintf if available + + This is the single place in libcurl code where it uses the "native" + s(n)printf() function. Used for writing floats. The use has been + reviewed and vetted and uses a HUGE target buffer, but switching to + snprintf() still makes this safer and removes build-time warnings. + + Reported-by: Philip Heiduck + + Fixes #9569 + Closes #9570 + +- docs: tag curl options better in man pages + + As it makes them links in the HTML versions. + + Verified by the extended test 1176 + +- symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6 + +- manpage-syntax.pl: all libcurl option symbols should be \fI-tagged + + ... as that makes them links to their corresponding man page. + + This script is used for test 1173. 
+ + Closes #9574 + +- RELEASE-NOTES: synced + +Patrick Monnerat (22 Sep 2022) + +- tool: remove protocol count limitation + + Replace bit mask protocol sets by null-terminated arrays of protocol + tokens. These are the addresses of the protocol names returned by + curl_version_info(). + + Protocol names are sorted case-insensitively before output to satisfy CI + tests matches consistency. + + The protocol list returned by curl_version_info() is augmented with all + RTMP protocol variants. + + Test 1401 adjusted for new alpha ordered output. + + Closes #9546 + +Daniel Stenberg (22 Sep 2022) + +- test972: verify the output without using external tool + + It seems too restrictive to assume and use an external tool to verify + the JSON. This now verifies the outut byte per byte. We could consider + building a local "JSON verifyer" in a future. + + Remove 'jsonlint' from the CI job. + + Reported-by: Marcel Raad + Fixes #9563 + Closes #9564 + +- hostip: lazily wait to figure out if IPv6 works until needed + + The check may take many milliseconds, so now it is performed once the + value is first needed. Also, this change makes sure that the value is + not used if the resolve is set to be IPv4-only. + + Closes #9553 + +- curl.h: fix mention of wrong error code in comment + + The same error and comment were also used and is now corrected in + CURLOPT_SSH_KEYFUNCTION.3 + +- symbol-scan.pl: scan and verify .3 man pages + + This script now also finds all .3 man pages in docs/include and + docs/include/opts, extracts all uses of CURL* symbols and verifies that all + symbols mentioned in docs are defined in public headers. + + A "global symbol" is one of those matching a known prefix and the script make + s + an attempt to check all/most of them. Just using *all* symbols that match + CURL* proved matching a little too many other references as well and turned + difficult turning into something useful. 
+ + Closes #9544 + +- symbols-in-versions: add missing LIBCURL* symbols + +- symbol-scan.pl: also check for LIBCURL* symbols + + Closes #9544 + +- docs/libcurl/symbols-in-versions: add several missing symbols + +- test1119: scan all public headers + + Previously this test only scanned a subset of the headers, which made us + accidentally miss symbols that were provided in the others. Now, the script + iterates over all headers present in include/curl. + + Closes #9544 + +Patrick Monnerat (21 Sep 2022) + +- examples/chkspeed: improve portability + + The example program chkspeed uses strncasecmp() which is not portable + across systems. Replace calls to this function by tests on characters. + + Closes #9562 + +Daniel Stenberg (21 Sep 2022) + +- easy: fix the #include order + + The mentioned "last 3 includes" order should be respected. easy_lock.h should + be included before those three. + + Reported-by: Yuriy Chernyshov + Fixes #9560 + Closes #9561 + +- docs: spellfixes + + Pointed by the new CI job + +- GHA: spellcheck + + This spellchecker checks markdown files. For this reason this job + converts all man pages in the repository to markdown with pandoc before + the check runs. + + The perl script 'cleanspell' filters out details from the man page in + the process, to avoid the spellchecker trying to spellcheck things it + can't. Like curl specific symbols and the SYNOPSIS and EXAMPLE sections + of libcurl man pages. + + The spell checker does not check words in sections that are within pre, + strong and em tags. + + 'spellcheck.words' is a custom word list with additional accepted words. + + Closes #9523 + +- connect: fix the wrong error message on connect failures + + The "Failed to connect to" message after a connection failure would + include the strerror message based on the presumed previous socket + error, but in times it seems that error number is not set when reaching + this code and therefore it would include the wrong error message. 
+ + The strerror message is now removed from here and the curl_easy_strerror + error is used instead. + + Reported-by: Edoardo Lolletti + Fixes #9549 + Closes #9554 + +- httpput-postfields.c: shorten string for C89 compliance + + httpput-postfields.c:41:3: error: string length ‘522’ is greater than the + length ‘509’ ISO C90 compilers are required to support [-Woverlength-str + ings] + 41 | "this chapter."; + | ^~~~~~~~~~~~~~~ + + Closes #9555 + +- ws: fix a C89 compliance nit + + Closes #9541 + +Patrick Monnerat (21 Sep 2022) + +- unit test 1655: make it C89-compliant + + Initializations performed in unit test 1655 use automatic variables in + aggregates and thus can only be computed at run-time. Using gcc in C89 + dialect mode produces warning messages like: + + unit1655.c:96:7: warning: initializer element is not computable at load time + [-Wpedantic] + 96 | { toolong, DOH_DNS_NAME_TOO_LONG }, /* expect early failure */ + | ^~~~~~~ + + Fix the problem by converting these automatic pointer variables to + static arrays. + + Closes #9551 + +Tobias Schaefer (20 Sep 2022) + +- curl_strequal.3: fix typo + + Closes #9548 + +Dmitry Karpov (20 Sep 2022) + +- resolve: make forced IPv4 resolve only use A queries + + This protects IPv4-only transfers from undesired bad IPv6-related side + effects and make IPv4 transfers in dual-stack libcurl behave the same + way as in IPv4 single-stack libcurl. + + Closes #9540 + +Daniel Stenberg (20 Sep 2022) + +- RELEASE-NOTES: synced + +- winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths + + Patched-by: Mark Itzcovitz + Bug: https://curl.se/mail/lib-2022-09/0038.html + + Closes #9536 + +- TODO: Reduce CA certificate bundle reparsing + + By adding some sort of cache. + + Reported-by: Michael Drake + Closes #9379 + Closes #9538 + +Marc Hoersken (19 Sep 2022) + +- CI/GHA: cancel outdated CI runs on new PR changes + + Avoid letting outdated CI runs continue if a PR receives + new changes. 
Outside a PR we let them continue running + by tying the concurrency to the commit hash instead. + + Also only let one CodeQL or Hacktoberfest job run at a time. + + Other CI platforms we use have this build in, but GitHub + unfortunately neither by default nor with a simple option. + + This saves CI resources and therefore a little energy. + + Approved-by: Daniel Stenberg + Approved-by: Max Dymond + Closes #9533 + +Daniel Stenberg (19 Sep 2022) + +- docs: fix proselint complaints + +- GHA: run proselint on markdown files + + Co-authored-by: Marc Hörsken + + Closes #9520 + +- lib: the number four in a sequence is the "fourth" + + Spelling is hard + + Closes #9535 + +John Bampton (19 Sep 2022) + +- misc: fix spelling in two source files + + Closes #9529 + +Viktor Szakats (18 Sep 2022) + +- windows: add .rc support to autotools builds + + After this update autotools builds will compile and link `.rc` resources + to Windows executables. Bringing this feature on par with CMake and + Makefile.m32 builds. And also making it unnecessary to improvise these + steps manually, while monkey patching build files, e.g. [0]. + + You can customize the resource compiler via the `RC` envvar, and its + options via `RCFLAGS`. + + This harmless warning may appear throughout the build, even though the + autotools manual documents [1] `RC` as a valid tag, and it fails when + omitting one: + `libtool: error: ignoring unknown tag RC` + + [0] https://github.com/curl/curl-for-win/blob/535f19060d4b708f72e75dd849409ce + 50baa1b84/curl-autotools.sh#L376-L382 + [1] https://www.gnu.org/software/libtool/manual/html_node/Tags.html + + Closes #9521 + +Marc Hoersken (18 Sep 2022) + +- CI/linkcheck: only run if a Markdown file is changed + + This saves CI resources and therefore a little energy. + + Reviewed-by: Max Dymond + Closes #9531 + +- README.md: add GHA status badges for Linux and macOS builds + + This makes sense now that Linux builds are being consolidated. 
+ + Approved-by: Daniel Stenberg + Closes #9530 + + [skip ci] + +Daniel Stenberg (17 Sep 2022) + +- misc: null-terminate + + Make use of this term consistently. + + Closes #9527 + +Marc Hoersken (17 Sep 2022) + +- CI/GHA: merge intel CC and more TLS libs into linux workflow + + Continue work on merging all Linux workflows into one file. + + Reviewed-by: Max Dymond + Follow up to #9501 + Closes #9514 + +Patrick Monnerat (17 Sep 2022) + +- lib1597: make it C89-compliant again + + Automatic variable addresses cannot be used in an initialisation + aggregate. + + Follow-up to 9d51329 + + Reported-by: Daniel Stenberg + Fixes: #9524 + Closes #9525 + +Daniel Stenberg (17 Sep 2022) + +- tool_libinfo: silence "different 'const' qualifiers" in qsort() + + MSVC 15.0.30729.1 warned about it + + Follow-up to dd2a024323dcc + + Closes #9522 + +Patrick Monnerat (16 Sep 2022) + +- docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR. + + Disabled protocols are now handled as if they were unknown. + Also update the possible protocol list. + +- cli tool: do not use disabled protocols + + As they are now rejected by the library, take care of not passing + disabled protocol names to CURLOPT_PROTOCOLS_STR and + CURLOPT_REDIR_PROTOCOLS_STR. + + Rather than using the CURLPROTO_* constants, dynamically assign protocol + numbers based on the order they are listed by curl_version_info(). + + New type proto_set_t implements prototype bit masks: it should therefore + be large enough to accomodate all library-enabled protocols. If not, + protocol numbers beyond the bit count of proto_set_t are recognized but + "inaccessible": when used, a warning is displayed and the value is + ignored. Should proto_set_t overflows, enabled protocols are reordered to + force those having a public CURLPROTO_* representation to be accessible. + + Code has been added to subordinate RTMP?* protocols to the presence of + RTMP in the enabled protocol list, being returned by curl_version_info() + or not. 
+ +- setopt: use the handler table for protocol name to number conversions + + This also returns error CURLE_UNSUPPORTED_PROTOCOL rather than + CURLE_BAD_FUNCTION_ARGUMENT when a listed protocol name is not found. + + A new schemelen parameter is added to Curl_builtin_scheme() to support + this extended use. + + Note that disabled protocols are not recognized anymore. + + Tests adapted accordingly. + + Closes #9472 + +Daniel Stenberg (16 Sep 2022) + +- altsvc: use 'h3' for h3 + + Since the official and real version has been out for a while now and servers + are deployed out there using it, there is no point in sticking to h3-29. + + Reported-by: ウさん + Fixes #9515 + Closes #9516 + +chemodax (16 Sep 2022) + +- winbuild: Use NMake batch-rules for compilation + + - Invoke cl compiler once for each group of .c files. + + This is significantly improves compilation time. For example in my + environment: 40 s --> 20 s. + + Prior to this change cl was invoked per .c file. + + Closes https://github.com/curl/curl/pull/9512 + +Daniel Stenberg (16 Sep 2022) + +- ws: the infof() flags should be %zu + + Follow-up to e5e9e0c5e49ae0 + + Closes #9518 + +- curl: warn for --ssl use, considered insecure + + Closes #9519 + +Sergey Bronnikov (16 Sep 2022) + +- curl_escape.3: fix typo + + lengthf -> length + + Closes #9517 + +Daniel Stenberg (16 Sep 2022) + +- mailmap: merge Philip Heiduck's two addresses into one + +- test1948: verify PUT + POST reusing the same handle + + Reproduced #9507, verifies the fix + +- setopt: when POST is set, reset the 'upload' field + + Reported-by: RobBotic1 on github + Fixes #9507 + Closes #9511 + +Marc Hoersken (15 Sep 2022) + +- github: initial CODEOWNERS setup for CI configuration + + Reviewed-by: Daniel Stenberg + Reviewed-by: Marcel Raad + Reviewed-by: Max Dymond + + Closes #9505 + + [skip ci] + +Philip Heiduck (15 Sep 2022) + +- CI: optimize some more dependencies install + + 
Signed-off-by: Philip Heiduck + + Closes #9500 + +Marc Hoersken (15 Sep 2022) + +- CI/GHA: merge event-based and NSS into new linux workflow + + Continue work on merging all Linux workflows into one file. + + Follow up to #9501 + Closes #9506 + +Daniel Stenberg (15 Sep 2022) + +- include/curl/websockets.h: add extern "C" for C++ + + Reported-by: n0name321 on github + Fixes #9509 + Closes #9510 + +- lib1560: extended to verify detect/reject of unknown schemes + + ... when no guessing is allowed. + +- urlapi: detect scheme better when not guessing + + When the parser is not allowed to guess scheme, it should consider the + word ending at the first colon to be the scheme, independently of number + of slashes. + + The parser now checks that the scheme is known before it counts slashes, + to improve the error messge for URLs with unknown schemes and maybe no + slashes. + + When following redirects, no scheme guessing is allowed and therefore + this change effectively prevents redirects to unknown schemes such as + "data". + + Fixes #9503 + +- strerror: improve two URL API error messages + +Marc Hoersken (14 Sep 2022) + +- CI/GHA: merge bearssl and hyper into initial linux workflow + + Begin work on merging all Linux workflows into one file. + + Closes #9501 + +Daniel Stenberg (14 Sep 2022) + +- RELEASE-NOTES: synced + +- cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h + + Since the config file might also get included by the tool code at times. + This syncs with how other builds do it. + + Closes #9498 + +- tool_hugehelp: make hugehelp a blank macro when disabled + + Closes #9485 + +- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled + + ... to improve the output in this situation. Now it doesn't say "option + unknown" anymore. + + Closes #9485 + +- setopt: fix compiler warning + + Follow-up to cd5ca80f00d2 + + closes #9502 + +Philip Heiduck (13 Sep 2022) + +- CI: skip make, do make install at once for dependencies + + 
Signed-off-by: Philip Heiduck + + Closes #9477 + +Daniel Stenberg (13 Sep 2022) + +- formdata: typecast the va_arg return value + + To avoid "enumerated type mixed with another type" warnings + + Follow-up from 0f52dd5fd5aa3592691a + + Closes #9499 + +- RELEASE-PROCEDURE.md: mention patch releases + + - When to make them and how to argue for them + - Refreshed the release date list + + Closes #9495 + +- urldata: use a curl_prot_t type for storing protocol bits + + This internal-use-only storage type can be bumped to a curl_off_t once + we need to use bit 32 as the previous 'unsigned int' can no longer hold + them all then. + + The websocket protocols take bit 30 and 31 so they are the last ones + that fit within 32 bits - but cannot properly be exported through APIs + since those use *signed* 32 bit types (long) in places. + + Closes #9481 + +zhanghu on xiaomi (13 Sep 2022) + +- formdata: fix warning: 'CURLformoption' is promoted to 'int' + + curl/lib/formdata.c: In function 'FormAdd': + curl/lib/formdata.c:249:31: warning: 'CURLformoption' is promoted to 'int' wh + en passed through '...' + 249 | option = va_arg(params, CURLformoption); + | ^ + curl/lib/formdata.c:249:31: note: (so you should pass 'int' not 'CURLformopti + on' to 'va_arg') + curl/lib/formdata.c:249:31: note: if this code is reached, the program will a + bort + + Closes #9484 + +Daniel Stenberg (13 Sep 2022) + +- CURLOPT_CONNECT_ONLY.3: for ws(s) as well + + and correct the version number for when that support comes. Even if it + is still experimental for WebSocket. + + Closes #9487 + +- tool_operate: avoid a few #ifdefs for disabled-libcurl builds + + By providing empty macros in the header file instead, the code gets + easier to read and yet is disabled on demand. + + Closes #9486 + +a1346054 on github (13 Sep 2022) + +- scripts: use `grep -E` instead of `egrep` + + egrep is deprecated + + Closes #9491 + +Hayden Roche (13 Sep 2022) + +- wolfSSL: fix session management bug. 
+ + Prior to this commit, non-persistent pointers were being used to store + sessions. When a WOLFSSL object was then freed, that freed the session + it owned, and thus invalidated the pointer held in curl's cache. This + commit makes it so we get a persistent (deep copied) session pointer + that we then add to the cache. Accordingly, wolfssl_session_free, which + was previously a no-op, now needs to actually call SSL_SESSION_free. + + This bug was discovered by a wolfSSL customer. + + Closes #9492 + +Daniel Stenberg (13 Sep 2022) + +- docs: use "WebSocket" in singular + + This is how the RFC calls the protocol. Also rename the file in docs/ to + WEBSOCKET.md in uppercase to match how we have done it for many other + protocol docs in similar fashion. + + Add the WebSocket docs to the tarball. + + Closes #9496 + +Marcel Raad (12 Sep 2022) + +- ws: fix build without `USE_WEBSOCKETS` + + The curl.h include is required unconditionally. + +- ws: add missing curl.h include + + A conflict between commits 664249d0952 and e5839f4ee70 broke the build. + +Daniel Stenberg (12 Sep 2022) + +- ws: fix an infof() call to use %uz for size_t output + + Detected by Coverity, CID 1514665. + + Closes #9480 + +Marcel Raad (12 Sep 2022) + +- curl_setup: include only system.h instead of curl.h + + As done before commit 9506d01ee50. + + Ref: https://github.com/curl/curl/pull/9375#discussion_r957010158 + Closes https://github.com/curl/curl/pull/9453 + +- lib: add missing limits.h includes + + Closes https://github.com/curl/curl/pull/9453 + +- lib and tests: add missing curl.h includes + + Closes https://github.com/curl/curl/pull/9453 + +- curl_setup: include curl.h after platform setup headers + + The platform setup headers might set definitions required for the + includes in curl.h. 
+ + Ref: https://github.com/curl/curl/pull/9375#discussion_r956998269 + Closes https://github.com/curl/curl/pull/9453 + +Benjamin Loison (12 Sep 2022) + +- docs: correct missing uppercase in Markdown files + + To detect these typos I used: + + ``` + clear && grep -rn '\. [a-z]' . | uniq | grep -v '\. lib' | grep -v '[0-9]\. [ + a-z]' | grep -v '\.\. [a-z]' | grep -v '\. curl' | grep -v 'e.g. [a-z]' | gre + p -v 'eg. [a-z]' | grep -v '\etc. [a-z]' | grep -v 'i.e\. [a-z]' | grep --col + or=always '\. [a-z]' | grep '\.md' + ``` + + Closes #9474 + +Daniel Stenberg (12 Sep 2022) + +- tool_setopt: use better English in --libcurl source comments + + Like this: + + XYZ was set to an object pointer + ABC was set to a function pointer + + Closes #9475 + +- setopt: make protocol2num use a curl_off_t for the protocol bit + + ... since WSS does not fit within 32 bit. + + Bug: https://github.com/curl/curl/pull/9467#issuecomment-1243014887 + Closes #9476 + +- RELEASE-NOTES: synced + +- configure: polish the grep -E message a bit further + + Suggested-by: Emanuele Torre + Closes #9473 + +- GHA: add a gcc-11 -O3 build using OpenSSL + + Since -O3 might trigger other warnings + + Closes #9454 + +Patrick Monnerat (11 Sep 2022) + +- content_encoding: use writer struct subclasses for different encodings + + The variable-sized encoding-specific storage of a struct contenc_writer + currently relies on void * alignment that may be insufficient with + regards to the specific storage fields, although having not caused any + problems yet. 
+ + In addition, gcc 11.3 issues a warning on access to fields of partially + allocated structures that can occur when the specific storage size is 0: + + content_encoding.c: In function ‘Curl_build_unencoding_stack’: + content_encoding.c:980:21: warning: array subscript ‘struct contenc_write + r[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Warray-bo + unds] + 980 | writer->handler = handler; + | ~~~~~~~~~~~~~~~~^~~~~~~~~ + In file included from content_encoding.c:49: + memdebug.h:115:29: note: referencing an object of size 16 allocated by ‘c + url_dbg_calloc’ + 115 | #define calloc(nbelem,size) curl_dbg_calloc(nbelem, size, __LINE__, + __FILE__) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ~~~~~~~~~~ + content_encoding.c:977:60: note: in expansion of macro ‘calloc’ + 977 | struct contenc_writer *writer = (struct contenc_writer *)calloc(1 + , sz); + + To solve both these problems, the current commit replaces the + contenc_writer/params structure pairs by "subclasses" of struct + contenc_writer. These are structures that contain a contenc_writer at + offset 0. Proper field alignment is therefore handled by the compiler and + full structure allocation is performed, silencing the warnings. + + Closes #9455 + +Daniel Stenberg (11 Sep 2022) + +- configure: correct the wording when checking grep -E + + The check first checks that grep -E works, and only as a fallback tries + to find and use egrep. egrep is deprecated. + + This change only corrects the output wording, not the checks themselves. + + Closes #9471 + +Viktor Szakats (10 Sep 2022) + +- websockets: sync prototypes in docs with implementation [ci skip] + + Docs for the new send/recv functions synced with the committed versions + of these. + + Closes #9470 + +Daniel Stenberg (10 Sep 2022) + +- setopt: make protocols2num() work with websockets + + So that CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR can + specify those as well. 
+ + Reported-by: Patrick Monnerat + Bug: https://curl.se/mail/lib-2022-09/0016.html + Closes #9467 + +- curl/websockets.h: remove leftover bad typedef + + Just a leftover trace of a development thing that did not stay like + that. + + Reported-by: Marc Hörsken + Fixes #9465 + Cloes #9466 + +Orgad Shaneh (10 Sep 2022) + +- fix Cygwin/MSYS compilation + + _getpid is Windows API. On Cygwin variants it should remain getpid. + + Fixes #8220 + Closes #9255 + +Marc Hoersken (10 Sep 2022) + +- GHA: prepare workflow merge by aligning structure again + + Closes #9413 + +Daniel Stenberg (9 Sep 2022) + +- docs: the websockets symbols are added in 7.86.0 + + Nothing else + + Closes #9459 + +- tests/libtest/Makefile.inc: fixup merge conflict mistake + +- EXPERIMENTAL.md: add WebSockets + +- appveyor: enable websockets + +- cirrus: enable websockets in the windows builds + +- GHA: add websockets to macos, openssl3 and hyper builds + +- tests: add websockets tests + + - add websockets support to sws + - 2300: first very basic websockets test + - 2301: first libcurl test for ws (not working yet) + - 2302: use the ws callback + - 2303: test refused upgrade + +- curl_ws_meta: initial implementation + +- curl_ws_meta.3: added docs + +- ws: initial websockets support + + Closes #8995 + +- version: add ws + wss + +- libtest/lib1560: test basic websocket URL parsing + +- configure: add --enable-websockets + +- docs/WebSockets.md: docs + +- test415: verify Content-Length parser with control code + negative value + +- strtoofft: after space, there cannot be a control code + + With the change from ISSPACE() to ISBLANK() this function no longer + deals with (ignores) control codes the same way, which could lead to + this function returning unexpected values like in the case of + "Content-Length: \r-12354". 
+ + Follow-up to 6f9fb7ec2d7cb389a0da5 + + Detected by OSS-fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51140 + Assisted-by: Max Dymond + Closes #9458 + +- headers: reset the requests counter at transfer start + + If not, reusing an easy handle to do a subsequent transfer would + continue the counter from the previous invoke, which then would make use + of the header API difficult/impossible as the request counter + mismatched. + + Add libtest 1947 to verify. + + Reported-by: Andrew Lambert + Fixes #9424 + Closes #9447 + +Jay Satiro (8 Sep 2022) + +- header: define public API functions as extern c + + Prior to this change linker errors would occur if curl_easy_header or + curl_easy_nextheader was called from a C++ unit. + + Bug: https://github.com/curl/curl/issues/9424#issuecomment-1238818007 + Reported-by: Andrew Lambert + + Closes https://github.com/curl/curl/pull/9446 + +Daniel Stenberg (8 Sep 2022) + +- http2: make nghttp2 less picky about field whitespace + + In nghttp2 1.49.0 it returns error on leading and trailing whitespace in + header fields according to language in the recently shipped RFC 9113. + + nghttp2 1.50.0 introduces an option to switch off this strict check and + this change enables this option by default which should make curl behave + more similar to how it did with nghttp2 1.48.0 and earlier. + + We might want to consider making this an option in the future. + + Closes #9448 + +- RELEASE-NOTES: synced + + And bump to 7.86.0 for the pending next release + +Michael Heimpold (7 Sep 2022) + +- ftp: ignore a 550 response to MDTM + + The 550 is overused as a return code for multiple error case, e.g. + file not found and/or insufficient permissions to access the file. + + So we cannot fail hard in this case. + + Adjust test 511 since we now fail later. + Add new test 3027 which check that when MDTM failed, but the file could + actually be retrieved, that in this case no filetime is provided. 
+ + Reported-by: Michael Heimpold + Fixes #9357 + Closes #9387 + +Daniel Stenberg (7 Sep 2022) + +- urlapi: leaner with fewer allocs + + Slightly faster with more robust code. Uses fewer and smaller mallocs. + + - remove two fields from the URL handle struct + - reduce copies and allocs + - use dynbuf buffers more instead of custom malloc + copies + - uses dynbuf to build the host name in reduces serial alloc+free within + the same function. + - move dedotdotify into urlapi.c and make it static, not strdup the input + and optimize it by checking for . and / before using strncmp + - remove a few strlen() calls + - add Curl_dyn_setlen() that can "trim" an existing dynbuf + + Closes #9408 + +Jay Satiro (7 Sep 2022) + +- setup-win32: no longer define UNICODE/_UNICODE implicitly + + - If UNICODE or _UNICODE is defined but the other isn't then error + instead of implicitly defining it. + + As Marcel pointed out it is too late at this point to make such a define + because Windows headers may already be included, so likely it never + worked. We never noticed because build systems that can make Windows + Unicode builds always define both. If one is defined but not the other + then something went wrong during the build configuration. + + Bug: https://github.com/curl/curl/pull/9375#discussion_r956545272 + Reported-by: Marcel Raad + + Closes https://github.com/curl/curl/pull/9384 + +Dan Fandrich (6 Sep 2022) + +- tests: fix tag syntax errors in test files + +Marc Hoersken (6 Sep 2022) + +- lib: add required Win32 setup definitions in setup-win32.h + + Assisted-by: Jay Satiro + Reviewed-by: Marcel Raad + + Follow up to #9312 + Closes #9375 + +Daniel Stenberg (6 Sep 2022) + +- pingpong: extend the response reading error with errno + + To help diagnosing the cause of the problem. 
+ + See #9380 + Closes #9443 + +- curl-compilers.m4: use -O2 as default optimize for clang + + Not -Os + + Closes #9444 + +- tool_operate: fix msnprintfing the error message + + Follow-up to 7be53774c41c59b47075fba + + Coverity CID 1513717 pointed out that we cannot use sizeof() on the + error buffer anymore. + + Closes #9440 + +Emanuele Torre (6 Sep 2022) + +- curl_ctype: add space around <= operator in ISSPACE macro + + Follow-up to f65f750 + + Closes #9441 + +Daniel Stenberg (6 Sep 2022) + +- CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies + + The 'protocols' listed were previously wrong. + + Reported-by: ProceduralMan on github + Fixes #9434 + Closes #9435 + +- curl_ctype: convert to macros-only + + This no longer provide functions, only macros. Runs faster and produces + smaller output. + + The biggest precaution this change brings: + + DO NOT use post/pre-increments when passing arguments to the macros. + + Closes #9429 + +- misc: ISSPACE() => ISBLANK() + + Instances of ISSPACE() use that should rather use ISBLANK(). I think + somewhat carelessly used because it sounds as if it checks for space or + whitespace, but also includes %0a to %0d. + + For parsing purposes, we should only accept what we must and not be + overly liberal. It leads to surprises and surprises lead to bad things. + + Closes #9432 + +- ctype: remove all use of , use our own versions + + Except in the test servers. + + Closes #9433 + +Marc Hoersken (5 Sep 2022) + +- cmake: skip superfluous hex2dec conversion using math expr + + CMake seems to be able to compare two hex values just fine. + Also make sure CURL_TARGET_WINDOWS_VERSION is respected. 
+ + Assisted-by: Marcel Raad + Reviewed-by: Viktor Szakats + Reported-by: Keitagit-kun on github + + Follow up to #9312 + Fixes #9406 + Closes #9411 + +Daniel Stenberg (5 Sep 2022) + +- curl_easy_pause.3: unpausing is as fast as possible + + Reported-by: ssdbest on github + Fixes #9410 + Closes #9430 + +- CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols + + Except file. + + Reported-by: ProceduralMan on github + Fixes #9427 + Closes #9428 + +- NPN: remove support for and use of + + Next Protocol Negotiation is a TLS extension that was created and used + for agreeing to use the SPDY protocol (the precursor to HTTP/2) for + HTTPS. In the early days of HTTP/2, before the spec was finalized and + shipped, the protocol could be enabled using this extension with some + servers. + + curl supports the NPN extension with some TLS backends since then, with + a command line option `--npn` and in libcurl with + `CURLOPT_SSL_ENABLE_NPN`. + + HTTP/2 proper is made to use the ALPN (Application-Layer Protocol + Negotiation) extension and the NPN extension has no purposes + anymore. The HTTP/2 spec was published in May 2015. + + Today, use of NPN in the wild should be extremely rare and most likely + totally extinct. Chrome removed NPN support in Chrome 51, shipped in + June 2016. Removed in Firefox 53, April 2017. + + Closes #9307 + +- RELEASE-NOTES: synced + + and bump the tentative next release version to 7.85.1 + +Samuel Henrique (4 Sep 2022) + +- configure: fail if '--without-ssl' + explicit parameter for an ssl lib + + A side effect of a previous change to configure (576e507c78bdd2ec88) + exposed a non-critical issue that can happen if configure is called with + both '--without-ssl' and some parameter setting the use of a ssl library + (e.g. --with-gnutls). The configure script would end up assuming this is + a MultiSSL build, due to the way the case statement is written. 
+ + I have changed the order of the variables in the string concatenation + for the case statement and also tweaked the options so that + --without-ssl never turns the build into a MultiSSL one and also clearly + stating that there are conflicting parameters if the user sets it like + described above. + + Closes #9414 + +Daniel Stenberg (4 Sep 2022) + +- tests/certs/scripts: insert standard curl source headers + + ... including the SPDX-License-Identifier. + + These omissions were not detected by the RUEUSE CI job nor the copyright.pl + scanners because we have a general wildcard in .reuse/dep5 for + "tests/certs/*". + + Reported-by: Samuel Henrique + Fixes #9417 + Closes #9420 + +Samuel Henrique (2 Sep 2022) + +- docs: remove mentions of deprecated '--without-openssl' config parameter + + Closes #9415 + +- manpages: Fix spelling of "allows to" -> "allows one to" + + References: + https://salsa.debian.org/lintian/lintian/-/blob/master/tags/t/typo-in-manual + -page.tag + https://english.stackexchange.com/questions/60271/grammatical-complements-fo + r-allow/60285#60285 + + Closes #9419 + +- CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes + + Lintian (on Debian) has been complaining about this for a while but + I didn't bother initially as the groff parser that we use is not + affected by this. + + But I have now noticed that the online manpage is affected by it: + https://curl.se/libcurl/c/CURLOPT_WILDCARDMATCH.html + + (I'm using double quotes for quoting-only down below) + + The section that should be parsed as "'\'" ends up being parsed as + "'´". + + This is due to roffit not parsing "'\\'" correctly, which is fine + as the "correct" way of writing "'\'" is "'\e'" instead. + + Note that this fix is not enough to fix the online manpage at + curl's website, as roffit seems to parse it wrongly either way. 
+ + My intent is to at least fix the manpage so that roffit can + be changed to parse "'\e'" correctly (although I suggest making + roffit parse both ways correctly, since that's what groff does). + + More details at: + https://bugs.debian.org/966803 + https://salsa.debian.org/lintian/lintian/-/blob/930b18e4b28b7540253f458ef42a + 884cca7965c3/tags/a/acute-accent-in-manual-page.tag + + Closes #9418 + +Daniel Stenberg (1 Sep 2022) + +- tool_operate: reduce errorbuffer allocs + + - parallel transfers: only alloc and keep errorbuffers in memory for + actual "live" transfers and not for the ones in the pending queue + + - serial transfers: reuse the same fixed buffer for all transfers, not + allocated at all. + + Closes #9394 + +Viktor Szakats (31 Aug 2022) + +- misc: spelling fixes + + Found using codespell 2.2.1. + + Also delete the redundant protocol designator from an archive.org URL. + + Reviewed-by: Daniel Stenberg + Closes #9403 + +Daniel Stenberg (31 Aug 2022) + +- tool_progress: remove 'Qd' from the parallel progress bar + + The "queued" value is no longer showing anything useful to the user. It + is an internal number of transfers waiting at that moment. + + Closes #9389 + +- tool_operate: prevent over-queuing in parallel mode + + When doing a huge amount of parallel transfers, we must not add them to + the per_transfer list frivolously since they all use memory after all. + This was previous done without really considering millions or billions + of transfers. Massive parallelism would use a lot of memory for no good + purpose. + + The queue is now limited to twice the paralleism number. + + This makes the 'Qd' value in the parallel progress meter mostly useless + for users, but works for now for us as a debug display. + + Reported-by: justchen1369 on github + Fixes #8933 + Closes #9389 + +Viktor Szakats (31 Aug 2022) + +- cmake: fix original MinGW builds + + 1. 
Re-enable `HAVE_GETADDRINFO` detection on Windows + + Commit d08ee3c83d6bd416aef62ff844c98e47c4682429 (in 2013) added logic + that automatically assumed `getaddrinfo()` to be present for builds + with IPv6 enabled. As it turns out, certain toolchains (e.g. original + MinGW) by default target older Windows versions, and thus do not + support `getaddrinfo()` out of the box. The issue was masked for + a while by CMake builds forcing a newer Windows version, but that + logic got deleted in commit 8ba22ffb2030ed91312fc8634e29516cdf0a9761. + Since then, some CI builds started failing due to IPv6 enabled, + `HAVE_GETADDRINFO` set, but `getaddrinfo()` in fact missing. + + It also turns out that IPv6 works without `getaddrinfo()` since commit + 67a08dca27a6a07b36c7f97252e284ca957ff1a5 (from 2019, via #4662). So, + to resolve all this, we can now revert the initial commit, thus + restoring `getaddrinfo()` detection and support IPv6 regardless of its + outcome. + + Reported-by: Daniel Stenberg + + 2. Omit `bcrypt` with original MinGW + + Original (aka legacy/old) MinGW versions do not support `bcrypt` + (introduced with Vista). We already have logic to handle that in + `lib/rand.c` and autotools builds, where we do not call the + unsupported API and do not link `bcrypt`, respectively, when using + original MinGW. 
+ + This patch ports that logic to CMake, fixing the link error: + `c:/mingw/bin/../lib/gcc/mingw32/9.2.0/../../../../mingw32/bin/ld.exe: can + not find -lbcrypt` + + Ref: https://ci.appveyor.com/project/curlorg/curl/builds/44624888/job/40vl + e84cn4vle7s0#L508 + Regression since 76172511e7adcf720f4c77bd91f49278300ec97e + + Fixes #9214 + Fixes #9393 + Fixes #9395 + Closes #9396 + +Version 7.85.0 (31 Aug 2022) + +Daniel Stenberg (31 Aug 2022) + +- RELEASE-NOTES: synced + + curl 7.85.0 release + +- THANKS: add contributors from the 7.85.0 release + +- getparam: correctly clean args + + Follow-up to bf7e887b2442783ab52 + + The previous fix for #9128 was incomplete and caused #9397. + + Fixes #9397 + Closes #9399 + +- zuul: remove the clang-tidy job + + Turns out we don't see the warnings, but the warnings right now are + plain ridiculous and unhelpful so we can just as well just kill this + job. + + Closes #9390 + +- cmake: set feature PSL if present + + ... make test 1014 pass when libpsl is used. + + Closes #9391 + +- lib530: simplify realloc failure exit path + + To make code analyzers happier + + Closes #9392 + +Orgad Shaneh (29 Aug 2022) + +- tests: add tests for netrc login/password combinations + + Covers the following PRs: + + - #9066 + - #9247 + - #9248 + + Closes #9256 + +- url: really use the user provided in the url when netrc entry exists + + If the user is specified as part of the URL, and the same user exists + in .netrc, Authorization header was not sent at all. + + The user and password fields were assigned in conn->user and password + but the user was not assigned to data->state.aptr, which is the field + that is used in output_auth_headers and friends. + + Fix by assigning the user also to aptr. + + Amends commit d1237ac906ae7e3cd7a22c3a2d3a135a97edfbf5. + + Fixes #9243 + +- netrc: Use the password from lines without login + + If netrc entry has password with empty login, use it for any username. 
+ + Example: + .netrc: + machine example.com password 123456 + + curl -vn http://user@example.com/ + + Fix it by initializing state_our_login to TRUE, and reset it only when + finding an entry with the same host and different login. + + Closes #9248 + +Jay Satiro (29 Aug 2022) + +- url: treat missing usernames in netrc as empty + + - If, after parsing netrc, there is a password with no username then + set a blank username. + + This used to be the case prior to 7d600ad (precedes 7.82). Note + parseurlandfillconn already does the same thing for URLs. + + Reported-by: Raivis + Testing-by: Domen Kožar + + Fixes https://github.com/curl/curl/issues/8653 + Closes #9334 + Closes #9066 + +Daniel Stenberg (29 Aug 2022) + +- test8: verify that "ctrl-byte cookies" are ignored + +- cookie: reject cookies with "control bytes" + + Rejects 0x01 - 0x1f (except 0x09) plus 0x7f + + Reported-by: Axel Chong + + Bug: https://curl.se/docs/CVE-2022-35252.html + + CVE-2022-35252 + + Closes #9381 + +- libssh: ignore deprecation warnings + + libssh 0.10.0 marks all SCP functions as "deprecated" which causes + compiler warnings and errors in our CI jobs and elsewhere. Ignore + deprecation warnings if 0.10.0 or later is found in the build. + + If they actually remove the functions at a later point, then someone can + deal with that pain and functionality break then. + + Fixes #9382 + Closes #9383 + +- Revert "schannel: when importing PFX, disable key persistence" + + This reverts commit 70d010d285315e5f1cad6bdb4953e167b069b692. + + Due to further reports in #9300 that indicate this commit might + introduce problems. + +- multi: use larger dns hash table for multi interface + + Have curl_multi_init() use a much larger DNS hash table than used for + the easy interface to scale and perform better when used with _many_ + host names. + + curl_share_init() sets an in-between size. 
+ + Inspired-by: Ivan Tsybulin + See #9340 + Closes #9376 + +Marc Hoersken (28 Aug 2022) + +- CI/runtests.pl: add param for dedicated curl to talk to APIs + + This should make it possible to also report test failures + if our freshly build curl binary is not fully functional. + + Reviewed-by: Daniel Stenberg + Closes #9360 + +Jacob Tolar (27 Aug 2022) + +- openssl: add cert path in error message + + Closes #9349 + +- cert.d: clarify that escape character works for file paths + + Closes #9349 + +Daniel Stenberg (27 Aug 2022) + +- gha: move over ngtcp2-gnutls CI job from zuul + + Closes #9331 + +Marc Hoersken (26 Aug 2022) + +- cmake: add detection of threadsafe feature + + Avoids failing test 1014 by replicating configure checks + for HAVE_ATOMIC and _WIN32_WINNT with custom CMake tests. + + Reviewed-by: Marcel Raad + + Follow up to #8680 + Closes #9312 + +Daniel Stenberg (26 Aug 2022) + +- RELEASE-NOTES: synced + +Marc Hoersken (26 Aug 2022) + +- CI/azure: align torture shallowness with GHA + + There 25 is used with FTP tests skipped, and 20 for FTP tests. + This should make torture tests stay within the 60min timeout. + + Reviewed-by: Daniel Stenberg + Closes #9371 + +- multi_wait: fix and improve Curl_poll error handling on Windows + + First check for errors and return CURLM_UNRECOVERABLE_POLL + before moving forward and waiting on socket readiness events. + + Reviewed-by: Jay Satiro + Reviewed-by: Marcel Raad + + Reported-by: Daniel Stenberg + Ref: #9361 + + Follow up to #8961 + Closes #9372 + +- multi_wait: fix skipping to populate revents for extra_fds + + On Windows revents was not populated for extra_fds if + multi_wait had to wait due to the Curl_poll pre-check + not signalling any readiness. This commit fixes that. + + Reviewed-by: Marcel Raad + Reviewed-by: Jay Satiro + + Closes #9361 + +- CI/appveyor: disable TLS in msys2-native autotools builds + + Schannel cannot be used from msys2-native Linux-emulated builds. 
+ + Reviewed-by: Marcel Raad + Reviewed-by: Daniel Stenberg + + Follow up to #9367 + Closes #9370 + +Jay Satiro (25 Aug 2022) + +- tests: fix http2 tests to use CRLF headers + + Prior to this change some tests that rely on nghttpx proxy did not use + CRLF headers everywhere. A recent change in nghttp2, which updated its + version of llhttp (HTTP parser), requires curl's HTTP/1.1 test server to + use CRLF headers. + + Ref: https://github.com/nghttp2/nghttp2/commit/9d389e8 + + Fixes https://github.com/curl/curl/issues/9364 + Closes https://github.com/curl/curl/pull/9365 + +rcombs (25 Aug 2022) + +- multi: use a pipe instead of a socketpair on apple platforms + + Sockets may be shut down by the kernel when the app is moved to the + background, but pipes are not. + + Removed from KNOWN_BUGS + + Fixes #6132 + Closes #9368 + +Somnath Kundu (25 Aug 2022) + +- libssh2: provide symlink name in SFTP dir listing + + When reading the symbolic link name for a file, we need to add the file + name to base path name. + + Closes #9369 + +Daniel Stenberg (25 Aug 2022) + +- configure: if asked to use TLS, fail if no TLS lib was detected + + Previously the configure script would just warn about this fact and + continue with TLS disabled build which is not always helpful. TLS should + be explicitly disabled if that is what the user wants. + + Closes #9367 + +Dustin Howett (25 Aug 2022) + +- schannel: when importing PFX, disable key persistence + + By default, the PFXImportCertStore API persists the key in the user's + key store (as though the certificate was being imported for permanent, + ongoing use.) + + The documentation specifies that keys that are not to be persisted + should be imported with the flag `PKCS12_NO_PERSIST_KEY`. + NOTE: this flag is only supported on versions of Windows newer than XP + and Server 2003. + + Fixes #9300 + Closes #9363 + +Daniel Stenberg (23 Aug 2022) + +- unit1303: four tests should have TRUE for 'connecting' + + To match the comments. 
+ + Reported-by: Wu Zheng + + See #9355 + Closes #9356 + +- CURLOPT_BUFFERSIZE.3: add upload buffersize to see also + + Closes #9354 + +Fabian Fischer (23 Aug 2022) + +- HTTP3.md: add missing autoreconf command for building with wolfssl + + Closes #9353 + +Daniel Stenberg (23 Aug 2022) + +- RELEASE-NOTES: synced + +- multi: have curl_multi_remove_handle close CONNECT_ONLY transfer + + Ẃhen it has been used in the multi interface, it is otherwise left in + the connection cache, can't be reused and nothing will close them since + the easy handle loses the association with the multi handle and thus the + connection cache - until the multi handle is closed or it gets pruned + because the cache is full. + + Reported-by: Dominik Thalhammer + Fixes #9335 + Closes #9342 + +- docs/cmdline-opts: remove \& escapes from all .d files + + gen.pl escapes them itself now + +- docs/cmdline-opts/gen.pl: encode leading single and double quotes + + As "(aq" and "(dq" to prevent them from implying a meaning in the nroff + output. This removes the need for using \& escapes in the .d files' + description parts. + + Closes #9352 + +Marc Hoersken (23 Aug 2022) + +- tests/server/sockfilt.c: avoid race condition without a mutex + + Avoid loosing any triggered handles by first aborting and joining + the waiting threads before evaluating the individual signal state. + + This removes the race condition and therefore need for a mutex. + + Closes #9023 + +Emil Engler (22 Aug 2022) + +- url: output the maximum when rejecting a url + + This commit changes the failf message to output the maximum length, when + curl refuses to process a URL because it is too long. + + See: #9317 + Closes: #9327 + +Chris Paulson-Ellis (22 Aug 2022) + +- configure: fix broken m4 syntax in TLS options + + Commit b589696f added lines to some shell within AC_ARG_WITH macros, but + inadvertently failed to move the final closing ). + + Quote the script section using braces. 
+ + So, if these problems have been around for a while, how did I find them? + Only because I did a configure including these options: + + $ ./configure --with-openssl --without-rustls + SSL: enabled (OpenSSL) + + Closes #9344 + +Daniel Stenberg (18 Aug 2022) + +- tests/data/CMakeLists: remove making the 'show' makefile target + + It is not used by runtests since 3c0f462 + + Closes #9333 + +- tests/data/Makefile: remove 'filecheck' target + + No practical use anymore since 3c0f4622cdfd6 + + Closes #9332 + +- libssh2: make atime/mtime date overflow return error + + Closes #9328 + +- libssh: make atime/mtime date overflow return error + + Closes #9328 + +- examples/curlx.c: remove + + This example is a bit convoluted to use as an example, combined with the + special license for it makes it unsuitable. + + Closes #9330 + +Tobias Nygren (17 Aug 2022) + +- curl.h: include on SunOS + + It is needed for fd_set to be visible to downstream consumers that use + . Header is known to exist at least as far back as Solaris + 2.6. + + Closes #9329 + +Daniel Stenberg (17 Aug 2022) + +- DEPRECATE.md: push the NSS deprecation date forward one year to 2023 + + URL: https://curl.se/mail/lib-2022-08/0016.html + +- libssh2: setting atime or mtime >32bit on 4-bytes-long systems + + Since the libssh2 API uses 'long' to store the timestamp, it cannot + transfer >32bit times on Windows and 32bit architecture builds. + + Avoid nasty surprises by instead not setting such time. + + Spotted by Coverity + + Closes #9325 + +- libssh: setting atime or mtime > 32bit is now just skipped + + The libssh API used caps the time to an unsigned 32bit variable. Avoid + nasty surprises by instead not setting such time. + + Spotted by Coverity. 
+ + Closes #9324 + +Jay Satiro (16 Aug 2022) + +- KNOWN_BUGS: Windows Unicode builds use homedir in current locale + + Bug: https://github.com/curl/curl/pull/7252 + Reported-by: dEajL3kA@users.noreply.github.com + + Ref: https://github.com/curl/curl/pull/7281 + + Closes https://github.com/curl/curl/pull/9305 + +Daniel Stenberg (16 Aug 2022) + +- test399: switch it to use a config file instead + + ... as using a 65535 bytes host name in a URL does not fit on the + command line on some systems - like Windows. + + Reported-by: Marcel Raad + Fixes #9321 + Closes #9322 + +- RELEASE-NOTES: synced + +- asyn-ares: make a single alloc out of hostname + async data + + This saves one alloc per name resolve and simplifies the exit path. + + Closes #9310 + +- Curl_close: call Curl_resolver_cancel to avoid memory-leak + + There might be a pending (c-ares) resolve that isn't free'd up yet. + + Closes #9310 + +- asyn-thread: fix socket leak on OOM + + Closes #9310 + +- GHA: mv CI torture test from Zuul + + Closes #9310 + +- ngtcp2-wolfssl.yml: add GHA to build ngtcp2 + wolfSSL + + Closes #9318 + +- test399: verify check of too long host name + +- url: reject URLs with hostnames longer than 65535 bytes + + It *probably* causes other problems too since DNS can't resolve such + long names, but the SNI field in TLS is limited to 16 bits length. + + Closes #9317 + +- curl_multi_perform.3: minor language fix + + Closes #9316 + +- ngtcp2: fix picky compiler warnings with wolfSSL for QUIC + + Follow-up to 8a13be227eede2 + + Closes #9315 + +- ngtcp2: remove leftover variable + + Mistake leftover from my edit before push. + + Follow-up from 8a13be227eede2601c2b3b + Reported-by: Viktor Szakats + Bug: https://github.com/curl/curl/pull/9290#issuecomment-1214569167 + +Viktor Szakats (15 Aug 2022) + +- Makefile.m32: allow -nghttp3/-ngtcp2 without -ssl [ci skip] + + Before this patch `-nghttp3`/`-ngtcp2` had an effect only when `-ssl` + was also enabled. `-ssl` meaning OpenSSL (and its forks). 
After + 8a13be227eede2601c2b3b1c63e08b3dc9b35dd5 nghttp3/ngtcp2 can also be + used together with wolfSSL. This patch adds the ability to enable + `-nghttp3`/`-ngtcp2` independently from `-ssl` (OpenSSL), allowing to + use it with wolfSSL or other, future TLS backends. + + Before this patch, it was fine to enable `-nghttp3`/`-ngtcp2` + unconditionally. After this patch, this is no longer the case, and now + it's the user's responsibility to enable `-nghttp3`/`-ngtcp2` only + together with a compatible TLS backend. + + When using a TLS backend other than OpenSSL, the TLS-specific ngtcp2 + library must be configured manually, e.g.: + `export CURL_LDFLAG_EXTRAS=-lngtcp2_crypto_wolfssl` + + (or via `NGTCP2_LIBS`) + + Closes #9314 + +Stefan Eissing (15 Aug 2022) + +- quic: add support via wolfSSL + + - based on ngtcp2 PR https://github.com/ngtcp2/ngtcp2/pull/505 + - configure adapted to build against ngtcp2 wolfssl crypto lib + - quic code added for creation of WOLFSSL* instances + + Closes #9290 + +David Carlier (14 Aug 2022) + +- memdebug: add annotation attributes + + memory debug tracking annotates whether the returned pointer does not + `alias`, hints where the size required is, for Windows to be better + debugged via Visual Studio. + + Closes https://github.com/curl/curl/pull/9306 + +Daniel Stenberg (14 Aug 2022) + +- GHA: move libressl CI from zuul to GitHub + + Closes #9309 + +- KNOWN_BUGS: FTPS directory listing hangs on Windows with Schannel + + Closes #9161 + +- KNOWN_BUGS: CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel + + Closes #8741 + +- KNOWN_BUGS: libssh blocking and infinite loop problem + + Closes #8632 + +- RELEASE-NOTES: synced + +- msh3: fix the QUIC disconnect function + + And free request related memory better in 'done'. Fixes a memory-leak. 
+ + Reported-by: Gisle Vanem + Fixes #8915 + Closes #9304 + +- connect: close the happy eyeballs loser connection when using QUIC + + Reviewed-by: Nick Banks + + Closes #9303 + +Emil Engler (12 Aug 2022) + +- refactor: split resolve_server() into functions + + This commit splits the branch-heavy resolve_server() function into + various sub-functions, in order to reduce the amount of nested + if/else-statements. + + Beside this, it also removes many else-sequences, by returning in the + previous if-statement. + + Closes #9283 + +Daniel Stenberg (12 Aug 2022) + +- schannel: re-indent to use curl style better + + Only white space changes + + Closes #9301 + +Emanuele Torre (12 Aug 2022) + +- docs/cmdline-opts: fix example and categories for --form-escape + + The example was missing a "--form" argument + I also replaced "--form" with "-F" to shorten the line a bit since it + was already very long. + + And I also moved --form-escape from the "post" category to the "upload" + category (this is what I originally wanted to fix, before also noticing + the mistake in the example). + + Closes #9298 + +Nick Banks (11 Aug 2022) + +- HTTP3.md: update to msh3 v0.4.0 + + Closes #9297 + +Daniel Stenberg (11 Aug 2022) + +- hostip: resolve *.localhost to 127.0.0.1/::1 + + Following the footsteps of other clients like Firefox/Chrome. RFC 6761 + says clients SHOULD do this. + + Add test 389 to verify. + + Reported-by: TheKnarf on github + Fixes #9192 + Closes #9296 + +Jay Satiro (11 Aug 2022) + +- KNOWN_BUGS: long paths are not fully supported on Windows + + Bug: https://github.com/curl/curl/issues/8361 + Reported-by: Gisle Vanem + + Closes https://github.com/curl/curl/pull/9288 + +Daniel Stenberg (11 Aug 2022) + +- config: remove the check for and use of SIZEOF_SHORT + + shorts are 2 bytes on all platforms curl runs and have ever run on. + + Closes #9291 + +- configure: introduce CURL_SIZEOF + + This is a rewrite of the previously used GPLv3+exception licensed + file. 
With this change, there is no more reference to GPL so we can + remove that from LICENSES/. + + Ref: #9220 + Closes #9291 + +Sean McArthur (10 Aug 2022) + +- hyper: customize test1274 to how hyper unfolds headers + + Closes #9217 + +Orgad Shaneh (10 Aug 2022) + +- curl-config: quote directories with potential space + + On Windows (at least with CMake), the default prefix is + C:/Program Files (x86)/CURL. + + Closes #9253 + +Oliver Roberts (10 Aug 2022) + +- amigaos: fix threaded resolver on AmigaOS 4.x + + Replace ip4 resolution function on AmigaOS 4.x, as it requires runtime + feature detection and extra code to make it thread safe. + + Closes #9265 + +Emil Engler (10 Aug 2022) + +- imap: use ISALNUM() for alphanumeric checks + + This commit replaces a self-made character check for alphanumeric + characters within imap_is_bchar() with the ISALNUM() macro, as it is + reduces the size of the code and makes the performance better, due to + ASCII arithmetic. + + Closes #9289 + +Daniel Stenberg (10 Aug 2022) + +- RELEASE-NOTES: synced + +Cering on github (10 Aug 2022) + +- connect: add quic connection information + + Fixes #9286 + Closes #9287 + +Philip Heiduck (8 Aug 2022) + +- cirrus/freebsd-ci: bootstrap the pip installer + + 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> + + Closes #9213 + +Daniel Stenberg (8 Aug 2022) + +- urldata: move smaller fields down in connectdata struct + + By (almost) sorting the struct fields in connectdata in a decending size + order, having the single char ones last, we reduce the number of holes + in the struct and thus the amount of storage needed. + + Closes #9280 + +- ldap: adapt to conn->port now being an 'int' + + Remove typecasts. Fix printf() formats. + + Follow-up from 764c6bd3bf. + Pointed out by Coverity CID 1507858. + + Closes #9281 + +- KNOWN_BUGS: Negotiate authentication against Hadoop HDFS + + Closes #8264 + +Oliver Roberts (8 Aug 2022) + +- file: add handling of native AmigaOS paths + + On AmigaOS 4.x, handle native absolute paths, whilst blocking relative + paths. Also allow unix style paths if feature enabled at link time. + + Inspiration-from: Michael Trebilcock + + Closes #9259 + +Daniel Stenberg (8 Aug 2022) + +- KNOWN_BUGS: cmake build is not thread-safe + + The cmake build does not check for and verify presence of a working + Atomic type, which then makes curl_global_init() to not build + thread-safe on non-Windows platforms. + + Closes https://github.com/curl/curl/issues/8973 + Closes https://github.com/curl/curl/pull/8982 + +Oliver Roberts (8 Aug 2022) + +- configure: fixup bsdsocket detection code for AmigaOS 4.x + + The code that detects bsdsocket.library for AmigaOS did not work + for AmigaOS 4.x. This has been fixed and also cleaned up a little + to reduce duplication. Wasn't technically necessary before, but is + required when building with AmiSSL instead of OpenSSL. + + Closes #9268 + +- tool: reintroduce set file comment code for AmigaOS + + Amiga specific code which put the URL in the file comment was perhaps + accidentally removed in b88940850002a3f1c25bc6488b95ad30eb80d696 having + originally been added in 5c215bdbdfde8b2350cdcbac82aae0c914da5314. 
+ Reworked to fit the code changes and added it back in. + + Reported-by: Michael Trebilcock + Originally-added-by: Chris Young + + Closes #9258 + +Daniel Stenberg (8 Aug 2022) + +- urldata: make 'negnpn' use less storage + + The connectdata struct field 'negnpn' never holds a value larger than + 30, so an unsigned char saves 3 bytes struct space. + + Closes #9279 + +- urldata: make three *_proto struct fields smaller + + Use 'unsigned char' for storage instead of the enum, for three GSSAPI + related fields in the connectdata struct. + + Closes #9278 + +- connect: set socktype/protocol correctly + + So that an address used from the DNS cache that was previously used for + QUIC can be reused for TCP and vice versa. + + To make this possible, set conn->transport to "unix" for unix domain + connections ... and store the transport struct field in an unsigned char + to use less space. + + Reported-by: ウさん + Fixes #9274 + Closes #9276 + +Oliver Roberts (8 Aug 2022) + +- amissl: allow AmiSSL to be used with AmigaOS 4.x builds + + Enable AmiSSL to be used instead of static OpenSSL link libraries. + for AmigaOS 4.x, as it already is in the AmigaOS 3.x build. + + Closes #9269 + +opensignature on github (8 Aug 2022) + +- openssl: add details to "unable to set client certificate" error + + from: "curl: (58) unable to set client certificate" + + to: curl: (58) unable to set client certificate [error:0A00018F:SSL + routines::ee key too small] + + Closes #9228 + +Oliver Roberts (8 Aug 2022) + +- amissl: make AmiSSL v5 a minimum requirement + + AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0. + Support for previous OpenSSL 1.1.x versions has been dropped, so + makes sense to enforce v5 as the minimum requirement. This also + allows all the AmiSSL stub workarounds to be removed as they are + now provided in a link library in the AmiSSL SDK. 
+ + Closes #9267 + +- configure: -pthread not available on AmigaOS 4.x + + The most recent GCC builds for AmigaOS 4.x do not allow -pthread and + exit with an error. Instead, need to explictly specify -lpthread. + + Closes #9266 + +Daniel Stenberg (8 Aug 2022) + +- digest: pass over leading spaces in qop values + + When parsing the "qop=" parameter of the digest authentication, and the + value is provided within quotes, the list of values can have leading + white space which the parser previously did not handle correctly. + + Add test case 388 to verify. + + Reported-by: vlubart on github + Fixes #9264 + Closes #9270 + +Evgeny Grin (Karlson2k) (7 Aug 2022) + +- digest: reject broken header with session protocol but without qop + + Closes #9077 + +Daniel Stenberg (7 Aug 2022) + +- CURLINFO_SPEED_UPLOAD/DOWNLOAD.3: fix examples + + Reported-by: jvvprasad78 on github + Assisted-by: Jay Satiro + Fixes #9239 + Closes #9241 + +Fabian Keil (7 Aug 2022) + +- test44[2-4]: add '--resolve' to the keywords + + ... so the tests can be automatically skipped when + using an external proxy like Privoxy. + + Closes #9250 + +Daniel Stenberg (7 Aug 2022) + +- RELEASE-NOTES: synced + +- CURLOPT_CONNECT_ONLY.3: clarify multi API use + + Reported-by: Maxim Ivanov + Fixes #9244 + Closes #9262 + +Andrew Lambert (6 Aug 2022) + +- curl_easy_header: Add CURLH_PSEUDO to sanity check + + Fixes #9235 + Closes #9236 + +Emil Engler (6 Aug 2022) + +- docs: add dns category to --resolve + + This commit adds the dns category to the --resolve command line option, + because it can be interpreted as both: a low-level connection option and + an option related to the resolving of a hostname. + + It is also not common for dns options to belong to the connection + category and vice versa. --ipv4 and --ipv6 are both good examples. + + Closes #9229 + +Wyatt O'Day (2 Aug 2022) + +- schannel: Add TLS 1.3 support + + - Support TLS 1.3 as the default max TLS version for Windows Server 2022 + and Windows 11. 
+ + - Support specifying TLS 1.3 ciphers via existing option + CURLOPT_TLS13_CIPHERS (tool: --tls13-ciphers). + + Closes https://github.com/curl/curl/pull/8419 + +Emil Engler (2 Aug 2022) + +- cmdline-opts/gen.pl: improve performance + + On some systems, the gen.pl script takes nearly two minutes for the + generation of the main-page, which is a completely unacceptable time. + + The slow performance has two causes: + 1. Use of a regex locale operator + 2. Useless invokations of loops + + The commit addresses the first issue by replacing the "\W" wiht + [^a-zA-Z0-9_], which is, according to regex101.com, functionally + equivalent to the previous operation, except that it is obviously + limited to ASCII only, which is fine, as the curl project is + English-only anyway. + + The second issue is being addressed by only running the loop if the line + contains a "--" in it. The loop may be completeley removed in the + future. + + Co-authored-by: Emanuele Torre + + See #8299 + Fixes #9230 + Closes #9232 + +Daniel Stenberg (2 Aug 2022) + +- docs/cmdline: mark fail and fail-with-body as mutually exclusive + + Reported-by: Andreas Sommer + Fixes #9221 + Closes #9222 + +Nao Yonashiro (2 Aug 2022) + +- quiche: fix build failure + + Reviewed-by: Alessandro Ghedini + Closes #9223 + +Viktor Szakats (2 Aug 2022) + +- configure.ac: drop references to deleted functions + + follow-up from 4d73854462f30948acab12984b611e9e33ee41e6 + + Reported-by: Oliver Roberts + Fixes #9238 + Closes #9240 + +Sean McArthur (28 Jul 2022) + +- hyper: enable obs-folded multiline headers + + Closes #9216 + +Daniel Stenberg (28 Jul 2022) + +- connect: revert the use of IP*_RECVERR + + The options were added in #6341 and d13179d, but cause problems: Lots of + POLLIN event occurs but recvfrom read nothing. 
+ + Reported-by: Tatsuhiro Tsujikawa + Fixes #9209 + Closes #9215 + +Marco Kamner (27 Jul 2022) + +- docs: remove him/her/he/she from documentation + + Closes #9208 + +Daniel Stenberg (27 Jul 2022) + +- RELEASE-NOTES: synced + +- tool_getparam: make --doh-url "" switch it off + + A possible future addition could be to parse the URL first too to verify + that it is valid before trying to use it. + + Assisted-by: Jay Satiro + Closes #9207 + +- mailmap: add rzrymiak on github + +Jay Satiro (26 Jul 2022) + +- ngtcp2: Fix build error due to change in nghttp3 prototypes + + ngtcp2/nghttp3@4a066b2 changed nghttp3_conn_block_stream and + nghttp3_conn_shutdown_stream_write return from int to void. + + Reported-by: jurisuk@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/9204 + Closes https://github.com/curl/curl/pull/9200 + +rzrymiak on github (26 Jul 2022) + +- BUGS.md: improve language + + Closes #9205 + +Philip Heiduck (26 Jul 2022) + +- cirrus.yml: replace py38-pip with py39-pip + + Reported-by: Jay Satiro + Fixes #9201 + Closes #9202 + +Daniel Stenberg (25 Jul 2022) + +- tool_getparam: fix cleanarg() for unicode builds + + Use the correct type, and make cleanarg an empty macro if the cleaning + ability is absent. + + Fixes #9195 + Closes #9196 + + Reviewed-by: Jay Satiro + Reviewed-by: Marcel Raad + +Marc Hoersken (25 Jul 2022) + +- test3026: add support for Windows using native Win32 threads + + Reviewed-by: Viktor Szakats + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg + + Follow up to 7ade9c50b35d95d47a43880c3097bebab7a7e690 + Closes #9012 + +Evgeny Grin (Karlson2k) (25 Jul 2022) + +- digest: fix memory leak, fix not quoted 'opaque' + + Fix leak regression introduced by 3a6fe0c. 
+ + Closes https://github.com/curl/curl/pull/9199 + +Daniel Stenberg (23 Jul 2022) + +- tests: several enumerated type cleanups + + To please icc + + Closes #9179 + +- tool_paramhlp: fix "enumerated type mixed with another type" + + Warning by icc + + Closes #9179 + +- tool_writeout: fix enumerated type mixed with another type + + Closes #9179 + +- tool_cfgable: make 'synthetic_error' a plain bool + + The specific reason was not used. + + Closes #9179 + +- tool_paramhlp: make check_protocol return ParameterError + + "enumerated type mixed with another type" + + Closes #9179 + +- tool_formparse: fix variable may be used before its value is set + + Warning by icc + + Closes #9179 + +- sendf: skip storing HTTP headers if HTTP disabled + + Closes #9179 + +- url: enumerated type mixed with another type + + Follow-up to 1c58e7ae99ce2030213f28b + + Closes #9179 + +- urldata: change second proxytype field to unsigned char to match + + To avoid "enumerated type mixed with another type" + + Closes #9179 + +- http: typecast the httpreq assignment to avoid icc compiler warning + + error #188: enumerated type mixed with another type + + Closes #9179 + +- urldata: make state.httpreq an unsigned char + + To match set.method used for the same purpose. + + Closes #9179 + +- splay: avoid using -1 in unsigned variable + + To fix icc compiler warning integer conversion resulted in a change of sign + + Closes #9179 + +- sendf: store the header type in an usigned char to avoid icc warnings + + Closes #9179 + +- multi: fix the return code from Curl_pgrsDone() + + It does not return a CURLcode. Detected by the icc compiler warning + "enumerated type mixed with another type" + + Closes #9179 + +- sendf: make Curl_debug a void function + + As virtually no called checked the return code, and those that did + wrongly treated it as a CURLcode. 
Detected by the icc compiler warning: + enumerated type mixed with another type + + Closes #9179 + +- http_chunks: remove an assign + typecast + + As it caused icc to complain: "pointer cast involving 64-bit pointed-to + type" + + Closes #9179 + +- vtls: make Curl_ssl_backend() return the enum type curl_sslbackend + + To fix the icc warning enumerated type mixed with another type + + Closes #9179 + +- curl-compilers.m4: make icc use -diag* options and disable two warnings + + -wd and -we are deprecated and are now -diag-disable and -diag-error + + Disable warning 1024 and 2259 + + Closes #9179 + +Matthew Thompson (23 Jul 2022) + +- GHA: add two Intel compiler CI jobs + + Closes #9179 + +Daniel Katz (21 Jul 2022) + +- curl-functions.m4: check whether atomics can link rather than just compile + + Some build toolchains support C11 atomics (i.e., _Atomic types), but + will not link the associated atomics runtime unless a flag is passed. In + such an environment, linking an application with libcurl.a can fail due + to undefined symbols for atomic load/store functions. + + I encountered this behavior when upgrading curl to 7.84.0 and attempting + to build with Solaris Studio 12.6. Solaris provides the flag + -xatomic=[gcc | studio], allowing users to link to one of two atomics + runtime implementations. However, if the user does not provide this + flag, then neither runtime is linked. This led to builds failing in CI. + + Closes #9190 + +Rosen Penev (20 Jul 2022) + +- curl-wolfssl.m4: add options header when building test code + + Needed for certain configurations of wolfSSL. Otherwise, missing header + error may occur. + + Tested with OpenWrt. 
+ + Closes #9187 + +Daniel Stenberg (20 Jul 2022) + +- ftp: use a correct expire ID for timer expiry + + This was an accurate error pointed out by the icc warning: enumerated + type mixed with another type + + Ref: #9179 + Closes #9184 + +- sendf: fix paused header writes since after the header API + + Regression since d1e4a67 + + Reported-by: Sergey Ogryzkov + Fixes #9180 + Closes #9182 + +- mprintf: fix *dyn_vprintf() when out-of-memory + + Follow-up to 0e48ac1f99a. Torture-testing 1455 would lead to a memory + leak otherwise. + + Closes #9185 + +- curl-confopts: remove leftover AC_REQUIREs + + configure.ac:3488: warning: CURL_CHECK_FUNC_IOCTL is m4_require'd but not m4_ + defun'd + configure.ac:3488: warning: CURL_CHECK_FUNC_SETSOCKOPT is m4_require'd but no + t m4_defun'd + + follow-up from 4d73854462f30 + + Closes #9183 + +- file: fix icc enumerated type mixed with another type warning + + Ref: #9179 + Closes #9181 + +Viktor Szakats (19 Jul 2022) + +- tidy-up: delete unused build configuration macros + + Most of them feature guards: + + - `CURL_INCLUDES_SYS_UIO` [1] + - `HAVE_ALLOCA_H` [2] + - `HAVE_CRYPTO_CLEANUP_ALL_EX_DATA` (unused since de71e68000c8624ea13f90b136f + 8734dd0fb1bdc) + - `HAVE_DLFCN_H` + - `HAVE_DLOPEN` + - `HAVE_DOPRNT` + - `HAVE_FCNTL` + - `HAVE_GETHOSTBYNAME` [3] + - `HAVE_GETOPT_H` + - `HAVE_GETPASS` + - `HAVE_GETPROTOBYNAME` + - `HAVE_GETSERVBYNAME` + - `HAVE_IDN_FREE*` + - `HAVE_INET_ADDR` + - `HAVE_IOCTL` + - `HAVE_KRB4` + - `HAVE_KRB_GET_OUR_IP_FOR_REALM` + - `HAVE_KRB_H` + - `HAVE_LDAPSSL_H` + - `HAVE_LDAP_INIT_FD` + - `HAVE_LIBDL` + - `HAVE_LIBNSL` + - `HAVE_LIBRESOLV*` + - `HAVE_LIBUCB` + - `HAVE_LL` + - `HAVE_LOCALTIME_R` + - `HAVE_MALLOC_H` + - `HAVE_MEMCPY` + - `HAVE_MEMORY_H` + - `HAVE_NETINET_IF_ETHER_H` + - `HAVE_NI_WITHSCOPEID` + - `HAVE_OPENSSL_CRYPTO_H` + - `HAVE_OPENSSL_ERR_H` + - `HAVE_OPENSSL_PEM_H` + - `HAVE_OPENSSL_PKCS12_H` + - `HAVE_OPENSSL_RAND_H` + - `HAVE_OPENSSL_RSA_H` + - `HAVE_OPENSSL_SSL_H` + - 
`HAVE_OPENSSL_X509_H` + - `HAVE_PEM_H` + - `HAVE_POLL` + - `HAVE_RAND_SCREEN` + - `HAVE_RAND_STATUS` + - `HAVE_RECVFROM` + - `HAVE_SETSOCKOPT` + - `HAVE_SETVBUF` + - `HAVE_SIZEOF_LONG_DOUBLE` + - `HAVE_SOCKIO_H` + - `HAVE_SOCK_OPTS` + - `HAVE_STDIO_H` + - `HAVE_STRCASESTR` + - `HAVE_STRFTIME` + - `HAVE_STRLCAT` + - `HAVE_STRNCMPI` + - `HAVE_STRNICMP` + - `HAVE_STRSTR` + - `HAVE_STRUCT_IN6_ADDR` + - `HAVE_TLD_H` + - `HAVE_TLD_STRERROR` + - `HAVE_UNAME` + - `HAVE_USLEEP` + - `HAVE_WINBER_H` + - `HAVE_WRITEV` + - `HAVE_X509_H` + - `LT_OBJDIR` + - `NEED_BASENAME_PROTO` + - `NOT_NEED_LIBNSL` + - `OPENSSL_NO_KRB5` + - `RECVFROM_TYPE*` + - `SIZEOF_LONG_DOUBLE` + - `STRERROR_R_TYPE_ARG3` + - `USE_YASSLEMUL` + - `_USRDLL` (from CMake) [4] + + [1] Related parts in `m4/curl-functions.m4` and `configure.ac` might + also be deleted. + + [2] Related comment can possibly be deleted in + `packages/vms/generate_config_vms_h_curl.com`. + + [3] There are more instances of this in autotools, but I did not dare to + touch those. Looked like it's used to detect socket support. + + [4] This is necessary for MFC (Microsoft Foundation Class) DLLs to + force linking MFC components statically to the DLL. `libcurl.dll` + does not use MFC, so we can delete this define. 
+ Ref: https://docs.microsoft.com/cpp/build/regular-dlls-statically-linked- + to-mfc + + Script that can help finding unused settings like above: + ```shell + + autoheader configure.ac # generate lib/curl_config.h.in + + { + grep -o -E 'set\([A-Z][A-Z0-9_]{3,}' CMake/Platforms/WindowsCac + he.cmake | sed -E 's|set\(||g' + grep -o -E -h '#define +[A-Z][A-Z0-9_]{3,}' lib/config-*.h + | sed -E 's|#define +||g' + grep -o -E '#cmakedefine +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.cmake + | sed -E 's|#cmakedefine +||g' + grep -o -E '#undef +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.in + | sed -E 's|#undef +||g' + } | sort -u | grep -v -F 'HEADER_CURL_' | while read -r def; do + c="$(git grep -w -F "${def}" | grep -v -E -c '(/libcurl\.tmpl|^lib/config-| + ^lib/curl_config\.h\.cmake|^CMakeLists\.txt|^CMake/Platforms/WindowsCache\.cm + ake|^packages/vms/config_h\.com|^m4/curl-functions\.m4|^acinclude\.m4|^config + ure\.ac)')" + if [ "${c}" = '0' ]; then + echo "${def}" + fi + done + ``` + + Reviewed-by: Daniel Stenberg + Closes #9044 + +Daniel Stenberg (19 Jul 2022) + +- RELEASE-NOTES: synced + +- cookie: treat a blank domain in Set-Cookie: as non-existing + + This matches what RFC 6265 section 5.2.3 says. + + Extended test 31 to verify. + + Fixes #9164 + Reported-by: Gwen Shapira + Closes #9177 + +Patrick Monnerat (19 Jul 2022) + +- base64: base64url encoding has no padding + + See RFC4648 section 5 and RFC7540 section 3.2.1. + + Suppress generation of '=' padding of base64url encoding. This is + accomplished by considering the string beginning at offset 64 in the + character table as the padding: this is "=" for base64, "" for base64url. + + Also use strchr() to replace character search loops where possible. + + Suppress erroneous comments about empty encoding results. + + Adjust unit test 1302 to unpadded base64url encoding and add tests for + empty results. 
+ + Closes #9139 + +Daniel Stenberg (19 Jul 2022) + +- easyoptions: fix icc warning + + easyoptions.c(360): error #188: enumerated type mixed with another type + + Ref: #9156 + Reported-by: Matthew Thompson + Closes #9176 + +lwthiker (19 Jul 2022) + +- h2h3: fix overriding the 'TE: Trailers' header + + A 'TE: Trailers' header is explicitly replaced by 'te: trailers' + (lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or + HTTP/3 headers. However, this is then replaced again by the original + value due to a bug, resulting in the uppercased version being sent. Some + HTTP/2 servers reject the whole HTTP/2 stream when this is the case. + + Closes #9170 + +Daniel Stenberg (18 Jul 2022) + +- lib3026: reduce the number of threads to 100 + + Down from 1000, to make it run and work in more systems. + + Fixes #9172 + Reported-by: Érico Nogueira Rolim + Closes #9173 + +- doh: move doh related struct definitions to doh.h + + and make 'dnstype' in 'struct dnsprobe' use the DNStype to fix the icc compil + er warning: + + doh.c(924): error #188: enumerated type mixed with another type + + Reported-by: Matthew Thompson + Ref #9156 + Closes #9174 + +Viktor Szakats (17 Jul 2022) + +- Makefile.m32: stop trying to build libcares.a [ci skip] + + Before this patch, `lib/Makefile.m32` had a rule to build `libcares.a` in + `-cares`-enabled builds, via c-ares's own `Makefile.m32`. Committed in + 2007 [1]. The commit message doesn't specifically address this particular + change. This logic comes from the times when c-ares was part of the curl + source tree, hence the special treatment. + + This feature creates problems when building c-ares first, using CMake + and pointing `LIBCARES_PATH` to its install prefix, where `Makefile.m32` + is missing in such case. A sub-build for c-ares is undesired also when + c-ares had already been build via its own `Makefile.m32`. + + To avoid the sub-build, this patch deletes its Makefile rule. 
After this + patch `libcares.a` needs to be manually built before using it in + `Makefile.m32`. Aligning it with the rest of dependencies. + + [1] 46c92c0b806da041d7a5c6fb64dbcdc474d99b31 + + Reviewed-by: Daniel Stenberg + Closes #9169 + +Daniel Stenberg (17 Jul 2022) + +- curl: writeout: fix repeated header outputs + + The function stored a terminating zero into the buffer for convenience, + but when on repeated calls that would cause problems. Starting now, the + passed in buffer is not modified. + + Reported-by: highmtworks on github + Fixes #9150 + Closes #9152 + +- curl_multi_timeout.3: clarify usage + + Fixes #9155 + Closes #9157 + Reported-by: jvvprasad78 on github + +- mprintf: make dprintf_formatf never return negative + + This function no longer returns a negative value if the formatting + string is bad since the return value would sometimes be propagated as a + return code from the mprintf* functions and they are documented to + return the length of the output. Which cannot be negative. + + Fixes #9149 + Closes #9151 + Reported-by: yiyuaner on github + +Viktor Szakats (17 Jul 2022) + +- trace: 0x7F character is non-printable + + `0x7F` is `DEL`, a non-printable symbol, so print it as + `UNPRINTABLE_CHAR`. + + Reported-by: MasterInQuestion on github + Fixes #9162 + Closes #9166 + +- doh: use https protocol by default + + The only allowed protocol is https, so it makes sense to use that + by default if not passed explicitly by the user. + + Reported-by: MasterInQuestion on github + Reviewed-by: Jay Satiro + Fixes #9163 + Closes #9165 + +- openssl: fix BoringSSL symbol conflicts with LDAP and Schannel + + Same issue as here [1], but this time when building curl with BoringSSL + for Windows with LDAP(S) or Schannel support enabled. + + Apply the same fix [2] for these source files as well. + + This can also be fixed by moving `#include "urldata.h"` _before_ + including `winldap.h` and `schnlsp.h` respectively. 
This seems like + a cleaner fix, though I'm not sure why it works and if it has any + downside. + + [1] https://github.com/curl/curl/issues/5669 + [2] https://github.com/curl/curl/commit/fbe07c6829ba8c5793c84c2856526e19e9029 + ab9 + + Co-authored-by: Jay Satiro + Closes #9110 + +Daniel Stenberg (13 Jul 2022) + +- asyn-thread: make getaddrinfo_complete return CURLcode + + ... as the only caller that cares about what it returns assumes that + anyway. This caused icc to warn: + + asyn-thread.c(505): error #188: enumerated type mixed with another type + result = getaddrinfo_complete(data); + + Repoorted-by: Matthew Thompson + Bug: https://github.com/curl/curl/issues/9081#issuecomment-1182143076 + Closes #9146 + +- easy_lock: fix build with icc + + The Intel compiler tries to look like GCC *and* clang *and* it lies in + its __has_builtin() function (returns true when it should return false), + so override it. + + Reported-by: Matthew Thompson + Fixes #9081 + Closes #9144 + +- configure: fix --disable-headers-api + + Reported-by: Michał Antoniak + Fixes #9134 + Closes #9143 + +- test3026: require 'threadsafe' + + Reported-by: Sukanya Hanumanthu + Fixes #9141 + Closes #9142 + +Even Rouault (12 Jul 2022) + +- CMake: link curl to its dependencies with PRIVATE + + The current PUBLIC visibility causes issues for downstream users. 
+ Cf https://github.com/OSGeo/PROJ/pull/3172#issuecomment-1157942986 + + Reviewed-by: Jakub Zakrzewski + Closes #9125 + +- CMake: remove APPEND in export(TARGETS) + + When running cmake several times, new content was appended to already + existing generated files, which is not appropriate + + Reviewed-by: Jakub Zakrzewski + Closes #9124 + +Tatsuhiro Tsujikawa (12 Jul 2022) + +- ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks + + Closes #9135 + +Daniel Stenberg (11 Jul 2022) + +- RELEASE-NOTES: synced + +Viktor Szakats (11 Jul 2022) + +- build: improve OS string in CMake and `config-win32.h` + + This patch makes CMake fill the "OS string" with the value of + `CMAKE_C_COMPILER_TARGET`, if passed. This typically contains a triplet, + the same we can pass to `./configure` via `--host=`. + + For non-CMake, non-autotools, Windows builds, this patch adds the ability + to override the default `OS` value in `lib/config-win32.h`. + + With these its possible to get the same OS string across the three build + systems. + + This patch supersedes the earlier, partial, CMake-only solution: + 435f395f3f8c11eebfcc243ca55ebcc11a19b8b8, thus retiring the + `CURL_OS_SUFFIX` CMake option. + + Reviewed-by: Jay Satiro + Closes #9117 + +- Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip] + + They allow to override the hardcoded values for the `windres` and `strip` + tools, complementing the existing set of `CURL_{CC,AR,RANLIB}` variables. + + `CURL_RC` comes handy when using LLVM tools with `CROSSPREFIX=llvm-` and + `CURL_CC=clang` set on current latest debian:unstable or earlier, where + `llvm-windres` is missing, and a `CURL_RC=-windres` fixes it. + Hopefully this will be fixed in the llvm package. FWIW `llvm-windres` + does exist in Homebrew llvm, MSYS2 llvm and llvm-mingw. 
+ + Reviewed-by: Daniel Stenberg + Closes #9132 + +Tatsuhiro Tsujikawa (10 Jul 2022) + +- ngtcp2: fix stall or busy loop on STOP_SENDING with upload data + + Fixes #9122 + Closes #9123 + +Xiaoke Wang (10 Jul 2022) + +- tool_operate: better cleanup of easy handle in exit path + + Closes #9114 + +- getinfo: return better error on NULL as first argument + + Closes #9114 + +Daniel Stenberg (10 Jul 2022) + +- tool_getparam: repair cleanarg + + Regression since 9e5669f. + + Make sure the "cleaning" of command line arguments is done on the + original argv[] pointers. As a bonus, it also exits better on out of + memory error. + + Reported-by: Litter White + Fixes #9128 + Closes #9130 + +Jay Satiro (10 Jul 2022) + +- docs: explain curl_easy_escape/unescape curl handle is ignored + + 26101421 (precedes 7.82.0) removed character conversion support used by + very old legacy operating systems and since then the curl handle passed + to curl_easy_escape/unescape is always ignored. + + Bug: https://github.com/curl/curl/discussions/9115 + Reported-by: Ted Lyngmo + + Closes https://github.com/curl/curl/pull/9121 + +Viktor Szakats (8 Jul 2022) + +- openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL + + BoringSSL doesn't keep a version number, and doesn't self-identify itself + via any other revision number via its own headers. We can identify + BoringSSL revisions by their commit hash. This hash is typically known by + the builder. This patch adds a way to pass this hash to libcurl, so that + it can display in the curl version string: + + For example: + + `CFLAGS=-DCURL_BORINGSSL_VERSION="c239ffd0"` + + ``` + curl 7.84.0 (x86_64-w64-mingw32) libcurl/7.84.0 BoringSSL/c239ffd0 (Schannel) + zlib/1.2.12 [...] + Release-Date: 2022-06-27 + Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps + mqtt pop3 [...] + Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv + 6 Kerberos [...] 
+ ``` + + The setting is optional, and if not passed, BoringSSL will appear without + a version number, like before this patch. + + Closes #9113 + +Jay Satiro (8 Jul 2022) + +- escape: remove outdated comment + + Bug: https://github.com/curl/curl/discussions/9115 + Reported-by: Ted Lyngmo + +Tatsuhiro Tsujikawa (8 Jul 2022) + +- ngtcp2: Fix missing initialization of nghttp3_nv.flags + + Closes https://github.com/curl/curl/pull/9118 + +Brad Forschinger (6 Jul 2022) + +- netrc.d: remove spurious quote + + Closes #9111 + +Viktor Szakats (6 Jul 2022) + +- Makefile.m32: add `NGTCP2_LIBS` option [ci skip] + + Makefile.m32's ngtcp2 has its two libs hardwired for OpenSSL. + Add `NGTCP2_LIBS` envvar to override them with a custom list, + making it possible to use BoringSSL, or any other backend. + + Closes #9109 + +Evgeny Grin (Karlson2k) (6 Jul 2022) + +- digest: fix missing increment of 'nc' value for auth-int + + - Increment nc regardless of qop type. + + Prior to this change nc was only incremented for qop type auth even + though libcurl sends nc with any qop. + + Closes https://github.com/curl/curl/pull/9090 + +Daniel Stenberg (5 Jul 2022) + +- RELEASE-NOTES: synced + + Bumped to 7.85.0 + +- urldata: reduce size of four ftp related members + + ftp_filemethod, ftpsslauth and ftp_ccc are now uchars + + accepttimeout is now unsigned int - almost 50 days ought to be enough + for this value. + + Closes #9106 + +- urldata: reduce three type-members from int to uchar + + - timecondition + - proxytype + - method + + ... previously used their enum type in the struct, which made them + unnecesarily large. + + Closes #9105 + +- CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name + + Starting now, CURLOPT_FTP_RESPONSE_TIMEOUT is the alias instead of the + other way around. + + Since 7.20.0, CURLOPT_SERVER_RESPONSE_TIMEOUT has existed as an alias + but since the option is for more protocols than FTP the more "correct" + version of the option is the "server" one so now we switch. 
+ + Closes #9104 + +- urldata: make 'ftp_create_missing_dirs' a uchar + + It only ever holds the values 0-2. + + Closes #9103 + +Don J Olmstead (5 Jul 2022) + +- cmake: support ngtcp2 boringssl backend + + Update the ngtcp2 find module to detect the boringssl backend. Determine + if the underlying OpenSSL implementation is BoringSSL and if so use that + as the ngtcp2 backend. + + Reviewed-by: Jakub Zakrzewski + Closes #9065 + +Daniel Stenberg (5 Jul 2022) + +- urldata: change 4 timeouts to unsigned int from long + + They're not used for that long times anyway, 32 bit milliseconds is long + enough. + + Closes #9101 + +- urldata: make 'use_netrc' a uchar + + Closes #9102 + +- urldata: make 'buffer_size' an unsigned int + + It is already capped at READBUFFER_MAX which fits easily in 32 bits. + + Closes #9098 + +- urldata: remove the unused 'rtspversion' struct member + + Closes #9100 + +- urldata: make 'use_port' an usigned short + + ... instead of a long. It is already enforced to not attempt to set any + value outside of 16 bits unsigned. + + Closes #9099 + +- urldata: store dns cache timeout in an int + + 68 years ought to be enough for most. + + Closes #9097 + +- curl: proto2num: make sure obuf is inited + + Detected by Coverity. CID 1507052. + + Closes #9096 + +- cookie: use %zu to infof() for size_t values + + Detected by Coverity. CID 1507051 + Closes #9095 + +Viktor Szakats (4 Jul 2022) + +- makefile.m32: add support for custom ARCH [ci skip] + + When building curl for target platform other than x64 and x86, it is now + possible to pass `ARCH=custom`, that will omit all hardcoded logic for + setting up CFLAGS/LDFLAGS/RCFLAGS for these platforms, and let these be + customized via `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, and a newly + added one for the resource compiler: `CURL_RCFLAG_EXTRAS`. + + This makes it possible to use `makefile.m32` to build for ARM64 for + example. 
+ + Reviewed-by: Daniel Stenberg + Closes #9092 + +- cmake: do not force Windows target versions + + The goal of this patch is to avoid CMake forcing specific Windows + versions and rely on toolchain defaults or manual selection instead. + This gives back control to the user. This also brings CMake closer to + how autotools and `Makefile.m32` behaves in this regard. + + - CMake had a setting `ENABLE_INET_PTON` defaulting to `ON`, which did + nothing else than fixing the Windows build target to Vista. This also + happened when the toolchain did not have Vista support (e.g. original + MinGW), breaking such builds. + + In other environments it did not make a user-facing difference, + because libcurl has its own pton() implementation, so it works well + with or without Vista's inet_pton(). + + This patch drops this setting. inet_pton() is now used whenever + building for Vista or newer, either when requested manually or by + default with modern toolchains (e.g. mingw-w64). Older envs will fall + back to curl's pton(). + + Ref: https://github.com/curl/curl/pull/9027#issuecomment-1164157604 + Ref: https://github.com/curl/curl/pull/8997#issuecomment-1164344155 + + - When the user did no select a Windows target version manually, stop + explicitly targeting Windows XP, and instead use the toolchain default. + + This may pose an issue with old toolchains defaulting to pre-XP + targets. In such case you must manually target Windows XP via: + `-DCURL_TARGET_WINDOWS_VERSION=0x0501` + or + `-DCMAKE_C_FLAGS=-D_WIN32_WINNT=0x0501` + + Reviewed-by: Jay Satiro + Reviewed-by: Marcel Raad + Closes #9046 + +- windows: improve random source + + - Use the Windows API to seed the fallback random generator. + + This ensures to always have a random seed, even when libcurl is built + with a vtls backend lacking a random generator API, such as rustls + (experimental), GSKit and certain mbedTLS builds, or, when libcurl is + built without a TLS backend. 
We reuse the Windows-specific random + function from the Schannel backend. + + - Implement support for `BCryptGenRandom()` [1] on Windows, as a + replacement for the deprecated `CryptGenRandom()` [2] function. + + It is used as the secure random generator for Schannel, and also to + provide entropy for libcurl's fallback random generator. The new + function is supported on Vista and newer via its `bcrypt.dll`. It is + used automatically when building for supported versions. It also works + in UWP apps (the old function did not). + + - Clear entropy buffer before calling the Windows random generator. + + This avoids using arbitrary application memory as entropy (with + `CryptGenRandom()`) and makes sure to return in a predictable state + when an API call fails. + + [1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenra + ndom + [2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptge + nrandom + + Closes #9027 + +Daniel Stenberg (4 Jul 2022) + +- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR + + ... as replacements for deprecated CURLOPT_PROTOCOLS and + CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the + 32 bit limit the old ones are facing. + + CURLINFO_PROTCOOL is now deprecated. + + The curl tool is updated to use the new options. + + Added test 1597 to verify the libcurl protocol parser. + + Closes #8992 + +- digest: simplify a switch() to a simple if + +- digest: provide a special bit for "sess" algos + + Also shortened the names and moved them to the .c file since they are + private for this source file only. Also made them #defines instead of + enum. + + Closes #9079 + +Thomas Weißschuh (4 Jul 2022) + +- select: do not return fatal error on EINTR from poll() + + The same was done for select() in 5912da25 but poll() was missed. 
+ + Bug: https://bugs.archlinux.org/task/75201 + Reported-by: Alexandre Bury (gyscos at archlinux) + + Ref: https://github.com/curl/curl/issues/8921 + Ref: https://github.com/curl/curl/pull/8961 + Ref: https://github.com/curl/curl/commit/5912da25#r77584294 + + Closes https://github.com/curl/curl/pull/9091 + +Kai Pastor (3 Jul 2022) + +- cmake: fix build for mingw cross compile + + - Change normaliz lib name to all lowercase. + + This is from a standing patch in vcpkg: + Mingw has libnormaliz.a. For case-sensitive file systems (e.g. cross + builds from Linux), the spelling must match exactly. + + Closes https://github.com/curl/curl/pull/9084 + +Jay Satiro (2 Jul 2022) + +- easy_lock: fix build for mingw + + - Define SRWLOCK symbols missing in some mingw environments. + + Closes https://github.com/curl/curl/pull/8997 + +Daniel Stenberg (2 Jul 2022) + +- tool_progress: avoid division by zero in parallel progress meter + + Reported-by: Brian Carpenter + Fixes #9082 + Closes #9083 + +- http_aws_sigv4.c: remove two unusued includes + + Closes #9080 + +- .mailmap: additional edit + + Follow-up to 861e2a8aca6c7 so that Evgeny appears with the same in git + logs even when using old email. + +- RELEASE-NOTES: synced + + bumped to 7.84.1 + +Evgeny Grin (Karlson2k) (1 Jul 2022) + +- .mailmap: updated + +- THANKS: merged two entries for Evgeny Grin + + Also updated THANKS-filter file + + Closes #9076 + +Jilayne Lovejoy (1 Jul 2022) + +- lib/curl_path.c: add ISC to license expression + + THe text of the ISC license is in this file, so the SPDX license + expression should be updated + + Closes #9073 + +Sean McArthur (30 Jun 2022) + +- hyper: use wakers for curl pause/resume + + Closes #9070 + +Viktor Szakats (30 Jun 2022) + +- Makefile.m32: do not set the libcurl.rc debug flag [ci skip] + + Delete `-DDEBUGBUILD=0` windres option. This was likely meant to + disable VS_FF_DEBUG in FILEFLAGS, but any assigned value enabled + it instead. 
Delete this unnecessary option and thus sync up with + how CMake compiles libcurl.rc by default. + + Reviewed-by: Jay Satiro + Closes #9069 + +Daniel Stenberg (29 Jun 2022) + +- curl.h: CURLE_CONV_FAILED is obsoleted + + The last use was removed in 7.82.0. Updated some docs too to reflect the + current error code situation. + + Closes #9067 + +- curl: output warning when a cookie is dropped due to size + + Dropped from the request, that is. + + Closes #9064 + +- curl_mime_data.3: polish the wording + + Closes #9063 + +- configure: check for the stdatomic.h header in configure + + ... and only set HAVE_ATOMIC if that header exists since we use + typedefes set in it. + + Reported-by: Ryan Schmidt + Fixes #9059 + Closes #9060 + +- easy_lock: fix the #ifdef conditional for ia32_pause + + To work better with new and old clang compilers. + + Reported-by: Ryan Schmidt + Assisted-by: Joshua Root + + Fixes #9058 + Closes #9062 + +- easy_lock: switch to using atomic_int instead of bool + + To work with more compilers without requiring separate libs to + link. Like with gcc-12 for RISC-V on Linux. + + Reported-by: Adam Sampson + Fixes #9055 + Closes #9061 + +vvb2060 (28 Jun 2022) + +- ngtcp2: fix incompatible function pointer types + + Closes #9056 + +- easy_lock.h: use __asm__ instead of asm to fix build + + Closes #9056 + +Samuel Henrique (27 Jun 2022) + +- libcurl-security.3: fix typo on macro "SH_" + + During the packaging of the latest curl release for Debian, Lintian + warned me about a typo which causes the section name "Secrets in memory" + to not be rendered in the manpage due to "SH_" not being recognized as a + header. 
+ + Closes #9057 + +Daniel Stenberg (27 Jun 2022) + +- easy_lock.h: include sched.h if available to fix build + + Patched-by: Harry Sintonen + + Closes #9054 + +Version 7.84.0 (27 Jun 2022) + +Daniel Stenberg (27 Jun 2022) + +- RELEASE-NOTES: synced + + Version 7.84.0 release + +- THANKS: contributors from 7.84.0 release notes + +- hsts: use Curl_fopen() + +- altsvc: use Curl_fopen() + +- fopen: add Curl_fopen() for better overwriting of files + + Bug: https://curl.se/docs/CVE-2022-32207.html + CVE-2022-32207 + Reported-by: Harry Sintonen + Closes #9050 + +- test444: test many received Set-Cookie: + + The amount of sent cookies in the test is limited to 80 because hyper + has its own strict limits in how many headers it allows to be received + which triggers at some point beyond this number. + +- test442/443: test cookie caps + + 442 - verify that only 150 cookies are sent + 443 - verify that the cookie: header remains less than 8K in size + +- cookie: apply limits + + - Send no more than 150 cookies per request + - Cap the max length used for a cookie: header to 8K + - Cap the max number of received Set-Cookie: headers to 50 + + Bug: https://curl.se/docs/CVE-2022-32205.html + CVE-2022-32205 + Reported-by: Harry Sintonen + Closes #9048 + +- test387: verify rejection of compression chain attack + +- content_encoding: return error on too many compression steps + + The max allowed steps is arbitrarily set to 5. + + Bug: https://curl.se/docs/CVE-2022-32206.html + CVE-2022-32206 + Reported-by: Harry Sintonen + Closes #9049 + +- krb5: return error properly on decode errors + + Bug: https://curl.se/docs/CVE-2022-32208.html + CVE-2022-32208 + Reported-by: Harry Sintonen + Closes #9051 + +- easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro + + clang 14 warns about its use. 
It is being deprecated by the working + group for the programming language C: "The macro ATOMIC_VAR_INIT is + basically useless for the purpose for which it was designed" + + Ref: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2886.htm + + Reported-by: Tatsuhiro Tsujikawa + Fixes #9041 + Closes #9042 + +Stefan Eissing (23 Jun 2022) + +- ngtcp2: avoid supplying 0 length `msg_control` to sendmsg() + + Testing on macOS 12.4, sendmsg() fails with EINVAL when a msg_control + buffer is provided in sengmsg(), even though msg_controllen was set to + 0. + + Initialize msg.msg_controllen just as needed and also perform the size + assertion only when needed. + + Closes #9039 + +Tom Eccles (23 Jun 2022) + +- ftp: restore protocol state after http proxy CONNECT + + connect_init() (lib/http_proxy.c) swaps out the protocol state while + working on the proxy connection, this is then restored by + Curl_connect_done() after the connection completes. + + ftp_do_more() extracted the protocol state pointer to a local variable + at the start of the function then calls Curl_proxy_connect(). If the proxy + connection completes, Curl_proxy_connect() will call Curl_connect_done() + (via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp + protocol state instead of the http proxy protocol state, but the local + variable in ftp_do_more still pointed to the old value. + + Ultimately this meant that the state worked on by ftp_do_more() was the + http proxy state not the ftp state initialised by ftp_connect(), but + subsequent calls to any ftp_ function would use the original state. + + For my use-case, the visible consequence was that ftp->downloadsize was + never set and so downloaded data was never returned to the application. + + This commit updates the ftp protocol state pointer in ftp_do_more() after + Curl_proxy_connect() returns, ensuring that the correct state pointer is + used. 
+ + Fixes #8737 + Closes #9043 + +Jay Satiro (23 Jun 2022) + +- THANKS: add contributor missing from aea8ac1 + + aea8ac1 fixed #8980 which was reported by Sgharat on github, but that + info was not included in the commit message. + +- curl_setup: include _mingw.h + + Prior to this change _mingw.h needed to be included in each unit before + evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It + is included only in some mingw headers (eg stdio.h) and not others + (eg windows.h) so it's better to explicitly include it once. + + Closes https://github.com/curl/curl/pull/9036 + +Viktor Szakats (22 Jun 2022) + +- rand: stop detecting /dev/urandom in cross-builds + + - Prevent CMake to auto-detect /dev/urandom when cross-building. + Before this patch, it would detect it in a cross-build scenario on *nix + hosts with this device present. This was a problem for example with + Windows builds, but it could affect any target system with this device + missing. This also syncs detection behaviour with autotools, which also + skips it for cross-builds. + - Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's + fallback random number generator on Windows. Windows does not have the + concept of reading a random stream from a filename, nor any guaranteed + non-world-writable path on disk. With this, a manual misconfiguration or + an overeager auto-detection can no longer result in a user-controllable + seed source. + + Reviewed-by: Daniel Stenberg + Closes #9038 + +Emanuele Torre (22 Jun 2022) + +- ci: avoid `cmake -Hpath` + + This is an undocumented option similar to the `-Spath' option introduced + in cmake 3.13. + Replace all instances of `-Hpath' with `-Spath' in macos workflow. + Replace `-H. -Bpath' with `mkdir path; cd ./path; cmake ..' in zuul + scripts since it runs an older version of cmake. 
+ + Fixes #9008 + Closes #9014 + +Daniel Stenberg (22 Jun 2022) + +- INTERNALS: bring back the "Library symbols" section + + Most contents was moved, but this text should remain here. + + Follow-up to: d324ac8 + Reported-by: Viktor Szakats + Bug: https://github.com/curl/curl/pull/9027#discussion_r903382326 + Closes #9037 + +Viktor Szakats (22 Jun 2022) + +- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip] + + Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows + XP when the `-ipv6` option is selected. Maybe this was added to support + pre-XP Windows versions (?). These days libcurl builds fine for both XP + and post-XP versions with IPv6 support enabled. The relevance of pre-XP + version is also low by now. Other build methods also do not impose such + limitation for a similar configuration. So, drop this hard-wired + `_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default + Windows version set by the compiler. This is Vista for recent MinGW + versions. + + Old behaviour can be restored by setting this envvar: + export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501 + + [1] 98a61d8e2e8982786aaf3916cbbcac96838316e7 + + Closes #9035 + +Daniel Stenberg (21 Jun 2022) + +- CONTRIBUTE: mention how we maintain REUSE compliance + + for copyright and license information of all files stored in git + + Closes #9032 + +- CURLOPT_ALTSVC.3: document the file format + + Closes #9033 + +Jay Satiro (21 Jun 2022) + +- runtests: add "threadsafe" to detected features + + Follow-up to recent commits which added thread-safety support. 
+ + Bug: https://github.com/curl/curl/pull/9012#discussion_r902018782 + Reported-by: Marc Hörsken + + Closes https://github.com/curl/curl/pull/9030 + +Daniel Stenberg (20 Jun 2022) + +- easy: remove dead code + + Follow-up from 5912da253b64d + + Detected by Coverity (CID 1506519) + + Closes #9029 + +Glenn Strauss (20 Jun 2022) + +- transfer: upload performance; avoid tiny send + + Append to the upload buffer when only small amount remains in buffer + rather than performing a separate tiny send to empty buffer. + + Avoid degenerative upload behavior which might cause curl to send mostly + 1-byte DATA frames after exhausing the h2 send window size + + Related discussion: https://github.com/nghttp2/nghttp2/issues/1722 + + Signed-off-by: Glenn Strauss + Closes #8965 + +Steve Holme (20 Jun 2022) + +- projects: fix third-party SSL library build paths for Visual Studio + + The paths used by the build batch files were inconsistent with those in + the Visual Studio project files. + + Closes #8991 + +Pierrick Charron (20 Jun 2022) + +- urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts + + As per the documentation : + + > Setting a part to a NULL pointer will effectively remove that + > part's contents from the CURLU handle. + + But currently clearing CURLUPART_URL does nothing and returns + CURLUE_OK. This change will clear all parts of the URL at once. + + Closes #9028 + +Philip Heiduck (18 Jun 2022) + +- CI: bump FreeBSD 13.0 to 13.1 + + 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> + Closes #8815 + +Daniel Stenberg (18 Jun 2022) + +- RELEASE-NOTES: synced + + and updated release date in RELEASE-PROCEDURE.md + +divinity76 (17 Jun 2022) + +- CURLOPT_HTTPHEADER.3: improve comment in example + + Closes #9025 + +Marc Hoersken (16 Jun 2022) + +- CI/azure: reduce flakiness by retrying install/prepare steps + + Closes #9010 + +- CI/cirrus: align Windows timeout with Azure CI at 120 minutes + + Closes #9009 + +Jay Satiro (16 Jun 2022) + +- vtls: make curl_global_sslset thread-safe + + .. and update some docs to explain curl_global_* is now thread-safe. + + Follow-up to 23af112 which made curl_global_init/cleanup thread-safe. + + Closes https://github.com/curl/curl/pull/9016 + +- curl_easy_pause.3: remove explanation of progress function + + - Remove misleading text that says progress function "gets called at + least once per second, even if the connection is paused." + + The progress function behavior is more nuanced and the user is better + served reading the progress function doc rather than attempt to explain + it in the curl_easy_pause doc. + + The progress function can only be called at least once per second if an + appropriate multi transfer function is called (eg curl_multi_perform) in + that time. For a paused transfer there may not be such a call. Rather + than explain this in detail in the curl_easy_pause doc, rely on the user + reading the CURLOPT_PROGRESSFUNCTION doc. + + Ref: https://github.com/curl/curl/issues/8983 + + Closes https://github.com/curl/curl/pull/9015 + +Daniel Stenberg (15 Jun 2022) + +- libssh: skip the fake-close when libssh does the right thing + + Starting in libssh 0.10.0 ssh_disconnect() will no longer close our + socket. Instead it will be kept alive as we want it, and it is our + responsibility to close it later. 
+ + Ref: #8718 + Ref: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/240 + Closes #9021 + +- configure: warn about rustls being experimental + + Right now a dozen test cases are disabled because they don't work with + rustls. + + Closes #9019 + +- runtests: skip starting the ssh server if user name is lacking + + Because the ssh server startup script *requires* a user name there's no + point in invoking it if no name was found. + + Reported-by: Ricardo M. Correia + Ref: #9007 + Closes #9013 + +- copyright.pl: parse and use .reuse/dep5 for skips + + Also scan skipped files to be able to find superfluous ignores, shown with -v + . + + Closes #9006 + +- reuse/dep5: adjusted to parse better + + ... adjusted a few files to contain copyright and license info. + + Closes #9006 + +- buildconf.bat: update copyright year range + + Closes #9006 + +- README.md: use the common "Copyright" style formatting + + Closes #9006 + +- reuse: move license info from .mailmap.license to .reuse/dep5 + + Closes #9006 + +- README.md: add a REUSE badge + + Closes #9004 + +- .reuse/dep5: remove recursive docs ignore, only skip markdown files + + ... and some additional non-markdown individual files in docs/ + + Closes #9005 + +- docs/cmdline-opts: add copyright and license identifier to each file + + gen.pl now insists on C: and SPDX-License-Identifier: fields to be + present in all files. + + Closes #9002 + +- copyright: info for/ignore .github/ISSUE_TEMPLATE/bug_report.md + + Follow-up from 448f7ef9ab2afb7. The adding of the copyright text in that + file broke site functionality. + + Closes #9001 + +- bug_report.md: revert the REUSE template to see if it works again + +Viktor Szakats (13 Jun 2022) + +- version: rename threadsafe-init to threadsafe + + Referring to Daniel's article [1], making the init function thread-safe + was the last bit to make libcurl thread-safe as a whole. 
So the name of + the feature may as well be the more concise 'threadsafe', also telling + the story that libcurl is now fully thread-safe, not just its init + function. Chances are high that libcurl wants to remain so in the + future, so there is little likelihood of ever needing any other distinct + `threadsafe-` feature flags. + + For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to + `CURL_VERSION_THREADSAFE`, update its description and reference libcurl's + thread safety documentation. + + [1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-s + afe/ + + Reviewed-by: Daniel Stenberg + Reviewed-by: Jay Satiro + Closes #8989 + +Daniel Stenberg (13 Jun 2022) + +- test3026: disable on win32 + + ... as it's not likely to have working pthreads + + Closes #8996 + +- GHA: shorten the reuse CI job name + + "REUSE compliance / check" should be good enough + + Closes #9000 + +- misc: add missing SPDX-License-Identifier info + + For some reason the REUSE CI job did not find these. + + Closes #8999 + +- copyright: verify SPDX-License-Identifier presence as well + +- easy_lock: add SPDX license identifier + + Closes #8998 + +- mailmap: Max Mehl + +Max Mehl (13 Jun 2022) + +- git: ignore large commit making the curl REUSE compliant + +- copyright: make repository REUSE compliant + + Add licensing and copyright information for all files in this repository. Thi + s + either happens in the file itself as a comment header or in the file + `.reuse/dep5`. + + This commit also adds a Github workflow to check pull requests and adapts + copyright.pl to the changes. 
+ + Closes #8869 + +Daniel Stenberg (12 Jun 2022) + +- curl_url_set.3: clarify by default using known schemes only + + Closes #8994 + +- scripts/copyright.pl: ignore leading spaces + +Viktor Szakats (10 Jun 2022) + +- ngtcp2: fix typo in preprocessor condition + + Ref: 927ede7edcb7b05b8e8bbf9ced6aed523ae594a7 + + Bug: https://github.com/curl/curl/pull/8981#discussion_r894312185 + Reported-by: Emil Engler + Closes #8987 + +Daniel Stenberg (10 Jun 2022) + +- RELEASE-NOTES: synced + +Tatsuhiro Tsujikawa (10 Jun 2022) + +- ngtcp2: build without sendmsg + + Closes #8981 + +- ngtcp2: use handshake helper funcs to simplify TLS handshake integration + + Closes #8968 + +Daniel Stenberg (10 Jun 2022) + +- test390: verify --parallel + + Closes #8985 + +- test1543: verify CURLINFO_EFFECTIVE_URL with CURLOPT_CURLU set + + Triggered by a bug report from Adam Light: + https://curl.se/mail/lib-2022-06/0013.html - which ended up being mostly + a misunderstanding of how CURLINFO_EFFECTIVE_URL works. + + Closes #8971 + +- url: URL encode the path when extracted, if spaces were set + +- urlapi: support CURLU_URLENCODE for curl_url_get() + +- server/sws: support spaces in the HTTP request path + +- tests/getpart: fix getpartattr to work with "data" and "data2" + +- select: return error from "lethal" poll/select errors + + Adds two new error codes: CURLE_UNRECOVERABLE_POLL and + CURLM_UNRECOVERABLE_POLL one each for the easy and the multi interfaces. + + Reported-by: Harry Sintonen + Fixes #8921 + Closes #8961 + +- test3026: add missing control file + + Follow-up from 2ed101256414ea5 + + Makes the test run, makes 'make dist' work + + This single test takes 24-25 seconds on my machine (with valgrind). For + this reason I tag it with a "slow" keyword. + + Closes #8976 + +- runtests: fix skipping tests not done event-based + + ... and call timestampskippedevents() to avoid the flood of + uninitialized variable warnings. 
+ + Closes #8977 + +- transfer: maintain --path-as-is after redirects + + Reported-by: Marcus T + Fixes #8974 + Closes #8975 + +- test391: verify --path-as-is with redirect + +Jay Satiro (8 Jun 2022) + +- curl_global_init.3: Separate the Windows loader lock warning + + This is a slight correction of the parent commit which implied the + loader lock warning only applied if not thread-safe. In fact the loader + lock warning applies either way. + + Ref: https://github.com/curl/curl/pull/8972#discussion_r891987030 + +Daniel Stenberg (8 Jun 2022) + +- curl_global_init.3: this is now (usually) thread-safe + + Follow-up to 23af112f5556 + + Closes #8972 + +Haxatron (8 Jun 2022) + +- libcurl-security.3: Document CRLF header injection + + - Document that user input to header options is not sanitized, which + could result in CRLF used to modify the request in a way other than + what was intended. + + Ref: https://hackerone.com/reports/1589877 + Ref: https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0 + d7cfe545 + + Closes https://github.com/curl/curl/pull/8964 + +Jay Satiro (8 Jun 2022) + +- CURLOPT_RANGE.3: remove ranged upload advice + + The e-mail link in the advice contains instructions that are prone to + error. We need an example that works and can demonstrate how to properly + perform a ranged upload, and then we can refer to that example instead. + + Bug: https://github.com/curl/curl/issues/8969 + Reported-by: Simon Berger + + Closes https://github.com/curl/curl/pull/8970 + +Thomas Guillem (7 Jun 2022) + +- curl_version_info: add CURL_VERSION_THREADSAFE_INIT + + This flag can be used to make sure that curl_global_init() is + thread-safe. + + This can be useful for libraries that can't control what other + dependencies are doing with Curl. + + Closes #8680 + +- lib: make curl_global_init() threadsafe when possible + + Use a posix pthread or a Windows SRWLOCK to lock curl_global_init*() and + curl_global_cleanup(). 
+ + Closes #8680 + +Daniel Stenberg (6 Jun 2022) + +- RELEASE-NOTES: synced + +Fabian Keil (6 Jun 2022) + +- test414: add the '--resolve' keyword + + ... so the test can be automatically skipped when + using an external proxy like Privoxy. + + Closes #8959 + +- test{440,441,493,977}: add "HTTP proxy" keywords + + ... so the tests can be automatically skipped when + using an external proxy like Privoxy. + + Closes #8959 + +- runtests.pl: add the --repeat parameter to the --help output + + Closes #8959 + +- test 2081: add a valid reply for the second request + + ... so the test works when using a HTTP proxy like + Privoxy that sends an error message if the server + doesn't send data. + + Closes #8959 + +- test 675: add missing CR so the test passes when run through Privoxy + + Closes #8959 + +Daniel Stenberg (6 Jun 2022) + +- ftp: when failing to do a secure GSSAPI login, fail hard + + ... instead of switching to cleartext. For the sake of security. + + Reported-by: Harry Sintonen + Bug: https://hackerone.com/reports/1590102 + Closes #8963 + +- http2: reject overly many push-promise headers + + Getting more than a thousand of them is rather a sign of some kind of + attack. 
+ + Reported-by: Harry Sintonen + Bug: https://hackerone.com/reports/1589847 + Closes #8962 + +Fabian Keil (5 Jun 2022) + +- misc: spelling improvements + + Closes #8956 + +Tatsuhiro Tsujikawa (5 Jun 2022) + +- ngtcp2: fix assertion failure on EMSGSIZE + + Closes #8958 + +Daniel Stenberg (2 Jun 2022) + +- easy/transfer: fix cookie-disabled build + + Follow-up from 45de940cebf6a + Reported-by: Marcel Raad + Fixes #8953 + Closes #8954 + +- examples/crawler.c: use the curl license + + With permission from Jeroen Ooms + + URL: https://github.com/curl/curl/pull/8869#issuecomment-1144742731 + Closes #8950 + +- speed-limit/time.d: mention these affect transfers in either direction + + Reported-by: Ladar Levison + Fixes #8948 + Closes #8951 + +- scripts/copyright.pl: fix the exclusion to not ignore man pages + + Ref: #8869 + Closes #8952 + +- examples: remove fopen.c and rtsp.c + + To simplify the license situation, as they were the only files in the + source tree using these specific BSD-3 clause licenses. + + For an fopen style API, we recommend instead going + https://github.com/curl/fcurl + + Ref: #8869 + Closes #8949 + +Wolf Vollprecht (2 Jun 2022) + +- netrc: check %USERPROFILE% as well on Windows + + Closes #8855 + +Daniel Stenberg (2 Jun 2022) + +- CURLOPT_SSH_HOSTKEYDATA/FUNCTION.3: minor polish + +Michael Musset (2 Jun 2022) + +- libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION + + The callback set by CURLOPT_SSH_HOSTKEYFUNCTION is called to check + wether or not the connection should continue. + + The host key is passed in argument with a custom handle for the + application. + + It overrides CURLOPT_SSH_KNOWNHOSTS + + Closes #7959 + +Daniel Stenberg (2 Jun 2022) + +- docs/CONTRIBUTE.md: document the 'needs-votes' concept + + A pull request sent to the project might get labeled `needs-votes` by a + project maintainer. 
This label means that in addition to meeting all + other checks and qualifications this pull request must also receive + proven support/thumbs-ups from more community members to be considered + for merging. + + Closes #8910 + +Evgeny Grin (Karlson2k) (2 Jun 2022) + +- digest: tolerate missing "realm" + + Server headers may not define "realm", avoid NULL pointer dereference + in such cases. + + Closes #8912 + +- digest: added detection of more syntax error in server headers + + Invalid headers should not be processed otherwise they may create + a security risk. + + Closes #8912 + +- digest: unquote realm and nonce before processing + + RFC 7616 (and 2617) requires values to be "unquoted" before used for + digest calculations. The only place where unquoting can be done + correctly is header parsing function (realm="DOMAIN\\host" and + realm=DOMAN\\host are different realms). + + This commit adds unquoting (de-escaping) of all values during header + parsing and quoting of the values during header forming. This approach + should be most straightforward and easy to read/maintain as all values + are processed in the same way as required by RFC. + + Closes #8912 + +Daniel Stenberg (1 Jun 2022) + +- headers: handle unfold of space-cleansed headers + + Detected by OSS-fuzz + + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47767 + + Updated test 1274 + + Closes #8947 + +- lib: make more protocol specific struct fields #ifdefed + + ... so that they don't take up space if the protocols are disabled in + the build. + + Closes #8944 + +- DISABLED: disable 1021 for hyper again + + due to flakiness in the CI builds + +- urldata: store tcp_keepidle and tcp_keepintvl as ints + + They can't be set larger than INT_MAX in the setsocket API calls. + + Also document the max values in their respective man pages. + + Closes #8940 + +- urldata: reduce size of a few struct fields + + When the values are never larger than 32 bit, ints are better than longs. 
+ + Closes #8940 + +- urldata: remove three unused booleans from struct UserDefined + + - is_fwrite_set + - free_referer + - strip_path_slash + + Closes #8940 + +- remote-name.d: mention --output-dir + + plus add two see-alsos + + Closes #8945 + +Jay Satiro (1 Jun 2022) + +- configure: skip libidn2 detection when winidn is used + + Prior to this change --with-winidn could be overridden by libidn2 + detection. + + Closes https://github.com/curl/curl/pull/8934 + +Daniel Stenberg (31 May 2022) + +- CURLOPT_FILETIME.3: fix the protocols this works with + +- test681: verify --no-remote-name + + Follow-up to 83ee5c428d960 (from #8931) + + Closes #8942 + +Tatsuhiro Tsujikawa (31 May 2022) + +- ngtcp2: enable Linux GSO + + Enable Linux GSO in ngtcp2 QUIC. In order to recover from the + EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write, + packet buffer is now held by struct quicsocket. GSO write might fail in + runtime depending on NIC. Disable GSO if sendmsg returns EIO. + + Closes #8909 + +Daniel Stenberg (31 May 2022) + +- CURLOPT_PORT.3: We discourage using this option + + Closes #8941 + +- RELEASE-NOTES: synced + +- headers_push: error out if a folded header has no previous header + + As that would indicate an illegal header. The fuzzer reached the assert + in unfold_value() proving that this case can happen. + + Follow-up to c9b60f005358a364 + + Closes #8939 + +Boris Verkhovskiy (31 May 2022) + +- curl: re-enable --no-remote-name + + Closes #8931 + +Daniel Stenberg (31 May 2022) + +- test680: require 'http' since it uses such a URL + + Follow-up to d1b376c03524 + +- CURLOPT_NETRC.3: document the .netrc file format + +- test680: verify rejection of malformatted .netrc quoted password + +- test679: verify netrc quoted string + +- netrc: support quoted strings + + The .netrc parser now accepts strings within double-quotes in order to + deal with for example passwords containing white space - which + previously was not possible. 
+ + A password that starts with a double-quote also ends with one, and + double-quotes themselves are escaped with backslashes, like \". It also + supports \n, \r and \t for newline, carriage return and tabs + respectively. + + If the password does not start with a double quote, it will end at first + white space and no escaping is performed. + + WARNING: this change is not entirely backwards compatible. If anyone + previously used a double-quote as the first letter of their password, + the parser will now get it differently compared to before. This is + highly unfortunate but hard to avoid. + + Reported-by: ImpatientHippo on GitHub + Fixes #8908 + Closes #8937 + +- curl_getdate.3: document that some illegal dates pass through + + Closes #8938 + +- CI: remove configure --enable-headers-api flags + +- headers api: remove EXPERIMENTAL tag + + Closes #8900 + +Daniel Gustafsson (30 May 2022) + +- cookies: fix documentation comment + + Commit 4073cd83b2 added the noexpire parameter to Curl_cookie_add but + missed updating the documentation comment at the head of the file. + +Marc Hoersken (30 May 2022) + +- tests/data/test1940: use binary mode for expected stdout + + The generated stdout data is written in binary mode with [LF] + line endings, therefore we also need to do a binary comparison. + + Assisted-by: Jay Satiro + Assisted-by: Daniel Stenberg + + Follow up to c9b60f005358a364cbcddbebd8d12593acffdd84 + Fixes #8920 + Closes #8936 + +Daniel Stenberg (29 May 2022) + +- CURLINFO_CAINFO/PATH.3: clarify the multiple TLS situation + + Spell out the multi-TLS situation. + + Reported-by: Dan Fandrich + Fixes #8926 + Closes #8932 + +JustAnotherArchivist (28 May 2022) + +- tool_getparam: fix --parallel-max maximum value constraint + + - Clamp --parallel-max to MAX_PARALLEL (300) instead of resetting to + default value. + + Previously, --parallel-max 300 would use 300 concurrent transfers, but + --parallel-max 301 would unexpectedly use only 50. 
This change clamps + higher values to the maximum (ie --parallel-max 301 would use 300). + + Closes https://github.com/curl/curl/pull/8930 + +Daniel Stenberg (27 May 2022) + +- curl.1: add a few see also --tls-max + + Closes #8929 + +Viktor Szakats (26 May 2022) + +- cmake: do not add libcurl.rc to the static libcurl library + + Fixes: https://github.com/curl/curl/pull/8918#issuecomment-1138263855 + + Reviewed-By: Karlson2k@users.noreply.github.com + Closes #8923 + +- cmake: support adding a suffix to the OS value + + CMake automatically uses the `CMAKE_SYSTEM_NAME` value to fill the OS + string appearing in the --version output after the curl version number, + for example: + + 'curl 7.83.1 (Windows)' + + This patchs adds the ability to pass a suffix that is appended to this + value. It's useful to add CPU info or other platform details, + for example: + + 'curl 7.83.1 (Windows-x64)' + + Closes #8919 + +- cmake: enable curl.rc for all Windows targets + + Before this patch, it was only enabled for MSVC. This syncs this + configuration with libcurl.rc, which was already included with + every Windows compiler. + + Closes #8918 + +- cmake: fix detecting libidn2 + + Without this patch, libidn2 detection doesn't even seem to be + attempted. With this patch, cmake can be configured to pick it + up and enable it. Necessary configuration remains manual and + differs from most other dependencies. + + If you are aware of a better fix, we're glad hearing about it + in a new Issue. + + Closes #8917 + +- version: allow stricmp() for sorting the feature list + + In CMakeLists.txt there is an attempt to detect `stricmp()`, and in + certain cases, this attempt is the only successful one to detect a + case-insensitive comparison function. `HAVE_STRICMP` is defined as + a result, but this macro wasn't used anywhere in the source. This + patch makes use of it as an alternative when alpha-sorting the + `--version` feature list. 
+ + Reviewed-by: Daniel Stenberg + Closes #8916 + +Daniel Stenberg (25 May 2022) + +- DISABLED: add six tests that fail with hyper + + 1117 1274 1940 1941 1942 1943 + +- c-hyper: mark status line as status for Curl_client_write() + + To make sure the headers API can filter it out as not a regular header. + + Reported-by: Gisle Vanem + Fixes #8894 + Closes #8914 + +Marc Hoersken (25 May 2022) + +- tests/data/test1501: kill ftp server after slow LIST response + + This test is contributing to flakiness on the Windows CI runs. + Killing the ftp server after the test run like other slowness + tests already do may help resolve or reduce the flakiness. + + Closes #8907 + +Daniel Stenberg (25 May 2022) + +- headers: fix the unfold realloc to use proper new size + + Previously it didn't take the old name length into acount + + Follow-up to: c9b60f005358a364 + Closes #8913 + +Marc Hoersken (25 May 2022) + +- GHA: align all install, configure and build steps again + + First step towards more unified build steps on GitHub Actions. + + Closes #8873 + +- CI/azure: remove obsolete strategy for single builds + + This shortens these CI job names on GitHub even more. + Follow up to #8906 which also increased their timeout. + + Closes #8911 + +- CI/azure: shorten names of Windows CI jobs + + Suggested-by: Daniel Stenberg + Closes #8906 + +Daniel Stenberg (24 May 2022) + +- http: restore header folding behavior + + Folded header lines will now get passed through like before. The headers + API is adapted and will provide the content unfolded. + + Added test 1274 and extended test 1940 to verify. + + Reported-by: Petr Pisar + Fixes #8844 + Closes #8899 + +Viktor Szakats (24 May 2022) + +- Makefile.m32: delete obsolete options, improve -On [ci skip] + + - `-D_AMD64_` has not been necessary for mingw-w64 builds for a long time now + . 
+ - `-fno-strict-aliasing` is mentioned for Intel C compiler in autotools, and + I used this with VxWorks in another project, but otherwise this isn't + necessary anymore as a default. If a target still needs it, it can be + added with `CURL_CFLAG_EXTRAS=-fno-strict-aliasing` + - bump up default optimization level to `-O3` (from `-O2`), and also rearrang + e + option order so the default can now be overridden via + `CURL_CFLAG_EXTRAS`. + - delete `-g` (generate debug info) from `CFLAGS` and `-s` from `LDFLAGS` + (strip debug info). They were working against each other. Now, if someone + needs debug info, it can be enabled via `CURL_CFLAG_EXTRAS=-g` + + Closes #8904 + +Daniel Gustafsson (24 May 2022) + +- ntlm: fix one more hostname test fallout + + This fixup was missed in commit 5a41abef6dca19. + + Closes: #8901 + Reviewed-by: Daniel Stenberg + +- doh: remove UNITTEST macro definition + + The UNITTEST macro is defined by curl_setup.h so there is no use in + carry a local copy of the logic. + + Closes: #8902 + Reviewed-by: Daniel Stenberg + +Daniel Stenberg (24 May 2022) + +- cookie: fix false positive "potentially uninitialized local variable" + + Reviewed-by: Daniel Gustafsson + Closes #8903 + +- curl: add --rate to set max request rate per time unit + + --rate "12/m" - for 12 per minute or + --rate "5/h" - for 5 per hour + + Removed from TODO + + Closes #8671 + +Jay Satiro (23 May 2022) + +- max-time.d: clarify max-time sets max transfer time + + Prior to this change the doc said --max-time set the maximum time of the + 'whole operation' which is not accurate. The option maps to + CURLOPT_TIMEOUT_MS which sets maximum transfer time. + + For example, the maximum time on a transfer is reset if the transfer is + retried (--retry). 
+ + Reported-by: Nuru@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/8877 + Closes #8879 + +Daniel Stenberg (23 May 2022) + +- GHA/hyper: enable debug in the build + +- hyper: use 'alt-used' + + Makes test 412+413 work + + Closes #8898 + +- RELEASE-NOTES: synced + +- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl + + Closes #8888 + +- links: update dead links + + The wiki pages are gone, remove and link to more long-living docs. + + Closes #8897 + +- ntlm: (void) typecast msnprintf() where we ignore return code + + Follow-up to 5a41abef6, to please Coverity + +Daniel Gustafsson (22 May 2022) + +- ntlm: copy NTLM_HOSTNAME to host buffer + + Commit 709ae2454f43 added a fake hostname to avoid leaking the local + hostname, but omitted copying it to the host buffer. Fix by copying + and adjust the test fallout. + + Closes: #8895 + Fixes: #8893 + Reported-by: Patrick Monnerat + Reviewed-by: Daniel Stenberg + +- configure: use the SED value to invoke sed + + Rather than assuming sed in PATH, use the resolved $SED variable + like in all other invocations of sed in configure. + + Closes: #8891 + Reviewed-by: Daniel Stenberg + Reviewed-by: Marcel Raad + +Tatsuhiro Tsujikawa (20 May 2022) + +- ngtcp2: Allow curl to send larger UDP datagrams + + Allow curl to send larger UDP datagram if Path MTU Discovery finds the + availability of larger path MTU. To make it work and not to send + fragmented packet, we need to set DF bit. That makes send(2) fail with + EMSGSIZE if UDP datagram is too large. In that case, just let it be + lost. This patch enables DF bit for Linux only. + + Closes #8883 + +Daniel Stenberg (20 May 2022) + +- libcurl-security.3: add "Secrets in memory" + + Closes #8881 + +- tests: update NTLM tests to use new host name + + Also drop the debug requirement, remove the setenv sections, remove + prechecks and add NTLM to the top keywords. 
+ + Closes #8889 + +- ntlm: provide a fixed fake host name + + The NTLM protocol includes providing the local host name, but apparently + other implementations already provide a fixed fake name instead to avoid + leaking the real local name. + + The exact name used is 'WORKSTATION', because Firefox uses that. + + The change is written to allow someone to "back-pedal" fairly easy in + case of need. + + Reported-by: Carlo Alberto + Fixes #8859 + Closes #8889 + +Daniel Gustafsson (20 May 2022) + +- KNOWN_BUGS: fix typo in problem description + + s/TSL/TLS/ + +- FEATURES: remove yassl as TLS library for NTLM + + yassl was added in commit 9d904ee41b880b but is no longer available + and is thus not a library to use for NTLM. This aligns the FEATURES + doc with the FAQ. + + Closes: #8886 + Reviewed-by: Daniel Stenberg + +- FEATURES: reorder footnotes + + The empty left-behind footnote confused the website rendering into + creating a nested emoty list, making the resulting page look quite + odd. Remove and re-order the remaining ones to avoid a gap in the + sequence. + + Closes: #8886 + Reviewed-by: Daniel Stenberg + +- FAQ: remove opinionated sentence on NTLM + + curl is a tool that support many different things, and it doesn't + really seem like our job to tell other what to use (as they might + not have much say in the matter even). Also tidy up wording. + + Closes: #8886 + Reviewed-by: Daniel Stenberg + +Viktor Szakats (20 May 2022) + +- log2changes: do not indent empty lines [ci skip] + + This will omit two spaces of indentation from lines with no content, + thus avoiding 'spaces @ EOL'. 
+ + Reviewed-by: Daniel Stenberg + Closes #8887 + +Daniel Stenberg (19 May 2022) + +- wolfssl: correct the failf() message when a handle can't be made + + Closes #8885 + +Viktor Szakats (19 May 2022) + +- Makefile.m32: delete two obsolete OpenSSL options [ci skip] + + - -DOPENSSL_NO_KRB5: No longer used by OpenSSL 1.1.x, 3.x, or + LibreSSL 3.5.x, yet it collides with the latter, which defines + it unconditionally, resulting in this warning: + ../../libressl/include/openssl/opensslfeatures.h:14:9: warning: 'OPENSSL_ + NO_KRB5' macro redefined [-Wmacro-redefined] + It was originally added to curl in 2004. + + - -DHAVE_OPENSSL_PKCS12_H: No longer used by OpenSSL 1.1.x, 3.x, or + LibreSSL back to at least 2.5.5. Originally added in the same + commit as the above, in 2004. + + Closes #8884 + +Daniel Stenberg (19 May 2022) + +- RELEASE-NOTES: synced + + bump to 7.84.0 + +Christian Weisgerber via curl-library (19 May 2022) + +- Makefile.am: fix portability issues + + Commit a04f0b961333e1a19848d073d8c7db9c20b2a371 made me notice that + there is a portability issue in curl's top-level Makefile.am. + + $< can only be used in rules that deal with .SUFFIXES. Its use + for general prerequisites is a GNU make extension. 
+ + $< could be replaced by $?, but I think in an autotools context, + something like this is better: + + Bug: https://curl.se/mail/lib-2022-05/0024.html + Closes #8861 + +Balakrishnan Balasubramanian (19 May 2022) + +- socks: support unix sockets for socks proxy + + Usage: + curl -x "socks5h://localhost/run/tor/socks" "https://example.com" + + Updated runtests.pl to run a socksd server listening on unix socket + + Added tests test1467 test1468 + + Added documentation for proxy command line option and socks proxy + options + + Closes #8668 + +Vincent Torri (19 May 2022) + +- cmake: add libpsl support + + Fixes #8865 + Closes #8867 + +Tatsuhiro Tsujikawa (19 May 2022) + +- ngtcp2: extend QUIC transport parameters buffer + + Extend QUIC transport parameters buffer because 64 bytes are too + short for the ever increasing parameters. + + Closes #8872 + +- ngtcp2: handle error from ngtcp2_conn_submit_crypto_data + + Closes #8871 + +- ngtcp2: send appropriate connection close error code + + Closes #8870 + +Daniel Stenberg (19 May 2022) + +- test1561: adjusted for the cookie fix + +- test414: verify secure cookie domain overlay + +Harry Sintonen (19 May 2022) + +- cookie: address secure domain overlay + + Bug: https://hackerone.com/reports/1560324 + Co-authored-by: Daniel Stenberg + Closes #8840 + +Frank Gevaerts (19 May 2022) + +- strcase: some optimisations + + Lookup tables for toupper() and tolower() make Curl_strcasecompare() + about 1.5 times faster. Reorganising Curl_strcasecompare() to fully exit + early then also allows simplifying the check at the end, for another + 15%. In total, the changes make Curl_strcasecompare() around 1.6 to 1.7 + times faster. + + Note that these optimisation assume ASCII. The original + Curl_raw_toupper() and raw_tolower() look like they already made that + assumption. 
+ + Closes #8875 + +Daniel Stenberg (19 May 2022) + +- BUG-BOUNTY.md: mention the audit exception + + Dedicated - paid for - security audits that are performed in + collaboration with curl developers are not eligible for bounties. + + (plus I changed the sub-titles to use ## instead of # in the markdown) + + Closes #8880 + +- lib/vssh/wolfssh.h: removed + + Unused header file + + Reported-by: Illarion Taev + Fixes #8863 + Closes #8866 + +Elms (17 May 2022) + +- wolfSSL: explicitly use compatibility layer + + This change removes adding an include `$prefix/wolfssl` or similar to + allow for openssl include aliasing. Include paths of `wolfssl/openssl/` + are used to explicitly use wolfSSL includes. This fixes cmake builds as + well as avoiding potentially using openSSL headers since include path + order is not guaranteed. + + Closes #8864 + +Daniel Stenberg (17 May 2022) + +- curl: deprecate --random-file and --egd-file + + As libcurl no longer has any functionality for them, the tool now does + nothing with them. + + Closes #8670 + +- opts: deprecate RANDOM_FILE and EGDSOCKET + + These two options were only ever used for the OpenSSL backend for + versions before 1.1.0. They were never used for other backends and they + are not used with recent OpenSSL versions. They were never used much by + applications. + + The defines RANDOM_FILE and EGD_SOCKET can still be set at build-time + for ancient EOL OpenSSL versions. + + Closes #8670 + +Harry Sintonen (17 May 2022) + +- bindlocal: don't use a random port if port number would wrap + + Earlier if CURLOPT_LOCALPORT + CURLOPT_LOCALPORTRANGE would go past port + 65535 the code would fall back to random port rather than giving up. + + Closes #8862 + +Daniel Gustafsson (16 May 2022) + +- transfer: Fix potential NULL pointer dereference + + Commit 0ef54abf5208 accidentally used the conn variable before the + assertion for it being NULL. Fix by moving the assignment which use + conn to after the assertion. 
+ + Closes: #8857 + Reviewed-by: Daniel Stenberg + +- docs: clarify data replacement policy for MIME API + + The API documentation for the MIME functions specify that the parts + can be set twice, with the last call winning. While true, the user + can set the parts n times for n > 2, reword to specify multiple API + calls instead. + + Closes: #8860 + Reviewed-by: Daniel Stenberg + +vvb2060 on github (16 May 2022) + +- ngtcp2: support boringssl crypto backend + + Closes #8789 + +Tatsuhiro Tsujikawa (16 May 2022) + +- quic: add Curl_quic_idle + + Add Curl_quic_idle which is called when no HTTP level read or write is + performed. It is a good place to handle timer expiry for QUIC transport + (.e.g, retransmission). + + Closes #8698 + +Gregor Jasny (16 May 2022) + +- mprintf: ignore clang non-literal format string + + Closes #8740 + +Nick Zitzmann (16 May 2022) + +- sectransp: check for a function defined when __BLOCKS__ is undefined + + SecTrustEvaluateAsync() is defined in the macOS 10.7 SDK, but it + requires Grand Central Dispatch to be supported by the compiler, and + some third-party macOS compilers do not support Grand Central Dispatch. + SecTrustCopyPublicKey() is not present in macOS 10.6, so this shouldn't + adversely affect anything. + + Fixes #8846 + Reported-by: Egor Pugin + Closes #8854 + +Daniel Gustafsson (16 May 2022) + +- test412/413: Use version macro for User-Agent + + Commit 46d45ea3a incorrectly hardcoded the User-Agent in the test + output file which breaks when curlver is updated. Shift to using + the %VERSION macro instead. + + Closes: #8856 + +- macos9: remove partial support + + The support for compiling on Mac OS 9 hasn't been modified since 2001 + and has no active maintainer or packager, so it's time to remove it as + it's incredibly unlikely to work. If a maintainer re-emerges it can be + resurrected from Git history. 
+ + Closes: #8836 + Reviewed-by: Daniel Stenberg + +Daniel Stenberg (16 May 2022) + +- test1635: verify --fail-with-body with --retry + + Almost a dupe of 1634 + + Closes #8847 + +- tool_operate: make sure --fail-with-body works with --retry + + ... in the same way --fail already does. + + Reported-by: Jakub Bochenski + Fixes #8845 + Closes #8847 + +Tatsuhiro Tsujikawa (16 May 2022) + +- ngtcp2: Correct use of ngtcp2 and nghttp3 signed integer types + + Closes #8851 + +- ngtcp2: Fix alert_read_func return value + + Closes #8852 + +Harry Sintonen (16 May 2022) + +- Curl_parsenetrc: don't access local pwbuf outside of scope + + Accessing local variables outside of the scope is forbidden and + depending on the compiler can result in the value being + overwritten. Fixed by moving the pwbuf to be in scope. + + Closes #8850 + +Daniel Stenberg (16 May 2022) + +- RELEASE-NOTES: synced + + and bump curlver to 7.83.2 for now (but likely to become 7.84.0 soon) + +Frazer Smith (14 May 2022) + +- ci: update github actions + + - bump actions/checkout from 2 to 3 + - bump actions/upload-artifact from 1 to 3 + - bump github/codeql-actions from 1 to 2 + - use version tag for actions/checkout + + Closes #8843 + +Daniel Stenberg (14 May 2022) + +- test1919: verify CURLOPT_XOAUTH2_BEARER leak fix + +- url: free old conn better on reuse + + Make use of conn_free() better and avoid duplicate code. + + Reported-by: Andrea Pappacoda + Fixes #8841 + Closes #8842 + +Jay Satiro (14 May 2022) + +- FAQ: Clarify Windows double quote usage + + - Windows command prompt doesn't use literal quoting via single quotes. + + - Windows command prompt inner double quotes are escaped with a + backslash. + + - Windows powershell does use single quotes but curl is not a powershell + script so the arguments may not be passed on correctly. + + - Windows powershell inner double quotes seems can be passed to curl if + the outer quotes are double quotes and an escape of backslash-backtick + is used. 
+ + Command prompt example: + + ~~~ + getargs -v -d "\"a\"" + + argv[0]: getargs + argv[1]: -v + argv[2]: -d + argv[3]: "a" + ~~~ + + Ref: https://github.com/curl/curl/issues/8818 + Ref: https://gist.github.com/jay/19aba48653bd591cf4b90eb9249a302c + + Reported-by: KotlinIsland@users.noreply.github.com + + Closes https://github.com/curl/curl/pull/8823 + +Daniel Stenberg (12 May 2022) + +- github/workflows/nss: apt update first + + Fix "libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb 404 Not Found" + + Closes #8837 + +- page-footer: mention exit code zero too + + Success (zero) is also an "exit code" worth mentioning. + + Closes #8833 + +Daniel Gustafsson (12 May 2022) + +- gssapi: initialize gss_buffer_desc strings + + Explicitly initialize gss_buffer_desc strings such that a call to + freeing resources will succeed even if no data has been allocated + to it. + + Reported-by: Jay Satiro + +- gssapi: improve handling of errors from gss_display_status + + In case gss_display_status() returns an error, avoid trying to add + it to the buffer as the message may well be a NULL pointer. + + Originally this fix comes from a discussion in issue #8816. + + Closes: #8832 + Reviewed-by: Jay Satiro + +steini2000 (12 May 2022) + +- http2: always debug print stream id in decimal with %u + + Prior to this change the stream id shown could be hex or decimal which + was inconsistent and confusing. + + Closes https://github.com/curl/curl/pull/8808 + +Kamil Dudka (11 May 2022) + +- url: remove redundant #ifdefs in allocate_conn() + + No change in behavior intended by this commit. + +Fabian Keil (11 May 2022) + +- tests 266, 116 and 1540: add a small write delay + + This makes it more likely that the trailer is received + seperately from the last-chunk. + + curl doesn't seem to care about this but it makes the tests + more useful when testing external proxies like Privoxy. + +- tests 1117,1238,1523: adjust writedelay servercmds + + ... 
so the delays are the same now that the unit + is in milliseconds. + +- tests/server/sws.c: change the HTTP writedelay unit to milliseconds + + This allows to use write delays for large responses without + resulting in the test taking an unreasonable amount of time. + + In many cases delaying writes by a whole second or more isn't + necessary for the desired effect. + + Closes #8827 + +Daniel Gustafsson (11 May 2022) + +- aws-sigv4: fix potentional NULL pointer arithmetic + + We need to check if the strchr() call returns NULL (due to missing + char) before we use the returned value in arithmetic. There is no + live bug here, but fixing it before it can become for hygiene. + + Closes: #8814 + Reviewed-by: Daniel Stenberg + +Daniel Stenberg (11 May 2022) + +- quiche: support ca-fallback + + Follow-up to b01f3e679f4c1ea3 which added this for ngtcp2/openssl + + Removed from KNOWN_BUGS + + Fixes #8696 + Closes #8830 + +Daniel Gustafsson (11 May 2022) + +- x509asn1: mark msnprintf return as unchecked + + We have lots of unchecked msnprintf calls, and this particular msnprintf + call isn't more interesting than the others, but this one yields a Coverity + warning so let's implicitly silence it. Going over the other invocations + is probably a worthwhile project, but for now let's keep the static + analyzers happy. + + Closes: #8831 + Reviewed-by: Daniel Stenberg + +Version 7.83.1 (11 May 2022) + +Daniel Stenberg (11 May 2022) + +- RELEASE-NOTES: synced + + curl 7.83.1 release + +- THANKS: added contributors from 7.83.1 -- cgit v1.2.3
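Review bot: The added changelog text in this hunk records behaviour changes that the one-line commit message "libcurl: update to 7.87.0" does not surface to anyone building against the vendored library; they should be listed in the commit message or the project's own release notes. Among the entries visible here, "netrc: support quoted strings" carries an upstream WARNING that the change "is not entirely backwards compatible" for passwords that start with a double quote, "ftp: when failing to do a secure GSSAPI login, fail hard" removes the switch to cleartext, "ntlm: provide a fixed fake host name" makes the NTLM host name 'WORKSTATION', "bindlocal: don't use a random port if port number would wrap" stops falling back to a random port, and "opts: deprecate RANDOM_FILE and EGDSOCKET" deprecates two options. Callers that depend on any of the old behaviour need to be checked before this lands. Separately, the hunk header `@@ -1,8865 +1,9874 @@` replaces the whole file, so the text cannot be reviewed line by line from this diff; please confirm that docs/CHANGES is an unmodified copy of the file shipped in the upstream 7.87.0 release.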