From e41e0c05795b60cd749ae038cd96c966ec0c87bb Mon Sep 17 00:00:00 2001 From: dartraiden Date: Wed, 27 Mar 2019 17:53:10 +0300 Subject: libcurl: update to 7.64.1 --- libs/libcurl/docs/CHANGES | 10955 +++++++++++++++++++++++--------------------- 1 file changed, 5609 insertions(+), 5346 deletions(-) (limited to 'libs/libcurl/docs/CHANGES') diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES index b03c666643..b924571db6 100644 --- a/libs/libcurl/docs/CHANGES +++ b/libs/libcurl/docs/CHANGES 
@@ -6,7744 +6,8007 @@ Changelog -Version 7.64.0 (6 Feb 2019) - -Daniel Stenberg (6 Feb 2019) -- RELEASE-NOTES: 7.64.0 +Version 7.64.1 (27 Mar 2019) -- RELEASE-PROCEDURE: update the release calendar - -- THANKS: 7.64.0 status +Daniel Stenberg (27 Mar 2019) +- RELEASE: 7.64.1 -Daniel Gustafsson (5 Feb 2019) -- ROADMAP: remove already performed item +- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" - Commit 7a09b52c98ac8d840a8a9907b1a1d9a9e684bcf5 introduced support - for the draft-ietf-httpbis-cookie-alone-01 cookie draft, and while - the entry was removed from the TODO it was mistakenly left here. - Fix by removing and rewording the entry slightly. + This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. - Closes #3530 - Reviewed-by: Daniel Stenberg + Fixes #3708 -- [Etienne Simard brought this change] +- [Christian Schmitz brought this change] - CONTRIBUTE.md: Fix grammatical errors - - Fix grammatical errors making the document read better. Also fixes - a typo. + ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set - Closes #3525 - Reviewed-by: Daniel Gustafsson - -Daniel Stenberg (4 Feb 2019) -- [Julian Z brought this change] + Closes #3704 - docs: use $(INSTALL_DATA) to install man page +Jay Satiro (26 Mar 2019) +- tool_cb_wrt: fix writing to Windows null device NUL - Fixes #3518 - Closes #3522 + - Improve console detection. + + Prior to this change WriteConsole could be called to write to a handle + that may not be a console, which would cause an error. This issue is + limited to character devices that are not also consoles such as the null + device NUL. + + Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 + Reported-by: Gisle Vanem -Jay Satiro (4 Feb 2019) -- [Ladar Levison brought this change] +- CURLMOPT_PIPELINING.3: fix typo - runtests.pl: Fix perl call to include srcdir +Daniel Stenberg (25 Mar 2019) +- TODO: config file parsing - - Use explicit include opt for perl calls. 
+ Closes #3698 + +Jay Satiro (24 Mar 2019) +- os400: Disable Alt-Svc by default since it's experimental - Prior to this change some scripts couldn't find their dependencies. + Follow-up to 520f0b4 which added Alt-Svc support and enabled it by + default for OS400. Since the feature is experimental, it should be + disabled by default. - At the top, perl is called using with the "-Isrcdir" option, and it - works: + Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 + Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html - https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L183 + Closes https://github.com/curl/curl/pull/3688 + +Dan Fandrich (24 Mar 2019) +- tests: Fixed XML validation errors in some test files. + +- tests: Fix some incorrect precheck error messages. - But on line 3868, that option is omitted. This caused problems for me, - as the symbol-scan.pl script in particular couldn't find its - dependencies properly: + [ci skip] + +Daniel Stenberg (22 Mar 2019) +- curl_url.3: this is not experimental anymore + +- travis: bump the used wolfSSL version to 4.0.0 - https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L3868 + Test 311 is now fine, leaving only 313 (CRL) disabled. - This patch fixes that oversight by making calls to perl sub-shells - uniform. + Test 313 details can be found here: + https://github.com/wolfSSL/wolfssl/issues/1546 - Closes https://github.com/curl/curl/pull/3496 + Closes #3697 -Daniel Stenberg (4 Feb 2019) -- [Daniel Gustafsson brought this change] +Daniel Gustafsson (22 Mar 2019) +- lib: Fix typos in comments - smtp: avoid risk of buffer overflow in strtol +David Woodhouse (20 Mar 2019) +- openssl: if cert type is ENG and no key specified, key is ENG too - If the incoming len 5, but the buffer does not have a termination - after 5 bytes, the strtol() call may keep reading through the line - buffer until is exceeds its boundary. 
Fix by ensuring that we are - using a bounded read with a temporary buffer on the stack. - - Bug: https://curl.haxx.se/docs/CVE-2019-3823.html - Reported-by: Brian Carpenter (Geeknik Labs) - CVE-2019-3823 + Fixes #3692 + Closes #3692 -- ntlm: fix *_type3_message size check to avoid buffer overflow +Daniel Stenberg (20 Mar 2019) +- sectransp: tvOS 11 is required for ALPN support - Bug: https://curl.haxx.se/docs/CVE-2019-3822.html - Reported-by: Wenxiang Qian - CVE-2019-3822 + Reported-by: nianxuejie on github + Assisted-by: Nick Zitzmann + Assisted-by: Jay Satiro + Fixes #3689 + Closes #3690 -- NTLM: fix size check condition for type2 received data +- test1541: threaded connection sharing - Bug: https://curl.haxx.se/docs/CVE-2018-16890.html - Reported-by: Wenxiang Qian - CVE-2018-16890 + The threaded-shared-conn.c example turned into test case. Only works if + pthread was detected. + + An attempt to detect future regressions such as e3a53e3efb942a5 + + Closes #3687 -Marcel Raad (1 Feb 2019) -- [georgeok brought this change] +Patrick Monnerat (17 Mar 2019) +- os400: alt-svc support. + + Although experimental, enable it in the platform config file. + Upgrade ILE/RPG binding. - spnego_sspi: add support for channel binding +Daniel Stenberg (17 Mar 2019) +- conncache: use conn->data to know if a transfer owns it - Attempt to add support for Secure Channel binding when negotiate - authentication is used. The problem to solve is that by default IIS - accepts channel binding and curl doesn't utilise them. The result was a - 401 response. Scope affects only the Schannel(winssl)-SSPI combination. + - make sure an already "owned" connection isn't returned unless + multiplexed. 
- Fixes https://github.com/curl/curl/issues/3503 - Closes https://github.com/curl/curl/pull/3509 + - clear ->data when returning the connection to the cache again + + Regression since 7.62.0 (probably in commit 1b76c38904f0) + + Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html + + Closes #3686 -Daniel Stenberg (1 Feb 2019) - RELEASE-NOTES: synced -- schannel: stop calling it "winssl" +- [Chris Young brought this change] + + configure: add --with-amissl - Stick to "Schannel" everywhere. The configure option --with-winssl is - kept to allow existing builds to work but --with-schannel is added as an - alias. + AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. + It also requires all programs using it to use bsdsocket.library + directly, rather than accessing socket functions through clib, which + libcurl was not necessarily doing previously. Configure will now check + for the headers and ensure they are included if found. - Closes #3504 + Closes #3677 -- multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time - - To make sure Curl_timeleft() also thinks the timeout has been reached - when one of the EXPIRE_*TIMEOUTs expires. +- [Chris Young brought this change] + + vtls: rename some of the SSL functions - Bug: https://curl.haxx.se/mail/lib-2019-01/0073.html - Reported-by: Zhao Yisha - Closes #3501 + ... in the SSL structure as AmiSSL is using macros for the socket API + functions. -- [John Marshall brought this change] +- [Chris Young brought this change] - doc: use meaningless port number in CURLOPT_LOCALPORT example + tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr + +- [Chris Young brought this change] + + tool_operate: build on AmigaOS + +- makefile: make checksrc and hugefile commands "silent" - Use an ephemeral port number here; previously the example had 8080 - which could be confusing as the common web server port number might - be misinterpreted as suggesting this option affects the remote port. 
+ ... to match the style already used for compiling, linking + etc. Acknowledges 'make V=1' to enable verbose. - URL: https://curl.haxx.se/mail/lib-2019-01/0084.html - Closes #3513 - -GitHub (29 Jan 2019) -- [Gisle Vanem brought this change] + Closes #3681 - Escape the '\' +- curl.1: --user and --proxy-user are hidden from ps output - A backslash should be escaped in Roff / Troff. + Suggested-by: Eric Curtin + Improved-by: Dan Fandrich + Ref: #3680 + + Closes #3683 -Jay Satiro (29 Jan 2019) -- TODO: WinSSL: 'Add option to disable client cert auto-send' +- curl.1: mark the argument to --cookie as - By default WinSSL selects and send a client certificate automatically, - but for privacy and consistency we should offer an option to disable the - default auto-send behavior. + From a discussion in #3676 - Reported-by: Jeroen Ooms + Suggested-by: Tim Rühsen - Closes https://github.com/curl/curl/issues/2262 + Closes #3682 -Daniel Stenberg (28 Jan 2019) -- [Jeremie Rapin brought this change] +Dan Fandrich (14 Mar 2019) +- fuzzer: Only clone the latest fuzzer code, for speed. - sigpipe: if mbedTLS is used, ignore SIGPIPE - - mbedTLS doesn't have a sigpipe management. If a write/read occurs when - the remote closes the socket, the signal is raised and kills the - application. Use the curl mecanisms fix this behavior. +Daniel Stenberg (14 Mar 2019) +- [Dominik Hölzl brought this change] + + Negotiate: fix for HTTP POST with Negotiate - 
Signed-off-by: Jeremie Rapin + * Adjusted unit tests 2056, 2057 + * do not generally close connections with CURLAUTH_NEGOTIATE after every request + * moved negotiatedata from UrlState to connectdata + * Added stream rewind logic for CURLAUTH_NEGOTIATE + * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC + * Consider authproblem state for CURLAUTH_NEGOTIATE + * Consider reuse_forbid for CURLAUTH_NEGOTIATE + * moved and adjusted negotiate authentication state handling from + output_auth_headers into Curl_output_negotiate + * Curl_output_negotiate: ensure auth done is always set + * Curl_output_negotiate: Set auth done also if result code is + GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may + also indicate the last challenge request (only works with disabled + Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) + * Consider "Persistent-Auth" header, detect if not present; + Reset/Cleanup negotiate after authentication if no persistent + authentication + * apply changes introduced with #2546 for negotiate rewind logic - Closes #3502 - -- unit1653: make it survive torture tests + Fixes #1261 + Closes #1975 -Jay Satiro (28 Jan 2019) -- [Michael Kujawa brought this change] +- [Marc Schlatter brought this change] - timeval: Disable MSVC Analyzer GetTickCount warning + http: send payload when (proxy) authentication is done - Compiling with msvc /analyze and a recent Windows SDK warns against - using GetTickCount (Suggests to use GetTickCount64 instead.) + The check that prevents payload from sending in case of authentication + doesn't check properly if the authentication is done or not. - Since GetTickCount is only being used when GetTickCount64 isn't - available, I am disabling that warning. + They're cases where the proxy respond "200 OK" before sending + authentication challenge. This change takes care of that. 
- Fixes https://github.com/curl/curl/issues/3437 - Closes https://github.com/curl/curl/pull/3440 + Fixes #2431 + Closes #3669 -Daniel Stenberg (26 Jan 2019) -- configure: rewrite --enable-code-coverage +- file: fix "Checking if unsigned variable 'readcount' is less than zero." - The previously used ax_code_coverage.m4 is not license compatible and - must not be used. + Pointed out by codacy - Reported-by: William A. Rowe Jr - Fixes #3497 - Closes #3499 - -- [Felix Hädicke brought this change] + Closes #3672 - setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh +- memdebug: log pointer before freeing its data - CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for - libssh as well. So accepting these options only when compiling with - libssh2 is wrong here. + Coverity warned for two potentional "Use after free" cases. Both are false + positives because the memory wasn't used, it was only the actual pointer + value that was logged. - Fixes #3493 - Closes #3494 + The fix still changes the order of execution to avoid the warnings. + + Coverity CID 1443033 and 1443034 + + Closes #3671 -- [Felix Hädicke brought this change] +- RELEASE-NOTES: synced - libssh: do not let libssh create socket +Marcel Raad (12 Mar 2019) +- travis: actually use updated compiler versions - By default, libssh creates a new socket, instead of using the socket - created by curl for SSH connections. + For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the + new GCC versions were only used for the coverage build and for building + nghttp2, while the new clang version was not used at all. - Pass the socket created by curl to libssh using ssh_options_set() with - SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket - instead of creating a new one. + BoringSSL needs to use the default GCC as it respects CC, but not CXX, + so it would otherwise pass gcc 8 options to g++ 4.8 and fail. 
- This approach is very similar to what is done in the libssh2 code, where - the socket created by curl is passed to libssh2 when - libssh2_session_startup() is called. + Also remove GCC 7, it's not needed anymore. - Fixes #3491 - Closes #3495 + Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning + + Closes https://github.com/curl/curl/pull/3670 -- RELEASE-NOTES: synced +- travis: update clang to version 7 + + Closes https://github.com/curl/curl/pull/3670 -- [Archangel_SDY brought this change] +Jay Satiro (11 Mar 2019) +- [Andre Guibert de Bruet brought this change] - schannel: preserve original certificate path parameter + examples/externalsocket: add missing close socket calls - Fixes #3480 - Closes #3487 - -- KNOWN_BUGS: tests not compatible with python3 + .. and for Windows also call WSACleanup since we call WSAStartup. - Closes #3289 - [skip ci] + The example is to demonstrate handling the socket independently of + libcurl. In this case libcurl is not responsible for creating, opening + or closing the socket, it is handled by the application (our example). + + Fixes https://github.com/curl/curl/pull/3663 -Daniel Gustafsson (20 Jan 2019) -- memcmp: avoid doing single char memcmp +Daniel Stenberg (11 Mar 2019) +- multi: removed unused code for request retries - There is no real gain in performing memcmp() comparisons on single - characters, so change these to array subscript inspections which - saves a call and makes the code clearer. + This code was once used for the non multi-interface using code path, but + ever since easy_perform was turned into a wrapper around the multi + interface, this code path never runs. 
- Closes #3486 - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro + Closes #3666 -Daniel Stenberg (19 Jan 2019) -- COPYING: it's 2019 +Jay Satiro (11 Mar 2019) +- doh: inherit some SSL options from user's easy handle - [skip ci] - -- [hhb brought this change] - - configure: fix recv/send/select detection on Android + - Inherit SSL options for the doh handle but not SSL client certs, + SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, + SSL pinned public key, SSL ciphers, SSL id cache setting, + SSL kerberos or SSL gss-api settings. - This reverts commit d4f25201fb7da03fc88f90d51101beb3d0026db9. + - Fix inheritance of verbose setting. - The overloadable attribute is removed again starting from - NDK17. Actually they only exist in two NDK versions (15 and 16). With - overloadable, the first condition tried will succeed. Results in wrong - detection result. + - Inherit NOSIGNAL. - Closes #3484 + There is no way for the user to set options for the doh (DNS-over-HTTPS) + handles and instead we inherit some options from the user's easy handle. + + My thinking for the SSL options not inherited is they are most likely + not intended by the user for the DOH transfer. I did inherit insecure + because I think that should still be in control of the user. + + Prior to this change doh did not work for me because CAINFO was not + inherited. Also verbose was set always which AFAICT was a bug (#3660). + + Fixes https://github.com/curl/curl/issues/3660 + Closes https://github.com/curl/curl/pull/3661 -Marcel Raad (19 Jan 2019) -- [georgeok brought this change] +Daniel Stenberg (9 Mar 2019) +- test331: verify set-cookie for dotless host name + + Reproduced bug #3649 + Closes #3659 - ntlm_sspi: add support for channel binding +- Revert "cookies: extend domain checks to non psl builds" - Windows extended potection (aka ssl channel binding) is required - to login to ntlm IIS endpoint, otherwise the server returns 401 - responses. 
+ This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. - Fixes #3280 - Closes #3321 + Regression shipped in 7.64.0 + Fixes #3649 -Daniel Stenberg (18 Jan 2019) -- schannel: on connection close there might not be a transfer +- memdebug: make debug-specific functions use curl_dbg_ prefix - Reported-by: Marcel Raad - Fixes #3412 - Closes #3483 - -- [Joel Depooter brought this change] + To not "collide" or use up the regular curl_ name space. Also makes them + easier to detect in helper scripts. + + Closes #3656 - ssh: log the libssh2 error message when ssh session startup fails +- cmdline-opts/proxytunnel.d: the option tunnnels all protocols - When a ssh session startup fails, it is useful to know why it has - failed. This commit changes the message from: - "Failure establishing ssh session" - to something like this, for example: - "Failure establishing ssh session: -5, Unable to exchange encryption keys" + Clarify the language and simplify. - Closes #3481 + Reported-by: Daniel Lublin + Closes #3658 -Alessandro Ghedini (16 Jan 2019) -- Fix typo in manpage +- KNOWN_BUGS: Client cert (MTLS) issues with Schannel + + Closes #3145 -Daniel Stenberg (16 Jan 2019) -- RELEASE-NOTES: synced +- ROADMAP: updated to some more current things to work on -Sergei Nikulov (16 Jan 2019) -- cmake: updated check for HAVE_POLL_FINE to match autotools +- tests: fix multiple may be used uninitialized warnings -Daniel Stenberg (16 Jan 2019) -- curl-compilers.m4: check for __ibmxl__ to detect xlclang +- RELEASE-NOTES: synced + +- source: fix two 'nread' may be used uninitialized warnings - Follow-up to 2fa0d57e2e3. The __xlc__ symbol is only defined there if a - particular flag is used for legacy macros. + Both seem to be false positives but we don't like warnings. - Fixes #3474 - Closes #3479 + Closes #3646 -- openssl: fix the SSL_get_tlsext_status_ocsp_resp call +- gopher: remove check for path == NULL - .... 
to not pass in a const in the second argument as that's not how it - is supposed to be used and might cause compiler warnings. + Since it can't be NULL and it makes Coverity believe we lack proper NULL + checks. Verified by test 659, landed in commit 15401fa886b. - Reported-by: Pavel Pavlov - Fixes #3477 - Closes #3478 + Pointed out by Coverity CID 1442746. + + Assisted-by: Dan Fandrich + Fixes #3617 + Closes #3642 -- curl-compilers.m4: detect xlclang +- examples: only include - Since it isn't totally clang compatible, we detect this IBM clang - front-end and if detected, avoids some clang specific magic. + That's the only public curl header we should encourage use of. - Reported-by: Kees Dekker - Fixes #3474 - Closes #3476 + Reviewed-by: Marcel Raad + Closes #3645 -- README: add codacy code quality badge +- ssh: loop the state machine if not done and not blocking - [skip ci] + If the state machine isn't complete, didn't fail and it didn't return + due to blocking it can just as well loop again. + + This addresses the problem with SFTP directory listings where we would + otherwise return back to the parent and as the multi state machine + doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the + doing phase isn't complete, it would return out when in reality there + was more data to deal with. + + Fixes #3506 + Closes #3644 -- extract_if_dead: follow-up to 54b201b48c90a +Jay Satiro (5 Mar 2019) +- multi: support verbose conncache closure handle - extract_if_dead() dead is called from two functions, and only one of - them should get conn->data updated and now neither call path clears it. + - Change closure handle to receive verbose setting from the easy handle + most recently added via curl_multi_add_handle. - scan-build found a case where conn->data would be NULL dereferenced in - ConnectionExists() otherwise. + The closure handle is a special easy handle used for closing cached + connections. 
It receives limited settings from the easy handle most + recently added to the multi handle. Prior to this change that did not + include verbose which was a problem because on connection shutdown + verbose mode was not acknowledged. - Closes #3473 + Ref: https://github.com/curl/curl/pull/3598 + + Co-authored-by: Daniel Stenberg + + Closes https://github.com/curl/curl/pull/3618 -- multi: remove "Dead assignment" +Daniel Stenberg (4 Mar 2019) +- CURLU: fix NULL dereference when used over proxy - Found by scan-build. Follow-up to 4c35574bb785ce. + Test 659 verifies - Closes #3471 + Also fixed the test 658 name + + Closes #3641 -- tests: move objnames-* from lib into tests +- altsvc_out: check the return code from Curl_gmtime - Since they're used purely for testing purposes, I think they should - rather be stored there. + Pointed out by Coverity, CID 1442956. - Closes #3470 + Closes #3640 -Sergei Nikulov (15 Jan 2019) -- travis: added cmake build for osx +- docs/ALTSVC.md: docs describing the approach + + Closes #3498 -Daniel Stenberg (14 Jan 2019) -- [Frank Gevaerts brought this change] +- alt-svc: add a travis build - cookie: fix comment typo (url_path_len -> uri_path_len) - - Closes #3469 +- alt-svc: add test 355 and 356 to verify with command line curl -Marcel Raad (14 Jan 2019) -- winbuild: conditionally use /DZLIB_WINAPI +- alt-svc: the curl command line bits + +- alt-svc: the libcurl bits + +- travis: add build using gnutls - zlibwapi.lib (dynamic library) and zlibstat.lib (static library) have - the ZLIB_WINAPI define set by default. Using them requires that define - too. 
+ Closes #3637 + +- RELEASE-NOTES: synced + +- [Simon Legner brought this change] + + scripts/completion.pl: also generate fish completion file - Ref: https://zlib.net/DLL_FAQ.txt + This is the renamed script formerly known as zsh.pl - Fixes https://github.com/curl/curl/issues/3133 - Closes https://github.com/curl/curl/pull/3460 + Closes #3545 -Daniel Stenberg (14 Jan 2019) -- src/Makefile: make 'tidy' target work for metalink builds +- gnutls: remove call to deprecated gnutls_compression_get_name + + It has been deprecated by GnuTLS since a year ago and now causes build + warnings. + + Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f + Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html + + Closes #3636 -- extract_if_dead: use a known working transfer when checking connections +Jay Satiro (2 Mar 2019) +- system_win32: move win32_init here from easy.c - Make sure that this function sets a proper "live" transfer for the - connection before calling the protocol-specific connection check - function, and then clear it again afterward as a non-used connection has - no current transfer. + .. since system_win32 is a more appropriate location for the functions + and to extern the globals. 
- Reported-by: Jeroen Ooms - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Gustafsson - Fixes #3463 - Closes #3464 + Ref: https://github.com/curl/curl/commit/ca597ad#r32446578 + Reported-by: Gisle Vanem + + Closes https://github.com/curl/curl/pull/3625 -- openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated +Daniel Stenberg (1 Mar 2019) +- curl_easy_duphandle.3: clarify that a duped handle has no shares - OpenSSL_version() replaces OpenSSL_version_num() + Reported-by: Sara Golemon - Closes #3462 + Fixes #3592 + Closes #3634 -Sergei Nikulov (11 Jan 2019) -- cmake: added checks for HAVE_VARIADIC_MACROS_C99 and HAVE_VARIADIC_MACROS_GCC +- 10-at-a-time.c: fix too long line -Daniel Stenberg (11 Jan 2019) -- urldata: rename easy_conn to just conn +- [Arnaud Rebillout brought this change] + + examples: various fixes in ephiperfifo.c - We use "conn" everywhere to be a pointer to the connection. + The main change here is the timer value that was wrong, it was given in + usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 * + 1000). This resulted in the callback being invoked WAY TOO OFTEN. - Introduces two functions that "attaches" and "detaches" the connection - to and from the transfer. + As a quick check you can run this command before and after applying this + commit: - Going forward, we should favour using "data->conn" (since a transfer - always only has a single connection or none at all) to "conn->data" - (since a connection can have none, one or many transfers associated with - it and updating conn->data to be correct is error prone and a frequent - reason for internal issues). + # shell 1 + ./ephiperfifo 2>&1 | tee ephiperfifo.log + # shell 2 + echo http://hacking.elboulangero.com > hiper.fifo - Closes #3442 + Then just compare the size of the logs files. + + Closes #3633 + Fixes #3632 + 
Signed-off-by: Arnaud Rebillout -- tool_cb_prg: avoid integer overflow +- urldata: simplify bytecounters - When calculating the progress bar width. + - no need to have them protocol specific - Reported-by: Peng Li - Fixes #3456 - Closes #3458 - -Daniel Gustafsson (11 Jan 2019) -- travis: turn off copyright year checks in checksrc + - no need to set pointers to them with the Curl_setup_transfer() call - Invoking the maintainer intended COPYRIGHTYEAR check for everyone - in the PR pipeline is too invasive, especially at the turn of the - year when many files get affected. Remove and leave it as a tool - for maintainers to verify patches before commits. + - make Curl_setup_transfer() operate on a transfer pointer, not + connection - This reverts f7bdf4b2e1d81b2652b81b9b3029927589273b41. + - switch some counters from long to the more proper curl_off_t type - After discussion with: Daniel Stenberg + Closes #3627 -Daniel Stenberg (10 Jan 2019) -- KNOWN_BUGS: cmake makes unusable tool_hugehelp.c with MinGW +- examples/10-at-a-time.c: improve readability and simplify - Closes #3125 + - use better variable names to explain their purposes + - convert logic to curl_multi_wait() -- KNOWN_BUGS: Improve --data-urlencode space encoding +- threaded-resolver: shutdown the resolver thread without error message - Closes #3229 + When a transfer is done, the resolver thread will be brought down. That + could accidentally generate an error message in the error buffer even + though this is not an error situationand the transfer would still return + OK. An application that still reads the error buffer could find a + "Could not resolve host: [host name]" message there and get confused. 
+ + Reported-by: Michael Schmid + Fixes #3629 + Closes #3630 -Patrick Monnerat (10 Jan 2019) -- os400: add a missing closing bracket +- [Ԝеѕ brought this change] + + docs: update max-redirs.d phrasing - See https://github.com/curl/curl/issues/3453#issuecomment-453054458 + clarify redir - "in absurdum" doesn't seem to make sense in this context - Reported-by: jonrumsey on github + Closes #3631 -- os400: fix extra parameter syntax error. +- ssh: fix Condition '!status' is always true - Reported-by: jonrumsey on github - Closes #3453 - -Daniel Stenberg (10 Jan 2019) -- test1558: verify CURLINFO_PROTOCOL on file:// transfer + in the same sftp_done function in both SSH backends. Simplify them + somewhat. - Attempt to reproduce issue #3444. + Pointed out by Codacy. - Closes #3447 + Closes #3628 -- RELEASE-NOTES: synced +- test578: make it read data from the correct test -- xattr: strip credentials from any URL that is stored +- Curl_easy: remove req.maxfd - never used! - Both user and password are cleared uncondtitionally. - - Added unit test 1621 to verify. + Introduced in 8b6314ccfb, but not used anymore in current code. Unclear + since when. - Fixes #3423 - Closes #3433 + Closes #3626 -- cookies: allow secure override when done over HTTPS +- http: set state.infilesize when sending formposts - Added test 1562 to verify. + Without it set, we would unwillingly triger the "HTTP error before end + of send, stop sending" condition even if the entire POST body had been + sent (since it wouldn't know the expected size) which would + unnecessarily log that message and close the connection when it didn't + have to. 
- Reported-by: Jeroen Ooms - Fixes #3445 - Closes #3450 + Reported-by: Matt McClure + Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html + Closes #3624 -- multi: multiplexing improvements +- INSTALL: refer to the current TLS library names and configure options + +- FAQ: minor updates and spelling fixes + +- GOVERNANCE.md: minor spelling fixes + +- Secure Transport: no more "darwinssl" - Fixes #3436 - Closes #3448 + Everyone calls it Secure Transport, now we do too. - Problem 1 + Reviewed-by: Nick Zitzmann - After LOTS of scratching my head, I eventually realized that even when doing - 10 uploads in parallel, sometimes the socket callback to the application that - tells it what to wait for on the socket, looked like it would reflect the - status of just the single transfer that just changed state. + Closes #3619 + +Marcel Raad (27 Feb 2019) +- AppVeyor: add classic MinGW build - Digging into the code revealed that this was indeed the truth. When multiple - transfers are using the same connection, the application did not correctly get - the *combined* flags for all transfers which then could make it switch to READ - (only) when in fact most transfers wanted to get told when the socket was - WRITEABLE. + But use the MSYS2 shell rather than the default MSYS shell because of + POSIX path conversion issues. Classic MinGW is only available on the + Visual Studio 2015 image. - Problem 1b + Closes https://github.com/curl/curl/pull/3623 + +- AppVeyor: add MinGW-w64 build - A separate but related regression had also been introduced by me when I - cleared connection/transfer association better a while ago, as now the logic - couldn't find the connection and see if that was marked as used by more - transfers and then it would also prematurely remove the socket from the socket - hash table even in times other transfers were still using it! + Add a MinGW-w64 build using CMake's MSYS Makefiles generator. 
+ Use the Visual Studio 2015 image as it has GCC 8, while the + Visual Studio 2017 image only has GCC 7.2. - Fix 1 + Closes https://github.com/curl/curl/pull/3623 + +Daniel Stenberg (27 Feb 2019) +- cookies: only save the cookie file if the engine is enabled - Make sure that each socket stored in the socket hash has a "combined" action - field of what to ask the application to wait for, that is potentially the ORed - action of multiple parallel transfers. And remove that socket hash entry only - if there are no transfers left using it. + Follow-up to 8eddb8f4259. - Problem 2 + If the cookieinfo pointer is NULL there really is nothing to save. - The socket hash entry stored an association to a single transfer using that - socket - and when curl_multi_socket_action() was called to tell libcurl about - activities on that specific socket only that transfer was "handled". + Without this fix, we got a problem when a handle was using shared object + with cookies and is told to "FLUSH" it to file (which worked) and then + the share object was removed and when the easy handle was closed just + afterwards it has no cookieinfo and no cookies so it decided to save an + empty jar (overwriting the file just flushed). - This was WRONG, as a single socket/connection can be used by numerous parallel - transfers and not necessarily a single one. + Test 1905 now verifies that this works. - Fix 2 + Assisted-by: Michael Wallner + Assisted-by: Marcel Raad - We now store a list of handles in the socket hashtable entry and when libcurl - is told there's traffic for a particular socket, it now iterates over all - known transfers using that single socket. 
+ Closes #3621 -- test1561: improve test name +- [DaVieS brought this change] + + cacertinmem.c: use multiple certificates for loading CA-chain - [skip ci] + Closes #3421 -- [Katsuhiko YOSHIDA brought this change] +- urldata: convert bools to bitfields and move to end + + This allows the compiler to pack and align the structs better in + memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 + makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. + + Removed an unused struct field. + + No functionality changes. + + Closes #3610 - cookies: skip custom cookies when redirecting cross-site +- [Don J Olmstead brought this change] + + curl.h: use __has_declspec_attribute for shared builds - Closes #3417 + Closes #3616 -- THANKS: fixups and a dedupe +- curl: display --version features sorted alphabetically - [skip ci] + Closes #3611 -- timediff: fix math for unsigned time_t +- runtests: detect "schannel" as an alias for "winssl" - Bug: https://curl.haxx.se/mail/lib-2018-12/0088.html + Follow-up to 180501cb02 - Closes #3449 - -- [Bernhard M. Wiedemann brought this change] + Reported-by: Marcel Raad + Fixes #3609 + Closes #3620 - tests: allow tests to pass by 2037-02-12 +Marcel Raad (26 Feb 2019) +- AppVeyor: update to Visual Studio 2017 - similar to commit f508d29f3902104018 + Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a + moving target anymore as the last update, Update 9, has been released. - Closes #3443 - -- RELEASE-NOTES: synced + Closes https://github.com/curl/curl/pull/3606 -- [Brad Spencer brought this change] +- AppVeyor: switch VS 2015 builds to VS 2017 image + + The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed. 
+ + Closes https://github.com/curl/curl/pull/3606 - curl_multi_remove_handle() don't block terminating c-ares requests +- AppVeyor: explicitly select worker image - Added Curl_resolver_kill() for all three resolver modes, which only - blocks when necessary, along with test 1592 to confirm - curl_multi_remove_handle() doesn't block unless it must. + Currently, we're using the default Visual Studio 2015 image for + everything. - Closes #3428 - Fixes #3371 + Closes https://github.com/curl/curl/pull/3606 -- Revert "http_negotiate: do not close connection until negotiation is completed" +Daniel Stenberg (26 Feb 2019) +- strerror: make the strerror function use local buffers - This reverts commit 07ebaf837843124ee670e5b8c218b80b92e06e47. + Instead of using a fixed 256 byte buffer in the connectdata struct. - This also reopens PR #3275 which brought the change now reverted. + In my build, this reduces the size of the connectdata struct by 11.8%, + from 2160 to 1904 bytes with no functionality or performance loss. - Fixes #3384 - Closes #3439 - -- curl/urlapi.h: include "curl.h" first + This also fixes a bug in schannel's Curl_verify_certificate where it + called Curl_sspi_strerror when it should have called Curl_strerror for + string from GetLastError. the only effect would have been no text or the + wrong text being shown for the error. - This allows programs to include curl/urlapi.h directly. 
+ Co-authored-by: Jay Satiro - Reviewed-by: Daniel Gustafsson - Reported-by: Ben Kohler - Fixes #3438 - Closes #3441 + Closes #3612 -Marcel Raad (6 Jan 2019) -- VS projects: fix build warning +- [Michael Wallner brought this change] + + cookies: fix NULL dereference if flushing cookies with no CookieInfo set - Starting with Visual Studio 2017 Update 9, Visual Studio doesn't like - the MinimalRebuild option anymore and warns: + Regression brought by a52e46f3900fb0 (shipped in 7.63.0) - cl : Command line warning D9035: option 'Gm' has been deprecated and - will be removed in a future release + Closes #3613 + +Marcel Raad (26 Feb 2019) +- AppVeyor: re-enable test 500 - The option can be safely removed so that the default is used. + It's passing now. - Closes https://github.com/curl/curl/pull/3425 + Closes https://github.com/curl/curl/pull/3615 -- schannel: fix compiler warning +- AppVeyor: remove redundant builds - When building with Unicode on MSVC, the compiler warns about freeing a - pointer to const in Curl_unicodefree. Fix this by declaring it as - non-const and casting the argument to Curl_convert_UTF8_to_tchar to - non-const too, like we do in all other places. + Remove the Visual Studio 2012 and 2013 builds as they add little value. - Closes https://github.com/curl/curl/pull/3435 + Ref: https://github.com/curl/curl/pull/3606 + Closes https://github.com/curl/curl/pull/3614 -Daniel Stenberg (4 Jan 2019) -- [Rikard Falkeborn brought this change] - - printf: introduce CURL_FORMAT_TIMEDIFF_T +Daniel Stenberg (25 Feb 2019) +- RELEASE-NOTES: synced -- [Rikard Falkeborn brought this change] +- [Bernd Mueller brought this change] - printf: fix format specifiers + OpenSSL: add support for TLS ASYNC state - Closes #3426 + Closes #3591 -- libtest/stub_gssapi: use "real" snprintf +Jay Satiro (25 Feb 2019) +- [Michael Felt brought this change] + + acinclude: add additional libraries to check for LDAP support - ... since it doesn't link with libcurl. 
+ - Add an additional check for LDAP that also checks for OpenSSL since + on AIX those libraries may be required to link LDAP properly. - Reverts the commit dcd6f81025 changes from this file. + Fixes https://github.com/curl/curl/issues/3595 + Closes https://github.com/curl/curl/pull/3596 + +- [georgeok brought this change] + + schannel: support CALG_ECDH_EPHEM algorithm - Bug: https://curl.haxx.se/mail/lib-2019-01/0000.html - Reported-by: Shlomi Fish - Reviewed-by: Daniel Gustafsson - Reviewed-by: Kamil Dudka + Add support for Ephemeral elliptic curve Diffie-Hellman key exchange + algorithm option when selecting ciphers. This became available on the + Win10 SDK. - Closes #3434 + Closes https://github.com/curl/curl/pull/3608 -- INTERNALS: correct some outdated function names +Daniel Stenberg (24 Feb 2019) +- multi: call multi_done on connect timeouts - Closes #3431 + Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get + updated correctly and could end up getting reported to the application + completely wrong (way too small). + + Reported-by: accountantM on github + Fixes #3602 + Closes #3605 -- docs/version.d: mention MultiSSL +- examples: remove recursive calls to curl_multi_socket_action - Reviewed-by: Daniel Gustafsson - Closes #3432 + From within the timer callbacks. Recursive is problematic for several + reasons. They should still work, but this way the examples and the + documentation becomes simpler. I don't think we need to encourage + recursive calls. + + Discussed in #3537 + Closes #3601 -Daniel Gustafsson (2 Jan 2019) -- [Rikard Falkeborn brought this change] +Marcel Raad (23 Feb 2019) +- configure: remove CURL_CHECK_FUNC_FDOPEN call + + The macro itself has been removed in commit + 11974ac859c5d82def59e837e0db56fef7f6794e. 
+ + Closes https://github.com/curl/curl/pull/3604 - examples: Update .gitignore +Daniel Stenberg (23 Feb 2019) +- wolfssl: stop custom-adding curves - Add a few missing examples to make `make examples` not leave the - workspace in a dirty state. + since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in + wolfSSL 3.10.2 and later) it sends these curves by default already. - Closes #3427 - Reviewed-by: Daniel Gustafsson + Pointed-out-by: David Garske + + Closes #3599 -- THANKS: add more missing names +- configure: remove the unused fdopen macro - Add Adrian Burcea who made the artwork for the curl://up 2018 event - which was held in Stockholm, Sweden. + and the two remaining #ifdefs for it + + Closes #3600 -- docs: mention potential leak in curl_slist_append +Jay Satiro (22 Feb 2019) +- url: change conn shutdown order to unlink data as last step - When a non-empty list is appended to, and used as the returnvalue, - the list pointer can leak in case of an allocation failure in the - curl_slist_append() call. This is correctly handled in curl code - usage but we weren't explicitly pointing it out in the API call - documentation. Fix by extending the RETURNVALUE manpage section - and example code. + - Split off connection shutdown procedure from Curl_disconnect into new + function conn_shutdown. - Closes #3424 - Reported-by: dnivras on github - Reviewed-by: Daniel Stenberg + - Change the shutdown procedure to close the sockets before + disassociating the transfer. + + Prior to this change the sockets were closed after disassociating the + transfer so SOCKETFUNCTION wasn't called since the transfer was already + disassociated. That likely came about from recent work started in + Jan 2019 (#3442) to separate transfers from connections. 
+ + Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html + Reported-by: Pavel Löbl + + Closes https://github.com/curl/curl/issues/3597 + Closes https://github.com/curl/curl/pull/3598 -Marcel Raad (1 Jan 2019) -- tvnow: silence conversion warnings +Marcel Raad (22 Feb 2019) +- Fix strict-prototypes GCC warning - MinGW-w64 defaults to targeting Windows 7 now, so GetTickCount64 is - used and the milliseconds are represented as unsigned long long, - leading to a compiler warning when implicitly converting them to long. + As seen in the MinGW autobuilds. Caused by commit + f26bc29cfec0be84c67cf74065cf8e5e78fd68b7. -Daniel Stenberg (1 Jan 2019) -- THANKS: dedupe more names +Dan Fandrich (21 Feb 2019) +- tests: Fixed XML validation errors in some test files. + +Daniel Stenberg (20 Feb 2019) +- TODO: Allow SAN names in HTTP/2 server push - Researched-by: Tae Wong + Suggested-by: Nicolas Grekas -Marcel Raad (1 Jan 2019) -- [Markus Moeller brought this change] +- RELEASE-NOTES: synced - ntlm: update selection of type 3 response +- curl: remove MANUAL from -M output - NTLM2 did not work i.e. no NTLMv2 response was created. Changing the - check seems to work. + ... and remove it from the dist tarball. It has served its time, it + barely gets updated anymore and "everything curl" is now convering all + this document once tried to include, and does it more and better. - Ref: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP].pdf + In the compressed scenario, this removes ~15K data from the binary, + which is 25% of the -M output. - Fixes https://github.com/curl/curl/issues/3286 - Closes https://github.com/curl/curl/pull/3287 - Closes https://github.com/curl/curl/pull/3415 + It remains in the git repo for now for as long as the web site builds a + page using that as source. It renders poorly on the site (especially for + mobile users) so its not even good there. 
+ + Closes #3587 -Daniel Stenberg (31 Dec 2018) -- THANKS: added missing names from year <= 2000 +- http2: verify :athority in push promise requests - Due to a report of a missing name in THANKS I manually went through an - old CHANGES.0 file and added many previously missing names here. + RFC 7540 says we should verify that the push is for an "authoritative" + server. We make sure of this by only allowing push with an :athority + header that matches the host that was asked for in the URL. + + Fixes #3577 + Reported-by: Nicolas Grekas + Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html + Closes #3581 -Daniel Gustafsson (30 Dec 2018) -- urlapi: fix parsing ipv6 with zone index +- singlesocket: fix the 'sincebefore' placement - The previous fix for parsing IPv6 URLs with a zone index was a paddle - short for URLs without an explicit port. This patch fixes that case - and adds a unit test case. + The variable wasn't properly reset within the loop and thus could remain + set for sockets that hadn't been set before and miss notifying the app. - This bug was highlighted by issue #3408, and while it's not the full - fix for the problem there it is an isolated bug that should be fixed - regardless. + This is a follow-up to 4c35574 (shipped in curl 7.64.0) - Closes #3411 - Reported-by: GitYuanQu on github - Reviewed-by: Daniel Stenberg + Reported-by: buzo-ffm on github + Detected-by: Jan Alexander Steffens + Fixes #3585 + Closes #3589 -Daniel Stenberg (30 Dec 2018) -- THANKS: dedupe Guenter Knauf +- connection: never reuse CONNECT_ONLY conections - Reported-by: Tae Wong - -- THANKS: missing name from the 6.3.1 release! - -Daniel Gustafsson (27 Dec 2018) -- RELEASE-NOTES: synced + and make CONNECT_ONLY conections never reuse any existing ones either. 
+ + Reported-by: Pavel Löbl + Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html + Closes #3586 -- [Claes Jakobsson brought this change] +Patrick Monnerat (19 Feb 2019) +- cli tool: fix mime post with --disable-libcurl-option configure option + + Reported-by: Marcel Raad + Fixes #3576 + Closes #3583 - hostip: support wildcard hosts +Daniel Stenberg (19 Feb 2019) +- x509asn1: cleanup and unify code layout - This adds support for wildcard hosts in CURLOPT_RESOLVE. These are - try-last so any non-wildcard entry is resolved first. If specified, - any host not matched by another CURLOPT_RESOLVE config will use this - as fallback. + - rename 'n' to buflen in functions, and use size_t for them. Don't pass + in negative buffer lengths. - Example send a.com to 10.0.0.1 and everything else to 10.0.0.2: - curl --resolve *:443:10.0.0.2 --resolve a.com:443:10.0.0.1 \ - https://a.com https://b.com + - move most function comments to above the function starts like we use + to - This is probably quite similar to using: - --connect-to a.com:443:10.0.0.1:443 --connect-to :443:10.0.0.2:443 + - remove several unnecessary typecasts (especially of NULL) - Closes #3406 - Reviewed-by: Daniel Stenberg - -- url: fix incorrect indentation + Reviewed-by: Patrick Monnerat + Closes #3582 -Patrick Monnerat (26 Dec 2018) -- os400: upgrade ILE/RPG binding. +- curl_multi_remove_handle.3: use at any time, just not from within callbacks - - Trailer function support. - - http 0.9 option. - - curl_easy_upkeep. + [ci skip] -Daniel Gustafsson (25 Dec 2018) -- FAQ: remove mention of sourceforge for github +- http: make adding a blank header thread-safe - The project bug tracker is no longer hosted at sourceforge but is now - hosted on the curl Github page. Update the FAQ to reflect. + Previously the function would edit the provided header in-place when a + semicolon is used to signify an empty header. This made it impossible to + use the same set of custom headers in multiple threads simultaneously. 
- Closes #3410 - Reviewed-by: Daniel Stenberg + This approach now makes a local copy when it needs to edit the string. + + Reported-by: d912e3 on github + Fixes #3578 + Closes #3579 -- openvms: fix typos in documentation +- unit1651: survive curl_easy_init() fails -- openvms: fix OpenSSL discovery on VAX - - The DCL code had a typo in one of the commands which would make the - OpenSSL discovery on VAX fail. The correct syntax is F$ENVIRONMENT. - - Closes #3407 - Reviewed-by: Viktor Szakats +- [Frank Gevaerts brought this change] -Daniel Stenberg (24 Dec 2018) -- [Ruslan Baratov brought this change] + rand: Fix a mismatch between comments in source and header. + + Reported-by: Björn Stenberg + Closes #3584 - cmake: use lowercase for function name like the rest of the code +Patrick Monnerat (18 Feb 2019) +- x509asn1: replace single char with an array - Reviewed-by: Sergei Nikulov + Although safe in this context, using a single char as an array may + cause invalid accesses to adjacent memory locations. - closes #3196 + Detected by Coverity. -- Revert "libssh: no data pointer == nothing to do" +Daniel Stenberg (18 Feb 2019) +- examples/http2-serverpush: add some sensible error checks - This reverts commit c98ee5f67f497195c9 since commit f3ce38739fa fixed the - problem in a more generic way. + To avoid NULL pointer dereferences etc in the case of problems. + + Closes #3580 -- disconnect: set conn->data for protocol disconnect +Jay Satiro (18 Feb 2019) +- easy: fix win32 init to work without CURL_GLOBAL_WIN32 - Follow-up to fb445a1e18d: Set conn->data explicitly to point out the - current transfer when invoking the protocol-specific disconnect function - so that it can work correctly. + - Change the behavior of win32_init so that the required initialization + procedures are not affected by CURL_GLOBAL_WIN32 flag. 
- Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12173 - -Jay Satiro (23 Dec 2018) -- [Pavel Pavlov brought this change] + libcurl via curl_global_init supports initializing for win32 with an + optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop + Winsock initialization. It did so internally by skipping win32_init() + when that flag was set. Since then win32_init() has been expanded to + include required initialization routines that are separate from + Winsock and therefore must be called in all cases. This commit fixes + it so that CURL_GLOBAL_WIN32 only controls the optional win32 + initialization (which is Winsock initialization, according to our doc). + + The only users affected by this change are those that don't pass + CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the + risk of a potential crash. + + Ref: https://github.com/curl/curl/pull/3573 + + Fixes https://github.com/curl/curl/issues/3313 + Closes https://github.com/curl/curl/pull/3575 - timeval: Use high resolution timestamps on Windows +Daniel Gustafsson (17 Feb 2019) +- cookie: Add support for cookie prefixes - - Use QueryPerformanceCounter on Windows Vista+ + The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes + and how they should affect cookie initialization, which has been + adopted by the major browsers. This adds support for the two prefixes + defined, __Host- and __Secure, and updates the testcase with the + supplied examples from the draft. - There is confusing info floating around that QueryPerformanceCounter - can leap etc, which might have been true long time ago, but no longer - the case nowadays (perhaps starting from WinXP?). Also, boost and - std::chrono::steady_clock use QueryPerformanceCounter in a similar way. + Closes #3554 + Reviewed-by: Daniel Stenberg + +- mbedtls: release sessionid resources on error - Prior to this change GetTickCount or GetTickCount64 was used, which has - lower resolution. 
That is still the case for <= XP. + If mbedtls_ssl_get_session() fails, it may still have allocated + memory that needs to be freed to avoid leaking. Call the library + API function to release session resources on this errorpath as + well as on Curl_ssl_addsessionid() errors. - Fixes https://github.com/curl/curl/issues/3309 - Closes https://github.com/curl/curl/pull/3318 + Closes: #3574 + Reported-by: Michał Antoniak + Reviewed-by: Daniel Stenberg -Daniel Stenberg (22 Dec 2018) -- libssh: no data pointer == nothing to do +Patrick Monnerat (16 Feb 2019) +- cli tool: refactor encoding conversion sequence for switch case fallthrough. -- conncache_unlock: avoid indirection by changing input argument type +- version.c: silent scan-build even when librtmp is not enabled -- disconnect: separate connections and easy handles better +Daniel Stenberg (15 Feb 2019) +- RELEASE-NOTES: synced + +- Curl_now: figure out windows version in win32_init - Do not assume/store assocation between a given easy handle and the - connection if it can be avoided. + ... and avoid use of static variables that aren't thread safe. - Long-term, the 'conn->data' pointer should probably be removed as it is a - little too error-prone. Still used very widely though. + Fixes regression from e9ababd4f5a (present in the 7.64.0 release) - Reported-by: masbug on github - Fixes #3391 - Closes #3400 + Reported-by: Paul Groke + Fixes #3572 + Closes #3573 -- libssh: free sftp_canonicalize_path() data correctly +Marcel Raad (15 Feb 2019) +- unit1307: just fail without FTP support - Assisted-by: Harry Sintonen + I missed to check this in with commit + 71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test. + This fixes the actual linker error. 
- Fixes #3402 - Closes #3403 - -- RELEASE-NOTES: synced + Closes https://github.com/curl/curl/pull/3568 -- http: added options for allowing HTTP/0.9 responses +Daniel Stenberg (15 Feb 2019) +- travis: enable valgrind for the iconv tests too - Added CURLOPT_HTTP09_ALLOWED and --http0.9 for this purpose. + Closes #3571 + +- travis: add scan-build - For now, both the tool and library allow HTTP/0.9 by default. - docs/DEPRECATE.md lays out the plan for when to reverse that default: 6 - months after the 7.64.0 release. The options are added already now so - that applications/scripts can start using them already now. + Closes #3564 + +- examples/sftpuploadresume: Value stored to 'result' is never read - Fixes #2873 - Closes #3383 + Detected by scan-build -- if2ip: remove unused function Curl_if_is_interface_name +- examples/http2-upload: cleaned up - Closes #3401 + Fix scan-build warnings, no globals, no silly handle scan. Also remove + handles from the multi before cleaning up. -- http2: clear pause stream id if it gets closed +- examples/http2-download: cleaned up - Reported-by: Florian Pritz + To avoid scan-build warnings and global variables. + +- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory' - Fixes #3392 - Closes #3399 + Detected by scan-build -Daniel Gustafsson (20 Dec 2018) -- [David Garske brought this change] +- examples/httpcustomheader: Value stored to 'res' is never read + + Detected by scan-build - wolfssl: Perform cleanup +- examples: remove superfluous null-pointer checks - This adds a cleanup callback for cyassl. Resolves possible memory leak - when using ECC fixed point cache. + in ftpget, ftpsget and sftpget, so that scan-build stops warning for + potential NULL pointer dereference below! 
- Closes #3395 - Reviewed-by: Daniel Stenberg - Reviewed-by: Daniel Gustafsson + Detected by scan-build -Daniel Stenberg (20 Dec 2018) -- mbedtls: follow-up VERIFYHOST fix from f097669248 +- strip_trailing_dot: make sure NULL is never used for strlen - Fix-by: Eric Rosenquist - - Fixes #3376 - Closes #3390 + scan-build warning: Null pointer passed as an argument to a 'nonnull' + parameter -- curlver: bump to 7.64.0 for next release +- [Jay Satiro brought this change] -Daniel Gustafsson (19 Dec 2018) -- cookies: extend domain checks to non psl builds + connection_check: restore original conn->data after the check - Ensure to perform the checks we have to enforce a sane domain in - the cookie request. The check for non-PSL enabled builds is quite - basic but it's better than nothing. + - Save the original conn->data before it's changed to the specified + data transfer for the connection check and then restore it afterwards. - Closes #2964 - Reviewed-by: Daniel Stenberg + This is a follow-up to 38d8e1b 2019-02-11. + + History: + + It was discovered a month ago that before checking whether to extract a + dead connection that that connection should be associated with a "live" + transfer for the check (ie original conn->data ignored and set to the + passed in data). A fix was landed in 54b201b which did that and also + cleared conn->data after the check. The original conn->data was not + restored, so presumably it was thought that a valid conn->data was no + longer needed. + + Several days later it was discovered that a valid conn->data was needed + after the check and follow-up fix was landed in bbae24c which partially + reverted the original fix and attempted to limit the scope of when + conn->data was changed to only when pruning dead connections. In that + case conn->data was not cleared and the original conn->data not + restored. 
+ + A month later it was discovered that the original fix was somewhat + correct; a "live" transfer is needed for the check in all cases + because original conn->data could be null which could cause a bad deref + at arbitrary points in the check. A fix was landed in 38d8e1b which + expanded the scope to all cases. conn->data was not cleared and the + original conn->data not restored. + + A day later it was discovered that not restoring the original conn->data + may lead to busy loops in applications that use the event interface, and + given this observation it's a pretty safe assumption that there is some + code path that still needs the original conn->data. This commit is the + follow-up fix for that, it restores the original conn->data after the + connection check. + + Assisted-by: tholin@users.noreply.github.com + Reported-by: tholin@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/3542 + Closes #3559 -Daniel Stenberg (19 Dec 2018) -- [Matus Uzak brought this change] +- memdebug: bring back curl_mark_sclose + + Used by debug builds with NSS. + + Reverted from 05b100aee247bb - smb: fix incorrect path in request if connection reused +Patrick Monnerat (14 Feb 2019) +- transfer.c: do not compute length of undefined hex buffer. - Follow-up to 09e401e01bf9. If connection gets reused, then data member - will be copied, but not the proto member. As a result, in smb_do(), - path has been set from the original proto.share data. + On non-ascii platforms, the chunked hex header was measured for char code + conversion length, even for chunked trailers that do not have an hex header. + In addition, the efective length is already known: use it. + Since the hex length can be zero, only convert if needed. - Closes #3388 + Reported by valgrind. 
-- curl -J: do not append to the destination file +Daniel Stenberg (14 Feb 2019) +- KNOWN_BUGS: Cannot compile against a static build of OpenLDAP - Reported-by: Kamil Dudka - Fixes #3380 - Closes #3381 + Closes #2367 -- mbedtls: use VERIFYHOST +Patrick Monnerat (14 Feb 2019) +- x509asn1: "Dereference of null pointer" - Previously, VERIFYPEER would enable/disable all checks. + Detected by scan-build (false positive). + +Daniel Stenberg (14 Feb 2019) +- configure: show features as well in the final summary - Reported-by: Eric Rosenquist - Fixes #3376 - Closes #3380 + Closes #3569 -- pingpong: change default response timeout to 120 seconds +- KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10 - Previously it was 30 minutes + Closes #2905 -- pingpong: ignore regular timeout in disconnect phase +- KNOWN_BUGS: Deflate error after all content was received - The timeout set with CURLOPT_TIMEOUT is no longer used when - disconnecting from one of the pingpong protocols (FTP, IMAP, SMTP, - POP3). + Closes #2719 + +- gssapi: fix deprecated header warnings - Reported-by: jasal82 on github + Heimdal includes on FreeBSD spewed out lots of them. Less so now. - Fixes #3264 - Closes #3374 + Closes #3566 -- TODO: Windows: set attribute 'archive' for completed downloads +- TODO: Upgrade to websockets - Closes #3354 + Closes #3523 -- RELEASE-NOTES: synced +- TODO: cmake test suite improvements + + Closes #3109 -- http: minor whitespace cleanup from f464535b +Patrick Monnerat (13 Feb 2019) +- curl: "Dereference of null pointer" + + Rephrase to satisfy scan-build. -- [Ayoub Boudhar brought this change] - - http: Implement trailing headers for chunked transfers +Marcel Raad (13 Feb 2019) +- unit1307: require FTP support - This adds the CURLOPT_TRAILERDATA and CURLOPT_TRAILERFUNCTION - options that allow a callback based approach to sending trailing headers - with chunked transfers. 
+ This test doesn't link without FTP support after + fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch + unavailable without FTP support. - The test server (sws) was updated to take into account the detection of the - end of transfer in the case of trailing headers presence. + Closes https://github.com/curl/curl/pull/3565 + +Daniel Stenberg (13 Feb 2019) +- TODO: TFO support on Windows - Test 1591 checks that trailing headers can be sent using libcurl. + Nobody works on this now. - Closes #3350 + Closes #3378 -- darwinssl: accept setting max-tls with default min-tls +- multi: Dereference of null pointer - Reported-by: Andrei Neculau - Fixes #3367 - Closes #3373 - -- gopher: fix memory leak from 9026083ddb2a9 - -- [Leonardo Taccari brought this change] - - test1201: Add a trailing `?' to the selector + Mostly a false positive, but this makes the code easier to read anyway. - This verify that the `?' in the selector is kept as is. + Detected by scan-build. - Verifies the fix in #3370 - -- [Leonardo Taccari brought this change] + Closes #3563 - gopher: always include the entire gopher-path in request +- urlglob: Argument with 'nonnull' attribute passed null - After the migration to URL API all octets in the selector after the - first `?' were interpreted as query and accidentally discarded and not - passed to the server. + Detected by scan-build. + +Jay Satiro (12 Feb 2019) +- schannel: restore some debug output but only for debug builds - Add a gopherpath to always concatenate possible path and query URL - pieces. + Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy + debug output in DEBUGF but omitted a few lines. - Fixes #3369 - Closes #3370 + Ref: https://github.com/curl/curl/commit/84c10dc#r32292900 -- [Leonardo Taccari brought this change] +- examples/crawler: Fix the Accept-Encoding setting + + - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default + supported encodings. 
+ + Prior to this change the specific encodings of gzip and deflate were set + but there's no guarantee they'd be supported by the user's libcurl. - urlapi: distinguish possibly empty query +Daniel Stenberg (12 Feb 2019) +- mime: put the boundary buffer into the curl_mime struct - If just a `?' to indicate the query is passed always store a zero length - query instead of having a NULL query. + ... instead of allocating it separately and point to it. It is + fixed-size and always used for each part. - This permits to distinguish URL with trailing `?'. + Closes #3561 + +- schannel: be quiet - Fixes #3369 - Closes #3370 + Convert numerous infof() calls into debug-build only messages since they + are annoyingly verbose for regular applications. Removed a few. + + Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html + Reported-by: Volker Schmid + Closes #3552 -Daniel Gustafsson (13 Dec 2018) -- OS400: handle memory error in list conversion +- [Romain Geissler brought this change] + + Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning - Curl_slist_append_nodup() returns NULL when it fails to create a new - item for the specified list, and since the coding here reassigned the - new list on top of the old list it would result in a dangling pointer - and lost memory. Also, in case we hit an allocation failure at some - point during the conversion, with allocation succeeding again on the - subsequent call(s) we will return a truncated list around the malloc - failure point. Fix by assigning to a temporary list pointer, which can - be checked (which is the common pattern for slist appending), and free - all the resources on allocation failure. + Closes #3562 + +- http2: multi_connchanged() moved from multi.c, only used for h2 - Closes #3372 - Reviewed-by: Daniel Stenberg + Closes #3557 -- cookies: leave secure cookies alone +- curl: "Function call argument is an uninitialized value" - Only allow secure origins to be able to write cookies with the - 'secure' flag set. 
This reduces the risk of non-secure origins - to influence the state of secure origins. This implements IETF - Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates - RFC6265. + Follow-up to cac0e4a6ad14b42471eb - Closes #2956 - Reviewed-by: Daniel Stenberg + Detected by scan-build + Closes #3560 -Daniel Stenberg (13 Dec 2018) -- docs: fix the --tls-max description +- pretransfer: don't strlen() POSTFIELDS set for GET requests - Reported-by: Tobias Lindgren - Pointed out in #3367 + ... since that data won't be used in the request anyway. - Closes #3368 + Fixes #3548 + Reported-by: Renaud Allard + Close #3549 -Daniel Gustafsson (12 Dec 2018) -- urlapi: Fix port parsing of eol colon +- multi: remove verbose "Expire in" ... messages - A URL with a single colon without a portnumber should use the default - port, discarding the colon. Fix, add a testcase and also do little bit - of comment wordsmithing. + Reported-by: James Brown + Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html + Closes #3558 + +- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set - Closes #3365 - Reviewed-by: Daniel Stenberg + Reported-by: MAntoniak on github + Fixes #3553 + Closes #3556 -Version 7.63.0 (12 Dec 2018) +Daniel Gustafsson (12 Feb 2019) +- non-ascii.c: fix typos in comments + + Fix two occurrences of s/convers/converts/ spotted while reading code. -Daniel Stenberg (12 Dec 2018) -- RELEASE-NOTES: 7.63.0 +Daniel Stenberg (12 Feb 2019) +- fnmatch: disable if FTP is disabled + + Closes #3551 -- THANKS: from the curl 7.62.0 cycle +- curl_path: only enabled for SSH builds -- test1519: use lib1518 and test CURLINFO_REDIRECT_URL more +- [Frank Gevaerts brought this change] -- Curl_follow: extract the Location: header field unvalidated + tests: add stderr comparison to the test suite - ... when not actually following the redirect. Otherwise we return error - for this and an application can't extract the value. 
+ The code is more or less copied from the stdout comparison code, maybe + some better reuse is possible. - Test 1518 added to verify. + test 1457 is adjusted to make the output actually match (by using --silent) + test 506 used without actually needing it, so that block is removed - Reported-by: Pavel Pavlov - Fixes #3340 - Closes #3364 + Closes #3536 -- multi: convert two timeout variables to timediff_t +Patrick Monnerat (11 Feb 2019) +- cli tool: do not use mime.h private structures. - The time_t type is unsigned on some systems and these variables are used - to hold return values from functions that return timediff_t - already. timediff_t is always a signed type. - - Closes #3363 - -- delta: use --diff-filter on the git diff-tree invokes + Option -F generates an intermediate representation of the mime structure + that is used later to create the libcurl mime structure and generate + the --libcurl statements. - Suggested-by: Dave Reisner + Reported-by: Daniel Stenberg + Fixes #3532 + Closes #3546 -Patrick Monnerat (11 Dec 2018) -- documentation: curl_formadd field and file names are now escaped - - Prior to 7.56.0, fieldnames and filenames were set in Content-Disposition - header without special processing: this may lead to invalid RFC 822 - quoted-strings. - 7.56.0 introduces escaping of backslashes and double quotes in these names: - mention it in the documentation. - - Reported-by: daboul on github - Closes #3361 +Daniel Stenberg (11 Feb 2019) +- curlver: bump to 7.64.1-dev -Daniel Stenberg (11 Dec 2018) -- scripts/delta: show repo delta info from last release +- RELEASE-NOTES: synced - ... where "last release" should be the git tag in the repo. + and bump the version in progress to 7.64.1. If we merge any "change" + before the cut-off date, we update again. 
-Daniel Gustafsson (11 Dec 2018) -- tests: add urlapi unittest +Daniel Gustafsson (11 Feb 2019) +- curl: follow-up to 3f16990ec84 - This adds a new unittest intended to cover the internal functions in - the urlapi code, starting with parse_port(). In order to avoid name - collisions in debug builds, parse_port() is renamed Curl_parse_port() - since it will be exported. + Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was + inadvertently introducing a new bug in the ternary expression. + Close #3555 Reviewed-by: Daniel Stenberg - Reviewed-by: Marcel Raad -- urlapi: fix portnumber parsing for ipv6 zone index +- dns: release sharelock as soon as possible - An IPv6 URL which contains a zone index includes a '%%25' - string before the ending ']' bracket. The parsing logic wasn't set - up to cope with the zone index however, resulting in a malformed url - error being returned. Fix by breaking the parsing into two stages - to correctly handle the zone index. + There is no benefit to holding the data sharelock when freeing the + addrinfo in case it fails, so ensure releaseing it as soon as we can + rather than holding on to it. This also aligns the code with other + consumers of sharelocks. - Closes #3355 - Closes #3319 - Reported-by: tonystz on Github + Closes #3516 Reviewed-by: Daniel Stenberg - Reviewed-by: Marcel Raad - -Daniel Stenberg (11 Dec 2018) -- [Jay Satiro brought this change] - http: fix HTTP auth to include query in URI +Daniel Stenberg (11 Feb 2019) +- curl: follow-up to b49652ac66cc0 - - Include query in the path passed to generate HTTP auth. + On FreeBSD, return non-zero on error otherwise zero. - Recent changes to use the URL API internally (46e1640, 7.62.0) - inadvertently broke authentication URIs by omitting the query. + Reported-by: Marcel Raad + +- multi: (void)-prefix when ignoring return values - Fixes https://github.com/curl/curl/issues/3353 - Closes #3356 + ... 
and added braces to two function calls which fixes warnings if they + are replace by empty macros at build-time. -- [Michael Kaufmann brought this change] +- curl: fix FreeBSD compiler warning in the --xattr code + + Closes #3550 - http: don't set CURLINFO_CONDITION_UNMET for http status code 204 +- connection_check: set ->data to the transfer doing the check - The http status code 204 (No Content) should not change the "condition - unmet" flag. Only the http status code 304 (Not Modified) should do - this. + The http2 code for connection checking needs a transfer to use. Make + sure a working one is set before handler->connection_check() is called. - Closes #359 + Reported-by: jnbr on github + Fixes #3541 + Closes #3547 -- [Samuel Surtees brought this change] +- hostip: make create_hostcache_id avoid alloc + free + + Closes #3544 - ldap: fix LDAP URL parsing regressions +- scripts/singleuse: script to use to track single-use functions - - Match URL scheme with LDAP and LDAPS - - Retrieve attributes, scope and filter from URL query instead + That is functions that are declared global but are not used from outside + of the file in which it is declared. Such functions should be made + static or even at times be removed. - Regression brought in 46e164069d1a5230 (7.62.0) + It also verifies that all used curl_ prefixed functions are "blessed" - Closes #3362 - -- RELEASE-NOTES: synced + Closes #3538 -- [Stefan Kanthak brought this change] - - (lib)curl.rc: fixup for minor bugs +- cleanup: make local functions static - All resources defined in lib/libcurl.rc and curl.rc are language - neutral. + urlapi: turn three local-only functions into statics - winbuild/MakefileBuild.vc ALWAYS defines the macro DEBUGBUILD, so the - ifdef's in line 33 of lib/libcurl.rc and src/curl.rc are wrong. + conncache: make conncache_find_first_connection static - Replace the hard-coded constants in both *.rc files with #define'd - values. 
+ multi: make detach_connnection static - Thumbs-uped-by: Rod Widdowson, Johannes Schindelin - URL: https://curl.haxx.se/mail/lib-2018-11/0000.html - Closes #3348 - -- test329: verify cookie max-age=0 immediate expiry - -- cookies: expire "Max-Age=0" immediately + connect: make getaddressinfo static - Reported-by: Jeroen Ooms - Fixes #3351 - Closes #3352 - -- [Johannes Schindelin brought this change] - - Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1 + curl_ntlm_core: make hmac_md5 static - This is a companion patch to cbea2fd2c (NTLM: force the connection to - HTTP/1.1, 2018-12-06): with NTLM, we can switch to HTTP/1.1 - preemptively. However, with other (Negotiate) authentication it is not - clear to this developer whether there is a way to make it work with - HTTP/2, so let's try HTTP/2 first and fall back in case we encounter the - error HTTP_1_1_REQUIRED. + http2: make two functions static - Note: we will still keep the NTLM workaround, as it avoids an extra - round trip. + http: make http_setup_conn static - Daniel Stenberg helped a lot with this patch, in particular by - suggesting to introduce the Curl_h2_http_1_1_error() function. + connect: make tcpnodelay static - Closes #3349 + tests: make UNITTEST a thing to mark functions with, so they can be static for + normal builds and non-static for unit test builds - 
Signed-off-by: Johannes Schindelin - -- [Ben Greear brought this change] - - openssl: fix unused variable compiler warning with old openssl + ... and mark Curl_shuffle_addr accordingly. - URL: https://curl.haxx.se/mail/lib-2018-11/0055.html + url: make up_free static - Closes #3347 - -- [Johannes Schindelin brought this change] - - NTLM: force the connection to HTTP/1.1 + setopt: make vsetopt static - Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces - the capability. However, NTLM authentication only works with HTTP/1.1, - and will likely remain in that boat (for details, see - https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported). + curl_endian: make write32_le static - When we just found out that we want to use NTLM, and when the current - connection runs in HTTP/2 mode, let's force the connection to be closed - and to be re-opened using HTTP/1.1. + rtsp: make rtsp_connisdead static - Fixes https://github.com/curl/curl/issues/3341. - Closes #3345 + warnless: remove unused functions - Signed-off-by: Johannes Schindelin - -- [Johannes Schindelin brought this change] + memdebug: remove one unused function, made another static - curl_global_sslset(): id == -1 is not necessarily an error - - It is allowed to call that function with id set to -1, specifying the - backend by the name instead. We should imitate what is done further down - in that function to allow for that. +Dan Fandrich (10 Feb 2019) +- cirrus: Added FreeBSD builds using Cirrus CI. - 
Signed-off-by: Johannes Schindelin + The build logs will be at https://cirrus-ci.com/github/curl/curl - Closes #3346 + Some tests are currently failing and so disabled for now. The SSH server + isn't starting for the SSH tests due to unsupported options used in its + config file. The DICT server also is failing on startup. -Johannes Schindelin (6 Dec 2018) -- .gitattributes: make tabs in indentation a visible error +Daniel Stenberg (9 Feb 2019) +- url/idnconvert: remove scan for <= 32 ascii values - 
Signed-off-by: Johannes Schindelin - -Daniel Stenberg (6 Dec 2018) -- RELEASE-NOTES: synced - -- doh: fix memory leak in OOM situation + The check was added back in fa939220df before the URL parser would catch + these problems and therefore these will never trigger now. - Reviewed-by: Daniel Gustafsson - Closes #3342 + Closes #3539 -- doh: make it work for h2-disabled builds too +- urlapi: reduce variable scope, remove unreachable 'break' - Reported-by: dtmsecurity at github - Fixes #3325 - Closes #3336 + Both nits pointed out by codacy.com + + Closes #3540 -- packages: remove old leftover files and dirs +Alessandro Ghedini (7 Feb 2019) +- zsh.pl: escape ':' character - This subdir has mostly become an attic of never-used cruft from the - past. + ':' is interpreted as separator by zsh, so if used as part of the argument + or option's description it needs to be escaped. - Closes #3331 - -- [Gergely Nagy brought this change] + The problem can be reproduced as follows: + + % curl --reso + % curl -E + + Bug: https://bugs.debian.org/921452 + +- zsh.pl: update regex to better match curl -h output + + The current regex fails to match '<...>' arguments properly (e.g. those + with spaces in them), which causes an completion script with wrong + descriptions for some options. + + Here's a diff of the generated completion script, comparing the previous + version to the one with this fix: + + --- /usr/share/zsh/vendor-completions/_curl 2019-01-15 20:47:40.000000000 +0000 + +++ _curl 2019-02-05 20:57:29.453349040 +0000 + 
@@ -9,48 +9,48 @@ + + _arguments -C -S \ + --happy-eyeballs-timeout-ms'[How long to wait in milliseconds for IPv6 before trying IPv4]':'' \ + + --resolve'[Resolve the host+port to this address]':'' \ + {-c,--cookie-jar}'[Write cookies to after operation]':'':_files \ + {-D,--dump-header}'[Write the received headers to ]':'':_files \ + {-y,--speed-time}'[Trigger '\''speed-limit'\'' abort after this time]':'' \ + --proxy-cacert'[CA certificate to verify peer against for proxy]':'':_files \ + - --tls13-ciphers'[of TLS 1.3 ciphersuites> TLS 1.3 cipher suites to use]':'' \ + {-E,--cert}'[Client certificate file and password]':'' \ + --libcurl'[Dump libcurl equivalent code of this command line]':'':_files \ + --proxy-capath'[CA directory to verify peer against for proxy]':'':_files \ + - --proxy-negotiate'[HTTP Negotiate (SPNEGO) authentication on the proxy]':'Use' \ + --proxy-pinnedpubkey'[FILE/HASHES public key to verify proxy with]':'' \ + --crlfile'[Get a CRL list in PEM format from the given file]':'':_files \ + - --proxy-insecure'[HTTPS proxy connections without verifying the proxy]':'Do' \ + - --proxy-ssl-allow-beast'[security flaw for interop for HTTPS proxy]':'Allow' \ + + --proxy-negotiate'[Use HTTP Negotiate (SPNEGO) authentication on the proxy]' \ + --abstract-unix-socket'[Connect via abstract Unix domain socket]':'' \ + --pinnedpubkey'[FILE/HASHES Public key to verify peer against]':'' \ + + --proxy-insecure'[Do HTTPS proxy connections without verifying the proxy]' \ + --proxy-pass'[Pass phrase for the private key for HTTPS proxy]':'' \ + + --proxy-ssl-allow-beast'[Allow security flaw for interop for HTTPS proxy]' \ + {-p,--proxytunnel}'[Operate through an HTTP proxy tunnel (using CONNECT)]' \ + --socks5-hostname'[SOCKS5 proxy, pass host name to proxy]':'' \ + --proto-default'[Use PROTOCOL for any URL missing a scheme]':'' \ + - --proxy-tls13-ciphers'[list> TLS 1.3 proxy cipher suites]':'' \ + --socks5-gssapi-service'[SOCKS5 proxy service name for 
GSS-API]':'' \ + --ftp-alternative-to-user'[String to replace USER \[name\]]':'' \ + - --ftp-ssl-control'[SSL/TLS for FTP login, clear for transfer]':'Require' \ + {-T,--upload-file}'[Transfer local FILE to destination]':'':_files \ + --local-port'[Force use of RANGE for local port numbers]':'' \ + --proxy-tlsauthtype'[TLS authentication type for HTTPS proxy]':'' \ + {-R,--remote-time}'[Set the remote file'\''s time on the local output]' \ + - --retry-connrefused'[on connection refused (use with --retry)]':'Retry' \ + - --suppress-connect-headers'[proxy CONNECT response headers]':'Suppress' \ + - {-j,--junk-session-cookies}'[session cookies read from file]':'Ignore' \ + - --location-trusted'[--location, and send auth to other hosts]':'Like' \ + + --ftp-ssl-control'[Require SSL/TLS for FTP login, clear for transfer]' \ + --proxy-cert-type'[Client certificate type for HTTPS proxy]':'' \ + {-O,--remote-name}'[Write output to a file named as the remote file]' \ + + --retry-connrefused'[Retry on connection refused (use with --retry)]' \ + + --suppress-connect-headers'[Suppress proxy CONNECT response headers]' \ + --trace-ascii'[Like --trace, but without hex output]':'':_files \ + --connect-timeout'[Maximum time allowed for connection]':'' \ + --expect100-timeout'[How long to wait for 100-continue]':'' \ + {-g,--globoff}'[Disable URL sequences and ranges using {} and \[\]]' \ + + {-j,--junk-session-cookies}'[Ignore session cookies read from file]' \ + {-m,--max-time}'[Maximum time allowed for the transfer]':'' \ + --dns-ipv4-addr'[IPv4 address to use for DNS requests]':'
' \ + --dns-ipv6-addr'[IPv6 address to use for DNS requests]':'
' \ + - --ignore-content-length'[the size of the remote resource]':'Ignore' \ + {-k,--insecure}'[Allow insecure server connections when using SSL]' \ + + --location-trusted'[Like --location, and send auth to other hosts]' \ + --mail-auth'[Originator address of the original email]':'
' \ + --noproxy'[List of hosts which do not use proxy]':'' \ + --proto-redir'[Enable/disable PROTOCOLS on redirect]':'' \ + @@ -62,18 +62,19 @@ + --socks5-basic'[Enable username/password auth for SOCKS5 proxies]' \ + --cacert'[CA certificate to verify peer against]':'':_files \ + {-H,--header}'[Pass custom header(s) to server]':'
' \ + + --ignore-content-length'[Ignore the size of the remote resource]' \ + {-i,--include}'[Include protocol response headers in the output]' \ + --proxy-header'[Pass custom header(s) to proxy]':'
' \ + --unix-socket'[Connect through this Unix domain socket]':'' \ + {-w,--write-out}'[Use output FORMAT after completion]':'' \ + - --http2-prior-knowledge'[HTTP 2 without HTTP/1.1 Upgrade]':'Use' \ + {-o,--output}'[Write to file instead of stdout]':'':_files \ + - {-J,--remote-header-name}'[the header-provided filename]':'Use' \ + + --preproxy'[\[protocol://\]host\[:port\] Use this proxy first]' \ + --socks4a'[SOCKS4a proxy on given host + port]':'' \ + {-Y,--speed-limit}'[Stop transfers slower than this]':'' \ + {-z,--time-cond}'[Transfer based on a time condition]':'
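Review bot: The removed entries interleaved through this hunk, for example "Version 7.63.0 (12 Dec 2018)", "cookies: leave secure cookies alone" and "NTLM: force the connection to HTTP/1.1", cannot be told apart from entries that only moved further down the file. The whole changelog is rewritten as a single hunk, and the diff pairs unrelated old and new entries line by line. Reading is made harder by the "zsh.pl: update regex to better match curl -h output" entry, which embeds its own unified diff, so its "---", "+++" and "@@ -9,48 +9,48 @@" lines and every nested "+" or "-" line all arrive here as additions. Since this is a vendored documentation file, please say in the commit message which upstream release artifact it was copied from. Please also confirm the vendored copy by comparing it against that artifact (a checksum or a diff against the upstream file) rather than relying on a by-eye review of this hunk.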